Ingress-nginx随记:修订间差异

来自三线的随记
(创建页面,内容为“Ingress nginx annotation doc https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ === Lua 相关 === nginx 原生是不支持Lua的, Ingress nginx能用lua是因为引用了 [https://github.com/openresty/lua-nginx-module openresty/lua-nginx-module] 需要特别注意的是 ''<code>rewrite_by_lua_block</code>'' always runs ''after'' the standard ngx_http_rewrite_module. -- TO DO -- 分类:Ingress 分类:K8s”)
 
无编辑摘要
 
(未显示同一用户的4个中间版本)
第2行: 第2行:


https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
=== UseForwardedHeaders (configmap配置键: use-forwarded-headers, default: false) ===
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers
* If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers.
* If false, NGINX ignores incoming <code>X-Forwarded-*</code> headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets.
当 use_forwarded_headers 开启后, <code>x-forwarded-proto</code> 及 <code>x-forwarded-port</code> 及 <code>x-forwarded-host</code> header将会被传递到后端。
且由于 ''<code>rewrite_by_lua_block</code>''  是在 <code>ngx_http_rewrite_module</code> 之后运行的(set 指令位于ngx_http_rewrite_module),所以我们可以结合 Ingress-Nginx 的 annotation 实现对 hosts 字段的修改
例如在ingress cr中利用以下的 annotation,这样假设到 ingress 中的请求,带有 Name 为 realdomain 的 cookie,那么该请求的 <code>hosts</code> 及 <code>x-forwarded-host</code>  就会被改写为 realdomain 相应的值,然后再转发给相应的 Backend
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($cookie_realdomain != "") {
        set $http_x_forwarded_host $cookie_realdomain;
      }
以下以 ingress-nginx-controller v0.49.3版本为例:
Ingress-Nginx 中 Lua 关联实现如下:
-- rewrite gets called in every location context.
-- This is where we do variable assignments to be used in subsequent
-- phases or redirection
function _M.rewrite(location_config)
  ngx.var.pass_access_scheme = ngx.var.scheme
  ngx.var.best_http_host = ngx.var.http_host or ngx.var.host
  if config.use_forwarded_headers then
    -- trust http_x_forwarded_proto headers correctly indicate ssl offloading
    if ngx.var.http_x_forwarded_proto then
      ngx.var.pass_access_scheme = ngx.var.http_x_forwarded_proto
    end
    if ngx.var.http_x_forwarded_port then
      ngx.var.pass_server_port = ngx.var.http_x_forwarded_port
    end
    -- Obtain best http host
    if ngx.var.http_x_forwarded_host then
      ngx.var.best_http_host = parse_x_forwarded_host()
    end
  end
...........
关联的渲染后的 Nginx conf 如下:
[[文件:Ingress-nginx-configuration-snippet.png|替代=Ingress-nginx-configuration-snippet|无框|800x800像素]]
[[文件:Ingress-Nginx-raw-snippet.png|替代=Ingress-Nginx-raw-snippet|无框|800x800像素]]


=== Lua 相关 ===
=== Lua 相关 ===
第9行: 第62行:




-- TO DO --
[[分类:Ingress]]
[[分类:Ingress]]
[[分类:K8s]]
[[分类:K8s]]

2024年7月4日 (四) 14:53的最新版本

Ingress nginx annotation doc

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

UseForwardedHeaders (configmap配置键: use-forwarded-headers, default: false)

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers

  • If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers.
  • If false, NGINX ignores incoming X-Forwarded-* headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets.

当 use_forwarded_headers 开启后, x-forwarded-protox-forwarded-portx-forwarded-host header将会被传递到后端。

且由于 rewrite_by_lua_block 是在 ngx_http_rewrite_module 之后运行的(set 指令位于ngx_http_rewrite_module),所以我们可以结合 Ingress-Nginx 的 annotation 实现对 hosts 字段的修改

例如在ingress cr中利用以下的 annotation,这样假设到 ingress 中的请求,带有 Name 为 realdomain 的 cookie,那么该请求的 hostsx-forwarded-host 就会被改写为 realdomain 相应的值,然后再转发给相应的 Backend

annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($cookie_realdomain != "") {
        set $http_x_forwarded_host $cookie_realdomain;
      }

以下以 ingress-nginx-controller v0.49.3版本为例:

Ingress-Nginx 中 Lua 关联实现如下:

-- rewrite gets called in every location context.
-- This is where we do variable assignments to be used in subsequent
-- phases or redirection
function _M.rewrite(location_config)
  ngx.var.pass_access_scheme = ngx.var.scheme

  ngx.var.best_http_host = ngx.var.http_host or ngx.var.host

  if config.use_forwarded_headers then
    -- trust http_x_forwarded_proto headers correctly indicate ssl offloading
    if ngx.var.http_x_forwarded_proto then
      ngx.var.pass_access_scheme = ngx.var.http_x_forwarded_proto
    end

    if ngx.var.http_x_forwarded_port then
      ngx.var.pass_server_port = ngx.var.http_x_forwarded_port
    end

    -- Obtain best http host
    if ngx.var.http_x_forwarded_host then
      ngx.var.best_http_host = parse_x_forwarded_host()
    end
  end
...........


关联的渲染后的 Nginx conf 如下:

Ingress-nginx-configuration-snippet

Ingress-Nginx-raw-snippet

Lua 相关

nginx 原生是不支持Lua的, Ingress nginx能用lua是因为引用了 openresty/lua-nginx-module

需要特别注意的是 rewrite_by_lua_block always runs after the standard ngx_http_rewrite_module.