Ingress-nginx随记
来自三线的随记
Ingress nginx annotation doc
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
UseForwardedHeaders (configmap配置键: use-forwarded-headers, default: false)
- If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers.
- If false, NGINX ignores incoming
X-Forwarded-*
headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets.
当 use_forwarded_headers 开启后, x-forwarded-proto
及 x-forwarded-port
及 x-forwarded-host
header将会被传递到后端。
且由于 rewrite_by_lua_block
是在 ngx_http_rewrite_module
之后运行的,所以我们可以结合 Ingress-Nginx 的 annotation 实现对 hosts 字段的修改
例如在ingress cr中利用以下的 annotation,这样假设到 ingress 中的请求,带有 Name 为 realdomain 的 cookie,那么该请求的 hosts
及 x-forwarded-host
就会被改写为 realdomain 相应的值,然后再转发给相应的 Backend
annotations: nginx.ingress.kubernetes.io/configuration-snippet: | if ($cookie_realdomain != "") { set $http_x_forwarded_host $cookie_realdomain; }
Ingress-Nginx 中 Lua 关联实现如下:
-- rewrite gets called in every location context. -- This is where we do variable assignments to be used in subsequent -- phases or redirection function _M.rewrite(location_config) ngx.var.pass_access_scheme = ngx.var.scheme ngx.var.best_http_host = ngx.var.http_host or ngx.var.host if config.use_forwarded_headers then -- trust http_x_forwarded_proto headers correctly indicate ssl offloading if ngx.var.http_x_forwarded_proto then ngx.var.pass_access_scheme = ngx.var.http_x_forwarded_proto end if ngx.var.http_x_forwarded_port then ngx.var.pass_server_port = ngx.var.http_x_forwarded_port end -- Obtain best http host if ngx.var.http_x_forwarded_host then ngx.var.best_http_host = parse_x_forwarded_host() end end ...........
关联的渲染后的 Nginx conf 如下:
Lua 相关
nginx 原生是不支持Lua的, Ingress nginx能用lua是因为引用了 openresty/lua-nginx-module
需要特别注意的是 rewrite_by_lua_block
always runs after the standard ngx_http_rewrite_module.