问题[nginx-ingress](server)

以下是我的 ngnix 模板，运行良好：

enterapiVersion: networking.k8s.io/v1   
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-body-size: "15m"
    nginx.ingress.kubernetes.io/configuration-snippet: |
        set $a $http_x_correlation_id;
        set $my_header $request_id;
        proxy_set_header X_Correlation_Id $my_header;   
        rewrite ^/app-name(/|$)(.*) /$2 break;
  name: rtfp-ingress-template
  namespace: rtfp
spec:
  ingressClassName: rtf-nginx
 rules:
  - host: ap.abc.com
    http:
      paths:
      - path: /app-name
        pathType: ImplementationSpecific
        backend:
          service:
            name: service
            port:
              number: 80

但是一旦我引入 if 语句来选择性地添加标头，即。如果它不是来自客户端，则应添加标头，它会失败并显示 404

nginx.ingress.kubernetes.io/configuration-snippet: |
        set $a $http_x_correlation_id;
        if ($a = ''){
            set $my_header $request_id;
            proxy_set_header X_Correlation_Id $my_header;           
        }        
        rewrite ^/app-name(/|$)(.*) /$2 break;

如果通过配置片段无法做到这一点，请告诉我通过 lua 脚本实现它的步骤是什么，以及在 ngnix kubernetes 环境中使用 lua 脚本的任何好的教程。

我有以下通过 nodePort 32100 公开的入口配置。当我调用（卷曲）包含括号的 URL [1] 时，我收到 HTTP 500 错误。但是当我调用不包含括号的 URL [2] 时，请求通过 NGINX 入口控制器（v0.35.0）成功传递。

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 0m
    name: test1-app-ingress
  namespace: test1
spec:
  rules:
  - host: ing1.example.com
    http:
      paths:
      - backend:
          serviceName: test1-app-1-ingress
          servicePort: 80
        path: /test1
  - host: ing2.example.com
    http:
      paths:
      - backend:
          serviceName: test1-app-2-ingress
          servicePort: 80
        path: /test1

[1]

curl  "http://ing1.example.com:32100/test1/test1.json/Streams(Type_4000000)" -X POST --data-binary @25kfile 
* About to connect() to ing1.example.com port 32100 (#0)
*   Trying 10.10.10.30...
* Connected to ing1.example.com (10.10.10.30) port 32100 (#0)
> POST /test1/test1.json/Streams(Type_4000000) HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ing1.example.com:32100
> Accept: */*
> Content-Length: 25000
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< HTTP/1.1 500 Internal Server Error
< Server: nginx
< Date: Tue, 01 Mar 2022 20:08:07 GMT

应用程序日志：

10.113.4.0 - - [01/Mar/2022:20:08:07 +0000] "POST /test1/test1.json/Streams(Type_4000000) HTTP/1.0" 500 528 "-" "curl/7.29.0" 25283 0.004 [test1-test1-app-1-ingress-80] [] 10.113.4.157:80 528 0.003 500 4b3fd4d41fb8a2d26691bd2da78f24b

[2]

curl  "http://ing1.example.com:32100/test1/test1.json/StreamsType_4000000" -X POST --data-binary @25kfile 
* About to connect() to ing1.example.com port 32100 (#0)
*   Trying 10.10.10.30...
* Connected to ing1.example.com (10.10.10.30) port 32100 (#0)
> POST /test1/test1.json/StreamsType_4000000HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ing1.example.com:32100
> Accept: */*
> Content-Length: 25000
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 01 Mar 2022 20:09:59 GMT

应用程序日志：

172.28.120.65 - - [01/Mar/2022:20:09:59 +0000] "POST /test1/test1.json/StreamsType_4000000 HTTP/1.0" 200 0 "-" "curl/7.29.0" 25281 0.003 [test1-test1-app-1-ingress-80] [] 10.113.4.157:80 0 0.003 200 133bbb4f7149d31e75cf78158566efee

