白名单
nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123
nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123
设置buffer大小
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-body-size: 200m
同域名 配置多个 后端节点
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/use-regex: 'true'
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/cors-allow-credentials: 'true'
nginx.ingress.kubernetes.io/cors-allow-headers: '*'
nginx.ingress.kubernetes.io/cors-allow-methods: 'PUT, GET, POST, OPTIONS,HEAD'
nginx.ingress.kubernetes.io/cors-allow-origin: 'http://tms.test.qq.com'
nginx.ingress.kubernetes.io/enable-cors: 'true'
nginx.ingress.kubernetes.io/proxy-body-size: 300m
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/service-weight: 'custom-hs: 100'
nginx.ingress.kubernetes.io/use-regex: 'true'
# 指定了我们使用后端ingress controller的类别,如果后端有多个ingress controller的时候很重要
kubernetes.io/ingress.class: "nginx"
# 指定我们的rules的path可以使用正则表达式,如果我们没有使用正则表达式,此项则可不使用
nginx.ingress.kubernetes.io/use-regex: "true"
# 启用CORS kubernetes-ingress跨域设置 ---
# https://www.lemonlzy.cn/2020/10/12/kubernetes-ingress%E8%B7%A8%E5%9F%9F%E8%AE%BE%E7%BD%AE/
kubernetes中的跨域设置在Ingress中进行配置,要在Ingress规则中启用跨域资源共享(CORS),请添加注释 nginx.ingress.kubernetes.io/enable-cors: “true”。这将在服务器位置中添加一个部分以启用此功能。
# 控制在CORS操作期间是否可以传递凭据。默认: true,例: nginx.ingress.kubernetes.io/cors-allow-credentials: “false”
# 控制接受哪些方法。这是一个多值字段,以“,”分隔,仅接受字母(大写和小写),默认GET, PUT, POST, DELETE, PATCH, OPTIONS。
# 启用CORS kubernetes-ingress跨域设置 ---
自动跳转https
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
设置上传文件大小
nginx.ingress.kubernetes.io/proxy-body-size: 600M
#超时
nginx.ingress.kubernetes.io/proxy-connect-timeout: '600'
nginx.ingress.kubernetes.io/proxy-read-timeout: '600'
nginx.ingress.kubernetes.io/proxy-send-timeout: '600'
#保持连接时长
nginx.ingress.kubernetes.io/upstream-keepalive-timeout: '60'
ingress的监控
https://help.aliyun.com/document_detail/195702.html
阿里云ingress启动
["/bin/sh","-c","mount -o remount rw /proc/sys\nsysctl -w net.core.somaxconn=65535\nsysctl -w net.ipv4.ip_local_port_range=\"1024 65535\"\n"]
["/nginx-ingress-controller","--election-id=ingress-controller-leader","--ingress-class=nginx","--configmap=$(POD_NAMESPACE)/nginx-configuration","--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services","--udp-services-configmap=$(POD_NAMESPACE)/udp-services","--annotations-prefix=nginx.ingress.kubernetes.io","--publish-service=$(POD_NAMESPACE)/nginx-ingress-lb","--validating-webhook=:8443","--validating-webhook-certificate=/usr/local/certificates/cert","--validating-webhook-key=/usr/local/certificates/key","--v=2"]
保持一个pod连接
nginx.ingress.kubernetes.io/affinity: cookie # 实现会话亲和的方式,目前只支持cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent # 默认是balanced平衡的,伸缩应用时会重新分配一些session, 以确保每个pod处理的会话数均衡;persistent持续的, 保持最大限度的会话亲和
nginx.ingress.kubernetes.io/session-cookie-hash: sha1 #
nginx.ingress.kubernetes.io/session-cookie-name: awesome-java # 自定义cookie名字, 默认为INGRESSCOOKIE
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/affinity-mode: "persistent"
nginx.ingress.kubernetes.io/session-cookie-name: "route"
ingress中一个域名配置不同路径指向不同域名时,nginx生成的配置
## start server xxx.xxx.com
# Server block rendered by ingress-nginx for one host. Each Ingress path
# becomes a `location`; routing to pods happens in Lua via `upstream_balancer`,
# not via a static `upstream {}` block.
server {
server_name xxx.xxx.com ;
