[英]Is it safe to have an internal ClusterIp backend service using HTTP behind an Ngynx Ingress controller accessible via HTTPS?
I have a Service configured to be accessible via HTTP.我有一个服务配置为可通过 HTTP 访问。
kind: Service
apiVersion: v1
metadata:
name: myservice
spec:
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8080
type: ClusterIP
And an Ngynx Ingress configured to make that internal service accessible from a specific secure subdomain.domain和一个 Ngynx Ingress 配置为使该内部服务可从特定的安全 subdomain.domain 访问
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
name: myservice-ingress
selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/myservice-ingress
annotations:
certmanager.k8s.io/issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: HTTP
spec:
tls:
- hosts:
- myservice.mydomain.com
secretName: myservice-ingress-secret-tls
rules:
- host: myservice.mydomain.com
http:
paths:
- path: /
backend:
serviceName: myservice
servicePort: 80
status:
loadBalancer:
ingress:
- {}
So when I reach https://myservice.mydomain.com I can acces to my service through HTTPS.因此,当我到达https://myservice.mydomain.com时,我可以通过 HTTPS 访问我的服务。 Is it safe enought or should I configure my service and pods to communicate only through HTTPS?
是否足够安全,或者我应该将我的服务和 Pod 配置为仅通过 HTTPS 进行通信?
It's expected behaviour since you've set TLS
in your Ingress.这是预期的行为,因为您在 Ingress 中设置了
TLS
。
Note that by default the controller redirects (308) to HTTPS if TLS is enabled for that ingress.
请注意,默认情况下,如果为该入口启用了 TLS,则controller会将(308) 重定向到HTTPS 。 If you want to disable this behavior globally, you can use ssl-redirect: "false" in the NGINX ConfigMap .
如果要全局禁用此行为,可以在 NGINX ConfigMap中使用 ssl-redirect: "false" 。
To configure this feature for specific ingress resources, you can use the nginx.ingress.kubernetes.io/ssl-redirect: "false"
annotation in the particular resource.要为特定入口资源配置此功能,您可以在特定资源中使用
nginx.ingress.kubernetes.io/ssl-redirect: "false"
注释。
About your question: "Is it safe enough.." - it's opinion based question, so I can answer to use better HTTPS
, rather than HTTP
, but it's just my opinion.关于你的问题:“它足够安全吗..” - 这是基于意见的问题,所以我可以回答使用更好
HTTPS
,而不是HTTP
,但这只是我的意见。 You can always find the difference between HTTP
and HTTPS
您总能找到
HTTP
和HTTPS
之间的区别
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.