How NGINX Ingress controller back-end protocol annotation works in path based routing?
I'm currently playing with the NGINX ingress controller in my k8s cluster. I was trying to make end-to-end encryption work and I was able to make the connection secure all the way to the pod.

In order to achieve HTTPS all the way to the pod, I had to use the annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Sample Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-api-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - foo.example.com
    secretName: foo-cert
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /path1
        backend:
          serviceName: foo-api-path1-service
          servicePort: 443
      - path: /path2
        backend:
          serviceName: foo-api-path2-service
          servicePort: 443
I'm confused about how exactly this happens, because when we encrypt the connection the path also gets encrypted, so how does NGINX do path-based routing? Does it decrypt the connection at the ingress and re-encrypt it? Also, does performance get affected by using this method?
TL;DR

Does it decrypt the connection at the ingress and re-encrypt it?

In short, yes. Please see the explanation below.
The path that a request travels to reach a Pod can be seen as follows.

Assuming that we have an Ingress controller (nginx-ingress) in place of an Ingress, you can have several ways to connect your client with a Pod (simplified):
client -- (HTTP) --> Ingress controller -- (HTTP) --> Service ----> Pod
Ingress controller encrypting (with nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"):

client -- (HTTP) --> Ingress controller -- (HTTPS) --> Service ----> Pod
Ingress controller where TLS termination happens:

client -- (HTTPS) --> Ingress controller (TLS termination) -- (HTTP) --> Service ----> Pod
Your setup: Ingress controller where TLS termination happens and the traffic is encrypted once again when connecting to an HTTPS backend via nginx.ingress.kubernetes.io/backend-protocol: "HTTPS":

client -- (HTTPS) --> Ingress controller (TLS termination) -- (HTTPS) --> Service ----> Pod
Pod, where the Ingress controller is configured with SSL Passthrough:

client -- (HTTPS) --> Ingress controller -- (HTTPS) --> Service ----> Pod
Disclaimer!

This is only a simplified explanation. For more reference you can look at this comment:

there is a missing detail here, the SSL Passthrough traffic never reaches NGINX in the ingress controller. There is a go listener for TLS connections that just pipes the traffic to the service defined in the ingress.

For more reference you can look at a similar question (with an answer):

You can also check this article with an example setup similar to yours:

Additional resources:
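The four cases in the diagrams above, as an added example that is not code from the question or the answer: a small Python checker that takes the question's Ingress (embedded here as a dict with the same contents as the YAML, constructed for this example) and reports the hop-by-hop protocol path, whether TLS is terminated at the controller, whether path-based routing is possible, and whether the controller verifies the backend's certificate. It reads three real ingress-nginx annotations that the page does not mention: nginx.ingress.kubernetes.io/ssl-passthrough (which also needs the controller started with --enable-ssl-passthrough), nginx.ingress.kubernetes.io/proxy-ssl-verify and nginx.ingress.kubernetes.io/proxy-ssl-secret. The hop labels and the "service/pod" wording are this example's own choices.

```python
"""Classify the traffic path an ingress-nginx Ingress produces.

Added example, not code from the question or answer. Encodes the cases
described in the answer: plain HTTP, TLS termination at the controller,
termination plus re-encryption (backend-protocol HTTPS) and SSL passthrough.
"""
import copy
from dataclasses import dataclass, field

BACKEND_PROTOCOL = "nginx.ingress.kubernetes.io/backend-protocol"
SSL_PASSTHROUGH = "nginx.ingress.kubernetes.io/ssl-passthrough"
PROXY_SSL_VERIFY = "nginx.ingress.kubernetes.io/proxy-ssl-verify"
PROXY_SSL_SECRET = "nginx.ingress.kubernetes.io/proxy-ssl-secret"

# Constructed: the question's Ingress expressed as a dict instead of YAML.
FOO_API_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "foo-api-ingress",
        "annotations": {"kubernetes.io/ingress.class": "nginx", BACKEND_PROTOCOL: "HTTPS"},
    },
    "spec": {
        "tls": [{"hosts": ["foo.example.com"], "secretName": "foo-cert"}],
        "rules": [{
            "host": "foo.example.com",
            "http": {"paths": [
                {"path": "/path1", "backend": {"serviceName": "foo-api-path1-service", "servicePort": 443}},
                {"path": "/path2", "backend": {"serviceName": "foo-api-path2-service", "servicePort": 443}},
            ]},
        }],
    },
}


@dataclass
class TrafficPath:
    hops: list                  # (from, to, protocol) triples, client -> pod
    terminated_at_ingress: bool # does NGINX hold the plaintext request?
    path_routing: bool          # can the controller route on the URL path?
    backend_verified: bool      # is the backend certificate checked?
    findings: list = field(default_factory=list)


def with_annotations(ingress, extra):
    """Return a deep copy of the Ingress with extra annotations merged in."""
    out = copy.deepcopy(ingress)
    out.setdefault("metadata", {}).setdefault("annotations", {}).update(extra)
    return out


def describe(ingress):
    ann = ingress.get("metadata", {}).get("annotations", {}) or {}
    spec = ingress.get("spec", {})
    has_tls = bool(spec.get("tls"))
    passthrough = str(ann.get(SSL_PASSTHROUGH, "false")).lower() == "true"
    backend_proto = str(ann.get(BACKEND_PROTOCOL, "HTTP")).upper()
    paths = [p.get("path", "/") for r in spec.get("rules", [])
             for p in r.get("http", {}).get("paths", [])]

    if passthrough:
        # The TLS bytes are piped to the backend untouched, so NGINX never
        # sees the HTTP request; only the SNI host is available for routing.
        tp = TrafficPath(
            hops=[("client", "ingress controller", "HTTPS"),
                  ("ingress controller", "service/pod", "HTTPS")],
            terminated_at_ingress=False, path_routing=False, backend_verified=False)
        if any(p != "/" for p in paths):
            tp.findings.append("ssl-passthrough: path rules cannot be applied; routing is by SNI host only")
        return tp

    edge = "HTTPS" if has_tls else "HTTP"
    backend = "HTTPS" if backend_proto in ("HTTPS", "GRPCS") else "HTTP"
    verified = (backend == "HTTPS"
                and str(ann.get(PROXY_SSL_VERIFY, "off")).lower() == "on"
                and PROXY_SSL_SECRET in ann)
    tp = TrafficPath(
        hops=[("client", "ingress controller", edge), ("ingress controller", "service/pod", backend)],
        terminated_at_ingress=has_tls, path_routing=True, backend_verified=verified)
    if has_tls and backend == "HTTPS":
        tp.findings.append("TLS terminated at the controller and re-encrypted to the backend; plaintext exists inside NGINX")
    if has_tls and backend == "HTTP":
        tp.findings.append("TLS terminated at the controller; the controller-to-pod hop is plaintext HTTP")
    if backend == "HTTPS" and not verified:
        tp.findings.append("backend certificate is not verified; set proxy-ssl-verify and proxy-ssl-secret to pin the backend CA")
    return tp


def render(tp):
    """Render the path in the same shape as the answer's diagrams."""
    parts = ["client"]
    for _src, dst, proto in tp.hops:
        label = dst + (" (TLS termination)" if dst == "ingress controller" and tp.terminated_at_ingress else "")
        parts.append(f"-- ({proto}) --> {label}")
    return " ".join(parts)


if __name__ == "__main__":
    result = describe(FOO_API_INGRESS)
    print(render(result))
    for finding in result.findings:
        print(" -", finding)
```

Running it on the question's manifest prints the "Your setup" diagram and two findings: the controller decrypts and re-encrypts, and the hop to the pod is not certificate-verified unless the proxy-ssl-* annotations are added. Adding the ssl-passthrough annotation flips the result to a non-terminated path and flags that the /path1 and /path2 rules cannot be honoured, which is why path-based routing and passthrough do not combine.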