我正在尝试为受基本身份验证保护的后端服务设置简单的规则。当我尝试使用 curl 或邮递员发送请求时,它工作得很好,问题是当我的前端应用程序尝试做同样的事情时。据我了解,浏览器发送用于 CORS 策略检查的预检请求(OPTIONS 方法(。问题是授权标头未添加到此请求中,该请求通过服务器响应 401 进行解析。有没有办法让入口省略特定方法的授权?
这是我的入口(nginx(配置:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: somesome-routing
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
rules:
- host: somesome.com
http:
paths:
- path: /
backend:
serviceName: backend-service
servicePort: 80
我最终得到了解决方法,包括两个入口 - 一个是安全的,它将流量路由到前端应用程序,第二个是不安全的,它路由到我自己的基于 nginx 的 API 网关,它本身定义了身份验证规则:
#secure-ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: secure-routing
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt-staging"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
rules:
- host: somesome.com
http:
paths:
- path: /
backend:
serviceName: frontend-service
servicePort: 80
#ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: routing
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
rules:
- host: api.somesome.com
http:
paths:
- path: /
backend:
serviceName: api-gateway-service
servicePort: 80
# api-gateway/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
log_format timed_combined '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
access_log /var/log/nginx/access.log timed_combined;
client_max_body_size 20M;
default_type application/octet-stream;
include mime.types;
keepalive_timeout 65;
resolver ${RESOLVER} ipv6=off;
sendfile on;
server {
listen 80;
server_name localhost;
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_types text/plain application/json application/xml;
location ~* ^/backend_path {
add_header 'Access-Control-Allow-Headers' 'authorization,content-type,iplanetdirectorypro';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, OPTIONS, DELETE';
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_send_timeout 6000;
proxy_read_timeout 6000;
proxy_pass http://${BACKEND}$request_uri;
}
}
}
身份验证或外部身份验证会中断预检/CORS,因为默认模板未以正确的方式处理选项请求。事实上,所有 HTTP 方法的身份验证处理都是相同的。
因此,要回答的问题是"我如何以不同的方式处理 OPTIONS 请求?"或"我如何仅将身份验证应用于特定方法"。 您可以通过配置片段实现此目的。(看这里:nginx-ingress docs(
你可以在这里找到一个类似的问题:如何在ngnix入口中的特定HTTP方法上放置基本身份验证?