Load-Balancing

Cloud Load Balancing HTTPS redirect does not work for a specific host

  • September 16, 2020

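In my load balancer I have 6 hosts, and the HTTPS redirect works perfectly on all of them except one. I tried every possible configuration and read all the documentation Google provides (concepts, how-to guides, reference), for example https://cloud.google.com/load-balancing/docs/https/setting-up-http-https-redirect#setting_up_the_http_load_balancer, to no avail…

What is driving me crazy is that in the same url-map there is a host whose HTTPS redirect works 100%, and it is an "identical" copy of the host that does not work. Here is my url-map with the two hosts isolated: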

defaultUrlRedirect:
 httpsRedirect: true
 redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
 stripQuery: false

hostRules:
- hosts:
  # I'm not using an actual record for this particular host, the following two are real
  - app.rocketseat.dev
  pathMatcher: path-matcher-staging
- hosts:
  - app.rocketseat.com.br
  pathMatcher: path-matcher-production
- hosts:
  - umbriel.rocketseat.dev
  pathMatcher: path-matcher-umbriel


pathMatchers:
- defaultService: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/student-client-staging
  name: path-matcher-staging
  pathRules:
  - paths:
    - /api/*
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendServices/app-staging
  - paths:
    - /*
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/student-client-staging
  - paths:
    - /admin
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /index.html
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/admin-client-staging
  - paths:
    - /admin/*
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/admin-client-staging
  - paths:
    - /h
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /index.html
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/hubble-client-staging
  - paths:
    - /h/*
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/hubble-client-staging
  - paths:
    - /favicon.ico
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /favicon.png
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/student-client-staging

- defaultService: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/student-client
  name: path-matcher-production
  pathRules:
  - paths:
    - /api/*
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendServices/app
  - paths:
    - /*
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/student-client
  - paths:
    - /admin
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /index.html
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/admin-client
  - paths:
    - /admin/*
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/admin-client
  - paths:
    - /h
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /index.html
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/hubble-client
  - paths:
    - /h/*
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/hubble-client
  - paths:
    - /favicon.ico
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /favicon.png
    service: https://www.googleapis.com/compute/v1/projects/my-project-id/global/backendBuckets/student-client

http://app.rocketseat.dev/api/hello returns:

{
 "jsonPayload": {
   "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
   "statusDetails": "response_sent_by_backend"
 },
 "resource": {
   "type": "http_load_balancer",
   "labels": {
     "backend_service_name": "app-staging",
     "forwarding_rule_name": "app-forwarding-rule-2",
     "target_proxy_name": "app-target-https-proxy",
     "url_map_name": "app-url-map"
   }
 },
 "severity": "INFO"
}

http://app.rocketseat.com.br/api/hello returns:

{
 "jsonPayload": {
   "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
   "statusDetails": "response_sent_by_backend"
 },
 "resource": {
   "type": "http_load_balancer",
   "labels": {
     "backend_service_name": "app",
     "forwarding_rule_name": "app-forwarding-rule",
     "target_proxy_name": "app-target-http-proxy",
     "url_map_name": "app-url-map"
   }
 },
 "severity": "INFO"
}

I thought maybe the backend service/bucket configurations might differ, but they are identical too.


Additional output:

# gcloud compute url-maps describe app-http-url-map

defaultUrlRedirect:
 httpsRedirect: true
 redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
kind: compute#urlMap
name: app-http-url-map
selfLink: https://www.googleapis.com/compute/v1/projects/my-project-id/global/urlMaps/app-http-url-map

---
# gcloud compute target-http-proxies describe app-target-http-proxy

kind: compute#targetHttpProxy
name: app-target-http-proxy
selfLink: https://www.googleapis.com/compute/v1/projects/my-project-id/global/targetHttpProxies/app-target-http-proxy
urlMap: https://www.googleapis.com/compute/v1/projects/my-project-id/global/urlMaps/app-url-map

---
# gcloud compute target-https-proxies describe app-target-https-proxy

kind: compute#targetHttpsProxy
name: app-target-https-proxy
quicOverride: NONE
selfLink: https://www.googleapis.com/compute/v1/projects/my-project-id/global/targetHttpsProxies/app-target-https-proxy
sslCertificates:
- https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/xesque
- https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/europa
- https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/umbriel
- https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/flexbalancer
- https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/dev
- https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/app
urlMap: https://www.googleapis.com/compute/v1/projects/my-project-id/global/urlMaps/app-url-map

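I eventually realized that the problem was not with the hosts themselves, but that the HTTPS redirect in my URL map only worked for domains from Google Domains. I tried migrating the remaining domains to the same DNS provider/service (Google Cloud DNS), but the redirect still did not work. Some kind of lower-level HTTP redirect, or maybe an integration between GCP and Google Domains? I don't know, I have never seen anything like it.

I tried following the HTTP-to-HTTPS redirect example again. Again, it does not work; if you follow the example, you always get a 404 error when visiting the HTTP URL.

However, if you add a host rule with a path matcher to the URL map: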

defaultUrlRedirect:
  httpsRedirect: true
  redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
  stripQuery: false
hostRules:
- hosts:
  - '*'
  pathMatcher: path-matcher-wildcard
kind: compute#urlMap
name: app-http-url-map
pathMatchers:
- defaultUrlRedirect:
    httpsRedirect: true
    redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
    stripQuery: false
  name: path-matcher-wildcard
selfLink: https://www.googleapis.com/compute/v1/projects/my-project-id/global/urlMaps/app-http-url-map

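All your traffic will be redirected to HTTPS. :)

Based on the information you provided and similar cases, you probably configured a single URL map for the HTTP-to-HTTPS redirect. However, you need to create an HTTP URL map whose sole purpose is to redirect traffic to the HTTPS URL map where you configure your hostRules and pathMatchers.

In this example, "web-map-http" is used only to redirect HTTP traffic to the HTTPS URL map "web-map-https", and "web-map-https" is where you configure the hostRules and pathMatchers.

The Cloud Console should show two load balancers.

Creating one URL map for both the HTTP-to-HTTPS redirect and the host rules might work, but it is not the recommended way.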
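
The separation described in the answer above can be checked mechanically: every target HTTP proxy should reference a URL map that only redirects and never routes to a backend. The following is an added example, not part of the original posts; its data is constructed and trimmed from the `describe` output quoted on this page, `redirect-only-proxy` is a hypothetical name, and only `service`/`defaultService` routes are inspected.

```python
# Added example; trimmed data constructed from the `describe` output on this page.
API = "https://www.googleapis.com/compute/v1/projects/my-project-id/global/"

URL_MAPS = {
    "app-url-map": {
        "defaultUrlRedirect": {"httpsRedirect": True},
        "hostRules": [{"hosts": ["app.rocketseat.com.br"],
                       "pathMatcher": "path-matcher-production"}],
        "pathMatchers": [{
            "name": "path-matcher-production",
            "defaultService": API + "backendBuckets/student-client",
            "pathRules": [{"paths": ["/api/*"],
                           "service": API + "backendServices/app"}],
        }],
    },
    "app-http-url-map": {"defaultUrlRedirect": {"httpsRedirect": True}},
}
HTTP_PROXIES = [
    {"name": "app-target-http-proxy", "urlMap": API + "urlMaps/app-url-map"},
    # Hypothetical corrected proxy, not from the page.
    {"name": "redirect-only-proxy", "urlMap": API + "urlMaps/app-http-url-map"},
]

def short(link):
    """Return the resource name at the end of a selfLink-style URL."""
    return link.rsplit("/", 1)[-1]

def backend_routes(url_map):
    """List (host, path, backend) routes that serve content instead of redirecting."""
    matchers = {pm["name"]: pm for pm in url_map.get("pathMatchers", [])}
    routes = []
    if "defaultService" in url_map:
        routes.append(("*", "*", short(url_map["defaultService"])))
    for rule in url_map.get("hostRules", []):
        pm = matchers[rule["pathMatcher"]]
        for host in rule["hosts"]:
            if "defaultService" in pm:
                routes.append((host, "*", short(pm["defaultService"])))
            for pr in pm.get("pathRules", []):
                if "service" in pr:
                    routes += [(host, p, short(pr["service"])) for p in pr["paths"]]
    return routes

def audit(proxies, url_maps):
    """Map each HTTP proxy name to the plain-HTTP routes that reach a backend."""
    return {p["name"]: backend_routes(url_maps[short(p["urlMap"])]) for p in proxies}

if __name__ == "__main__":
    for name, routes in audit(HTTP_PROXIES, URL_MAPS).items():
        print(name, "OK: redirect only" if not routes else routes)
```

A matched host rule takes precedence over the map-level `defaultUrlRedirect`, so any route reported for an HTTP proxy is content served without TLS.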

Source: https://serverfault.com/questions/1030788