Kubernetes 入口 nginx 重定向到 https
[英]Kubernetes ingress nginx redirect to https
问题描述
To redirect any HTTP traffic to HTTPS on tls enabled hosts, I have added the below annotation to my ingress resources
要将任何 HTTP 流量重定向到启用 tls 的主机上的 HTTPS,我已将以下注释添加到我的入口资源
nignx.ingress.kubernetes.io/force-ssl-redirect: true
With this when I curl the host in question, I get redirected as expected有了这个,当我 curl 有问题的主机时,我会按预期重定向
But when I use a browser, the request to HTTP times out.但是当我使用浏览器时,对 HTTP 的请求超时。
Now, I am not sure if it's something I am doing wrong at Nginx ingress conf as curl works?现在,我不确定在 Nginx 入口配置中我做错了什么,因为 curl 有效? Any pointers please?请问有什么指点吗? Thanks!谢谢!
complete annotaiotns:完整的注释:
annotations:
kubernetes.io/ingress.class: nginx-ingress
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
rules规则
rules:
- host: hostX
http:
paths:
- backend:
serviceName: svcX
servicePort: 8080
path: /
- host: hostY
http:
paths:
- backend:
serviceName: svcX
servicePort: 8080
path: /
tls:
- hosts:
- hostX
- hosts:
- hostY
secretName: hostY-secret-tls
Note:笔记:
- The curl mentioned is to hostY in the rule above.上面提到的 curl 是 hostY 在上面的规则。
- HTTPS to hostY via browser works and so cert is valid one. HTTPS 通过浏览器工作到 hostY,因此证书是有效的。
1 个解决方案
解决方案1
1 已采纳 2021-03-03 08:26:10
As @mdaniel have mentioned your snippet shows nignx.ingress.kubernetes.io/force-ssl-redirect: true but annotations should be strings.正如@mdaniel 提到的,您的代码段显示nignx.ingress.kubernetes.io/force-ssl-redirect: true但注释应该是字符串。 Notice that in your "complete" config, you have both force-ssl-redirect: "true" (now correctly a string) and ssl-redirect: "false" .请注意,在您的“完整”配置中,您同时拥有force-ssl-redirect: "true" (现在正确地是一个字符串)和ssl-redirect: "false" 。
Simply remove annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" and leave just nignx.ingress.kubernetes.io/force-ssl-redirect: "true" Also enable --enable-ssl-passthrough .只需删除注释--enable-ssl-passthrough nginx.ingress.kubernetes.io/ssl-redirect: "false"并只留下nignx.ingress.kubernetes.io/force-ssl-redirect: "true" : "false"。 This is required to enable passthrough backends in Ingress objects.这是在 Ingress 对象中启用直通后端所必需的。
Your annotation should look like:您的注释应如下所示:
kubernetes.io/ingress.class: nginx-ingress
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
If you defined hosts under TLS section they are going to be accessible only using https.如果您在 TLS 部分下定义了主机,则只能使用 https 访问它们。 HTTP requests are being redirected to use HTTPS. HTTP 请求被重定向到使用 HTTPS。 That is why you cannot access host via HTTP.这就是为什么您无法通过 HTTP 访问主机的原因。 Also you have to specify secret for host hostX , otherwise the default certificate will be used for ingress.您还必须为主机hostX指定密码,否则默认证书将用于入口。 Or if you don't want to connect to host hostX via HTTPS simply create different ingress without TLS section for it.或者,如果您不想通过 HTTPS 连接到主机hostX ,只需为其创建不带 TLS 部分的不同入口。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.