[英]Kubernetes Ingress: SSL (HTTP -> HTTPS) redirect not working (Nginx Docker)
I am using Kubernetes within Google Cloud Kubernetes Engine and have setup the following: - Nginx docker image (nginx:latest), which is hosting a web application - Kubernetes Deployment (yaml file) - Kubernetes Service (yaml file) - Kubernetes Secret with existing密鑰和證書(通配符 PositiveSSL)- Kubernetes 入口
目前我有 HTTP 和 HTTPS 工作。 但是,我想自動將所有 HTTP 調用重定向到 HTTPS,但似乎沒有讓它工作。
我已經嘗試了下面的 conf 和腳本文件的許多變體,它似乎無法將 HTTP 重定向到 HTTPS。
知道我在這里可能做錯了什么嗎?
請參閱下面的配置文件 yaml 和 docker 文件。
Nginx 配置:
server {
listen 80;
charset utf-8;
root /usr/share/nginx/html;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect http:// https://;
proxy_pass http://portal.domain.com;
proxy_http_version 1.1;
proxy_request_buffering off;
}
}
server {
listen 443 ssl;
charset utf-8;
root /usr/share/nginx/html;
ssl_certificate /etc/nginx/ssl/domain_com_full.crt;
ssl_certificate_key /etc/nginx/ssl/domain_com.key;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect http:// https://;
proxy_pass http://portal.domain.com;
proxy_http_version 1.1;
proxy_request_buffering off;
}
}
Docker 文件:
FROM nginx:latest
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY domain_com_full.crt /etc/nginx/ssl/domain_com_full.crt
COPY domain_com.key /etc/nginx/ssl/domain_com.key
COPY dist /usr/share/nginx/html
EXPOSE 443 80
部署 YAML (我使用腳本填寫鏡像的修訂部分):
apiVersion: apps/v1
kind: Deployment
metadata:
name: domain-frontend-prd
spec:
replicas: 2
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
run: domain-frontend-prd
template:
metadata:
labels:
run: domain-frontend-prd
spec:
containers:
- name: domain-frontend-image
image: eu.gcr.io/domain-service/domain-frontend-image:{{REVISION_ID}}
ports:
- containerPort: 80
- containerPort: 443
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
服務 YAML:
apiVersion: v1
kind: Service
metadata:
name: domain-frontend-service-prd
spec:
type: NodePort
selector:
run: domain-frontend-prd
ports:
- protocol: TCP
port: 443
targetPort: 443
name: https-port
- protocol: TCP
port: 80
targetPort: 80
name: http-port
入口 YAML(秘密工作,因為 HTTPS 調用也有效 + static ZA12A3079E14CED46E69BA2 也有效)
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: domain-frontend-ingress-prd
annotations:
kubernetes.io/ingress.global-static-ip-name: kubernetes-ingress
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- portal.domain.com
secretName: domain-tls
backend:
serviceName: domain-frontend-service-prd
servicePort: 80
rules:
- host: portal.domain.com
http:
paths:
- path: /
backend:
serviceName: domain-frontend-service-prd
servicePort: 80
通過廣泛的搜索,我發現顯然 Google Cloud Kubernetes 引擎中的標准 Ingress 控制器不支持重定向到 HTTPS。
為了能夠將流量重新發送到 HTTPS(從 HTTP),您需要根據本教程/文檔安裝 NGINX Ingress 控制器:
https://cloud.google.com/community/tutorials/nginx-ingress-gke
這已經解決了我的問題。
As of GKE version 1.18.10-gke.600, you can use FrontendConfig to create HTTP -> HTTPS redirection in Google Kubernetes Engine Ingress Controller .
HTTP 到 HTTPS 重定向是使用 FrontendConfig 自定義資源中的 redirectToHttps 字段配置的。 為整個 Ingress 資源啟用重定向,因此 Ingress 引用的所有服務都將啟用 HTTPS 重定向。
以下 FrontendConfig 清單啟用 HTTP 到 HTTPS 重定向。 將 spec.redirectToHttps.enabled 字段設置為 true 以啟用 HTTPS 重定向。 spec.responseCodeName 字段是可選的。 如果省略,則使用 301 Moved Permanently 重定向。
例如:
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
name: your-frontend-config-name
spec:
redirectToHttps:
enabled: true
responseCodeName: MOVED_PERMANENTLY_DEFAULT
MOVED_PERMANENTLY_DEFAULT位於可用的RESPONSE_CODE字段值中,以返回301重定向響應代碼(如果未指定 responseCodeName,則為默認值)。
您可以在此處找到更多選項: HTTP 到 HTTPS 重定向
然后,您必須將您的FrontendConfig鏈接到您的Ingress ,如下所示:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: your-ingress-name
annotations:
networking.gke.io/v1beta1.FrontendConfig: your-frontend-config-name
spec:
tls:
...
如何使用 Google 計算雲在 kubernetes_ingress_v1 中自動從 http 重定向到 https?
[英]How to redirect from http to https automatically in kubernetes_ingress_v1 with Google compute cloud?
SSL 已添加證書但顯示“Kube.netes Ingress controller 假證書”
[英]SSL Certificate added but shows "Kubernetes Ingress controller fake certificate"
Kubernetes - nginx-ingress 在通過 php 上傳文件后崩潰
[英]Kubernetes - nginx-ingress is crashing after file upload via php
Kube.netes - Ingress-nginx 路由錯誤(無法將前端連接到后端)
[英]Kubernetes - Ingress-nginx routing error (Cannot connect frontend to backend)
如何在 kube.netes 中為 nginxinc/nginx-ingress 配置添加第三方模塊?
[英]How to Add a third party module for nginxinc/nginx-ingress configuration in kubernetes?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.