

Configuring TLS on the k8s nginx ingress

Published 2025/6/17 22, by 豆豆

Without any extra nginx configuration, the k8s nginx ingress controller only negotiates TLS 1.2 by default; TLS 1.0 and TLS 1.1 are not supported. (This post follows the May 2018 docs quoted below; current ingress-nginx releases default to TLSv1.2 and TLSv1.3, and the procedure is the same.)

The default nginx-config (in some installs the ConfigMap is called nginx-configuration) looks like this:

apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

Looking at the official docs: to support TLS 1.0 and TLS 1.1 you change nginx-config and then restart the container. Keep in mind that this ConfigMap is controller-wide, so the change lowers the TLS baseline for every host the ingress serves, and TLS 1.0/1.1 are formally deprecated (RFC 8996); enable them only while legacy clients genuinely need them and plan to remove the setting again.

To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.

The default configuration, though secure, does not support some older browsers and operating systems. For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May 2018, approximately 15% of Android devices are not compatible with nginx-ingress's default configuration. To change this default behavior, use a ConfigMap. A sample ConfigMap fragment to allow these older clients to connect could look something like the following:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

To avoid wiping out your existing settings, do not copy this YAML verbatim over your own ConfigMap!!!

Just add the ssl-ciphers and ssl-protocols keys to the configuration you already have:

apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-ciphers: >-
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

After adding the keys, restart the nginx-ingress container (the controller pods).

Verify; each command should get a normal response. Note that in curl 7.54 and later `--tlsv1.0`, `--tlsv1.1` and `--tlsv1.2` only set the *minimum* version, so `curl --tlsv1.0` can silently negotiate TLS 1.2 and report success even while TLS 1.0 is still disabled on the ingress. Pin the maximum as well so that each command exercises exactly one version:

$ curl -v --tlsv1.0 --tls-max 1.0 https://test.com
$ curl -v --tlsv1.1 --tls-max 1.1 https://test.com
$ curl -v --tlsv1.2 --tls-max 1.2 https://test.com

If the TLS 1.0 or 1.1 handshake fails, also check the `-v` output for a client-side refusal: a curl built against OpenSSL 3 with the distribution's default security level may decline those versions regardless of what the server offers.
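The steps above (add the two keys without clobbering the rest of the ConfigMap, restart the controller, probe each TLS version) as one script. This is an added example written for this edit, not code from the original post or from the ingress-nginx project. It assumes, as in the YAML above, that the ConfigMap is nginx-configuration in kube-system; it further assumes the controller pods carry the label app=ingress-nginx (the page only shows that label on the ConfigMap), that kubectl has access to the cluster, and that curl is 7.54 or newer so --tls-max is available. All of those can be overridden through environment variables.

```shell
#!/bin/sh
# Added example for this edit; not code from the original post or from ingress-nginx.
# Assumed (not on the page): ConfigMap nginx-configuration in kube-system,
# controller pods labelled app=ingress-nginx, kubectl with cluster access,
# curl >= 7.54 (for --tls-max). Override any of these via environment variables.
set -eu

CM_NAME=${CM_NAME:-nginx-configuration}
CM_NS=${CM_NS:-kube-system}
POD_SELECTOR=${POD_SELECTOR:-app=ingress-nginx}   # assumed pod label
CURL_OPTS=${CURL_OPTS:-}                          # e.g. -k for a self-signed cert

# Cipher list from the ingress-nginx legacy-TLS docs quoted in the post.
LEGACY_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

# JSON merge patch carrying only the two TLS keys. `kubectl patch --type merge`
# adds or overwrites exactly these and leaves every other key in the ConfigMap
# untouched, which is why it is safer than re-applying a YAML copied from a doc.
tls_merge_patch() {   # tls_merge_patch "<ssl-protocols>" "<ssl-ciphers>"
  printf '{"data":{"ssl-protocols":"%s","ssl-ciphers":"%s"}}\n' "$1" "$2"
}

# Translate an nginx ssl-protocols value ("TLSv1 TLSv1.1 TLSv1.2") into the
# version numbers curl's --tlsv1.x / --tls-max flags take ("1.0 1.1 1.2").
curl_versions() {
  out=""
  for p in $1; do
    case $p in
      TLSv1)   v=1.0 ;;
      TLSv1.1) v=1.1 ;;
      TLSv1.2) v=1.2 ;;
      TLSv1.3) v=1.3 ;;
      *) echo "unsupported protocol token: $p" >&2; return 1 ;;
    esac
    out="${out:+$out }$v"
  done
  printf '%s\n' "$out"
}

# Probe exactly one TLS version. --tlsv1.x alone is only a *minimum*, so curl
# would negotiate TLS 1.2 and report success even with TLS 1.0 disabled on the
# server; pinning --tls-max to the same value makes the handshake use that
# version or fail. A failure can also mean the local curl/TLS library refuses
# the old version (common with OpenSSL 3 defaults): check `curl -v` if in doubt.
probe_tls() {   # probe_tls https://host 1.0  ->  "1.0 enabled" | "1.0 disabled"
  if curl -sS -o /dev/null $CURL_OPTS "--tlsv$2" --tls-max "$2" "$1" 2>/dev/null; then
    echo "$2 enabled"
  else
    echo "$2 disabled"
  fi
}

apply_and_restart() {   # apply_and_restart "TLSv1 TLSv1.1 TLSv1.2"
  kubectl -n "$CM_NS" patch configmap "$CM_NAME" --type merge \
    -p "$(tls_merge_patch "$1" "$LEGACY_CIPHERS")"
  # The post restarts the controller after the change; deleting the pods lets
  # their Deployment/DaemonSet recreate them with the new configuration.
  kubectl -n "$CM_NS" delete pod -l "$POD_SELECTOR"
  kubectl -n "$CM_NS" wait --for=condition=Ready pod -l "$POD_SELECTOR" --timeout=120s
}

verify() {   # verify https://test.com "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
  for v in $(curl_versions "$2"); do
    probe_tls "$1" "$v"
  done
}

main() {
  case ${1:-} in
    apply)  apply_and_restart "${2:-TLSv1 TLSv1.1 TLSv1.2}" ;;
    verify) verify "${2:?usage: verify https://host [ssl-protocols]}" "${3:-TLSv1 TLSv1.1 TLSv1.2 TLSv1.3}" ;;
    *) echo "usage: $0 apply [ssl-protocols] | verify https://host [ssl-protocols]" >&2; return 2 ;;
  esac
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Typical use is `./tls.sh apply` followed by `./tls.sh verify https://test.com`, which should print 1.0, 1.1 and 1.2 as enabled; running `./tls.sh verify https://test.com` before the patch is a useful baseline, since 1.0 and 1.1 should then show as disabled. When the legacy clients are gone, `./tls.sh apply "TLSv1.2 TLSv1.3"` puts the protocol list back to the modern default through the same merge patch (the ssl-ciphers key keeps the legacy list; delete it from the ConfigMap to return to the controller's default ciphers).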

Below is the response of a successful access: [screenshot not preserved in this copy]

Below is the error response: [screenshot not preserved in this copy]

Reference: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls

Reprinted from: https://www.cnblogs.com/lyc94620/p/11345124.html