这是 NGINX IC 的问题吗？我应该转义入口配置上的任何字符，比如括号吗？

我在 VMWare Workstation 15 上配置了一个私有 2 节点 Kubernetes 集群。我使用的是 MetalLB 和 Calico。入口服务和入口看起来像：

xxx@c1-cp1:~/Desktop$ kubectl get svc -n ingress-controller-2
NAME                                         TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                      AGE
wsnginx-ingress-nginx-controller             LoadBalancer   10.109.117.222   192.168.44.136   80:30167/TCP,443:30680/TCP   24h
wsnginx-ingress-nginx-controller-admission   ClusterIP      10.105.103.165   <none>           443/TCP                      24h
xxx@c1-cp1:~/Desktop$ kubectl get ing apollo-ingress
NAME             CLASS     HOSTS                ADDRESS          PORTS   AGE
apollo-ingress   wsnginx   test.xxx.com   192.168.44.136   80      3h17m

我正在使用 Nat 网络适配器和静态 IPS。我的端口转发配置如下

curl -D- http://192.168.44.136 -H 'Host: test.xxx.com'从 VM，返回 200 状态，但我无法从主机 Win10 上访问它，127.0.0.1:8080因为我得到一个404 NGINX NotFound.

你能帮帮我吗？我究竟做错了什么？我怎么能在我的私人网络中公开它？谢谢！

更新 我不确定这是否是正确的方法，但我设法通过更改一点 Ingress 资源从主机连接。我在注释中添加了主机参数，如

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apollo-ingress
spec:
  ingressClassName: wsnginx
  rules:
    #- host: test.xxx.com
    - http:
        paths:
          - backend:
              service:
                name: apollo-service
                port: 
                  number: 80
            path: /
            pathType: Prefix

现在我的入口看起来像这样

NAMESPACE   NAME                                                   CLASS     HOSTS                        ADDRESS          PORTS     AGE
default     ingress.networking.k8s.io/apollo-ingress               wsnginx   *                            192.168.44.136   80        3h31m

看来我现在也可以从我的主机上访问它了。我有一个 Rest API，所以我刚刚从浏览器打开它http://127.0.0.1:8080

一般来说，我关于设置默认证书的问题在这里得到解答：Kubernetes ingress How to set default-ssl-certificate? .

我不明白的是这部分：我应该将标志添加--default-ssl-certificate=kube-system/host-cert为 Ingress 的参数。为了发现 NGINX 入口控制器的 YAML 配置文件设置，我应该使用以下命令检查它kubectl describe deployment/nginx-ingress-controller --namespace：但它不作为部署运行：

$ kubectl get deployments --all-namespaces
NAMESPACE     NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
kube-system   kubernetes-dashboard         1/1     1            1           3d
kube-system   kubernetes-metrics-scraper   1/1     1            1           3d

它只能作为一个 pod：

$ kubectl get pods --all-namespaces
NAMESPACE       NAME                                          READY   STATUS    RESTARTS       AGE
ingress-nginx   ingress-nginx-controller-8xcl9                1/1     Running   1 (2d ago)     3d
ingress-nginx   ingress-nginx-controller-hwhvk                1/1     Running   1 (2d ago)     3d
ingress-nginx   ingress-nginx-controller-xqdqx                1/1     Running   3 (2d ago)     3d
kube-system     kubernetes-dashboard-548847967d-66dwz         1/1     Running   2 (2d ago)     3d
kube-system     kubernetes-metrics-scraper-6d49f96c97-r6dz2   1/1     Running   1 (2d ago)     3d
[...]

