nginx ingress rejects HTTP POST requests with status code 400

Problem description (votes: 0, answers: 2)

I am trying to deploy EJBCA PKI in proxy mode, with the ingress nginx terminating all SSL sessions. I was able to get this working for Public/Admin Web access, the EJBCA Web Service and SCEP.

The last protocol I need to validate is EST, and I need some help with it. First of all, if I remove nginx from the mix and terminate the SSL session directly on EJBCA, EST works, so my EST RA and EJBCA configuration are fine.

When nginx terminates the SSL session with the EST RA, it complains that something is wrong with the HTTP request and sends back an HTTP 400 status code. My EJBCA server receives nothing at all.

Below is my EST ingress configuration:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: pki-est
  annotations:
    kubernetes.io/ingress.class: "fanhe-ingress"
spec:
  tls:
  - hosts:
    - nginx-ingress-controller.ingress-nginx
    secretName: nginx-ingress-tls-ec-secret
  rules:
    - host: nginx-ingress-controller.ingress-nginx
      http:
        paths:
        - path: /.well-known/est
          backend:
           serviceName: pki-app
           servicePort: 8082

I enabled all debugging on the ingress; below is what I see in error.log:

2020/05/18 10:06:52 [debug] 198#198: *15975 http process request line
2020/05/18 10:06:52 [debug] 198#198: *15975 http request line: "POST /.well-known/est/simpleenroll HTTP/1.1"
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2F:/'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:1 in:'2E:.'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:2 in:'77:w'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2D:-'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6B:k'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6E:n'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6F:o'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'77:w'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6E:n'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2F:/'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:1 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'73:s'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'74:t'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'2F:/'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:1 in:'73:s'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'69:i'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6D:m'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'70:p'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'65:e'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6E:n'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'72:r'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6F:o'
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
---
2020/05/18 10:06:52 [debug] 198#198: *15975 s:0 in:'6C:l'
2020/05/18 10:06:52 [debug] 198#198: *15975 http uri: "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 http args: ""
2020/05/18 10:06:52 [debug] 198#198: *15975 http exten: ""
2020/05/18 10:06:52 [debug] 198#198: *15975 http process request header line
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "User-Agent: libest 3.1.1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Connection: close"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Host: nginx-ingress-controller.ingress-nginx:443"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Accept: */*"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Content-Type: application/pkcs10"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header: "Content-Length: 366"
2020/05/18 10:06:52 [debug] 198#198: *15975 http header done
2020/05/18 10:06:52 [info] 198#198: *15975 client SSL certificate verify error: (19:self signed certificate in certificate chain) while reading client request headers, client: fd10::1:165, server: nginx-ingress-controller.ingress-nginx, request: "POST /.well-known/est/simpleenroll HTTP/1.1", host: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 10:06:52 [debug] 198#198: *15975 http finalize request: 495, "/.well-known/est/simpleenroll?" a:1, c:1
2020/05/18 10:06:52 [debug] 198#198: *15975 event timer del: 3: 947664613
2020/05/18 10:06:52 [debug] 198#198: *15975 http special response: 495, "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 http set discard body
2020/05/18 10:06:52 [debug] 198#198: *15975 headers more header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua header filter for user lua code, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua capture header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 HTTP/1.1 400 Bad Request
Server: openresty/1.15.8.1
Date: Mon, 18 May 2020 10:06:52 GMT
Content-Type: text/html
Content-Length: 221
Connection: close

2020/05/18 10:06:52 [debug] 198#198: *15975 write new buf t:1 f:0 0000558A2B30B250, pos 0000558A2B30B250, size: 158 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter: l:0 f:0 s:158
2020/05/18 10:06:52 [debug] 198#198: *15975 http output filter "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 http copy filter: "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua body filter for user lua code, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 lua capture body filter, uri "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 http postpone filter "/.well-known/est/simpleenroll?" 0000558A2B30B438
2020/05/18 10:06:52 [debug] 198#198: *15975 write old buf t:1 f:0 0000558A2B30B250, pos 0000558A2B30B250, size: 158 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 write new buf t:0 f:0 0000000000000000, pos 0000558A2A15AEA0, size: 162 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 write new buf t:0 f:0 0000000000000000, pos 0000558A2A15BE20, size: 59 file: 0, size: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter: l:1 f:0 s:379
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter limit 0
2020/05/18 10:06:52 [debug] 198#198: *15975 malloc: 0000558A2B318CC0:4096
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL buf copy: 158
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL buf copy: 162
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL buf copy: 59
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL to write: 379
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL_write: 379
2020/05/18 10:06:52 [debug] 198#198: *15975 http write filter 0000000000000000
2020/05/18 10:06:52 [debug] 198#198: *15975 http copy filter: 0 "/.well-known/est/simpleenroll?"
2020/05/18 10:06:52 [debug] 198#198: *15975 http finalize request: 0, "/.well-known/est/simpleenroll?" a:1, c:1
2020/05/18 10:06:52 [debug] 198#198: *15975 event timer add: 3: 5000:947609618
2020/05/18 10:06:52 [debug] 198#198: *15975 http lingering close handler
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL_read: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 SSL_get_error: 6
2020/05/18 10:06:52 [debug] 198#198: *15975 peer shutdown SSL cleanly
2020/05/18 10:06:52 [debug] 198#198: *15975 lingering read: 0
2020/05/18 10:06:52 [debug] 198#198: *15975 http request count:1 blk:0
2020/05/18 10:06:52 [debug] 198#198: *15975 http close request
2020/05/18 10:06:52 [debug] 198#198: *15975 lua log handler, uri:"/.well-known/est/simpleenroll" c:0
2020/05/18 10:06:52 [debug] 198#198: *15975 http log handler
2020/05/18 10:06:52 [debug] 198#198: *15975 http map started
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "/.well-known/est/simpleenroll"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map: "/.well-known/est/simpleenroll" "1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "1"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map started
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "fd10::1:165"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map: "" "fd10::1:165"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map started
2020/05/18 10:06:52 [debug] 198#198: *15975 http script var: "39bef9f98c79778373515fb72f84e249"
2020/05/18 10:06:52 [debug] 198#198: *15975 http map: "" "39bef9f98c79778373515fb72f84e249"
2020/05/18 10:06:52 [debug] 198#198: *15975 free: 0000558A2B30A480, unused: 7
2020/05/18 10:06:52 [debug] 198#198: *15975 free: 0000558A2B279FC0, unused: 1974
2020/05/18 10:06:52 [debug] 198#198: *15975 close http connection: 3

From these logs I cannot see any obvious reason why Nginx rejects the request.

I did try the same HTTP request with Postman, using exactly the same certificate as the est-ra, and it works!! See the logs below:

2020/05/18 22:52:02 [debug] 671#671: *172624 http process request line
2020/05/18 22:52:02 [debug] 671#671: *172624 http request line: "POST /.well-known/est/simpleenroll HTTP/1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2F:/'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:1 in:'2E:.'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:2 in:'77:w'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2D:-'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6B:k'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6E:n'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6F:o'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'77:w'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6E:n'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2F:/'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:1 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'73:s'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'74:t'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'2F:/'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:1 in:'73:s'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'69:i'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6D:m'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'70:p'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'65:e'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6E:n'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'72:r'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6F:o'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 s:0 in:'6C:l'
2020/05/18 22:52:02 [debug] 671#671: *172624 http uri: "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 http args: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http exten: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http process request header line
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "User-Agent: libest 3.1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Connection: close"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Host: nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Accept: */*"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Content-Type: application/pkcs10"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Authorization: Basic cmEtYXBwOkZiV241M2p3"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header: "Content-Length: 280"
2020/05/18 22:52:02 [debug] 671#671: *172624 http header done
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer del: 6: 993574054
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 0
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 1
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 2
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "-"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_upstream_name
2020/05/18 22:52:02 [debug] 671#671: *172624 test location: "/"
2020/05/18 22:52:02 [debug] 671#671: *172624 test location: "ejbca/ejbcaws"
2020/05/18 22:52:02 [debug] 671#671: *172624 test location: ".well-known/est"
2020/05/18 22:52:02 [debug] 671#671: *172624 using configuration "/.well-known/est"
2020/05/18 22:52:02 [debug] 671#671: *172624 http cl:280 max:0
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 4
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 5
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "default"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $namespace
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "pki-est"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $ingress_name
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "pki-app"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $service_name
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "{0 8082 }"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $service_port
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "/.well-known/est"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $location_path
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script equal
2020/05/18 22:52:02 [debug] 671#671: *172624 http script if
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "-1"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $balancer_ewma_score
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: "default-pki-app-8082"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_upstream_name
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "default-pki-app-8082"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_host
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $pass_access_scheme
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $pass_server_port
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $best_http_host
2020/05/18 22:52:02 [debug] 671#671: *172624 http script complex value
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $pass_port
2020/05/18 22:52:02 [debug] 671#671: *172624 http script value: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script set $proxy_alternative_upstream_name
2020/05/18 22:52:02 [debug] 671#671: *172624 rewrite phase: 6
2020/05/18 22:52:02 [debug] 671#671: *172624 lua rewrite handler, uri:"/.well-known/est/simpleenroll" c:1
2020/05/18 22:52:02 [debug] 671#671: *172624 looking up Lua code cache with key '=rewrite_by_lua(nginx.conf:1274)nhli_dbdd52ba6d647a948759533fd68b064c'
2020/05/18 22:52:02 [debug] 671#671: *172624 lua creating new thread
2020/05/18 22:52:02 [debug] 671#671: *172624 lua reset ctx
2020/05/18 22:52:02 [debug] 671#671: *172624 http cleanup add: 0000558A2B3E0AB0
2020/05/18 22:52:02 [debug] 671#671: *172624 lua run thread, top:0 c:1
2020/05/18 22:52:02 [debug] 671#671: *172624 add cleanup: 0000558A2B3348A0
2020/05/18 22:52:02 [debug] 671#671: *172624 lua resume returned 0
2020/05/18 22:52:02 [debug] 671#671: *172624 lua light thread ended normally
2020/05/18 22:52:02 [debug] 671#671: *172624 lua deleting light thread
2020/05/18 22:52:02 [debug] 671#671: *172624 post rewrite phase: 7
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 8
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 9
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 10
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 11
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 12
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 13
2020/05/18 22:52:02 [debug] 671#671: *172624 access phase: 14
2020/05/18 22:52:02 [debug] 671#671: *172624 post access phase: 15
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 16
2020/05/18 22:52:02 [debug] 671#671: *172624 generic phase: 17
2020/05/18 22:52:02 [debug] 671#671: *172624 http client request body preread 280
2020/05/18 22:52:02 [debug] 671#671: *172624 http request body content length filter
2020/05/18 22:52:02 [debug] 671#671: *172624 http body new buf t:1 f:0 0000558A2B42FB5D, pos 0000558A2B42FB5D, size: 280 file: 0, size: 0
2020/05/18 22:52:02 [debug] 671#671: *172624 http init upstream, client timer: 0
2020/05/18 22:52:02 [debug] 671#671: *172624 epoll add event: fd:6 op:3 ev:80002005
2020/05/18 22:52:02 [debug] 671#671: *172624 http map started
2020/05/18 22:52:02 [debug] 671#671: *172624 http map: "" ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http map started
2020/05/18 22:52:02 [debug] 671#671: *172624 posix_memalign: 0000558A2B2F54F0:4096 @16
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "80e3ae7c2495fcdc7ebe9b658dd579bc"
2020/05/18 22:52:02 [debug] 671#671: *172624 http map: "" "80e3ae7c2495fcdc7ebe9b658dd579bc"
2020/05/18 22:52:02 [debug] 671#671: *172624 http map started
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http map: "" "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "Host"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "ssl-client-verify"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "NONE"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Request-ID"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "80e3ae7c2495fcdc7ebe9b658dd579bc"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Real-IP"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-For"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "fdff::a3d:fafb"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-Host"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "nginx-ingress-controller.ingress-nginx:443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-Port"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "443"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Forwarded-Proto"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Original-URI"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "X-Scheme"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "https"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: "Content-Length"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script var: "280"
2020/05/18 22:52:02 [debug] 671#671: *172624 http script copy: ""
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "User-Agent: libest 3.1.1"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Accept: */*"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Type: application/pkcs10"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Authorization: Basic cmEtYXBwOkZiV241M2p3"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header:
"POST /.well-known/est/simpleenroll HTTP/1.1
Host: nginx-ingress-controller.ingress-nginx:443
ssl-client-verify: NONE
X-Request-ID: 80e3ae7c2495fcdc7ebe9b658dd579bc
X-Real-IP: fdff::a3d:fafb
X-Forwarded-For: fdff::a3d:fafb
X-Forwarded-Host: nginx-ingress-controller.ingress-nginx:443
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Original-URI: /.well-known/est/simpleenroll
X-Scheme: https
Content-Length: 280
User-Agent: libest 3.1.1
Accept: */*
Content-Type: application/pkcs10
Authorization: Basic cmEtYXBwOkZiV241M2p3

"
2020/05/18 22:52:02 [debug] 671#671: *172624 http cleanup add: 0000558A2B2F58A8
2020/05/18 22:52:02 [debug] 671#671: *172624 init keepalive peer
2020/05/18 22:52:02 [debug] 671#671: *172624 get keepalive peer
2020/05/18 22:52:02 [debug] 671#671: *172624 lua balancer peer, tries: 1
2020/05/18 22:52:02 [debug] 671#671: *172624 lua reset ctx
2020/05/18 22:52:02 [debug] 671#671: *172624 looking up Lua code cache with key 'balancer_by_luanhli_0f29762dfd828b8baa4d895affbc4b90'
2020/05/18 22:52:02 [debug] 671#671: *172624 stream socket 10
2020/05/18 22:52:02 [debug] 671#671: *172624 epoll add connection: fd:10 ev:80002005
2020/05/18 22:52:02 [debug] 671#671: *172624 connect to [fd10::1:169]:8082, fd:10 #172625
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream connect: -2
2020/05/18 22:52:02 [debug] 671#671: *172624 posix_memalign: 0000558A2B34D0A0:128 @16
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer add: 10: 5000:993519304
2020/05/18 22:52:02 [debug] 671#671: *172624 http finalize request: -4, "/.well-known/est/simpleenroll?" a:1, c:2
2020/05/18 22:52:02 [debug] 671#671: *172624 http request count:2 blk:0
2020/05/18 22:52:02 [debug] 671#671: *172624 http run request: "/.well-known/est/simpleenroll?"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream check client, write event:1, "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream request: "/.well-known/est/simpleenroll?"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream send request handler
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream send request
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream send request body
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer buf fl:0 s:542
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer buf fl:1 s:280
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer in: 0000558A2B2F59F8
2020/05/18 22:52:02 [debug] 671#671: *172624 writev: 822 of 822
2020/05/18 22:52:02 [debug] 671#671: *172624 chain writer out: 0000000000000000
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer del: 10: 993519304
2020/05/18 22:52:02 [debug] 671#671: *172624 event timer add: 10: 60000:993574308
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream request: "/.well-known/est/simpleenroll?"
2020/05/18 22:52:02 [debug] 671#671: *172624 http upstream process header
2020/05/18 22:52:02 [debug] 671#671: *172624 malloc: 0000558A2B33E000:4096
2020/05/18 22:52:02 [debug] 671#671: *172624 recv: eof:0, avail:1
2020/05/18 22:52:02 [debug] 671#671: *172624 recv: fd:10 911 of 4096
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy status 200 "200 OK"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Connection: keep-alive"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Transfer-Encoding: base64"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Type: application/pkcs7-mime; smime-type=certs-only"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Content-Length: 714"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header: "Date: Mon, 18 May 2020 22:52:02 GMT"
2020/05/18 22:52:02 [debug] 671#671: *172624 http proxy header done
2020/05/18 22:52:02 [debug] 671#671: *172624 headers more header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 lua header filter for user lua code, uri "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 looking up Lua code cache with key 'header_filter_by_luanhli_537482850bfc85b842f10d9c3d0521aa'
2020/05/18 22:52:02 [debug] 671#671: *172624 lua capture header filter, uri "/.well-known/est/simpleenroll"
2020/05/18 22:52:02 [debug] 671#671: *172624 HTTP/1.1 200 OK
Server: openresty/1.15.8.1
Date: Mon, 18 May 2020 22:52:02 GMT
Content-Type: application/pkcs7-mime; smime-type=certs-only
Content-Length: 714
Connection: close
Content-Transfer-Encoding: base64
Strict-Transport-Security: max-age=15724800; includeSubDomains

Any suggestions would be greatly appreciated!!

Thanks,

nginx kubernetes kubernetes-ingress nginx-ingress pki
2 answers

0 votes

This line is the cause:

2020/05/18 10:06:52 [info] 198#198: *15975 client SSL certificate verify error: (19:self signed certificate in certificate chain) while reading client request headers, client: fd10::1:165, server: nginx-ingress-controller.ingress-nginx, request: "POST /.well-known/est/simpleenroll HTTP/1.1", host: "nginx-ingress-controller.ingress-nginx:443"

It seems your protocol is using TLS client certificates. A connection that uses a TLS client certificate cannot be reverse proxied, because nginx-ingress does not have the private key.

You can configure nginx-ingress to use client certificates with some annotations (docs), but your backend server will not be able to "see" the client certificate, so it may reject the request.

I would either find a way to not use client certificates (it looks like EST can also use user + password?), or expose the TCP service directly.
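For reference, this is what the annotation-based variant mentioned above looks like on ingress-nginx; it is an added example, not the answerer's configuration. The Secret name est-client-ca is assumed; it must hold, under the key ca.crt, the CA chain that issued the RA's client certificate, which is exactly what was missing when nginx logged X509 error 19 (self signed certificate in certificate chain). nginx reports that failure internally as 495 and sends it to the client as 400, which matches the posted log.

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: pki-est
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Assumed Secret (namespace/name) whose "ca.crt" key holds the CA chain
    # (root plus intermediates) that issued the EST RA's client certificate.
    # e.g. kubectl create secret generic est-client-ca --from-file=ca.crt=ca-chain.pem
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/est-client-ca"
    # Require and verify a client certificate at the ingress. Use "optional"
    # instead if Basic-auth EST clients (second log above) must also reach EJBCA.
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Must cover the full chain length; a too-small depth fails verification
    # just like an untrusted root does.
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    # Forward the verified certificate to the backend in the ssl-client-cert
    # header (URL-encoded PEM), next to ssl-client-verify seen in the log.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  tls:
  - hosts:
    - nginx-ingress-controller.ingress-nginx
    secretName: nginx-ingress-tls-ec-secret
  rules:
    - host: nginx-ingress-controller.ingress-nginx
      http:
        paths:
        - path: /.well-known/est
          backend:
            serviceName: pki-app
            servicePort: 8082
```

With this, the ingress is the party that verifies the RA's certificate; EJBCA only receives the forwarded headers over the plain upstream connection, so the backend has to be willing to trust them.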


0 votes

There are a few things in your ingress I would like to comment on, which may be causing your problem:

kubernetes.io/ingress.class: "fanhe-ingress"

This field should be filled with a predefined ingress.class name registered under kubernetes.io, not a name you created yourself.

You must use kubernetes.io/ingress.class: "nginx"

spec:
  tls:
  - hosts:
    - nginx-ingress-controller.ingress-nginx
    secretName: nginx-ingress-tls-ec-secret
  rules:
    - host: nginx-ingress-controller.ingress-nginx

hosts and host should be the domain name you use to access the application from outside. That name should be the same one used when the TLS certificate was created.

It should look like this:

spec:
 tls:
 - hosts:
   - yourwebsiteurl.com
   secretName: nginx-ingress-tls-ec-secret
 rules:
   - host: yourwebsiteurl.com

Also double-check your path: a path can contain a . (dot), but that is not commonly used.

path: /.well-known/est

It should look like this:

path: /well-known/est

Putting it all together, your ingress should look similar to the following.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
 name: pki-est
 annotations:
   kubernetes.io/ingress.class: "nginx"
spec:
 tls:
 - hosts:
   - yourwebsiteurl.com
   secretName: nginx-ingress-tls-ec-secret
 rules:
   - host: yourwebsiteurl.com
     http:
       paths:
       - path: /well-known/est
         backend:
          serviceName: pki-app
          servicePort: 8082