k8s Kubernetes Frp 内网WordPress穿透配置
之前的架构图前面添加了一个洛杉矶的服务器,访问会绕全国一圈,这次使用腾讯云hk节点部署frps,并且本地设置nginx proxy_pass代理frps端口。将流量数据采用tcp协议的方式,发送给老家的k8s网络中,其中frpc直接local ip修改为wordpress-svc,pod节点修改为2个pod进行访问测试,并且配置https。
架构图
环境说明
- Kubernetes 1.24
- WordPress 6.2
- frpc 0.33
- Nginx 1.22.1
博客测试环境运行在山东威海老家的内网的k8s容器网络中,有的时候需要在北京远程访问进行测试。显然,nat网络是无法直接远程通过80端口访问的,所以采用frp的方式进行访问,直接部署个pod快速配置!
关于frps部署可以参考博客其它文章,都是二进制文件,和frpc的配置基本上一模一样,修改一下对应的配置即可;我这里就不单独说了
创建frpc configmap
<span>apiVersion</span> <span>:</span> <span> v1</span><span>kind</span> <span>:</span> <span> </span> <span>ConfigMap</span><span>metadata</span> <span>:</span><span> name</span> <span>:</span> <span> frps</span><span> </span> <span>namespace</span> <span>:</span> <span> wordpress</span><span>data</span> <span>:</span><span> frpc</span> <span>.</span> <span>ini</span> <span>:</span> <span> </span> <span>|-</span><span> </span> <span>[</span> <span>common</span> <span>]</span><span> token</span> <span>=</span> <span>xxxx </span> <span>#token没有可以不写,frps中设置好了,这里就可以填写</span><span> server_addr </span> <span>=</span> <span> </span> <span>#公有云IP</span><span> server_port </span> <span>=</span> <span> </span> <span>#31000 公有云端口</span><span> log_level</span> <span>=</span> <span>info</span><span> </span> <span>[</span> <span>wordpress</span> <span>-</span> <span>i4t</span> <span>]</span><span> type </span> <span>=</span> <span> tcp</span><span> local_ip</span> <span>=</span> <span>wordpress</span> <span>-</span> <span>svc </span> <span>#这里我填写的是本地的svc地址</span><span> local_port</span> <span>=</span> <span>80</span><span> remote_port</span> <span>=</span> <span>31001</span>
创建frpc comfigmap
<span>[</span> <span>root@k8s</span> <span>-</span> <span>01</span> <span> frpc</span> <span>]#</span> <span> kubectl create </span> <span>-</span> <span>f frpc</span> <span>-</span> <span>cm</span> <span>.</span> <span>yaml</span><span>configmap</span> <span>/</span> <span>frpc created</span><span>[</span> <span>root@k8s</span> <span>-</span> <span>01</span> <span> frpc</span> <span>]#</span> <span> kubectl </span> <span>get</span> <span> cm </span> <span>-</span> <span>n wordpress</span><span>NAME DATA AGE</span><span>frpc </span> <span>1</span> <span> </span> <span>4s</span><span>istio</span> <span>-</span> <span>ca</span> <span>-</span> <span>root</span> <span>-</span> <span>cert </span> <span>1</span> <span> </span> <span>3d9h</span><span>kube</span> <span>-</span> <span>root</span> <span>-</span> <span>ca</span> <span>.</span> <span>crt </span> <span>1</span> <span> </span> <span>3d9h</span><span>wordpress</span> <span>-</span> <span>configmap </span> <span>2</span> <span> </span> <span>3d3h</span>
接下来我们创建frpc deployment,我这里还是统一的放在wordpress namespace下,后续方便统一管理
<span>[</span> <span>root@k8s</span> <span>-</span> <span>01</span> <span> frpc</span> <span>]#</span> <span> cat frpc</span> <span>-</span> <span>deployment</span> <span>.