那我应该如何将标志提供给控制器？

我正在尝试在 DigitalOcean 上部署一个NestJS应用程序，并且我已按照本教程进行操作，但我总是从.Kubernetesnginx-ingress-controller

那是我的deployment.yaml

---
apiVersion: v1
kind: Service
metadata:
  name: nestjs-api
spec:
  ports:
    - port: 80
      targetPort: 3001
  selector:
    app: nestjs-api
---
# Create nestjs-api
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nestjs-api
  labels:
    app: nestjs-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nestjs-api
  template:
    metadata:
      labels:
        app: nestjs-api
    spec:
      containers:
        - name: nestjs-api
          image: registry.digitalocean.com/nestjs-registry/nestjs-api
          ports:
            - containerPort: 3001
          envFrom:
            - secretRef:
                name: api-env
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nestjs-ingress
spec:
  rules:
    - host: api.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nestjs-api
                port:
                  number: 80

那是 Docker 镜像registry.digitalocean.com/nestjs-registry/nestjs-api

FROM node:14-alpine3.14 AS BUILD_IMAGE

RUN apk update && apk add yarn curl bash make && rm -rf /var/cache/apk/*

RUN curl -sfL https://install.goreleaser.com/github.com/tj/node-prune.sh | bash -s -- -b /usr/local/bin

WORKDIR /usr/src/app

# install dependencies
RUN yarn --frozen-lockfile

COPY . .
RUN yarn install
RUN yarn build

RUN npm prune --production

RUN /usr/local/bin/node-prune

FROM node:14-alpine3.14

USER 1000
RUN mkdir -p /home/node/app/
RUN mkdir -p /home/node/app/node_modules
RUN mkdir -p /home/node/app/dist

RUN chown -R 1000:1000 /home/node/app
RUN chown -R 1000:1000 /home/node/app/node_modules
RUN chown -R 1000:1000 /home/node/app/dist

WORKDIR /home/node/app

COPY --from=BUILD_IMAGE /usr/src/app/dist /home/node/app/dist
COPY --from=BUILD_IMAGE /usr/src/app/node_modules /home/node/app/node_modules

EXPOSE 3001
ENTRYPOINT ["node"]
CMD ["/home/node/app/dist/main.js"]

这是我的日志nginx-ingress-controller

2021/09/29 18:37:12 [error] 590#590: *147263 connect() failed (111: Connection refused) while connecting to upstream, client: MY_HOME_IP, server: api.mydomain.com, request: "GET / HTTP/1.1", upstream: "http://10.244.0.229:3001/", host: "api.mydomain.com"
2021/09/29 18:37:12 [error] 590#590: *147263 connect() failed (111: Connection refused) while connecting to upstream, client: MY_HOME_IP, server: api.mydomain.com, request: "GET / HTTP/1.1", upstream: "http://10.244.0.229:3001/", host: "api.mydomain.com"
2021/09/29 18:37:12 [error] 590#590: *147263 connect() failed (111: Connection refused) while connecting to upstream, client: MY_HOME_IP, server: api.mydomain.com, request: "GET / HTTP/1.1", upstream: "http://10.244.0.229:3001/", host: "api.mydomain.com"
MY_HOME_IP - - [29/Sep/2021:18:37:12 +0000] "GET / HTTP/1.1" 502 150 "-" "PostmanRuntime/7.28.4" 204 0.000 [default-nestjs-api-80] [] 10.244.0.229:3001, 10.244.0.229:3001, 10.244.0.229:3001 0, 0, 0 0.000, 0.000, 0.000 502, 502, 502 a54bfdae6e0b77bf894e53d8ac8fa29e

以下是一些输出kubectl

$ kubectl get pods -o wide
NAME                            READY   STATUS    RESTARTS   AGE   IP             NODE                  NOMINATED NODE   READINESS GATES
nestjs-api-6bcccbdbd5-zmdqg   1/1     Running   0          61m   10.244.0.238   api-wn5e3n2u8-u3j8q   <none>           <none>

$ kubectl get service -o wide
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE    SELECTOR
nestjs-api   ClusterIP   10.245.37.142   <none>        80/TCP    3h     app=nestjs-api
kubernetes     ClusterIP   10.245.0.1      <none>        443/TCP   5d6h   <none>


