在没有配置任何nginx下,k8s的nginx默认只支持TLS1.2,不支持TLS1.0和TLS1.1

默认的 nginx-config(部分可能叫 nginx-configuration)的配置如下:

apiVersion: v1
data:
allow-backend-server-header: 'true'
enable-underscores-in-headers: 'true'
generate-request-id: 'true'
http-redirect-code: ''
ignore-invalid-headers: 'true'
max-worker-connections: ''
proxy-body-size: 20m
proxy-connect-timeout: ''
reuse-port: 'true'
server-tokens: 'false'
ssl-redirect: 'false'
worker-cpu-affinity: auto
kind: ConfigMap
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: >
{"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
labels:
app: ingress-nginx
name: nginx-configuration
namespace: kube-system
selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

看了下官方的文档,如果需要支持TLS1.0和TLS1.1需要改下 nginx-config 同时重启下容器即可

To provide the most secure baseline configuration possible,

nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.


The default configuration, though secure, does not support some older browsers and operating systems.

For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May , approximately % of Android devices are not compatible with nginx-ingress's default configuration.

To change this default behavior, use a ConfigMap.

A sample ConfigMap fragment to allow these older clients to connect could look something like the following:
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-config
data:
ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

为了避免影响到之前的配置,切勿直接复制这个yaml配置替换你的配置!!!

在你原有的配置上加上 ssl-ciphers 和 ssl-protocols 配置即可

apiVersion: v1
data:
allow-backend-server-header: 'true'
enable-underscores-in-headers: 'true'
generate-request-id: 'true'
http-redirect-code: ''
ignore-invalid-headers: 'true'
max-worker-connections: ''
proxy-body-size: 20m
proxy-connect-timeout: ''
reuse-port: 'true'
server-tokens: 'false'
ssl-ciphers: >-
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl-protocols: TLSv1 TLSv1. TLSv1.
ssl-redirect: 'false'
worker-cpu-affinity: auto
kind: ConfigMap
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: >
{"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
labels:
app: ingress-nginx
name: nginx-configuration
namespace: kube-system
selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

加上配置之后呢,需要重启下容器 nginx-ingress

验证,能正常相应即可:

$ curl -v --tlsv1. https://test.com
$ curl -v --tlsv1. https://test.com
$ curl -v --tlsv1. https://test.com

下图是成功访问的响应:

下图是错误的响应:

参考文档:https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls

k8s nginx ingress配置TLS的更多相关文章

  1. Kubernetes 部署 Nginx Ingress Controller 之 nginxinc/kubernetes-ingress

    更新:这里用的是 nginxinc/kubernetes-ingress ,还有个 kubernetes/ingress-nginx ,它们的区别见 Differences Between nginx ...

  2. 微信小程序Nginx环境配置

    环境配置概述 主要内容: SSL免费证书申请步骤 Nginx HTTPS 配置 TLS 1.2 升级过程 微信小程序要求使用 https 发送请求,那么Web服务器就要配置成支持 https,需要先申 ...

  3. Nginx Ingress 高并发实践

    概述 Nginx Ingress Controller 基于 Nginx 实现了 Kubernetes Ingress API,Nginx 是公认的高性能网关,但如果不对其进行一些参数调优,就不能充分 ...

  4. [转帖]在 k8s 中通过 Ingress 配置域名访问

    在 k8s 中通过 Ingress 配置域名访问 https://juejin.im/post/5db8da4b6fb9a0204520b310 在上篇文章中我们已经使用 k8s 部署了第一个应用,此 ...

  5. 见异思迁:K8s 部署 Nginx Ingress Controller 之 kubernetes/ingress-nginx

    前天才发现,区区一个 nginx ingress controller 竟然2个不同的实现.一个叫 kubernetes/ingress-nginx ,是由 kubernetes 社区维护的,对应的容 ...

  6. k8s的ingress使用

    ingress 可以配置一个入口来提供k8s上service从外部来访问的url.负载平衡流量.终止SSL和提供基于名称的虚拟主机. 配置ingress的yaml: 要求域名解析无误 要求servic ...

  7. Kubernetes 使用 ingress 配置 https 集群(十五)

    目录 一.背景 1.1 需求 1.2 Ingress 1.3 环境介绍 二.安装部署 2.1.创建后端 Pod 应用 2.2 创建后端 Pod Service 2.3.创建 ingress 资源 2. ...

  8. 11. Ingress及Ingress Controller(主nginx ingress controller)

    11. Ingress,Ingress Controller拥有七层代理调度能力 什么是Ingress: Ingress是授权入站连接到达集群服务的规则集合 Ingress是一个Kubernetes资 ...

  9. k8s系列---ingress资源和ingress-controller

    https://www.cnblogs.com/zhangeamon/p/7007076.html http://blog.itpub.net/28916011/viewspace-2214747/ ...

随机推荐

  1. Git命令——撤销修改

    Git命令 1. 撤销修改 (1) 当改乱了工作区(working directory)某个文件的内容,想直接丢弃工作区中的修改时,用命令git checkout -- file. (2) 当不但改乱 ...

  2. Qt 鼠标悬浮按钮上出现浮窗效果

    操作: 鼠标hover于Btn(or other widget),在指定位置显示想要的widget(或其他控件窗口) 方法:重载以下几个api void paintEvent(QPaintEvent ...

  3. mysql 5.6 datetime default now()

    CREATE TABLE `test` (   id int,   `gmt_create` datetime  DEFAULT NOW() not NULL )ENGINE=InnoDB; mysq ...

  4. php range()函数 语法

    php range()函数 语法 作用:创建一个包含指定范围的元素的数组.dd马达哪家好 语法:range(low,high,step) 参数: 参数 描述 low  必需.规定数组的最低值. hig ...

  5. linux之rpm软件包管理

    1.RPM包的命名规则 例如:httpd-2.2.15-15.el6.centos.1.i686.rpm httpd ·        软件包名 2.2.15        软件版本 15       ...

  6. spring+JdbcTemplate简单使用(一)

    目录 @ 1. 环境配置 maven(项目管理) idea(编译器) jdk1.8(Java环境) MySQL5.6(MySQL数据库) 2. 创建项目 在 idea 中创建普通的 maven 项目 ...

  7. loj#2333 「JOI 2017 Final」准高速电车

    分析 我们发现到达一个点一定是先快车再准快车再慢车 于是快车将1-n分为多个区间 每次取出每个区间当前能到达的点的数量 选剩余时间贡献最大的的一个取得贡献并且再能到达的最远点建立准快车 代码 #inc ...

  8. .NET Core:目录

    ylbtech-.NET Core:目录 1.返回顶部 1. https://dotnet.microsoft.com/ 2. 2.返回顶部   3.返回顶部   4.返回顶部   5.返回顶部   ...

  9. ubuntu搭建jdk+jenkins

    第一步,安装jdk(如果已安装,直接进行第二步) 1.下载 jdk-8u172-linux-x64.tar.gz       点此下载   2.解压 tar -zxvf jdk-8u172-linux ...

  10. vue分页练习

    <!doctype html> <html> <head> <meta charset="UTF-8"> <title> ...