版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/moxiaomomo/article/details/83894772
问题描述
通过traefik添加了服务域名代理,如:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: common-service
namespace: default
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: test.example.com
http:
paths:
- path: /
backend:
serviceName: test-server
servicePort: 8080
访问该服务时, http://test.example.com, 陷入了302重定向的死循环:
location: https://test.example.com:443/
问题跟踪解决
经过排查后,发现是在自己的traefik.toml配置中,所有的http请求都会被转发到https处理,如:
defaultEntryPoints = ["http","https"]
insecureSkipVerify = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/opt/k8s/ssl/ssl.crt"
keyFile = "/opt/k8s/ssl/ssl.key"
因为我的服务test-server是隐藏在nginx代理之后的,大概就经历了这么一个流程:
用户 --(https://test.example.com)--> nginx --(http://192.168.x.xx)--> test-server (返回302地址:https://test.example.com:443)
用户 --(https://test.example.com:443)--> nginx --(http://192.168.x.xx)--> test-server (返回302:https://test.example.com:443)
// 死循环
当前的解决方法: 取消http强制转https的逻辑, 或者只对指定的域名转https协议。
#注释traefik.toml以下两行, 更新configmap及test-server
# [entryPoints.http.redirect]
# entryPoint = "https"
# 或加上过滤规则,如:
[entryPoints.http.redirect]
regex = "^http://test2.example.com/(.*)"
replacement = "https://test2.example.com/$1"