我一直在Kubernetes集群上使用Traefik进行自动化https,并且运行良好!现在,我实际上想在Traefik级别禁用终止,只让后端处理https以及客户端证书身份验证。
目前,这是我的设置
配置文件
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/ssl/tls.crt"
KeyFile = "/ssl/tls.key"
这是我对Kubernetes的看法
apiVersion: v1
kind: Service
metadata:
name: backend-svc
spec:
ports:
- port: 80
targetPort: 80
selector:
app: backend
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: backend-ingress
annotations:
kubernetes.io/ingress.class: traefik
spec:
tls:
- secretName: tls-cert
rules:
- host: somewhere.com
http:
paths:
backend:
serviceName: backend-svc
servicePort: 80
在过去的三个月中,这为我提供了很好的服务,但是通过这种配置,我的后端无法在传入的请求中找到客户端证书。
通常,我从端口80重定向到443升级。现在,当我尝试直接进入443时,会出现内部服务器错误。当我尝试将其添加到入口注释中时 …