Preface
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ...) and configures itself automatically and dynamically.
Series articles:
- Traefik series
Today, with Traefik on K8S, we look at how to implement authentication through ForwardAuth, and how to integrate ForwardAuth with OAuth 2.0 or CAS.
The ForwardAuth middleware delegates authentication to an external service. Traefik sends that service a request carrying the headers of the original request; if the service answers with a 2XX status code, access is granted and the original request is forwarded to the backend. Otherwise, the authentication server's response (status code, headers and body) is returned to the client as-is, so a 401, or a 302 pointing at a login page, reaches the client unchanged.
Basic ForwardAuth configuration
Create the ForwardAuth middleware as follows:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
spec:
  forwardAuth:
    # The path depends on your auth server
    address: http://your_auth_server/oauth2.0/validate
    authResponseHeaders:
      - Authorization
    trustForwardHeader: true
```
`authResponseHeaders` lists the headers Traefik copies from the auth server's 2XX response onto the request it forwards to the backend (here `Authorization`). `trustForwardHeader: true` makes Traefik pass client-supplied X-Forwarded-* headers through to the auth server; only enable it when Traefik itself sits behind a trusted proxy that sets those headers, otherwise any client can choose the X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-Uri values the auth server sees.
In addition, a few security-related response headers are usually added as well:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secure-header
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    customResponseHeaders:
      Cache-Control: max-age=31536000
      Pragma: no-cache
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsSeconds: 14400
```
Do not try to set cookie attributes here: a bare `Set-Cookie: secure` response header is not a valid cookie and adds no Secure flag to anything; the Secure and HttpOnly attributes must be set by whichever service issues the cookie. Also note that `customResponseHeaders` applies to every response passing through this middleware, so `Cache-Control: max-age=31536000` lets authenticated content be cached for a year; for a protected application `no-store` is the safer value.
Also for security, HTTP is redirected to HTTPS; the `redirectshttps` middleware referenced below is assumed to be a redirectScheme middleware (scheme: https) defined elsewhere.
Then create the IngressRoute, for example:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: alertmanager
spec:
  routes:
    - kind: Rule
      match: Host(`ewhisper.cn`) && PathPrefix(`/alertmanager/`)
      middlewares:
        - name: redirectshttps
        - name: secure-header
        - name: forward-auth
      services:
        - name: alertmanager
          port: 9093
```
Middlewares are applied in the order listed, so the redirect runs first and the ForwardAuth check last, just before the request reaches the service.
Done!
Integrating OAuth2 Proxy with Traefik ForwardAuth
Creating the ForwardAuth 401 error middleware
Traefik v2's ForwardAuth middleware lets Traefik authenticate every request against oauth2-proxy's /oauth2/auth endpoint, which returns only a 202 Accepted or a 401 Unauthorized response instead of proxying the whole request.
The oauth-errors and oauth-auth middlewares:
```yaml
---
# Purpose: add security headers on the oauth URL
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    sslHost: ewhisper.cn
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true
---
# Purpose: forwardauth
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-auth
spec:
  forwardAuth:
    address: https://oauth.ewhisper.cn/oauth2/auth
    trustForwardHeader: true
---
# Purpose: serve the sign-in page when forwardauth returns 401-403
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-errors
spec:
  errors:
    status:
      - "401-403"
    service: oauth-backend
    query: "/oauth2/sign_in"
```
The `errors` middleware does not redirect: when the inner response status falls in 401-403 it fetches `/oauth2/sign_in` from the `oauth-backend` service (the oauth2-proxy Service on port 4180, assumed to exist in the same namespace) and returns that page's headers and body to the client, keeping the intercepted status code. `sslRedirect` and `sslHost` in the headers middleware are deprecated in later Traefik v2 releases in favour of the redirectScheme middleware.
IngressRoute for oauth2-proxy itself:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: oauth
spec:
  routes:
    - kind: Rule
      match: "Host(`ewhisper.cn`, `oauth.ewhisper.cn`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - name: auth-headers
      services:
        - name: oauth-backend
          port: 4180
```
IngressRoute for any other application that needs OAuth:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: alertmanager
spec:
  routes:
    - kind: Rule
      match: Host(`ewhisper.cn`) && PathPrefix(`/alertmanager/`)
      middlewares:
        - name: redirectshttps
        - name: oauth-errors
        - name: oauth-auth
      services:
        - name: alertmanager
          port: 9093
```
The order matters: `oauth-errors` is listed before `oauth-auth` so that it wraps the ForwardAuth middleware and catches the 401 returned for an unauthenticated request; listed the other way round, the client would only get the bare 401.
Done!
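To see the contract that both the basic ForwardAuth section and the oauth2-proxy section rely on without a cluster, here is an added Python emulation of the errors -> forwardAuth -> service chain of the alertmanager IngressRoute above. It is example code written for this page, not Traefik's, oauth2-proxy's or the author's code: the auth server, the upstream, the session cookie store, the hostnames and the X-Auth-Request-Email header are constructed stand-ins, the `authResponseHeaders` entry is added to show the header copy (the page's oauth-auth middleware lists none), and the `redirectshttps` middleware is left out.

```python
"""Offline emulation of the middleware chain on this page (errors -> forwardAuth -> service).
Added example, not Traefik's or oauth2-proxy's code: the auth server, upstream, session
store and every hostname and value below are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

Headers = Dict[str, str]

@dataclass
class Request:
    method: str
    host: str
    uri: str
    headers: Headers = field(default_factory=dict)
    tls: bool = True

@dataclass
class Response:
    status: int
    headers: Headers = field(default_factory=dict)
    body: str = ""

Handler = Callable[[Request], Response]
AUTH_SERVER_LOG: List[Headers] = []  # headers the stand-in auth server received
SESSIONS = {"s3ss10n-alice": "alice@example.com"}  # constructed cookie -> user store

def oauth2_proxy(req: Request) -> Response:
    """Stand-in for oauth2-proxy (port 4180), assumed behaviour: /oauth2/auth answers 202
    plus X-Auth-Request-Email for a valid _oauth2_proxy cookie, 401 otherwise;
    /oauth2/sign_in serves the login page."""
    if req.uri == "/oauth2/auth":
        AUTH_SERVER_LOG.append(dict(req.headers))
        cookies = dict(p.strip().split("=", 1)
                       for p in req.headers.get("Cookie", "").split(";") if "=" in p)
        user = SESSIONS.get(cookies.get("_oauth2_proxy"))
        if user is None:
            return Response(401, {"Content-Type": "text/plain"}, "Unauthorized")
        return Response(202, {"X-Auth-Request-Email": user}, "Accepted")
    if req.uri == "/oauth2/sign_in":
        return Response(200, {"Content-Type": "text/html"}, "<html>Sign in</html>")
    return Response(404, {}, "not found")

def alertmanager(req: Request) -> Response:
    # Stand-in upstream (port 9093) that echoes the identity header it was handed.
    return Response(200, {"Content-Type": "text/plain"},
                    "alertmanager for " + req.headers.get("X-Auth-Request-Email", "<nobody>"))

def forward_auth(address: str, auth_server: Handler, auth_response_headers: List[str],
                 trust_forward_header: bool, next_handler: Handler) -> Handler:
    """spec.forwardAuth: GET `address` with the client's headers plus X-Forwarded-*.
    2xx lets the request through, copying the listed auth response headers onto it;
    any other status is handed back to the client as the auth server sent it."""
    target = urlsplit(address)

    def handler(req: Request) -> Response:
        auth_headers = dict(req.headers)
        own = {"X-Forwarded-Method": req.method, "X-Forwarded-Uri": req.uri,
               "X-Forwarded-Proto": "https" if req.tls else "http",
               "X-Forwarded-Host": req.host}
        for name, value in own.items():
            # trustForwardHeader: true keeps a client-supplied X-Forwarded-* value;
            # false lets Traefik's own view of the request win.
            if not (trust_forward_header and req.headers.get(name)):
                auth_headers[name] = value
        auth_resp = auth_server(Request("GET", target.netloc, target.path, auth_headers,
                                        target.scheme == "https"))
        if 200 <= auth_resp.status < 300:
            forwarded = Request(req.method, req.host, req.uri, dict(req.headers), req.tls)
            for name in auth_response_headers:
                if name in auth_resp.headers:
                    forwarded.headers[name] = auth_resp.headers[name]
            return next_handler(forwarded)
        return Response(auth_resp.status, dict(auth_resp.headers), auth_resp.body)
    return handler

def errors(status_ranges: List[Tuple[int, int]], error_service: Handler, query: str,
           next_handler: Handler) -> Handler:
    """spec.errors: when the inner status is in a configured range, fetch `query` from
    the error service and return its headers and body under the original status."""
    def handler(req: Request) -> Response:
        resp = next_handler(req)
        if not any(lo <= resp.status <= hi for lo, hi in status_ranges):
            return resp
        page = error_service(Request("GET", req.host, query.replace("{status}", str(resp.status)),
                                     dict(req.headers), req.tls))
        return Response(resp.status, dict(page.headers), page.body)
    return handler

def build_alertmanager_route(trust_forward_header: bool = True) -> Handler:
    """Chain from the alertmanager IngressRoute: the first listed middleware is outermost,
    so oauth-errors wraps oauth-auth and catches its 401.  The authResponseHeaders entry
    is an addition here; the page's oauth-auth middleware lists none."""
    chain = forward_auth("https://oauth.ewhisper.cn/oauth2/auth", oauth2_proxy,
                         ["X-Auth-Request-Email"], trust_forward_header, alertmanager)
    return errors([(401, 403)], oauth2_proxy, "/oauth2/sign_in", chain)
```

Calling `build_alertmanager_route()` on a request with a valid `_oauth2_proxy` cookie yields a 200 whose body shows the identity header copied from the auth response; with no cookie the client gets a 401 whose body is the sign-in page; and a client-supplied `X-Forwarded-Host` shows up in `AUTH_SERVER_LOG` only when `trust_forward_header` is True, which is exactly the spoofing window that `trustForwardHeader: true` opens when Traefik is not fronted by a trusted proxy.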
References
- ForwardAuth | Traefik | v2.0
- Overview | OAuth2 Proxy (oauth2-proxy.github.io)
EOF
"Among any three people walking together there is one I can learn from; knowledge shared, the world for all." This article was written by the 东风微鸣 technical blog, EWhisper.cn.