使用Traefik和GCE入口获取HTTPS
我追求的是一个非常简单的要求——但似乎不可能让Traefik在外部负载平衡器后面将流量从HTTP重定向到HTTPS 这是我的GCE入门使用Traefik和GCE入口获取HTTPS,https,kubernetes,google-kubernetes-engine,traefik,traefik-ingress,Https,Kubernetes,Google Kubernetes Engine,Traefik,Traefik Ingress,我追求的是一个非常简单的要求——但似乎不可能让Traefik在外部负载平衡器后面将流量从HTTP重定向到HTTPS 这是我的GCE入门 apiVersion: extensions/v1beta1 kind: Ingress metadata: namespace: platform name: public-ingress annotations: kubernetes.io/ingress.global-static-ip-name: "kubernetes-cluste
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: platform
name: public-ingress
annotations:
kubernetes.io/ingress.global-static-ip-name: "kubernetes-cluster-dev-ip"
kubernetes.io/ingress.class: "gce"
ingress.gcp.kubernetes.io/pre-shared-cert: "application-dev-ssl,application-dev-graphql-ssl"
spec:
backend:
serviceName: traefik-ingress-service
servicePort: 80
从HTTP接收流量,然后转发到Traefik端口80
我最初尝试使用Traefik方式重定向匹配此配置的架构:
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
但很明显,由于负载平衡器总是将流量代理到Traefik端口80,因此会进入无限重定向循环
GCE建议的简单解决方案正是让这项工作发挥作用的方法
能够检查http_x_forwarded_proto头并基于此重定向
Nginx当量
# Replace '_' with your hostname.
server_name _;
if ($http_x_forwarded_proto = "http") {
return 301 https://$host$request_uri;
}
有人能告诉我用Traefik处理这个问题的最好方法吗 总而言之,您有一个GCE L7(第7层)负载平衡器代理Traefik中的另一个L7负载平衡器,您可以使用它来代理另一个后端服务。看起来你有这样的东西:
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTP 80
=> Infinite loop
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTP 443
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTPS service
=> Service forward to Traefik port 443
你需要有这样的东西:
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTP 80
=> Infinite loop
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTP 443
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTPS service
=> Service forward to Traefik port 443
如果Traefik根据http\u x\u forwarded\u proto
的值重定向到HTTPS,则任何地方都没有记录,但这是一般假设。在任何情况下,ingres
对HTTPS后端一无所知(您没有指定如何配置HTTPS GCE LB端点)
您可以看到,它记录了如何让GCE LB直接创建直接转发到HTTPS后端的HTTPS端点。基本上,您可以尝试将service.alpha.kubernetes.io/app protocols
注释添加到HTTPS Traefik服务:
apiVersion: v1
kind: Service
metadata:
name: traefik-https
annotations:
service.alpha.kubernetes.io/app-protocols: '{"my-https-port":"HTTPS"}'
labels:
app: echo
spec:
type: NodePort
ports:
- port: 443
protocol: TCP
name: my-https-port
selector:
app: traefik
所以你会有这样的想法:
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTP 80
=> Infinite loop
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTP 443
GCE L7 LB HTTP 80
=> Forwarded to Traefik HTTP 80
=> Redirect initial request to HTTPS 443
=> The client thinks it needs to talk to GCE L7 LB HTTPS 443
=> GCE L7 LB HTTP 443
=> Forwarded to Traefik HTTPS service
=> Service forward to Traefik port 443
希望这有帮助。我认为问题中的traefik不监听443,也不终止SSL,即没有https后端。如问题中的链接所述,目的是检查
http\u x\u forwarded\u proto
,并根据检查结果进行(或不进行)重定向,即如果它等于“http”,则进行重定向,而不以其他方式重定向。您最终是如何解决此问题的?