我正在尝试在群集中设置nginx代理。 我有3个在容器内运行的应用程序以及一个nginx pod。
这是我的nginx复制控制器和服务
{
"kind": "Service",
"apiVersion": "v1",
"metadata": {
"name": "nginx-ssl-proxy",
"namespace": "default",
"labels": {
"app": "nginx-ssl-proxy",
"version": "1.0.2",
"role": "ssl-proxy"
}
},
"spec": {
"ports": [
{
"name": "http",
"protocol": "TCP",
"port": 80,
"targetPort": "ssl-proxy-http"
},
{
"name": "https",
"protocol": "TCP",
"port": 443,
"targetPort": "ssl-proxy-http"
}
],
"selector": {
"app": "nginx-ssl-proxy",
"version": "1.0.2"
},
"type": "LoadBalancer",
"sessionAffinity": "ClientIP"
}
}
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "nginx-ssl-proxy",
"namespace": "default",
"labels": {
"app": "nginx-ssl-proxy",
"version": "1.0.2",
"role": "ssl-proxy"
}
},
"spec": {
"replicas": 2,
"selector": {
"app": "nginx-ssl-proxy",
"version": "1.0.2"
},
"template": {
"metadata": {
"name": "nginx-ssl-proxy",
"labels": {
"app": "nginx-ssl-proxy",
"version": "1.0.2",
"role": "ssl-proxy"
}
},
"spec": {
"volumes": [
{
"name": "secrets",
"secret": {
"secretName": "ssl-certs"
}
}
],
"containers": [
{
"name": "nginx-ssl-proxy",
"image": "gcr.io/green-hall-126004/nginx-ssl-proxy-api:1.0.2",
"env": [
{
"name": "CERT_SERVICE_HOST_ENV_NAME",
"value": "LETSENCRYPT_SERVICE_HOST"
},
{
"name": "CERT_SERVICE_PORT_ENV_NAME",
"value": "LETSENCRYPT_SERVICE_PORT"
},
{
"name": "ENABLE_SSL",
"value": "true"
}
],
"ports": [
{
"name": "ssl-proxy-http",
"containerPort": 80
},
{
"name": "ssl-proxy-https",
"containerPort": 443
}
],
"resources": {},
"volumeMounts": [
{
"name": "secrets",
"readOnly": true,
"mountPath": "/etc/secrets"
}
],
"terminationMessagePath": "/dev/termination-log",
"imagePullPolicy": "Always",
"securityContext": {
"privileged": false
}
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"securityContext": {}
}
}
},
"status": {
"replicas": 2,
"fullyLabeledReplicas": 2,
"observedGeneration": 4
}
}
我已经剥离了大部分ssl配置和其他虚拟主机。我的nginx.conf
# Main (global) context: worker account, worker count, error log, pid file and
# the per-worker open-file limit.
user nginx;
worker_processes 5;
# NOTE(review): "debug" is the most verbose error_log level and only takes full
# effect on an nginx build with debug support. It is normally enabled for a
# troubleshooting session and then lowered again on an internet-facing proxy,
# because the log then records far more request detail.
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
worker_rlimit_nofile 8192;
# Connection-processing settings.
events {
# Upper bound on simultaneous connections per worker process; connections to
# the proxied upstream count against it as well as client connections.
worker_connections 4096;
}
# HTTP context: MIME types, access-log format, gzip, request-body limit, then
# the included virtual-host files.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Access-log format "main". $http_x_forwarded_for is copied from the request's
# X-Forwarded-For header, so that field is client-controlled and must not be
# read as proof of where a request came from.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
server_names_hash_bucket_size 128;
keepalive_timeout 65;
# Response compression for the MIME types listed in gzip_types.
# NOTE(review): with "gzip_proxied any" responses to proxied requests are
# compressed too. Compressing TLS-protected responses that mix secrets with
# request-influenced content is the precondition for compression side channels
# (BREACH); whether that applies depends on what the upstream app returns — confirm.
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Request bodies larger than 20 MB are rejected by nginx before they reach the upstream.
client_max_body_size 20M;
# proxy.conf holds the upstream and the two server blocks shown on this page.
# NOTE(review): default.conf is not shown; any server block in it that also
# listens on 80 or 443 takes part in server selection — confirm its contents.
include /etc/nginx/conf.d/proxy.conf;
include /etc/nginx/conf.d/default.conf;
}
我的proxy.conf
# Upstream group for the proxied application: a single backend addressed by the
# name "guest" on port 3200.
upstream app_guest {
server guest:3200;
# Cache of up to 8 idle upstream connections per worker.
# NOTE(review): upstream keepalive only takes effect when the proxying location
# also sets "proxy_http_version 1.1" and clears the Connection header; the
# location shown on this page sets neither — confirm whether they were among
# the lines the author stripped.
keepalive 8;
}
# the nginx server instance
# Plain-HTTP listener on port 80: every request is answered with a 301 redirect
# to the https:// form of the same host and URI.
# This listener does not speak TLS. The Service posted on this page maps its
# port 443 to targetPort "ssl-proxy-http", which is the name of containerPort
# 80, so TLS handshakes delivered here are logged as
# "client sent invalid method while reading client request line".
server {
server_name project.com www.project.com ws.project.com _;
listen 80;
location / {
# NOTE(review): $host is taken from the request (request line or Host header).
# If this block ends up as the default server for port 80, a request carrying
# an arbitrary Host is redirected to that host; redirecting to a fixed
# canonical name avoids reflecting client input — confirm which server is the default.
return 301 https://$host$request_uri;
}
access_log /var/log/nginx/project.log;
}
# TLS listener on port 443: terminates TLS with the certificate and key under
# /etc/secrets and proxies every request to the app_guest upstream over plain HTTP.
# It is reached only when traffic is delivered to container port 443
# ("ssl-proxy-https"); the Service posted on this page does not reference that
# port name.
server {
server_name project.com www.project.com ws.project.com _;
#ws subdomain is to be used for websockets
# NOTE(review): no Upgrade/Connection headers are set in the location below —
# presumably part of the stripped configuration; confirm.
access_log /var/log/nginx/project.log;
#Start SSL config
# "listen 443;" plus "ssl on;" is the older way to enable TLS; later nginx
# releases deprecate the "ssl" directive in favour of "listen 443 ssl;".
# NOTE(review): no ssl_protocols / ssl_ciphers appear here, so as shown the
# defaults of the nginx build apply; the author says most SSL configuration
# was stripped — confirm the full file pins protocols and ciphers.
listen 443;
ssl on;
# Certificate and private key are read from the pod's "secrets" volume, which
# the ReplicationController mounts read-only at /etc/secrets.
ssl_certificate /etc/secrets/proxycert;
ssl_certificate_key /etc/secrets/proxykey;
# pass the request to the node.js server with the correct headers
# and much more can be added, see nginx config options
location / {
# $remote_addr is the peer address nginx sees. The log on this page shows
# 10.24.1.1, so behind the LoadBalancer this may be a cluster-internal address
# rather than the end user's — verify before using it for rate limits or audit trails.
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to whatever X-Forwarded-For the client sent; earlier
# entries are client-controlled, so the upstream should trust only the last one.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Forwards the client's Host header unchanged; the upstream should validate it
# before using it to build absolute URLs.
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://app_guest/;
# Location/Refresh headers from the upstream are passed through unmodified.
proxy_redirect off;
}
}
当我访问 https://project.com(http 会重定向到 https)时,Chrome 会显示 SSL 协议错误。
这里是错误日志:
2016-04-11T17:53:36.480653970Z 2016/04/11 17:53:36 [info] 12#12: *17 client sent invalid method while reading client request line, client: 10.24.1.1, server: project.com, request: "��������.ך!"
2016-04-11T17:53:36.580580659Z 2016/04/11 17:53:36 [info] 12#12: *18 client sent invalid method while reading client request line, client: 10.24.1.1, server: project.com, request: "���� 'k��u+<JK�j� ƞ���/DӮq�"
2016-04-11T17:53:36.685015025Z 2016/04/11 17:53:36 [info] 12#12: *19 client sent invalid method while reading client request line, client: 10.24.1.1, server: project.com, request: "������ߗl<"
前面只有转发规则:
我已经想不出 SSL 可能是哪里出了问题。HTTP 工作正常。任何帮助将不胜感激。
答案 0 :(得分:0)
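如果 nginx 日志中出现乱码请求,并报错 client sent invalid method while reading client request line,请参阅 https://stackoverflow.com/a/66065627/467453
这类乱码通常意味着 TLS 握手数据被送到了只处理明文 HTTP 的监听端口。就本问题而言,Service 中 443 端口的 targetPort 写的是 "ssl-proxy-http"(即容器的 80 端口),而不是 "ssl-proxy-https",因此 HTTPS 流量很可能被转发到了 nginx 的 80 端口。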