[英]Forward real requestor IP in K3S NGINX ingress
I've set up a K3S Kubernetes Environment in my Home-Lab on Raspberry PIs in order to teach myself some Kubernetes (Noob-Alert), using NGINX as Ingress Controller and I'm kind of stuck at passing the real IP of requests to目標 Pod,在我的例子中是 Nextcloud 實例。 K3S 的版本是v1.22.5+k3s1
。
K3S 是使用 Docker 作為容器運行時並使用--no-deploy traefik
選項設置的。
之后,我使用
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/baremetal/deploy.yaml
然后,在部署 Nextcloud pod 之后,我部署了 Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- my.own-dns.org
secretName: very-secret-ssl-secret
ingressClassName: nginx
rules:
- host: my.own-dns.org
http:
paths:
- path: /somepath
pathType: Prefix
backend:
service:
name: someservice-service
port:
number: 8081
- path: /
pathType: Prefix
backend:
service:
name: nextcloud-service
port:
number: 80
在 IngressController 的部署中,我在 ConfigMap 中添加了以下條目:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.10
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.1.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: 'true'
compute-full-forwarded-for: 'true'
use-forwarded-headers: 'true'
enable-real-ip: 'true'
proxy-add-original-uri-header: 'true'
forwarded-for-header: 'X-Forwarded-For'
並將 ServiceType 從 http 服務更改為LoadBalancer
,因此我的 IngressController 服務如下所示:
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-4.0.10
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.1.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
ipFamilyPolicy: SingleStack
ipFamilies:
- IPv4
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
So far so good, accessing the Nextcloud Instance from the Internet working great, including redirection to https, etc. But the Nextcloud Audit Log is only getting an internal Cluster IP as Source IP (surprisingly no IP from any Service I am running inside the Cluster ),而不是來自外部世界的真實。
那么我錯過了什么? 我嘗試將use-proxy-protocol
設置為 true,但這會導致ERR_CONNECTION_RESET
。
在 NGINX 服務器上配置 SSL 終止時,原始 IP 地址應顯示在 X-Forward-for 標頭中
當 SSL 未被 NGINX 卸載時, use-proxy-protocol
用於通過代理協議轉發 IP 地址。 客戶端必須能夠接受包含原始 IP 地址的附加 TCP 數據包。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.