使用nginx作为rancher服务代理
背景
rke2集群安装rancher,ingress-nginx为集群业务统一入口,前端使用nginx做7层代理,发现rancher-webUI界面无法查看容器日志,无法进入容器,无法使用kubectl shell
点击 view log 或进入容器时,窗口直接显示“已断开”;通过浏览器开发者工具调试发现这些功能使用的是 websocket 连接,而代理没有做相应配置,导致连接失败
官方示例如下
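# Load-balancer example quoted by the article, with two syntax fixes so that
# `nginx -t` can parse it (each marked "fix" below). Values in <...> are
# placeholders to be filled in by the operator.
worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

# Port 80 is forwarded as plain TCP (layer 4) to the cluster nodes.
stream {
    upstream rancher_servers_http {
        least_conn;
        server <IP_NODE_1>:80 max_fails=3 fail_timeout=5s;
        server <IP_NODE_2>:80 max_fails=3 fail_timeout=5s;
        server <IP_NODE_3>:80 max_fails=3 fail_timeout=5s;
    }
    server {
        listen 80;
        proxy_pass rancher_servers_http;
    }
}

# Port 443 terminates TLS on this host and opens a new TLS connection to the
# cluster nodes (layer 7).
http {
    upstream rancher_servers_https {
        least_conn;
        server <IP_NODE_1>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_2>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_3>:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen 443 ssl;
        # fix: the server-level "proxy_pass rancher_servers_https;" was removed.
        # In the http module proxy_pass is not valid directly inside server{};
        # the location below already does the proxying.
        ssl_certificate /path/to/tls.crt;
        # The private key should be readable only by the account that starts nginx.
        ssl_certificate_key /path/to/key.key;
        location / {
            proxy_pass https://rancher_servers_https;
            proxy_set_header Host <rancher UI URL>;
            # Send SNI to the upstream so it can select the right certificate/vhost.
            proxy_ssl_server_name on;
            proxy_ssl_name <rancher UI URL>;  # fix: terminating ";" was missing
            # NOTE(review): proxy_http_version 1.1 and the Upgrade/Connection
            # headers are not set here, so WebSocket handshakes are not passed
            # on to the upstream (the symptom described in the article).
            # NOTE(review): proxy_ssl_verify defaults to off, so the upstream
            # certificate is not validated on this hop unless it is enabled
            # together with proxy_ssl_trusted_certificate.
        }
    }
}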
解决
添加websocket相关代理配置
location / {
    # --- upstream connection ---
    # Local port 8443 forwards the traffic to port 443 of the k8s cluster.
    proxy_pass https://127.0.0.1:8443/;

    # Enable SNI and name the host the upstream certificate is issued for.
    proxy_ssl_server_name on;
    proxy_ssl_name rancher.duoyou.xyz;

    # NOTE(review): with verification off (also the nginx default) the TLS hop
    # to the cluster is encrypted but the peer is not authenticated. That is
    # only acceptable if the whole path behind 127.0.0.1:8443 is trusted.
    # To authenticate the upstream instead:
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;
    proxy_ssl_verify off;

    # --- WebSocket support ---
    # HTTP/1.1 is required for the Upgrade mechanism.
    proxy_http_version 1.1;
    # Pass the client's Upgrade header through.
    proxy_set_header Upgrade $http_upgrade;
    # Set the Connection header to "upgrade".
    # NOTE(review): this value is sent on every request, not only on WebSocket
    # handshakes; the nginx WebSocket guide derives it from $http_upgrade with
    # an http-level map so ordinary requests keep normal connection handling.
    proxy_set_header Connection "upgrade";
    # Longer read timeout so idle log/shell sessions are not cut off.
    # An idle upstream connection can be held for up to an hour.
    proxy_read_timeout 3600;

    # --- request metadata passed to Rancher ---
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
    # sent, so consumers should rely on the last entry (or X-Real-IP), not the
    # first, when attributing requests.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
