ingress配置静态资源
应用场景
- 如果一个域名的配置存在多个 location, 同时 location 中既配置了静态资源, 又配置了向后端转发的请求(proxy_pass), 在 nginx 的原始配置如下
# Original (non-Kubernetes) nginx vhost: one server block that serves the SPA
# from disk at "/" and proxies "/loan-web" to an upstream. The Ingress
# manifests below try to reproduce exactly this split.
server {
    listen 80;
    server_name dev01-channel.n-orange.com;
    access_log /var/log/nginx/dev01-channel.n-orange.com.log main;
    error_log /var/log/nginx/dev01-channel.n-orange.com_error.log;

    # Legacy deep link "/down?bizChannel=<digits>" -> SPA hash route.
    # The capture is restricted to \d+, so only a numeric id is reflected into
    # the redirect target (no user-controlled host or path reaches Location).
    # NOTE(review): the replacement has no trailing "?", so nginx appends the
    # original query string after $1; the fragment the browser sees is
    # presumably "#/channeldown?<n>&bizChannel=<n>" -- confirm this is intended.
    if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
        rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
    }

    # Static SPA files.
    location / {
        root /home/nflow/website/channel;
        index index.html index.htm;
    }

    # Backend API. Prefix location without trailing slash: "/loan-webXYZ" also
    # matches here.
    location /loan-web {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        # Overwrites (does not append to) any client-supplied X-Forwarded-For,
        # so the backend sees the real peer address, not a spoofed chain.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://xc-loan-web/loan-web;
        # Long timeouts (seconds): a slow backend keeps a worker connection busy
        # for ~3 minutes per request.
        proxy_connect_timeout 180;
        proxy_send_timeout 185;
        proxy_read_timeout 190;
        send_timeout 195;
    }
}
ingress配置
ingress 默认情况下, 每个 server 段的配置都带有一个默认的 backend(即 location /), 其内容为 proxy_pass http://upstream_balancer;
如果要在 ingress 上配置静态资源, 静态资源(root)不能与 proxy_pass 并存: 同一个 location 中 proxy_pass 优先, 对静态资源的请求会被转发到 proxy_pass 指向的后端(所以修改了一下默认配置, 关闭了默认后端的 proxy_pass)
以上的使用场景不能配置在同一个 ingress 上; 如果配置在同一个 ingress 上, 该 ingress 会出现如下情况
-
ingress配置如下
# The "everything in one Ingress" attempt that does NOT work: the
# configuration-snippet below is injected into every location of this host,
# so "/" gets both proxy_pass and root, and proxy_pass wins (see the generated
# nginx config that follows).
# NOTE(review): networking.k8s.io/v1beta1 Ingress and the
# kubernetes.io/ingress.class annotation are deprecated; newer clusters need
# networking.k8s.io/v1 with spec.ingressClassName -- check the cluster version.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: dev01-channel.n-orange.com
  namespace: dev
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "dev"
    # server-snippet / configuration-snippet inject raw nginx directives into
    # the shared controller. Anyone allowed to create or update Ingress objects
    # in this namespace can therefore push arbitrary nginx (including lua)
    # config into the controller that serves every host of class "dev"; keep
    # that RBAC tight. Newer controller versions gate this behind the
    # allow-snippet-annotations setting.
    nginx.ingress.kubernetes.io/server-snippet: |
      if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
        rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
      }
    # Applied to every location generated for this Ingress, not just "/":
    # proxy_pass + root in the same location means root is dead config.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_pass http://upstream_balancer;
      root /home/nflow/website/dev02/channel;
      index index.html index.htm;
    #nginx.ingress.kubernetes.io/enable-cors: "true"
    #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
  labels:
    frontend: channel
spec:
  rules:
  - host: dev01-channel.n-orange.com
    http:
      paths:
      #- path: /
      - path: /loan-web
        backend:
          serviceName: dev01-xc-loanweb
          servicePort: 8080
-
生成的nginx的配置文件如下
# Generated by ingress-nginx from the single-Ingress manifest above. The lua
# phase hooks and proxy_* settings are controller boilerplate; the lines that
# originate from the Ingress annotations are marked below. The defect this
# page describes is visible in "location /": proxy_pass and root/index in the
# same location, and proxy_pass takes precedence.
## start server dev01-channel.n-orange.com
server {
    server_name dev01-channel.n-orange.com ;
    access_log /var/log/nginx/dev01-channel.n-orange.com.log upstreaminfo if=$loggable;
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    # Certificate is selected per-handshake by the controller's lua code.