$ kubectl get pods -n ingress-nginx -o wide
NAME                                        READY   STATUS      RESTARTS   AGE     IP             NODE                  NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-psdn2        0/1     Completed   0          6h34m   10.244.0.251   api-wn5e3n2u8-u3j8q   <none>           <none>
ingress-nginx-admission-patch-x8vvs         0/1     Completed   1          6h34m   10.244.0.252   api-wn5e3n2u8-u3j8q   <none>           <none>
ingress-nginx-controller-68649d49b8-bj7vp   1/1     Running     0          6h34m   10.244.0.175   api-wn5e3n2u8-u3j8q   <none>           <none>

更新

我的日志main.js显示该应用正在侦听端口3001

{"message":"Application is running on: http://127.0.0.1:3001"}

来自以下代码

// Get Server IP and PORT from configuration
const ip = process.env.SERVER_IP;
const port = parseInt(process.env.SERVER_PORT, 10);

// Start server
await app.listen(port, ip);
logger.log(`Application is running on: ${await app.getUrl()}`);
logger.log(`Environment: ${environment}`);

这些是api-env在 k8s 上作为 Secret 保存的变量。

SERVER_IP: 127.0.0.1
SERVER_PORT: 3001

无论如何，正如@mdaniel 所建议的那样，我已将其添加到我和 Pod 崩溃livenessProbe的规范中。Deployment

    spec:
      containers:
        - name: nestjs-api
          image: registry.digitalocean.com/nestjs-registry/nestjs-api
          ports:
            - containerPort: 3001
          livenessProbe:
            httpGet:
              port: 3001
              path: '/'
          envFrom:
            - secretRef:
                name: api-env

现在我真的很困惑。我的配置有问题，但我不知道是什么。

提前致谢。

我正在尝试为通过 helm chart 部署的 ingress-nginx 编写自动缩放配置。

我的目标是：

• 最少 3 个副本（因为我最少有 3 个节点）
• 确保每个节点只有一个 nginx，但是：
• 要有弹性，如果自动缩放说我们需要 4 个 nginx 允许集群中的一个节点有 2 个
• 如果添加了第四个节点，请确保生成新的 nginx

https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L326 https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress -nginx/values.yaml#L343 https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L256

我尝试使用以下设置和它们的组合，但总是有一些问题，例如现在我有第四个 nginx 出于某种原因想要生成，但由于反关联规则而不能生成。

任何人都可以分享一些如何实现这一目标的想法吗？

• 每个节点总是一个 nginx，如果创建了一个新节点，则会创建一个新的 nginx
• 保留自动缩放，如果 hpa 想在 3 节点集群上生成第四个 nginx，它应该可以自由地这样做

      replicaCount: 3
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                - ingress-nginx
              - key: app.kubernetes.io/instance
                operator: In
                values:
                - ingress-nginx
              - key: app.kubernetes.io/component
                operator: In
                values:
                - controller
            topologyKey: "kubernetes.io/hostname"

      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app.kubernetes.io/instance: ingress-nginx

      autoscaling:
        enabled: true
        minReplicas: 3
        maxReplicas: 6
        targetCPUUtilizationPercentage: 75
        targetMemoryUtilizationPercentage: 100

我使用 nginx ingress 作为负载均衡器部署了 bitnami/wordpress helm，就像这里一样。一切正常，但问题出在一些 pod 是手动创建或通过自动缩放自动创建时。其中一些（不是全部）一直处于“ContainerCreating”状态，日志如下所示：

  Normal   Scheduled    33m                  default-scheduler  Successfully assigned default/wordpress-69c8f65d96-wnkfv to main-node-d29388
  Warning  FailedMount  4m28s (x6 over 29m)  kubelet            Unable to attach or mount volumes: unmounted volumes=[wordpress-data], unattached volumes=[default-token-s4gdj wordpress-data]: timed out waiting for the condition
  Warning  FailedMount  0s (x9 over 31m)     kubelet            Unable to attach or mount volumes: unmounted volumes=[wordpress-data], unattached volumes=[wordpress-data default-token-s4gdj]: timed out waiting for the condition

