k8s-nginx
# nginx
---
# NodePort Service that publishes the nginx listener (container port 8843)
# of the demo namespace on every node at port 31843.
apiVersion: v1
kind: Service
metadata:
  namespace: demo
  name: nginx
spec:
  type: NodePort
  # Local: a node only forwards to nginx pods running on that node, and the
  # client source address is preserved instead of being SNATed.
  externalTrafficPolicy: Local
  ports:
    - name: server
      protocol: TCP
      nodePort: 31843
      port: 8843
      targetPort: 8843
  selector:
    app: nginx
---
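# nginx.conf for the edge proxy: one TLS server on 8843 that serves static
# front ends and reverse-proxies the gateway, minio, otatool, SRS, KubeSphere
# and xxl-job back ends.
#
# Changes against the original listing:
#   * metadata.namespace is set to demo. A pod can only mount a ConfigMap from
#     its own namespace, and the StatefulSet that mounts this one is in demo.
#   * "ssl on;" is replaced by "listen 8843 ssl;". The directive has been
#     obsolete since nginx 1.15.0 and was removed in 1.25.1, so a current
#     nginx:latest image refuses to load a config that still contains it.
#   * ssl_protocols no longer offers TLSv1 / TLSv1.1 (deprecated by RFC 8996).
# Open review points are marked NOTE(review) inside the config.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: demo
data:
  nginx.conf: |
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log notice;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;

        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;

        include /etc/nginx/conf.d/*.conf;
        client_max_body_size 5120m;

        map $http_upgrade $connection_upgrade { # WebSocket request-header mapping
            default upgrade;
            '' close;
        }

        upstream backends {
            least_conn;
            server gateway.demo.svc:8201 max_fails=3 fail_timeout=10s;
        }

        upstream minio {
            server minio.demo.svc:9000 max_fails=3 fail_timeout=10s;
        }

        upstream otatool {
            server otatool.demo.svc:8099 max_fails=3 fail_timeout=10s;
        }

        upstream console_backend_ws {
            hash $remote_addr consistent; # hash on client IP so one IP always reaches the same gateway
            server gateway:8201 max_fails=3; # forward to the gateway
        }

        server {
            # TLS is enabled on the listen socket ("ssl on;" no longer exists).
            listen 8843 ssl;
            server_name localhost;
            charset 'utf-8';

            ssl_certificate /data/nginx/ssl/certs/nginx-selfsigned.crt; # absolute path recommended
            ssl_certificate_key /data/nginx/ssl/private/nginx-selfsigned.key; # absolute path recommended
            ssl_session_timeout 5m;
            # NOTE(review): this list only governs TLS <= 1.2. The bare
            # ECDHE/ECDH/AES/HIGH keywords also admit CBC suites; consider
            # narrowing it to AEAD (GCM / CHACHA20) suites.
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;

            #access_log logs/host.access.log main;

            # NOTE(review): every static location below answers with
            # Access-Control-Allow-Origin '*'. That is only appropriate while
            # these trees hold public assets; confirm none of them serves
            # per-user or internal data.
            location / {
                add_header 'Access-Control-Allow-Origin' '*'; # allow cross-origin requests
                root /usr/share/nginx/html;
                index index.html index.htm;
            }

            # Static assets
            location /static/ {
                add_header 'Access-Control-Allow-Origin' '*'; # allow cross-origin requests
                alias /usr/share/nginx/static/;
                # NOTE(review): directory listing is enabled, so every file
                # under static/ is enumerable by any client. Turn it off
                # unless browsing is a requirement.
                autoindex on;
            }

            # Proxy for video stream pulling
            location /video/ {
                proxy_set_header Host $host; # host name
                proxy_set_header X-Real-IP $remote_addr; # real client IP
                # NOTE(review): $proxy_add_x_forwarded_for appends to whatever
                # X-Forwarded-For the client sent. This proxy is the edge, so
                # back ends should trust X-Real-IP (or only the last
                # X-Forwarded-For entry), not the client-supplied prefix.
                # The same applies to every location that sets this header.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # front-end IP
                rewrite ^/video/(.*)$ /$1 break;
                proxy_pass http://192.168.0.120:31590/; # forward to SRS
                # NOTE(review): this rewrites upstream "https://" redirects to
                # "http://" although the listener is TLS-only; confirm the
                # direction is intended (same directive in the locations below).
                proxy_redirect https:// http://;
            }

            # Video file playback address
            location /play/ {
                proxy_set_header Host $host:$server_port; # host name
                proxy_set_header X-Real-IP $remote_addr; # real client IP
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # front-end IP
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                chunked_transfer_encoding off;
                proxy_pass http://192.168.0.120:31900/play/; # forward to SRS
                proxy_redirect https:// http://;
            }

            # Video file playback address
            location /file/ {
                #proxy_set_header Host $host; # host name
                #proxy_set_header X-Real-IP $remote_addr; # real client IP
                #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # front-end IP
                #proxy_set_header X-Forwarded-Proto $scheme;
                #proxy_http_version 1.1;
                #proxy_set_header Connection "";
                #chunked_transfer_encoding off;
                #rewrite ^/file/(.*)$ /$1 break;
                #proxy_pass http://192.168.0.120:31900/; # forward to SRS
                #proxy_redirect https:// http://;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $host:$server_port;
                proxy_connect_timeout 300;
                # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                chunked_transfer_encoding off;
                rewrite ^/file/(.*)$ /$1 break;
                proxy_pass http://192.168.0.120:31900/; # forward to SRS
                proxy_redirect https:// http://;
            }

            # Map resources
            location /map/ {
                proxy_set_header Host $host; # host name
                proxy_set_header X-Real-IP $remote_addr; # real client IP
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # front-end IP
                proxy_pass http://192.168.0.120:31900/map/; # forward to gateway address + port
                proxy_redirect https:// http://;
            }

            # Feedback attachments
            location /feedbackfiles/ {
                proxy_set_header Host $host; # host name
                proxy_set_header X-Real-IP $remote_addr; # real client IP
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # front-end IP
                proxy_pass http://minio/; # forward to the minio upstream
                proxy_redirect https:// http://;
            }

            # OTA tool API
            location /otaApi/ {
                proxy_set_header Host $host; # host name
                proxy_set_header X-Real-IP $remote_addr; # real client IP
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # front-end IP
                rewrite ^/otaApi/(.*)$ /$1 break;
                proxy_pass http://otatool;
            }

            location /api/ {
                proxy_set_header Host $host; # host name
                proxy_set_header X-Real-IP $remote_addr; # real client IP
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # front-end IP
                rewrite ^/api/(.*)$ /$1 break;
                proxy_pass http://backends; # forward to gateway address + port
            }

            # NOTE(review): the next three locations publish the KubeSphere
            # API server, the KubeSphere console and the xxl-job admin UI on
            # the NodePort with no access control at this layer. If they are
            # not meant to be reachable by every client of this port, restrict
            # them (allow/deny, auth_request, or a separate internal listener)
            # and make sure the back ends enforce their own authentication.
            location /apiserver/ {
                proxy_pass http://ks-apiserver.kubesphere-system.svc:80/;
            }

            location /kapi/ {
                proxy_pass http://ks-console.kubesphere-system.svc:80/;
            }

            location /xxl-job-admin/ {
                proxy_pass http://job.demo.svc:9003; #https://192.168.0.188:31843/xxl-job-admin/
            }

            location /websocket/ { # WebSocket proxy
                proxy_http_version 1.1;
                proxy_pass http://console_backend_ws;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_read_timeout 3600s;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
            }

            location /websocket-device/ { # WebSocket proxy
                proxy_http_version 1.1;
                proxy_pass http://console_backend_ws;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_read_timeout 3600s;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
            }

            # IOC front end
            location /monitor {
                add_header 'Access-Control-Allow-Origin' '*'; # allow cross-origin requests
                alias /usr/share/nginx/monitor;
                index index.html index.htm;
            }

            # Documentation
            location /doc {
                add_header 'Access-Control-Allow-Origin' '*'; # allow cross-origin requests
                alias /usr/share/nginx/doc;
                index index.html index.htm;
            }

            # IOC front end
            location /edge {
                add_header 'Access-Control-Allow-Origin' '*'; # allow cross-origin requests
                alias /usr/share/nginx/edge;
                index index.html index.htm;
            }

            # IOC front end
            location /center {
                add_header 'Access-Control-Allow-Origin' '*'; # allow cross-origin requests
                alias /usr/share/nginx/center;
                index index.html index.htm;
            }

            # ota
            location /ota {
                add_header 'Access-Control-Allow-Origin' '*'; # allow cross-origin requests
                alias /usr/share/nginx/ota;
                index index.html index.htm;
            }

            #error_page 404 /404.html;
            # redirect server error pages to the static page /50x.html
            #
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
        }
    }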
---
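# Single-replica nginx StatefulSet for the demo namespace. An init container
# blocks start-up until the gateway answers on gateway:8201; the nginx
# container takes its config from the nginx-conf ConfigMap and its content,
# certificate and key from hostPath directories on the node.
#
# Change against the original listing: the /etc/localtime, certificate and
# private-key mounts are now readOnly, like the other two mounts. nginx only
# reads them, so the container has no reason to be able to modify host files.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nginx
  namespace: demo
  labels:
    app: nginx
spec:
  serviceName: nginx
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      initContainers:
        - name: init-gateway
          # NOTE(review): third-party image on the mutable "latest" tag.
          # Pin it by digest, or mirror it into a registry you control.
          image: yauritux/busybox-curl:latest
          imagePullPolicy: IfNotPresent
          command:
            - 'sh'
            - '-c'
            - 'until curl gateway:8201; do echo waiting for gateway; sleep 2; done'
      containers:
        - name: nginx
          # NOTE(review): "latest" with IfNotPresent means each node runs
          # whichever nginx build it happened to pull first. Pin a specific
          # version or digest so the served config and the binary stay in step.
          image: nginx:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8843
              protocol: TCP
          volumeMounts:
            - mountPath: /etc/localtime
              name: time-localtime
              readOnly: true
            - mountPath: /usr/share/nginx
              name: nginx-persistent-storage
              readOnly: true
            - mountPath: /etc/nginx/nginx.conf
              name: nginx-conf
              subPath: nginx.conf
              readOnly: true
            - mountPath: /data/nginx/ssl/certs/
              name: nginxcrt
              readOnly: true
            - mountPath: /data/nginx/ssl/private/
              name: nginxkey
              readOnly: true
      volumes:
        - name: time-localtime
          hostPath:
            path: /etc/localtime
        - name: nginx-persistent-storage
          hostPath:
            path: /opt/software/data/nginx
          # persistentVolumeClaim:
          #   claimName: nginx-pvc-claim
        - name: nginx-conf
          configMap:
            name: nginx-conf
            items:
              - key: nginx.conf
                path: nginx.conf
        - name: nginxcrt
          hostPath:
            path: /opt/software/data/nginx/ssl/certs/
        # NOTE(review): this directory sits inside /opt/software/data/nginx,
        # which is also mounted at /usr/share/nginx. The private key is
        # therefore visible a second time under the tree nginx serves static
        # content from (/usr/share/nginx/ssl/private/). Keep key material
        # outside the content tree, preferably in a kubernetes.io/tls Secret
        # mounted at /data/nginx/ssl/.
        - name: nginxkey
          hostPath:
            path: /opt/software/data/nginx/ssl/private/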