我正在设置一个Nginx反向代理,用于通过30000端口将所有流量从域重定向到kubernetes集群。Kubernetes正在收集任何工作负载,并将其发送到基于子域的相关服务(使用Istio/Virtual services(。
虽然这个效果很好,但我注意到一些奇怪的效果,作为Open ID Connect(Key斗篷(重定向的一部分。重定向URL不是使用浏览器URL,而是Kubernetes的内部DNS名称和端口。
我想请求您的帮助,检查/更正我的Nginx配置。我目前的例子是Jenkins连接到Keycloft,但重定向URL不正确:
https://keycloak.example.de/auth/realms/myrealm/protocol/openid-connect/auth?client_id=jenkins-客户端&redirect_uri=https://**jenkins.svc.cluster.local**/securityRealm/finishLogin&response_type=代码&scope=网站来源%20地址%20电话%20打开ID%20脱机访问%20配置文件%20角色%20微配置文件jwt%20电子邮件&state=OGIxYWzZGYtMmY1NS00
Redirect_URI应为jenkins.example.de,但已设置为jenkins-svc.jenkins.svc.cluster.local(不正确(。Kubernetes内部服务名称被用于任何原因。
Nginx配置
# Redirect Subdomains (incl. Web-Socket)
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name ~^(.*).example.de;
access_log /opt/bitnami/nginx/logs/yourapp_access.log;
error_log /opt/bitnami/nginx/logs/yourapp_error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=100 nodelay; # or delay=15;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Keycloak
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443; # Hard-Coded as K8s Port was within variable.. :-(
set $upstream redirect.example.de;
proxy_pass https://$upstream:30000;
proxy_redirect off;
}
}
看起来重定向是由Jenkins错误的Configure System/Jenkins URL:引起的
在此处输入图像描述