gpt4 book ai didi

nginx - Kubernetes NGINX 入口 : Disable external auth for specific path

转载 作者:行者123 更新时间:2023-12-02 11:34:29 26 4
gpt4 key购买 nike

我希望能够为我的应用程序的特定路径禁用外部授权。

类似于此 SO:Kubernetes NGINX Ingress: Disable Basic Auth for specific path

唯一的区别是使用外部身份验证提供程序(通过 Microsoft Azure 的 OAuth),并且有一个

这是公众应该可以到达的路径
/MyPublicPath
我的 ingress.yaml:

apiVersion: extensions/v1beta1 
kind: Ingress
metadata:
name: myIngressName
annotations:
nginx.ingress.kubernetes.io/auth-signin: https://externalprovider/oauth2/sign_in
nginx.ingress.kubernetes.io/auth-url: https://externalprovider/oauth2/auth
nginx.ingress.kubernetes.io/auth-request-redirect: https://myapp/context_root/
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User, X-Auth-Request-Email, X-Auth-Request-Access-Token, Set-Cookie, Authorization
spec:
rules:
- host: myHostName
http:
paths:
- backend:
serviceName: myServiceName
servicePort: 9080
path: /

我能不能让它不打 https://externalprovider/oauth2/auth仅该路径的网址?

我尝试使用 ingress.kubernetes.io/configuration-snippet 将 auth_basic 设置为值“off”,但这似乎与基本 auth 指令相关,而不是外部指令。

最佳答案

我的实验表明不需要有两个 ingress-controllers喜欢 Crou之前的回答中提到过。
一个 Nginx ingress-controller和两个 Ingress objects足以做到这一点。
该实验并未涵盖整个解决方案:未部署身份验证提供程序,因此我们只会看到身份验证请求,但对于检查 Ingress 部分而言,这并不是真正必要的。

以下是详细信息 [TL; DR]:Ingress-controller根据官方manual部署.
两者 my1servicemy2service将流量转发到同一个 Nginx Pod。
我还加了 rewrite-target annotation因为我的目标 Pod 在路径 / 上提供内容只要。
入口 1:

apiVersion: extensions/v1beta1 
kind: Ingress
metadata:
name: myingress1
annotations:
nginx.ingress.kubernetes.io/auth-signin: https://externalprovider/oauth2/sign_in
nginx.ingress.kubernetes.io/auth-url: https://externalprovider/oauth2/auth
nginx.ingress.kubernetes.io/auth-request-redirect: https://myapp/context_root/
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User, X-Auth-Request-Email, X-Auth-Request-Access-Token, Set-Cookie, Authorization
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: myhost.com
http:
paths:
- backend:
serviceName: my1service
servicePort: 80
path: /

Ingress2 :
apiVersion: extensions/v1beta1 
kind: Ingress
metadata:
name: myingress2
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: myhost.com
http:
paths:
- backend:
serviceName: my2service
servicePort: 80
path: /somepath

将它们应用于集群为我们提供了以下 ingress-controller 配置:
(我从 nginx.conf 内容中跳过了不重要的行)
正如我们在此处看到的,每个位置使用不同的规则集,因此可以对某个路径进行身份验证并跳过对另一个路径的身份验证,甚至可以为同一 HTTP 主机上的不同位置使用不同的身份验证提供程序。
入口 Controller 的 nginx.conf:
$ kubectl exec -n ingress-nginx ingress-nginx-controller-7fd7d8df56-xx987 -- cat /etc/nginx/nginx.conf > nginx.conf
$ less nginx.conf

http {

## start server myhost.com
server {
server_name myhost.com ;

location /somepath {
# this location doesn't use authentication and responds with the backend content page.

set $namespace "default";
set $ingress_name "myingress2";
set $service_name "my2service";
set $service_port "80";
set $location_path "/somepath";

set $proxy_upstream_name "default-my2service-80";
set $proxy_host $proxy_upstream_name;
set $pass_access_scheme $scheme;

}

location = /_external-auth-Lw {
internal;