    ssl_certificate_by_lua_block {
        certificate.call()
    }
    # from server-snippet: runs at server scope, before location matching.
    # NOTE(review): no trailing "?" in the replacement, so the original query
    # string is appended after $1 -- harmless for hash routing, but confirm.
    if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
        rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
    }
    # Location created for the Ingress path /loan-web -> Service
    # dev01-xc-loanweb:8080 (prefix match, no trailing slash).
    location /loan-web {
        set $namespace "dev";
        set $ingress_name "dev01-channel.n-orange.com";
        set $service_name "dev01-xc-loanweb";
        set $service_port "8080";
        set $location_path "/loan-web";
        # ssl_redirect = true: the controller's lua phase is expected to send
        # plain-HTTP requests to HTTPS; the lua itself is not shown here.
        rewrite_by_lua_block {
            lua_ingress.rewrite({
                force_ssl_redirect = false,
                ssl_redirect = true,
                force_no_ssl_redirect = false,
                use_port_in_redirects = false,
            })
            balancer.rewrite()
            plugins.run()
        }
        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}
        header_filter_by_lua_block {
            lua_ingress.header()
            plugins.run()
        }
        body_filter_by_lua_block {
        }
        log_by_lua_block {
            balancer.log()
            monitor.call()
            plugins.run()
        }
        port_in_redirect off;
        set $balancer_ewma_score -1;
        # Upstream name the lua balancer resolves to the Service endpoints.
        set $proxy_upstream_name "dev-dev01-xc-loanweb-8080";
        set $proxy_host $proxy_upstream_name;
        set $pass_access_scheme $scheme;
        set $pass_server_port $server_port;
        set $best_http_host $http_host;
        set $pass_port $pass_server_port;
        set $proxy_alternative_upstream_name "";
        client_max_body_size 1m;
        proxy_set_header Host $best_http_host;
        # Pass the extracted client certificate to the backend
        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Request-ID $req_id;
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For is overwritten with the real peer address ...
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Scheme $pass_access_scheme;
        # Pass the original X-Forwarded-For
        # ... while the client-supplied value is forwarded unmodified here. The
        # backend must not use X-Original-Forwarded-For for allow-lists, rate
        # limits or audit -- it is attacker-controlled.
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to proxied server
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_max_temp_file_size 1024m;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0;
        proxy_next_upstream_tries 3;
        # from configuration-snippet: the snippet is applied to this location
        # too. proxy_pass handles the request, so root/index are dead here
        # (harmless for /loan-web, which is meant to be proxied).
        proxy_pass http://upstream_balancer;
        root /home/nflow/website/dev02/channel;
        index index.html index.htm;
        # The template's own proxy_pass, commented out -- consistent with the
        # page's note that the default backend was switched off in the
        # controller configuration.
        #proxy_pass http://upstream_balancer;
        proxy_redirect off;
    }
    # Default-backend location for this host: no Ingress path claims "/", so
    # $ingress_name is empty and the upstream is "upstream-default-backend".
    location / {
        set $namespace "";
        set $ingress_name "";
        set $service_name "";
        set $service_port "";
        set $location_path "/";
        rewrite_by_lua_block {
            lua_ingress.rewrite({
                force_ssl_redirect = false,
                ssl_redirect = true,
                force_no_ssl_redirect = false,
                use_port_in_redirects = false,
            })
            balancer.rewrite()
            plugins.run()
        }
        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}
        header_filter_by_lua_block {
            lua_ingress.header()
            plugins.run()
        }
        body_filter_by_lua_block {
        }
        log_by_lua_block {
            balancer.log()
            monitor.call()
            plugins.run()
        }
        port_in_redirect off;
        set $balancer_ewma_score -1;
        set $proxy_upstream_name "upstream-default-backend";
        set $proxy_host $proxy_upstream_name;
        set $pass_access_scheme $scheme;
        set $pass_server_port $server_port;
        set $best_http_host $http_host;
        set $pass_port $pass_server_port;
        set $proxy_alternative_upstream_name "";
        client_max_body_size 1m;
        proxy_set_header Host $best_http_host;
        # Pass the extracted client certificate to the backend
        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Request-ID $req_id;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Scheme $pass_access_scheme;
        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to proxied server
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_max_temp_file_size 1024m;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0;
        proxy_next_upstream_tries 3;
