ingress配置静态资源

应用场景


  1. 如果一个域名的配置存在多个location,其中既有配置静态资源的location,也有向后端转发请求(proxy_pass)的location,在nginx的原始配置如下:
    # Hand-written nginx server for dev01-channel.n-orange.com: static files are
    # served from "/" and requests under /loan-web are proxied to a backend.
    server {
            listen       80;
            server_name  dev01-channel.n-orange.com;
     
            access_log  /var/log/nginx/dev01-channel.n-orange.com.log main;
            error_log   /var/log/nginx/dev01-channel.n-orange.com_error.log;
     
            # Permanent redirect for /down?bizChannel=<digits>. The capture accepts
            # digits only and the target host is hard-coded, so the request cannot
            # steer the redirect to another site.
            if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
                rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
            }
     
            # Static site: everything under this root is readable by any client,
            # so the directory should hold only files meant to be public.
            location / {
            root /home/nflow/website/channel;
                index  index.html index.htm;
            }
     
            # Proxied application.
            location /loan-web {
                # Host is forwarded exactly as the client sent it ($http_host).
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Scheme  $scheme;
                # Overwrites any client-supplied X-Forwarded-For with the peer
                # address nginx saw, rather than appending to it.
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass http://xc-loan-web/loan-web;
                proxy_connect_timeout       180;
                proxy_send_timeout          185;
                proxy_read_timeout          190;
                send_timeout                195;
            }
        }

ingress配置


ingress默认情况每段Server的配置都有一个默认的backend_server,即(proxy_pass http://upstream_balancer;)

如果要在ingress上配置静态资源,需要注意静态资源不能与proxy_pass并存,否则对静态资源的请求会被转发到proxy_pass上(所以修改了一下默认配置,关闭了默认后端)

以上的使用场景不能配置在同一个ingress上;如果配置在同一个ingress上,会出现如下情况:

  1. ingress配置如下

    # Single Ingress that declares both the static root and the /loan-web backend.
    # This is the failing case: the generated config shown in step 2 carries
    # proxy_pass, root and index in every location of the server.
    # NOTE(review): the networking.k8s.io/v1beta1 Ingress API is no longer served
    # from Kubernetes 1.22 on; newer clusters need networking.k8s.io/v1.
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: dev01-channel.n-orange.com
      namespace: dev
      annotations:
        # use the shared ingress-nginx
        kubernetes.io/ingress.class: "dev"
        # Snippet annotations paste raw nginx directives into the shared
        # controller's config, so write access to Ingress objects here is in
        # effect write access to that config. Keep RBAC on Ingress tight; newer
        # ingress-nginx releases can switch snippets off through the controller's
        # allow-snippet-annotations setting.
        # The redirect below captures digits only and uses a fixed target host.
        nginx.ingress.kubernetes.io/server-snippet: |
          if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
                rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
            }
        # These three lines appear in both generated locations in step 2.
        # root is a path on the ingress controller's own filesystem -
        # presumably the site files are mounted into the controller pod; confirm.
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_pass http://upstream_balancer;
          root /home/nflow/website/dev02/channel;
          index  index.html index.htm;
        #nginx.ingress.kubernetes.io/enable-cors: "true"
        #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
      labels:
        frontend: channel
    spec:
      rules:
      - host: dev01-channel.n-orange.com
        http:
          paths:
          #- path: /
          # Only /loan-web is routed to a Service.
          - path: /loan-web
            backend:
              serviceName: dev01-xc-loanweb
              servicePort: 8080
  2. 生成的nginx的配置文件如下

    ## start server dev01-channel.n-orange.com
            server {
                    server_name dev01-channel.n-orange.com ;
                     
                    access_log /var/log/nginx/dev01-channel.n-orange.com.log upstreaminfo  if=$loggable;
                     
                    listen 80  ;                           
                    listen 443  ssl http2 ;
                     
                    set $proxy_upstream_name "-";
                     
                    ssl_certificate_by_lua_block {
                            certificate.call()
                    }
                     
                    if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
                            rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
                    }
                     
                    # Generated location for path /loan-web of Ingress
                    # dev/dev01-channel.n-orange.com, backed by dev01-xc-loanweb:8080.
                    location /loan-web {
                             
                            set $namespace      "dev";
                            set $ingress_name   "dev01-channel.n-orange.com";
                            set $service_name   "dev01-xc-loanweb";
                            set $service_port   "8080";
                            set $location_path  "/loan-web";
                             