</span> <span>yaml</span><span>apiVersion</span> <span>:</span> <span> apps</span> <span>/</span> <span>v1</span><span>kind</span> <span>:</span> <span> </span> <span>Deployment</span><span>metadata</span> <span>:</span><span> name</span> <span>:</span> <span> frpc</span><span> </span> <span>namespace</span> <span>:</span> <span> wordpress</span><span> labels</span> <span>:</span><span> app</span> <span>:</span> <span> frpc</span><span>spec</span> <span>:</span><span> replicas</span> <span>:</span> <span> </span> <span>1</span><span> selector</span> <span>:</span><span> matchLabels</span> <span>:</span><span> app</span> <span>:</span> <span> frpc</span><span> </span> <span>template</span> <span>:</span><span> metadata</span> <span>:</span><span> labels</span> <span>:</span><span> app</span> <span>:</span> <span> frpc</span><span> spec</span> <span>:</span><span> containers</span> <span>:</span><span> </span> <span>-</span> <span> name</span> <span>:</span> <span> frpc</span><span> image</span> <span>:</span> <span> snowdreamtech</span> <span>/</span> <span>frpc</span> <span>:</span> <span>0.33</span> <span>.</span> <span>0</span><span> volumeMounts</span> <span>:</span><span> </span> <span>-</span> <span> name</span> <span>:</span> <span> frpc</span><span> mountPath</span> <span>:</span> <span> </span> <span>"/etc/frp"</span><span> readOnly</span> <span>:</span> <span> </span> <span>true</span><span> volumes</span> <span>:</span><span> </span> <span>-</span> <span> configMap</span> <span>:</span><span> defaultMode</span> <span>:</span> <span> </span> <span>420</span><span> name</span> <span>:</span> <span> frpc</span><span> name</span> <span>:</span> <span> frpc</span><span>#这里挂载configmap,请根据名称自行修改</span>
检查pod启动日志
<span>[</span> <span>root@k8s</span> <span>-</span> <span>01</span> <span> frpc</span> <span>]#</span> <span> kubectl </span> <span>get</span> <span> pod </span> <span>-</span> <span>n wordpress</span><span>NAME READY STATUS RESTARTS AGE</span><span>centos</span> <span>-</span> <span>client</span> <span>-</span> <span>75f686d587</span> <span>-</span> <span>lv2b2 </span> <span>1</span> <span>/</span> <span>1</span> <span> </span> <span>Running</span> <span> </span> <span>0</span> <span> </span> <span>3d2h</span><span>frpc</span> <span>-</span> <span>5dffdf574</span> <span>-</span> <span>pqld7 </span> <span>1</span> <span>/</span> <span>1</span> <span> </span> <span>Running</span> <span> </span> <span>3</span> <span> </span> <span>(</span> <span>38s</span> <span> ago</span> <span>)</span> <span> </span> <span>66s</span><span>mysql</span> <span>-</span> <span>7fddbb85bb</span> <span>-</span> <span>xzcmf </span> <span>1</span> <span>/</span> <span>1</span> <span> </span> <span>Running</span> <span> </span> <span>0</span> <span> </span> <span>3d9h</span><span>wordpress</span> <span>-</span> <span>deployment</span> <span>-</span> <span>5748d8485</span> <span>-</span> <span>4bfzt</span> <span> </span> <span>1</span> <span>/</span> <span>1</span> <span> </span> <span>Running</span> <span> </span> <span>0</span> <span> </span> <span>2d6h</span><span>wordpress</span> <span>-</span> <span>deployment</span> <span>-</span> <span>5748d8485</span> <span>-</span> <span>9qvrb</span> <span> </span> <span>1</span> <span>/</span> <span>1</span> <span> </span> <span>Running</span> <span> </span> <span>0</span> <span> </span> <span>2d6h</span><span>#这里为frpc pod日志</span><span>[</span> <span>root@k8s</span> <span>-</span> <span>01</span> <span> frpc</span> <span>]#</span> <span> kubectl logs </span> <span>-</span> <span>f </span> <span>-</span> <span>n wordpress frpc</span> <span>-</span> <span>5dffdf574</span> <span>-</span> <span>pqld7</span><span>2023</span> <span>/</span> <span>08</span> <span>/</span> <span>12</span> <span> </span> <span>16</span> <span>:</span> <span>33</span> <span>:</span> <span>13</span> <span> </span> <span>[</span> <span>I</span> <span>]</span> <span> </span> <span>[</span> <span>service</span> <span>.