k8s nginx ingress 后面的 SignalR 在连接后立即断开连接
SignalR behind k8s nginx ingress disconnects immediately upon connection
这是我的 nginx 入口:
nginx.ingress.kubernetes.io/proxy-set-headers: xyz/proxy-headers
nginx.ingress.kubernetes.io/read-timeout: 3600
nginx.ingress.kubernetes.io/session-cookie-expires: 14400
nginx.ingress.kubernetes.io/ssl-protocols: TLSv1.3 TLSv1.2
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/configuration-snippet: if ($host = 'example.com' ) {
rewrite ^ https://www.example
.com$request_uri permanent;
}
nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
nginx.ingress.kubernetes.io/force-ssl-redirect: true
nginx.ingress.kubernetes.io/proxy-body-size: 8m
nginx.ingress.kubernetes.io/proxy-send-timeout: 3600
nginx.ingress.kubernetes.io/server-alias: example.com
nginx.ingress.kubernetes.io/session-cookie-max-age: 14400
nginx.ingress.kubernetes.io/session-cookie-name: affinity
...
}
这是代理 headers:
apiVersion: v1
kind: ConfigMap
metadata:
name: proxy-headers
namespace: xyz
data:
X-Content-Type-Options: "nosniff"
X-XSS-Protection: "1; mode=block"
Referrer-Policy: "no-referrer-when-downgrade"
Feature-Policy: "notifications 'self'; usemedia *;gyroscope: 'none'"
直接连接时,websocket没问题。当它在 nginx 后面时,我得到以下信息:
main.5f9ab0903b48ce06734b.js:6 [2020-04-20T18:54:39.190Z] Information: Connection disconnected.
main.5f9ab0903b48ce06734b.js:6 Could not connect Error: Cannot send data if the connection is not in the 'Connected' State.
main.5f9ab0903b48ce06734b.js:6 ERROR Error: Uncaught (in promise): [object Undefined]
at _ (polyfills.d1de8a43b27b04443379.js:1)
at t.handshakeRejecter (polyfills.d1de8a43b27b04443379.js:1)
at t.connectionClosed (main.5f9ab0903b48ce06734b.js:6)
at t.connection.onclose (main.5f9ab0903b48ce06734b.js:6)
at t.stopConnection (main.5f9ab0903b48ce06734b.js:6)
at t.Y.transport.onclose (main.5f9ab0903b48ce06734b.js:6)
at t.close (main.5f9ab0903b48ce06734b.js:6)
at t.stop (main.5f9ab0903b48ce06734b.js:6)
at t.<anonymous> (main.5f9ab0903b48ce06734b.js:6)
at main.5f9ab0903b48ce06734b.js:6
我找不到任何会导致它做它正在做的事情的东西,我也无法更深入地了解是什么导致了它。想法?
这是我最终得出的结论:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/x-forwarded-proto: https
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
nginx.ingress.kubernetes.io/read-timeout: "3600"
nginx.ingress.kubernetes.io/send-timeout: "3600"
nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.3 TLSv1.2"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/session-cookie-name: "affinity"
nginx.ingress.kubernetes.io/session-cookie-expires: "14400"
nginx.ingress.kubernetes.io/session-cookie-max-age: "14400"
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 16m
nginx.ingress.kubernetes.io/add-headers: "yournamespace/add-headers"
然后 add-headers 配置映射中的以下内容:
apiVersion: v1
kind: ConfigMap
metadata:
name: add-headers
namespace: yournamespace
data:
X-Content-Type-Options: "nosniff"
X-XSS-Protection: "1; mode=block"
Referrer-Policy: "no-referrer-when-downgrade"
Feature-Policy: "notifications 'self'; usemedia *;gyroscope: 'none'"
kind: ConfigMap
这使 SignalR 能够在代理后面正常工作,处理亲和力(这显然是原始问题)并为您提供完整的 HSTS 加密和加密测试的 A+ 评级。
这是我的 nginx 入口:
nginx.ingress.kubernetes.io/proxy-set-headers: xyz/proxy-headers
nginx.ingress.kubernetes.io/read-timeout: 3600
nginx.ingress.kubernetes.io/session-cookie-expires: 14400
nginx.ingress.kubernetes.io/ssl-protocols: TLSv1.3 TLSv1.2
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/configuration-snippet: if ($host = 'example.com' ) {
rewrite ^ https://www.example
.com$request_uri permanent;
}
nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
nginx.ingress.kubernetes.io/force-ssl-redirect: true
nginx.ingress.kubernetes.io/proxy-body-size: 8m
nginx.ingress.kubernetes.io/proxy-send-timeout: 3600
nginx.ingress.kubernetes.io/server-alias: example.com
nginx.ingress.kubernetes.io/session-cookie-max-age: 14400
nginx.ingress.kubernetes.io/session-cookie-name: affinity
...
}
这是代理 headers:
apiVersion: v1
kind: ConfigMap
metadata:
name: proxy-headers
namespace: xyz
data:
X-Content-Type-Options: "nosniff"
X-XSS-Protection: "1; mode=block"
Referrer-Policy: "no-referrer-when-downgrade"
Feature-Policy: "notifications 'self'; usemedia *;gyroscope: 'none'"
直接连接时,websocket没问题。当它在 nginx 后面时,我得到以下信息:
main.5f9ab0903b48ce06734b.js:6 [2020-04-20T18:54:39.190Z] Information: Connection disconnected.
main.5f9ab0903b48ce06734b.js:6 Could not connect Error: Cannot send data if the connection is not in the 'Connected' State.
main.5f9ab0903b48ce06734b.js:6 ERROR Error: Uncaught (in promise): [object Undefined]
at _ (polyfills.d1de8a43b27b04443379.js:1)
at t.handshakeRejecter (polyfills.d1de8a43b27b04443379.js:1)
at t.connectionClosed (main.5f9ab0903b48ce06734b.js:6)
at t.connection.onclose (main.5f9ab0903b48ce06734b.js:6)
at t.stopConnection (main.5f9ab0903b48ce06734b.js:6)
at t.Y.transport.onclose (main.5f9ab0903b48ce06734b.js:6)
at t.close (main.5f9ab0903b48ce06734b.js:6)
at t.stop (main.5f9ab0903b48ce06734b.js:6)
at t.<anonymous> (main.5f9ab0903b48ce06734b.js:6)
at main.5f9ab0903b48ce06734b.js:6
我找不到任何会导致它做它正在做的事情的东西,我也无法更深入地了解是什么导致了它。想法?
这是我最终得出的结论:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/x-forwarded-proto: https
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
nginx.ingress.kubernetes.io/read-timeout: "3600"
nginx.ingress.kubernetes.io/send-timeout: "3600"
nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.3 TLSv1.2"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/session-cookie-name: "affinity"
nginx.ingress.kubernetes.io/session-cookie-expires: "14400"
nginx.ingress.kubernetes.io/session-cookie-max-age: "14400"
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 16m
nginx.ingress.kubernetes.io/add-headers: "yournamespace/add-headers"
然后 add-headers 配置映射中的以下内容:
apiVersion: v1
kind: ConfigMap
metadata:
name: add-headers
namespace: yournamespace
data:
X-Content-Type-Options: "nosniff"
X-XSS-Protection: "1; mode=block"
Referrer-Policy: "no-referrer-when-downgrade"
Feature-Policy: "notifications 'self'; usemedia *;gyroscope: 'none'"
kind: ConfigMap
这使 SignalR 能够在代理后面正常工作,处理亲和力(这显然是原始问题)并为您提供完整的 HSTS 加密和加密测试的 A+ 评级。