Kubernetes ingress nginx preserve source IP

Tags: nginx, networking, kubernetes, haproxy, devops

I have a VM sitting in front of the cluster. It currently runs HAProxy (with use-proxy-protocol: "true"). My end goal is for the pod associated with the default backend to be able to read the actual source client IP.

Here are sample logs with use-proxy-protocol enabled:

10.244.0.0 - [10.244.0.0] - - [10/Jan/2018:23:06:42 +0000] "GET /platform/ping HTTP/1.1" 200 16 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7" 367 0.002 [upstream-default-backend] 10.244.3.101:80 16 0.002 200
10.244.0.0 - [10.244.0.0] - - [10/Jan/2018:23:06:59 +0000] "GET /platform/ping HTTP/1.1" 200 16 "-" "curl/7.54.0" 91 0.074 [upstream-default-backend] 10.244.3.101:80 16 0.074 200
10.244.0.0 - [10.244.0.0] - - [10/Jan/2018:23:09:51 +0000] "PROXY TCP4 127.0.0.1 127.0.0.1 43088 80" 400 173 "-" "-" 0 0.001 [] - - - -
10.244.0.0 - [10.244.0.0] - - [10/Jan/2018:23:09:59 +0000] "PROXY TCP4 127.0.0.1 127.0.0.1 43092 80" 400 173 "-" "-" 0 0.001 [] - - - -
10.244.0.0 - [10.244.0.0] - - [10/Jan/2018:23:10:09 +0000] "PROXY TCP4 127.0.0.1 127.0.0.1 43096 80" 400 173 "-" "-" 0 0.002 [] - - - -
I0110 23:11:42.050971       5 controller.go:211] backend reload required
I0110 23:11:42.054732       5 event.go:218] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"ingress-nginx", Name:"nginx-configuration", UID:"7539f546-f599-11e7-bee6-fa163e2f1153", APIVersion:"v1", ResourceVersion:"127044", FieldPath:""}): type: 'Normal' reason: 'UPDATE' ConfigMap ingress-nginx/nginx-configuration
I0110 23:11:42.138901       5 controller.go:220] ingress backend successfully reloaded...
127.0.0.1 - [127.0.0.1] - - [10/Jan/2018:23:11:56 +0000] "GET /platform/ping HTTP/1.1" 200 16 "-" "curl/7.47.0" 86 0.003 [upstream-default-backend] 10.244.3.101:80 16 0.003 200
142.xx.xxx.xx - [142.xx.xxx.xx] - - [10/Jan/2018:23:15:50 +0000] "GET / HTTP/1.1" 500 21 "-" "curl/7.47.0" 78 0.020 [upstream-default-backend] 10.244.3.101:80 21 0.020 500
142.xx.xxx.xx - [142.xx.xxx.xx] - - [10/Jan/2018:23:16:02 +0000] "GET /platform/bitcoin HTTP/1.1" 200 45 "-" "curl/7.47.0" 94 0.165 [upstream-default-backend] 10.244.3.101:80 45 0.165 200
216.249.49.20 - [216.249.49.20] - - [10/Jan/2018:23:16:16 +0000] "GET / HTTP/1.1" 500 21 "-" "curl/7.54.0" 78 0.002 [upstream-default-backend] 10.244.3.101:80 21 0.002 500
216.249.49.20 - [216.249.49.20] - - [10/Jan/2018:23:16:30 +0000] "GET /platform/bitcoin HTTP/1.1" 200 45 "-" "curl/7.54.0" 94 0.002 [upstream-default-backend] 10.244.3.101:80 45 0.002 200
216.249.49.20 - [216.249.49.20] - - [10/Jan/2018:23:16:43 +0000] "GET /platform/bitcoin HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7" 370 0.049 [upstream-default-backend] 10.244.3.101:80 45 0.049 200
216.249.49.20 - [216.249.49.20] - - [10/Jan/2018:23:16:44 +0000] "GET /favicon.ico HTTP/1.1" 404 9 "http://142.xx.xxx.xx/platform/bitcoin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7" 324 0.013 [upstream-default-backend] 10.244.3.101:80 9 0.013 404
216.249.49.20 - [216.249.49.20] - - [10/Jan/2018:23:17:04 +0000] "GET /platform/bitcoin HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7" 370 0.002 [upstream-default-backend] 10.244.3.101:80 45 0.002 200
216.249.49.20 - [216.249.49.20] - - [10/Jan/2018:23:17:07 +0000] "GET /platform/ping HTTP/1.1" 200 16 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7" 367 0.002 [upstream-default-backend] 10.244.3.101:80 16 0.002 200
216.249.49.20 - [216.249.49.20] - - [10/Jan/2018:23:17:56 +0000] "GET /platform/ping HTTP/1.1" 200 16 "-" "curl/7.54.0" 91 0.002 [upstream-default-backend] 10.244.3.101:80 16 0.002 200
Logs from 1/10/18 10:17 PM to 1/10/18 11:17 PM UTC
142.xx.xxx.xx is the IP of the HAProxy VM

216.249.49.20 is an external IP at my university. As you can see, with use-proxy-protocol "true" the ingress pod can read the external IP passed on by HAProxy.

But when I curl the HAProxy VM's address, I get:

demonfuse@Williams-MacBook-Pro ~/N/K/NGINX> curl 142.xx.xxx.xx/platform/ping
pong2 10.244.2.6   
10.244.2.6 is the IP of the ingress pod. I believe ingress nginx holds the real source IP at this point.

Is there a way, via configmaps, to forward the headers and the real source IP to the pods behind ingress nginx? As far as I know most of this should be on by default.

How to reproduce

  • Install ingress nginx on a fresh cluster following the guide
  • Redirect traffic from HAProxy/an external load balancer to ingress nginx
  • Go script
  • Details below:

    package main

    import (
        "fmt"

        "github.com/kataras/iris"
        "github.com/kataras/iris/context"
        //...
    )

    func main() {
        app := iris.New()
        // Echo back whatever address the framework reports as the remote peer.
        app.Get("/platform/ping", func(ctx context.Context) {
            fmt.Println("connected with " + ctx.RemoteAddr() + "!")
            ctx.WriteString("pong2 " + ctx.RemoteAddr())
        })

        //...

        app.Run(iris.Addr(":80"), iris.WithoutServerError(iris.ErrServerClosed))
    }
    
    Additional information:

    Environment:
    Internet -> private HAProxy VM -> bare-metal OVH K8S cluster (1 master, 2 workers)

    configmap.yaml

    apiVersion: v1
    data:
      proxy-set-headers: "ingress-nginx/custom-headers"
      use-proxy-protocol: "true"
    kind: ConfigMap
    metadata:
      name: nginx-configuration
      namespace: ingress-nginx
      labels:
        app: ingress-nginx
    
    custom-headers.yaml

    apiVersion: v1
    data:
      X-Forwarded-For: "142.xx.xxx.xxx"
    kind: ConfigMap
    metadata:
      name: custom-headers
      namespace: ingress-nginx
    
    haproxy config

    global
       maxconn 4096
       log 127.0.0.1 local0 notice
       maxconn 2000
       user haproxy
       group haproxy
    
    defaults
       log   global
       mode   http
       retries   3
       option redispatch
       maxconn   2000
       timeout connect 5000
       timeout client  50000
       timeout server  50000
    
    frontend TestServerTest
        bind 142.xx.xxx.xxx:80
        mode tcp
        default_backend TestServernodes
    
    backend TestServernodes
        mode tcp
        server TestServer01 142.xx.xxx.xxx:80 send-proxy
    
    Where and how did I go wrong


    I have tried setting X-Forwarded-For to the internal ingress pod IP, to the external IP associated with the ingress service, and to the public IP of the HAProxy VM. So far, curling HAProxy's external IP still returns
    pong2 10.244.2.6
    (the internal IP of the ingress pod)
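The log excerpt above shows both halves of the proxy-protocol handshake going wrong and right: before the ConfigMap reload, lines arriving as "PROXY TCP4 ..." were answered with 400 because nginx parsed them as an HTTP request line; after the reload, the external address appears in the first column. The following Go program is an added example, not code from this question or from ingress-nginx or HAProxy, that parses a PROXY protocol v1 line the way a receiver configured for it must, and shows what happens to the same bytes when the receiver is not expecting the header. The addresses 203.0.113.7 (client) and 198.51.100.10 (stand-in for the HAProxy VM) and the sample request text are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strconv"
	"strings"
)

// ProxyHeader holds the fields of a PROXY protocol v1 line such as
// "PROXY TCP4 203.0.113.7 198.51.100.10 43088 80\r\n", the text form
// HAProxy emits for a server configured with send-proxy.
type ProxyHeader struct {
	Family           string // TCP4, TCP6 or UNKNOWN
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
}

// maxV1HeaderLen is the longest v1 header the protocol allows, CRLF included.
const maxV1HeaderLen = 107

// ParseProxyV1 consumes exactly one v1 header line from br; everything after
// the CRLF is left in the reader for the HTTP parser.
func ParseProxyV1(br *bufio.Reader) (*ProxyHeader, error) {
	line, err := br.ReadString('\n')
	if err != nil {
		return nil, fmt.Errorf("reading PROXY header: %w", err)
	}
	if len(line) > maxV1HeaderLen || !strings.HasSuffix(line, "\r\n") {
		return nil, errors.New("malformed PROXY v1 header: too long or missing CRLF")
	}
	fields := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if fields[0] != "PROXY" || len(fields) < 2 {
		return nil, errors.New("not a PROXY v1 header")
	}
	if fields[1] == "UNKNOWN" {
		// The sender could not determine the original addresses; keep the peer.
		return &ProxyHeader{Family: "UNKNOWN"}, nil
	}
	if len(fields) != 6 || (fields[1] != "TCP4" && fields[1] != "TCP6") {
		return nil, errors.New("malformed PROXY v1 header: bad family or field count")
	}
	src, dst := net.ParseIP(fields[2]), net.ParseIP(fields[3])
	if src == nil || dst == nil || (fields[1] == "TCP4" && (src.To4() == nil || dst.To4() == nil)) {
		return nil, errors.New("malformed PROXY v1 header: bad address")
	}
	sport, err1 := strconv.Atoi(fields[4])
	dport, err2 := strconv.Atoi(fields[5])
	if err1 != nil || err2 != nil || sport < 0 || sport > 65535 || dport < 0 || dport > 65535 {
		return nil, errors.New("malformed PROXY v1 header: bad port")
	}
	return &ProxyHeader{Family: fields[1], SrcIP: src, DstIP: dst, SrcPort: sport, DstPort: dport}, nil
}

// ReadClientIP models what a server does with the first bytes of a new
// connection from peer. With proxy protocol enabled it consumes the PROXY
// line and takes the client address from it; with it disabled the same bytes
// go straight to the HTTP parser, which rejects "PROXY TCP4 ..." as a
// malformed request line, exactly the 400s seen in the log above.
func ReadClientIP(raw, peer string, useProxyProtocol bool) (string, error) {
	br := bufio.NewReader(strings.NewReader(raw))
	clientIP := peer
	if useProxyProtocol {
		hdr, err := ParseProxyV1(br)
		if err != nil {
			return "", err
		}
		if hdr.Family != "UNKNOWN" {
			clientIP = hdr.SrcIP.String()
		}
	}
	if _, err := http.ReadRequest(br); err != nil {
		return "", fmt.Errorf("400 Bad Request: %w", err)
	}
	return clientIP, nil
}

// Constructed sample connections: 203.0.113.7 is the real client and
// 198.51.100.10 stands in for the HAProxy VM that prepends the PROXY line.
const (
	WithProxyLine = "PROXY TCP4 203.0.113.7 198.51.100.10 43088 80\r\n" + PlainRequest
	PlainRequest  = "GET /platform/ping HTTP/1.1\r\nHost: 198.51.100.10\r\n\r\n"
)

func main() {
	for _, c := range []struct {
		raw, peer string
		proxy     bool
	}{
		{WithProxyLine, "198.51.100.10", true},  // HAProxy send-proxy, nginx use-proxy-protocol: true
		{WithProxyLine, "198.51.100.10", false}, // header sent but not expected -> 400
		{PlainRequest, "10.244.0.0", true},      // header expected but absent -> broken header
	} {
		ip, err := ReadClientIP(c.raw, c.peer, c.proxy)
		fmt.Printf("proxy=%-5v peer=%-14s -> client=%q err=%v\n", c.proxy, c.peer, ip, err)
	}
}
```

The two settings have to match on both ends: send-proxy in HAProxy without use-proxy-protocol in nginx produces the 400s in the log, and use-proxy-protocol without send-proxy (or a client connecting to the ingress directly) fails in the other direction, since the HTTP request line is not a valid PROXY header.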

    I found it! The problem lies in the Iris web framework and has almost nothing to do with ingress nginx.

    The solution is to manually read the remote headers in ctx.Application().ConfigurationReadOnly().GetRemoteAddrHeaders(). By default, the Iris framework does not check X-Forwarded-For or X-Real-Ip.


    Hope this is useful for anyone running a reverse proxy in front of Kubernetes.
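The answer's fix makes the application read X-Forwarded-For / X-Real-Ip, which ingress-nginx populates from the address it learned over the proxy protocol. The added example below, written against Go's standard net/http rather than Iris and not taken from the answer or the Iris project, shows the same header lookup with the check a backend should have: the headers are believed only when the TCP peer is one of the known proxies, and the chain is walked from the right so that hops a client writes into the header itself are never reported as the source. The TrustedProxies ranges (10.244.0.0/16, the pod network visible in the logs above, and 198.51.100.10/32 as a stand-in for the HAProxy VM), the NewRequest helper and the sample addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TrustedProxies lists the hops allowed to set X-Forwarded-For. Constructed
// for this example: the pod network the ingress controller runs in (seen in
// the logs above) and a stand-in address for the HAProxy VM. In production
// this comes from configuration, never from the request.
var TrustedProxies = mustCIDRs("10.244.0.0/16", "198.51.100.10/32")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to report as the client. The TCP peer is the
// only fact the server knows for certain; X-Forwarded-For is consulted only
// when that peer is a known proxy, and it is walked from the right so that
// hops prepended by the client itself are never believed.
func ClientIP(r *http.Request, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrusted(peer, trusted) {
		return host // direct client or unknown proxy: headers are ignored
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		candidate := net.ParseIP(strings.TrimSpace(hops[i]))
		if candidate == nil {
			break // unparseable hop: stop rather than guess
		}
		if !isTrusted(candidate, trusted) {
			return candidate.String()
		}
	}
	return host // header absent or every hop was one of our own proxies
}

// NewRequest builds a request the way the ingress pod would deliver it to
// the backend; it is a hypothetical helper for the demonstration, not an API.
func NewRequest(remoteAddr, xff string) *http.Request {
	r := httptest.NewRequest("GET", "/platform/ping", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func pingHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "pong2 %s\n", ClientIP(r, TrustedProxies))
}

func main() {
	// Offline walkthrough first, then the same handler served for real.
	fmt.Println(ClientIP(NewRequest("10.244.2.6:51000", "203.0.113.7, 198.51.100.10"), TrustedProxies))
	fmt.Println(ClientIP(NewRequest("203.0.113.7:4000", "192.0.2.1"), TrustedProxies))
	http.HandleFunc("/platform/ping", pingHandler)
	log.Fatal(http.ListenAndServe(":80", nil))
}
```

With the page's setup (HAProxy in tcp mode with send-proxy, ingress-nginx with use-proxy-protocol: "true") the backend pod sees the ingress pod as its peer and a single-entry X-Forwarded-For, so the walk returns that entry; a client that reaches the pod directly, or stuffs extra addresses into the header, still gets reported by its real peer address.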

    Is haproxy configured as a tcp or an http/https proxy? And which source IPs show up in ingress nginx's access log?

    @Nickolay tcp (see the attached haproxy config)

    @Nickolay
    216.249.49.12 - [216.249.49.12] - - [11/Jan/2018:20:59:00 +0000] "GET /platform/ping HTTP/1.1" 200 16 "-" "curl/7.54.0" 91 0.003 [upstream-default-backend] 10.244.3.101:80 16 0.003 200
    216.249.49.12 is the client's source ip, 10.244.3.101 is the ip of the default backend pod