Ssl 端到端加密Nginx入口控制器和AWS NLB
在过去的几天里,我都在为下面的问题绞尽脑汁。我想在EKS上设置从客户端到pod的端到端加密,并保留客户端ip。我已经检查过了,为了保留ip,我需要使用代理协议V2。首先,我在ingress使用TLS终端进行了测试,在Nginx ingress controller和NLB上配置了代理协议,一切正常。作为下一步,我在Nginx控制器中启用了sslpasstour来终止pod上的ssl,这就是问题所在。任何人都成功地实现了这样的流程,或者有一些想法ssl PassTour配置会有什么问题 当我通过浏览器访问nlb DNS记录时,我得到了这样的错误Ssl 端到端加密Nginx入口控制器和AWS NLB,ssl,nginx-ingress,amazon-eks,nlb,Ssl,Nginx Ingress,Amazon Eks,Nlb,在过去的几天里,我都在为下面的问题绞尽脑汁。我想在EKS上设置从客户端到pod的端到端加密,并保留客户端ip。我已经检查过了,为了保留ip,我需要使用代理协议V2。首先,我在ingress使用TLS终端进行了测试,在Nginx ingress controller和NLB上配置了代理协议,一切正常。作为下一步,我在Nginx控制器中启用了sslpasstour来终止pod上的ssl,这就是问题所在。任何人都成功地实现了这样的流程,或者有一些想法ssl PassTour配置会有什么问题 当我通过浏
An error occurred during a connection to myexample.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
如果我做卷曲,我会
* Connected to myexample.com (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
* Closing connection 0
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
以下是我的配置更改:
Nginx服务
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
service.beta.kubernetes.io/aws-load-balancer-type: nlb
labels:
helm.sh/chart: ingress-nginx-3.4.1
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.40.2
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
Nginx部署从---启用ssl直通开始
Nginx Configmap已经完成
data:
use-proxy-protocol: "true"
real-ip-header: "proxy_protocol"
入口
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tls-ingress
annotations:
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
rules:
- host: myexample.com
http:
paths:
- path: /
backend:
serviceName: secure-app
servicePort: 8443
示例应用程序
apiVersion: apps/v1
kind: Deployment
metadata:
name: secure-app
spec:
replicas: 1
selector:
matchLabels:
app: secure-app
template:
metadata:
labels:
app: secure-app
spec:
containers:
- name: secure-app
image: nginxdemos/nginx-hello:plain-text
ports:
- containerPort: 8443
volumeMounts:
- name: secret
mountPath: /etc/nginx/ssl
readOnly: true
- name: config-volume
mountPath: /etc/nginx/conf.d
volumes:
- name: secret
secret:
secretName: app-tls-secret
- name: config-volume
configMap:
name: secure-config
---
apiVersion: v1
kind: Service
metadata:
name: secure-app
spec:
ports:
- port: 8443
targetPort: 8443
protocol: TCP
name: https
selector:
app: secure-app
---
apiVersion: v1
kind: ConfigMap
metadata:
name: secure-config
data:
app.conf: |-
server {
listen 8443 ssl;
server_name myexample.com;
ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;
default_type text/plain;
location / {
return 200 "hello from pod $hostname\n";
}
}