For the nginx ingress issue "SSL passthrough does not produce access log"
#CERTS_DIR="./certs"
#mkdir -p "${CERTS_DIR}"
#rm -rf ${CERTS_DIR}/*
## https port ssl passthrough
#suffix="https-p-sp"
#
## Private CA key
#openssl genrsa -out "${CERTS_DIR}/ca.key.pem" 4096
#
## CA public cert
#openssl req -key "${CERTS_DIR}/ca.key.pem" -new -x509 -days 7300 -sha256 -out "${CERTS_DIR}/ca.cert.pem" -extensions v3_ca -subj "/CN=example-CA-backend-$suffix"
#
## Private server-server key
#openssl genrsa -out "${CERTS_DIR}/server.key.pem" 4096
#
## Request for server-server cert
#openssl req -key "${CERTS_DIR}/server.key.pem" -new -sha256 -out "${CERTS_DIR}/server.csr.pem" -subj "/CN=server-backend-$suffix"
#
## Sign server-server cert
#openssl x509 -req -CA "${CERTS_DIR}/ca.cert.pem" -CAkey "${CERTS_DIR}/ca.key.pem" -CAcreateserial -in "${CERTS_DIR}/server.csr.pem" -out "${CERTS_DIR}/server.cert.pem" -days 365
#
#kubectl delete secret $suffix
#kubectl create secret generic $suffix --from-file=certs/server.key.pem --from-file=certs/server.cert.pem
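---
apiVersion: v1
kind: ConfigMap
metadata:
  name: https-p-sp
data:
  # Mounted over /usr/local/openresty/nginx/conf/nginx.conf by the Deployment
  # (subPath mount), replacing the image's stock main configuration.
  nginx.conf: |
    #
    # It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
    # section and adds this directive:
    # `include /etc/nginx/conf.d/*.conf;`
    #
    # The `docker-openresty` file `nginx.vh.default.conf` is copied to
    # `/etc/nginx/conf.d/default.conf`. It contains the `server` section
    # of the upstream `nginx.conf`.
    #
    # See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
    #
    #user nobody;
    worker_processes 1;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;

    #pid logs/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;

        # "main" extends the stock combined format with the negotiated TLS
        # protocol/cipher and the X-Forwarded-For header. The variable is
        # $http_x_forwarded_for (header X-Forwarded-For); the previous
        # $http_x_forward_for named a header nobody sends and always logged "-".
        # With ssl-passthrough the ingress controller forwards raw TCP and cannot
        # inject X-Forwarded-For, so "-" is still expected unless proxy_protocol
        # is enabled end to end.
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$ssl_protocol/$ssl_cipher '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" '
                        '"http_x_forwarded_for: " $http_x_forwarded_for';

        # Debug aid for the passthrough investigation: dumps every request
        # header into the error log at ERR level. Authorization, Cookie and any
        # other credential-bearing header are written in clear text; remove this
        # block once the access-log question is settled.
        header_filter_by_lua_block {
            local headers = ngx.req.get_headers()
            for name, value in pairs(headers) do
                -- A header sent more than once comes back as a Lua table, and
                -- '..' on a table raises "attempt to concatenate a table value".
                if type(value) == "table" then
                    value = table.concat(value, ", ")
                end
                ngx.log(ngx.ERR, "Got header " .. name .. ": " .. tostring(value) .. ";")
            end
        }

        # logs/ resolves relative to the nginx prefix; confirm the image links it
        # to stdout if `kubectl logs` is expected to show the access log.
        access_log logs/access.log main;

        # See Move default writable paths to a dedicated directory (#119)
        # https://github.com/openresty/docker-openresty/issues/119
        client_body_temp_path /var/run/openresty/nginx-client-body;
        proxy_temp_path /var/run/openresty/nginx-proxy;
        fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
        uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
        scgi_temp_path /var/run/openresty/nginx-scgi;

        #sendfile on;
        #tcp_nopush on;

        #keepalive_timeout 0;
        keepalive_timeout 65;

        #gzip on;

        include /etc/nginx/conf.d/*.conf;
    }

  # Projected into /etc/nginx/conf.d/; the include directive above loads it.
  example-site.conf: |
    server {
        #listen 80 default_server;
        #listen [::]:80 default_server;

        # SSL configuration
        #
        # The `ssl` parameter on `listen` is what enables TLS. The separate
        # `ssl on;` directive is deprecated (nginx 1.15+) and was redundant
        # here, so it is dropped.
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        #listen 443 ssl proxy_protocol;
        #listen [::]:443 ssl proxy_protocol;
        #real_ip_header proxy_protocol;
        # set_real_ip_from <address or CIDR see http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from >;

        # Key and certificate come from the `https-p-sp` Secret volume (read-only).
        ssl_certificate /etc/ssl-secret/server.cert.pem;
        ssl_certificate_key /etc/ssl-secret/server.key.pem;
        # Older nginx defaults still include TLS 1.0/1.1; restrict to current
        # protocols. TLSv1.3 is accepted by the parser and simply not offered
        # when the bundled OpenSSL lacks it.
        ssl_protocols TLSv1.2 TLSv1.3;
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        #root /var/www/html;
        root /usr/local/openresty/nginx/html;
        #root /usr/local/openresty/nginx/html/index.html

        # Add index.php to the list if you are using PHP
        # index index.html index.htm index.nginx-debian.html;
        index index.html index.nginx-debian.html;

        #server_name _;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
        }
    }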
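---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: https-p-sp
  labels:
    app: https-p-sp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: https-p-sp
  template:
    metadata:
      labels:
        app: https-p-sp
    spec:
      containers:
        - name: nginx
          #image: k8s.gcr.io/nginx
          # Floating tag: pin to an immutable digest
          # (docker.io/openresty/openresty@sha256:<digest>) so that redeploys
          # are reproducible and a re-pushed tag cannot swap the image.
          image: docker.io/openresty/openresty:stretch-fat
          volumeMounts:
            # TLS key and certificate from the `https-p-sp` Secret.
            - name: ssl-secret
              mountPath: /etc/ssl-secret
              readOnly: true
            # Only example-site.conf is projected here; nginx.conf's
            # `include /etc/nginx/conf.d/*.conf;` picks it up.
            - name: https-p-sp
              mountPath: /etc/nginx/conf.d/
              #mountPath: /etc/nginx/sites-enabled/
              readOnly: true
            # subPath mount replaces just nginx.conf and leaves the rest of
            # conf/ (mime.types etc.) from the image in place. Note that subPath
            # mounts are not refreshed when the ConfigMap changes; restart the
            # pod after editing it.
            - name: nginx-usr-local-cm
              mountPath: /usr/local/openresty/nginx/conf/nginx.conf
              subPath: nginx.conf
              readOnly: true
          ports:
            - name: https
              containerPort: 443
      volumes:
        - name: ssl-secret
          secret:
            secretName: https-p-sp
            # 0400, written as decimal 256 so YAML 1.1 and 1.2 parsers agree:
            # the private key is readable only by the file owner instead of
            # every process in the container. This assumes the nginx master,
            # which loads the key at startup, runs as that owner (root) —
            # confirm for the image in use.
            defaultMode: 256
        - name: https-p-sp
          configMap:
            name: https-p-sp
            items:
              - key: example-site.conf
                path: example-site.conf
        - name: nginx-usr-local-cm
          configMap:
            name: https-p-sp
            items:
              - key: nginx.conf
                path: nginx.conf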
---
apiVersion: v1
kind: Service
metadata:
  name: https-p-sp
spec:
  # Cluster-internal only; external traffic reaches the pod via the Ingress,
  # which passes the TLS stream through to port 443 untouched.
  type: ClusterIP
  selector:
    app: https-p-sp
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
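---
# extensions/v1beta1 Ingress was removed from the API server (Kubernetes 1.22);
# this is the same object in the networking.k8s.io/v1 schema (pathType is
# required there, and the backend is spelled service.name / service.port).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-p-sp
  annotations:
    # On clusters with IngressClass support, `spec.ingressClassName: nginx`
    # replaces this annotation.
    kubernetes.io/ingress.class: nginx
    # Passthrough forwards the raw TLS stream to the backend by SNI, so the
    # controller never terminates TLS and cannot see or log the HTTP request —
    # which is the behaviour under investigation. It only takes effect when the
    # ingress-nginx controller runs with --enable-ssl-passthrough.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    #nginx.ingress.kubernetes.io/use-proxy-protocol: "true"
    #nginx.ingress.kubernetes.io/ssl-redirect: "false"
    #nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
    #nginx.ingress.kubernetes.io/compute-full-forwarded-for: "true"
    #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
    #nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
    - host: https-p-sp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: https-p-sp
                port:
                  number: 443
  # No secretName: the backend presents its own certificate from the
  # `https-p-sp` Secret. Presumably this stanza only marks the host as TLS for
  # the controller; with passthrough it is not used for termination.
  tls:
    - hosts:
        - https-p-sp.example.com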