Kubernetes, Ingress Nginx, and too many redirects



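I'm installing a Ghost blog using the stack Nginx + Kubernetes with Ingress Nginx. My K8s deployment and Nginx configuration are below:

The problem is that when accessing the deployed blog, I get a "too many redirects" error from the browser. I guess the root cause is that the HTTPS URL is not configured properly in the Nginx ingress, but I don't have the right way to fix it. Can someone tell me what is wrong?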

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-blog
spec:
  rules:
  - host: my-blog.com
    http:
      paths:
      - backend:
          service:
            name: my-blog
            port:
              number: 2368
        path: /
        pathType: Prefix
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: my-blog
  name: my-blog
spec:
  ports:
  - port: 2368
    protocol: TCP
  selector:
    app: my-blog
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: my-blog
  name: my-blog
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-blog
  template:
    metadata:
      labels:
        app: my-blog
    spec:
      containers:
      - env:
        - name: url
          value: https://my-blog.com
        image: ghost:latest
        name: my-blog
        ports:
        - containerPort: 2368
      terminationGracePeriodSeconds: 30

server {
    server_name my-blog.com;
    location / {
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        Host $http_host;
        proxy_intercept_errors  on;
        proxy_pass http://k8s_cluster;
    }
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/my-blog.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-blog.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    if ($host = my-blog.com) {
        return 301 https://$host$request_uri;
    }
    server_name my-blog.com;
    listen 80;
    return 404;
}

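I'm not sure why you are using an Nginx config if you are already using the Nginx ingress.

This is an issue due to the HTTPS redirect on the Nginx ingress side.

You should implement SSL termination at the Nginx ingress level.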

# Note: apps/v1beta1 was removed in Kubernetes 1.16; current clusters expect apps/v1.
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: blog
  labels:
    app: blog
spec:
  replicas: 1
  selector:
    matchLabels:
      app: blog
  template:
    metadata:
      labels:
        app: blog
    spec:
      containers:
      - name: blog
        image: ghost:2.6-alpine
        imagePullPolicy: Always
        ports:
        - containerPort: 2368
        env:
        - name: url
          value: http://my-blog.com

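Run your site over plain HTTP and terminate SSL at the ingress nginx, so your site will run on HTTP and the traffic from the ingress into the cluster will run over HTTP. Your flow will be something like:

Internet HTTPS > ingress HTTP > Kubernetes svc HTTP > deployment > pods > container

You have to set up your certificate at the ingress level. You can store the certificate in a Kubernetes secret and attach that secret to the ingress, so that your website can run on HTTPS.

Ingress example: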

# Note: extensions/v1beta1 Ingress was removed in Kubernetes 1.22; current clusters
# expect networking.k8s.io/v1, as used in the question.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    #certmanager.k8s.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    - service1.example.com
    secretName: letsencrypt-staging
  rules:
  - host: service1.example.com
    http:
      paths:
      - backend:
          serviceName: service1
          servicePort: 80

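This way your website will run on HTTPS, but SSL is terminated at the Nginx level.

Your SSL certificate will be stored in a K8s secret; in the example above, you can see the secret name letsencrypt-staging.

Reference: https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d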
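
The setup the answer describes (certificate stored in a Kubernetes Secret and attached to the Ingress), written out for the question's my-blog.com host and my-blog service on the networking.k8s.io/v1 API. This is an added example, not part of the original answer; the Secret name my-blog-tls and the ingress class name nginx are assumptions, and the certificate values are placeholders.

```yaml
# Added example. "my-blog-tls" and ingressClassName "nginx" are assumed names.
apiVersion: v1
kind: Secret
metadata:
  name: my-blog-tls
type: kubernetes.io/tls          # requires exactly the keys tls.crt and tls.key
stringData:
  # Placeholders: the PEM contents of fullchain.pem and privkey.pem go here.
  # Keep the filled-in manifest out of version control; creating the Secret with
  # `kubectl create secret tls my-blog-tls --cert=fullchain.pem --key=privkey.pem`
  # avoids writing the private key into a YAML file at all.
  tls.crt: |
    <PEM certificate chain>
  tls.key: |
    <PEM private key>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-blog
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - my-blog.com                # must match the rule host and a name in the certificate
    secretName: my-blog-tls      # Secret must be in the same namespace as this Ingress
  rules:
  - host: my-blog.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-blog
            port:
              number: 2368       # plain HTTP from the ingress to the Ghost pod
```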
