Ssl 端到端加密Nginx入口控制器和AWS NLB_Ssl_Nginx Ingress_Amazon Eks_Nlb

Ssl 端到端加密Nginx入口控制器和AWS NLB

ssl

Ssl 端到端加密Nginx入口控制器和AWS NLB,ssl,nginx-ingress,amazon-eks,nlb,Ssl,Nginx Ingress,Amazon Eks,Nlb,在过去的几天里，我都在为下面的问题绞尽脑汁。我想在EKS上设置从客户端到pod的端到端加密，并保留客户端ip。我已经检查过了，为了保留ip，我需要使用代理协议V2。首先，我在ingress使用TLS终端进行了测试，在Nginx ingress controller和NLB上配置了代理协议，一切正常。作为下一步，我在Nginx控制器中启用了sslpasstour来终止pod上的ssl，这就是问题所在。任何人都成功地实现了这样的流程，或者有一些想法ssl PassTour配置会有什么问题当我通过浏

在过去的几天里，我都在为下面的问题绞尽脑汁。我想在EKS上设置从客户端到pod的端到端加密，并保留客户端ip。我已经检查过了，为了保留ip，我需要使用代理协议V2。首先，我在ingress使用TLS终端进行了测试，在Nginx ingress controller和NLB上配置了代理协议，一切正常。作为下一步，我在Nginx控制器中启用了sslpasstour来终止pod上的ssl，这就是问题所在。任何人都成功地实现了这样的流程，或者有一些想法ssl PassTour配置会有什么问题

当我通过浏览器访问nlb DNS记录时，我得到了这样的错误

An error occurred during a connection to myexample.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

如果我做卷曲，我会

* Connected to myexample.com (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
* Closing connection 0
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

以下是我的配置更改：

Nginx服务

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  labels:
    helm.sh/chart: ingress-nginx-3.4.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.40.2
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller

Nginx部署从---启用ssl直通开始

Nginx Configmap已经完成

data:
  use-proxy-protocol: "true"
  real-ip-header: "proxy_protocol"

入口

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: myexample.com
    http:
      paths:
        - path: /
          backend:
            serviceName: secure-app
            servicePort: 8443

示例应用程序

apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      containers:
        - name: secure-app
          image: nginxdemos/nginx-hello:plain-text
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: secret
              mountPath: /etc/nginx/ssl
              readOnly: true
            - name: config-volume
              mountPath: /etc/nginx/conf.d
      volumes:
        - name: secret
          secret:
            secretName: app-tls-secret
        - name: config-volume
          configMap:
            name: secure-config
---
apiVersion: v1
kind: Service
metadata:
  name: secure-app
spec:
  ports:
    - port: 8443
      targetPort: 8443
      protocol: TCP
      name: https
  selector:
    app: secure-app
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: secure-config
data:
  app.conf: |-
    server {
      listen 8443 ssl;

      server_name myexample.com;

      ssl_certificate /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;

      default_type text/plain;

      location / {
        return 200 "hello from pod $hostname\n";
      }
    }