Using Traefik with Authelia as the authenticator, I get no login screen

The setup is as follows:

  • One dockerhost running the Kibana/Elasticsearch, Traefik and Authelia dockers
  • Configuration without labels (because I want to use this reverse-proxy configuration, once it finally works, for other setups that don't run in dockers)
  • Two dockerfiles (one for Kibana/Elasticsearch, one for Traefik/Authelia); through a docker network, Traefik can reach Kibana. I only include the dockerfile for Traefik/Authelia, because I don't suspect Kibana's reachability is a problem, and to stay focused on what I think the problem is (the Traefik configuration).

What I want to happen:

  • The user opens the url https://dockerhost.company.local:5601/
  • The user is shown the Authelia login window
  • After successful (single-factor) authentication, Kibana appears

What does happen:

If I enable the middleware so that Authelia should step in when I visit https://dockerhost.company.local:5601/, I get a 401 Unauthorized in the browser.

  • Traefik log:
    Remote error ``http://authelia:9091/api/verify``. StatusCode: 401" middlewareName=auth@file middlewareType=ForwardedAuthType

  • Authelia log:
    "Access to ``https://dockerhost.company.local:5601/`` (method GET) is not authorized to user <anonymous>, responding with status code 401" method=GET path=/api/verify remote_ip=10.2.120.251

It makes sense that user "anonymous" is not authorized, but I don't get a login prompt to authenticate first.

Troubleshooting I tried:

  • If I disable the middleware, Kibana is reachable through Traefik

  • Authelia works; if I access it directly, it can authenticate

I've been struggling for a week to get this working, but I can't figure out what's wrong.
What am I missing? Does anyone know what is wrong with this configuration?

Dockerfile for Traefik/Authelia:

version: '3.8'
services:
  traefik:
    image: traefik
    container_name: kibana_traefik
    command:
      - "--api=true"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--entrypoints.kibana-entrypoint.address=:5601"
      - "--providers.file.filename=/traefik-config/dynamic.toml"
      - "--providers.file.watch=true"
      - "--log.level=DEBUG"
    ports:
      - "8080:8080"
      - "5601:5601"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./traefik-config:/traefik-config
    networks:
      - ods_dev_bridge_network
    depends_on:
      - authelia
    restart: unless-stopped
  authelia:
    container_name: kibana_authelia
    image: authelia/authelia:latest
    volumes:
      - ./authelia-config:/config
    ports:
      - "9091:9091"
    networks:
      - ods_dev_bridge_network
    restart: unless-stopped
networks:
  ods_dev_bridge_network:
    external: true

Authelia configuration.yml

server.port: 9091
log.level: debug
jwt_secret: insecure_secret
authentication_backend:
  ldap:
    implementation: activedirectory
    url: ldap://ldapserver.company.local
    timeout: 5s
    start_tls: false
    base_dn: DC=company,DC=local
    #    additional_users_dn: OU=Users,OU=COMPANY
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))
    username_attribute: sAMAccountName
    mail_attribute: mail
    display_name_attribute: displayName
    groups_filter: (&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))
    group_name_attribute: cn
    permit_referrals: false
    permit_unauthenticated_bind: false
    user: CN=dockeruser_sa,OU=ServiceAccounts,OU=Users,OU=COMPANY,DC=company,DC=local
    password: <password>
totp:
  disable: true
session:
  name: authelia_session
  domain: company.local
  same_site: lax
  secret: unsecure_session_secret
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M
storage:
  encryption_key: a_very_important_secret
  local:
    path: /config/db.sqlite3
access_control:
  default_policy: one_factor
  rules:
    - domain: dockerhost.company.local
      policy: one_factor
notifier:
  filesystem:
    filename: /var/lib/authelia/emails.txt

Traefik dynamic.toml:

[http.routers]
[http.routers.kibana]
entryPoints = ["kibana-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "kibana-service"
middlewares = ["auth@file"]
[http.routers.kibana.tls]
[http.services]
[http.services.kibana-service]
[[http.services.kibana-service.loadBalancer.servers]]
url = "http://kibana:5601/"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://authelia:9091/api/verify"
trustForwardHeader = true
authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

Answering my own question: with the help of the guys who maintain Authelia, I've been able to figure out what I was missing. What I didn't get was the URL used in the middleware section. First, it needs an rd parameter, but I was stuck on what the content of that parameter should be. It turns out it should refer to itself, like this:

address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.nl:9091/"

Both urls point to Authelia, the first one internal, the second one external. Because of the external URL, Authelia also needs a router + service.

This is the end result for the Traefik dynamic configuration:

[http.routers]
[http.routers.kibana-router]
entryPoints = ["kibana-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "kibana-service"
middlewares = "auth"
[http.routers.kibana-router.tls]
[http.routers.authelia-router]
entryPoints = ["authelia-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "authelia-service"
[http.routers.authelia-router.tls]
[http.services]
[http.services.kibana-service]
[[http.services.kibana-service.loadBalancer.servers]]
url = "http://kibana:5601/"
[http.services.authelia-service]
[[http.services.authelia-service.loadBalancer.servers]]
url = "http://authelia:9091/"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.local:9091/"
trustForwardHeader = true
authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

With this configuration, Traefik calls Authelia for authentication; after a successful authentication it returns to the original url and serves Kibana.
