Kubernetes Ingress not working over https/ssl
I installed Ingress in my Kubernetes cluster. I deployed everything on AWS EC2 instances, with a classic load balancer in front of the Ingress controller. I can reach the services over the http port, but I cannot reach them over https. I bought a valid domain from GoDaddy and got an AWS SSL certificate for it from GoDaddy. The load balancer listener configuration looks like this. I modified the Ingress NGINX service (added the certificate ARN). Ingress rule:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: practice-ingress
  namespace: practice
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: kdhut.com
    http:
      paths:
      - backend:
          serviceName: customer-service
          servicePort: 9090
        path: /customer
      - backend:
          serviceName: prac-service
          servicePort: 8000
        path: /prac
I can reach the services over http, but https does not work.
I tried curl:
curl -v https://kdhut.com -H 'Host: kdhut.com'
* Rebuilt URL to: https://kdhut.com/
* Trying 3.12.176.17...
* TCP_NODELAY set
* Connected to kdhut.com (3.12.176.17) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=kdhut.com
* start date: Mar 20 00:00:00 2020 GMT
* expire date: Apr 20 12:00:00 2021 GMT
* subjectAltName: host "kdhut.com" matched cert's "kdhut.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: kdhut.com
> User-Agent: curl/7.58.0
> Accept: */*
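The transcript above carries more diagnostic information than is obvious at a glance: the handshake completes, the certificate is issued by Amazon (so it is the ACM certificate attached to the load balancer, not anything served by the Ingress controller), and the request headers go out but no response line ever comes back. The following is an added example, not code from the question or from ingress-nginx: a small Python triage script that parses a `curl -v` transcript into a report and classifies where the request broke. The sample transcripts are constructed copies of the output in the question (one as posted, one with a fabricated successful response appended for comparison); the report fields, function names and the diagnosis codes are this example's own naming. The check for the subject "Kubernetes Ingress Controller Fake Certificate" refers to the default self-signed certificate ingress-nginx serves when no TLS secret matches the host.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the curl transcript from the question, as a string.
SAMPLE_STALLED = """\
* Rebuilt URL to: https://kdhut.com/
*   Trying 3.12.176.17...
* TCP_NODELAY set
* Connected to kdhut.com (3.12.176.17) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kdhut.com
*  start date: Mar 20 00:00:00 2020 GMT
*  expire date: Apr 20 12:00:00 2021 GMT
*  subjectAltName: host "kdhut.com" matched cert's "kdhut.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: kdhut.com
> User-Agent: curl/7.58.0
> Accept: */*
"""

# Constructed variant: identical handshake, but the backend answered.
SAMPLE_OK = SAMPLE_STALLED + "< HTTP/1.1 200 OK\n< Content-Type: text/plain\n<\n"


@dataclass
class CurlTlsReport:
    """What the client observed at each stage of an HTTPS request."""
    handshake_complete: bool = False
    tls_version: str = ""
    cipher: str = ""
    alpn_protocol: str = ""            # empty when the server agreed to none
    cert_subject: str = ""
    cert_issuer: str = ""
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    verify_ok: bool = False
    request_sent: bool = False
    response_received: bool = False


_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def _parse_curl_date(text: str) -> datetime:
    # curl pads single-digit days with a space ("Mar  5"); collapse runs of spaces.
    return datetime.strptime(" ".join(text.split()), _DATE_FMT).replace(tzinfo=timezone.utc)


def parse_curl_verbose(transcript: str) -> CurlTlsReport:
    """Extract TLS and HTTP facts from the lines curl -v prints."""
    r = CurlTlsReport()
    for raw in transcript.splitlines():
        line = raw.rstrip()
        if line.startswith("> "):          # request header sent by the client
            r.request_sent = True
        elif line.startswith("<"):         # any response line from the server
            r.response_received = True
        elif line.startswith("*"):         # curl's own status messages
            body = line[1:].strip()
            m = re.match(r"SSL connection using (\S+) / (\S+)", body)
            if m:
                r.handshake_complete = True
                r.tls_version, r.cipher = m.group(1), m.group(2)
            elif body.startswith("subject: "):
                r.cert_subject = body[len("subject: "):]
            elif body.startswith("issuer: "):
                r.cert_issuer = body[len("issuer: "):]
            elif body.startswith("start date: "):
                r.not_before = _parse_curl_date(body[len("start date: "):])
            elif body.startswith("expire date: "):
                r.not_after = _parse_curl_date(body[len("expire date: "):])
            elif body == "SSL certificate verify ok.":
                r.verify_ok = True
            elif body.startswith("ALPN, server accepted to use "):
                r.alpn_protocol = body.rsplit(" ", 1)[1]
    return r


def diagnose(r: CurlTlsReport, now: Optional[datetime] = None) -> str:
    """Classify the failure stage; 'now' lets the caller check expiry at a given time."""
    if not r.handshake_complete:
        return "tls_handshake_failed"
    if now is not None and r.not_after is not None and now > r.not_after:
        return "certificate_expired"
    if not r.verify_ok:
        return "certificate_not_trusted"
    if r.request_sent and not r.response_received:
        # TLS is fine end-to-end from the client's view; the hop behind the
        # terminating device never produced an HTTP response.
        return "tls_ok_no_http_response"
    return "ok"


def tls_terminator(r: CurlTlsReport) -> str:
    """Infer which hop presented the certificate from its subject/issuer."""
    if "O=Amazon" in r.cert_issuer:
        return "aws-load-balancer (ACM-issued certificate)"
    if "Kubernetes Ingress Controller Fake Certificate" in r.cert_subject:
        return "ingress-nginx default certificate (no TLS secret matched the host)"
    return "unknown"


if __name__ == "__main__":
    report = parse_curl_verbose(SAMPLE_STALLED)
    print(diagnose(report), "terminated by:", tls_terminator(report))
```

Run against the transcript in the question, the script reports `tls_ok_no_http_response` with the certificate presented by the AWS load balancer, which narrows the fault to the listener's forwarding configuration and the path from the load balancer to the ingress-nginx service rather than to the client-facing certificate or DNS. Pipe `curl -v https://host 2>&1` into `parse_curl_verbose` to triage a live transcript the same way.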
I think this is an issue with the AWS load balancer. I ran into something on an AWS NLB a while back and found a "workaround/hack" link:
HTH. As for my deployment? Nothing crazy. I was building some cloud infrastructure with applications in the back, and I used NGINX in front of the Ingress and behind an NLB. I did this for HA reasons; it let me set up several NGINX instances for an HA cluster and several Ingresses for HA. Traffic would come in, hit the NLB, get sent to my "edge" nginx layer, and then get sent to the Ingress. I don't like single instances because they are a single point of failure.