                            rewrite_by_lua_block {
                                    lua_ingress.rewrite({
                                            force_ssl_redirect = false,
                                            ssl_redirect = true,
                                            force_no_ssl_redirect = false,
                                            use_port_in_redirects = false,
                                    })
                                    balancer.rewrite()
                                    plugins.run()
                            }
                             
                            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
                            # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
                            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
                            #access_by_lua_block {
                            #}
                             
                            header_filter_by_lua_block {
                                    lua_ingress.header()
                                    plugins.run()
                            }
                             
                            body_filter_by_lua_block {
                            }
                             
                            log_by_lua_block {
                                    balancer.log()
                                     
                                    monitor.call()
                                     
                                    plugins.run()
                            }
                                  
                            port_in_redirect off;
                             
                            set $balancer_ewma_score -1;
                            set $proxy_upstream_name "dev-dev01-xc-loanweb-8080";
                            set $proxy_host          $proxy_upstream_name;
                            set $pass_access_scheme  $scheme;
                             
                            set $pass_server_port    $server_port;
                             
                            # $best_http_host is the Host header exactly as the client sent it.
                            set $best_http_host      $http_host;
                            set $pass_port           $pass_server_port;
                             
                            set $proxy_alternative_upstream_name "";
                             
                            client_max_body_size                    1m;
                             
                            proxy_set_header Host                   $best_http_host;
                             
                            # Pass the extracted client certificate to the backend
                             
                            # Allow websocket connections
                            proxy_set_header                        Upgrade           $http_upgrade;
                             
                            proxy_set_header                        Connection        $connection_upgrade;
                             
                            proxy_set_header X-Request-ID           $req_id;
                            proxy_set_header X-Real-IP              $remote_addr;
                             
                            # X-Forwarded-For is overwritten with the peer address, so a value
                            # supplied by the client never reaches the backend under this name.
                            proxy_set_header X-Forwarded-For        $remote_addr;
                             
                            proxy_set_header X-Forwarded-Host       $best_http_host;
                            proxy_set_header X-Forwarded-Port       $pass_port;
                            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
                             
                            proxy_set_header X-Scheme               $pass_access_scheme;
                             
                            # Pass the original X-Forwarded-For
                            # This value is whatever the client sent; backends should treat it
                            # as untrusted and not base access decisions on it.
                            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
                             
                            # mitigate HTTPoxy Vulnerability
                            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                            proxy_set_header Proxy                  "";
                             
                            # Custom headers to proxied server
                             
                            proxy_connect_timeout                   5s;
                            proxy_send_timeout                      60s;
                            proxy_read_timeout                      60s;
                             
                            proxy_buffering                         off;
                            proxy_buffer_size                       4k;
                            proxy_buffers                           4 4k;
                             
                            proxy_max_temp_file_size                1024m;
                             
                            proxy_request_buffering                 on;
                            proxy_http_version                      1.1;
                             
                            proxy_cookie_domain                     off;
                            proxy_cookie_path                       off;
                             
                            # In case of errors try the next upstream server before returning an error
                            proxy_next_upstream                     error timeout;
                            proxy_next_upstream_timeout             0;
                            proxy_next_upstream_tries               3;
                             
                            # The next three lines are the Ingress's configuration-snippet, copied in
                            # verbatim. With proxy_pass present the location proxies every request,
                            # so root and index never serve a file from here.
                            proxy_pass http://upstream_balancer;
                            root /home/nflow/website/dev02/channel;
                            index  index.html index.htm;
                             
                            # Commented-out proxy_pass below: the page says the default
                            # configuration was modified to disable the default backend.
                            #proxy_pass http://upstream_balancer;
                             
                            proxy_redirect                          off;
                             
                    }
                     
                    location / {
                             
                            set $namespace      "";
                            set $ingress_name   "";
                            set $service_name   "";
                            set $service_port   "";
                            set $location_path  "/";
                             
                            rewrite_by_lua_block {
                                    lua_ingress.rewrite({
                                            force_ssl_redirect = false,
                                            ssl_redirect = true,
                                            force_no_ssl_redirect = false,
                                            use_port_in_redirects = false,
                                    })
                                    balancer.rewrite()
                                    plugins.run()
                            }
                             
                            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
                            # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
                            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
                            #access_by_lua_block {
                            #}
                             
