Ingress-nginx notes: Difference between revisions
From 三线的随记
第3行: | 第3行: | ||
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ | https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ | ||
=== use-forwarded-headers === | === UseForwardedHeaders (configmap配置键: use-forwarded-headers, default: false) === | ||
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers | https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers | ||
If false, NGINX ignores incoming <code>X-Forwarded-*</code> headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets. | * If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers. | ||
* If false, NGINX ignores incoming <code>X-Forwarded-*</code> headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets. | |||
当 use_forwarded_headers 开启后, <code>x-forwarded-proto</code> 及 <code>x-forwarded-port</code> 及 <code>x-forwarded-host</code> header将会被传递到后端。 | |||
且由于 ''<code>rewrite_by_lua_block</code>'' 是在 <code>ngx_http_rewrite_module</code> 之后运行的,所以我们可以结合 Ingress-Nginx 的 annotation 实现对 hosts 字段的修改 | |||
例如在ingress cr中利用以下的 annotation,这样假设到 ingress 中的请求,带有 Name 为 realdomain 的 cookie,那么该请求的 <code>hosts</code> 及 <code>x-forwarded-host</code> 就会被改写为 realdomain 相应的值,然后再转发给相应的 Backend | |||
annotations: | |||
nginx.ingress.kubernetes.io/configuration-snippet: | | |||
if ($cookie_realdomain != "") { | |||
set $http_x_forwarded_host $cookie_realdomain; | |||
} | |||
Ingress-Nginx 中 Lua 关联实现如下: | |||
-- rewrite gets called in every location context. | |||
-- This is where we do variable assignments to be used in subsequent | |||
-- phases or redirection | |||
function _M.rewrite(location_config) | |||
ngx.var.pass_access_scheme = ngx.var.scheme | |||
ngx.var.best_http_host = ngx.var.http_host or ngx.var.host | |||
if config.use_forwarded_headers then | |||
-- trust http_x_forwarded_proto headers correctly indicate ssl offloading | |||
if ngx.var.http_x_forwarded_proto then | |||
ngx.var.pass_access_scheme = ngx.var.http_x_forwarded_proto | |||
end | |||
if ngx.var.http_x_forwarded_port then | |||
ngx.var.pass_server_port = ngx.var.http_x_forwarded_port | |||
end | |||
-- Obtain best http host | |||
if ngx.var.http_x_forwarded_host then | |||
ngx.var.best_http_host = parse_x_forwarded_host() | |||
end | |||
end | |||
........... | |||
关联的渲染后的 Nginx conf 如下: | |||
[[文件:Ingress-nginx-configuration-snippet.png|替代=Ingress-nginx-configuration-snippet|无框|800x800像素]] | |||
[[文件:Ingress-Nginx-raw-snippet.png|替代=Ingress-Nginx-raw-snippet|无框|800x800像素]] | |||
=== Lua 相关 === | === Lua 相关 === | ||
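Review bot: the added configuration-snippet copies the client-supplied realdomain cookie into $http_x_forwarded_host with only a non-empty check, so with use_forwarded_headers on, the quoted rewrite() passes whatever host the client names into best_http_host and on to the Backend. Replace the `!= ""` test with a match against an allow-list of the domains you expect, and state in the text that use-forwarded-headers is documented for NGINX sitting behind another L7 proxy that sets these headers. The added prose also writes `hosts` where the request header is `Host`.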
第12行: | 第53行: | ||
需要特别注意的是 ''<code>rewrite_by_lua_block</code>'' always runs ''after'' the standard ngx_http_rewrite_module. | 需要特别注意的是 ''<code>rewrite_by_lua_block</code>'' always runs ''after'' the standard ngx_http_rewrite_module. | ||
-- TO DO -- | -- TO DO -- | ||
[[分类:Ingress]] | [[分类:Ingress]] | ||
[[分类:K8s]] | [[分类:K8s]] |
Revision as of 14:46, 4 July 2024 (Thursday)
Ingress nginx annotation doc
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
UseForwardedHeaders (ConfigMap key: use-forwarded-headers, default: false)
- If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers.
- If false, NGINX ignores incoming `X-Forwarded-*` headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets.
When use_forwarded_headers is enabled, the `x-forwarded-proto`, `x-forwarded-port` and `x-forwarded-host` headers are passed to the backend.
Because `rewrite_by_lua_block` runs after `ngx_http_rewrite_module`, we can combine this with an Ingress-Nginx annotation to modify the `hosts` field.
For example, use the following annotation in the Ingress CR. If a request reaching the ingress carries a cookie named realdomain, the request's `hosts` and `x-forwarded-host` are rewritten to the value of realdomain before the request is forwarded to the corresponding Backend.
    annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |
        if ($cookie_realdomain != "") {
          set $http_x_forwarded_host $cookie_realdomain;
        }
The related Lua implementation in Ingress-Nginx is as follows:
    -- rewrite gets called in every location context.
    -- This is where we do variable assignments to be used in subsequent
    -- phases or redirection
    function _M.rewrite(location_config)
      ngx.var.pass_access_scheme = ngx.var.scheme

      ngx.var.best_http_host = ngx.var.http_host or ngx.var.host

      if config.use_forwarded_headers then
        -- trust http_x_forwarded_proto headers correctly indicate ssl offloading
        if ngx.var.http_x_forwarded_proto then
          ngx.var.pass_access_scheme = ngx.var.http_x_forwarded_proto
        end

        if ngx.var.http_x_forwarded_port then
          ngx.var.pass_server_port = ngx.var.http_x_forwarded_port
        end

        -- Obtain best http host
        if ngx.var.http_x_forwarded_host then
          ngx.var.best_http_host = parse_x_forwarded_host()
        end
      end
    ...........
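The realdomain cookie is chosen by the client, and with use-forwarded-headers enabled the Lua above turns X-Forwarded-Host into best_http_host. The following added example (not from the original page or the ingress-nginx project) restricts the same annotation to an allow-list. The ConfigMap name, namespace, Ingress name, Service name and all example.com hosts are assumptions.

```yaml
# Added example: every name and host below is a placeholder.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller   # assumed controller ConfigMap name
  namespace: ingress-nginx         # assumed namespace
data:
  # Needed for the use_forwarded_headers branch of rewrite() to run.
  # Per the documentation quoted above, this fits NGINX behind another
  # L7 proxy that sets the X-Forwarded-* headers.
  use-forwarded-headers: "true"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo                       # hypothetical
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # Accept the cookie only when it exactly matches a known host;
      # any other value leaves X-Forwarded-Host untouched.
      if ($cookie_realdomain ~ "^(app\.example\.com|shop\.example\.com)$") {
        set $http_x_forwarded_host $cookie_realdomain;
      }
spec:
  ingressClassName: nginx
  rules:
    - host: gateway.example.com    # hypothetical
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-svc     # hypothetical
                port:
                  number: 80
```

The anchors `^` and `$` matter here: without them a cookie value that merely contains an allowed host would pass the check.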
Lua notes
Stock nginx does not support Lua; Ingress nginx can use Lua because it includes openresty/lua-nginx-module.
Note in particular that `rewrite_by_lua_block` always runs after the standard ngx_http_rewrite_module.
-- TO DO --