Using Traefik with Authelia as authenticator, I get no login screen

Question


The setup is this:

  • One dockerhost, running dockers for Kibana/Elasticsearch, Traefik and Authelia
  • Configuration is without labels (because I want to use this reverse proxy configuration (when it finally works) for other setups that don't run on dockers)
  • Two dockerfiles (one for Kibana/Elasticsearch and one for Traefik/Authelia). Kibana is accessible to Traefik on the docker network. I only include the dockerfile for Traefik/Authelia because I don't suspect the accessibility of Kibana to be an issue, and to keep focus on what I think is the problem (Traefik configuration).

I want the following to happen:

What happens:

If I enable the middleware so that Authelia should jump in when I go to https://dockerhost.company.local:5601/, I get a 401 Unauthorized in the browser.

  • Log in Traefik:
    Remote error "http://authelia:9091/api/verify". StatusCode: 401" middlewareName=auth@file middlewareType=ForwardedAuthType

  • Log in Authelia:
    "Access to https://dockerhost.company.local:5601/ (method GET) is not authorized to user <anonymous>, responding with status code 401" method=GET path=/api/verify remote_ip=10.2.120.251

It makes sense that the user 'anonymous' is not authorized, but I don't get a login prompt to authenticate in the first place.

What I tried for troubleshooting:

  • Kibana is accessible through Traefik if I disable the middleware

  • Authelia works and is able to authenticate if I access it directly

I've been trying to get this to work for the last week, but I can't figure out what goes wrong.
What am I missing? Anyone know what's wrong in this config?

Dockerfile for Traefik/Authelia:

    # docker-compose file (compose v3.8 syntax) for the Traefik + Authelia pair
    version: '3.8'
    services:
      traefik:
        image: traefik
        container_name: kibana_traefik
        command:
          - "--api=true"
          # api.insecure serves the dashboard on :8080 without any authentication;
          # only acceptable on a network you trust
          - "--api.insecure=true"
          - "--api.dashboard=true"
          - "--entrypoints.kibana-entrypoint.address=:5601"
          - "--providers.file.filename=/traefik-config/dynamic.toml"
          - "--providers.file.watch=true"
          - "--log.level=DEBUG"
        ports:
          - "8080:8080"
          - "5601:5601"
        volumes:
          # not needed by this configuration (the docker provider is not enabled);
          # the socket gives the container control over the Docker host
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
          - ./traefik-config:/traefik-config
        networks:
          - ods_dev_bridge_network
        depends_on:
          - authelia
        restart: unless-stopped
      authelia:
        container_name: kibana_authelia
        image: authelia/authelia:latest
        volumes:
          - ./authelia-config:/config
        ports:
          - "9091:9091"
        networks:
          - ods_dev_bridge_network
        restart: unless-stopped
    networks:
      ods_dev_bridge_network:
        external: true

Authelia configuration.yml

    server:
      port: 9091
    log:
      level: debug
    jwt_secret: insecure_secret               # placeholder; use a long random value outside a lab
    authentication_backend:
      ldap:
        implementation: activedirectory
        # plain ldap:// with start_tls: false sends the bind credentials and
        # every user password in clear text; use ldaps:// or start_tls: true
        url: ldap://ldapserver.company.local
        timeout: 5s
        start_tls: false
        base_dn: DC=company,DC=local
        # additional_users_dn: OU=Users,OU=COMPANY
        users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))"
        username_attribute: sAMAccountName
        mail_attribute: mail
        display_name_attribute: displayName
        groups_filter: "(&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))"
        group_name_attribute: cn
        permit_referrals: false
        permit_unauthenticated_bind: false
        user: CN=dockeruser_sa,OU=ServiceAccounts,OU=Users,OU=COMPANY,DC=company,DC=local
        password: "<password>"
    totp:
      disable: true
    session:
      name: authelia_session
      domain: company.local                   # the portal and every protected host must sit under this domain
      same_site: lax
      secret: unsecure_session_secret         # placeholder
      expiration: 1h
      inactivity: 5m
      remember_me_duration: 1M
    storage:
      encryption_key: a_very_important_secret # placeholder
      local:
        path: /config/db.sqlite3
    access_control:
      default_policy: one_factor
      rules:
        - domain: dockerhost.company.local
          policy: one_factor
    notifier:
      filesystem:
        filename: /var/lib/authelia/emails.txt

Traefik dynamic.toml:

    [http.routers]
      [http.routers.kibana]
        entryPoints = ["kibana-entrypoint"]
        rule = "Host(`dockerhost.company.local`)"
        service = "kibana-service"
        middlewares = ["auth@file"]
        [http.routers.kibana.tls]

    [http.services]
      [http.services.kibana-service]
        [[http.services.kibana-service.loadBalancer.servers]]
          url = "http://kibana:5601/"

    [http.middlewares]
      [http.middlewares.auth.forwardAuth]
        address = "http://authelia:9091/api/verify"
        # passes client-supplied X-Forwarded-* headers on to Authelia; keep the
        # entrypoint's forwardedHeaders untrusted (the default) unless a trusted
        # proxy sits in front of Traefik
        trustForwardHeader = true
        authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

Answer 1

Score: 0


To answer my own question, after help from the guy who maintains Authelia I've been able to figure out what I was missing. The thing that I didn't get was the URL used in the middleware part. First of all it needs an rd parameter, but I got stuck on the content of that parameter. Turns out it should refer to itself, like so:

address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.local:9091/"

Both URLs point to Authelia, first one is internal, second is external. Because of the external URL, Authelia needs a router+service as well.

This is the end result regarding the Traefik dynamic config:

    [http.routers]
      [http.routers.kibana-router]
        entryPoints = ["kibana-entrypoint"]
        rule = "Host(`dockerhost.company.local`)"
        service = "kibana-service"
        middlewares = ["auth"]                 # the forwardAuth middleware defined below
        [http.routers.kibana-router.tls]

      # Publishes the Authelia portal through Traefik, so the browser can reach
      # the external URL given in rd. The authelia-entrypoint must exist in
      # Traefik's static config (for example
      # --entrypoints.authelia-entrypoint.address=:9091) and its port must be
      # published on the Traefik container; the post does not show that part.
      [http.routers.authelia-router]
        entryPoints = ["authelia-entrypoint"]
        rule = "Host(`dockerhost.company.local`)"
        service = "authelia-service"
        [http.routers.authelia-router.tls]

    [http.services]
      [http.services.kibana-service]
        [[http.services.kibana-service.loadBalancer.servers]]
          url = "http://kibana:5601/"
      [http.services.authelia-service]
        [[http.services.authelia-service.loadBalancer.servers]]
          url = "http://authelia:9091/"

    [http.middlewares]
      [http.middlewares.auth.forwardAuth]
        # address: the internal URL Traefik calls for every request
        # rd: the external portal URL the browser is redirected to when there is no session;
        #     it must be under the session cookie domain (company.local) for the login to stick
        address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.local:9091/"
        trustForwardHeader = true
        authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

With this config Traefik calls Authelia for authentication, and after successful authentication it returns to the original URL and serves Kibana.
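As an added example that is not part of the question or the answer above, and not code from Traefik or Authelia, the following Python script models the exchange behind the thread: the forwardAuth request Traefik makes, and the three answers Authelia's /api/verify can give. The server class is a stand-in that mimics the documented /api/verify behaviour (no session and no rd: 401; no session but rd present: 302 to the portal with the original URL in rd; valid session: 200 plus Remote-* headers). The session store, the cookie value, the identity, and the names FakeAutheliaVerify, forward_auth and demo are assumptions made for the demo.

```python
"""Stand-in for the Traefik forwardAuth <-> Authelia /api/verify exchange.

Added example, not code from the post or from the Traefik/Authelia projects.
The server side mimics the documented /api/verify behaviour; SESSIONS is a
constructed session store standing in for Authelia's database.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

COOKIE_NAME = "authelia_session"  # matches session.name in the post's configuration.yml
# Constructed: cookie value -> identity Authelia would resolve from its session store.
SESSIONS = {
    "s3ss10n": {"user": "jdoe", "groups": "kibana-users",
                "name": "John Doe", "email": "jdoe@company.local"},
}


class FakeAutheliaVerify(BaseHTTPRequestHandler):
    """Minimal /api/verify endpoint with the three outcomes that matter here."""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def do_GET(self):
        url = urlsplit(self.path)
        if url.path != "/api/verify":
            self.send_response(404)
            self.end_headers()
            return
        # Traefik describes the client's original request in X-Forwarded-* headers.
        original = "%s://%s%s" % (self.headers.get("X-Forwarded-Proto", "http"),
                                  self.headers.get("X-Forwarded-Host", ""),
                                  self.headers.get("X-Forwarded-Uri", "/"))
        cookies = dict(c.strip().split("=", 1)
                       for c in self.headers.get("Cookie", "").split(";") if "=" in c)
        identity = SESSIONS.get(cookies.get(COOKIE_NAME))
        if identity:
            # Authenticated: Traefik copies these headers onto the upstream request
            # because they are listed in authResponseHeaders.
            self.send_response(200)
            for key, value in (("Remote-User", identity["user"]),
                               ("Remote-Groups", identity["groups"]),
                               ("Remote-Name", identity["name"]),
                               ("Remote-Email", identity["email"])):
                self.send_header(key, value)
            self.end_headers()
            return
        rd = parse_qs(url.query).get("rd", [None])[0]
        if rd is None:
            # Nowhere to send the browser: the poster's bare 401.
            self.send_response(401)
            self.end_headers()
            return
        # Redirect to the portal and tell it where to return the user afterwards.
        self.send_response(302)
        self.send_header("Location", rd + "?" + urlencode({"rd": original}))
        self.end_headers()


def forward_auth(verify_address, proto, host, uri, cookie=None):
    """Replay what forwardAuth sends to `address` for a client request to
    proto://host/uri; returns (status, response headers). Redirects are not
    followed, because Traefik's forwardAuth client does not follow them either."""
    target = urlsplit(verify_address)
    headers = {"X-Forwarded-Proto": proto, "X-Forwarded-Host": host,
               "X-Forwarded-Uri": uri, "X-Forwarded-Method": "GET"}
    if cookie:
        headers["Cookie"] = cookie
    conn = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
    conn.request("GET", target.path + ("?" + target.query if target.query else ""),
                 headers=headers)
    resp = conn.getresponse()
    result = (resp.status, dict(resp.getheaders()))
    conn.close()
    return result


def demo():
    """Run the three scenarios from the thread against the stand-in server."""
    server = HTTPServer(("127.0.0.1", 0), FakeAutheliaVerify)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d/api/verify" % server.server_address[1]
    client = ("https", "dockerhost.company.local:5601", "/")
    portal = "https://dockerhost.company.local:9091/"
    with_rd = base + "?" + urlencode({"rd": portal})
    try:
        return {
            "no_rd": forward_auth(base, *client),            # the question: bare 401
            "with_rd": forward_auth(with_rd, *client),       # the answer: 302 to the portal
            "authed": forward_auth(with_rd, *client,         # after login: 200 + Remote-*
                                   cookie=COOKIE_NAME + "=s3ss10n"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, headers) in demo().items():
        print(name, status, headers.get("Location") or headers.get("Remote-User", ""))
```

Running the script prints one line per scenario. The 302 case is the behaviour the poster was missing: the Location header carries the portal URL from rd with the original Kibana URL appended as its own rd, which is how the portal knows where to send the user back. The 200 case shows the Remote-* headers that authResponseHeaders copies onto the request to Kibana; Kibana only benefits from them if it is itself configured to trust that header set from the proxy.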

huangapple
  • Posted on 2023-04-11 16:10:16
  • Please keep this link when reposting: https://go.coder-hub.com/75983734.html