
SSL/TLS Examples

Configuration examples related to SSL/TLS.

Configuration files: examples/ssl-tls/

Basic HTTPS

```yaml
version: v1
port: 8080

https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem
```

Multiple domains

```yaml
version: v1
port: 8080

https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem
    - domain: api.example.com
      cert:
        certificate: /etc/ssl/api.example.com/fullchain.pem
        certificate_key: /etc/ssl/api.example.com/privkey.pem
    - domain: admin.example.com
      cert:
        certificate: /etc/ssl/admin.example.com/fullchain.pem
        certificate_key: /etc/ssl/admin.example.com/privkey.pem
```

Let's Encrypt

```yaml
version: v1
port: 8080

https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/letsencrypt/live/example.com/fullchain.pem
        certificate_key: /etc/letsencrypt/live/example.com/privkey.pem
```

HTTPS with a backend service

```yaml
version: v1
port: 8080

https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem

rules:
  - host: example.com
    backend:
      service:
        name: backend-service
        port: 8080
        protocol: http
```

Global HTTP → HTTPS forced redirect

When https.port is configured, plain HTTP can be forced to HTTPS before any route matching takes place. Use https.redirect_from_http for this (do not use rules[].backend.redirect as a substitute for the global redirect):

```yaml
version: v1
port: 8080

https:
  port: 8443
  redirect_from_http:
    enabled: true
    permanent: true
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem

rules:
  - host: example.com
    backend:
      service:
        name: backend-service
        port: 8080
        protocol: http
```

Optional fields (add comments to your own configuration as needed):

  • with_origin_method_and_body: false → 301/302 family; true → 307/308
  • exclude_paths: list of exact paths that skip the forced redirect

Per-route redirect (rules[].backend.redirect)

When a particular host or path should return a redirect directly instead of being reverse-proxied, use backend.redirect. backend.type is usually omitted; it is inferred only when redirect is configured. For a runnable comparison, examples/ssl-tls/route-redirect.yaml uses two hosts to demonstrate type: redirect and the omitted form; write backend.type: redirect explicitly only when validation reports an ambiguity. See the routing documentation for how service, handler and redirect map to their respective configuration blocks.

```yaml
version: v1
port: 8080

rules:
  - host: old-explicit.example.com
    backend:
      type: redirect
      redirect:
        url: https://new.example.com
        duration: permanent
  - host: old-inferred.example.com
    backend:
      redirect:
        url: https://new.example.com
        duration: permanent
```

For examples of regex capture placeholders in redirect.url (such as $1 and ${path.1}), see the Redirects page.
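As an added example (not code from the gozoox ingress project), the following linter checks a parsed v1 configuration for the mistakes the two sections above warn about: a missing or temporary global HTTP → HTTPS redirect, an ambiguous backend that mixes service and redirect without an explicit backend.type, a redirect to a non-HTTPS URL, and a proxied host that has no https.ssl entry. The configuration is embedded as a Python dict, which is the shape yaml.safe_load would return for the YAML above; the finding messages and the rule that every proxied host needs its own certificate entry are assumptions of this linter, not documented behaviour of the ingress.

```python
# Constructed example: lint a parsed gozoox-ingress-style v1 config (a dict, as
# yaml.safe_load would return) for the pitfalls described on this page.

def lint_config(cfg):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    https = cfg.get("https") or {}
    cert_domains = set()

    # 1. every https.ssl entry needs a domain and both PEM paths
    for i, entry in enumerate(https.get("ssl") or []):
        domain = entry.get("domain")
        cert = entry.get("cert") or {}
        if not domain:
            findings.append(f"https.ssl[{i}]: missing domain")
        elif domain in cert_domains:
            findings.append(f"https.ssl[{i}]: duplicate domain {domain}")
        else:
            cert_domains.add(domain)
        for key in ("certificate", "certificate_key"):
            if not cert.get(key):
                findings.append(f"https.ssl[{i}] ({domain}): missing cert.{key}")

    # 2. with an HTTPS listener, plain HTTP should be a global, permanent redirect
    if https.get("port"):
        rd = https.get("redirect_from_http") or {}
        if not rd.get("enabled"):
            findings.append(
                "https.port is set but redirect_from_http is not enabled: "
                f"port {cfg.get('port')} still serves routes over plain HTTP")
        elif not rd.get("permanent"):
            findings.append(
                "redirect_from_http.permanent is false: browsers do not cache "
                "temporary redirects, so every visit starts over plain HTTP")
        for p in rd.get("exclude_paths") or []:
            if not isinstance(p, str) or not p.startswith("/"):
                findings.append(
                    f"redirect_from_http.exclude_paths: {p!r} is not an absolute path")

    # 3. each rule is either a service or a redirect; proxied HTTPS hosts need a cert
    for i, rule in enumerate(cfg.get("rules") or []):
        host = rule.get("host")
        backend = rule.get("backend") or {}
        has_service, has_redirect = "service" in backend, "redirect" in backend
        btype = backend.get("type")
        where = f"rules[{i}] ({host})"
        if has_service and has_redirect and btype is None:
            findings.append(f"{where}: both service and redirect given; "
                            "set backend.type explicitly")
        if btype == "redirect" and not has_redirect:
            findings.append(f"{where}: backend.type is redirect but no redirect block")
        if not has_service and not has_redirect:
            findings.append(f"{where}: backend has neither service nor redirect")
        if has_redirect:
            url = (backend["redirect"] or {}).get("url", "")
            if not url.startswith("https://"):
                findings.append(f"{where}: redirect.url {url!r} is not https://")
        if has_service and https.get("port") and host and host not in cert_domains:
            findings.append(f"{where}: no https.ssl entry for this host (assumed required)")
    return findings


_CERT = {"certificate": "/etc/ssl/example.com/fullchain.pem",
         "certificate_key": "/etc/ssl/example.com/privkey.pem"}
_SERVICE = {"service": {"name": "backend-service", "port": 8080, "protocol": "http"}}

# The "global HTTP -> HTTPS" config from this page, as a parsed dict.
PAGE_CONFIG = {
    "version": "v1", "port": 8080,
    "https": {"port": 8443,
              "redirect_from_http": {"enabled": True, "permanent": True},
              "ssl": [{"domain": "example.com", "cert": _CERT}]},
    "rules": [{"host": "example.com", "backend": _SERVICE}],
}

# The per-route redirect config from this page, as a parsed dict.
ROUTE_REDIRECT_CONFIG = {
    "version": "v1", "port": 8080,
    "rules": [
        {"host": "old-explicit.example.com",
         "backend": {"type": "redirect",
                     "redirect": {"url": "https://new.example.com", "duration": "permanent"}}},
        {"host": "old-inferred.example.com",
         "backend": {"redirect": {"url": "https://new.example.com", "duration": "permanent"}}},
    ],
}

# Constructed weakened variant: no global redirect, and api.example.com has no certificate.
WEAK_CONFIG = {
    "version": "v1", "port": 8080,
    "https": {"port": 8443, "ssl": [{"domain": "example.com", "cert": _CERT}]},
    "rules": [{"host": "example.com", "backend": _SERVICE},
              {"host": "api.example.com", "backend": _SERVICE}],
}

if __name__ == "__main__":
    for name, cfg in [("page", PAGE_CONFIG), ("route-redirect", ROUTE_REDIRECT_CONFIG),
                      ("weak", WEAK_CONFIG)]:
        print(name, lint_config(cfg) or "clean")
```

To lint a real file, replace the embedded dicts with `yaml.safe_load(open(path))` (PyYAML) and run the same function; the checks are deliberately structural so they work before the ingress itself is started.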

Testing

HTTPS request

```bash
curl https://example.com:8443/api
```

Verify the certificate

```bash
openssl s_client -connect example.com:8443 -servername example.com
```

Certificate hot reload

```bash
kill -HUP $(cat /tmp/gozoox.ingress.pid)
```
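The openssl s_client one-liner above prints the handshake, but it leaves you to read the certificate by eye. As an added example (not part of the page or the gozoox ingress project), the script below connects with SNI for each configured domain using only the Python standard library, then checks that the served certificate's subjectAltName actually covers the host and that it is not close to expiry. The domain and port list, the 30-day warning threshold and the helper names are this example's own assumptions; for a self-signed test certificate you would additionally call ctx.load_verify_locations with your CA bundle.

```python
# Constructed example: verify the certificate each domain actually serves via SNI.
import socket
import ssl
import time


def san_covers_host(sans, host):
    """sans is the subjectAltName tuple from SSLSocket.getpeercert(), e.g.
    (("DNS", "example.com"), ("DNS", "*.example.com")).
    A wildcard matches exactly one label, as RFC 6125 style matching does."""
    host = host.lower().rstrip(".")
    for kind, name in sans:
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == name[2:]:
                return True
    return False


def days_left(not_after):
    """not_after as found in getpeercert()['notAfter'], e.g. 'Jun 01 12:00:00 2030 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - time.time()) / 86400


def check_served_cert(domain, port=8443, warn_days=30):
    """Connect with SNI=domain and return (peer_cert_dict, list_of_problems).
    Chain verification stays on; only the hostname check is moved into this code
    so that a mismatch is reported instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((domain, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            cert = tls.getpeercert()
    problems = []
    if not san_covers_host(cert.get("subjectAltName", ()), domain):
        problems.append(f"{domain}: served certificate does not cover this name "
                        f"(SAN={cert.get('subjectAltName')})")
    remaining = days_left(cert["notAfter"])
    if remaining < warn_days:
        problems.append(f"{domain}: certificate expires in {remaining:.1f} days")
    return cert, problems


if __name__ == "__main__":
    # Assumed domains, matching the multi-domain config on this page.
    for domain in ("example.com", "api.example.com", "admin.example.com"):
        try:
            _, problems = check_served_cert(domain)
            print(domain, "OK" if not problems else problems)
        except (OSError, ssl.SSLError) as exc:
            print(domain, "FAILED:", exc)
```

Run it again after `kill -HUP` to confirm that a renewed certificate was actually picked up: the `days_left` value for each domain should jump to the new certificate's lifetime.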

Released under the MIT License.