Z.S.K.'s Records

Kong学习(kong ingress代理https请求到upstream)

在有些对安全要求更高的场景下,需要保证端到端的请求都是https, 正常情况下, 请求到达kong ingress后都会将https转换成http后再proxy到upstream, 所以如果需要将https直接proxy到upstream,需要做些额外的操作,好在kong ingress原生就支持.

如果直接使用kong ingress 访问后端协议为https的service会提示以下错误:

1
This combination of host and port requires TLS.

原因: 除了kongingress中需要proxy.protocol指定为https外,在k8s的service中也需要绑定kongingress.

1
2
3
annotations:
configuration.konghq.com: https-upstream
konghq.com/override: https-upstream

比如身份验证服务,本身只支持https协议,如果使用kong进行转发的话,需要以下3个操作

定认一个kongingress, 重点是proxy.protocol:https

1
2
3
4
5
6
7
8
9
10
11
12
13
14
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
name: "https-upstream"
proxy:
protocol: https # 这行
connect_timeout: 10000
retries: 10
read_timeout: 10000
write_timeout: 10000
route:
protocols:
- https
strip_path: true

再定义一个ingress

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
configuration.konghq.com: https-upstream # 这个配置在0.8以上已被弃用,使用konghq.com/override
konghq.com/override: https-upstream
kubernetes.io/ingress.class: kong-common
name: cas-sso-kong-ingress
namespace: default
spec:
rules:
- http:
paths:
- backend:
serviceName: cas-sso-kong-service
servicePort: 8443
path: /

在k8s的service添加annotations

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
apiVersion: v1
kind: Service
metadata:
annotations: # 这两行
configuration.konghq.com: https-upstream
konghq.com/override: https-upstream
labels:
app: cas-sso-kong-service
name: cas-sso-kong-service
namespace: default
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: 8443
selector:
app: cas-sso-kong-service
sessionAffinity: None
type: ClusterIP
status:
loadBalancer: {}

再次访问后即可正常

kong ingress也支持在proxy https到upstream时使用指定的证书信息, 如果是自签证书的话,浏览器还是会提示站点不安全, 要么手动导入到浏览器中或者使用第三方平台(如阿里云)上提供的权威证书签发功能

参考文章:

转载请注明原作者: 周淑科(https://izsk.me)

 wechat
Scan Me To Read on Phone
I know you won't do this,but what if you did?