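Verifying the externalTrafficPolicy setting in k8s with nginx
Domain ---> 172.16.80.32 (reverse proxy that the domain resolves to) -----> nginx-pod1 (Local mode, simulates a front end proxying to nginx2-pod2) -----> nginx2-pod2 (Cluster mode, the actual back-end service)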
nginx log format
log_format main '"$remote_addr" "$remote_user" "$time_local" "$status" "$request" '
                '"$http_referer" "$body_bytes_sent" "$bytes_sent" "$connection" '
                '"$connection_requests" "$content_type" "$cookie_jsessionid" '
                '"$http_x_forwarded_for" "$limit_rate" "$proxy_add_x_forwarded_for" '
                '"$remote_port" "$request_body_file" "$request_filename" "$request_length" '
                '"$request_time" "$host" "-" "-" "$upstream_addr" '
                '"$upstream_response_time" "$args" "$http_user_agent" "$http_request_from" "$upstream_status"';
Log results:
Log of nginx-6dc9796684-zhvcx: the client IP is captured
Log of nginx2-755998b95f-fh26v: the pod IP of the nginx one layer in front is captured
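Added example, not from the original post: a Python parser for the log format above that reports the TCP peer a pod logged and the client address recoverable from X-Forwarded-For, believing that header only when the hop that supplied it is trusted. It assumes one record per line; the pod CIDR 10.244.0.0/16 and the sample log lines are constructed, and 172.16.80.32 is the page's reverse proxy.

```python
import ipaddress
import re

# Field order of the page's log_format; its two literal "-" fields are dash1/dash2.
FIELDS = ("remote_addr remote_user time_local status request http_referer "
          "body_bytes_sent bytes_sent connection connection_requests "
          "content_type cookie_jsessionid http_x_forwarded_for limit_rate "
          "proxy_add_x_forwarded_for remote_port request_body_file "
          "request_filename request_length request_time host dash1 dash2 "
          "upstream_addr upstream_response_time args http_user_agent "
          "http_request_from upstream_status").split()

# Assumptions: the page's reverse proxy plus a hypothetical pod CIDR.
TRUSTED = [ipaddress.ip_network(n) for n in ("172.16.80.32/32", "10.244.0.0/16")]

def parse(line):
    """Split one access-log line into a dict keyed by nginx variable name."""
    values = re.findall(r'"([^"]*)"', line)
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))

def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP address at all: never trusted
        return False
    return any(ip in net for net in TRUSTED)

def resolve_client(line):
    """Return (tcp_peer, client): read X-Forwarded-For right to left while the hop
    that supplied it is trusted; client is None if every hop is trusted."""
    rec = parse(line)
    xff = [h.strip() for h in rec["http_x_forwarded_for"].split(",")]
    hops = [rec["remote_addr"]] + [h for h in reversed(xff) if h not in ("", "-")]
    for hop in hops:
        if not is_trusted(hop):
            return rec["remote_addr"], hop
    return rec["remote_addr"], None

def sample(remote_addr, xff="-"):
    """Build a constructed log line in the page's format; other fields are '-'."""
    rec = dict.fromkeys(FIELDS, "-")
    rec.update(remote_addr=remote_addr, http_x_forwarded_for=xff)
    return " ".join(f'"{rec[k]}"' for k in FIELDS)

if __name__ == "__main__":  # front pod, back-end pod, forged header
    for a in (("172.16.80.32", "203.0.113.7"), ("10.244.1.15",), ("198.51.100.9", "10.244.1.15")):
        print(resolve_client(sample(*a)))
```

A result of `None` for the client means the log line records only in-cluster hops, which is the back-end pod case described above when no X-Forwarded-For header reaches it.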
Deployment
Simulated front-end nginx-svc (Local)
Simulated back-end nginx2-svc
Virtual host configuration file tmp.conf on nginx (172.16.80.32)
upstream tmp32653 {
    server 172.16.80.53:32653 weight=10 max_fails=3 fail_timeout=30s;
}
server {
    listen 80;
    listen 443 ssl;
    server_name tmp.shengydt.com;
    ssl_certificate /usr/local/nginx/cert/shengydt.com.pem;
    ssl_certificate_key /usr/local/nginx/cert/shengydt.com.key;
    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 1400;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Redirect plain HTTP requests to HTTPS
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
    # Set a fixed timestamp format in the logs: 2023-09-28 15:57:01
    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
        set $hour $4;
        set $minutes $5;
        set $seconds $6;
    }
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        # Appends this proxy's peer address to any X-Forwarded-For value received
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://tmp32653;
        proxy_set_header X-Forwarded-Proto $scheme;
        access_log /prod-meta-logs/nginx-logs/tmp.access.log json;
        error_log /prod-meta-logs/nginx-logs/tmp.error.log;
    }
}
From: https://www.cnblogs.com/zoujiaojiao/p/18083489