frp配置内网穿透暴露kubernetes集群
前言
1核2G的服务器太垃圾了,搭了kubernetes,但是各种组件都吃性能,研究了一下内网穿透,尝试让电脑在开机的时候可以用公网ip访问服务,这样就完全没有性能瓶颈了
折腾了很久。。。对于rancher,helm装完有一大大大大堆的资源被安装下来了,也不知道它的流量是怎么走的,会重定向一次host,导致循环重定向,排查了半天,最终放弃挣扎了,但是正常的服务是可以用的,同时放弃了ingress-nginx,换用了apisix,这一步也折腾了很久
frp
server和client都要有
1
| wget https://github.com/fatedier/frp/releases/download/v0.48.0/frp_0.48.0_linux_amd64.tar.gz
|
1
| tar -zxvf frp_0.48.0_linux_amd64.tar.gz
|
配置server
vim frps.ini
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
| [common]
bind_port = 7000
token = b3rpf5Gm
dashboard_port = 7001
dashboard_user = admin dashboard_pwd = admin enable_prometheus = true
log_file = /var/log/frps.log log_level = info log_max_days = 3
|
添加到systemctl命令组,保证开机自启动,当然你也可以用docker跑服务
1 2 3 4
| sudo mkdir -p /etc/frp
sudo ln -s /root/frp/frps.ini /etc/frp/frps.ini sudo cp frps /usr/bin
|
vim /usr/lib/systemd/system/frps.service
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| [Unit] Description=The nginx HTTP and reverse proxy server After=network.target remote-fs.target nss-lookup.target
[Service] Type=simple ExecStart=/usr/local/frp/frps -c /usr/local/frp/frps.ini KillSignal=SIGQUIT TimeoutStopSec=5 KillMode=process PrivateTmp=true StandardOutput=syslog StandardError=inherit
[Install] WantedBy=multi-user.target
|
1 2 3
| systemctl daemon-reload systemctl enable frps systemctl start frps
|
记得打开需要的端口安全组和防火墙
配置client
vim frpc.ini
1 2 3 4 5 6 7 8 9 10 11
| [common] server_addr = <ip> server_port = 7000 token = b3rpf5Gm
[ssh] type = tcp local_ip = 127.0.0.1 local_port = 22
remote_port = 7002
|
1 2 3
| sudo cp -r frp /usr/local/
sudo vim /usr/lib/systemd/system/frpc.service
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| [Unit] Description=The nginx HTTP and reverse proxy server After=network.target remote-fs.target nss-lookup.target
[Service] Type=simple ExecStart=/usr/local/frp/frpc -c /usr/local/frp/frpc.ini KillSignal=SIGQUIT TimeoutStopSec=5 KillMode=process PrivateTmp=true StandardOutput=syslog StandardError=inherit
[Install] WantedBy=multi-user.target
|
1 2 3
| systemctl daemon-reload systemctl enable frpc systemctl start frpc
|
配置完后,可以通过ssh来测试是否能登陆自己的机器
k8s
配置fpcs,添加
公网server nginx配置,将请求转发到frp的http端口
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
| map $http_upgrade $connection_upgrade { default upgrade; '' close; }
server { listen 80; server_name *.k8s.ryaoknw.site k8s.ryaoknw.site; return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name *.k8s.ryaoknw.site k8s.ryaoknw.site; ssl_certificate /etc/letsencrypt/live/k8s.ryaoknw.site-0001/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/k8s.ryaoknw.site-0001/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_pass http://127.0.0.1:7080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } }
|
配置frpc,frpc.ini
1 2 3 4 5 6
| [http] type = http local_ip = 127.0.0.1 local_port = 80 custom_domains = *.k8s.ryaoknw.site,k8s.ryaoknw.site remote_port = 7080
|
内网nginx配置,对应http端口(7080)会被frpc转发到127.0.01:80,nginx代理了80端口,将请求转发到上游node
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
| upstream k8s { server 192.168.199.111:80; } map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; server_name *.k8s.ryaoknw.site k8s.ryaoknw.site; location / { proxy_pass http://k8s; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } }
|
至此配置完毕,可以部署服务在本地集群,然后用ingress暴露即可访问