        # from configuration-snippet. THIS is the failure: proxy_pass is a
        # content handler and takes precedence over root/index, so every "/"
        # request is proxied to upstream-default-backend and the static files
        # under root are never served.
        proxy_pass http://upstream_balancer;
        root /home/nflow/website/dev02/channel;
        index index.html index.htm;
        #proxy_pass http://upstream_balancer;
        proxy_redirect off;
    }
}
## end server dev01-channel.n-orange.com
配置示例
-
首先创建一个静态资源的ingress,如下
# Ingress 1 of 2: static files only. Its configuration-snippet carries just
# root/index (no proxy_pass), so the location that receives it serves from disk.
# NOTE(review): metadata.name/namespace are identical to the proxy Ingress
# shown next; two objects of the same kind, name and namespace cannot coexist,
# so applying the second one replaces this one. Presumably the real objects use
# distinct names (e.g. <name>-static / <name>-api) -- confirm before copying.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: dev01-channel.n-orange.com
  namespace: dev
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "dev"
    # Raw nginx injected into the shared controller; whoever can write Ingress
    # objects in this namespace controls nginx config for every host of class
    # "dev". Restrict that RBAC accordingly.
    nginx.ingress.kubernetes.io/server-snippet: |
      if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
        rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
      }
    nginx.ingress.kubernetes.io/configuration-snippet: |
      root /home/nflow/website/dev02/channel;
      index index.html index.htm;
    #nginx.ingress.kubernetes.io/enable-cors: "true"
    #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
  labels:
    frontend: channel
spec:
  rules:
  - host: dev01-channel.n-orange.com
    http:
    # NOTE(review): the page as captured ends here with no `paths` under
    # `http:`; an http rule without paths is not a valid Ingress, so this
    # listing is presumably truncated. How the root/index above reaches the
    # controller's default "location /" (see the generated config below) is
    # not shown either -- verify against the controller version in use.
-
创建一个带有proxy_pass向后端转发的ingress,如下
# Ingress 2 of 2: the proxied path /loan-web -> dev01-xc-loanweb:8080.
# NOTE(review): same metadata.name and namespace as the static Ingress above;
# applying this object replaces that one. Presumably the real objects use
# distinct names (e.g. <name>-static / <name>-api) -- confirm before copying.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: dev01-channel.n-orange.com
  namespace: dev
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "dev"
    # Same server-level redirect as in the static Ingress; both objects
    # contribute to one nginx server block for this host, so keep the two
    # snippets identical or the generated config will depend on apply order.
    nginx.ingress.kubernetes.io/server-snippet: |
      if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
        rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
      }
    # Because the controller's own proxy_pass was disabled in its template
    # (it appears commented out in the generated config below), every Ingress
    # on class "dev" that must reach a backend has to re-add proxy_pass here.
    # An Ingress that omits it is silently served from the default root
    # instead of its Service -- worth a note in the team's Ingress checklist.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_pass http://upstream_balancer;
    #nginx.ingress.kubernetes.io/enable-cors: "true"
    #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
  labels:
    frontend: channel
spec:
  rules:
  - host: dev01-channel.n-orange.com
    http:
      paths:
      - path: /loan-web
        backend:
          serviceName: dev01-xc-loanweb
          servicePort: 8080
-
生成的nginx配置文件如下
# Generated by ingress-nginx from the two-Ingress setup above. Compared with
# the single-Ingress attempt, "location /loan-web" carries only proxy_pass and
# "location /" carries only root/index, so each request class gets exactly one
# content handler. Controller boilerplate (lua phases, proxy_* settings) is
# unchanged; lines that originate from the Ingress annotations are marked.
## start server dev01-channel.n-orange.com
server {
    server_name dev01-channel.n-orange.com ;
    access_log /var/log/nginx/dev01-channel.n-orange.com.log upstreaminfo if=$loggable;
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    # Certificate is selected per-handshake by the controller's lua code.
