Nginx

在從上游讀取響應標頭時,入口 nginx 上游未發送有效的 HTTP/1.0 標頭

  • June 3, 2020

我正在嘗試為我的命名空間中的服務設置一個 nginx 入口控制器。其中一個後端服務接受埠 80 上的 HTTP 流量,另一個僅接受埠 443 上的 HTTPS 流量。請參閱這兩個服務的描述

$ kubectl describe svc service-1 -n monit
Name:              service-1
Namespace:         monit
Labels:            app=service-1
Annotations:       <none>
Selector:          app=service-1
Type:              ClusterIP
IP:                10.104.185.173
Port:              https  443/TCP
TargetPort:        8443/TCP
Endpoints:         10.1.0.95:8443
Session Affinity:  None
Events:            <none>

$ kubectl describe svc service-2 -n monit
Name:              service-2
Namespace:         monit
Labels:            app=service-2
Annotations:       <none>
Selector:          app=service-2
Type:              ClusterIP
IP:                10.110.93.64
Port:              service  80/TCP
TargetPort:        3000/TCP
Endpoints:         10.1.0.87:3000
Session Affinity:  None
Events:            <none>

這是我的入口配置

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: ingress-monit
spec:
 rules:
 - host: service-2.localhost
   http:
     paths:
     - path: /
       backend:
         serviceName: service-2
         servicePort: 80
 - host: service-1.localhost
   http:
     paths:
     - path: /
       backend:
         serviceName: service-1
         servicePort: 443

當我查看 Nginx 配置時,一切正常

$ kubectl describe ingress ingress-monit -n monit                  
Name:             ingress-monit
Namespace:        monit
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
 Host                            Path  Backends
 ----                            ----  --------
 service-2.localhost               
                                 /   service-2:80 (10.1.0.87:3000)
 service-1.localhost  
                                 /   service-1:443 (10.1.0.95:8443)
Annotations:                      Events:
 Type                            Reason  Age   From                      Message
 ----                            ------  ----  ----                      -------
 Normal                          CREATE  31m   nginx-ingress-controller  Ingress monit/ingress-monit
 Normal                          UPDATE  30m   nginx-ingress-controller  Ingress monit/ingress-monit

現在的問題是我可以使用http://service-2.localhost/正確訪問我的 service-2,但我無法訪問 service-1。在 chrome 上訪問http://service-1.localhost/給了我

This site can’t be reachedThe webpage at https://service-1.localhost/ might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

當我查看 Nginx 日誌時,我看到:

$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-8crdm -f
-------------------------------------------------------------------------------
NGINX Ingress controller
 Release:       0.32.0
 Build:         git-446845114
 Repository:    https://github.com/kubernetes/ingress-nginx
 nginx version: nginx/1.17.10

-------------------------------------------------------------------------------
. . .
2020/06/02 22:56:47 [error] 2363#2363: *64928 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 192.168.65.3, server: service-1.localhost, request: "GET / HTTP/1.1", upstream: "http://10.1.0.95:8443/", host: "service-1.localhost"
192.168.65.3 - - [02/Jun/2020:22:58:13 +0000] "GET / HTTP/1.1" 200 7817 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 594 0.005 [monit-service-2-80] [] 10.1.0.87:3000 30520 0.005 200 2baefff713047b14a81643650cb50c4c

該錯誤似乎與 service-1 返回 bad response 相關upstream sent no valid HTTP/1.0 header while reading response header from upstream。問題是如果我使用kubectl proxy我可以正確訪問該服務!

有什麼想法可以讓我弄清楚真正的問題是什麼?

您將需要nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"通過 SSL 連接上游的 Ingress 上的註釋,因為預設情況下,入口控制器假定所有集群內上游都使用 HTTP

據我所知,您不能添加該註釋,rule:因此您必須為其創建第二個 Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: ingress-monit-service-1
 annotations:
   nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
 rules:
 - host: service-1.localhost
   http:
     paths:
     - path: /
       backend:
         serviceName: service-1
         servicePort: 443

引用自:https://serverfault.com/questions/1019778