gpt4 book ai didi

kubernetes - Istio:如何重定向到 HTTPS,除了/.well-known/acme-challenge

转载 作者:行者123 更新时间:2023-12-04 13:31:23 27 4
gpt4 key购买 nike

我希望作为 HTTP 重定向到 HTTPS 的流量到达我的集群。但是,集群接收来自数百个动态更改的域的请求(使用 cert-manager 创建新证书)。所以我希望重定向仅在 URI 没有前缀 /.well-known/acme-challenge 时发生
我正在使用监听 443 的网关和监听 80 并将 HTTP 发送到 acme-solver 虚拟服务的其他网关。

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: default-gateway
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- site1.com
port:
name: https-site1.com
number: 443
protocol: HTTPS
tls:
credentialName: cert-site1.com
mode: SIMPLE
- hosts:
- site2.com
port:
name: https-site2.com
number: 443
protocol: HTTPS
tls:
credentialName: cert-site2.com
mode: SIMPLE
...
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: acme-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: acme-solver
namespace: istio-system
spec:
hosts:
- "*"
gateways:
- acme-gateway
http:
- match:
- uri:
prefix: /.well-known/acme-challenge
route:
- destination:
host: acme-solver.istio-system.svc.cluster.local
port:
number: 8089
- redirect:
authority: # Should redirect to https://$HOST, but I don't know how to get the $HOST
我怎样才能使用 istio 做到这一点?

最佳答案

查看文档:

  • HTTP-01 质询只能在端口 80 上完成。允许客户端指定任意端口会降低质询的安全性,因此 ACME 标准不允许这样做。

  • 作为解决方法:
  • 请考虑使用 DNS-01 挑战:

  • a) 只有当您的 DNS 提供商具有可用于自动化的 API 时,才可以使用 DNS-01 挑战 updates .
    b) 使用这种方法时,您应该考虑额外的安全风险,如 docs 中所述。 :
    优点:
    您可以使用此质询来颁发包含通配符域名的证书。
    即使您有多个 Web 服务器,它也能很好地工作。
    缺点:
    * 在您的 Web 服务器上保留 API 凭据是有风险的。
    您的 DNS 提供商可能不提供 API。
    您的 DNS API 可能不提供有关传播时间的信息。
    如前所述 here :

    In order to be automatic, though, the software that requests the certificate will also need to be able to modify the DNS records for that domain. In order to modify the DNS records, that software will also need to have access to the credentials for the DNS service (e.g. the login and password, or a cryptographic token), and those credentials will have to be stored wherever the automation takes place. In many cases, this means that if the machine handling the process gets compromised, so will the DNS credentials, and this is where the real danger lies.


  • 我还建议使用另一种方法来使用一些简单的 nginx pod,它将所有 http 流量重定向到 https。

  • medium上有教程使用 nginx 配置,您可能会尝试使用。
    apiVersion: v1
    kind: ConfigMap
    metadata:
    name: nginx-config
    data:
    nginx.conf: |
    server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
    }
    ---
    apiVersion: v1
    kind: Service
    metadata:
    name: redirect
    labels:
    app: redirect
    spec:
    ports:
    - port: 80
    name: http
    selector:
    app: redirect
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
    name: redirect
    spec:
    replicas: 1
    selector:
    matchLabels:
    app: redirect
    template:
    metadata:
    labels:
    app: redirect
    spec:
    containers:
    - name: redirect
    image: nginx:stable
    resources:
    requests:
    cpu: "100m"
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /etc/nginx/conf.d
    name: config
    volumes:
    - name: config
    configMap:
    name: nginx-config
    此外,您必须更改虚拟服务以发送除 prefix: /.well-known/acme-challenge 之外的所有流量。到 Nginx。
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
    name: acme-solver
    namespace: istio-system
    spec:
    hosts:
    - "*"
    gateways:
    - acme-gateway
    http:
    - name: "acmesolver"
    match:
    - uri:
    prefix: /.well-known/acme-challenge
    route:
    - destination:
    host: reviews.prod.svc.cluster.local
    port:
    number: 8089
    - name: "nginx"
    route:
    - destination:
    host: nginx

    关于kubernetes - Istio:如何重定向到 HTTPS,除了/.well-known/acme-challenge,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64877650/

    27 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com