                            header_filter_by_lua_block {
                                    lua_ingress.header()
                                    plugins.run()
                            }
                             
                            body_filter_by_lua_block {
                            }
                             
                            log_by_lua_block {
                                    balancer.log()
                                     
                                    monitor.call()
                                     
                                    plugins.run()
                            }
                             
                            port_in_redirect off;
                             
                            set $balancer_ewma_score -1;
                            set $proxy_upstream_name "upstream-default-backend";
                            set $proxy_host          $proxy_upstream_name;
                            set $pass_access_scheme  $scheme;
                             
                            set $pass_server_port    $server_port;
                             
                            set $best_http_host      $http_host;
                            set $pass_port           $pass_server_port;
                             
                            set $proxy_alternative_upstream_name "";
                             
                            client_max_body_size                    1m;
                             
                            proxy_set_header Host                   $best_http_host;
                             
                            # Pass the extracted client certificate to the backend
                             
                            # Allow websocket connections
                            proxy_set_header                        Upgrade           $http_upgrade;
                             
                            proxy_set_header                        Connection        $connection_upgrade;
                             
                            proxy_set_header X-Request-ID           $req_id;
                            proxy_set_header X-Real-IP              $remote_addr;
                             
                            proxy_set_header X-Forwarded-For        $remote_addr;
                             
                            proxy_set_header X-Forwarded-Host       $best_http_host;
                            proxy_set_header X-Forwarded-Port       $pass_port;
                            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
                             
                            proxy_set_header X-Scheme               $pass_access_scheme;
                             
                            # Pass the original X-Forwarded-For
                            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
                                  
                            # mitigate HTTPoxy Vulnerability
                            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                            proxy_set_header Proxy                  "";
                             
                            # Custom headers to proxied server
                             
                            proxy_connect_timeout                   5s;
                            proxy_send_timeout                      60s;
                            proxy_read_timeout                      60s;
                             
                            proxy_buffering                         off;
                            proxy_buffer_size                       4k;
                            proxy_buffers                           4 4k;
                             
                            proxy_max_temp_file_size                1024m;
                             
                            proxy_request_buffering                 on;
                            proxy_http_version                      1.1;
                             
                            proxy_cookie_domain                     off;
                            proxy_cookie_path                       off;
                             
                            # In case of errors try the next upstream server before returning an error
                            proxy_next_upstream                     error timeout;
                            proxy_next_upstream_timeout             0;
                            proxy_next_upstream_tries               3;
                             
                            proxy_pass http://upstream_balancer;
                            root /home/nflow/website/dev02/channel;
                            index  index.html index.htm;
                             
                            #proxy_pass http://upstream_balancer;
                             
                            proxy_redirect                          off;
                             
                    }
                     
            }
            ## end server dev01-channel.n-orange.com

配置示例

  1. 首先创建一个静态资源的ingress,如下

    # Ingress that carries only the static-file settings (no proxy_pass in its
    # configuration-snippet).
    # NOTE(review): the networking.k8s.io/v1beta1 Ingress API is no longer served
    # from Kubernetes 1.22 on; newer clusters need networking.k8s.io/v1.
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: dev01-channel.n-orange.com
      namespace: dev
      annotations:
        # use the shared ingress-nginx
        kubernetes.io/ingress.class: "dev"
        # Snippet annotations paste raw nginx directives into the shared
        # controller's config; restrict who may create or edit Ingress objects,
        # and note that newer ingress-nginx releases can switch snippets off
        # through the controller's allow-snippet-annotations setting.
        nginx.ingress.kubernetes.io/server-snippet: |
          if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
                rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
            }
        # root is a path on the ingress controller's own filesystem, and every
        # file under it becomes readable through this host - presumably the site
        # files are mounted into the controller pod; confirm, and keep the
        # directory limited to public content.
        nginx.ingress.kubernetes.io/configuration-snippet: |
          root /home/nflow/website/dev02/channel;
          index  index.html index.htm;
        #nginx.ingress.kubernetes.io/enable-cors: "true"
        #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
      labels:
        frontend: channel
    # NOTE(review): no `paths` are listed under `http:` as shown; in the generated
    # config of step 3 the root/index lines appear in `location /`.
    spec:
      rules:
      - host: dev01-channel.n-orange.com
        http:
  2. 创建一个带有proxy_pass向后端转发的ingress,如下

