英文:
Using Traefik with Authelia as authenticator, I get no login screen
问题
安装情况如下:
- 一个 Docker 主机,运行 Kibana/Elasticsearch、Traefik 和 Authelia 的 Docker 容器。
- 配置没有标签(因为我想要在其他不运行在 Docker 上的设置中使用这个反向代理配置,一旦它能正常工作)。
- 有两个 Dockerfile(一个用于 Kibana/Elasticsearch,一个用于 Traefik/Authelia)。Kibana 在 Docker 网络上对 Traefik 可访问。我只包括 Traefik/Authelia 的 Dockerfile,因为我不怀疑 Kibana 的可访问性会有问题,而且我想把重点放在我认为有问题的地方(Traefik 配置)上。
我希望发生以下情况:
- 用户打开 URL https://dockerhost.company.local:5601/
- 用户看到 Authelia 的登录窗口
- 在成功(单因素)认证后,出现 Kibana
发生了什么情况:
如果我启用中间件,使得当我访问 https://dockerhost.company.local:5601/ 时,Authelia 应该介入,我在浏览器中得到一个 401 未授权的错误。
-
Traefik 中的日志:
远程错误 "http://authelia:9091/api/verify"。StatusCode: 401" middlewareName=auth@file middlewareType=ForwardedAuthType
-
Authelia 中的日志:
"对用户 <anonymous>,未经授权访问 https://dockerhost.company.local:5601/(方法 GET),响应状态码为 401" method=GET path=/api/verify remote_ip=10.2.120.251
这使得 'anonymous' 用户未经授权是有道理的,但我首先没有收到身份验证的登录提示。
我尝试过的故障排除方法:
- 如果我禁用中间件,Traefik 可以通过访问 Kibana。
- 如果我直接访问,Authelia 可以工作并能够进行身份验证。
我已经尝试了一周了,但我搞不清楚出了什么问题。我漏掉了什么?有人知道这个配置中有什么问题吗?
Traefik/Authelia 的 Dockerfile:
version: '3.8'
services:
traefik:
image: traefik
container_name: kibana_traefik
command:
- "--api=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--entrypoints.kibana-entrypoint.address=:5601"
- "--providers.file.filename=/traefik-config/dynamic.toml"
- "--providers.file.watch=true"
- "--log.level=DEBUG"
ports:
- "8080:8080"
- "5601:5601"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- ./traefik-config:/traefik-config
networks:
- ods_dev_bridge_network
depends_on:
- authelia
restart: unless-stopped
authelia:
container_name: kibana_authelia
image: authelia/authelia:latest
volumes:
- ./authelia-config:/config
ports:
- "9091:9091"
networks:
- ods_dev_bridge_network
restart: unless-stopped
networks:
ods_dev_bridge_network:
external: true
Authelia 的配置文件 configuration.yml:
server.port: 9091
log.level: debug
jwt_secret: insecure_secret
authentication_backend:
ldap:
implementation: activedirectory
url: ldap://ldapserver.company.local
timeout: 5s
start_tls: false
base_dn: DC=company,DC=local
# additional_users_dn: OU=Users,OU=COMPANY
users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))"
username_attribute: sAMAccountName
mail_attribute: mail
display_name_attribute: displayName
groups_filter: "(&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))"
group_name_attribute: cn
permit_referrals: false
permit_unauthenticated_bind: false
user: CN=dockeruser_sa,OU=ServiceAccounts,OU=Users,OU=COMPANY,DC=company,DC=local
password: "<password>"
totp:
disable: true
session:
name: authelia_session
domain: company.local
same_site: lax
secret: unsecure_session_secret
expiration: 1h
inactivity: 5m
remember_me_duration: 1M
storage:
encryption_key: a_very_important_secret
local:
path: /config/db.sqlite3
access_control:
default_policy: one_factor
rules:
- domain: dockerhost.company.local
policy: one_factor
notifier:
filesystem:
filename: /var/lib/authelia/emails.txt
Traefik 的 dynamic.toml:
[http.routers]
[http.routers.kibana]
entryPoints = ["kibana-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "kibana-service"
middlewares = ["auth@file"]
[http.routers.kibana.tls]
[http.services]
[http.services.kibana-service]
[[http.services.kibana-service.loadBalancer.servers]]
url = "http://kibana:5601/"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://authelia:9091/api/verify"
trustForwardHeader = true
authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
英文:
The setup is this:
- One dockerhost, running dockers for Kibana/Elasticsearch, Traefik and Authelia
- Configuration is without labels (because I want to use this reverse proxy configuration (when it finally works) for other setups that don't run on dockers)
- Two dockerfiles (one for Kibana/Elasticsearch and one for Traefik/Authelia). Kibana is accessible to Traefik on the docker network. I only include the dockerfile for Traefik/Authelia because I don't suspect the accessibilty of Kibana to be an issue, and to keep focus on what I think is the problem (Traefik configuration).
I want the following to happen:
- User opens url https://dockerhost.company.local:5601/
- User is presented with a login window of Authelia
- After succesful (single-factor) authentication, Kibana appears
What happens:
If I enable the middleware so that Authelia should jump in when I go to https://dockerhost.company.local:5601/, I get an 401 unauthorized in the browser.
-
Log in Traefik:
Remote error ``http://authelia:9091/api/verify``. StatusCode: 401" middlewareName=auth@file middlewareType=ForwardedAuthType
-
Log in Authelia:
"Access to ``https://dockerhost.company.local:5601/`` (method GET) is not authorized to user <anonymous>, responding with status code 401" method=GET path=/api/verify remote_ip=10.2.120.251
It makes sense that the user 'anonymous' is not authorized, but I don't get a login prompt to authenticate in the first place.
