Without any nginx-specific configuration, the k8s nginx ingress supports only TLS 1.2 by default; TLS 1.0 and TLS 1.1 are not enabled.

The default nginx-config ConfigMap (in some deployments it is called nginx-configuration) looks like this:

apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

According to the official documentation, to support TLS 1.0 and TLS 1.1 you only need to change nginx-config and then restart the container.

To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.

The default configuration, though secure, does not support some older browsers and operating systems. For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May 2018, approximately 15% of Android devices are not compatible with nginx-ingress's default configuration.

To change this default behavior, use a ConfigMap. A sample ConfigMap fragment to allow these older clients to connect could look something like the following:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

To avoid clobbering your existing configuration, never copy this YAML verbatim over your own ConfigMap!!!

Just add the ssl-ciphers and ssl-protocols keys to your existing configuration:

apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-ciphers: >-
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

After adding the configuration, restart the nginx-ingress container.
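As an added example (not from the original post or from the ingress-nginx project), the Python script below builds a kubectl strategic merge patch that adds only the ssl-protocols and ssl-ciphers keys so the rest of the ConfigMap data is preserved, simulates the merge against a constructed sample ConfigMap, and reports which protocols below TLS 1.2 the resulting ConfigMap enables, which is the setting to revisit once the legacy clients are gone. The sample ConfigMap content is constructed, not real cluster output.

```python
import json

# Constructed sample of what `kubectl get configmap nginx-configuration
# -n kube-system -o json` returns, trimmed to a few keys (not real output).
EXISTING_CM = json.loads("""
{"apiVersion": "v1", "kind": "ConfigMap",
 "metadata": {"name": "nginx-configuration", "namespace": "kube-system"},
 "data": {"server-tokens": "false", "ssl-redirect": "false",
          "proxy-body-size": "20m", "worker-cpu-affinity": "auto"}}
""")

# Protocol names ingress-nginx accepts in ssl-protocols that are below TLS 1.2.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def legacy_tls_patch(protocols="TLSv1 TLSv1.1 TLSv1.2", ciphers=None):
    """Build the body for `kubectl patch configmap ... --patch '<json>'`.
    A strategic merge patch only touches the keys it names, so the rest of
    `data` survives, unlike applying a freshly written ConfigMap over it.
    Passing protocols="TLSv1.2" later reverts to the secure default."""
    data = {"ssl-protocols": protocols}
    if ciphers:
        data["ssl-ciphers"] = ciphers
    return {"data": data}


def merge_patch(configmap, patch):
    """Simulate the API server's merge: update keys in `data`, keep the rest."""
    merged = json.loads(json.dumps(configmap))  # deep copy, leave input intact
    merged.setdefault("data", {}).update(patch["data"])
    return merged


def enabled_legacy_protocols(configmap):
    """Return the sub-TLS-1.2 protocols this ConfigMap turns on.
    With ssl-protocols unset, ingress-nginx defaults to TLS 1.2 only."""
    value = configmap.get("data", {}).get("ssl-protocols", "")
    return sorted(p for p in value.split() if p in LEGACY_PROTOCOLS)


if __name__ == "__main__":
    patch = legacy_tls_patch()
    print("kubectl patch configmap nginx-configuration -n kube-system "
          "--patch '%s'" % json.dumps(patch))
    after = merge_patch(EXISTING_CM, patch)
    print("keys kept:", sorted(after["data"]))
    print("legacy protocols now enabled:", enabled_legacy_protocols(after))
```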

Verify; each of the following should get a normal response:

$ curl -v --tlsv1.0 https://test.com
$ curl -v --tlsv1.1 https://test.com
$ curl -v --tlsv1.2 https://test.com

The figure below shows the response of a successful request:

The figure below shows an error response:

Reference documentation: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls

Reposted from: https://www.cnblogs.com/lyc94620/p/11345124.html