    # Ingress that carries only the proxied /loan-web path.
    # NOTE(review): the networking.k8s.io/v1beta1 Ingress API is no longer served
    # from Kubernetes 1.22 on; newer clusters need networking.k8s.io/v1.
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      # NOTE(review): same metadata.name and namespace as the static-resource
      # Ingress in step 1. Two Ingress objects cannot share a name within one
      # namespace, so applying both as written would leave only one of them -
      # presumably the real names differ; confirm.
      name: dev01-channel.n-orange.com
      namespace: dev
      annotations:
        # use the shared ingress-nginx
        kubernetes.io/ingress.class: "dev"
        # Snippet annotations paste raw nginx directives into the shared
        # controller's config; restrict who may create or edit Ingress objects,
        # and note that newer ingress-nginx releases can switch snippets off
        # through the controller's allow-snippet-annotations setting.
        nginx.ingress.kubernetes.io/server-snippet: |
          if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
                rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
            }
        # proxy_pass is supplied here because, per the page, the default template
        # was modified to stop emitting it (it shows up commented out in the
        # generated config).
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_pass http://upstream_balancer;
        #nginx.ingress.kubernetes.io/enable-cors: "true"
        #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
      labels:
        frontend: channel
    spec:
      rules:
      - host: dev01-channel.n-orange.com
        http:
          paths:
          # Only /loan-web is routed to the Service.
          - path: /loan-web
            backend:
              serviceName: dev01-xc-loanweb
              servicePort: 8080
  3. 生成的nginx配置文件如下

    ## start server dev01-channel.n-orange.com
    server {
            server_name dev01-channel.n-orange.com ;
             
            access_log /var/log/nginx/dev01-channel.n-orange.com.log upstreaminfo  if=$loggable;
             
            listen 80  ;
            listen 443  ssl http2 ;
             
            set $proxy_upstream_name "-";
             
            ssl_certificate_by_lua_block {
                    certificate.call()
            }
             
            if ($request_uri ~* "^/down\?bizChannel=(\d+)$") {
                    rewrite .* https://dev01-channel.n-orange.com/#/channeldown?$1 permanent;
            }
             
            location /loan-web {
                     
                    set $namespace      "dev";
                    set $ingress_name   "dev01-channel.n-orange.com";
                    set $service_name   "dev01-xc-loanweb";
                    set $service_port   "8080";
                    set $location_path  "/loan-web";
                     
                    rewrite_by_lua_block {
                            lua_ingress.rewrite({
                                    force_ssl_redirect = false,
                                    ssl_redirect = true,
                                    force_no_ssl_redirect = false,
                                    use_port_in_redirects = false,
                            })
                            balancer.rewrite()
                            plugins.run()
                    }
                     
                    # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
                    # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
                    # other authentication method such as basic auth or external auth useless - all requests will be allowed.
                    #access_by_lua_block {
                    #}
                     
                    header_filter_by_lua_block {
                            lua_ingress.header()
                            plugins.run()
                    }
                     
                    body_filter_by_lua_block {
                    }
                     
                    log_by_lua_block {
                            balancer.log()
                             
                            monitor.call()
                             
                            plugins.run()
                    }   
                     
                    port_in_redirect off;
                     
                    set $balancer_ewma_score -1;
                    set $proxy_upstream_name "dev-dev01-xc-loanweb-8080";
                    set $proxy_host          $proxy_upstream_name;
                    set $pass_access_scheme  $scheme;
                     
                    set $pass_server_port    $server_port;
                     
                    set $best_http_host      $http_host;
                    set $pass_port           $pass_server_port;
                     
                    set $proxy_alternative_upstream_name "";
                     
                    client_max_body_size                    1m;
                     
                    proxy_set_header Host                   $best_http_host;
                     
                    # Pass the extracted client certificate to the backend
                     
                    # Allow websocket connections
                    proxy_set_header                        Upgrade           $http_upgrade;
                     
                    proxy_set_header                        Connection        $connection_upgrade;
                     
                    proxy_set_header X-Request-ID           $req_id;
                    proxy_set_header X-Real-IP              $remote_addr;
                     
                    proxy_set_header X-Forwarded-For        $remote_addr;
                     
                    proxy_set_header X-Forwarded-Host       $best_http_host;
                    proxy_set_header X-Forwarded-Port       $pass_port;
                    proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
                     
                    proxy_set_header X-Scheme               $pass_access_scheme;
                     