# Plain HTTP stays open: the rewrite_by_lua settings below have ssl_redirect
# disabled, so port 80 traffic is proxied as-is rather than redirected to 443.
listen 80 ;
listen 443 ssl http2 ;
set $proxy_upstream_name "-";
# Certificate is selected at handshake time by Lua (per SNI), so no static
# ssl_certificate directive appears here.
ssl_certificate_by_lua_block {
certificate.call()
}
# `~*` makes the regex case-insensitive; this matches the use-regex
# annotation and the `(?i)` rewrite further down. `(.*)` captures the rest
# of the path with no end anchor.
location ~* "^/admin_xpx/templates/xpx_web/dist/(.*)" {
# Metadata used for logging/metrics; the service name is the generated
# name of the Kubernetes Service behind this path.
set $namespace "xpx-shopcode";
set $ingress_name "app-xpx-shopcode-ingress";
set $service_name "ingress-a96ccef57f18a180821b5e98c35b4b87";
set $service_port "80";
set $location_path "/admin_xpx/templates/xpx_web/dist/(.*)";
set $global_rate_limit_exceeding n;
# Redirect policy for this location: all ssl redirect flags are false
# (the ssl-redirect / force-ssl-redirect annotations toggle these), and
# global_throttle has limit = 0, i.e. no global rate limit is applied here.
rewrite_by_lua_block {
lua_ingress.rewrite({
force_ssl_redirect = false,
ssl_redirect = false,
force_no_ssl_redirect = false,
use_port_in_redirects = false,
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
})
balancer.rewrite()
plugins.run()
}
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
# other authentication method such as basic auth or external auth useless - all requests will be allowed.
#access_by_lua_block {
#}
header_filter_by_lua_block {
lua_ingress.header()
plugins.run()
}
body_filter_by_lua_block {
plugins.run()
}
log_by_lua_block {
balancer.log()
monitor.call()
plugins.run()
}
port_in_redirect off;
set $balancer_ewma_score -1;
# Upstream key consumed by the Lua balancer: <namespace>-<service>-<port>.
set $proxy_upstream_name "xpx-shopcode-ingress-a96ccef57f18a180821b5e98c35b4b87-80";
set $proxy_host $proxy_upstream_name;
set $pass_access_scheme $scheme;
set $pass_server_port $server_port;
set $best_http_host $http_host;
set $pass_port $pass_server_port;
set $proxy_alternative_upstream_name "";
# Rendered from the proxy-body-size annotation; requests above this size
# are rejected with 413 before reaching the backend.
client_max_body_size 500M;
proxy_set_header Host $best_http_host;
# Pass the extracted client certificate to the backend
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Request-ID $req_id;
# Client address headers are SET (not appended) from $remote_addr, so any
# X-Forwarded-For the client supplied is overwritten here. The backend
# therefore sees the peer address nginx observed; if a load balancer sits in
# front of the controller, that is the LB's address unless forwarded
# headers / proxy protocol are enabled on the controller — confirm for this cluster.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Scheme $pass_access_scheme;
# Pass the original X-Forwarded-For
# NOTE: this value is copied verbatim from the client request and is not
# validated by nginx; backends must treat it as untrusted input and not
# use it for access decisions or as the canonical client IP.
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";
# Custom headers to proxied server
# Timeouts rendered from the proxy-*-timeout annotations (600s each).
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
# Responses are streamed to the client unbuffered; request bodies are still
# buffered before being sent upstream.
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 4k;
proxy_max_temp_file_size 1024m;
proxy_request_buffering on;
# HTTP/1.1 to the upstream is required for the Upgrade/Connection headers above.
proxy_http_version 1.1;
proxy_cookie_domain off;
proxy_cookie_path off;
# In case of errors try the next upstream server before returning an error
# Only connection errors and timeouts trigger a retry (no HTTP status codes);
# at most 3 attempts, with no overall retry deadline (timeout 0).
proxy_next_upstream error timeout;
proxy_next_upstream_timeout 0;
proxy_next_upstream_tries 3;
# rewrite-target: /$1 — strips the matched prefix so the backend receives
# only the captured remainder of the path. `break` stops further rewriting
# and keeps processing in this location.
rewrite "(?i)/admin_xpx/templates/xpx_web/dist/(.*)" /$1 break;
# Lua-driven balancer chooses the pod endpoint at request time.
proxy_pass http://upstream_balancer;
proxy_redirect off;
}
