Comments (6)
k8s-ci-robot
commented on August 31, 2024
This issue is currently awaiting triage.
If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
from ingress-nginx.
strongjz
commented on August 31, 2024
Just checking the version of openssl
docker run -it registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a openssl version
OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024)
Can you output the nginx.conf and see how the directive for test.domain.com looks and what version of TLS is configured?
https://kubernetes.github.io/ingress-nginx/troubleshooting/#check-the-nginx-configuration
from ingress-nginx.
davidt-gh
commented on August 31, 2024
## start server test.domain.com
server {
server_name test.domain.com ;
http2 on;
listen 80 ;
listen [::]:80 ;
listen 443 ssl;
listen [::]:443 ssl;
set $proxy_upstream_name "-";
ssl_certificate_by_lua_block {
certificate.call()
}
location / {
set $namespace "default";
set $ingress_name "kuard";
set $service_name "kuard";
set $service_port "80";
set $location_path "/";
set $global_rate_limit_exceeding n;
rewrite_by_lua_block {
lua_ingress.rewrite({
force_ssl_redirect = false,
ssl_redirect = true,
force_no_ssl_redirect = false,
preserve_trailing_slash = false,
use_port_in_redirects = false,
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
})
balancer.rewrite()
plugins.run()
}
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
# other authentication method such as basic auth or external auth useless - all requests will be allowed.
#access_by_lua_block {
#}
header_filter_by_lua_block {
lua_ingress.header()
plugins.run()
}
body_filter_by_lua_block {
plugins.run()
}
log_by_lua_block {
balancer.log()
plugins.run()
}
port_in_redirect off;
set $balancer_ewma_score -1;
set $proxy_upstream_name "default-kuard-80";
set $proxy_host $proxy_upstream_name;
set $pass_access_scheme $scheme;
set $pass_server_port $server_port;
set $best_http_host $http_host;
set $pass_port $pass_server_port;
set $proxy_alternative_upstream_name "";
client_max_body_size 1m;
proxy_set_header Host $best_http_host;
# Pass the extracted client certificate to the backend
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Request-ID $req_id;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Forwarded-Scheme $pass_access_scheme;
proxy_set_header X-Scheme $pass_access_scheme;
# Pass the original X-Forwarded-For
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";
# Custom headers to proxied server
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 4k;
proxy_max_temp_file_size 1024m;
proxy_request_buffering on;
proxy_http_version 1.1;
proxy_cookie_domain off;
proxy_cookie_path off;
# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout;
proxy_next_upstream_timeout 0;
proxy_next_upstream_tries 3;
# Custom Response Headers
proxy_pass http://upstream_balancer;
proxy_redirect off;
}
}
## end server test.domain.com
Sure @strongjz
from ingress-nginx.
longwuyuan
commented on August 31, 2024
The information you providing is indicating only but not ample data for analyzing or reproducing problem in minikube or kind cluster.
If you look at the template of a new bug report, and edit your issue description here, to answer all the questions asked in the template of a new bug report, then it provides data that can be analyzed.
/kind support
/triage needs-information
from ingress-nginx.
davidt-gh
commented on August 31, 2024
my issue was in the full values file (which not provided here), I've added:
controller:
service:
targetPorts:
https: http
which cause all https to use http port.
Thank you for your time and good willing.
from ingress-nginx.
longwuyuan
commented on August 31, 2024
Thanks for updating. Glad resolved. The static manifest published by project for termnating on LB is different from the manifest for terminating on controller. If you see the diff, those port related values are truly the significant ones.
from ingress-nginx.
Related Issues (20)
- Docs: Update documentation of auth-tls-match-cn annotation to add possible check on all DN fields HOT 1
- When change svc type from ExternalName to ClusterIp, the route is still going to ExternalName。 HOT 2
- We are deploying one UI application to k8s. Deployment looks good and I am able to get the proper response after port-forwarding to the pod as well as to the service but getting 502 Bad Gateway after hitting the ingress. HOT 3
- proxy-read-timeout annotations getting ignored after v1.11.1 upgrade from 1.10.1 HOT 5
- proxy-next-upstream (including default on error and timeout) does not always pick a different upstream depending on load balancer and concurrent requests HOT 7
- Not enough Lua modules included HOT 4
- Support logging incoming requests HOT 3
- After Modified service targetPort, the targetPort not sync to cooresponing backend HOT 4
- Ingress session affinity HOT 7
- Unmentioned breaking change in 1.11 for GRPC HOT 2
- Turn off returning HTTP OK for /healthz endpoint during preStop hook to allow AWS NLB unhealthy draining HOT 9
- preStop hook should account for AWS NLB deregistration delay HOT 4
- Some metrics are not exposed HOT 7
- Re-add global-rate-limit feature HOT 3
- Sticky learn and Wildfly HOT 1
- disableLeaderElection code changes missing in nginx-ingress-controller-v1.10.4 HOT 4
- Version 1.11.2 not work on RKE HOT 3
- Pod IP Address/Name is not visible into ingress-nginx access-logs HOT 13
- Not able to use LUA script HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ingress-nginx.