在没有配置任何nginx下,k8s的nginx默认只支持TLS1.2,不支持TLS1.0和TLS1.1

默认的 nginx-config(部分可能叫 nginx-configuration)的配置如下:

apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

看了下官方的文档,如果需要支持TLS1.0和TLS1.1需要改下 nginx-config 同时重启下容器即可

To provide the most secure baseline configuration possible,

nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.



The default configuration, though secure, does not support some older browsers and operating systems.

For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May , approximately % of Android devices are not compatible with nginx-ingress's default configuration.

To change this default behavior, use a ConfigMap.

A sample ConfigMap fragment to allow these older clients to connect could look something like the following:






kind: ConfigMap

apiVersion: v1

metadata:

  name: nginx-config

data:

  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"




为了避免影响到之前的配置,切勿直接复制这个yaml配置替换你的配置!!!


在你原有的配置上加上 ssl-ciphers 和 ssl-protocols 配置即可




apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-ciphers: >-

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  ssl-protocols: TLSv1 TLSv1. TLSv1.

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration




加上配置之后呢,需要重启下容器 nginx-ingress


验证,能正常相应即可:




$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com




下图是成功访问的响应:




下图是错误的响应:




参考文档:https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls
												


											
k8s nginx ingress配置TLS的更多相关文章
	

    
								
  1. Kubernetes 部署 Nginx Ingress Controller 之 nginxinc/kubernetes-ingress
		
    更新:这里用的是 nginxinc/kubernetes-ingress ,还有个 kubernetes/ingress-nginx ,它们的区别见 Differences Between nginx ...
    
		
    2. 
						
  2. 微信小程序Nginx环境配置
		
    环境配置概述 主要内容: SSL免费证书申请步骤 Nginx HTTPS 配置 TLS 1.2 升级过程 微信小程序要求使用 https 发送请求,那么Web服务器就要配置成支持 https,需要先申 ...
    
		
    3. 
						
  3. Nginx Ingress 高并发实践
		
    概述 Nginx Ingress Controller 基于 Nginx 实现了 Kubernetes Ingress API,Nginx 是公认的高性能网关,但如果不对其进行一些参数调优,就不能充分 ...
    
		
    4. 
						
  4. [转帖]在 k8s 中通过 Ingress 配置域名访问
		
    在 k8s 中通过 Ingress 配置域名访问 https://juejin.im/post/5db8da4b6fb9a0204520b310 在上篇文章中我们已经使用 k8s 部署了第一个应用,此 ...
    
		
    5. 
						
  5. 见异思迁:K8s 部署 Nginx Ingress Controller 之 kubernetes/ingress-nginx
		
    前天才发现,区区一个 nginx ingress controller 竟然2个不同的实现.一个叫 kubernetes/ingress-nginx ,是由 kubernetes 社区维护的,对应的容 ...
    
		
    6. 
						
  6. k8s的ingress使用
		
    ingress 可以配置一个入口来提供k8s上service从外部来访问的url.负载平衡流量.终止SSL和提供基于名称的虚拟主机. 配置ingress的yaml: 要求域名解析无误 要求servic ...
    
		
    7. 
						
  7. Kubernetes 使用 ingress 配置 https 集群(十五)
		
    目录 一.背景 1.1 需求 1.2 Ingress 1.3 环境介绍 二.安装部署 2.1.创建后端 Pod 应用 2.2 创建后端 Pod Service 2.3.创建 ingress 资源 2. ...
    
		
    8. 
						
  8. 11. Ingress及Ingress Controller(主nginx ingress controller)
		
    11. Ingress,Ingress Controller拥有七层代理调度能力 什么是Ingress: Ingress是授权入站连接到达集群服务的规则集合 Ingress是一个Kubernetes资 ...
    
		
    9. 
						
  9. k8s系列---ingress资源和ingress-controller
		
    https://www.cnblogs.com/zhangeamon/p/7007076.html http://blog.itpub.net/28916011/viewspace-2214747/  ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. static作用,静态成员变量和静态成员函数
			
    static关键字有俩作用:(1).控制存储分配:(2).控制一个名字的可见性和连接.   随着C++名字空间的引入,我们有了更好的,更灵活的方法来控制一个大项目的名字增长.     在类的内部使用s ...
    
			
    2. 
						
  2. 基于firebird的数据转存
			
    功能:使用于相同的表从一个数据库转存到另一数据库: 方式:直连fdb并加载django,引用django的model完成: 原因:1.select * from *** 返回的数有很多None,直接i ...
    
			
    3. 
						
  3. 读书笔记三、pandas之重新索引
			
    
			
    4. 
						
  4. Java EE的优越性主要表现在哪些方面
			
    J2 EE的优越性主要表现在哪些方面 J2EE基于JAVA 技术,与平台无关. J2EE拥有开放标准,许多大型公司实现了对该规范支持的应用服务器.如BEA ,IBM,ORACLE等. J2EE提供相当 ...
    
			
    5. 
						
  5. 多边形面积计算公式  GPS经纬度计算面积
			
    最近在做地图相关面积计算显示工作,百度了很多关于多边形面积计算方面公式和代码,只能说贼费劲,最终完成了把结果展示下     原理:鞋带公式 定义:所述鞋带式或鞋带算法(也称为高斯的面积公式和测量员的式 ...
    
			
    6. 
						
  6. python学习笔记(二十):异常处理
			
    def calc(a,b): res=a/b return res def main(): money=input('输入多少钱:') months=input('还几个月:') try: res=c ...
    
			
    7. 
						
  7. App.after
			
    解释: App.after可以增加APP级的切面,触发的时机是在所拦截的对应生命周期方法执行之后. 方法参数:Object Object 参数说明: 参数名 类型 必填 默认值 说明 methods  ...
    
			
    8. 
						
  8. 【HDOJ6616】Divide the Stones(构造)
			
    题意:给定n堆石子,第i堆的个数为i,要求构造出一种方案将其分成k堆,使得这k堆每堆数量之和相等且堆数相等 保证k是n的一个约数 n<=1e5 思路:先把非法的情况判掉 n/k为偶数的方法及其简 ...
    
			
    9. 
						
  9. 20180712-Java Character类
			
    char ch = 'a';// Unicode for uppercase Greek omega characterchar uniChar = '\u039A';//字符数组char[] cha ...
    
			
    10. 
						
  10. loj#2333 「JOI 2017 Final」准高速电车
			
    分析 我们发现到达一个点一定是先快车再准快车再慢车 于是快车将1-n分为多个区间 每次取出每个区间当前能到达的点的数量 选剩余时间贡献最大的的一个取得贡献并且再能到达的最远点建立准快车 代码 #inc ...
    
			
    11.