我部署了 bitnami/wordpress，然后使用以下设置进行了升级：

helm install wordpress bitnami/wordpress --set service.type=ClusterIP --set ingress.enabled=true --set ingress.certManager=true --set ingress.annotations."kubernetes\.io/ingress\.class"=nginx --set ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod --set ingress.hostname=DOMAIN.com --set ingress.extraTls[0].hosts[0]=DOMAIN.com --set ingress.extraTls[0].secretName=wordpress.local-tls --set wordpressPassword=PASSWORD --set autoscaling.enabled=true --set autoscaling.minReplicas=1 autoscaling.maxReplicas=30

kubectl get pods 看起来像这样

ingress-nginx-ingress-controller-84bff86888-f4tpb                 1/1     Running             0          2d3h
ingress-nginx-ingress-controller-default-backend-c5b786dbbqw5xz   1/1     Running             0          2d3h
load-generator                                                    1/1     Running             0          71s
wordpress-69c8f65d96-48jd9                                        0/1     ContainerCreating   0          18m
wordpress-69c8f65d96-66ftt                                        0/1     ContainerCreating   0          56m
wordpress-69c8f65d96-dq7xq                                        1/1     Running             0          100m
wordpress-69c8f65d96-fbnt6                                        1/1     Running             0          101m
wordpress-69c8f65d96-wnkfv                                        0/1     ContainerCreating   0          56m
wordpress-mariadb-0                                               1/1     Running             0          8h

怎样做才能使新 pod 没有这个问题并让它们启动？

我正在尝试使用 NGINX INGRESS 访问 Kubernetes 仪表板，但由于某种原因，我收到了 503 错误。

我正在使用 docker 桌面在我的 macbook 中本地运行 Kubernetes。

我做的第一件事是应用/安装 NGINX 入口控制器

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml

我做的第二件事是应用/安装 kubernetes 仪表板 YML 文件

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml

第三步是应用入口服务

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/configuration-snippet: |-
      proxy_ssl_server_name on;
      proxy_ssl_name $host;
spec:
  rules:
    - http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 433

当我尝试访问 http://localhost 和/或 https://localhost 时，我从 nginx 收到 503 Service Temporarily Unavailable 错误

