Kubernetes nginx ingress returns the default backend on https requests (Kubernetes, Nginx Ingress, Azure AKS)


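My AKS is accessible through an nginx ingress. Everything works with https, but since I use https, nginx is not able to match any route and uses the default backend.

I am using Kubernetes version 1.15. I changed the domain to example.com and the IP to 51.000.000.128. The SSL certificate is signed by an external provider (digicert).

Ingress controller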

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
Ingress service

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
http://51.000.000.128/app1 => working
https://51.000.000.128/app1 => working but unsecure (browser use http)
example.com => not working (404 Not Found by nginx | default backend)
ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: ingress-nginx
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - kp-user'
spec:
  tls:
  - hosts:
    - example.com
    secretName: ssl-secret
  rules:
  - host: example.com
  - http:
      paths:
      - path: /app1(/|$)(.*)
        backend:
          serviceName: app1-service
          servicePort: 80
      - path: /app2(/|$)(.*)
        backend:
          serviceName: app2-service
          servicePort: 80
The ingress is running:

$ kubectl -n ingress-nginx get ing
NAME            HOSTS           ADDRESS          PORTS     AGE
nginx-ingress   example.com     51.000.000.128   80, 443   43h
And the ingress description:

$ kubectl describe ingress nginx-ingress --namespace=ingress-nginx
Name:             nginx-ingress
Namespace:        ingress-nginx
Address:          51.000.000.128
Default backend:  default-http-backend:80 (<none>)
TLS:
  ssl-secret terminates example.com
Rules:
  Host  Path  Backends
  ----  ----  --------
  *
        /app1(/|$)(.*)   app1-service:80 (10.244.1.10:80,10.244.2.11:80)
        /app2(/|$)(.*)   app2-service:80 (10.244.1.12:80,10.244.2.13:80)
Annotations:
  nginx.ingress.kubernetes.io/rewrite-target:        /$2
  nginx.ingress.kubernetes.io/ssl-passthrough:       true
  nginx.ingress.kubernetes.io/ssl-redirect:          false
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/auth-realm":"Authentication Required - kp-user","nginx.ingress.kubernetes.io/auth-secret":"basic-auth","nginx.ingress.kubernetes.io/auth-type":"basic","nginx.ingress.kubernetes.io/rewrite-target":"/$2","nginx.ingress.kubernetes.io/ssl-passthrough":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false"},"name":"nginx-ingress","namespace":"ingress-nginx"},"spec":{"rules":[{"host":"example.com"},{"http":{"paths":[{"backend":{"serviceName":"app1-service","servicePort":80},"path":"/app1(/|$)(.*)"},{"backend":{"serviceName":"app2-service","servicePort":80},"path":"/app2(/|$)(.*)"}]}}],"tls":[{"hosts":["example.com"],"secretName":"ssl-secret"}]}}

  kubernetes.io/ingress.class:              nginx
  nginx.ingress.kubernetes.io/auth-realm:   Authentication Required - kp-user
  nginx.ingress.kubernetes.io/auth-secret:  basic-auth
  nginx.ingress.kubernetes.io/auth-type:    basic
Events:                                     <none>
When I access the page through the domain, the ingress controller recognizes it:

$ sudo kubectl logs nginx-ingress-controller-799dbf6fbd-bbxdp -n ingress-nginx

// https request
165.000.00.000 - - [05/Dec/2019:12:26:40 +0000] "GET /app1 HTTP/1.1" 308 177 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 500 0.000 [upstream-default-backend] [] - - - - 323deb61e1babdbca2006844d268b1ce
165.000.00.000 - - [05/Dec/2019:12:26:40 +0000] "GET /app1 HTTP/2.0" 404 179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 306 0.001 [upstream-default-backend] [] 127.0.0.1:8181 190 0.000 404 d0cae28ba059531c78bffff38de2a84d
165.000.00.000 - - [05/Dec/2019:12:26:55 +0000] "GET /app1 HTTP/2.0" 404 179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 44 0.000 [upstream-default-backend] [] 127.0.0.1:8181 190 0.000 404 db153c080e0116f8b730508b5ae0b0f3

// http request
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1 HTTP/1.1" 200 550 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 501 0.004 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 1116 0.000 200 01beb82bb5173e7b0392660a9325c222
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/styles.66c87fc4c5e0902762b4.css HTTP/1.1" 200 10401 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 439 0.001 [ingress-nginx-app1-service-80] [] 10.244.2.11:80 70796 0.000 200 d367dfc0ae4db08c54dc6b0cb96e1f55
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/polyfills-es2015.80abe0a50bdacb904507.js HTTP/1.1" 200 12933 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 464 0.002 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 37277 0.000 200 a2a4cd368a4badf1b6d2b202cf3958c5
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/runtime-es2015.cd056c32d7e60bda4f6b.js HTTP/1.1" 200 1499 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 462 0.000 [ingress-nginx-app1-service-80] [] 10.244.2.11:80 2728 0.000 200 f34c880d21f0172eeee3cc4f058c52a7
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/main-es2015.2bb12b52c456e81e18a1.js HTTP/1.1" 200 164595 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 459 0.029 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 566666 0.028 200 7375f5092851e8407fe299c36c8a1b13
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/18-es2015.b5bfc8f7102d1318aebc.js HTTP/1.1" 200 554 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 426 0.002 [ingress-nginx-app1-service-80] [] 10.244.2.11:80 973 0.000 200 92e549e50e5ab6df5d456b31a8a34d8a
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/assets/logo.svg HTTP/1.1" 200 2370 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 443 0.003 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 4717 0.000 200 c2503ed57519784af2988b70861302ec
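As far as I can see, the request for my domain is working. For whatever reason, the ingress controller cannot find the ingress with / over https. What am I doing wrong?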

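Problem 1:

It should be related to your nginx.ingress.kubernetes.io/ssl-passthrough: "true" configuration.

If ssl passthrough is enabled, the nginx ingress will not try to decrypt the traffic for you. It passes the traffic straight through to the target service, which decrypts it. That way, path-based routing will not work, because the path is in fact also encrypted. In addition, since the nature of the request is basically not touched, none of the other nginx ingress annotations will be ignored.

If this is not what you want, remove the ssl passthrough configuration and let the nginx ingress terminate HTTPS for you.

For further reading, see the following: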

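Problem 2:

In the ingress configuration, under spec => rules, there should not be a - before the http tag. Adding the - applies the path routing to all hosts, not only to the example.com route. It should conflict with the tls configuration, which applies tls only to the example.com host.

Please have a look at this link: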
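Comments:

Is example.eon.com in your tests a typo?

Sorry, copy error. It is example.com. I fixed it.

The only difference from this tutorial is that I use a specific namespace instead of the default namespace. I changed that, but it still does not work. Is there another way to debug this?

I removed ssl passthrough, but unfortunately it still does not work.

I found the solution. I removed the "-" in front of http (spec.rules). Do you know what the difference is?

Oh, glad you found it. The difference is that without the "-", the routing is applied to all routes. With the "-", it applies only to the "example.com" route. Both this and the ssl passthrough configuration cause the wrong behaviour of the cluster.

That makes sense. It would be great if you could adjust your answer. Then I will accept it for others.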