What I tried for troubleshooting:
-
Kibana is accessible through Traefik if I disable the middleware
-
Authelia works and is able to authenticate if I access it directly
I've been trying to get this to work for the last week, but I can't figure out what goes wrong.
What am I missing? Anyone know what's wrong in this config?
Dockerfile for Traefik/Authelia:
version: '3.8'
services:
traefik:
image: traefik
container_name: kibana_traefik
command:
- "--api=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--entrypoints.kibana-entrypoint.address=:5601"
- "--providers.file.filename=/traefik-config/dynamic.toml"
- "--providers.file.watch=true"
- "--log.level=DEBUG"
ports:
- "8080:8080"
- "5601:5601"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- ./traefik-config:/traefik-config
networks:
- ods_dev_bridge_network
depends_on:
- authelia
restart: unless-stopped
authelia:
container_name: kibana_authelia
image: authelia/authelia:latest
volumes:
- ./authelia-config:/config
ports:
- "9091:9091"
networks:
- ods_dev_bridge_network
restart: unless-stopped
networks:
ods_dev_bridge_network:
external: true
Authelia configuration.yml
server.port: 9091
log.level: debug
jwt_secret: insecure_secret
authentication_backend:
ldap:
implementation: activedirectory
url: ldap://ldapserver.company.local
timeout: 5s
start_tls: false
base_dn: DC=company,DC=local
# additional_users_dn: OU=Users,OU=COMPANY
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))
username_attribute: sAMAccountName
mail_attribute: mail
display_name_attribute: displayName
groups_filter: (&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))
group_name_attribute: cn
permit_referrals: false
permit_unauthenticated_bind: false
user: CN=dockeruser_sa,OU=ServiceAccounts,OU=Users,OU=COMPANY,DC=company,DC=local
password: <password>
totp:
disable: true
session:
name: authelia_session
domain: company.local
same_site: lax
secret: unsecure_session_secret
expiration: 1h
inactivity: 5m
remember_me_duration: 1M
storage:
encryption_key: a_very_important_secret
local:
path: /config/db.sqlite3
access_control:
default_policy: one_factor
rules:
- domain: dockerhost.company.local
policy: one_factor
notifier:
filesystem:
filename: /var/lib/authelia/emails.txt
Traefik dynamic.toml:
[http.routers]
[http.routers.kibana]
entryPoints = ["kibana-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "kibana-service"
middlewares = ["auth@file"]
[http.routers.kibana.tls]
[http.services]
[http.services.kibana-service]
[[http.services.kibana-service.loadBalancer.servers]]
url = "http://kibana:5601/"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://authelia:9091/api/verify"
trustForwardHeader = true
authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
答案1
得分: 0
为了回答我自己的问题,经过维护Authelia的人的帮助,我能够弄清楚我所缺少的内容。我没有弄清楚的是中间件部分中使用的URL。首先,它需要一个 rd
参数,但我卡在了该参数的内容上。原来它应该指向自身,就像这样:
address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.nl:9091/"
这两个URL都指向Authelia,第一个是内部的,第二个是外部的。因为外部URL,Authelia还需要一个路由器+服务。
这是关于Traefik动态配置的最终结果:
[http.routers]
[http.routers.kibana-router]
entryPoints = ["kibana-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "kibana-service"
middlewares = "auth"
[http.routers.kibana-router.tls]
[http.routers.authelia-router]
entryPoints = ["authelia-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "authelia-service"
[http.routers.authelia-router.tls]
[http.services]
[http.services.kibana-service]
[[http.services.kibana-service.loadBalancer.servers]]
url = "http://kibana:5601/"
[http.services.authelia-service]
[[http.services.authelia-service.loadBalancer.servers]]
url = "http://authelia:9091/"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.local:9091/"
trustForwardHeader = true
authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
通过这个配置,Traefik调用Authelia进行身份验证,成功认证后返回原始URL并提供Kibana服务。
英文:
To answer my own question, after help from the guy who maintains Authelia I've been able to figure out what I was missing. The thing that I didn't get was the URL used in the middleware part. First of all it needs an rd
parameter, but I got stuck on the content of that parameter. Turns out it should refer to itself, like so:
address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.nl:9091/"
Both URLs point to Authelia, first one is internal, second is external. Because of the external URL, Authelia needs a router+service as well.
This is the end result regarding the Traefik dynamic config:
[http.routers]
[http.routers.kibana-router]
entryPoints = ["kibana-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "kibana-service"
middlewares = "auth"
[http.routers.kibana-router.tls]
[http.routers.authelia-router]
entryPoints = ["authelia-entrypoint"]
rule = "Host(`dockerhost.company.local`)"
service = "authelia-service"
[http.routers.authelia-router.tls]
[http.services]
[http.services.kibana-service]
[[http.services.kibana-service.loadBalancer.servers]]
url = "http://kibana:5601/"
[http.services.authelia-service]
[[http.services.authelia-service.loadBalancer.servers]]
url = "http://authelia:9091/"
[http.middlewares]
[http.middlewares.auth.forwardAuth]
address = "http://authelia:9091/api/verify?rd=https://dockerhost.company.local:9091/"
trustForwardHeader = true
authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
With this config Traefik calls Authelia for authentication, and after success authentication it returns to the original url and serves Kibana.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论