Can HTTP be made to work with Azure Front Door, AKS and Traefik

Published 2025-02-11 02:45:08, 3654 characters, 1 view, 0 comments


I'm trying to set up Azure Front Door Premium in front of an AKS cluster with Traefik 2.5.3 as an ingress controller.

This is the relevant configuration in AFD:
[screenshot of the AFD origin configuration; image not included in this extract]

I've got the following IngressRoutes and Certificate set up in AKS:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-domain-web
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`my-domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-domain
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`my-domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    secretName: my-domain-com-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-domain-com-cert
spec:
  commonName: my-domain.com
  secretName: my-domain-com-cert
  dnsNames:
    - my-domain.com
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer

Requesting over HTTP works:

> curl http://my-domain.com
Hostname: whoami-84d974bbd6-ff77m
IP: 127.0.0.1
IP: ::1
IP: 10.9.0.56
IP: fe80::4467:5bff:fee0:731b
RemoteAddr: 10.9.1.106:58076
GET / HTTP/1.1
Host: my-domain.com
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
Via: 1.1 Azure
X-Azure-Clientip: <redacted>
X-Azure-Fdid: <redacted>
X-Azure-Ref: <redacted>
X-Azure-Requestchain: hops=1
X-Azure-Socketip: <redacted>
X-Forwarded-For: 10.9.0.4
X-Forwarded-Host: my-domain.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-6f49dccb4b-kv5c7
X-Real-Ip: 10.9.0.4

But requesting over HTTPS doesn't work:

> curl https://my-domain.com
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta content='text/html; charset=utf-8' http-equiv='content-type'/><style type='text/css'>body {font-family:Arial; margin-left:40px; }img  { border:0 none; }#content { margin-left: auto; margin-right: auto }#message h2 { font-size: 20px; font-weight: normal; color: #000000; margin: 34px 0px 0px 0px }#message p  { font-size: 13px; color: #000000; margin: 7px 0px 0px0px}#errorref { font-size: 11px; color: #737373; margin-top: 41px }</style><title>Service unavailable</title></head><body><div id='content'><div id='message'><h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p></div><div id='errorref'><span>0ksK6YgAAAADgd38yzqpIQasLDS0yNDFmYTUxODMyMjk=</span></div></div></body></html>%

In the Traefik logs I can see the following:

time="2022-06-28T09:05:22Z" level=debug msg="Serving default certificate for request: \"\""
time="2022-06-28T09:05:22Z" level=debug msg="http: TLS handshake error from 10.9.0.4:20734: EOF"

Here are the diagnostic logs from Azure Front Door:
[screenshot of the Azure Front Door diagnostic logs; image not included in this extract]

I can't really figure out what the issue is... Could it be that the host header isn't propagated correctly so that Traefik doesn't know how to route it? I have enabled access logs in Traefik, but they don't log anything (I guess the request never reaches that far).

EDIT:
Turns out it's related to Traefik serving the request using the default self-signed (invalid) Traefik cert.

I can get around this by setting a valid default cert in Traefik (using a TLSStore CRD), and disabling "Certificate subject name validation". I'm not sure what subject name is expected, but it isn't my-domain.com since that's what the cert contains.
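The Traefik debug line `Serving default certificate for request: ""` means the TLS ClientHello that reached Traefik carried no server name, so none of the IngressRoute certificates matched and Traefik fell back to its built-in self-signed certificate, which Front Door then refused. The workaround the edit describes is to make that fallback a valid certificate. Below is one way to do that with the TLSStore CRD; this is an added example, not the poster's own manifest. The TLSStore kind and `spec.defaultCertificate.secretName` field exist in Traefik 2.x; the `traefik` namespace is an assumption and must match wherever the `my-domain-com-cert` secret actually lives.

```yaml
# Added example (not from the original post): make the cert-manager issued
# certificate Traefik's default, so a TLS handshake with no (or an unknown)
# SNI gets a valid certificate instead of the self-signed fallback.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  # Traefik 2.x only honours the TLSStore named "default".
  name: default
  # Assumed namespace; the secret below is read from this namespace.
  namespace: traefik
spec:
  defaultCertificate:
    # Same secret the Certificate resource in the question writes to.
    secretName: my-domain-com-cert
```

Keep the `tls.secretName` on the `websecure` IngressRoute as in the question: that still serves the certificate for handshakes that do send `my-domain.com` as SNI, while the TLSStore only covers the case where the server name is empty or unmatched. On the second half of the workaround, disabling Front Door's certificate subject name validation removes the check that the origin's certificate matches the hostname Front Door connects to, so anything able to intercept traffic between Front Door and the origin could present its own certificate unchallenged. The safer end state is to find out which hostname Front Door uses for the origin connection (visible in the origin settings and in the AFD diagnostic logs), make sure the certificate Traefik serves covers that name, and leave validation enabled.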
