问题描述
过去几天来,我一直在努力解决以下问题。我想设置从客户端到在EKS上运行的Pod的端到端加密,并保留客户端ip。我检查过要保留IP,我需要使用代理协议V2。最初,我使用TLS终止在入口处进行了测试,并在Nginx入口控制器和NLB上配置了代理协议,并且一切正常。下一步,我在Nginx控制器中启用了ssl-passtrough来终止Pod上的SSL,这就是问题所在。任何人都可以通过这种流程或某些想法获得成功,而ssl-passtrough配置可能出什么问题?
当我通过浏览器访问nlb DNS记录时,出现此类错误
An error occurred during a connection to myexample.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
如果我卷曲,我会得到
* Connected to myexample.com (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN,offering h2
* ALPN,offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT),TLS handshake,Client hello (1):
* error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
* Closing connection 0
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
这是我的配置更改:
Nginx服务
apiVersion: v1
kind: Service
Metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
service.beta.kubernetes.io/aws-load-balancer-type: nlb
labels:
helm.sh/chart: ingress-Nginx-3.4.1
app.kubernetes.io/name: ingress-Nginx
app.kubernetes.io/instance: ingress-Nginx
app.kubernetes.io/version: 0.40.2
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-Nginx-controller
namespace: ingress-Nginx
spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/name: ingress-Nginx
app.kubernetes.io/instance: ingress-Nginx
app.kubernetes.io/component: controller
Nginx部署始于---enable-ssl-passthrough
data:
use-proxy-protocol: "true"
real-ip-header: "proxy_protocol"
入口
apiVersion: extensions/v1beta1
kind: Ingress
Metadata:
name: tls-ingress
annotations:
Nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
rules:
- host: myexample.com
http:
paths:
- path: /
backend:
serviceName: secure-app
servicePort: 8443
示例应用
apiVersion: apps/v1
kind: Deployment
Metadata:
name: secure-app
spec:
replicas: 1
selector:
matchLabels:
app: secure-app
template:
Metadata:
labels:
app: secure-app
spec:
containers:
- name: secure-app
image: Nginxdemos/Nginx-hello:plain-text
ports:
- containerPort: 8443
volumeMounts:
- name: secret
mountPath: /etc/Nginx/ssl
readOnly: true
- name: config-volume
mountPath: /etc/Nginx/conf.d
volumes:
- name: secret
secret:
secretName: app-tls-secret
- name: config-volume
configMap:
name: secure-config
---
apiVersion: v1
kind: Service
Metadata:
name: secure-app
spec:
ports:
- port: 8443
targetPort: 8443
protocol: TCP
name: https
selector:
app: secure-app
---
apiVersion: v1
kind: ConfigMap
Metadata:
name: secure-config
data:
app.conf: |-
server {
listen 8443 ssl;
server_name myexample.com;
ssl_certificate /etc/Nginx/ssl/tls.crt;
ssl_certificate_key /etc/Nginx/ssl/tls.key;
default_type text/plain;
location / {
return 200 "hello from pod $hostname\n";
}
}
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)