这是this question和this one的副本,但这些答案对我不起作用。
我正在将Nginx入口控制器与EKS结合使用。我希望所有路由一个除外受基本身份验证保护。一条路由完全不应该进行身份验证。
这是我的入口规则。在除一条路由之外的所有路由上的身份验证都可以正常工作,但是当我尝试击中不应经过身份验证的一条路由时,我会收到网关超时。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: banana-ingress1
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: banana.example.org
http:
paths:
- path: /api/v1/ecslog
backend:
serviceName: banana-service
servicePort: 5678
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: banana-ingress2
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: banana-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - test'
spec:
rules:
- host: banana.example.org
http:
paths:
- path: /
backend:
serviceName: banana-service
servicePort: 5678
转发控制器:
kubectl port-forward nginx-ingress-controller-controller-65466d6f67-cvpbh 2112:80
在另一个窗口中测试:
# most routes are protected:
$ curl -I -H "Host: banana.example.org" -H "X-Forwarded-Proto: https" -H "X-Forwarded-Port: 443" http://localhost:2112/foo/bar/baz
HTTP/1.1 401 Unauthorized
Server: openresty/1.15.8.2
Date: Sat, 18 Jan 2020 20:10:08 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
WWW-Authenticate: Basic realm="Authentication Required - test"
但是一个不应该受到保护的路由(期望值为200)却返回网关超时(504):
$ curl -I -H "Host: banana.example.org" -H "X-Forwarded-Proto: https" -H "X-Forwarded-Port: 443" http://localhost:2112/api/v1/ecslog
HTTP/1.1 504 Gateway Time-out
Server: openresty/1.15.8.2
Date: Sat, 18 Jan 2020 20:11:05 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
就像无法找到控制该路线的规则一样?
我已经尝试过反转入口对象的顺序,并且没有什么区别。
并且为了使事情变得更有趣,当我为经过身份验证的路由提供正确的凭据时,我仍然收到401:
$ curl -u 'foo:bar' -I -H "Host: banana.example.org" -H "X-Forwarded-Proto: https" -H "X-Forwarded-Port: 443" http://localhost:2112/
HTTP/1.1 401 Unauthorized
Server: openresty/1.15.8.2
Date: Sat, 18 Jan 2020 20:30:52 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
WWW-Authenticate: Basic realm="Authentication Required - test"
似乎是关于我的集群的某些配置错误。从全新的集群和全新安装的入口控制器开始,此操作正常。