Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
533 views
in Technique[技术] by (71.8m points)

ssl - kubernetes +入口控制器+让加密+阻止混合内容(kubernetes + ingress controller + lets encrypt + block mixed content)

Thanks for taking the time to read this.

(感谢您抽时间阅读。)

I am testing a cluster of kubernetes in digitalocean.

(我正在Digitalocean中测试Kubernetes集群。)

I have installed an ingress controler with cert-manager and letsencript (I followed this guide https://cert-manager.io/docs/tutorials/acme/ingress/ ) and when I launch some deployment I have problems with the files that are not in the root (Blocked loading mixed active content).

(我已经安装了带有cert-manager和letencript的入口控制程序(我遵循了本指南https://cert-manager.io/docs/tutorials/acme/ingress/ ),当我启动某些部署时,我的文件存在问题不在根目录中(阻止加载混合的活动内容)。)

To give a more concrete example, I'm trying to put the application bookstack, if I not active tls, I see everything correctly.

(举一个更具体的例子,我试图放置应用程序书架,如果我不活跃tls,我会正确地看到一切。)

On the other hand if I activate tls I see everything without css and in the console I see that there are files that have been blocked by the browser.

(另一方面,如果我激活tls,我会看到没有css的所有内容,并且在控制台中,我看到有些文件已被浏览器阻止。) 在此处输入图片说明

On the other hand if I do a port-forward I see it correctly ( http://localhost:8080/ ) -> note http and not https

(另一方面,如果我进行端口转发,则可以正确看到它( http:// localhost:8080 / )->注意http而不是https) 在此处输入图片说明

I have done the test also with a wordpress, with the same problem, the main page is seen without the styles.

(我也用wordpress做过测试,有同样的问题,看到的主页没有样式。)

In this case, for wordpress there is a plugin, that if you get into the backend (browsing the page without css is a torture) and install it solves the problem (this is the plugin https://es.wordpress.org/plugins/ssl-insecure-content-fixer/ ).

(在这种情况下,对于wordpress,有一个插件,如果您进入后端(浏览没有CSS的页面是一种折磨)并安装它可以解决问题(这是插件https://es.wordpress.org/plugins / ssl-insecure-content-fixer / )。)

On plugin i have to check "HTTP_X_FORWARDED_PROTO" to make it work.

(在插件上,我必须检查“ HTTP_X_FORWARDED_PROTO”以使其起作用。)

But I'm realizing that it's a recurring problem, and I think there are concepts that are not clear to me and I do not know very well what I have to do.

(但是我意识到这是一个反复出现的问题,我认为有些概念对我来说并不明确,我也不知道该怎么做。)

Here is an example of the ingress controller

(这是入口控制器的示例)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: bookstack
  annotations:
    kubernetes.io/ingress.class: "nginx"    
    # cert-manager.io/issuer: "letsencrypt-staging"
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - k1.athosnetwork.es
    secretName: tls-bookstack
  rules:
  - host: k1.athosnetwork.es
    http:
      paths:
      - path: /
        backend:
          serviceName: bookstack
          servicePort: 80

Thanks very much for your time

(非常感谢你花时间陪伴)

  ask by Athos Oc translate from so

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

you can try the following approach for the same, it works fine.

(您也可以尝试以下方法,效果很好。)

  1. Install cert-mananger from here , using helm chart based steps.

    (使用基于舵图的步骤从此处安装cert-mananger。)

  2. Then follow this stackoverflow post , following this you will have to perform three steps as follows -

    (然后按照以下stackoverflow帖子进行操作 ,之后您将必须执行以下三个步骤-)

a.

(一种。)

apply the certificate yaml b.

(申请证书yaml b。)

apply the clusterissuer yaml ( try using cert-manager.io/v1alpha2 as the apiVersion, if the one mentioned in that post is not acceptable) c.

(应用clusterissuer yaml(如果该文章中提到的内容不可接受,请尝试使用cert-manager.io/v1alpha2作为apiVersion)c。)

Add the secret name, mentioned in the certificate to the ingress rule, under the TLS, this will make the cert-manager to perform an internal acme-challenge.

(在TLS下,将证书中提到的秘密名称添加到入口规则中,这将使证书管理器执行内部攻击。)

Once the acme challenge is completed successfully by cert-manager , then you can see

(一旦cert-manager成功完成了acme挑战,那么您可以看到)

kubectl get certificate

The status of the certificate shall be ready.

(证书的状态应准备就绪。)

And your host name will get encrypted via LetsEncrypt.

(您的主机名将通过LetsEncrypt加密。)

Note that - cert-manager will create the TLS secret on its own, you have nothing to do with that, just place it in the ingress rule

(请注意-cert-manager将自行创建TLS机密,与您无关,只需将其放在入口规则中)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...