Configuring TLS for the k8s nginx ingress
With no nginx configuration at all, the k8s nginx ingress only enables TLS 1.2 by default; TLS 1.0 and TLS 1.1 are not accepted.
The default nginx-config ConfigMap (in some deployments it is called nginx-configuration) looks like this:
apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: ''
  ignore-invalid-headers: 'true'
  max-worker-connections: ''
  proxy-body-size: 20m
  proxy-connect-timeout: ''
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration
According to the official documentation, enabling TLS 1.0 and TLS 1.1 only requires changing nginx-config and restarting the container. The documentation says:
To provide the most secure baseline configuration possible,
nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.
The default configuration, though secure, does not support some older browsers and operating systems. For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May , approximately % of Android devices are not compatible with nginx-ingress's default configuration. To change this default behavior, use a ConfigMap. A sample ConfigMap fragment to allow these older clients to connect could look something like the following:
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"
To avoid breaking your existing configuration, do NOT copy this YAML verbatim over your own ConfigMap!!!
Just add the ssl-ciphers and ssl-protocols keys to the configuration you already have:
apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: ''
  ignore-invalid-headers: 'true'
  max-worker-connections: ''
  proxy-body-size: 20m
  proxy-connect-timeout: ''
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-ciphers: >-
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration
After adding the two keys, restart the nginx-ingress container.
To verify, each of the following should get a normal response:
$ curl -v --tlsv1.0 https://test.com
$ curl -v --tlsv1.1 https://test.com
$ curl -v --tlsv1.2 https://test.com
The screenshot below shows a successful response:
The screenshot below shows a failed response:
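The same change and check as a script, added here as an example (not part of the original post or of the ingress-nginx project): it adds the two keys to the existing ConfigMap with a merge patch instead of replacing it, restarts the controller pods, and then probes each TLS version separately. It assumes the ConfigMap name and namespace from the page, that the controller pods carry the label app=ingress-nginx, and a curl new enough to support --tls-max (7.54 or later).

```shell
#!/bin/sh
# Added example, not from the original post. Usage:
#   sh legacy_tls.sh apply            # patch ConfigMap and restart the controller
#   sh legacy_tls.sh probe test.com   # report which TLS versions the host accepts
set -eu

TLS_PROTOCOLS='TLSv1 TLSv1.1 TLSv1.2'
# Cipher list taken from the ingress-nginx legacy-TLS documentation quoted above.
TLS_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

# Body for `kubectl patch --type merge`: only these two keys are written,
# every other key already in data: is left untouched.
tls_patch_json() {
  printf '{"data":{"ssl-protocols":"%s","ssl-ciphers":"%s"}}' "$1" "$2"
}

apply_legacy_tls() {
  kubectl -n kube-system patch configmap nginx-configuration --type merge \
    -p "$(tls_patch_json "$TLS_PROTOCOLS" "$TLS_CIPHERS")"
  # Assumed pod label; deleting the pods makes the controller recreate them
  # with the new nginx.conf, which is the restart step from the page.
  kubectl -n kube-system delete pod -l app=ingress-nginx
}

# Turn a curl exit status into a verdict: 0 = handshake and HTTP response OK,
# 35 = the TLS handshake itself was refused, anything else = not a TLS
# verdict at all (DNS failure, connection refused, timeout, ...).
classify_curl_exit() {
  case "$1" in
    0)  echo accepted ;;
    35) echo rejected ;;
    *)  echo "error(exit $1)" ;;
  esac
}

# In current curl, --tlsv1.x only sets the MINIMUM version, so on its own it
# still negotiates TLS 1.2 and proves nothing about 1.0 or 1.1; --tls-max
# pins the maximum so each iteration really exercises one version.
probe_tls_versions() {
  host=$1
  for v in 1.0 1.1 1.2; do
    rc=0
    curl -sS -o /dev/null --tlsv"$v" --tls-max "$v" "https://$host/" || rc=$?
    echo "TLS $v: $(classify_curl_exit "$rc")"
  done
}

case "${1:-}" in
  apply) apply_legacy_tls ;;
  probe) probe_tls_versions "$2" ;;
esac
```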
Reference: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls