Getting "max redirects" when upgrading to nginx 3.11.1 (tags: ssl, kubernetes, ingress-nginx)

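I have a Kubernetes cluster running in AWS, and I am upgrading various components. Internally, we are using NGINX, currently at v1.1.1 of the nginx-ingress chart, with the following configuration: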

controller:
  publishService:
    enabled: "true"
  replicaCount: 3
  service:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: '*.MY.TOP.LEVEL.DOMAIN'
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: [SNIP]
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    targetPorts:
      http: http
      https: http

My service's ingress resource looks like:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  [SNIP]
spec:
  rules:
  - host: MY-SERVICE.MY.TOP.LEVEL.DOMAIN
    http:
      paths:
      - backend:
          serviceName: MY-SERVICE
          servicePort: 80
        path: /
status:
  loadBalancer:
    ingress:
    - hostname: [SNIP]
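
This configuration works just fine; however, when I upgrade to v3.11.1 of the ingress-nginx chart and use the unmodified configuration, a curl to the HTTPS scheme redirects back to itself: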

curl -v https://MY-SERVICE.MY.TOP.LEVEL.DOMAIN/INTERNAL/ROUTE
*   Trying W.X.Y.Z...
* TCP_NODELAY set
* Connected to MY-SERVICE.MY.TOP.LEVEL.DOMAIN (W.X.Y.Z) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.MY.TOP.LEVEL.DOMAIN
*  start date: Aug 21 00:00:00 2020 GMT
*  expire date: Sep 20 12:00:00 2021 GMT
*  subjectAltName: host "MY-SERVICE.MY.TOP.LEVEL.DOMAIN" matched cert's "*.MY.TOP.LEVEL.DOMAIN"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> GET INTERNAL/ROUTE HTTP/1.1
> Host: MY-SERVICE.MY.TOP.LEVEL.DOMAIN
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 308 Permanent Redirect
< Content-Type: text/html
< Date: Wed, 28 Apr 2021 19:07:57 GMT
< Location: https://MY-SERVICE.MY.TOP.LEVEL.DOMAIN/INTERNAL/ROUTE
< Content-Length: 164
< Connection: keep-alive
< 
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host MY-SERVICE.MY.TOP.LEVEL.DOMAIN left intact
* Closing connection 0

Then:

config:
  compute-full-forwarded-for: "true"
  use-forwarded-headers: "true"
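
These did not seem to make a difference. It was the middle of the day, so I wasn't able to dive in too far before rolling back.

What should I be looking at, and how can I debug this?

Update:

I wish I had posted a complete copy of the updated configuration, because I would have noticed that I had not correctly applied the change to add config.compute-full-forwarded-for: true. It needs to be inside the controller block, and I had put it somewhere else.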


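Once the compute-full-forwarded-for: true config was added, everything immediately started working.

This is a community wiki answer posted for better visibility. Feel free to expand it.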


As confirmed by @object88, the issue was a misconfiguration: config.compute-full-forwarded-for: true was located in the wrong block. Adding it to the controller block solved the issue.
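
The fix described in the update and in the answer, written out as a complete values file. This is an added example, not the asker's actual file: the "before" placement (top level of the values file) is an assumption based on how the snippet appears in the question, and every other key is copied from the question.

```yaml
# values.yaml for the ingress-nginx chart (v3.11.1 in the question).
# Added example; only the placement of `config` differs from the question.

# --- Before (assumed placement): `config` at the top level ---
# A values key that the chart's templates do not read has no effect, so
# these two options never reach the controller's ConfigMap.
#
# config:
#   compute-full-forwarded-for: "true"
#   use-forwarded-headers: "true"

# --- After: `config` nested inside the `controller` block ---
controller:
  # controller.config is what the chart renders into the controller ConfigMap.
  # use-forwarded-headers makes NGINX trust incoming X-Forwarded-* headers,
  # so enable it only when every request arrives through a trusted L7
  # load balancer, as with the ELB configured below.
  config:
    compute-full-forwarded-for: "true"
    use-forwarded-headers: "true"
  publishService:
    enabled: "true"
  replicaCount: 3
  service:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: '*.MY.TOP.LEVEL.DOMAIN'
      # TLS terminates at the ELB (ssl-cert + ssl-ports) and the backend
      # protocol is plain HTTP: the setup the forwarded-header options
      # above are meant for.
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "[SNIP]"  # elided on the page
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    targetPorts:
      # Both listeners forward to the controller's HTTP port.
      http: http
      https: http
```

After applying the values, the two keys should appear in the data section of the controller's ConfigMap; if they do not, the block is still in the wrong place.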

What happens if you curl with the -L option so that it follows the redirect? Does it redirect you forever?