Mutual authentication in Nginx
To enable HTTPS access in Nginx, configure the server block as follows (in nginx.conf or in a configuration file under the conf.d folder):
```nginx
server {
    listen 443 ssl;
    server_name www.lemonlzy.cn;
    root /home/hexoBlog;
    ssl_certificate "/etc/nginx/1_www.lemonlzy.cn_bundle.crt";
    ssl_certificate_key "/etc/nginx/2_www.lemonlzy.cn.key";
    ...
}
```
To enable mutual (client certificate) authentication in Nginx, add the CA certificate that client certificates are verified against and turn on client verification:
```nginx
server {
    listen 443 ssl;
    server_name www.lemonlzy.cn;
    root /home/hexoBlog;
    ssl_certificate "/etc/nginx/1_www.lemonlzy.cn_bundle.crt";
    ssl_certificate_key "/etc/nginx/2_www.lemonlzy.cn.key";
    ssl_client_certificate /etc/nginx/ca.crt;
    ssl_verify_client on;
    ...
}
```
One-way authentication in Kubernetes
In Kubernetes, both one-way and mutual authentication are defined in the Ingress manifest. One-way authentication simply means enabling HTTPS access.
The one-way configuration is straightforward: add a tls section to the Ingress manifest (note that secretName under tls is the name of the certificate secret):
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - your.hostname.cn
    secretName: tls-secret
  rules:
  - host: your.hostname.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8280
```
Creating the certificate secret:
```bash
[root@lemonlzy cert]# ls
_.lemonlzy.cn.cer  _.lemonlzy.cn.key  ca.crt
[root@lemonlzy cert]# kubectl create secret tls tls-secret --key _.lemonlzy.cn.key --cert _.lemonlzy.cn.cer
secret/tls-secret created
```
Mutual authentication in Kubernetes
See: client certificate authentication.
See: client certificate example.
Mutual authentication simply means that the client's certificate is checked when the site is accessed. Only the attributes that need to be enabled in the Ingress are described below:
| Parameter | Value |
|---|---|
| nginx.ingress.kubernetes.io/auth-tls-verify-client | Enables verification of client certificates. Possible values: off (default) and on. Effect: a client certificate is requested, and it is verified against the certificate defined by the nginx.ingress.kubernetes.io/auth-tls-secret: secretName parameter. A failed verification results in status code 400 (Bad Request). |
| nginx.ingress.kubernetes.io/auth-tls-secret: secretName | The name of the certificate secret |
Example
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
spec:
  tls:
  - hosts:
    - your.hostname.cn
    secretName: tls-secret
  rules:
  - host: your.hostname.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8280
```
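The two mutual-authentication configurations above (nginx's ssl_client_certificate / ssl_verify_client and the Ingress annotations auth-tls-verify-client / auth-tls-secret) both come down to one check: the client's certificate chain must validate against the CA certificate the server trusts. The following shell script is an added example, not code from the original post; it builds a private CA, issues a client certificate from it, runs the same chain validation with openssl verify, and shows the two secrets the Ingress refers to (tls-secret for the server certificate, and the CA secret, whose key must be named ca.crt). The CA name "mtls-demo CA", the client name demo-client and the ./mtls-demo working directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example: private CA, client certificate, and the verification that
# nginx / ingress-nginx perform on a presented client certificate.
# Names and paths below are assumptions, not values from the post.
set -eu

WORKDIR="${WORKDIR:-./mtls-demo}"

# 1. Private CA. Its certificate is what goes into nginx's
#    ssl_client_certificate and into the Kubernetes CA secret.
make_ca() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=mtls-demo CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Client certificate signed by that CA: what a trusted client presents.
make_client_cert() {
    name="${1:-demo-client}"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -CAcreateserial \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -in "$WORKDIR/$name.csr" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# 3. A self-signed certificate NOT issued by the CA, to show what a
#    rejected client looks like (nginx answers such a request with 400).
make_untrusted_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=untrusted" \
        -keyout "$WORKDIR/untrusted.key" -out "$WORKDIR/untrusted.crt" 2>/dev/null
}

# 4. The check the server performs: chain validation against the CA.
#    Prints "ok" or "fail" so callers can branch on the result.
verify_client_cert() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# 5. Secrets referenced by the Ingress: tls-secret (server key + cert, as in
#    the post) and ca-secret (CA certificate only, key name ca.crt), which is
#    what auth-tls-secret: "default/ca-secret" points at. Runs only when
#    kubectl is available.
create_k8s_secrets() {
    server_key="$1"
    server_cert="$2"
    command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found; skipping" >&2; return 0; }
    kubectl create secret tls tls-secret --key "$server_key" --cert "$server_cert"
    kubectl create secret generic ca-secret --from-file=ca.crt="$WORKDIR/ca.crt"
}

# Usage (source this file, then):
#   make_ca; make_client_cert demo-client; make_untrusted_cert
#   verify_client_cert "$WORKDIR/demo-client.crt"   # ok
#   verify_client_cert "$WORKDIR/untrusted.crt"     # fail
#   create_k8s_secrets server.key server.crt
```

To confirm the live endpoint behaves the same way, a request that presents demo-client.crt and demo-client.key (for example with curl's --cert and --key options) should succeed, while one that presents untrusted.crt, or no certificate at all, should get the 400 described in the table above.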