0 votes
428 views
in Technique by (71.8m points)

ssl - kubernetes + ingress controller + lets encrypt + block mixed content

Thanks for taking the time to read this.

I am testing a Kubernetes cluster in DigitalOcean.

I have installed an ingress controller with cert-manager and letsencrypt (I followed this guide https://cert-manager.io/docs/tutorials/acme/ingress/ ) and when I launch some deployment I have problems with the files that are not in the root (Blocked loading mixed active content).

To give a more concrete example, I'm trying to deploy the application bookstack; if I don't activate TLS, I see everything correctly.

On the other hand, if I activate TLS I see everything without CSS, and in the console I see that there are files that have been blocked by the browser.

On the other hand, if I do a port-forward I see it correctly ( http://localhost:8080/ ) -> note http and not https

I have done the test also with a wordpress, with the same problem: the main page is shown without the styles.

In this case, for wordpress there is a plugin that, if you get into the backend (browsing the page without CSS is a torture) and install it, solves the problem (this is the plugin https://es.wordpress.org/plugins/ssl-insecure-content-fixer/ ).

In the plugin I have to check "HTTP_X_FORWARDED_PROTO" to make it work.

But I'm realizing that it's a recurring problem, and I think there are concepts that are not clear to me, and I do not know very well what I have to do.

Here is an example of the ingress controller

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: bookstack
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # cert-manager.io/issuer: "letsencrypt-staging"
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - k1.athosnetwork.es
    secretName: tls-bookstack
  rules:
  - host: k1.athosnetwork.es
    http:
      paths:
      - path: /
        backend:
          serviceName: bookstack
          servicePort: 80

Thanks very much for your time

  asked by Athos Oc (translated from SO)
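The "concept that is not clear" in the question is where the http:// URLs come from. The nginx ingress terminates TLS and forwards plain HTTP to the pod, so an application that builds absolute URLs from the scheme of its own socket emits http://... links for its stylesheets, and the browser blocks them on an https page as mixed active content. The ingress tells the application the original scheme in the X-Forwarded-Proto header, which is exactly what the WordPress plugin's HTTP_X_FORWARDED_PROTO option reads. The script below is an added illustration of that behaviour, not code from the question, BookStack or WordPress: it builds an asset URL both the naive way and the proxy-aware way and checks whether the result would be mixed content. The pod CIDR 10.244.0.0/16, the peer addresses and the request headers are constructed sample data; only the hostname k1.athosnetwork.es comes from the question. The proxy-aware variant trusts the header only when the connection arrives from the ingress's network, since anything that reaches the pod directly could otherwise claim any scheme it likes.

```python
import ipaddress
from urllib.parse import urlunsplit

# Assumption (constructed for this example): the ingress controller's pods live in
# this CIDR, so X-Forwarded-* headers are trusted only on connections it makes.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.244.0.0/16")]

# Constructed request headers for the three situations described in the question.
VIA_INGRESS_TLS = {"Host": "k1.athosnetwork.es", "X-Forwarded-Proto": "https"}
VIA_PORT_FORWARD = {"Host": "localhost:8080"}
SPOOFED_DIRECT = {"Host": "k1.athosnetwork.es", "X-Forwarded-Proto": "https"}


def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer is one of the proxies allowed to set forwarding headers."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def naive_scheme(socket_scheme: str = "http") -> str:
    """What an app does when it ignores forwarding headers: the ingress terminated TLS
    and spoke plain HTTP to the pod, so the app concludes it is serving http."""
    return socket_scheme


def effective_scheme(headers: dict, peer_ip: str, socket_scheme: str = "http") -> str:
    """Scheme the browser actually used. Honour X-Forwarded-Proto, but only when the
    connection comes from a trusted proxy; otherwise fall back to the socket scheme."""
    if not is_trusted_proxy(peer_ip):
        return socket_scheme
    # With chained proxies the header may be a comma-separated list; the first entry
    # is the one set closest to the client.
    first = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    return first if first in ("http", "https") else socket_scheme


def asset_url(headers: dict, peer_ip: str, path: str, proxy_aware: bool = True) -> str:
    """Absolute URL the app would embed in its HTML for a stylesheet or script."""
    scheme = effective_scheme(headers, peer_ip) if proxy_aware else naive_scheme()
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return urlunsplit((scheme, host, path, "", ""))


def is_mixed_content(page_scheme: str, url: str) -> bool:
    """Browsers block 'active' mixed content: an http:// script or stylesheet on an https page."""
    return page_scheme == "https" and url.startswith("http://")


if __name__ == "__main__":
    css = "/dist/styles.css"
    broken = asset_url(VIA_INGRESS_TLS, "10.244.1.5", css, proxy_aware=False)
    fixed = asset_url(VIA_INGRESS_TLS, "10.244.1.5", css)
    print("naive app   :", broken, "-> blocked" if is_mixed_content("https", broken) else "-> ok")
    print("proxy-aware :", fixed, "-> blocked" if is_mixed_content("https", fixed) else "-> ok")
    print("port-forward:", asset_url(VIA_PORT_FORWARD, "127.0.0.1", css))
    print("spoofed header from outside the ingress:", asset_url(SPOOFED_DIRECT, "203.0.113.9", css))
```

The port-forward case shows why the page looks fine over http://localhost:8080: the page itself is http, so http:// assets are not mixed content at all. Behind the ingress the same naive URL builder produces http:// assets on an https page, which is the blocked-content situation in the question; honouring X-Forwarded-Proto from the ingress is what BookStack or WordPress must be configured to do.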

1 Reply

0 votes
by (71.8m points)

you can try the following approach for the same, it works fine.

  1. Install cert-manager from here, using helm chart based steps.

  2. Then follow this stackoverflow post, following this you will have to perform three steps as follows -

    a. apply the certificate yaml

    b. apply the clusterissuer yaml (try using cert-manager.io/v1alpha2 as the apiVersion, if the one mentioned in that post is not acceptable)

    c. Add the secret name, mentioned in the certificate, to the ingress rule under the TLS; this will make cert-manager perform an internal acme-challenge.

Once the acme challenge is completed successfully by cert-manager, then you can see

kubectl get certificate

The status of the certificate shall be ready.

And your host name will get encrypted via LetsEncrypt.

Note that cert-manager will create the TLS secret on its own, you have nothing to do with that, just place it in the ingress rule.
