一、NodePort暴露Service原理

 二、物理机192.168.1.111上部属nginx

生成 SSL 证书
mkdir -p /etc/nginx/cert/
cd /etc/nginx/cert/
1.创建服务器证书密钥文件 server.key：
openssl genrsa -des3 -out server.key 1024
输入密码，确认密码，自己随便定义，但是要记住，后面会用到。
2.创建服务器证书的申请文件 server.csr
openssl req -new -key server.key -out server.csr
输出内容为：
Enter pass phrase for root.key: ← 输入前面创建的密码
Country Name (2 letter code) [AU]:CN ← 国家代号，中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名，拼音
Locality Name (eg, city) []:BeiJing ← 市的全名，拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名
Organizational Unit Name (eg, section) []: ← 可以不输入
Common Name (eg, YOUR name) []: ← 此时不输入
Email Address []:admin@mycompany.com ← 电子邮箱，可随意填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 可以不输入
An optional company name []: ← 可以不输入
4.备份一份服务器密钥文件
cp server.key server.key.org
5.去除文件口令
openssl rsa -in server.key.org -out server.key
6.生成证书文件server.crt
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

#查看gcc版本 
gcc -v
#没有安装的话会提示命令找不到
yum -y install gcc
#pcre、pcre-devel安装
yum install -y pcre pcre-devel
#zlib安装
yum install -y zlib zlib-devel
#安装openssl
yum install -y openssl openssl-devel
#安装nginx
yum install -y wget
wget http://nginx.org/download/nginx-1.9.9.tar.gz  
#把压缩包解压到/application/nginx-1.9.9
tar -zxvf  nginx-1.9.9.tar.gz
#切换到cd /application/nginx-1.9.9/下面
chmod +x configure
./configure --with-http_ssl_module
make
make install
#切换到/usr/local/nginx安装目录
#配置nginx的配置文件nginx.conf文件
#覆盖使用自己的配置文件（copy 到服务器！！！）
#启动nginx服务 切换目录到/usr/local/nginx/sbin
./nginx -c /usr/local/nginx/conf/nginx.conf #启动nginx 或使用 /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
./nginx -s quit #优雅的关闭
./nginx -s stop #关闭
./nginx -s reload  #重新加载配置文件
#检查配置文件语法是否正确
./nginx -t  
#查看nginx版本信息
./nginx -v  
#查看nginx服务是否启动成功
ps -ef | grep nginx
Kill 1234

#防火墙允许443和80
#开放端口
firewall-cmd --zone=public --add-port=443/tcp --permanent   # 开放443端口
firewall-cmd --zone=public --add-port=80/tcp --permanent   # 开放80端口
firewall-cmd --reload   # 配置立即生效
#查看防火墙所有开放的端口
firewall-cmd --zone=public --list-ports
#关闭防火墙
如果要开放的端口太多，嫌麻烦，可以关闭防火墙，安全性自行评估
systemctl stop firewalld.service
#查看防火墙状态
firewall-cmd --state

nginx 设置开机启动

touch /usr/lib/systemd/system/nginx.service
nano /usr/lib/systemd/system/nginx.service

2、写入内容如下：

[Unit]
Description=nginx
After=network.target
  
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true
  
[Install]
WantedBy=multi-user.target

[Unit]:服务的说明
Description:描述服务
After:描述服务类别
[Service]服务运行参数的设置
Type=forking是后台运行的形式
ExecStart为服务的具体运行命令
ExecReload为重启命令
ExecStop为停止命令
PrivateTmp=True表示给服务分配独立的临时空间
注意：[Service]的启动、重启、停止命令全部要求使用绝对路径
systemctl enable nginx.service
systemctl status nginx.service

配置Nginx配置文件：覆盖使用自己的配置文件（copy 到服务器！！！），此处说明具体文件：

/usr/local/nginx/conf

                             --nginx.conf

                             --sites

                                  --api.demo.com.conf

nginx.conf

worker_processes 1;
worker_rlimit_nofile 60000;

events 
{
  use epoll;
  worker_connections 60000;
}


http 
{
  include       mime.types;
  default_type  application/octet-stream;
  charset  utf-8;

  sendfile        on;
  client_max_body_size 60m;
  keepalive_timeout  90s;
  proxy_connect_timeout 300s;
  proxy_send_timeout 360s;
  proxy_read_timeout 360s; 

  proxy_buffers         4 256k;
  proxy_buffer_size     128k;
  proxy_busy_buffers_size   256k;
  large_client_header_buffers 4 128k;


  log_format main '$host $remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $http_x_forwarded_for $request_time';

  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
  }


  upstream kubernetes  {
    server 192.168.31.107:30088; #k8s 暴露的NodePort（nginx Service）
  }

 upstream netcoreweb  {
    server 192.168.31.180:5000;
 }

  include sites/*.conf;

}

api.demo.com.conf

指向k8s中nginx暴露的地址

server {
    listen 80;
    server_name api.demo.com;
    access_log off;
    rewrite ^/(.*) https://api.demo.com/$1 permanent;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/cert/server.crt;
    ssl_certificate_key /etc/nginx/cert/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    server_name   api.demo.com;
    access_log    logs/api.demo.com.log main;

    location / {
        proxy_pass http://kubernetes;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }
}

 不用k8s

server {
    listen 80;
    server_name api.demo.com;
    access_log off;
    rewrite ^/(.*) https://api.demo.com/$1 permanent;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/cert/server.crt;
    ssl_certificate_key /etc/nginx/cert/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    server_name   api.demo.com;
    access_log    logs/api.demo.com.log main;

    location / {
        proxy_pass http://netcoreweb;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }
}

cd /usr/local/nginx/sbin
./nginx -s reload

三、windowns客户Pc配置host:

运行效果：