本文介绍了Kubernets:您正在对支持SSL的服务器端口使用纯HTTP的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

限时删除!!

我的网关文件为


apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      #caCertificates: /etc/istio/ingressgateway-ca-certs/kbundle.crt
    hosts:
    - "*"

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace:myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  http:
  - route:
    - destination:
        host: my-mono
        port:
          number: 443
          protocol: TCP

我的服务文件是


apiVersion: v1
kind: Service
metadata:
  name: my-mono
  namespace: myapp
  labels:
    tier: backend
spec:
  selector:
    app: my-mono
    tier: backend
  ports:
    - port: 443
      name: https
      protocol: TCP

部署文件为


apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-mono
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-mono
  template:
    metadata:
      labels:
        app: my-mono
    spec:
      containers:
      - name: my-mono
        image: myapacheimage
        imagePullPolicy: Never
        ports:
        - containerPort: 443

当我使用网关访问我的服务时,它说

when i access my service using gateway it says


Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.38 (Debian) Server at 10.0.159.77 Port 443

我可以确认apache仅在443上侦听并且配置正确

i can confirm that apache is only listening on 443 and is properly configured

推荐答案

您的配置在istio网关上使用TLS终端.因此,进入istio入口的HTTPS流量在到达您的服务端点之前被解密为普通的HTTP流量.

Your configuration uses the TLS termination on istio gateway. So the HTTPS traffic entering the istio ingress is decrypted to plain HTTP traffic before reaching Your service endpoint.

要解决此问题,您需要配置对HTTPS服务的HTTPS入口访问,即,配置入口网关以执行SNI直通,而不是对传入请求进行TLS终止.

To fix this You need to configure HTTPS ingress access to an HTTPS service, i.e., configure an ingress gateway to perform SNI passthrough, instead of TLS termination on incoming requests.

您可以在istio文档指南TLS终端的Ingress Gateway的示例. rel ="nofollow noreferrer">此处.

You can find an example of Ingress Gateway without TLS Termination in istio documentation guide here.

您的GatewayVirtualService应该看起来像这样:

Your Gateway and VirtualService should look something like this:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace:myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "sub.domaincom"
    route:
    - destination:
        host: my-mono
        port:
          number: 443

希望有帮助.

这篇关于Kubernets:您正在对支持SSL的服务器端口使用纯HTTP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

1403页,肝出来的..

09-09 02:38