curlで名前解決のメモ。
Nginx Ingress Controllerを使って以下のようなIngressリソースを作成したとする。
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: secure-ingress annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: tls: - hosts: - secure-ingress.com secretName: secure-ingress rules: - host: secure-ingress.com http: paths: - path: /service1 pathType: Prefix backend: service: name: service1 port: number: 80 - path: /service2 pathType: Prefix backend: service: name: service2 port: number: 80
secure-ingress.com
は適当なドメイン名なので、/etc/hosts
に名前解決を書けばよいが、それが面倒なときは以下のようにHost
ヘッダーをつけてあげればよいと思っていた。
curl -H 'Host: secure-ingress.com:30300' https://34.84.27.122:30300/service2 -kv
ただしこれだと、ルーティングは機能するが、Ingressで指定した証明書は使われない。Host
ヘッダーが意味を持つのは、証明書が選択されてTLSでの通信が始まったあとだからと思われる。
$ curl -H 'Host: secure-ingress.com:30300' https://34.84.27.122:30300/service2 -kv * Trying 34.84.27.122... * TCP_NODELAY set * Connected to 34.84.27.122 (34.84.27.122) port 30300 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate * start date: Dec 22 17:55:31 2020 GMT * expire date: Dec 22 17:55:31 2021 GMT * issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x7fc74d003c00) > GET /service2 HTTP/2 > Host: secure-ingress.com:30300 > User-Agent: curl/7.54.0 > Accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS updated)! < HTTP/2 200 < date: Tue, 22 Dec 2020 18:42:18 GMT < content-type: text/html < content-length: 45 < last-modified: Mon, 11 Jun 2007 18:53:14 GMT < etag: "2d-432a5e4a73a80" < accept-ranges: bytes < strict-transport-security: max-age=15724800; includeSubDomains < <html><body><h1>It works!</h1></body></html> * Connection #0 to host 34.84.27.122 left intact
以下の--resolve
を使う方法だと指定した証明書が使われる。
curl https://secure-ingress.com:30300/service2 -kv --resolve secure-ingress.com:30300:34.84.27.122
$ curl https://secure-ingress.com:30300/service2 -kv --resolve secure-ingress.com:30300:34.84.27.122 * Added secure-ingress.com:30300:34.84.27.122 to DNS cache * Hostname secure-ingress.com was found in DNS cache * Trying 34.84.27.122... * TCP_NODELAY set * Connected to secure-ingress.com (34.84.27.122) port 30300 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=secure-ingress.com * start date: Dec 22 18:23:45 2020 GMT * expire date: Dec 22 18:23:45 2021 GMT * issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=secure-ingress.com * SSL certificate verify result: self signed certificate (18), continuing anyway. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x7fb49c002600) > GET /service2 HTTP/2 > Host: secure-ingress.com:30300 > User-Agent: curl/7.54.0 > Accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS updated)! < HTTP/2 200 < date: Tue, 22 Dec 2020 18:41:06 GMT < content-type: text/html < content-length: 45 < last-modified: Mon, 11 Jun 2007 18:53:14 GMT < etag: "2d-432a5e4a73a80" < accept-ranges: bytes < strict-transport-security: max-age=15724800; includeSubDomains < <html><body><h1>It works!</h1></body></html> * Connection #0 to host secure-ingress.com left intact