能够从 nginx 入口控制器中的 https 重定向中排除一页

Question

我在 Kubernetes 中有一个通过 https 提供服务的应用程序。所以现在我想从该规则中排除一个 URL，并出于性能原因使用 HTTP 来提供它。我整天都在为此苦苦挣扎，这似乎是不可能的。

这些是我的入口 YAML：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/publicEndpoints: '[{"addresses":["172.31.1.11"],"port":443,"protocol":"HTTPS","serviceName":"myservice:myservice","ingressName":"myservice:myservice","hostname":"app.server.test.mycompany.com","path":"/","allNodes":true}]'
    kubernetes.io/ingress.class: nginx
  creationTimestamp: "2020-02-17T13:14:19Z"
  generation: 1
  labels:
    app-kubernetes-io/instance: mycompany
    app-kubernetes-io/managed-by: Tiller
    app-kubernetes-io/name: mycompany
    helm.sh/chart: mycompany-1.0.0
    io.cattle.field/appId: mycompany
  name: mycompany
  namespace: mycompany
  resourceVersion: "565608"
  selfLink: /apis/extensions/v1beta1/namespaces/mycompany/ingresses/mycompany
  uid: c6b93108-a28f-4de6-a62b-487708b3f5d1
spec:
  rules:
  - host: app.server.test.mycompany.com
    http:
      paths:
      - backend:
          serviceName: mycompany
          servicePort: 80
        path: /
  tls:
  - hosts:
    - app.server.test.mycompany.com
    secretName: mycompany-tls-secret
status:
  loadBalancer:
    ingress:
    - ip: 172.31.1.11

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/publicEndpoints: '[{"addresses":["172.31.1.1"],"port":80,"protocol":"HTTP","serviceName":"mycompany:mycompany","ingressName":"mycompany:mycompany-particular-service","hostname":"app.server.test.mycompany.com","path":"/account_name/particular_service/","allNodes":true}]'
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
  creationTimestamp: "2020-02-17T13:14:19Z"
  generation: 1
  labels:
    app-kubernetes-io/instance: mycompany
    app-kubernetes-io/managed-by: Tiller
    app-kubernetes-io/name: mycompany
    helm.sh/chart: mycompany-1.0.0
    io.cattle.field/appId: mycompany
  name: mycompany-particular-service
  namespace: mycompany
  resourceVersion: "565609"
  selfLink: /apis/extensions/v1beta1/namespaces/mycompany/ingresses/mycompany-particular-service
  uid: 88127a02-e0d1-4b2f-b226-5e8d160c1654
spec:
  rules:
  - host: app.server.test.mycompany.com
    http:
      paths:
      - backend:
          serviceName: mycompany
          servicePort: 80
        path: /account_name/particular_service/
status:
  loadBalancer:
    ingress:
    - ip: 172.31.1.11

正如您从上面看到的，我想通过 HTTP 服务 /particular_service/。但是，入口会重定向到 HTTPS，因为在第一个入口中为该主机启用了 TLS。

当使用同一主机进行配置时，是否有任何方法可以仅针对该特定路径禁用 TLS？

简而言之，我想要：

https://app.server.test.mycompany.com
but
http://app.server.test.mycompany.com/account_name/particular_service/

Answer 1

我已经测试了同一个域的 2 个入口，第一个启用了 tls，第二个没有启用 tls，它工作正常。

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: echo-https
spec:
  tls:
  - hosts:
    - myapp.mydomain.com
    secretName: https-myapp.mydomain.com
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      - backend:
          serviceName: echo-svc
          servicePort: 80
        path: /
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: echo-http
spec:
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      - backend:
          serviceName: echo-svc
          servicePort: 80
        path: /insecure

由 Nginx docs:

默认情况下，如果为该 Ingress 启用了 TLS，控制器会使用 308 永久重定向响应将 HTTP 客户端重定向到 HTTPS 端口 443。

这可以在 NGINX 配置映射中使用 ssl-redirect: "false" 全局禁用，或者在特定资源中使用 nginx.ingress.kubernetes.io/ssl-redirect: "false" 注释在每个 Ingress 中禁用。

如果有帮助，请告诉我。

Answer 2

同时添加nginx.ingress.kubernetes.io/ssl-redirect ": "false"。它以前对我有用。你可以试试看。