Ingress-nginx notes
Notes from third-line support
Ingress nginx annotation doc
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
UseForwardedHeaders (ConfigMap key: use-forwarded-headers, default: false)
- If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers.
- If false, NGINX ignores incoming `X-Forwarded-*` headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets.
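When use_forwarded_headers is enabled, the x-forwarded-proto, x-forwarded-port and x-forwarded-host headers are passed through to the backend.
Because rewrite_by_lua_block runs after ngx_http_rewrite_module, we can combine it with an Ingress-Nginx annotation to modify the Host field.
For example, put the following annotation in the Ingress CR. If a request arriving at the ingress carries a cookie named realdomain, the request's Host and x-forwarded-host are rewritten to the value of realdomain before the request is forwarded to the corresponding Backend.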
```yaml
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
    if ($cookie_realdomain != "") {
      set $http_x_forwarded_host $cookie_realdomain;
    }
```
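The annotation above copies a client-supplied cookie into the forwarded host without any check. The manifest below is an added example (not from the original notes or the ingress-nginx project) that accepts the cookie only when it matches a fixed allowlist; the Ingress name, the Service name and the hostnames under `example.com` are constructed placeholders.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: realdomain-demo            # placeholder name
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # Cookies are attacker-controllable input: only rewrite the
      # forwarded host when the value is one of the expected names.
      # The regex is anchored at both ends, so suffixes such as
      # "app.example.com.evil.test" do not match.
      if ($cookie_realdomain ~ "^(app|admin)\.example\.com$") {
        set $http_x_forwarded_host $cookie_realdomain;
      }
      # Any other cookie value is ignored and the request keeps the
      # host that the controller derived on its own.
spec:
  ingressClassName: nginx
  rules:
    - host: gateway.example.com    # placeholder front-door hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-backend # placeholder Service
                port:
                  number: 80
```

As described above, the rewritten value only reaches the backend when `use-forwarded-headers` is true, and ingress-nginx only honours `configuration-snippet` when the controller's `allow-snippet-annotations` ConfigMap key is enabled.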
The related Lua implementation in Ingress-Nginx is as follows:
```lua
-- rewrite gets called in every location context.
-- This is where we do variable assignments to be used in subsequent
-- phases or redirection
function _M.rewrite(location_config)
  ngx.var.pass_access_scheme = ngx.var.scheme

  ngx.var.best_http_host = ngx.var.http_host or ngx.var.host

  if config.use_forwarded_headers then
    -- trust http_x_forwarded_proto headers correctly indicate ssl offloading
    if ngx.var.http_x_forwarded_proto then
      ngx.var.pass_access_scheme = ngx.var.http_x_forwarded_proto
    end

    if ngx.var.http_x_forwarded_port then
      ngx.var.pass_server_port = ngx.var.http_x_forwarded_port
    end

    -- Obtain best http host
    if ngx.var.http_x_forwarded_host then
      ngx.var.best_http_host = parse_x_forwarded_host()
    end
  end
  -- ...........
```
The related rendered Nginx conf is as follows:
About Lua
Stock nginx does not support Lua; Ingress nginx can use Lua because it includes openresty/lua-nginx-module.
Note in particular that rewrite_by_lua_block always runs after the standard ngx_http_rewrite_module.