主页 / user-339284

Wanderer's questions

Martin Hope
Wanderer
Asked: 2024-01-05 00:20:54 +0800 CST
  • 5

我试图了解当outboundTrafficPolicy模式设置为 REGISTRY_ONLY 时 Istio envoy 代理如何工作。通过下面定义的设置,我预计insidePod 将被阻止访问outsidePod,因为sidecar.istio.inject标签设置"false"为外部 Pod 和"true"内部 Pod。但是,当我执行到insidepod 并发出curl 命令时,我获得了成功。

kubectl -n istio-test exec -it inside-85f794ff76-7x44s -c sleep -- curl  http://outside
<html><body><h1>It works!</h1></body></html>

配置设置

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: outside
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: inside
  clusterIP: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: outside
  template:
    metadata:
      labels:
        app: outside
        version: v1
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - image: httpd
        name: httpd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inside
  template:
    metadata:
      labels:
        app: inside
        version: v1
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - image: curlimages/curl
        name: sleep
        command:
        - /bin/sleep
        - infinity
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: inside
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

我期望需要一个ServiceEntry来注册外部 Pod。为什么情况似乎并非如此?

如何阻止从insidepod 到outsidepod 的流量?

kubernetes
Martin Hope
Wanderer
Asked: 2020-12-31 13:14:54 +0800 CST
  • 0

我正在容器化使用 SSL 客户端证书验证的旧版 Web 服务。我有一个 apache 2.4 容器和一个 PHP 7.4 FPM 容器。

我的 apache 虚拟主机 conf 看起来像

...
<VirtualHost *:8443>
  DocumentRoot /var/www/html/myapp
  ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://php:9000/var/www/html/myapp/$1
  SSLEngine on
  ....
  SSLCACertificateFile <PATH TO CA>
  SSLVerifyClient optional
  SSLVerifyDepth 2
  ...
  <Files ~ "\.(cgi|shtml||phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory "/var/www/html/myapp">
    SSLOptions +StdEnvVars +ExportCertData
    Require all granted
    DirectoryIndex index.php
  </Directory>
  ...
</VirtualHost>
....

索引.php

<?
   print_r($_SERVER);
?>
<html>
....
  <a href=go.php><img name=go src=="go.png" alt="GO!"></a>
....
</html>

去.php

<?php
  print_r($_SERVER);
  ... DO Authoriztion stuff with SSL_CLIENT_CERT ...
?>

码头工人-compose.yml

version: 3.4"
services:
  apache:\
    image: myappApache
    depends_on: php
    networks:
      - frontend
      - backend
    ports:
      - "80:8080"
      - "443:8443"
    volumes:
      - ./myapp/:/var/www/html/myapp:rw
  php:
    image: myappPHP
    networks:
      - backend
    volumes:
      - ./myapp/:/var/www/html/myapp:to
  networks:
    frontend:
    backend:

当我导航到我的 index.php 并打印出 with 的值时_SERVERprint_r($_SERVER) 我可以看到[SSL_CLIENT_CERT] => -----BEGIN CERTIFICARTE----- ... -----END CERTIFICATE-----。但是,当我单击该页面上的链接时,该链接会将我带到网站上的第二页,SSL_CLIENT_CERT_SERVER. 其他 SSL 相关项目也丢失了

  • SSL_SESSION_RESUMED
  • SSL_SESSION_ID
  • SSL_SERVER_A_SIG
  • SSL_SERVER_A_KEY
  • SSL_SERVER_I_DN

如何防止_SERVER配置设置在页面之间消失?

php-fpm mod-ssl apache-2.4 docker
Martin Hope
Wanderer
Asked: 2019-09-27 06:36:22 +0800 CST
  • 0

我正在尝试在 AWS EC2 实例上部署本地 docker 注册表。实例必须通过转发代理 (apache) 服务器进行访问。但是,我无法从正在运行的注册表容器实例中访问 s3 存储桶。我的 docker 注册表实例配置如下:

version: '3'
services:
  localRegistry:
    image: registry:2
    ports:
      - "5000:5000"
    volumes:
      - ./auth:/auth
    environment:
      - "REGISTRY_AUTH=htpasswd"
      - "REGISTRY_AUTH_HTPASSWD_REALM=MyRealm"
      - "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd"
      - "REGISTRY_STORAGE=s3"
      - "REGISTRY_STORAGE_S3_REGION={{ s3Region }}"
      - "REGISTRY_STORAGE_S3_BUCKET={{ s3BucketName }}"
      - "REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR=inmemory"
      - "REGISTRY_STORAGE_S3_ACCESSKEY={{ s3UserAccessID }}"
      - "REGISTRY_STORAGE_S3_SECRETKEY={{ s3UserAccessKey }}"
      - "REGISTRY_STORAGE_S3_ROOTDIRECTORY=/registry"
      - "REGISTRY_MIDDLEWARE_REDIRECT_BASEURL={{ proxyServerURL }}"
    restart: always

我可以使用主机上的 AWS CLI 与用户一起访问 S3 存储桶。我已在主机上禁用 SELinux。来自容器的错误消息是

localRegistry1  | time="2019-09-26T13:48:04.873569714Z" level=error msg="response completed with error" auth.user.name=<USER> err.code=unknown err.detail="s3aws: RequestError: send request failed
localRegistry1  | caused by: Put https://<s3BucketName>.s3.us-west-1.amazonaws.com/registry/docker/registry/v2/repositories/ubuntu/_uploads/34732c55-6be3-4741-bfa8-e084708eb2a1/startedat: dial tcp <s3BucketIP>:443: i/o timeout" err.message="unknown error" go.version=go1.11.2 http.request.host="localhost:5000" http.request.id=<requestID> http.request.method=POST http.request.remoteaddr="<docker0_iface_addr>:46102" http.request.uri="/v2/ubuntu/blobs/uploads/" http.request.useragent="docker/19.03.2 go/go1.12.8 git-commit/6a30dfc kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.2 \(linux\))" http.response.contenttype="application/json; charset=utf-8" http.response.duration=2m0.357571388s http.response.status=500 http.response.written=104 vars.name=ubuntu 
localRegistry1  | <docker0_iface_addr> - - [26/Sep/2019:13:46:04 +0000] "POST /v2/ubuntu/blobs/uploads/ HTTP/1.1" 500 104 "" "docker/19.03.2 go/go1.12.8 git-commit/6a30dfc kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.2 \\(linux\\))"

我认为这可能是转发代理 ec2 服务器和 docker 主机实例之间的 aws 安全组的问题。但是,我不太确定那会是什么。

proxy