Verifying the externalTrafficPolicy setting in k8s with nginx

In the article at https://www.cnblogs.com/zoujiaojiao/p/18044324 we introduced the externalTrafficPolicy setting. This post uses nginx logs to show again how the externalTrafficPolicy modes differ.

Domain name ---> 172.16.80.32 (domain resolution, reverse proxy) -----> nginx-pod1 (Local mode, simulates a front end that proxies to nginx2-pod2) -----> nginx2-pod2 (Cluster mode, the actual back-end service)

nginx log format

    log_format main  '"$remote_addr" "$remote_user" "$time_local" "$status" "$request" '
                     '"$http_referer" "$body_bytes_sent" "$bytes_sent" "$connection" '
                     '"$connection_requests" "$content_type" "$cookie_jsessionid" '
                     '"$http_x_forwarded_for" "$limit_rate" "$proxy_add_x_forwarded_for" '
                     '"$remote_port" "$request_body_file" "$request_filename" "$request_length" '
                     '"$request_time" "$host" "-" "-" "$upstream_addr" '
                     '"$upstream_response_time" "$args" "$http_user_agent" "$http_request_from" "$upstream_status"';

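Log results:

Log of nginx-6dc9796684-zhvcx: it captures the client IP
Log of nginx2-755998b95f-fh26v: it captures the pod IP of the nginx layer in front of it

Deployment

Simulated front end: nginx-svc (Local)

Simulated back end: nginx2-svc

Virtual host configuration file tmp.conf on nginx (172.16.80.32)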

    upstream tmp32653 {
        server 172.16.80.53:32653 weight=10 max_fails=3 fail_timeout=30s;
    }

    server {
        listen       80;
        listen       443 ssl;
        server_name  tmp.shengydt.com;

        ssl_certificate /usr/local/nginx/cert/shengydt.com.pem;
        ssl_certificate_key /usr/local/nginx/cert/shengydt.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_buffer_size 1400;
        add_header Strict-Transport-Security max-age=15768000;
        ssl_stapling on;
        ssl_stapling_verify on;
        if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

        # Use a fixed timestamp format in the log: 2023-09-28 15:57:01
        if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})") {
            set $year $1;
            set $month $2;
            set $day $3;
            set $hour $4;
            set $minutes $5;
            set $seconds $6;
        }

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Nginx-Proxy true;
            proxy_pass http://tmp32653;
            proxy_set_header X-Forwarded-Proto $scheme;
            access_log   /prod-meta-logs/nginx-logs/tmp.access.log json;
            error_log    /prod-meta-logs/nginx-logs/tmp.error.log;
        }
    }

Visiting the tmp.shengydt.com domain from a browser and checking the container logs shows that Local mode captures the client IP, while Cluster mode only captures the pod IP.
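The log comparison above can be automated. The following is an added example, not the author's code: it parses lines written in the page's `log_format main` and reports whether `$remote_addr` is a pod address and what `X-Forwarded-For` carried. The pod CIDR 10.244.0.0/16, the function names and both sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Field order of the page's `log_format main`; every value is wrapped in double quotes.
FIELDS = ("remote_addr remote_user time_local status request http_referer "
          "body_bytes_sent bytes_sent connection connection_requests content_type "
          "cookie_jsessionid http_x_forwarded_for limit_rate proxy_add_x_forwarded_for "
          "remote_port request_body_file request_filename request_length request_time "
          "host dash1 dash2 upstream_addr upstream_response_time args http_user_agent "
          "http_request_from upstream_status").split()

POD_CIDR = ipaddress.ip_network("10.244.0.0/16")  # assumption: the cluster's pod network


def parse_line(line):
    """Split one access-log line into a dict keyed by FIELDS."""
    values = re.findall(r'"([^"]*)"', line)
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} quoted fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def classify(line, pod_cidr=POD_CIDR):
    """Report whether $remote_addr is a pod address and what X-Forwarded-For carried."""
    entry = parse_line(line)
    peer = ipaddress.ip_address(entry["remote_addr"])
    hops = [h.strip() for h in entry["http_x_forwarded_for"].split(",")]
    return {
        "remote_addr": str(peer),
        "peer_is_pod": peer in pod_cidr,
        "xff_chain": [h for h in hops if h and h != "-"],  # nginx logs "-" when unset
    }


def sample_line(remote_addr, xff):
    """Build a constructed log line (not taken from the page) in the 29-field format."""
    values = dict.fromkeys(FIELDS, "-")
    values.update(remote_addr=remote_addr, http_x_forwarded_for=xff, status="200",
                  time_local="19/Mar/2024:17:10:01 +0800", request="GET / HTTP/1.1",
                  host="tmp.shengydt.com")
    return " ".join(f'"{values[name]}"' for name in FIELDS)


# Constructed samples: the front end behind the Local service, the back end behind Cluster.
FRONT_LINE = sample_line("172.16.80.32", "203.0.113.7")
BACK_LINE = sample_line("10.244.1.23", "203.0.113.7, 172.16.80.32")

if __name__ == "__main__":
    for pod, line in (("nginx", FRONT_LINE), ("nginx2", BACK_LINE)):
        print(pod, classify(line))
```

When `peer_is_pod` is true, IP-based allow lists or rate limits on that tier act on the proxy hop rather than the caller. The `X-Forwarded-For` chain is only as trustworthy as the hops that set it.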

posted @ 2024-03-19 17:20  邹姣姣