</span> <span>go</span> <span>:</span> <span>282</span> <span>]</span> <span> </span> <span>[</span> <span>47ead06b4b174641</span> <span>]</span> <span> login to server success</span> <span>,</span> <span> </span> <span>get</span> <span> run id </span> <span>[</span> <span>47ead06b4b174641</span> <span>],</span> <span> server udp port </span> <span>[</span> <span>0</span> <span>]</span><span>2023</span> <span>/</span> <span>08</span> <span>/</span> <span>12</span> <span> </span> <span>16</span> <span>:</span> <span>33</span> <span>:</span> <span>13</span> <span> </span> <span>[</span> <span>I</span> <span>]</span> <span> </span> <span>[</span> <span>proxy_manager</span> <span>.</span> <span>go</span> <span>:</span> <span>144</span> <span>]</span> <span> </span> <span>[</span> <span>47ead06b4b174641</span> <span>]</span> <span> proxy added</span> <span>:</span> <span> </span> <span>[</span> <span>wordpress</span> <span>-</span> <span>i4t</span> <span>]</span><span>2023</span> <span>/</span> <span>08</span> <span>/</span> <span>12</span> <span> </span> <span>16</span> <span>:</span> <span>33</span> <span>:</span> <span>13</span> <span> </span> <span>[</span> <span>I</span> <span>]</span> <span> </span> <span>[</span> <span>control</span> <span>.</span> <span>go</span> <span>:</span> <span>179</span> <span>]</span> <span> </span> <span>[</span> <span>47ead06b4b174641</span> <span>]</span> <span> </span> <span>[</span> <span>wordpress</span> <span>-</span> <span>i4t</span> <span>]</span> <span> start proxy success</span><span>^</span> <span>C</span>
访问测试
frp 服务器:frpc配置端口
实际上到这里已经配置完毕,因为frpc不需要svc访问地址。 只是一个客户端~
根据情况配置,如果需要nginx这里可以提供nginx upsteam配置文件,代理本地ip:xxx 端口
nginx 需要在frps服务器上配置
我这里需要使用nginx配置文件,这里我就直接在frps服务器上添加了
- 这里是代理的80端口,443可以参考下面的
<span>[</span> <span>root@VM</span> <span>-</span> <span>8</span> <span>-</span> <span>10</span> <span>-</span> <span>centos conf</span> <span>.</span> <span>d</span> <span>]#</span> <span> cat wp</span> <span>-</span> <span>test</span> <span>.</span> <span>conf</span><span> server </span> <span>{</span><span> listen </span> <span>80</span> <span>;</span><span> listen </span> <span>[::]:</span> <span>80</span> <span>;</span><span> server_name i4t</span> <span>.</span> <span>cn www</span> <span>.</span> <span>i4t</span> <span>.</span> <span>cn</span> <span>;</span><span> location </span> <span>/</span><span> </span> <span>{</span><span> proxy_pass http</span> <span>:</span> <span>//127.0.0.1:31001;</span><span> proxy_http_version </span> <span>1.1</span> <span>;</span><span> proxy_set_header X</span> <span>-</span> <span>Real</span> <span>-</span> <span>IP $remote_addr</span> <span>;</span><span> proxy_set_header X</span> <span>-</span> <span>Forwarded</span> <span>-</span> <span>For</span> <span> $proxy_add_x_forwarded_for</span> <span>;</span><span> proxy_set_header </span> <span>Upgrade</span> <span> $http_upgrade</span> <span>;</span><span> proxy_set_header </span> <span>Connection</span> <span> </span> <span>"upgrade"</span> <span>;</span><span> proxy_set_header </span> <span>Host</span> <span> $http_host</span> <span>;</span><span> </span> <span>}</span><span>}</span>
效果图
- 添加nginx 443端口
- wp-config.php添加https开启代码 (这两个选择一个即可)
- 还需要提前在wordpress上开启https
编辑wordpress wp-config.php文件
