GKE Nginx入口-设置主机导致400无需SSL证书
我在GKE 1.16.13-GKE.401中使用nginx入口 我的配置GKE Nginx入口-设置主机导致400无需SSL证书,nginx,google-kubernetes-engine,kubernetes-ingress,nginx-ingress,Nginx,Google Kubernetes Engine,Kubernetes Ingress,Nginx Ingress,我在GKE 1.16.13-GKE.401中使用nginx入口 我的配置 apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: api-ingress namespace: development annotations: nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/backend
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: api-ingress
namespace: development
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
kubernetes.io/ingress.class: "nginx"
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates
nginx.ingress.kubernetes.io/auth-tls-secret: "development/client-cert-api-ingress"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
# Automatically redirect http to https
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# Use regex in paths
nginx.ingress.kubernetes.io/use-regex: "true"
# For notifications we add the proxy headers
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
spec:
tls:
- hosts:
- example.com
secretName: api-tls-certificate
rules:
- host: example.com
http:
paths:
- path: /(.*)
backend:
serviceName: v2-api-frontend
servicePort: 443
Nginx控制器配置:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingressnginx/controller-v0.40.2/deploy/static/provider/cloud/deploy.yaml
问题
调用curl-k--cert my-cert.pem--key my-cert.keyhttps://MY_IP/ --当指定了rules.Host
时,标题“Host:example.com”
不起作用
如果我正在指定规则。主机服务器以
400错误请求
未发送所需的SSL证书
如果我没有指定rules.host
的话,curl可以正常工作
我怎样才能解决这个问题
编辑1:
似乎是我签发的自签名客户端证书导致了问题
使用以下脚本创建:
#!/bin/bash
# USE: ./build-client-cert.sh <CERTNAME> <EXPR_DAYS>
# How to generate client certificate
# based on https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.req
openssl x509 -req -in client.req -CA rootCA.crt -CAkey rootCA.key -set_serial 101 -extensions client -days $2 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out $1.p12
rm client.key client.cer client.req
#!/bin/bash
# https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
如果忽略ssl检查,输出是什么<代码>curl-IL“Host:example.com”https://MY_IP -k
?HTTP/2400日期:周二,2020年10月20日11:54:26 GMT内容类型:text/html内容长度:230有趣的是你说:如果你不指定规则。主机
一切正常。那么证书是与example.com
一起颁发的?这是自我暗示吗?请提供更多详细信息。它是自签名的。似乎是我颁发的客户端证书导致了这个问题。使用cloudflare客户端证书可以正常工作。我将添加用于创建有问题的客户端证书的代码。@KoopaKillerCoul请告诉我您是如何创建证书和CA的机密的?