在没有配置任何nginx下,k8s的nginx默认只支持TLS1.2,不支持TLS1.0和TLS1.1

默认的 nginx-config(部分可能叫 nginx-configuration)的配置如下:

apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

看了下官方的文档,如果需要支持TLS1.0和TLS1.1需要改下 nginx-config 同时重启下容器即可

To provide the most secure baseline configuration possible,

nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.



The default configuration, though secure, does not support some older browsers and operating systems.

For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May , approximately % of Android devices are not compatible with nginx-ingress's default configuration.

To change this default behavior, use a ConfigMap.

A sample ConfigMap fragment to allow these older clients to connect could look something like the following:






kind: ConfigMap

apiVersion: v1

metadata:

  name: nginx-config

data:

  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"




为了避免影响到之前的配置,切勿直接复制这个yaml配置替换你的配置!!!


在你原有的配置上加上 ssl-ciphers 和 ssl-protocols 配置即可




apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-ciphers: >-

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  ssl-protocols: TLSv1 TLSv1. TLSv1.

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration




加上配置之后呢,需要重启下容器 nginx-ingress


验证,能正常相应即可:




$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com




下图是成功访问的响应:




下图是错误的响应:




参考文档:https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls
												


											
k8s nginx ingress配置TLS的更多相关文章
	

    
								
  1. Kubernetes 部署 Nginx Ingress Controller 之 nginxinc/kubernetes-ingress
		
    更新:这里用的是 nginxinc/kubernetes-ingress ,还有个 kubernetes/ingress-nginx ,它们的区别见 Differences Between nginx ...
    
		
    2. 
						
  2. 微信小程序Nginx环境配置
		
    环境配置概述 主要内容: SSL免费证书申请步骤 Nginx HTTPS 配置 TLS 1.2 升级过程 微信小程序要求使用 https 发送请求,那么Web服务器就要配置成支持 https,需要先申 ...
    
		
    3. 
						
  3. Nginx Ingress 高并发实践
		
    概述 Nginx Ingress Controller 基于 Nginx 实现了 Kubernetes Ingress API,Nginx 是公认的高性能网关,但如果不对其进行一些参数调优,就不能充分 ...
    
		
    4. 
						
  4. [转帖]在 k8s 中通过 Ingress 配置域名访问
		
    在 k8s 中通过 Ingress 配置域名访问 https://juejin.im/post/5db8da4b6fb9a0204520b310 在上篇文章中我们已经使用 k8s 部署了第一个应用,此 ...
    
		
    5. 
						
  5. 见异思迁:K8s 部署 Nginx Ingress Controller 之 kubernetes/ingress-nginx
		
    前天才发现,区区一个 nginx ingress controller 竟然2个不同的实现.一个叫 kubernetes/ingress-nginx ,是由 kubernetes 社区维护的,对应的容 ...
    
		
    6. 
						
  6. k8s的ingress使用
		
    ingress 可以配置一个入口来提供k8s上service从外部来访问的url.负载平衡流量.终止SSL和提供基于名称的虚拟主机. 配置ingress的yaml: 要求域名解析无误 要求servic ...
    
		
    7. 
						
  7. Kubernetes 使用 ingress 配置 https 集群(十五)
		
    目录 一.背景 1.1 需求 1.2 Ingress 1.3 环境介绍 二.安装部署 2.1.创建后端 Pod 应用 2.2 创建后端 Pod Service 2.3.创建 ingress 资源 2. ...
    
		
    8. 
						
  8. 11. Ingress及Ingress Controller(主nginx ingress controller)
		
    11. Ingress,Ingress Controller拥有七层代理调度能力 什么是Ingress: Ingress是授权入站连接到达集群服务的规则集合 Ingress是一个Kubernetes资 ...
    
		
    9. 
						
  9. k8s系列---ingress资源和ingress-controller
		
    https://www.cnblogs.com/zhangeamon/p/7007076.html http://blog.itpub.net/28916011/viewspace-2214747/  ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 消灭 Java 代码的“坏味道”
			
    消灭 Java 代码的“坏味道” 原创: 王超 阿里巴巴中间件 昨天 导读 明代王阳明先生在<传习录>谈为学之道时说: 私欲日生,如地上尘,一日不扫,便又有一层.着实用功,便见道无终穷,愈 ...
    
			
    2. 
						
  2. Shell脚本的fork炸弹
			
    #!bin/bash#功能:快速消耗计算机资源,致使计算机死机#作者:liusingbon#定义函数名为.(点), 函数中递归调用自己并放入后台执行function . { .|.& };.
    
			
    3. 
						
  3. cat 合并文件或查看文件内容
			
    1.命令功能 cat 合并文件或者查看文件内容. 2.语法格式 cat   option    file 参数说明 参数 参数说明 -n 打印文本,并显示每行行号并且空白行也同样包括 -b 与-n用法 ...
    
			
    4. 
						
  4. WTSQueryUserToken failed
			
    https://www.cnblogs.com/tabjin/articles/11057663.html 令牌错误 https://www.cnblogs.com/FCoding/archive/2 ...
    
			
    5. 
						
  5. css 块级格式化上下文(BFC)
			
    一.块级格式化上下文(BFC) 1.什么是块级格式化上下文? Block Formatting Contexts (BFC,块级格式化上下文)就是一个块级元素 的渲染显示规则 (可以把 BFC 理解为 ...
    
			
    6. 
						
  6. Python---基础-小游戏用户猜数字2
			
    一.使用int()将小数转换成整数,结果是向上取数还是向下取数 int(3,4) print(int(3,4)) ####写一个程序,判断给定年份是否为闰年 - 闰年的定义,能够被4整除的年份就叫闰年 ...
    
			
    7. 
						
  7. C# 与 C++,语法差别有多小-第二章 C++浏览
			
    (一)动态内存分配和指针 C++:new  和 delete                                  int *arr = new int[ 4 ]; C#:只有new,de ...
    
			
    8. 
						
  8. IT 技术人需要思考的 15 个问题
			
    行内的人自嘲是程序猿.屌丝和码农,行外的人也经常拿IT人调侃,那么究竟是IT人没有价值,还是没有仔细思考过自身的价值? 1.搞 IT 的是屌丝.码农.程序猿? 人们提到IT人的时候,总会想到他们呆板. ...
    
			
    9. 
						
  9. Hash树——数据结构
			
    
			
    10. 
						
  10. WPF 设置窗体大小为显示器工作区域大小
			
      最近做的项目遇到一个问题,窗体在1680*1050分辨率下显示,系统字体设置为小字体时,显示没问题,但是调到中等字体时,窗体显示位置出了问题.主窗体为无边框窗体,拖动及放大缩小事件都是自己写的.  ...
    
			
    11.