Kubernetes在AWS上使用ELB终止SSL的HTTP到HTTPS重定向

本文介绍了Kubernetes在AWS上使用ELB终止SSL的HTTP到HTTPS重定向的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在尝试为进入Kubernetes集群的流量设置一个简单的HTTP到HTTPS重定向. SSL终止发生在ELB上.当我尝试使用nginx.ingress.kubernetes.io/ssl-redirect = true时，它会导致无限重定向，这导致我设置了配置映射来处理此问题( nginx入口:启用force-ssl时重定向过多).

I'm trying to set up a simple HTTP to HTTPS redirect for traffic going to a Kubernetes cluster. The SSL termination is happening on the ELB. When I try to use the nginx.ingress.kubernetes.io/ssl-redirect = true it results in an infinite redirect which led me to setting up a config map to handle this (nginx-ingress: Too many redirects when force-ssl is enabled).

现在似乎根本没有重定向发生.

Now there seems to be no redirection happening at all.

我的入口服务定义为:

apiVersion: v1 kind: Service metadata: annotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600" service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...:certificate/... service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https labels: k8s-addon: ingress-nginx.addons.k8s.io name: ingress-nginx namespace: ingress-nginx spec: externalTrafficPolicy: Cluster ports: - name: https port: 443 protocol: TCP targetPort: http - name: http port: 80 protocol: TCP targetPort: http selector: app: ingress-nginx type: LoadBalancer

我的配置映射定义为:

apiVersion: v1 kind: ConfigMap data: client-body-buffer-size: 32M hsts: "true" proxy-body-size: 1G proxy-buffering: "off" proxy-read-timeout: "600" proxy-send-timeout: "600" server-tokens: "false" ssl-redirect: "false" upstream-keepalive-connections: "50" use-proxy-protocol: "true" http-snippet: | server { listen 8080 proxy_protocol; server_tokens off; return 307 $host$request_uri; } metadata: labels: app: ingress-nginx name: nginx-configuration namespace: ingress-nginx --- apiVersion: v1 kind: ConfigMap metadata: name: tcp-services namespace: ingress-nginx --- apiVersion: v1 kind: ConfigMap metadata: name: udp-services namespace: ingress-nginx

而且，入口定义为:

apiVersion: extensions/v1beta1 kind: Ingress metadata: name: gateway-ingress annotations: nginx.ingress.kubernetes.io/cors-allow-credentials: "true" nginx.ingress.kubernetes.io/cors-allow-headers: Authorization, origin, accept nginx.ingress.kubernetes.io/cors-allow-methods: GET, OPTIONS nginx.ingress.kubernetes.io/cors-allow-origin: gateway.example/monitor nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/ssl-redirect: "false" spec: rules: - host: gateway.example http: paths: - backend: serviceName: gateway servicePort: 8080 path: / tls: - hosts: - gateway.example

推荐答案

问题是我在负载均衡器上使用的目标端口与重定向服务器正在侦听的端口不匹配:

The issue was the target port I was using on the load balancer not matching the port the redirection server was listening on:

ports: - name: http port: 80 protocol: TCP targetPort: http

这只是将所有内容发送到端口80.应该是这样:

This was just sending everything to port 80. It should have been this:

ports: - name: http port: 80 protocol: TCP targetPort: 8080

这样，它与ConfigMap的匹配:

That way it matches up with the ConfigMap's:

data: ... http-snippet: | server { listen 8080 proxy_protocol; server_tokens off; return 307 $host$request_uri; }