【发布时间】:2016-08-02 01:16:19
【问题描述】:
我正在尝试在我的集群中设置一个 nginx 代理。我有 3 个在容器内运行的应用程序以及一个 nginx pod。
这是我的 nginx 复制控制器和服务
{
"kind": "Service",
"apiVersion": "v1",
"metadata": {
"name": "nginx-ssl-proxy",
"namespace": "default",
"labels": {
"app": "nginx-ssl-proxy",
"version": "1.0.2",
"role": "ssl-proxy"
}
},
"spec": {
"ports": [
{
"name": "http",
"protocol": "TCP",
"port": 80,
"targetPort": "ssl-proxy-http"
},
{
"name": "https",
"protocol": "TCP",
"port": 443,
"targetPort": "ssl-proxy-http"
}
],
"selector": {
"app": "nginx-ssl-proxy",
"version": "1.0.2"
},
"type": "LoadBalancer",
"sessionAffinity": "ClientIP"
}
}
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "nginx-ssl-proxy",
"namespace": "default",
"labels": {
"app": "nginx-ssl-proxy",
"version": "1.0.2",
"role": "ssl-proxy"
}
},
"spec": {
"replicas": 2,
"selector": {
"app": "nginx-ssl-proxy",
"version": "1.0.2"
},
"template": {
"metadata": {
"name": "nginx-ssl-proxy",
"labels": {
"app": "nginx-ssl-proxy",
"version": "1.0.2",
"role": "ssl-proxy"
}
},
"spec": {
"volumes": [
{
"name": "secrets",
"secret": {
"secretName": "ssl-certs"
}
}
],
"containers": [
{
"name": "nginx-ssl-proxy",
"image": "gcr.io/green-hall-126004/nginx-ssl-proxy-api:1.0.2",
"env": [
{
"name": "CERT_SERVICE_HOST_ENV_NAME",
"value": "LETSENCRYPT_SERVICE_HOST"
},
{
"name": "CERT_SERVICE_PORT_ENV_NAME",
"value": "LETSENCRYPT_SERVICE_PORT"
},
{
"name": "ENABLE_SSL",
"value": "true"
}
],
"ports": [
{
"name": "ssl-proxy-http",
"containerPort": 80
},
{
"name": "ssl-proxy-https",
"containerPort": 443
}
],
"resources": {},
"volumeMounts": [
{
"name": "secrets",
"readOnly": true,
"mountPath": "/etc/secrets"
}
],
"terminationMessagePath": "/dev/termination-log",
"imagePullPolicy": "Always",
"securityContext": {
"privileged": false
}
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"securityContext": {}
}
}
},
"status": {
"replicas": 2,
"fullyLabeledReplicas": 2,
"observedGeneration": 4
}
}
我已经剥离了大部分 SSL 配置和其他虚拟主机。下面是我的 nginx.conf:
# nginx.conf as posted in the question (the author removed most SSL settings
# and the other virtual hosts before posting).
user nginx;
worker_processes 5;
# debug is the most verbose error_log level; the entries quoted later in the
# question are logged at [info].
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Combined-style access log. $http_x_forwarded_for is whatever the peer sent in
# X-Forwarded-For, so it is only meaningful behind a hop that sets that header.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
server_names_hash_bucket_size 128;
keepalive_timeout 65;
# NOTE(review): server_tokens is not set here, so nginx keeps its default (on)
# and reports its version in the Server header and on error pages.
# Response compression for the listed text types; disabled for user agents
# matching "msie6".
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Request bodies larger than 20 MB are rejected (413).