不知道我做错了什么。

这是来自 NGINX POD 的部分日志

I0630 23:36:42.049398      10 main.go:112] "successfully validated configuration, accepting" ingress="dashboard-ingress/kubernetes-dashboard"
I0630 23:36:42.055306      10 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"kubernetes-dashboard", Name:"dashboard-ingress", UID:"85e7bd9e-308d-4848-8b70-4a3591415464", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"47868", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0630 23:36:42.056435      10 controller.go:146] "Configuration changes detected, backend reload required"
I0630 23:36:42.124850      10 controller.go:163] "Backend successfully reloaded"
I0630 23:36:42.125333      10 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-5b74bc9868-gplcq", UID:"bbd70716-b843-403b-a8f9-2add0f63f63f", APIVersion:"v1", ResourceVersion:"46315", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
192.168.65.3 - - [30/Jun/2021:23:36:44 +0000] "GET / HTTP/1.1" 400 54 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.003 [kubernetes-dashboard-kubernetes-dashboard-80] [] 10.1.0.25:8443 48 0.002 400 395aec46af3b21e79cd650f2f86722f3
2021/06/30 23:36:44 [error] 1222#1222: *17477 recv() failed (104: Connection reset by peer) while sending to client, client: 192.168.65.3, server: _, request: "GET / HTTP/1.1", upstream: "http://10.1.0.25:8443/", host: "localhost"
2021/06/30 23:36:45 [error] 1222#1222: *17512 recv() failed (104: Connection reset by peer) while sending to client, client: 192.168.65.3, server: _, request: "GET / HTTP/1.1", upstream: "http://10.1.0.25:8443/", host: "localhost"
192.168.65.3 - - [30/Jun/2021:23:36:45 +0000] "GET / HTTP/1.1" 400 54 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.002 [kubernetes-dashboard-kubernetes-dashboard-80] [] 10.1.0.25:8443 48 0.001 400 a15e1e48987948cb93503b494d188654
2021/07/01 00:09:31 [error] 1224#1224: *49299 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.65.3, server: _, request: "GET / HTTP/1.1", upstream: "http://10.1.0.25:8443/", host: "localhost"
192.168.65.3 - - [01/Jul/2021:00:09:31 +0000] "GET / HTTP/1.1" 400 54 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.002 [kubernetes-dashboard-kubernetes-dashboard-80] [] 10.1.0.25:8443 48 0.001 400 ac6b88ca52b73358c39371cb4422761d
2021/07/01 00:09:32 [error] 1221#1221: *49336 recv() failed (104: Connection reset by peer) while sending to client, client: 192.168.65.3, server: _, request: "GET / HTTP/1.1", upstream: "http://10.1.0.25:8443/", host: "localhost"
192.168.65.3 - - [01/Jul/2021:00:09:32 +0000] "GET / HTTP/1.1" 400 54 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.001 [kubernetes-dashboard-kubernetes-dashboard-80] [] 10.1.0.25:8443 48 0.001 400 2c5cd2d9403a8e50a77fdc897c694792
2021/07/01 00:09:33 [error] 1221#1221: *49338 recv() failed (104: Connection reset by peer) while sending to client, client: 192.168.65.3, server: _, request: "GET / HTTP/1.1", upstream: "http://10.1.0.25:8443/", host: "localhost"
192.168.65.3 - - [01/Jul/2021:00:09:33 +0000] "GET / HTTP/1.1" 400 54 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.001 [kubernetes-dashboard-kubernetes-dashboard-80] [] 10.1.0.25:8443 48 0.000 400 f1f630c886d20b9b9c59bd9e0e0e3860
2021/07/01 00:09:33 [error] 1224#1224: *49344 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.65.3, server: _, request: "GET / HTTP/1.1", upstream: "http://10.1.0.25:8443/", host: "localhost"
192.168.65.3 - - [01/Jul/2021:00:09:33 +0000] "GET / HTTP/1.1" 400 54 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.001 [kubernetes-dashboard-kubernetes-dashboard-80] [] 10.1.0.25:8443 48 0.001 400 2ab6774dec6e2a89599c4745d24b9661
192.168.65.3 - - [01/Jul/2021:00:09:33 +0000] "GET / HTTP/1.1" 400 54 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.001 [kubernetes-dashboard-kubernetes-dashboard-80] [] 10.1.0.25:8443 48 0.000 400 c9147e08203d9ec8e7b0d0debab8d556
2021/07/01 00:09:33 [error] 1222#1222: *49360 recv() failed (104: Connection reset by peer) while sending to client, client: 192.168.65.3, server: _, request: "GET / HTTP/1.1", upstream: "http://10.1.0.25:8443/", host: "localhost"
I0701 00:10:19.024220      10 main.go:112] "successfully validated configuration, accepting" ingress="dashboard-ingress/kubernetes-dashboard"
I0701 00:10:19.026772      10 controller.go:146] "Configuration changes detected, backend reload required"
