Configuring TLS on the k8s nginx ingress
Without any extra nginx configuration, the k8s nginx ingress (ingress-nginx) only accepts TLS 1.2 by default and refuses TLS 1.0 and TLS 1.1 handshakes (newer ingress-nginx releases default to TLSv1.2 and TLSv1.3).
The default nginx-config ConfigMap (in some deployments it is named nginx-configuration) looks like this:
apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration
According to the official documentation, enabling TLS 1.0 and TLS 1.1 only requires editing nginx-config and restarting the controller pods. The relevant section reads:
To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.
The default configuration, though secure, does not support some older browsers and operating systems. For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May 2018, approximately 15% of Android devices are not compatible with nginx-ingress's default configuration. To change this default behavior, use a ConfigMap. A sample ConfigMap fragment to allow these older clients to connect could look something like the following:
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"
To avoid wiping out your existing settings, do NOT copy this YAML wholesale over your own ConfigMap!
Just add the ssl-ciphers and ssl-protocols keys to the configuration you already have. Keep in mind that this deliberately weakens the ingress: TLS 1.0 and 1.1 are deprecated protocols, and the cipher list above also re-enables 3DES (DES-CBC3-SHA) and non-forward-secret RSA key exchange, so enable it only where legacy clients genuinely require it and plan to remove it again.
apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-ciphers: >-
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration
After adding the two keys, restart the nginx-ingress controller pods so that a fresh nginx.conf is rendered from the ConfigMap.
Verify: each of the following should get a normal response, and the -v output should show "SSL connection using TLSv1..." with the version you asked for. On curl 7.54 and newer, --tlsv1.0 only sets the minimum version, so --tls-max is needed to pin the version actually being tested; without it curl quietly negotiates TLS 1.2 and the check proves nothing. On older curl, --tls-max does not exist and --tlsv1.0 alone forces that exact version.
$ curl -v --tlsv1.0 --tls-max 1.0 https://test.com
$ curl -v --tlsv1.1 --tls-max 1.1 https://test.com
$ curl -v --tlsv1.2 --tls-max 1.2 https://test.com
The screenshot below shows a successful response (image not reproduced in this text):
The screenshot below shows a failed response (image not reproduced in this text):
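The whole procedure above as an added shell example (not part of the original post): a JSON merge patch that adds only ssl-protocols and ssl-ciphers to the existing ConfigMap, so nothing else in it is overwritten; a restart of the controller; and a per-version probe that classifies curl's verbose output. It assumes the ConfigMap is kube-system/nginx-configuration as on this page, that the controller runs as a Deployment named nginx-ingress-controller (an assumption, check with kubectl get deploy), that curl is 7.54 or newer and built against OpenSSL (for --tls-max and the "SSL connection using ..." line), and that test.com is the ingress hostname. The classifier matters because modern OpenSSL builds refuse to speak TLS 1.0 at all, and that client-side refusal must not be read as the server rejecting the version.

```shell
#!/bin/sh
# Added example, not code from the original post or from ingress-nginx.
# Assumptions: ConfigMap kube-system/nginx-configuration (as on this page);
# controller Deployment name "nginx-ingress-controller" (assumed, verify it);
# curl >= 7.54 with the OpenSSL backend.
NS="${NS:-kube-system}"
CM="${CM:-nginx-configuration}"
DEPLOY="${DEPLOY:-nginx-ingress-controller}"
# Shortened for the example; use the full ssl-ciphers value from the ConfigMap above.
LEGACY_CIPHERS="${LEGACY_CIPHERS:-ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA:!aNULL:!eNULL:!MD5}"

# Build a JSON merge patch that touches only the two TLS keys; every other
# key already in the ConfigMap is left as it is (unlike replacing the YAML).
build_patch() {
  printf '{"data":{"ssl-protocols":"%s","ssl-ciphers":"%s"}}' "$1" "$2"
}

# Apply the patch, then restart the controller so a new nginx.conf is rendered.
apply_legacy_tls() {
  kubectl -n "$NS" patch configmap "$CM" --type merge -p "$(build_patch "$1" "$2")"
  kubectl -n "$NS" rollout restart deployment "$DEPLOY"
  kubectl -n "$NS" rollout status deployment "$DEPLOY"
}

# Classify curl -v output for a single-version probe:
#   accepted - handshake completed with exactly the requested version
#   rejected - server sent a protocol_version alert (version not enabled server-side)
#   client   - the local curl/OpenSSL build refuses that version; no verdict about the server
#   other    - DNS, TCP, certificate or unexpected-version problems; inspect by hand
classify_probe() {
  version="$1"; output="$2"
  case "$version" in
    1.0) pattern='SSL connection using TLSv1(\.0)? /' ;;   # OpenSSL names TLS 1.0 "TLSv1"
    *)   pattern="SSL connection using TLSv${version} /" ;;
  esac
  if printf '%s' "$output" | grep -Eqi "$pattern"; then
    echo accepted
  elif printf '%s' "$output" | grep -qi "alert protocol version"; then
    echo rejected
  elif printf '%s' "$output" | grep -Eqi "unsupported protocol|no protocols available"; then
    echo client
  else
    echo other
  fi
}

# Probe one host with one TLS version. --tlsv1.x alone only sets the MINIMUM
# on curl >= 7.54, so --tls-max pins the maximum to the same value; otherwise
# curl would negotiate TLS 1.2 and the test would prove nothing.
probe_tls() {
  host="$1"; version="$2"
  output=$(curl -sS -o /dev/null -v "--tlsv${version}" --tls-max "$version" "https://${host}/" 2>&1)
  classify_probe "$version" "$output"
}

# One line per version, e.g. "test.com TLSv1.1: rejected".
probe_all() {
  for v in 1.0 1.1 1.2 1.3; do
    printf '%s TLSv%s: %s\n' "$1" "$v" "$(probe_tls "$1" "$v")"
  done
}

# Usage: ./legacy-tls.sh apply   |   ./legacy-tls.sh probe test.com
case "${1:-}" in
  apply) apply_legacy_tls "TLSv1 TLSv1.1 TLSv1.2" "$LEGACY_CIPHERS" ;;
  probe) probe_all "${2:-test.com}" ;;
esac
```

Run "probe" before and after "apply": before, TLSv1.0 and TLSv1.1 should report rejected (or client, if your curl cannot speak them, in which case test from an older box or a container with a permissive OpenSSL); after the patch and restart they should report accepted. Note that a result of client or other is not evidence either way about the server.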
Reference: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls
Reposted from: https://www.cnblogs.com/lyc94620/p/11345124.html