client_max_body_size 20M;
# proxy.conf (shown below in the question) holds the upstream and both server
# blocks; default.conf is not shown.
include /etc/nginx/conf.d/proxy.conf;
include /etc/nginx/conf.d/default.conf;
}
下面是我的 proxy.conf:
# proxy.conf as posted in the question; included from the http block of nginx.conf.
upstream app_guest {
server guest:3200;
# NOTE(review): upstream keepalive connections are only reused when the proxied
# location also sets proxy_http_version 1.1 and clears the Connection header;
# neither is set in the location below.
keepalive 8;
}
# the nginx server instance
# Plain-HTTP listener: every request receives a permanent redirect to the HTTPS
# origin for the same host and path. This is the server reachable on
# containerPort 80 ("ssl-proxy-http" in the ReplicationController above).
server {
server_name project.com www.project.com ws.project.com _;
listen 80;
location / {
return 301 https://$host$request_uri;
}
access_log /var/log/nginx/project.log;
}
# TLS listener, reachable on containerPort 443 ("ssl-proxy-https").
# NOTE(review): in the Service manifest above, both the "http" and the "https"
# Service ports use targetPort "ssl-proxy-http", which the container declares as
# containerPort 80. Traffic arriving on Service port 443 is therefore handed to
# the plain-HTTP server above, not to this one. The "client sent invalid method
# while reading client request line" entries with a non-ASCII request line in
# the error log are consistent with TLS handshake bytes reaching a plaintext
# listener. Setting the https port's targetPort to "ssl-proxy-https" would
# deliver that traffic here instead.
server {
server_name project.com www.project.com ws.project.com _;
#ws subdomain is to be used for websockets
# NOTE(review): no Upgrade/Connection header handling is configured in the
# location below, so WebSocket upgrades would not be proxied as-is.
access_log /var/log/nginx/project.log;
#Start SSL config
# "ssl on;" is the older spelling of "listen 443 ssl;" (the ssl directive was
# deprecated in nginx 1.15.0). The ssl_protocols/ssl_ciphers settings the
# author says were stripped would normally sit in this block.
listen 443;
ssl on;
# Certificate and key come from the "ssl-certs" Secret, mounted read-only at
# /etc/secrets in the pod spec above.
ssl_certificate /etc/secrets/proxycert;
ssl_certificate_key /etc/secrets/proxykey;
# pass the request to the node.js server with the correct headers
# and much more can be added, see nginx config options
location / {
# $remote_addr is the peer nginx sees (10.24.1.1 in the log, presumably a
# node or load-balancer hop rather than the end client); $http_host forwards
# the client-supplied Host header unchanged.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
# NOTE(review): no X-Forwarded-Proto header is set, so the upstream cannot
# tell that this hop was TLS.
proxy_pass http://app_guest/;
proxy_redirect off;
}
}
当我访问 https://project.com(HTTP 会被重定向到 HTTPS)时,Chrome 显示 SSL 协议错误。
这是错误日志:
2016-04-11T17:53:36.480653970Z 2016/04/11 17:53:36 [info] 12#12: *17 client sent invalid method while reading client request line, client: 10.24.1.1, server: project.com, request: "��������.ך!"
2016-04-11T17:53:36.580580659Z 2016/04/11 17:53:36 [info] 12#12: *18 client sent invalid method while reading client request line, client: 10.24.1.1, server: project.com, request: "���� 'k��u+<JK�j� ƞ���/DӮq�"
2016-04-11T17:53:36.685015025Z 2016/04/11 17:53:36 [info] 12#12: *19 client sent invalid method while reading client request line, client: 10.24.1.1, server: project.com, request: "������ߗl<"
前面只是一个转发规则:
- 描述:{"kubernetes.io/service-name":"default/nginx-ssl-proxy"}
- 地区:us-east1
- 外部IP:104.196.120.173
- 协议:TCP
- 端口/范围:80-443
我不知道 SSL 可能出了什么问题。HTTP 工作正常。任何帮助将不胜感激。
【问题讨论】:
-
您列出的 IP 地址似乎没有响应 HTTP 请求。
-
您是否尝试过在没有转发规则的情况下连接到其中一台虚拟机?由于转发规则只是一个负载均衡器,因此您应该会在路径中没有负载均衡器的情况下看到相同的行为。 (但这排除了一种可能性。)
-
FWIW,我用 curl -vv http://104.196.120.173/ 进行了测试;如果它正常工作,这个命令应该会给出相当详细的输出。
标签: nginx google-compute-engine google-kubernetes-engine