Kubernetes Ingress: SSL (HTTP -> HTTPS) redirect not working (Nginx Docker)
I am using Kubernetes within Google Cloud Kubernetes Engine and have set up the following:
- Nginx docker image (nginx:latest), which is hosting a web application
- Kubernetes Deployment (yaml file)
- Kubernetes Service (yaml file)
- Kubernetes Secret with existing key and certificates (Wildcard PositiveSSL)
- Kubernetes Ingress
Currently I have both HTTP and HTTPS working. However, I want to redirect any and all HTTP calls to HTTPS automatically, but don't seem to get it to be working.
I have tried many variations of the conf and script files below, and it doesn't seem to be able to redirect HTTP to HTTPS.
Any idea what I might be doing wrong here?
Please see below for my conf, yaml and docker files.
Nginx Conf:
server {
    listen 80;
    charset utf-8;
    root /usr/share/nginx/html;
    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// https://;
        proxy_pass http://portal.domain.com;
        proxy_http_version 1.1;
        proxy_request_buffering off;
    }
}
server {
    listen 443 ssl;
    charset utf-8;
    root /usr/share/nginx/html;
    ssl_certificate /etc/nginx/ssl/domain_com_full.crt;
    ssl_certificate_key /etc/nginx/ssl/domain_com.key;
    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// https://;
        proxy_pass http://portal.domain.com;
        proxy_http_version 1.1;
        proxy_request_buffering off;
    }
}
Docker file:
FROM nginx:latest
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY domain_com_full.crt /etc/nginx/ssl/domain_com_full.crt
COPY domain_com.key /etc/nginx/ssl/domain_com.key
COPY dist /usr/share/nginx/html
EXPOSE 443 80
Deployment YAML (I use a script to fill in the revision part of the image):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: domain-frontend-prd
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      run: domain-frontend-prd
  template:
    metadata:
      labels:
        run: domain-frontend-prd
    spec:
      containers:
        - name: domain-frontend-image
          image: eu.gcr.io/domain-service/domain-frontend-image:{{REVISION_ID}}
          ports:
            - containerPort: 80
            - containerPort: 443
          readinessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
Service YAML:
apiVersion: v1
kind: Service
metadata:
  name: domain-frontend-service-prd
spec:
  type: NodePort
  selector:
    run: domain-frontend-prd
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
      name: https-port
    - protocol: TCP
      port: 80
      targetPort: 80
      name: http-port
Ingress YAML (The Secret is working, as the HTTPS call also works + static IP is also there and working):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: domain-frontend-ingress-prd
  annotations:
    kubernetes.io/ingress.global-static-ip-name: kubernetes-ingress
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - portal.domain.com
      secretName: domain-tls
  backend:
    serviceName: domain-frontend-service-prd
    servicePort: 80
  rules:
    - host: portal.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: domain-frontend-service-prd
              servicePort: 80
Through extensive search I have found out that apparently the standard Ingress controller in Google Cloud Kubernetes Engine does not support redirect to HTTPS.
In order to be able to resend traffic to HTTPS (from HTTP), you need to install the NGINX Ingress controller according to this tutorial/documentation:
https://cloud.google.com/community/tutorials/nginx-ingress-gke
This has resolved my issue.
As of GKE version 1.18.10-gke.600, you can use FrontendConfig to create HTTP -> HTTPS redirection in Google Kubernetes Engine Ingress Controller.
HTTP to HTTPS redirects are configured using the redirectToHttps field in a FrontendConfig custom resource. Redirects are enabled for the entire Ingress resource so all services referenced by the Ingress will have HTTPS redirects enabled.
The following FrontendConfig manifest enables HTTP to HTTPS redirects. Set the spec.redirectToHttps.enabled field to true to enable HTTPS redirects. The spec.responseCodeName field is optional. If it's omitted a 301 Moved Permanently redirect is used.
For example:
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: your-frontend-config-name
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
MOVED_PERMANENTLY_DEFAULT is one of the available RESPONSE_CODE field values, to return a 301 redirect response code (default if responseCodeName is unspecified).
You can find more options here: HTTP to HTTPS redirects
Then, you have to link your FrontendConfig to your Ingress, like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: your-ingress-name
  annotations:
    networking.gke.io/v1beta1.FrontendConfig: your-frontend-config-name
spec:
  tls:
    ...
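Added example (not part of the original question or answers): the FrontendConfig approach applied to the question's own Ingress, rewritten for the networking.k8s.io/v1 schema. The host, Service, Secret and static IP names are copied from the question; the FrontendConfig name `domain-frontend-redirect` is hypothetical.

```yaml
# Added example: redirect handled by the GKE load balancer, not by nginx.
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: domain-frontend-redirect        # hypothetical name
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT   # 301
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domain-frontend-ingress-prd
  annotations:
    kubernetes.io/ingress.global-static-ip-name: kubernetes-ingress
    # Links the FrontendConfig above to this Ingress.
    networking.gke.io/v1beta1.FrontendConfig: domain-frontend-redirect
    # The nginx.ingress.kubernetes.io/ssl-redirect and force-ssl-redirect
    # annotations from the question are dropped: they are read only by the
    # NGINX Ingress controller, not by the GKE Ingress controller.
spec:
  tls:
    - hosts:
        - portal.domain.com
      secretName: domain-tls
  defaultBackend:                       # v1 name for the old spec.backend
    service:
      name: domain-frontend-service-prd
      port:
        number: 80
  rules:
    - host: portal.domain.com
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: domain-frontend-service-prd
                port:
                  number: 80
```

Once the load balancer has been reconfigured, `curl -sI http://portal.domain.com/` should return a 301 response whose `Location` header starts with `https://portal.domain.com/`.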