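Recommended: use a wildcard certificate, e.g. *.jd.com
Create one more host to act as the load balancer: 10.0.0.5
Change the host resolution to: 10.0.0.5 nginx.weiyongdong.com
Add a DNS record, then apply for the certificate
Host record: nginx, type: A record, record value: 10.0.0.5
Issue the certificate
Put the certificate in the directory that the configuration file refers to: /opt/Nginx/1_nginx.weiyongdong.com_bundle.crt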
yum -y install nginx
vim /etc/nginx/conf.d/nginx.weiyongdong.conf
# Backend that nginx proxies to
upstream tomcat {
    server 10.0.0.12;
}

# HTTPS: TLS is terminated here, then requests are proxied to the backend
server {
    listen 443 ssl;
    server_name nginx.weiyongdong.com;
    ssl_certificate /opt/Nginx/1_nginx.weiyongdong.com_bundle.crt;
    ssl_certificate_key /opt/Nginx/2_nginx.weiyongdong.com.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is enabled
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://tomcat;
        # Pass the original host name and client address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# HTTP: redirect every request to HTTPS
server {
    listen 80;
    server_name nginx.weiyongdong.com;
    location / {
        return 302 https://nginx.weiyongdong.com$request_uri;
    }
}
systemctl restart nginx
Make sure the domain name of the ingress resource is reachable
Enter the pod and change the index page to test:
kubectl exec -it nginx-xxxx -- /bin/bash
echo 'test' >/usr/share/nginx/html/index.html
Visit nginx.weiyongdong.com
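
A check to run on the conf.d file before restarting nginx, as an added example that is not part of the original notes: it flags deprecated protocol versions in ssl_protocols and ssl listeners that lack a certificate or key. The function names audit_tls_conf and sample_conf are hypothetical, and the sample server block is constructed, with TLSv1 and TLSv1.1 enabled.

```sh
#!/bin/sh
# Added example, not part of the original notes.
# audit_tls_conf [FILE]: read an nginx conf.d file (or stdin), print one
# finding per line; exit status 0 when clean, 1 when something was flagged.
audit_tls_conf() {
    awk '
    { sub(/#.*/, "") }                              # drop comments
    depth == 0 && $1 == "server" && $2 == "{" {     # a server block opens
        in_srv = 1; start = NR; ssl = cert = key = 0
    }
    in_srv && $1 == "listen" && / ssl[ ;]/ { ssl = 1 }
    in_srv && $1 == "ssl_certificate"      { cert = 1 }
    in_srv && $1 == "ssl_certificate_key"  { key = 1 }
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                printf "line %d: deprecated protocol %s\n", NR, p; bad = 1
            }
        }
    }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (in_srv && depth == 0) {                 # the server block closed
            if (ssl && !(cert && key)) {
                printf "line %d: ssl listener without certificate and key\n", start
                bad = 1
            }
            in_srv = 0
        }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: a TLS server block with TLSv1 and TLSv1.1 enabled.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name nginx.weiyongdong.com;
    ssl_certificate /opt/Nginx/1_nginx.weiyongdong.com_bundle.crt;
    ssl_certificate_key /opt/Nginx/2_nginx.weiyongdong.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# Usage: sh this_script /etc/nginx/conf.d/nginx.weiyongdong.conf
if [ "$#" -gt 0 ]; then audit_tls_conf "$1"; fi
```

Running `sample_conf | audit_tls_conf` reports both deprecated versions on the ssl_protocols line; `nginx -t` remains the syntax check and does not flag weak protocol choices.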