[英]Too many redirects on ingress-controller
我正在嘗試根據以下內容設置 Ingress Controller:
https://kube.netes.github.io/ingress-nginx/deploy/#aws
它適用於 ELB,但出於某種原因,如果我在 NLB 中設置以下內容:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
然后我收到Too many redirects
錯誤。
如果我將以上設置為 false,那么我可以分別訪問 HTTP 和 HTTPS,但沒有重定向。
在我的 NLB 服務注釋中,我有:
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:12345:certificate/xyz
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-FS-1-2-2019-08
...
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: http
appProtocol: https
對於 ELB,它可以正常工作,我有:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:12345:certificate/xyz
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-type: elb
...
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: tohttps
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: http
appProtocol: https
我嘗試了很多組合,但我無法讓 NLB 以與 ELB 相同的方式運行。
嘗試刪除appProtocol: https
並在 LB 級別卸載 SSL
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:12345:certificate/xyz
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-FS-1-2-2019-08
...
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: HTTP
您可以在以下位置檢查配置: https://aws.amazon.com/blogs/opensource.network-load-balancer-nginx-ingress-controller-eks/
此外,從具有80 個和TLS 443個偵聽器的 AWS 控制台 LB 檢查。
SSL 卸載和終止: https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm/
如果后端協議設置為“ssl”,一切正常,除了我們無緣無故地進行雙 TLS 卸載(首先在 NLB 上,然后在入口上)。 如果后端協議設置為“tcp”,我們將收到“Plain HTTP request sent to TLS port”錯誤。 如果我們 map https 到 http 端口來解決上述問題,那么 HTTP -> HTTPS 重定向將停止工作。
所以為了讓它與 NLB 一起工作,我需要將后端協議設置為 ssl: service.beta.kube.netes.io/aws-load-balancer-backend-protocol: ssl
然后:
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.