How do I call the frontend service from inside the cluster through Istio Ingress Gateways?

Time: 2021-02-23 19:33:31

Tags: istio

Background

We run a GitLab CI runner inside the cluster. It executes cypress.io end-to-end tests. To do so, the runner starts a pod with some cypress docker containers. The frontend web application we are testing is hosted by the same cluster. The pod that runs the cypress tests should connect to the frontend through our user-facing public domain (e.g. webapp.example.dev).

Simplified:

We serve one frontend service under https://webapp.example.dev/

  • Load balancer
  • Istio Ingress Gateway (using a Let's Encrypt wildcard certificate for *.example.dev)
  • Istio VirtualService for the host webapp.example.dev
  • connected to a K8s Service + K8s Deployment

The GitLab Runner can be simplified to the following pod:

apiVersion: v1
kind: Pod
metadata:
  name: debugger-pod
  labels:
    app: debugger-pod
spec:
  containers:
  - name: debugger
    image: curlimages/curl
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]

In that pod, I get an SSL connection error.

curl https://webapp.example.dev -v
*   Trying 100.200.100.200:443...
* Connected to webapp.example.dev (100.200.100.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /cacert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to webapp.example.dev:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to webapp.example.dev:443 

(IP addresses have been changed and are made up)

The same request through an HTTP proxy works fine, as you can see from these logs. (You can find proxies here: https://free-proxy-list.net/)

/ $ curl -I https://webapp.example.dev -x 178.217.216.184:49086 -v
*   Trying 178.217.216.184:49086...
* Connected to 178.217.216.184 (178.217.216.184) port 49086 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to webapp.example.dev:443
> CONNECT webapp.example.dev:443 HTTP/1.1
> Host: webapp.example.dev:443
> User-Agent: curl/7.75.0-DEV
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< 

* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /cacert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.example.dev
*  start date: Jan  4 09:31:45 2021 GMT
*  expire date: Apr  4 09:31:45 2021 GMT
*  subjectAltName: host "webapp.example.dev" matched cert's "*.example.dev"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55a551522940)
> HEAD /metainfo HTTP/2
> Host: webapp.example.dev
> user-agent: curl/7.75.0-DEV
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200 
HTTP/2 200 
< server: istio-envoy
server: istio-envoy
< date: Tue, 23 Feb 2021 19:30:33 GMT
date: Tue, 23 Feb 2021 19:30:33 GMT
< content-type: text/html
content-type: text/html
< content-length: 4273
content-length: 4273
< etag: "5fd87257-10b1"
etag: "5fd87257-10b1"
< x-envoy-upstream-service-time: 2
x-envoy-upstream-service-time: 2

< 
* Closing connection 0

Istio details:

  • Version: 1.8.3
  • mTLS mode: STRICT (I tried disabling it, without success)

Problem: It looks like the curl connection from my debugger pod is established inside the cluster, even though curl's verbose output shows it connecting to the external IP address of our cluster / its load balancer. The fact that it works when a proxy is used to force the traffic to be routed outside the cluster is my evidence for this.

Now, is there a way to connect directly to the frontend application without running into the SSL problem?
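An added triage example, not part of the question or of any answer: the two curl -v traces above differ in a way that is easy to miss by eye. In the direct attempt, curl sends its ClientHello and the peer resets the TCP connection before any ServerHello, so no certificate is ever presented and certificate trust cannot be the cause; in the proxied attempt, the full TLS 1.3 handshake completes, the wildcard certificate verifies, and the response carries a server: istio-envoy header, proving the request reached the Istio gateway. The script below parses abridged copies of both traces (constructed sample input, taken from the question) and classifies how far each connection got. It assumes only the standard curl -v line formats shown on the page; the function and field names are my own.

```python
"""Classify how far a TLS connection got from a `curl -v` trace (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two traces from the question, abridged to the
# lines that matter for triage (IPs are the made-up ones from the question).
DIRECT_TRACE = """\
*   Trying 100.200.100.200:443...
* Connected to webapp.example.dev (100.200.100.200) port 443 (#0)
* ALPN, offering h2
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to webapp.example.dev:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to webapp.example.dev:443
"""

PROXIED_TRACE = """\
*   Trying 178.217.216.184:49086...
* Connected to 178.217.216.184 (178.217.216.184) port 49086 (#0)
* Establish HTTP proxy tunnel to webapp.example.dev:443
> CONNECT webapp.example.dev:443 HTTP/1.1
< HTTP/1.1 200 OK
* Proxy replied 200 to CONNECT request
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=*.example.dev
*  subjectAltName: host "webapp.example.dev" matched cert's "*.example.dev"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> HEAD /metainfo HTTP/2
< HTTP/2 200 
< server: istio-envoy
< content-type: text/html
"""

CONNECTED_RE = re.compile(r"^\* Connected to (\S+) \(([^)]+)\) port (\d+)")
HANDSHAKE_RE = re.compile(r"^\* TLSv[\d.]+ \((IN|OUT)\), TLS handshake, (.+?) \(\d+\):")
STATUS_RE = re.compile(r"^< HTTP/[\d.]+ (\d{3})")
HEADER_RE = re.compile(r"^< ([A-Za-z0-9-]+): (.*)$")


@dataclass
class CurlTriage:
    peer_host: Optional[str] = None
    peer_ip: Optional[str] = None
    peer_port: Optional[int] = None
    via_proxy: bool = False
    handshake_in: List[str] = field(default_factory=list)   # messages received from the peer
    handshake_out: List[str] = field(default_factory=list)  # messages curl sent
    reset_by_peer: bool = False
    cert_subject: Optional[str] = None
    cert_verified: bool = False
    http_status: Optional[int] = None
    server_header: Optional[str] = None


def parse_curl_trace(text: str) -> CurlTriage:
    """Extract the TCP peer, TLS handshake progress, certificate result and HTTP outcome."""
    t = CurlTriage()
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := CONNECTED_RE.match(line)):
            t.peer_host, t.peer_ip, t.peer_port = m.group(1), m.group(2), int(m.group(3))
        elif line.startswith("* Establish HTTP proxy tunnel to"):
            t.via_proxy = True
        elif (m := HANDSHAKE_RE.match(line)):
            (t.handshake_in if m.group(1) == "IN" else t.handshake_out).append(m.group(2))
        elif "Connection reset by peer" in line:
            t.reset_by_peer = True
        elif line.startswith("*  subject: "):
            t.cert_subject = line[len("*  subject: "):]
        elif line.startswith("*  SSL certificate verify ok"):
            t.cert_verified = True
        elif (m := STATUS_RE.match(line)):
            # Last status wins: the proxy's reply to CONNECT is superseded by the real response.
            t.http_status = int(m.group(1))
        elif (m := HEADER_RE.match(line)) and m.group(1).lower() == "server":
            t.server_header = m.group(2)
    return t


def classify(t: CurlTriage) -> str:
    """Name the stage at which the connection succeeded or failed."""
    if t.reset_by_peer and not t.handshake_in:
        return "reset_before_server_hello"   # L4 reset: no certificate was ever offered
    if t.reset_by_peer:
        return "reset_mid_handshake"
    if t.cert_verified and t.http_status is not None:
        return "tls_ok"
    return "inconclusive"


if __name__ == "__main__":
    for name, trace in (("direct", DIRECT_TRACE), ("proxied", PROXIED_TRACE)):
        t = parse_curl_trace(trace)
        print(f"{name}: peer={t.peer_ip}:{t.peer_port} proxy={t.via_proxy} "
              f"in={t.handshake_in} cert={t.cert_subject} server={t.server_header} "
              f"-> {classify(t)}")
```

The useful check is the combination of `reset_by_peer` with an empty `handshake_in`: it tells you the endpoint reached from the pod never spoke TLS back, so the next thing to look at is which listener the pod's traffic actually lands on (the load balancer address versus something inside the cluster), not the certificate chain.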

0 answers:

No answers