haproxy-ingress always sends 404
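I have a haproxy-ingress (v0.13.5, default helm settings) in an AWS-hosted Kubernetes cluster (v1.21.2-eks-06eac09) with a single service/deployment. The service is up and running and can be called successfully via curl, and the haproxy stats page shows a green backend with the correct IP. Everything looks fine to me, but if I call the URL I get the default 404 backend, unless I configure a default backend with the same service. This leads me to the conclusion that something must be wrong with the host or path mapping, right? Is something wrong with my configuration, or is the problem somewhere else?
Here is my ingress resource: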
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service
  namespace: my-service
  annotations:
    haproxy-ingress.github.io/affinity: "cookie"
    haproxy-ingress.github.io/backend-server-naming: "pod"
    haproxy-ingress.github.io/secure-backends: "true"
    haproxy-ingress.github.io/session-cookie-dynamic: "true"
    haproxy-ingress.github.io/session-cookie-keywords: "indirect nocache httponly maxidle 900"
    haproxy-ingress.github.io/session-cookie-preserve: "true"
    haproxy-ingress.github.io/session-cookie-same-site: "true"
    haproxy-ingress.github.io/slots-min-free: "0"
    haproxy-ingress.github.io/ssl-redirect: "false"
    haproxy-ingress.github.io/strict-host: "true"
spec:
  ingressClassName: haproxy-ingress
  tls:
  - secretName: my-service-tls
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: my-service
            port:
              number: 443
    host: my-service.dev.aws.company.local
#  defaultBackend:
#    service:
#      name: my-service
#      port:
#        number: 443
Ingress class:
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: haproxy-ingress
spec:
  controller: haproxy-ingress.github.io/controller
helm install command:
helm install haproxy-ingress haproxy-ingress/haproxy-ingress --create-namespace --namespace ingress-controller --set controller.service.type=ClusterIP --version 0.13.5
Generated backend from haproxy.conf:
backend my-service_my-service_https
    mode http
    balance roundrobin
    acl https-request ssl_fc
    http-request set-header X-Original-Forwarded-For %[hdr(x-forwarded-for)] if { hdr(x-forwarded-for) -m found }
    http-request del-header x-forwarded-for
    option forwardfor
    cookie INGRESSCOOKIE insert preserve attr SameSite=None secure indirect nocache httponly maxidle 900 dynamic
    dynamic-cookie-key "Ingress"
    http-response set-header Strict-Transport-Security "max-age=15768000" if https-request
    server my-service-0 10.19.25.214:443 weight 1 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets verify none check inter 2s
Generated frontend from haproxy.conf:
frontend _front_https
    mode http
    bind :443 ssl alpn h2,http/1.1 crt-list /etc/haproxy/maps/_front_bind_crt.list ca-ignore-err all crt-ignore-err all
    option httplog
    http-request set-var(req.path) path
    http-request set-var(req.host) hdr(host),field(1,:),lower
    http-request set-var(req.base) var(req.host),concat(\#,req.path)
    http-request set-var(req.hostbackend) var(req.base),map_dir(/etc/haproxy/maps/_front_https_host__prefix.map)
    http-request set-header X-Forwarded-Proto https
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-SHA1
    http-request del-header X-SSL-Client-Cert
    use_backend %[var(req.hostbackend)] if { var(req.hostbackend) -m found }
    use_backend %[var(req.defaultbackend)]
    default_backend _error404
Generated maps/_front_https_host__prefix.map:
my-service.dev.aws.company.local#/ my-service_my-service_https
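I found the problem! The hosts part was missing in my tls definition. Because of that, /etc/haproxy/maps/_front_https_host__begin.map was not generated, and the map configuration (http-request set-var(req.hostbackend) var(req.base),lower,map_beg(/etc/haproxy/maps/_front_https_host__begin.map)) was missing from my generated frontend section.
My fully working ingress now looks like this (I moved the annotations into the config map):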
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service
  namespace: my-service
spec:
  ingressClassName: haproxy-ingress
  tls:
  - secretName: my-service-tls
    hosts:
    - my-service.dev.aws.company.local
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: my-service
            port:
              number: 443
    host: my-service.dev.aws.company.local
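
An added example, not part of the original post: a check that flags the misconfiguration described in the answer (a `tls` entry without `hosts`, or a rule host that no `tls.hosts` entry names) across Ingress objects in the JSON shape of `kubectl get ingress -A -o json`. The function names, the constructed sample data and the one-label wildcard matching are assumptions of this example.

```python
import json

# Constructed sample: item 1 mirrors the question's Ingress, item 2 the fixed one.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "my-service", "name": "broken"},
     "spec": {"tls": [{"secretName": "my-service-tls"}],
              "rules": [{"host": "my-service.dev.aws.company.local"}]}},
    {"metadata": {"namespace": "my-service", "name": "fixed"},
     "spec": {"tls": [{"secretName": "my-service-tls",
                       "hosts": ["my-service.dev.aws.company.local"]}],
              "rules": [{"host": "my-service.dev.aws.company.local"}]}},
]})


def covers(tls_host, rule_host):
    """True if a tls.hosts entry covers a rule host (exact, or '*.' for one label)."""
    tls_host, rule_host = tls_host.lower(), rule_host.lower()
    if tls_host.startswith("*."):
        label, _, rest = rule_host.partition(".")
        return bool(label) and rest == tls_host[2:]
    return tls_host == rule_host


def find_tls_host_gaps(ingress_list_json):
    """Return (namespace, name, problem) for Ingresses whose tls block omits rule hosts."""
    findings = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        tls = spec.get("tls") or []
        if not tls:
            continue  # no TLS section at all, nothing to cross-check
        ident = (meta.get("namespace", ""), meta.get("name", ""))
        tls_hosts = []
        for entry in tls:
            hosts = entry.get("hosts") or []
            if not hosts:
                findings.append(ident + ("tls entry for secret %r lists no hosts"
                                         % entry.get("secretName"),))
            tls_hosts.extend(hosts)
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if host and not any(covers(t, host) for t in tls_hosts):
                findings.append(ident + ("rule host %r not in any tls.hosts" % host,))
    return findings


if __name__ == "__main__":
    for ns, name, problem in find_tls_host_gaps(SAMPLE):
        print("%s/%s: %s" % (ns, name, problem))
```

Against a live cluster, pass the output of `kubectl get ingress -A -o json` to `find_tls_host_gaps` instead of the sample.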