# this location is used for executing authentication requests

set $proxy_upstream_name "default-my1service-80";

proxy_set_header Host externalprovider;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Sent-From "nginx-ingress-controller";
proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header X-Auth-Request-Redirect https://myapp/context_root/;

set $target https://externalprovider/oauth2/auth;
proxy_pass $target;
}

location @64e7eef73f135f7a304693e85336f805005c5bc2 {
internal;

# this location suppose to return authentication error page

add_header Set-Cookie $auth_cookie;

return 302 https://externalprovider/oauth2/sign_in?rd=$pass_access_scheme://$http_host$escaped_request_uri;
}

location / {

# this location requests for authentication from external source before returning the backend content

set $namespace "default";
set $ingress_name "myingress1";
set $service_name "my1service";
set $service_port "80";
set $location_path "/";


set $balancer_ewma_score -1;
set $proxy_upstream_name "default-my1service-80";
set $proxy_host $proxy_upstream_name;
set $pass_access_scheme $scheme;

set $pass_server_port $server_port;

set $best_http_host $http_host;
set $pass_port $pass_server_port;

set $proxy_alternative_upstream_name "";

# this location requires authentication
auth_request /_external-auth-Lw;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $authHeader0 $upstream_http_x_auth_request_user;
proxy_set_header 'X-Auth-Request-User' $authHeader0;
auth_request_set $authHeader1 $upstream_http_x_auth_request_email;
proxy_set_header 'X-Auth-Request-Email' $authHeader1;
auth_request_set $authHeader2 $upstream_http_x_auth_request_access_token;
proxy_set_header 'X-Auth-Request-Access-Token' $authHeader2;
auth_request_set $authHeader3 $upstream_http_set_cookie;
proxy_set_header 'Set-Cookie' $authHeader3;
auth_request_set $authHeader4 $upstream_http_authorization;
proxy_set_header 'Authorization' $authHeader4;

set_escape_uri $escaped_request_uri $request_uri;
error_page 401 = @64e7eef73f135f7a304693e85336f805005c5bc2;


}

}
## end server myhost.com

}
让我们测试一下它是如何工作的:
# ingress-controller IP address is 10.68.0.8

# here I requested / path and internal error and 'externalprovider could not be resolved (3: Host not found)'
# error tells us that authentication was required, but auth backend is not available.
# It's expected.

master-node$ curl http://10.68.0.8/ -H "Host: myhost.com"
<html>
<head><title>500 Internal Server Error</title></head>
<body>
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx/1.19.1</center>
</body>
</html>

#controller logs:
$ kubectl logs -n ingress-nginx ingress-nginx-controller-7fd7d8df56-xx987

10.68.0.1 - - [21/Jul/2020:13:17:06 +0000] "GET / HTTP/1.1" 502 0 "-" "curl/7.47.0" 0 0.072 [default-my1service-80] [] - - - - 158e2f959af845b216c399b939d7c2b6
2020/07/21 13:17:06 [error] 689#689: *119718 externalprovider could not be resolved (3: Host not found), client: 10.68.0.1, server: myhost.com, request: "GET / HTTP/1.1", subrequest: "/_external-auth-Lw", host: "myhost.com"
2020/07/21 13:17:06 [error] 689#689: *119718 auth request unexpected status: 502 while sending to client, client: 10.68.0.1, server: myhost.com, request: "GET / HTTP/1.1", host: "myhost.com"
10.68.0.1 - - [21/Jul/2020:13:17:06 +0000] "GET / HTTP/1.1" 500 177 "-" "curl/7.47.0" 74 0.072 [default-my1service-80] [] - - - - 158e2f959af845b216c399b939d7c2b6

# Then I sent a request to /somepath and got a reply without necessity
# to provide any auth headers.

$ curl http://10.68.0.8/somepath -H "Host: myhost.com"
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
</body>
</html>

#controller logs show the successful reply:
10.68.0.1 - - [21/Jul/2020:13:18:29 +0000] "GET /somepath HTTP/1.1" 200 612 "-" "curl/7.47.0" 82 0.002 [default-my2service-80] [] 10.68.1.3:80 612 0.004 200 3af1d3d48c045be160e2cee8313ebf42

关于nginx - Kubernetes NGINX 入口 : Disable external auth for specific path,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62438259/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com