在没有配置任何nginx下,k8s的nginx默认只支持TLS1.2,不支持TLS1.0和TLS1.1

默认的 nginx-config(部分可能叫 nginx-configuration)的配置如下:

apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

看了下官方的文档,如果需要支持TLS1.0和TLS1.1需要改下 nginx-config 同时重启下容器即可

To provide the most secure baseline configuration possible,

nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.



The default configuration, though secure, does not support some older browsers and operating systems.

For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May , approximately % of Android devices are not compatible with nginx-ingress's default configuration.

To change this default behavior, use a ConfigMap.

A sample ConfigMap fragment to allow these older clients to connect could look something like the following:






kind: ConfigMap

apiVersion: v1

metadata:

  name: nginx-config

data:

  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"




为了避免影响到之前的配置,切勿直接复制这个yaml配置替换你的配置!!!


在你原有的配置上加上 ssl-ciphers 和 ssl-protocols 配置即可




apiVersion: v1

data:

  allow-backend-server-header: 'true'

  enable-underscores-in-headers: 'true'

  generate-request-id: 'true'

  http-redirect-code: ''

  ignore-invalid-headers: 'true'

  max-worker-connections: ''

  proxy-body-size: 20m

  proxy-connect-timeout: ''

  reuse-port: 'true'

  server-tokens: 'false'

  ssl-ciphers: >-

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  ssl-protocols: TLSv1 TLSv1. TLSv1.

  ssl-redirect: 'false'

  worker-cpu-affinity: auto

kind: ConfigMap

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: >

      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"","proxy-body-size":"20m","proxy-connect-timeout":"","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}

  labels:

    app: ingress-nginx

  name: nginx-configuration

  namespace: kube-system

  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration




加上配置之后呢,需要重启下容器 nginx-ingress


验证,能正常相应即可:




$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com

$ curl -v --tlsv1. https://test.com




下图是成功访问的响应:




下图是错误的响应:




参考文档:https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls
												


											
k8s nginx ingress配置TLS的更多相关文章
	

    
								
  1. Kubernetes 部署 Nginx Ingress Controller 之 nginxinc/kubernetes-ingress
		
    更新:这里用的是 nginxinc/kubernetes-ingress ,还有个 kubernetes/ingress-nginx ,它们的区别见 Differences Between nginx ...
    
		
    2. 
						
  2. 微信小程序Nginx环境配置
		
    环境配置概述 主要内容: SSL免费证书申请步骤 Nginx HTTPS 配置 TLS 1.2 升级过程 微信小程序要求使用 https 发送请求,那么Web服务器就要配置成支持 https,需要先申 ...
    
		
    3. 
						
  3. Nginx Ingress 高并发实践
		
    概述 Nginx Ingress Controller 基于 Nginx 实现了 Kubernetes Ingress API,Nginx 是公认的高性能网关,但如果不对其进行一些参数调优,就不能充分 ...
    
		
    4. 
						
  4. [转帖]在 k8s 中通过 Ingress 配置域名访问
		
    在 k8s 中通过 Ingress 配置域名访问 https://juejin.im/post/5db8da4b6fb9a0204520b310 在上篇文章中我们已经使用 k8s 部署了第一个应用,此 ...
    
		
    5. 
						
  5. 见异思迁:K8s 部署 Nginx Ingress Controller 之 kubernetes/ingress-nginx
		
    前天才发现,区区一个 nginx ingress controller 竟然2个不同的实现.一个叫 kubernetes/ingress-nginx ,是由 kubernetes 社区维护的,对应的容 ...
    
		
    6. 
						
  6. k8s的ingress使用
		
    ingress 可以配置一个入口来提供k8s上service从外部来访问的url.负载平衡流量.终止SSL和提供基于名称的虚拟主机. 配置ingress的yaml: 要求域名解析无误 要求servic ...
    
		
    7. 
						
  7. Kubernetes 使用 ingress 配置 https 集群(十五)
		
    目录 一.背景 1.1 需求 1.2 Ingress 1.3 环境介绍 二.安装部署 2.1.创建后端 Pod 应用 2.2 创建后端 Pod Service 2.3.创建 ingress 资源 2. ...
    
		
    8. 
						
  8. 11. Ingress及Ingress Controller(主nginx ingress controller)
		
    11. Ingress,Ingress Controller拥有七层代理调度能力 什么是Ingress: Ingress是授权入站连接到达集群服务的规则集合 Ingress是一个Kubernetes资 ...
    
		
    9. 
						
  9. k8s系列---ingress资源和ingress-controller
		
    https://www.cnblogs.com/zhangeamon/p/7007076.html http://blog.itpub.net/28916011/viewspace-2214747/  ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. tac反向显示文件内容
			
    1.命令功能 tac是cat的反向拼写功能是反向显示文件内容.cat是从文件第一行开始读取文件输出,tac是从最后一行开始读取文件并进行反向输出. 2.语法格式 tac  [option]  [fil ...
    
			
    2. 
						
  2. hdu 4082 Hou Yi's secret(暴力枚举)
			
    Hou Yi's secret Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 32768/32768 K (Java/Others)  ...
    
			
    3. 
						
  3. [POI2008]Sta(树形dp)
			
    [POI2008]Sta Description 给出一个N个点的树,找出一个点来,以这个点为根的树时,所有点的深度之和最大 Input 给出一个数字N,代表有N个点.N<=1000000 下面 ...
    
			
    4. 
						
  4. JS合并两个函数
			
    /** * 合并两个函数 * @param functionA 先执行 * @param functionB 执行完 functionA 后返回 * @returns {*} */ function  ...
    
			
    5. 
						
  5. rabbit-c编译 vs2013
			
    需要openssl的库
    
			
    6. 
						
  6. 理解uboot过程中的优秀博客
			
    To_run_away的博客 https://blog.csdn.net/qq_16777851/column/info/28098/5 加了微信好友,公众号也有文章. Camus https://c ...
    
			
    7. 
						
  7. Kettle日志级别
			
    Kettle的日志级别LogLevel分为以下几个: Nothing 没有日志 不显示任何输出 Error 错误日志 仅仅显示错误信息 Minimal 最小日志 使用最小的日志 Basic 基本日志  ...
    
			
    8. 
						
  8. Linux Crontab命令定时任务基本语法
			
    一.Crontab查看编辑重启 1.查看crontab定时执行任务列表 crontab -l 2.编辑crontab定时执行任务 crontab -e 3.删除crontab定时任务 crontab  ...
    
			
    9. 
						
  9. C#中给RICHTEXTBOX加上背景图片
			
    在系统自带的RichTextBox中是无法给它设置背景图片,但是我们在某些场合可能需要给RichTextBox设置背景图片.那么怎么实现这一想法呢?经过研究发现通过其它巧妙的途径可以给RichText ...
    
			
    10. 
						
  10. hadoop平台搭建
			
    前言 这是小的第一次搭建hadoop平台,写下这篇博客有以下几个目的(ps:本博只记录在linux系统下搭建hadoop的步骤,如果需要了解在其他平台上搭建hadoop的步骤,还请移步): 1.希望大 ...
    
			
    11.