Kubernetes Helm Orangehrm HTTPS - Bad Request
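I'm a bit new to Kubernetes, so sorry if what I'm asking is really stupid.
I've been trying to install orangehrm with helm. There's actually no major problem and http works fine, but when I try to access it via the https URL it shows a Bad Request error.
I installed it and modified the value.yaml database configuration as well as the user and password for login. The rest is the same as in the GitHub repository. The secrets and login are in my Kubernetes configuration, separate from this value.yaml file, because the secrets didn't work.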
image:
  registry: docker.io
  repository: bitnami/orangehrm
  tag: 4.3.1-0-debian-9-r8
  pullPolicy: IfNotPresent
orangehrmUsername: admin
orangehrmPassword: admin
externalDatabase:
  host: [REDACTED]
  user: [REDACTED]
  password: [REDACTED]
  database: [REDACTED]
mariadb:
  enabled: false
  replication:
    enabled: true
  db:
    name: orangehrm
    user: [REDACTED]
    password: [REDACTED]
  master:
    persistence:
      enabled: true
      accessMode: ReadWriteOnce
      size: 8Gi
service:
  type: NodePort
  port: 80
  httpsPort: 443
  nodePorts:
    http: ""
    https: ""
  externalTrafficPolicy: Cluster
persistence:
  enabled: true
  orangehrm:
    storageClass: slow
    accessMode: ReadWriteOnce
    size: 8Gi
  apache:
    storageClass: slow
    accesMod: ReadWriteOnce
    size: 16Gi
resources:
  requests:
    memory: 512Mi
    cpu: 300m
podAnnotations: {}
ingress:
  enabled: true
  certManager: false
  annotations:
    kubernetes.io/ingress.class: nginx
  hosts:
  - name: [REDACTED].com
    path: /
    tls: false
    tlsSecret: orangehrm-orangehrm
  secrets:
metrics:
  enabled: false
  image:
    registry: docker.io
    repository: lusotycoon/apache-exporter
    tag: v0.5.0
    pullPolicy: IfNotPresent
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9117"
Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port.
curl -v output
* About to connect() to orangehrm.[REDACTED].com port 443 (#0)
* Trying 192.168.20.250...
* Connected to orangehrm.[REDACTED].com ([REDACTED]) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=orangehrm.[REDACTED].com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
* start date: Jun 07 13:01:54 2019 GMT
* expire date: Jun 04 13:01:54 2029 GMT
* common name: orangehrm.[REDACTED].com
* issuer: O=[REDACTED],L=C.A.B.A.,ST=Buenos Aires,C=AR
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: orangehrm.[REDACTED].com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.15.8
< Date: Wed, 12 Jun 2019 13:49:43 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 362
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
</p>
</body></html>
* Connection #0 to host orangehrm.[REDACTED].com left intact
kubectl get -o yaml pods -l chart output:
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: "2019-06-12T13:41:42Z"
    generateName: orangehrm-orangehrm-76dfdf78f4-
    labels:
      app: orangehrm-orangehrm
      chart: orangehrm-4.1.0
      pod-template-hash: 76dfdf78f4
      release: orangehrm
    name: orangehrm-orangehrm-76dfdf78f4-hdnj9
    namespace: default
    ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: true
      controller: true
      kind: ReplicaSet
      name: orangehrm-orangehrm-76dfdf78f4
      uid: d02765de-8d17-11e9-88b3-00155d00973f
    resourceVersion: "19055796"
    selfLink: /api/v1/namespaces/default/pods/orangehrm-orangehrm-76dfdf78f4-hdnj9
    uid: d04480cd-8d17-11e9-88b3-00155d00973f
  spec:
    containers:
    - env:
      - name: ALLOW_EMPTY_PASSWORD
        value: "yes"
      - name: MARIADB_HOST
        value: 192.168.0.132
      - name: MARIADB_PORT_NUMBER
        value: "3306"
      - name: ORANGEHRM_DATABASE_NAME
        value: orangehrm
      - name: ORANGEHRM_DATABASE_USER
        value: orangehrm_user
      - name: ORANGEHRM_DATABASE_PASSWORD
        valueFrom:
          secretKeyRef:
            key: db-password
            name: orangehrm-externaldb
      - name: ORANGEHRM_USERNAME
        value: admin
      - name: ORANGEHRM_PASSWORD
        valueFrom:
          secretKeyRef:
            key: orangehrm-password
            name: orangehrm-orangehrm
      - name: SMTP_HOST
      - name: SMTP_PORT
      - name: SMTP_USER
      - name: SMTP_PASSWORD
        valueFrom:
          secretKeyRef:
            key: smtp-password
            name: orangehrm-orangehrm
      - name: SMTP_PROTOCOL
        value: none
      image: docker.io/bitnami/orangehrm:4.3.0-0
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 3
        httpGet:
          path: /symfony/web/index.php
          port: http
          scheme: HTTP
        initialDelaySeconds: 120
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      name: orangehrm-orangehrm
      ports:
      - containerPort: 80
        name: http
        protocol: TCP
      - containerPort: 443
        name: https
        protocol: TCP
      readinessProbe:
        failureThreshold: 3
        httpGet:
          path: /symfony/web/index.php
          port: http
          scheme: HTTP
        initialDelaySeconds: 30
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      resources:
        requests:
          cpu: 300m
          memory: 512Mi
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /bitnami/orangehrm
        name: orangehrm-data
      - mountPath: /bitnami/apache
        name: apache-data
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: default-token-r2gbm
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    hostAliases:
    - hostnames:
      - status.localhost
      ip: 127.0.0.1
    nodeName: l004
    priority: 0
    restartPolicy: Always
    schedulerName: default-scheduler
    securityContext: {}
    serviceAccount: default
    serviceAccountName: default
    terminationGracePeriodSeconds: 30
    tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    volumes:
    - name: orangehrm-data
      persistentVolumeClaim:
        claimName: orangehrm-orangehrm-orangehrm
    - name: apache-data
      persistentVolumeClaim:
        claimName: orangehrm-orangehrm-apache
    - name: default-token-r2gbm
      secret:
        defaultMode: 420
        secretName: default-token-r2gbm
  status:
    conditions:
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:41:49Z"
      status: "True"
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:42:52Z"
      status: "True"
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:42:52Z"
      status: "True"
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: "2019-06-12T13:41:42Z"
      status: "True"
      type: PodScheduled
    containerStatuses:
    - containerID: docker://725ddef8da29d353006996d95b248f4ee5cea0bed2542350fc7d63d4dfb0fecb
      image: bitnami/orangehrm:4.3.0-0
      imageID: docker-pullable://bitnami/orangehrm@sha256:2f0bd90d975a22c7a6237c6fd86c7939df856cf74edd8dcf839df440a5c62606
      lastState: {}
      name: orangehrm-orangehrm
      ready: true
      restartCount: 0
      state:
        running:
          startedAt: "2019-06-12T13:41:50Z"
    hostIP: 192.168.0.137
    phase: Running
    podIP: 10.40.0.65
    qosClass: Burstable
    startTime: "2019-06-12T13:41:49Z"
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
Pod startup logs
Welcome to the Bitnami orangehrm container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-orangehrm
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-orangehrm/issues
nami INFO Initializing apache
apache INFO ==> Patching httpoxy...
apache INFO ==> Configuring dummy certificates...
nami INFO apache successfully initialized
nami INFO Initializing php
nami INFO php successfully initialized
nami INFO Initializing mysql-client
nami INFO mysql-client successfully initialized
nami INFO Initializing libphp
nami INFO libphp successfully initialized
nami INFO Initializing orangehrm
orangeh INFO Configuring permissions
orangeh INFO Creating the database...
mysql-c INFO Trying to connect to MySQL server
mysql-c INFO Found MySQL server listening at 192.168.0.132:3306
mysql-c INFO MySQL server listening and working at 192.168.0.132:3306
orangeh INFO Preparing webserver environment...
orangeh INFO Passing wizard, please be patient
orangeh INFO Configuring SMTP...
orangeh INFO Setting OrangeHRM version...
orangeh INFO
orangeh INFO ########################################################################
orangeh INFO Installation parameters for orangehrm:
orangeh INFO Username: admin
orangeh INFO Password: **********
orangeh INFO Site URL: http://127.0.0.1/
orangeh INFO (Passwords are not shown for security reasons)
orangeh INFO ########################################################################
orangeh INFO
nami INFO orangehrm successfully initialized
I have an nginx load balancer, and the Ingress looks like this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  name: https
spec:
  rules:
  - host: orangehrm.[REDACTED].com
    http:
      paths:
      - backend:
          serviceName: orangehrm-orangehrm
          servicePort: 443
        path: /
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
  - hosts:
    - orangehrm.[REDACTED].com
    secretName: orangehrm-https
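As far as I can tell, you are terminating TLS at the Ingress controller, which then proxies upstream as HTTP, but on port 443; so you need to update the Ingress to say servicePort: 80 rather than :443
If you really want TLS all the way to the Pod, you will need to enable SSL passthrough or perhaps switch to use the HTTPS backend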
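The two fixes named in the answer, written out as alternative manifests for the Ingress shown in the question. This is an added example, not part of the original question or answer; it assumes the ingress-nginx controller, and orangehrm.example.com is a placeholder for the redacted host.

```yaml
# Option A: TLS terminates at the ingress controller, plain HTTP to the pod.
# The hop from controller to pod is unencrypted inside the cluster.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  rules:
  - host: orangehrm.example.com        # placeholder host
    http:
      paths:
      - path: /
        backend:
          serviceName: orangehrm-orangehrm
          servicePort: 80              # was 443, where Apache expects TLS
  tls:
  - hosts:
    - orangehrm.example.com
    secretName: orangehrm-https
---
# Option B (apply instead of A, not together): keep servicePort 443 and have
# the controller open a TLS connection to the pod. The pod log shows Apache
# running with dummy certificates, so this encrypts the hop but does not
# authenticate the backend unless upstream verification is also configured.
# SSL passthrough, the other route the answer mentions, skips the controller's
# TLS termination entirely, so clients would see the pod's own certificate.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: orangehrm.example.com        # placeholder host
    http:
      paths:
      - path: /
        backend:
          serviceName: orangehrm-orangehrm
          servicePort: 443
  tls:
  - hosts:
    - orangehrm.example.com
    secretName: orangehrm-https
```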