我正在GKE 1.16.13-gke.401中使用nginx入口。
我的配置
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<div class="mk-tabs">
<ul>
<li class="mk-tabs-tab"><a href="#">Tab 1</a></li>
<li class="mk-tabs-tab is-active"><a href="#">Tab 2</a></li>
<li class="mk-tabs-tab"><a href="#">Tab 3</a></li>
<li class="mk-tabs-tab"><a href="#">Tab 4</a></li>
</ul>
<div class="mk-tabs-panes">
<div class="mk-tabs-pane">Tab Content 1</div>
<div class="mk-tabs-pane is-active">Tab Content 2</div>
<div class="mk-tabs-pane">Tab Content 3</div>
<div class="mk-tabs-pane">Tab Content 4</div>
</div>
</div>
<div class="mk-tabs2">
<ul>
<li class="mk-tabs-tab"><a href="#">Tab 1</a></li>
<li class="mk-tabs-tab is-active"><a href="#">Tab 2</a></li>
<li class="mk-tabs-tab"><a href="#">Tab 3</a></li>
<li class="mk-tabs-tab"><a href="#">Tab 4</a></li>
</ul>
<div class="mk-tabs-panes">
<div class="mk-tabs-pane">Tab Content 1</div>
<div class="mk-tabs-pane is-active">Tab Content 2</div>
<div class="mk-tabs-pane">Tab Content 3</div>
<div class="mk-tabs-pane">Tab Content 4</div>
</div>
</div>Nginx控制器配置:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: api-ingress
namespace: development
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
kubernetes.io/ingress.class: "nginx"
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates
nginx.ingress.kubernetes.io/auth-tls-secret: "development/client-cert-api-ingress"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
# Automatically redirect http to https
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# Use regex in paths
nginx.ingress.kubernetes.io/use-regex: "true"
# For notifications we add the proxy headers
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
spec:
tls:
- hosts:
- example.com
secretName: api-tls-certificate
rules:
- host: example.com
http:
paths:
- path: /(.*)
backend:
serviceName: v2-api-frontend
servicePort: 443
问题
在指定kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingressnginx/controller-v0.40.2/deploy/static/provider/cloud/deploy.yaml
时无法调用curl -k --cert my-cert.pem --key my-cert.key https://MY_IP/ --header "Host: example.com"。
如果我指定rules.host服务器响应
400错误的请求 没有发送必需的SSL证书
如果我未指定rules.host,则卷曲效果很好。
我该如何解决?
编辑1:
看来我签发的是自签名的客户证书引起了问题。
使用以下脚本创建:
rules.host使用cloudflare时,服务器正确响应,只有通过curl使用我的证书时,这种情况才会发生。
编辑2
使用以下脚本创建CA:
#!/bin/bash
# USE: ./build-client-cert.sh <CERTNAME> <EXPR_DAYS>
# How to generate client certificate
# based on https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.req
openssl x509 -req -in client.req -CA rootCA.crt -CAkey rootCA.key -set_serial 101 -extensions client -days $2 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out $1.p12
rm client.key client.cer client.req