NGINX Ingress Controller
# Register the upstream chart repository under the local alias "ingress-nginx".
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
# Download the pinned chart archive (4.2.5) and unpack it locally, presumably to
# inspect the chart and its default values before installing.
helm pull ingress-nginx/ingress-nginx --version 4.2.5
tar xf ingress-nginx-4.2.5.tgz
# Install or upgrade the release. The chart is fetched again from --repo, so the
# unpacked copy above is not what gets installed. -f values.yaml supplies the local
# overrides, and the namespace is created if it does not exist yet.
helm upgrade --install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx --version 4.2.5 -f values.yaml \
--namespace ingress-nginx --create-namespace
# Create the TLS secret that the Ingress objects reference as "vimll-com".
# No --namespace is given, so the secret lands in the current context's namespace;
# an Ingress can only use a TLS secret from its own namespace.
# The .key file is the wildcard certificate's private key: keep it readable by the
# operator only and restrict RBAC read access to the resulting secret.
kubectl create secret tls vimll-com --cert=/etc/ssl/wildcard_.vimll.com.crt --key=/etc/ssl/wildcard_.vimll.com.key
# cat ingress.yaml
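# Main Ingress for ingress.vimll.com: terminates TLS with the "vimll-com" secret and
# sends every path to the "nginx" Service on port 80.
# No metadata.namespace is set, so the object is created in the namespace kubectl is
# pointed at; the TLS secret must exist in that same namespace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-nginx
  annotations:
    # Treat the paths of this host as regular expressions.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Response buffering towards the client. limit-rate / limit-rate-after below
    # only take effect while buffering is on.
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "1024m"
    # Per-client-IP limits: concurrent connections, requests per second and per
    # minute. The allowed burst is the limit multiplied by limit-burst-multiplier.
    nginx.ingress.kubernetes.io/limit-connections: "50"
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-rpm: "100"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "20"
    # Response bandwidth per connection (KB/s), applied after the first
    # limit-rate-after kilobytes have been sent.
    nginx.ingress.kubernetes.io/limit-rate: "100"
    nginx.ingress.kubernetes.io/limit-rate-after: "10240"
    # Source addresses exempt from the limits above.
    # NOTE(review): limits and this exemption key on the client address as the
    # controller sees it. If the controller is configured to trust X-Forwarded-For
    # from arbitrary senders, that address is client-supplied and neither the limits
    # nor the exemption can be relied on.
    nginx.ingress.kubernetes.io/limit-whitelist: "192.168.9.11"
    #nginx.ingress.kubernetes.io/proxy-http-version: "1.0"
    #nginx.ingress.kubernetes.io/denylist-source-range: "192.168.9.11,192.168.9.12"
    #nginx.ingress.kubernetes.io/rewrite-target: /$2
    #nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    #nginx.ingress.kubernetes.io/auth-type: basic
    ### htpasswd -c auth foo ;kubectl create secret generic basic-auth --from-file=auth
    # (the local "auth" file holds the password hash; remove it once the secret exists)
    #nginx.ingress.kubernetes.io/auth-secret: basic-auth
    #nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - HAHA'
spec:
  ingressClassName: nginx
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - ingress.vimll.com
      secretName: vimll-com
  rules:
    - host: ingress.vimll.com
      http:
        paths:
          - pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80
            path: /
    # Example of regex paths combined with rewrite-target: /$2 (disabled).
    # NOTE(review): regex paths are normally declared with
    # pathType: ImplementationSpecific; newer controller releases may reject regex
    # characters under Prefix - verify against the version in use.
    # - host: api.vimll.com
    #   http:
    #     paths:
    #       - path: /app1(/|$)(.*)
    #         pathType: Prefix
    #         backend:
    #           service:
    #             name: nginx
    #             port:
    #               number: 80
    #       - path: /app2(/|$)(.*)
    #         pathType: Prefix
    #         backend:
    #           service:
    #             name: nginx
    #             port:
    #               number: 80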
# Apply the manifest to the current context's namespace (no -n given). This must be
# the namespace that holds the "vimll-com" TLS secret, otherwise the controller
# cannot load the certificate for this host.
kubectl apply -f ingress.yaml
灰度
# cat ingress-canary.yaml
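# Canary Ingress for the same host as the main Ingress: a share of the traffic for
# ingress.vimll.com is sent to the "techxuexi" Service instead of the main backend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-nginx-canary
  annotations:
    # Marks this object as the canary of the Ingress that serves the same host/path.
    nginx.ingress.kubernetes.io/canary: "true"
    # Percentage of requests routed to the canary backend.
    nginx.ingress.kubernetes.io/canary-weight: "20"
    # Alternative selection rules (disabled):
    # Route by cookie: nginx.ingress.kubernetes.io/canary-by-cookie: "test"
    # Route by request header: nginx.ingress.kubernetes.io/canary-by-header: "canary"
    # Route by request header and header value: nginx.ingress.kubernetes.io/canary-by-header-value: "haha"
    # Route by weight: nginx.ingress.kubernetes.io/canary-weight: "30"
    # NOTE(review): header- and cookie-based selection is chosen by the client.
    # Anyone who sends the header or cookie reaches the canary backend, so treat it
    # as a routing aid, not as an access control for unreleased code.
    #
    # NOTE(review): per the ingress-nginx canary documentation, most non-canary
    # annotations on a canary Ingress are ignored and inherited from the main
    # Ingress. The buffering and rate-limit settings below are therefore probably
    # effective only through the main object - confirm for the controller version
    # in use rather than relying on this copy.
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "1024m"
    nginx.ingress.kubernetes.io/limit-connections: "50"
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-rpm: "100"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "20"
    nginx.ingress.kubernetes.io/limit-rate: "100"
    nginx.ingress.kubernetes.io/limit-rate-after: "10240"
    nginx.ingress.kubernetes.io/limit-whitelist: "192.168.9.11"
    #nginx.ingress.kubernetes.io/proxy-http-version: "1.0"
    #nginx.ingress.kubernetes.io/denylist-source-range: "192.168.9.11,192.168.9.12"
    #nginx.ingress.kubernetes.io/rewrite-target: /$2
    #nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    #nginx.ingress.kubernetes.io/auth-type: basic
    ### htpasswd -c auth foo ;kubectl create secret generic basic-auth --from-file=auth
    #nginx.ingress.kubernetes.io/auth-secret: basic-auth
    #nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - HAHA'
spec:
  ingressClassName: nginx
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - ingress.vimll.com
      secretName: vimll-com
  rules:
    - host: ingress.vimll.com
      http:
        paths:
          - pathType: Prefix
            backend:
              service:
                name: techxuexi
                port:
                  number: 80
            path: /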
跨域相关配置:
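# Ingress metadata fragment: CORS headers, cookie-based session affinity and proxy
# timeouts. Merge the annotations into the metadata of the Ingress they apply to.
metadata:
  annotations:
    # Sticky sessions: the controller issues a cookie that pins a client to a backend.
    nginx.ingress.kubernetes.io/affinity: cookie
    # NOTE(review): credentials are allowed while cors-allow-origin below is '*'.
    # Browsers refuse credentialed responses whose Access-Control-Allow-Origin is
    # the wildcard, so this pair does not do what it appears to. List the exact
    # trusted origins in cors-allow-origin rather than widening it further; any
    # origin allowed together with credentials can read authenticated responses
    # (the allowed headers include Authorization and access_token).
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,access_token
    nginx.ingress.kubernetes.io/cors-allow-origin: '*'
    nginx.ingress.kubernetes.io/enable-cors: "true"
    # Request bodies up to 2048m are accepted on this Ingress. Large limits raise
    # the cost of each upload for the controller; keep them on the routes that
    # need them.
    nginx.ingress.kubernetes.io/proxy-body-size: 2048m
    # Upstream connect/read/send timeouts, in seconds.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "180"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "180"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "180"
    # Affinity cookie attributes: SameSite=None (omitted for user agents that
    # mishandle it) together with Secure, which SameSite=None requires.
    nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "true"
    nginx.ingress.kubernetes.io/session-cookie-name: SSNONE
    nginx.ingress.kubernetes.io/session-cookie-samesite: None
    nginx.ingress.kubernetes.io/session-cookie-secure: "true"
    # NOTE(review): with the redirect off, plain HTTP stays reachable. Browsers do
    # not send the Secure affinity cookie over HTTP, and any Authorization header
    # sent that way travels unencrypted. Confirm this is intended.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"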
常用配置项:
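# Controller-wide options; presumably keys of the ingress-nginx controller ConfigMap
# (Helm values: controller.config) - confirm where this fragment is merged.
# All values are strings, as ConfigMap data requires.

# NOTE(review): accepting underscores means "X_Some_Header" and "X-Some-Header" can
# both reach a backend. Frameworks that normalise the two to the same name may then
# read a client-supplied copy of a header the proxy is expected to set. Enable only
# if a backend needs it.
enable-underscores-in-headers: "true"
# Adds a request id (logged as $req_id below) when the request carries none.
generate-request-id: "true"
ignore-invalid-headers: "true"
# Access-log line. Written as a folded scalar so the continuation lines join with
# single spaces into one log format string.
log-format-upstream: >-
  $remote_addr - [$remote_addr] - $remote_user [$time_local]
  "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length
  $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length
  $upstream_response_time $upstream_status $req_id $host [$proxy_alternative_upstream_name]
max-worker-connections: "65536"
# Default request-body limit for every Ingress (overridable per Ingress).
proxy-body-size: 20m
proxy-connect-timeout: "10"
# Rewrites upstream cookie paths so HttpOnly, Secure and SameSite=None are appended.
proxy-cookie-path: / "/; httponly; secure; SameSite=None"
reuse-port: "true"
# Do not advertise the NGINX version in responses and error pages.
server-tokens: "false"
# NOTE(review): disables the HTTP-to-HTTPS redirect for all Ingresses, while the
# cookie rewrite above marks cookies Secure. Clients that stay on HTTP will not
# send those cookies back, and their traffic is unencrypted.
ssl-redirect: "false"
upstream-keepalive-timeout: "900"
worker-cpu-affinity: auto
# NOTE(review): this enables the *-snippet annotations, which let anyone allowed to
# create or edit an Ingress place raw NGINX configuration into the shared
# controller. In a multi-tenant cluster that effectively grants Ingress authors the
# controller's privileges, which typically include reading Secrets across
# namespaces. No snippet annotation is used in these notes; set this to "false"
# unless one is required, and restrict who may write Ingress objects if it stays on.
allow-snippet-annotations: "true"
# NOTE(review): this is the NGINX directive name rather than an ingress-nginx
# ConfigMap option as far as I know. The body limit is governed by proxy-body-size
# above, so this line is probably ignored - confirm and remove.
client_max_body_size: 100m
#custom-http-errors: 404,415
#use-proxy-protocol: true
#block-cidrs: 192.168.9.11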
上传大小配置:
# Maximum accepted request body size (NGINX client_max_body_size); larger uploads
# are rejected with 413. Set globally it applies to every Ingress, so prefer the
# per-Ingress proxy-body-size annotation on the routes that need big uploads.
proxy-body-size: 300m
获取真实ip配置:
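# Take the client address from X-Forwarded-For instead of the TCP peer.
# Values are quoted: ConfigMap data must be strings, and the other entries in these
# notes are written that way.
#
# NOTE(review): use-forwarded-headers makes the controller believe incoming
# X-Forwarded-* headers. That is only safe when every request arrives through a
# trusted proxy or load balancer that overwrites those headers. If clients can reach
# the controller directly, the "real IP" is client-supplied, and IP-based controls
# (limit-whitelist, denylist-source-range, block-cidrs) and the access log can no
# longer be trusted. Set proxy-real-ip-cidr to the load balancer's address range so
# that only those senders are believed.
compute-full-forwarded-for: "true"
forwarded-for-header: X-Forwarded-For
use-forwarded-headers: "true"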
开启gzip压缩:
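# Response compression. use-gzip is quoted because ConfigMap data must be strings.
use-gzip: "true"
gzip-level: "5"
# "*" compresses every MIME type.
# NOTE(review): already-compressed formats gain nothing from this and cost CPU.
# Compressing HTTPS responses that mix secrets with request-reflected content is
# also the precondition for compression side channels; consider listing only the
# text types that benefit.
gzip-types: "*"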