访问部署在kubernetes上的istio特使时,Nginx坏网关502
我的web应用程序运行在一台服务器和两个工作节点上 我的nginx配置文件是 服务器{访问部署在kubernetes上的istio特使时,Nginx坏网关502,nginx,kubernetes,istio,Nginx,Kubernetes,Istio,我的web应用程序运行在一台服务器和两个工作节点上 我的nginx配置文件是 服务器{ listen ip-address:80 ; server_name subdomain.domain.com; server_name www.subdomain.domain.com; server_name ipv4.subdomain.domain.com; location / { proxy_pass http://ip-address:32038/; proxy_
listen ip-address:80 ;
server_name subdomain.domain.com;
server_name www.subdomain.domain.com;
server_name ipv4.subdomain.domain.com;
location / {
proxy_pass http://ip-address:32038/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
fastcgi_read_timeout 3000;
}
listen ip-address:443 ssl http2;
server_name subdomain.domain.com;
server_name www.subdomain.domain.com;
server_name ipv4.subdomain.domain.com;
ssl_certificate /opt/psa/var/certificates/scf83NyxP;
ssl_certificate_key /opt/psa/var/certificates/scf83NyxP;
ssl_client_certificate /opt/psa/var/certificates/scfrr8L8y;
proxy_read_timeout 60;
location / {
proxy_pass https://ip-address:30588/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen ip-address:80 ;
server_name subdomain.domain.com;
server_name www.subdomain.domain.com;
server_name ipv4.subdomain.domain.com;
location / {
proxy_pass http://ip-address:32038/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
fastcgi_read_timeout 3000;
}
listen ip-address:443 ssl http2;
server_name subdomain.domain.com;
server_name www.subdomain.domain.com;
server_name ipv4.subdomain.domain.com;
ssl_certificate /opt/psa/var/certificates/scf83NyxP;
ssl_certificate_key /opt/psa/var/certificates/scf83NyxP;
ssl_client_certificate /opt/psa/var/certificates/scfrr8L8y;
proxy_read_timeout 60;
location / {
proxy_pass https://ip-address:30588/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
谢谢在不了解后端服务的情况下,我猜它可能没有配备HTTPS。您可能只需要更改这一行
proxy_pass https://ip-address:30588/;
如果后端服务确实需要通过https调用(不常见),那么我们需要查看该服务的配置情况,因为nginx错误表明它没有正确处理SSL连接。当您从主机退出时会发生什么?Http,而不是https。502通常意味着nginx无法联系proxy\u pass地址。nginx日志是否有帮助?nginx日志文件中发现以下错误*1 SSL握手时对等方关闭连接(104:由对等方重置连接),客户端:workernode ip,服务器:subdomain.mydomain.com,请求:“HEAD/HTTP/2.0”,上游:,,主机:“subdomain.mydomain.com”可能代理传递到HTTP,不是https。正常情况下,nginx将终止ssl,然后通过http调用后端。是的,它正在终止ssl并调用后端。这是nginx的默认行为还是有任何解决方法因为后端显然也需要通过https调用,那么您需要在proxy_pass中使用正确的主机名。Nginx实际上是直接与后端建立另一个https连接,因此主机名必须与ssl证书的通用名称相匹配。但还是同样的错误。谢谢你调查这个问题。在主节点的终端上运行以下命令时,仍然可以看到我的网站结果curl-v-HHost:subdomain.mydomain.com--resolve subdomain.mydomain.com:30588:ip地址--cacert/opt/psa/var/certificates/scf83NyxP,如果端口30588上的服务是https,然后需要更改代理传递配置以使用正确的域名。