使用Kubernetes+Nginx做反向代理
整体说明
有两个服务:
- oauth服务:端口为 31047, 示例:http://ip:31047/oauth/token
- madrids服务:端口为 31046,http://ip:31010/v1/tenants
方式1:使用2个不同的端口映射两个服务
思路:
k8s配置文件中,配置两个不同的nodePort,进行映射
k8s配置文件:
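# Service that exposes the nginx reverse proxy outside the cluster.
# NOTE(review): a NodePort is opened on every node's address, so restrict who
# can reach 31009/31010 with firewall or security-group rules. With the default
# externalTrafficPolicy the source address nginx sees may be a node address;
# "externalTrafficPolicy: Local" preserves the client IP if that is needed.
apiVersion: v1
kind: Service
metadata:
  name: nginx-tyyy
  labels:
    app: nginx
spec:
  type: NodePort
  ports:
    - name: madrids
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 31010  # external port that maps to the madrids service
    - name: oauth
      port: 81
      targetPort: 81
      protocol: TCP
      nodePort: 31009  # external port that maps to the oauth service
  selector:
    app: nginx
    tier: nginx-tyyy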
---
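# Deployment that runs the single nginx pod acting as the reverse proxy.
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1 is
# the supported API group and requires an explicit spec.selector.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-tyyy
  labels:
    app: nginx
spec:
  replicas: 1
  strategy:
    type: Recreate
  # Must match the pod template labels below.
  selector:
    matchLabels:
      app: nginx
      tier: nginx-tyyy
  template:
    metadata:
      labels:
        app: nginx
        tier: nginx-tyyy
    spec:
      containers:
        - name: nginx-tyyy
          # NOTE(review): ":latest" is a mutable tag; pin a specific version
          # or image digest so the deployed proxy is reproducible and an
          # unreviewed image cannot be pulled on restart.
          image: xxxx/library/nginx:latest
          ports:
            - containerPort: 80
              name: nginx-tyyy
            # The Service also targets port 81 (the oauth listener).
            - containerPort: 81
              name: oauth
          volumeMounts:
            - mountPath: "/etc/nginx/conf.d"
              name: nginx-config
              readOnly: true  # nginx only needs to read its configuration
      volumes:
        - name: nginx-config
          # NOTE(review): hostPath ties the pod to one node's filesystem, and
          # anyone who can write this directory on the node controls where
          # the proxy sends traffic. A ConfigMap is the usual alternative.
          hostPath:
            path: "/opt/data/config/tyyy/nginx"  # nginx config directory on the node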
nginx配置文件:(default.conf)
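# Reverse proxy for the oauth service (reached through NodePort 31009).
# NOTE(review): token requests cross this listener as plain HTTP; terminate
# TLS here or in front of it before it carries real credentials.
server {
    keepalive_requests 120;  # max requests served over one keep-alive connection
    listen 81;               # port that the Service's targetPort 81 reaches
    server_name localhost;   # virtual host name matched against the Host header

    # Plain prefix match, so every URI is proxied. (Regex locations would use
    # "~" for case-sensitive and "~*" for case-insensitive matching.)
    location / {
        # Pass the client address on, as the port-80 server does, so the
        # oauth service can log and rate-limit per client.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The trailing "/" is a URI part that replaces the matched "/" prefix.
        proxy_pass http://10.254.9.21:31047/;
    }
}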
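# Reverse proxy for the madrids service (reached through NodePort 31010).
server {
    listen 80;
    server_name localhost;

    # NOTE(review): these limits are extremely permissive (40 GB request
    # bodies, timeouts of 6000-60000 seconds). A single slow or oversized
    # request can hold a connection for hours, so size them to the largest
    # upload and slowest response the backend really needs. The nginx
    # documentation also notes that proxy_connect_timeout usually cannot
    # exceed 75 seconds.
    client_max_body_size 40960M;
    client_body_timeout 6000s;
    keepalive_timeout 60000;
    proxy_connect_timeout 60000;
    proxy_read_timeout 60000;

    # Allow framing by same-origin pages only. "always" also sends the header
    # on error responses (404, 50x), which plain add_header skips.
    add_header X-Frame-Options SAMEORIGIN always;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 2;
    # text/html is always compressed; listing it only produces a
    # "duplicate MIME type" warning, so it is left out here.
    # NOTE(review): JPEG/GIF/PNG are already compressed and gain little.
    gzip_types application/javascript text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;

    location / {
        proxy_http_version 1.1;
        # NOTE(review): Host is rebuilt from the client-supplied Host header,
        # so the backend should not rely on it for security decisions.
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        # Appends to any X-Forwarded-For the client sent; only the last
        # entry (added here) is trustworthy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The trailing "/" is a URI part that replaces the matched "/" prefix.
        proxy_pass http://10.254.9.21:31046/;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}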
结果演示:
代理流程
k8s的配置文件中:
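# Excerpt of the Service's spec.ports list.
- port: 80
  targetPort: 80
  protocol: TCP
  nodePort: 31010  # external port that maps to the madrids service
  name: madrids
- port: 81
  targetPort: 81
  protocol: TCP
  nodePort: 31009  # external port that maps to the oauth service
  name: oauth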
- 31010端口映射为Nginx服务的80端口
- 31009端口映射为Nginx服务的81端口
80和81端口会在Nginx配置文件中体现;
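server {
    keepalive_requests 120;
    # Requests to NodePort 31009 are forwarded to nginx's internal port 81,
    # so this server listens on 81.
    listen 81;
    server_name localhost;

    location / {
        # Forwards to the service on port 31047, i.e. the oauth service.
        proxy_pass http://10.254.9.21:31047/;
    }
}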
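server {
    # Requests to NodePort 31010 are forwarded to nginx's internal port 80,
    # so this server listens on 80.
    listen 80;
    server_name localhost;
    # ... (other directives omitted)

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Forwards to the service on port 31046, i.e. the madrids service.
        proxy_pass http://10.254.9.21:31046/;
    }
    # ... (other directives omitted)
}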
方式2:使用相同的端口映射两个服务
Nginx配置文件:(default.conf)
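# Single listener that routes to both backends by request path:
# /v1/<resource> goes to madrids, /oauth/token goes to oauth.
# NOTE(review): token requests cross this listener as plain HTTP; terminate
# TLS here or in front of it before it carries real credentials.
server {
    listen 80;
    server_name localhost;

    # NOTE(review): these limits are extremely permissive (40 GB request
    # bodies, timeouts of 6000-60000 seconds). A single slow or oversized
    # request can hold a connection for hours, so size them to the largest
    # upload and slowest response the backends really need.
    client_max_body_size 40960M;
    client_body_timeout 6000s;
    keepalive_timeout 60000;
    proxy_connect_timeout 60000;
    proxy_read_timeout 60000;

    # Allow framing by same-origin pages only. "always" also sends the header
    # on error responses (404, 50x), which plain add_header skips.
    add_header X-Frame-Options SAMEORIGIN always;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 2;
    # text/html is always compressed; listing it only produces a
    # "duplicate MIME type" warning, so it is left out here.
    gzip_types application/javascript text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;

    # madrids API. The pattern is anchored with "^" and "(/|$)" so that only
    # /v1/<resource> and its sub-paths are routed; the unanchored form also
    # matched paths such as /x/v1/users or /v1/usersfoo. One location replaces
    # the two identical blocks (with and without a trailing "/").
    location ~* ^/v1/(users|tenants|organizations|frontend|roles|districts|userSubusers|pods|providers|capacity|applications)(/|$) {
        proxy_http_version 1.1;
        # NOTE(review): Host is rebuilt from the client-supplied Host header,
        # so the backend should not rely on it for security decisions.
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        # Appends to any X-Forwarded-For the client sent; only the last
        # entry (added here) is trustworthy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # No trailing "/": the original request URI is passed on unchanged
        # (a regex location cannot take a proxy_pass with a URI part).
        proxy_pass http://10.254.9.21:31046;
    }

    # oauth token endpoint. This prefix also covers /oauth/token/, so the
    # separate, identical "/oauth/token/" block is not needed.
    location /oauth/token {
        proxy_http_version 1.1;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # No trailing "/": the /oauth/token path is kept in the upstream URI.
        proxy_pass http://10.254.9.21:31047;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}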
location中proxy_pass说明
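- 当proxy_pass添加 "/" 后缀(即带有URI部分)时,请求URI中与location匹配的那段前缀会被替换为该URI,因此location的匹配路径不会作为转发URL的一部分
- 当proxy_pass没有 "/" 后缀(不带URI部分)时,原始请求URI会原样转发,因此location的匹配路径会作为URL的一部分;另外,正则匹配的location中proxy_pass不能带URI部分,所以方式2中的proxy_pass后面不能加 "/"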