                    # Pass the original X-Forwarded-For
                    proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
                     
                    # mitigate HTTPoxy Vulnerability
                    # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                    proxy_set_header Proxy                  "";
                     
                    # Custom headers to proxied server
                     
                    proxy_connect_timeout                   5s;
                    proxy_send_timeout                      60s;
                    proxy_read_timeout                      60s;
                     
                    proxy_buffering                         off;
                    proxy_buffer_size                       4k;
                    proxy_buffers                           4 4k;
                     
                    proxy_max_temp_file_size                1024m;
                     
                    proxy_request_buffering                 on;
                    proxy_http_version                      1.1;
                     
                    proxy_cookie_domain                     off;
                    proxy_cookie_path                       off;
                     
                    # In case of errors try the next upstream server before returning an error
                    proxy_next_upstream                     error timeout;
                    proxy_next_upstream_timeout             0;
                    proxy_next_upstream_tries               3;
                     
                    proxy_pass http://upstream_balancer;
                     
                    #proxy_pass http://upstream_balancer;
                     
                    proxy_redirect                          off;
                     
            }
             
            location / {
                     
                    set $namespace      "";
                    set $ingress_name   "";
                    set $service_name   "";
                    set $service_port   "";
                    set $location_path  "/";
                     
                    rewrite_by_lua_block {
                            lua_ingress.rewrite({
                                    force_ssl_redirect = false,
                                    ssl_redirect = true,
                                    force_no_ssl_redirect = false,
                                    use_port_in_redirects = false,
                            })
                            balancer.rewrite()
                            plugins.run()
                    }
                     
                    # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
                    # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
                    # other authentication method such as basic auth or external auth useless - all requests will be allowed.
                    #access_by_lua_block {
                    #}
                     
                    header_filter_by_lua_block {
                            lua_ingress.header()
                            plugins.run()
                    }   
                     
                    body_filter_by_lua_block {
                    }
                     
                    log_by_lua_block {
                            balancer.log()
                             
                            monitor.call()
                             
                            plugins.run()
                    }
                     
                    port_in_redirect off;
                     
                    set $balancer_ewma_score -1;
                    set $proxy_upstream_name "upstream-default-backend";
                    set $proxy_host          $proxy_upstream_name;
                    set $pass_access_scheme  $scheme;
                     
                    set $pass_server_port    $server_port;
                     
                    set $best_http_host      $http_host;
                    set $pass_port           $pass_server_port;
                     
                    set $proxy_alternative_upstream_name "";
                     
                    client_max_body_size                    1m;
                     
                    proxy_set_header Host                   $best_http_host;
                     
                    # Pass the extracted client certificate to the backend
                     
                    # Allow websocket connections
                    proxy_set_header                        Upgrade           $http_upgrade;
                     
                    proxy_set_header                        Connection        $connection_upgrade;
                     
                    proxy_set_header X-Request-ID           $req_id;
                    proxy_set_header X-Real-IP              $remote_addr;
                     
                    proxy_set_header X-Forwarded-For        $remote_addr;
                     
                    proxy_set_header X-Forwarded-Host       $best_http_host;
                    proxy_set_header X-Forwarded-Port       $pass_port;
                    proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
                     
                    proxy_set_header X-Scheme               $pass_access_scheme;
                     
                    # Pass the original X-Forwarded-For
                    proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
                     
                    # mitigate HTTPoxy Vulnerability
                    # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                    proxy_set_header Proxy                  "";
                     
                    # Custom headers to proxied server
                     
                    proxy_connect_timeout                   5s;
                    proxy_send_timeout                      60s;
                    proxy_read_timeout                      60s;
                     
                    proxy_buffering                         off;
                    proxy_buffer_size                       4k;
                    proxy_buffers                           4 4k;
                     
                    proxy_max_temp_file_size                1024m;
                     
                    proxy_request_buffering                 on;
                    proxy_http_version                      1.1;
                     
                    proxy_cookie_domain                     off;
                    proxy_cookie_path                       off;
                     
                    # In case of errors try the next upstream server before returning an error
                    proxy_next_upstream                     error timeout;
                    proxy_next_upstream_timeout             0;
                    proxy_next_upstream_tries               3;
                     
                    root /home/nflow/website/dev02/channel;
                    index  index.html index.htm;
                     
                    #proxy_pass http://upstream_balancer;
                     
                    proxy_redirect                          off;
                     
            }
             
    }
    ## end server dev01-channel.n-orange.com

     
