大使给出 403 尝试连接到 Websocket
Ambassador Gives 403 Trying to Connect to Websocket
Ambassador 在尝试访问集群中的 websocket 端点时抛出 403。以下是重现问题的步骤:
[Kube 环境:Docker 桌面 Mac]
安装 Ambassador 和 Echo 服务
- 使用 Helm 部署 Ambassador
helm repo add datawire https://getambassador.io
helm install ambassador datawire/ambassador
- 部署 websocket echo deployment/service/mapping
---
apiVersion: v1
kind: Service
metadata:
name: websocket-echo
namespace: default
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: websocket-echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: websocket-echo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: websocket-echo
template:
metadata:
labels:
app: websocket-echo
spec:
containers:
- name: backend
image: jmalloc/echo-server
ports:
- name: http
containerPort: 8080
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
name: websocket-echo
namespace: default
spec:
prefix: /websocket/
service: websocket-echo
allow_upgrade:
- websocket
✅ 验证可以从集群中的 pod 访问 echo 服务器
- 在集群上创建一个节点shell
kubectl run my-shell --rm -i --tty --image node:12 -- bash
- 在shell,下载
wscat
npm i -g wscat
- 在shell中,通过集群服务端点连接到服务
wscat -c websocket-echo.default.svc.cluster.local
- 确认连接已建立并且消息可以回显
❌ 验证无法从集群外部访问回显服务器
- 在您的本地计算机上安装
wscat
npm i -g wscat
- 使用 wscat,使用映射连接到服务
wscat -c localhost/websocket-echo/
- 验证返回的错误是
error: Unexpected server response: 403
我是不是漏掉了一些简单的东西?
Ambassador 会将传入请求从 http 重定向到 https。
您可以通过
验证
$ curl localhost/websocket/ -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /websocket/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< location: https://localhost/websocket/
< date: Fri, 07 Aug 2020 08:25:38 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host localhost left intact
因此,您需要添加此配置以在 localhost
上禁用重定向
apiVersion: getambassador.io/v2
kind: Host
metadata:
name: localhost
namespace: default
spec:
hostname: localhost
acmeProvider:
authority: none
requestPolicy:
insecure:
action: Route
参考
Ambassador 在尝试访问集群中的 websocket 端点时抛出 403。以下是重现问题的步骤:
[Kube 环境:Docker 桌面 Mac]
安装 Ambassador 和 Echo 服务
- 使用 Helm 部署 Ambassador
helm repo add datawire https://getambassador.io
helm install ambassador datawire/ambassador
- 部署 websocket echo deployment/service/mapping
---
apiVersion: v1
kind: Service
metadata:
name: websocket-echo
namespace: default
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: websocket-echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: websocket-echo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: websocket-echo
template:
metadata:
labels:
app: websocket-echo
spec:
containers:
- name: backend
image: jmalloc/echo-server
ports:
- name: http
containerPort: 8080
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
name: websocket-echo
namespace: default
spec:
prefix: /websocket/
service: websocket-echo
allow_upgrade:
- websocket
✅ 验证可以从集群中的 pod 访问 echo 服务器
- 在集群上创建一个节点shell
kubectl run my-shell --rm -i --tty --image node:12 -- bash
- 在shell,下载
wscat
npm i -g wscat
- 在shell中,通过集群服务端点连接到服务
wscat -c websocket-echo.default.svc.cluster.local
- 确认连接已建立并且消息可以回显
❌ 验证无法从集群外部访问回显服务器
- 在您的本地计算机上安装
wscat
npm i -g wscat
- 使用 wscat,使用映射连接到服务
wscat -c localhost/websocket-echo/
- 验证返回的错误是
error: Unexpected server response: 403
我是不是漏掉了一些简单的东西?
Ambassador 会将传入请求从 http 重定向到 https。
您可以通过
验证$ curl localhost/websocket/ -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /websocket/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< location: https://localhost/websocket/
< date: Fri, 07 Aug 2020 08:25:38 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host localhost left intact
因此,您需要添加此配置以在 localhost
apiVersion: getambassador.io/v2
kind: Host
metadata:
name: localhost
namespace: default
spec:
hostname: localhost
acmeProvider:
authority: none
requestPolicy:
insecure:
action: Route