Problem description
My gateway file is
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      #caCertificates: /etc/istio/ingressgateway-ca-certs/kbundle.crt
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  http:
  - route:
    - destination:
        host: my-mono
        port:
          number: 443
          protocol: TCP
My service file is
apiVersion: v1
kind: Service
metadata:
  name: my-mono
  namespace: myapp
  labels:
    tier: backend
spec:
  selector:
    app: my-mono
    tier: backend
  ports:
  - port: 443
    name: https
    protocol: TCP
The deployment file is
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-mono
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-mono
  template:
    metadata:
      labels:
        app: my-mono
    spec:
      containers:
      - name: my-mono
        image: myapacheimage
        imagePullPolicy: Never
        ports:
        - containerPort: 443
When I access my service using the gateway, it says
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.38 (Debian) Server at 10.0.159.77 Port 443
I can confirm that Apache is only listening on 443 and is properly configured.
Recommended answer
Your configuration uses TLS termination on the Istio gateway. So the HTTPS traffic entering the Istio ingress is decrypted to plain HTTP traffic before reaching your service endpoint.
To fix this you need to configure HTTPS ingress access to an HTTPS service, i.e., configure an ingress gateway to perform SNI passthrough, instead of TLS termination on incoming requests.
You can find an example of Ingress Gateway without TLS Termination in the Istio documentation guide here.
Your Gateway and VirtualService should look something like this:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "sub.domaincom"
    route:
    - destination:
        host: my-mono
        port:
          number: 443
Hope it helps.
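
The mismatch described in the answer can be caught before deployment by cross-checking the Gateway's tls.mode against the VirtualService route type and the backend Service port. The following is an added example, not code from the question, the answer or the Istio project; the function names, finding labels and the "looks like a TLS port" heuristic are assumptions, and the inputs are constructed dicts shaped like the parsed manifests.

```python
# Added example: inputs are constructed dicts shaped like the parsed manifests above.
TERMINATING = {"SIMPLE", "MUTUAL"}  # gateway decrypts; upstream gets plain HTTP

def gateway_modes(gateways):
    """Map gateway name -> set of TLS modes declared on its servers."""
    return {g["metadata"]["name"]: {s.get("tls", {}).get("mode") for s in g["spec"]["servers"]}
            for g in gateways}

def tls_backend_ports(services):
    """(service, port) pairs that look like TLS listeners. Heuristic (assumption):
    port name prefix https/tls, or port number 443."""
    return {(s["metadata"]["name"], p["port"])
            for s in services for p in s["spec"]["ports"]
            if p.get("name", "").split("-")[0] in ("https", "tls") or p["port"] == 443}

def lint(gateways, virtual_services, services):
    """Return (virtualservice, gateway, finding) tuples. Simplifications: short host
    names only, and no DestinationRule (TLS origination) is taken into account."""
    modes, tls_ports = gateway_modes(gateways), tls_backend_ports(services)
    findings = []
    for vs in virtual_services:
        name, spec = vs["metadata"]["name"], vs["spec"]
        for gw in spec.get("gateways", []):
            gw_modes = modes.get(gw, set())
            for rule in spec.get("http", []):
                for r in rule.get("route", []):
                    d = r["destination"]
                    target = (d["host"], d.get("port", {}).get("number"))
                    if gw_modes & TERMINATING and target in tls_ports:
                        findings.append((name, gw, "terminated-to-tls-backend"))
            if "PASSTHROUGH" in gw_modes and not spec.get("tls"):
                findings.append((name, gw, "passthrough-without-tls-route"))
    return findings

def gateway(mode):  # constructed sample: the page's Gateway with a given tls.mode
    return {"metadata": {"name": "my-gateway-secure"},
            "spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"}, "tls": {"mode": mode}}]}}

DEST = {"destination": {"host": "my-mono", "port": {"number": 443}}}
SERVICE = {"metadata": {"name": "my-mono"}, "spec": {"ports": [{"port": 443, "name": "https"}]}}
VS_HTTP = {"metadata": {"name": "my-gateway-service-secure"},   # question: http route
           "spec": {"gateways": ["my-gateway-secure"], "http": [{"route": [DEST]}]}}
VS_TLS = {"metadata": {"name": "my-gateway-service-secure"},    # answer: tls route on SNI
          "spec": {"gateways": ["my-gateway-secure"],
                   "tls": [{"match": [{"port": 443, "sni_hosts": ["sub.domaincom"]}], "route": [DEST]}]}}

if __name__ == "__main__":
    print(lint([gateway("SIMPLE")], [VS_HTTP], [SERVICE]))       # question's setup
    print(lint([gateway("PASSTHROUGH")], [VS_TLS], [SERVICE]))   # answer's setup
```

The question's combination is reported as terminated-to-tls-backend, the answer's combination produces no findings, and switching only the Gateway to PASSTHROUGH while keeping the http route is reported as passthrough-without-tls-route.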