在没有配置任何nginx下,k8s的nginx默认只支持TLS1.2,不支持TLS1.0和TLS1.1

默认的 nginx-config(部分可能叫 nginx-configuration)的配置如下:

apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

看了下官方的文档,如果需要支持TLS1.0和TLS1.1需要改下 nginx-config 同时重启下容器即可

To provide the most secure baseline configuration possible,

nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.



The default configuration, though secure, does not support some older browsers and operating systems.

For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May , approximately % of Android devices are not compatible with nginx-ingress's default configuration.

To change this default behavior, use a ConfigMap.

A sample ConfigMap fragment to allow these older clients to connect could look something like the following:






kind: ConfigMap

apiVersion: v1

metadata:

  name: nginx-config

data:

  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"




为了避免影响到之前的配置,切勿直接复制这个yaml配置替换你的配置!!!


在你原有的配置上加上 ssl-ciphers 和 ssl-protocols 配置即可




apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-ciphers: >-

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  ssl-protocols: TLSv1 TLSv1. TLSv1.

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration




加上配置之后呢,需要重启下容器 nginx-ingress


验证,能正常相应即可:




$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com




下图是成功访问的响应:




下图是错误的响应:




参考文档:https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls
												


											
k8s nginx ingress配置TLS的更多相关文章
	

    
								
  1. Kubernetes 部署 Nginx Ingress Controller 之 nginxinc/kubernetes-ingress
		
    更新:这里用的是 nginxinc/kubernetes-ingress ,还有个 kubernetes/ingress-nginx ,它们的区别见 Differences Between nginx ...
    
		
    2. 
						
  2. 微信小程序Nginx环境配置
		
    环境配置概述 主要内容: SSL免费证书申请步骤 Nginx HTTPS 配置 TLS 1.2 升级过程 微信小程序要求使用 https 发送请求,那么Web服务器就要配置成支持 https,需要先申 ...
    
		
    3. 
						
  3. Nginx Ingress 高并发实践
		
    概述 Nginx Ingress Controller 基于 Nginx 实现了 Kubernetes Ingress API,Nginx 是公认的高性能网关,但如果不对其进行一些参数调优,就不能充分 ...
    
		
    4. 
						
  4. [转帖]在 k8s 中通过 Ingress 配置域名访问
		
    在 k8s 中通过 Ingress 配置域名访问 https://juejin.im/post/5db8da4b6fb9a0204520b310 在上篇文章中我们已经使用 k8s 部署了第一个应用,此 ...
    
		
    5. 
						
  5. 见异思迁:K8s 部署 Nginx Ingress Controller 之 kubernetes/ingress-nginx
		
    前天才发现,区区一个 nginx ingress controller 竟然2个不同的实现.一个叫 kubernetes/ingress-nginx ,是由 kubernetes 社区维护的,对应的容 ...
    
		
    6. 
						
  6. k8s的ingress使用
		
    ingress 可以配置一个入口来提供k8s上service从外部来访问的url.负载平衡流量.终止SSL和提供基于名称的虚拟主机. 配置ingress的yaml: 要求域名解析无误 要求servic ...
    
		
    7. 
						
  7. Kubernetes 使用 ingress 配置 https 集群(十五)
		
    目录 一.背景 1.1 需求 1.2 Ingress 1.3 环境介绍 二.安装部署 2.1.创建后端 Pod 应用 2.2 创建后端 Pod Service 2.3.创建 ingress 资源 2. ...
    
		
    8. 
						
  8. 11. Ingress及Ingress Controller(主nginx ingress controller)
		
    11. Ingress,Ingress Controller拥有七层代理调度能力 什么是Ingress: Ingress是授权入站连接到达集群服务的规则集合 Ingress是一个Kubernetes资 ...
    
		
    9. 
						
  9. k8s系列---ingress资源和ingress-controller
		
    https://www.cnblogs.com/zhangeamon/p/7007076.html http://blog.itpub.net/28916011/viewspace-2214747/  ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 372-基于XC7VX690T的高速模拟信号、万兆光纤综合计算平台
			
    基于XC7VX690T的高速模拟信号.万兆光纤综合计算平台 一.板卡概述 基于V7的高性能PCIe信号处理板,板卡选用Xilinx 公司Virtex7系列FPGA XC7VX690T-2FFG1761 ...
    
			
    2. 
						
  2. Tunnel connection failed: 407 Proxy Authentication Required
			
    报错信息 : Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connecti ...
    
			
    3. 
						
  3. 前端每日实战:35# 视频演示如何把 CSS 径向渐变用得出神入化,只用一个 DOM 元素就能画出国宝熊猫
			
    效果预览 按下右侧的"点击预览"按钮可以在当前页面预览,点击链接可以全屏预览. https://codepen.io/comehope/pen/odKrpy 可交互视频教程 此视频 ...
    
			
    4. 
						
  4. django之路由的理解
			
    一:路由 简单的路由过程图: 1. 路由的定义位置 路由定义方式一:主路由和子路由分开定义 主路由的定义 urls.py from django.conf.urls import url from d ...
    
			
    5. 
						
  5. python中sort与sorted区别
			
    1.sort()函数 (只对list有用) sort(...) L.sort(key = None,reverse=False) key = 函数 这个函数会从每个元素中提取一个用于比较的关键字.默认 ...
    
			
    6. 
						
  6. Centos中文语言乱码解决方法
			
    vim /etc/locale.conf 添加:LANG="zh_CN.UTF-8" 执行一下source /etc/locale.conf,使刚修改的文件生效
    
			
    7. 
						
  7. 玩转MaxCompute studio SQL编辑器
			
    SQL因其简单易学的特点,是用户与MaxCompute服务交互的主要手段.如何帮助用户高效愉快的编写SQL是MaxCompute studio的核心使命,下面就让我们来一探究竟: 忘记语法 相信大家都 ...
    
			
    8. 
						
  8. java中super的用法总结
			
    package com.ssm.java; /** * Super * usage1:super. 直接去调用父类的方法和属性. * usage2:放在构造器中的第一位,代表引用父类的构造器. */  ...
    
			
    9. 
						
  9. [USACO16JAN]愤怒的奶牛Angry Cows (单调队列优化dp)
			
    题目链接 Solution 应该可以用二分拿部分分,时间 \(O(n^2logn)\) . 然后可以考虑 \(n^2\) \(dp\) ,令 \(f_i\) 代表 \(i\) 点被激活,然后激活 \( ...
    
			
    10. 
						
  10. PHP的重载-使用魔术方法实现
			
    摘录PHP官网对PHP重载的解释: PHP所提供的"重载"(overloading)是指动态地"创建"类属性和方法.我们是通过魔术方法(magic method ...
    
			
    11.