I0701 00:10:19.027392      10 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"kubernetes-dashboard", Name:"dashboard-ingress", UID:"85e7bd9e-308d-4848-8b70-4a3591415464", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"50637", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0701 00:10:19.102759      10 controller.go:163] "Backend successfully reloaded"
I0701 00:10:19.103246      10 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-5b74bc9868-gplcq", UID:"bbd70716-b843-403b-a8f9-2add0f63f63f", APIVersion:"v1", ResourceVersion:"46315", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
192.168.65.3 - - [01/Jul/2021:00:11:27 +0000] "GET / HTTP/1.1" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - c449f6e8082761ddc3432f956f4701f2
192.168.65.3 - - [01/Jul/2021:00:11:29 +0000] "GET / HTTP/1.1" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 657 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - 3a41974b01c5e63e734fce6e37b98e4c
192.168.65.3 - - [01/Jul/2021:00:11:56 +0000] "GET / HTTP/2.0" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 408 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - c01f7bec83d3be6b26703b8808f9922a
192.168.65.3 - - [01/Jul/2021:00:11:58 +0000] "GET / HTTP/2.0" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 24 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - dc39bcddd4ecfdefe931bf16fe3c1557
192.168.65.3 - - [01/Jul/2021:00:16:36 +0000] "GET / HTTP/1.1" 503 190 "-" "curl/7.64.1" 73 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - 82aad4321afbccb3fc54ac75d96b66ee
192.168.65.3 - - [01/Jul/2021:00:31:47 +0000] "GET / HTTP/2.0" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 417 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - c4ab3d2f272be4d38df62c0ffd50bfe9
I0701 00:48:02.059067      10 main.go:112] "successfully validated configuration, accepting" ingress="dashboard-ingress/kubernetes-dashboard"
I0701 00:48:02.062292      10 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"kubernetes-dashboard", Name:"dashboard-ingress", UID:"85e7bd9e-308d-4848-8b70-4a3591415464", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"53737", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0701 00:48:02.062876      10 controller.go:146] "Configuration changes detected, backend reload required"
I0701 00:48:02.131494      10 controller.go:163] "Backend successfully reloaded"
I0701 00:48:02.131787      10 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-5b74bc9868-gplcq", UID:"bbd70716-b843-403b-a8f9-2add0f63f63f", APIVersion:"v1", ResourceVersion:"46315", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
192.168.65.3 - - [01/Jul/2021:00:48:12 +0000] "GET / HTTP/2.0" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 417 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - d50e3bb0db3a5fa7581c405b8c50d5c8
192.168.65.3 - - [01/Jul/2021:00:48:14 +0000] "GET / HTTP/2.0" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 15 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - c8d8752fb4d79d5bc084839ef9a767b2
I0701 00:49:50.908720      10 main.go:112] "successfully validated configuration, accepting" ingress="dashboard-ingress/kubernetes-dashboard"
I0701 00:49:50.911044      10 controller.go:146] "Configuration changes detected, backend reload required"
I0701 00:49:50.911350      10 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"kubernetes-dashboard", Name:"dashboard-ingress", UID:"85e7bd9e-308d-4848-8b70-4a3591415464", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"53896", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0701 00:49:50.979935      10 controller.go:163] "Backend successfully reloaded"
I0701 00:49:50.980213      10 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-5b74bc9868-gplcq", UID:"bbd70716-b843-403b-a8f9-2add0f63f63f", APIVersion:"v1", ResourceVersion:"46315", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
192.168.65.3 - - [01/Jul/2021:00:50:55 +0000] "GET / HTTP/2.0" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 417 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - d62a8012bc23bbc35a47621d54d68a62
192.168.65.3 - - [01/Jul/2021:00:51:00 +0000] "GET / HTTP/2.0" 503 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" 15 0.000 [kubernetes-dashboard-kubernetes-dashboard-433] [] - - - - 0cbfd2274ad687fc1aaff76dbc483659

任何帮助将不胜感激。

我有一个 SOLR 集群，它设置了一个 LoadBalancer 类型的服务来公开端口 8983。一个要求是 SSL 终止，所以我设置了一个 nginx 入口控制器，其中包含到后端服务的路由。所有这些都按预期工作，但是我现在想限制对某些 IP 的访问。

当我尝试使用 nginx.ingress.kubernetes.io/whitelist-source-range 注解时，我注意到请求都来自节点的内部 IP，而不是像预期的那样来自客户端。这是否意味着需要在流量到达 AKS 群集之前对其进行过滤？如果是这样，那么最好的方法是什么，因为似乎不建议修改自动创建的 NSG。

您好是否可以在 Nginx Ingress（社区）中阻止或允许某些国家/地区。在安装在服务器上的 Nginx 上似乎是可能的（链接）但我想在 Nginx Ingress 上应用类似的方法。