<span>$_SERVER</span> <span>[</span> <span>'HTTPS'</span> <span>]</span> <span> </span> <span>=</span> <span> </span> <span>'ON'</span> <span>;</span> <span> </span> <span>//设置Wordpress https</span><span>#找到下面的配置,在它上面添加SERVER [HTTPS] = ON选项</span><span>/** Absolute path to the WordPress directory. */</span> <span> </span><span>if</span> <span> </span> <span>(</span> <span> </span> <span>!</span> <span> </span> <span>defined</span> <span>(</span> <span> </span> <span>'ABSPATH'</span> <span> </span> <span>)</span> <span> </span> <span>)</span> <span> </span> <span>{</span><span> define</span> <span>(</span> <span> </span> <span>'ABSPATH'</span> <span>,</span> <span> __DIR__ </span> <span>.</span> <span> </span> <span>'/'</span> <span> </span> <span>);</span><span>}</span>
证书路径/data/i4t.crt和/data/i4t.key,请注意自行替换
- proxy_pass 地址需要自行修改
<span>[</span> <span>root@VM</span> <span>-</span> <span>8</span> <span>-</span> <span>10</span> <span>-</span> <span>centos conf</span> <span>.</span> <span>d</span> <span>]#</span> <span> cat wp</span> <span>-</span> <span>test</span> <span>.</span> <span>conf</span><span> server </span> <span>{</span><span> listen </span> <span>80</span> <span>;</span><span> listen </span> <span>[::]:</span> <span>80</span> <span>;</span><span> server_name www</span> <span>.</span> <span>i4t</span> <span>.</span> <span>cn i4t</span> <span>.</span> <span>cn</span> <span>;</span><span> </span> <span>return</span> <span> </span> <span>301</span> <span> https</span> <span>:</span> <span>//i4t.cn$request_uri;</span><span> </span> <span>}</span><span> server </span> <span>{</span><span> listen </span> <span>443</span> <span> ssl http2</span> <span>;</span><span> listen </span> <span>[::]:</span> <span>443</span> <span> http2</span> <span>;</span><span> ssl_certificate </span> <span>/</span> <span>data</span> <span>/</span> <span>i4t</span> <span>.</span> <span>crt</span> <span>;</span><span> ssl_certificate_key </span> <span>/</span> <span>data</span> <span>/</span> <span>i4t</span> <span>.</span> <span>key</span> <span>;</span><span> ssl_protocols </span> <span>TLSv1</span> <span>.</span> <span>1</span> <span> </span> <span>TLSv1</span> <span>.</span> <span>2</span> <span> </span> <span>TLSv1</span> <span>.</span> <span>3</span> <span>;</span><span> ssl_ciphers TLS13</span> <span>-</span> <span>AES</span> <span>-</span> <span>256</span> <span>-</span> <span>GCM</span> <span>-</span> <span>SHA384</span> <span>:</span> <span>TLS13</span> <span>-</span> <span>CHACHA20</span> <span>-</span> <span>POLY1305</span> <span>-</span> <span>SHA256</span> <span>:</span> <span>TLS13</span> <span>-</span> <span>AES</span> <span>-</span> <span>128</span> <span>-</span> <span>GCM</span> <span>-</span> <span>SHA256</span> <span>:</span> <span>TLS13</span> <span>-</span> <span>AES</span> <span>-</span> <span>128</span> <span>-</span> <span>CCM</span> <span>-</span> <span>8</span> <span>-</span> <span>SHA256</span> <span>:</span> <span>TLS13</span> <span>-</span> <span>AES</span> <span>-</span> <span>128</span> <span>-</span> <span>CCM</span> <span>-</span> <span>SHA256</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>CHACHA20</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>CHACHA20</span> <span>-</span> <span>draft</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>ECDSA</span> <span>+</span> <span>AES128</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>aRSA</span> <span>+</span> <span>AES128</span> <span>:</span> <span>RSA</span> <span