    ssl_certificate_by_lua_block {
        certificate.call()
    }
    # from server-snippet: runs at server scope, before location matching.
    if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
        rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
    }
    # Location from the proxy Ingress: /loan-web -> Service dev01-xc-loanweb:8080.
    location /loan-web {
        set $namespace "dev";
        set $ingress_name "dev01-channel.n-orange.com";
        set $service_name "dev01-xc-loanweb";
        set $service_port "8080";
        set $location_path "/loan-web";
        # ssl_redirect = true: the controller's lua phase is expected to send
        # plain-HTTP requests to HTTPS; the lua itself is not shown here.
        rewrite_by_lua_block {
            lua_ingress.rewrite({
                force_ssl_redirect = false,
                ssl_redirect = true,
                force_no_ssl_redirect = false,
                use_port_in_redirects = false,
            })
            balancer.rewrite()
            plugins.run()
        }
        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}
        header_filter_by_lua_block {
            lua_ingress.header()
            plugins.run()
        }
        body_filter_by_lua_block {
        }
        log_by_lua_block {
            balancer.log()
            monitor.call()
            plugins.run()
        }
        port_in_redirect off;
        set $balancer_ewma_score -1;
        set $proxy_upstream_name "dev-dev01-xc-loanweb-8080";
        set $proxy_host $proxy_upstream_name;
        set $pass_access_scheme $scheme;
        set $pass_server_port $server_port;
        set $best_http_host $http_host;
        set $pass_port $pass_server_port;
        set $proxy_alternative_upstream_name "";
        client_max_body_size 1m;
        proxy_set_header Host $best_http_host;
        # Pass the extracted client certificate to the backend
        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Request-ID $req_id;
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For is overwritten with the real peer address ...
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Scheme $pass_access_scheme;
        # Pass the original X-Forwarded-For
        # ... while the client-supplied value is forwarded unmodified here. The
        # backend must not use X-Original-Forwarded-For for allow-lists, rate
        # limits or audit -- it is attacker-controlled.
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to proxied server
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_max_temp_file_size 1024m;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0;
        proxy_next_upstream_tries 3;
        # from configuration-snippet of the proxy Ingress: the only proxy_pass
        # left in this location, since the template's own one is commented out.
        proxy_pass http://upstream_balancer;
        #proxy_pass http://upstream_balancer;
        proxy_redirect off;
    }
    # Default-backend location for this host: $ingress_name is empty and the
    # upstream name is "upstream-default-backend", but with the template's
    # proxy_pass disabled nothing is proxied -- root/index serve the SPA.
    location / {
        set $namespace "";
        set $ingress_name "";
        set $service_name "";
        set $service_port "";
        set $location_path "/";
        rewrite_by_lua_block {
            lua_ingress.rewrite({
                force_ssl_redirect = false,
                ssl_redirect = true,
                force_no_ssl_redirect = false,
                use_port_in_redirects = false,
            })
            balancer.rewrite()
            plugins.run()
        }
        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}
        header_filter_by_lua_block {
            lua_ingress.header()
            plugins.run()
        }
        body_filter_by_lua_block {
        }
        log_by_lua_block {
            balancer.log()
            monitor.call()
            plugins.run()
        }
        port_in_redirect off;
        set $balancer_ewma_score -1;
        set $proxy_upstream_name "upstream-default-backend";
        set $proxy_host $proxy_upstream_name;
        set $pass_access_scheme $scheme;
        set $pass_server_port $server_port;
        set $best_http_host $http_host;
        set $pass_port $pass_server_port;
        set $proxy_alternative_upstream_name "";
        client_max_body_size 1m;
        # The proxy_set_header / proxy_* block below is emitted by the template
        # but has no effect in this location: there is no active proxy_pass.
        proxy_set_header Host $best_http_host;
        # Pass the extracted client certificate to the backend
        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Request-ID $req_id;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Scheme $pass_access_scheme;
        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to proxied server
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_max_temp_file_size 1024m;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0;
        proxy_next_upstream_tries 3;
        # from configuration-snippet of the static Ingress: static files are
        # served from this directory; index.html is the SPA entry point.
        # Anything placed under this root is world-readable over HTTP -- keep
        # build artefacts and config out of it.
        root /home/nflow/website/dev02/channel;
        index index.html index.htm;
        # Template's default-backend proxy_pass, commented out in the
        # controller configuration (the "关闭了默认后端" change above).
        #proxy_pass http://upstream_balancer;
        proxy_redirect off;
    }
}
## end server dev01-channel.n-orange.com