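The previous architecture put a Los Angeles server in front, so requests took a detour around the whole country. This time frps is deployed on a Tencent Cloud HK node, and nginx on that host uses proxy_pass to forward to the frps port. Traffic is sent over TCP into the k8s network back at my hometown. In frpc, local_ip is changed to point directly at wordpress-svc, the workload is scaled to 2 pods for access testing, and HTTPS is configured.
Architecture diagram
Environment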
- Kubernetes 1.24
- WordPress 6.2
- frpc 0.33
- Nginx 1.22.1
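The blog test environment runs in a k8s container network on an internal network at my hometown in Weihai, Shandong, and I sometimes need to reach it remotely from Beijing for testing. A NAT network obviously cannot be reached directly from outside on port 80, so I use frp for access and simply deploy a pod to get it configured quickly.
For deploying frps, see the other articles on this blog. Both are plain binaries and the frps configuration is almost identical to frpc's; just adjust the corresponding settings, so I won't cover it separately here.
Create the frpc ConfigMap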
apiVersion: v1
kind: ConfigMap
metadata:
  name: frpc
  namespace: wordpress
data:
  frpc.ini: |-
    [common]
    # The token is optional; if one is set in frps, fill it in here
    token = xxxx
    # Public cloud IP
    server_addr =
    # Public cloud port
    server_port = 31000
    log_level = info
    [wordpress-i4t]
    type = tcp
    # The local Service (svc) address is used here
    local_ip = wordpress-svc
    local_port = 80
    remote_port = 31001
Create the frpc ConfigMap in the cluster
[root@k8s-01 frpc]# kubectl create -f frpc-cm.yaml
configmap/frpc created
[root@k8s-01 frpc]# kubectl get cm -n wordpress
NAME DATA AGE
frpc 1 4s
istio-ca-root-cert 1 3d9h
kube-root-ca.crt 1 3d9h
wordpress-configmap 2 3d3h
Next, create the frpc Deployment. I keep it in the wordpress namespace as well, which makes it easier to manage everything together later.
[root@k8s-01 frpc]# cat frpc-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frpc
  namespace: wordpress
  labels:
    app: frpc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frpc
  template:
    metadata:
      labels:
        app: frpc
    spec:
      containers:
      - name: frpc
        image: snowdreamtech/frpc:0.33.0
        volumeMounts:
        - name: frpc
          mountPath: "/etc/frp"
          readOnly: true
      volumes:
      - configMap:
          defaultMode: 420
          name: frpc
        name: frpc
      # The ConfigMap is mounted here; change the name to match your own
Check the pod startup logs
[root@k8s-01 frpc]# kubectl get pod -n wordpress
NAME READY STATUS RESTARTS AGE
centos-client-75f686d587-lv2b2 1/1 Running 0 3d2h
frpc-5dffdf574-pqld7 1/1 Running 3 (38s ago) 66s
mysql-7fddbb85bb-xzcmf 1/1 Running 0 3d9h
wordpress-deployment-5748d8485-4bfzt 1/1 Running 0 2d6h
wordpress-deployment-5748d8485-9qvrb 1/1 Running 0 2d6h
# frpc pod logs
[root@k8s-01 frpc]# kubectl logs -f -n wordpress frpc-5dffdf574-pqld7
2023/08/12 16:33:13 [I] [service.go:282] [47ead06b4b174641] login to server success, get run id [47ead06b4b174641], server udp port [0]
2023/08/12 16:33:13 [I] [proxy_manager.go:144] [47ead06b4b174641] proxy added: [wordpress-i4t]
2023/08/12 16:33:13 [I] [control.go:179] [47ead06b4b174641] [wordpress-i4t] start proxy success
^C
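Access test
frp server:port configured in frpc
At this point the setup is actually complete, because frpc does not need a Service address of its own. It is only a client.
Configure the rest as needed. If you want nginx in front, here is an nginx upstream configuration file that proxies to the local ip:xxx port.
nginx needs to be configured on the frps server
I need an nginx configuration file here, so I added it directly on the frps server.
- This one proxies port 80; for 443, see the configuration further below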
[root@VM-8-10-centos conf.d]# cat wp-test.conf
server {
    listen 80;
    listen [::]:80;
    server_name i4t.cn www.i4t.cn;
    location / {
        proxy_pass http://127.0.0.1:31001;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}
Result screenshot
- Add nginx port 443
- Add the HTTPS-enabling code to wp-config.php (choose one of these two)
- HTTPS also needs to be enabled in WordPress beforehand
Edit the WordPress wp-config.php file
$_SERVER['HTTPS'] = 'ON'; // Enable HTTPS for WordPress
# Find the block below and add the $_SERVER['HTTPS'] = 'ON' line above it
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
The certificate paths are /data/i4t.crt and /data/i4t.key; replace them with your own.
- The proxy_pass address needs to be changed to match your setup
[root@VM-8-10-centos conf.d]# cat wp-test.conf
server {
    listen 80;
    listen [::]:80;
    server_name www.i4t.cn i4t.cn;
    return 301 https://i4t.cn$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /data/i4t.crt;
    ssl_certificate_key /data/i4t.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    server_name i4t.cn www.i4t.cn;
    index index.html index.htm;
    error_page 400 = /400.html;
    ssl_early_data on;
    ssl_stapling on;
    ssl_stapling_verify on;
    location / {
        # CORS headers, to avoid cross-origin errors
        add_header 'Access-Control-Allow-Origin' $http_origin;
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,web-token,app-token,Authorization,Accept,Origin,Keep-Alive,User-Agent,X-Mx-ReqToken,X-Data-Type,X-Auth-Token,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        proxy_pass http://127.0.0.1:31001;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}
Access result screenshot
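A tighter variant of the 443 server block, added here as an example and not part of the original configuration. The original reflects any Origin header back while also allowing credentials, so this version only echoes origins from an allowlist and limits TLS to 1.2 and 1.3. The allowlist entries, the cipher string and the variable names $cors_origin and $cors_credentials are assumptions; the domains, certificate paths and upstream port are the ones used on this page.

```nginx
# Added example, not the author's configuration.
# map blocks belong in the http{} context; files in conf.d/ are normally included there.
map $http_origin $cors_origin {
    default               "";             # unknown origin: no CORS header is sent
    "https://i4t.cn"      $http_origin;   # assumed allowlist: the site's own origins
    "https://www.i4t.cn"  $http_origin;
}
map $cors_origin $cors_credentials {
    default  "";
    "~."     "true";                      # credentials only for an allowlisted origin
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name i4t.cn www.i4t.cn;

    ssl_certificate     /data/i4t.crt;
    ssl_certificate_key /data/i4t.key;
    ssl_protocols       TLSv1.2 TLSv1.3;  # TLSv1.1 dropped (deprecated by RFC 8996)
    ssl_ciphers         EECDH+CHACHA20:EECDH+AESGCM:!aNULL:!MD5;  # no 3DES, no static RSA
    ssl_prefer_server_ciphers on;
    # ssl_early_data stays at its default (off): 0-RTT request data can be replayed.

    location / {
        # add_header emits nothing when the value is an empty string
        add_header 'Access-Control-Allow-Origin'      $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
        add_header 'Vary'                             'Origin' always;

        # frps also listens on remote_port 31001 itself; keep that port closed in the
        # host firewall / security group so clients have to come through nginx.
        proxy_pass http://127.0.0.1:31001;
        proxy_http_version 1.1;
        proxy_set_header Host            $http_host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      "upgrade";
    }
}
```

Run `nginx -t` before reloading to confirm the map blocks are picked up in the http context.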