>+</span> <span>AES128</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>ECDSA</span> <span>+</span> <span>AES256</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>aRSA</span> <span>+</span> <span>AES256</span> <span>:</span> <span>RSA</span> <span>+</span> <span>AES256</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>ECDSA</span> <span>+</span> <span>3DES</span> <span>:</span> <span>EECDH</span> <span>+</span> <span>aRSA</span> <span>+</span> <span>3DES</span> <span>:</span> <span>RSA</span> <span>+</span> <span>3DES</span> <span>:!</span> <span>MD5</span> <span>;</span><span> server_name i4t</span> <span>.</span> <span>cn www</span> <span>.</span> <span>i4t</span> <span>.</span> <span>cn</span> <span>;</span><span> index index</span> <span>.</span> <span>html index</span> <span>.</span> <span>htm</span> <span>;</span><span> error_page </span> <span>400</span> <span> </span> <span>=</span> <span> </span> <span>/</span> <span>400.html</span> <span>;</span><span> ssl_early_data on</span> <span>;</span><span> ssl_stapling on</span> <span>;</span><span> ssl_stapling_verify on</span> <span>;</span><span> location </span> <span>/</span><span> </span> <span>{</span><span> </span> <span>#防止跨域</span><span> add_header </span> <span>'Access-Control-Allow-Origin'</span> <span> $http_origin</span> <span>;</span><span> add_header </span> <span>'Access-Control-Allow-Credentials'</span> <span> </span> <span>'true'</span> <span>;</span><span> add_header </span> <span>'Access-Control-Allow-Methods'</span> <span> </span> <span>'GET, POST, OPTIONS'</span> <span>;</span><span> add_header </span> <span>'Access-Control-Allow-Headers'</span> <span> </span> <span>'DNT,web-token,app-token,Authorization,Accept,Origin,Keep-Alive,User-Agent,X-Mx-ReqToken,X-Data-Type,X-Auth-Token,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'</span> <span>;</span><span> add_header </span> <span>'Access-Control-Expose-Headers'</span> <span> </span> <span>'Content-Length,Content-Range'</span> <span>;</span><span> </span> <span>if</span> <span> </span> <span>(</span> <span>$request_method </span> <span>=</span> <span> </span> <span>'OPTIONS'</span> <span>)</span> <span> </span> <span>{</span><span> add_header </span> <span>'Access-Control-Max-Age'</span> <span> </span> <span>1728000</span> <span>;</span><span> add_header </span> <span>'Content-Type'</span> <span> </span> <span>'text/plain; charset=utf-8'</span> <span>;</span><span> add_header </span> <span>'Content-Length'</span> <span> </span> <span>0</span> <span>;</span><span> </span> <span>return</span> <span> </span> <span>204</span> <span>;</span><span> </span> <span>}</span><span> proxy_pass http</span> <span>:</span> <span>//127.0.0.1:31001;</span><span> proxy_http_version </span> <span>1.1</span> <span>;</span><span> proxy_set_header X</span> <span>-</span> <span>Real</span> <span>-</span> <span>IP $remote_addr</span> <span>;</span><span> proxy_set_header X</span> <span>-</span> <span>Forwarded</span> <span>-</span> <span>For</span> <span> $proxy_add_x_forwarded_for</span> <span>;</span><span> proxy_set_header </span> <span>Upgrade</span> <span> $http_upgrade</span> <span>;</span><span> proxy_set_header </span> <span>Connection</span> <span> </span> <span>"upgrade"</span> <span>;</span><span> proxy_set_header </span> <span>Host</span> <span> $http_host</span> <span>;</span><span> </span> <span>}</span><span>}</span>
访问效果图
