Using Secrets for nginx TLS authentication and private registry authentication
2022/8/5 5:22:47
TLS certificates

Create a Secret of type `tls` so that nginx can serve HTTPS with the certificate it holds.
```shell
# Create the CA private key and a self-signed CA certificate
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.test.com'
# Create the server private key and certificate signing request
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test.com'
# Have the CA sign the request to produce the server certificate
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
```
Create the Secret:

```shell
root@deploy:~/secret# kubectl create secret tls nginx-tls --cert=./server.crt --key=./server.key
```
Inspect the Secret to verify the certificate and private key it stores (the `tls` type gives them the keys `tls.crt` and `tls.key`, base64-encoded):

```shell
root@deploy:~/secret# kubectl get secrets nginx-tls -o yaml
```
Create a ConfigMap holding the nginx configuration file:
```shell
root@deploy:~/secret# vim nginx-https.yaml
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  https: |
    server {
        listen 80;
        server_name www.test.com;
        listen 443 ssl;
        ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
        ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
        location / {
            root /usr/share/nginx/html;
            index index.html;
            if ($scheme = http ){
                rewrite / https://www.test.com permanent;
            }
            if (!-e $request_filename) {
                rewrite ^/(.*) /index.html last;
            }
        }
    }
```

```shell
root@deploy:~/secret# kubectl apply -f nginx-https.yaml
```
Create the Deployment and Service, mounting the ConfigMap and the Secret into the container:
```shell
root@deploy:~/secret# vim deployment.yaml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: web
  name: web-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - image: nginx
        name: nginx
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: nginx-conf
          mountPath: "/etc/nginx/conf.d"
        - name: nginx-secret
          mountPath: "/etc/nginx/conf.d/certs"
      volumes:
      - name: nginx-conf
        configMap:
          name: nginx-config
          items:
          - key: https
            path: https.conf
      - name: nginx-secret
        secret:
          secretName: nginx-tls
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: web-svc
  name: web-svc
  namespace: default
spec:
  ports:
  - name: web1
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30080
  - name: web2
    port: 443
    protocol: TCP
    targetPort: 443
    nodePort: 30443
  selector:
    app: web
  type: NodePort
```

```shell
root@deploy:~/secret# kubectl apply -f deployment.yaml
```
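The pieces above only fit together because a `kubernetes.io/tls` Secret always exposes its contents under the key names `tls.crt` and `tls.key`, and the nginx `ssl_certificate*` directives point at exactly those file names under the Secret's `mountPath`. The following added example (written for this page, not code from the original post or from Kubernetes) builds the same manifest that `kubectl create secret tls nginx-tls --cert=... --key=...` produces, decodes a Secret the way you would read `kubectl get secret -o yaml` output, and cross-checks the nginx config against the mounted Secret so that a renamed key or a wrong mount path is caught before the Pod starts. The PEM blobs are constructed placeholders with only the headers, not real key material.

```python
import base64
import re

# Constructed sample PEM blobs: correct headers, no real certificate or key inside.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBc29tZS1zYW1wbGU=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEc29tZS1zYW1wbGU=\n-----END PRIVATE KEY-----\n"

# The ssl directives from the page's ConfigMap, reduced to what the check needs.
NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
    ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
}
"""


def build_tls_secret(name, cert_pem, key_pem, namespace="default"):
    """Build the manifest `kubectl create secret tls` would produce.

    The type kubernetes.io/tls requires exactly the data keys tls.crt and tls.key;
    both values are base64-encoded PEM, as in any Secret's `data` field.
    """
    if not cert_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("--cert must be a PEM certificate")
    first_line = key_pem.splitlines()[0] if key_pem else ""
    if not (first_line.startswith("-----BEGIN ") and first_line.endswith("PRIVATE KEY-----")):
        raise ValueError("--key must be a PEM private key")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {
            "tls.crt": base64.b64encode(cert_pem.encode()).decode(),
            "tls.key": base64.b64encode(key_pem.encode()).decode(),
        },
    }


def decode_secret_data(secret):
    """Decode the base64 `data` map of a Secret as shown by `kubectl get secret -o yaml`."""
    return {key: base64.b64decode(value).decode() for key, value in secret["data"].items()}


def check_nginx_mount(secret, nginx_conf, mount_path):
    """Return the problems found when nginx_conf is served with `secret` mounted at mount_path.

    Every ssl_certificate / ssl_certificate_key path must sit directly under mount_path,
    and its file name must be one of the Secret's data keys (Kubernetes projects each
    key as a file of that name). An empty list means the config and Secret agree.
    """
    base = mount_path.rstrip("/") + "/"
    problems = []
    for directive, path in re.findall(r"(ssl_certificate(?:_key)?)\s+(\S+);", nginx_conf):
        if not path.startswith(base):
            problems.append(f"{directive}: {path} is not under the Secret mount {mount_path}")
            continue
        key = path[len(base):]
        if key not in secret["data"]:
            problems.append(f"{directive}: Secret {secret['metadata']['name']} has no key {key!r}")
    return problems


if __name__ == "__main__":
    secret = build_tls_secret("nginx-tls", SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    print("data keys:", sorted(decode_secret_data(secret)))
    print("problems:", check_nginx_mount(secret, NGINX_CONF, "/etc/nginx/conf.d/certs"))
```

Run the same check after editing the ConfigMap or the Deployment: if the nginx config were changed to reference `server.crt`, or the Secret mounted somewhere other than `/etc/nginx/conf.d/certs`, the function reports the mismatch, which otherwise only shows up as nginx failing to start inside the Pod.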
Check the Pod and Service.

Configure haproxy as a reverse proxy in front of the NodePorts:
```shell
root@haproxyA:~# vim /etc/haproxy/haproxy.cfg
```

```
listen http
    bind 192.168.100.20:80
    mode tcp
    server node1 192.168.100.5:30080 check inter 3s fall 3 rise 3
    server node2 192.168.100.6:30080 check inter 3s fall 3 rise 3
listen https
    bind 192.168.100.20:443
    mode tcp
    server node1 192.168.100.5:30443 check inter 3s fall 3 rise 3
    server node2 192.168.100.6:30443 check inter 3s fall 3 rise 3
```

```shell
root@haproxyA:~# systemctl restart haproxy
```
Configure local name resolution in the client's hosts file.

Configure hosts resolution on the server as well and test with curl (`-k` skips certificate verification; to verify against the CA created above, pass `--cacert ca.crt` instead):
```shell
root@deploy:~/secret# grep 'www.test.com' /etc/hosts
192.168.100.20 www.test.com
root@deploy:~/secret# curl -k -L www.test.com
```
Open www.test.com in a browser.

View the certificate's issuer details.