Kubernetes: You're speaking plain HTTP to an SSL-enabled server port

Updated: 2024-10-27 19:25:29

Problem description

My gateway file is

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: my-gateway-secure
      namespace: myapp
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
          privateKey: /etc/istio/ingressgateway-certs/tls.key
          #caCertificates: /etc/istio/ingressgateway-ca-certs/kbundle.crt
        hosts:
        - "*"
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: my-gateway-service-secure
      namespace: myapp
    spec:
      hosts:
      - "sub.domaincom"
      gateways:
      - my-gateway-secure
      http:
      - route:
        - destination:
            host: my-mono
            port:
              number: 443
              protocol: TCP

My service file is

    apiVersion: v1
    kind: Service
    metadata:
      name: my-mono
      namespace: myapp
      labels:
        tier: backend
    spec:
      selector:
        app: my-mono
        tier: backend
      ports:
      - port: 443
        name: https
        protocol: TCP

The deployment file is

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-mono
      namespace: myapp
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: my-mono
      template:
        metadata:
          labels:
            app: my-mono
        spec:
          containers:
          - name: my-mono
            image: myapacheimage
            imagePullPolicy: Never
            ports:
            - containerPort: 443

When I access my service using the gateway, it says

    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    Apache/2.4.38 (Debian) Server at 10.0.159.77 Port 443

I can confirm that Apache is only listening on 443 and is properly configured.

Recommended answer

Your configuration uses TLS termination on the Istio gateway. So the HTTPS traffic entering the Istio ingress is decrypted to plain HTTP traffic before reaching your service endpoint.

To fix this you need to configure HTTPS ingress access to an HTTPS service, i.e., configure an ingress gateway to perform SNI passthrough, instead of TLS termination on incoming requests.

You can find an example of Ingress Gateway without TLS Termination in the Istio documentation guide here.

Your Gateway and VirtualService should look something like this:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: my-gateway-secure
      namespace: myapp
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: PASSTHROUGH
        hosts:
        - "*"
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: my-gateway-service-secure
      namespace: myapp
    spec:
      hosts:
      - "sub.domaincom"
      gateways:
      - my-gateway-secure
      tls:
      - match:
        - port: 443
          sni_hosts:
          - "sub.domaincom"
        route:
        - destination:
            host: my-mono
            port:
              number: 443

Hope it helps.
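
A static check for the mismatch described in the answer, added here as an example (not code from the original post or from Istio): it flags `http` routes behind a TLS-terminating Gateway whose destination Service port is named `https`. Assumptions: the input has the shape of `kubectl get ... -o json` output, all objects share one namespace and use short host names, the Service port name follows Istio's `<protocol>[-<suffix>]` convention, and no DestinationRule re-originates TLS to the backend; `find_mismatches` and `SAMPLE` are names made up for this example.

```python
import json

# Constructed sample: the question's objects, trimmed, in the shape of
# `kubectl get gateway,virtualservice,service -n myapp -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Gateway", "metadata": {"name": "my-gateway-secure"},
  "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                        "tls": {"mode": "SIMPLE"}, "hosts": ["*"]}]}},
 {"kind": "VirtualService", "metadata": {"name": "my-gateway-service-secure"},
  "spec": {"hosts": ["sub.domaincom"], "gateways": ["my-gateway-secure"],
           "http": [{"route": [{"destination": {"host": "my-mono",
                                                "port": {"number": 443}}}]}]}},
 {"kind": "Service", "metadata": {"name": "my-mono"},
  "spec": {"ports": [{"port": 443, "name": "https", "protocol": "TCP"}]}}
]}
""")

TERMINATING = {"SIMPLE", "MUTUAL"}  # modes where the gateway decrypts the request

def find_mismatches(items):
    """Return (gateway, virtualservice, service, port) for every `http` route that a
    TLS-terminating gateway forwards to a Service port named as HTTPS."""
    by_kind = {}
    for obj in items:
        by_kind.setdefault(obj["kind"], {})[obj["metadata"]["name"]] = obj
    gateways = by_kind.get("Gateway", {})
    services = by_kind.get("Service", {})
    findings = []
    for vs_name, vs in by_kind.get("VirtualService", {}).items():
        for gw_name in vs["spec"].get("gateways", []):
            servers = gateways.get(gw_name, {}).get("spec", {}).get("servers", [])
            if not any(s.get("tls", {}).get("mode") in TERMINATING for s in servers):
                continue  # PASSTHROUGH or plain gateway: nothing is decrypted here
            # Only `http` routes carry decrypted traffic; `tls` routes stay encrypted.
            for rule in vs["spec"].get("http", []):
                for route in rule.get("route", []):
                    dest = route["destination"]
                    number = dest.get("port", {}).get("number")
                    svc = services.get(dest["host"], {})
                    for port in svc.get("spec", {}).get("ports", []):
                        name = port.get("name", "")
                        if port["port"] == number and name.split("-")[0] == "https":
                            findings.append((gw_name, vs_name, dest["host"], number))
    return findings

if __name__ == "__main__":
    for gw, vs, svc, port in find_mismatches(SAMPLE["items"]):
        print(f"{vs}: gateway {gw} terminates TLS, but {svc}:{port} expects HTTPS")
```

Run against the question's objects it reports the one route to `my-mono:443`; with the Gateway switched to `PASSTHROUGH` and the route moved under `tls:`, as in the answer, it reports nothing.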

Published: 2023-08-07 06:42:39
Article link: https://www.elefans.com/category/jswz/34/1317554.html