基本身份验证不适用于 Traefik v2.1

Question

我的问题是我无法通过 traefik 设置前端应用程序的基本身份验证

这就是我配置 traefik 的方式

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entryPoints:
  https:
    address: :443
  http:
    address: :80
  traefik:
    address: :8080

tls:
  options:
    foo:
      minVersion: VersionTLS12
      cipherSuites:
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_RSA_WITH_AES_256_GCM_SHA384"

providers:
  providersThrottleDuration: 2s
  docker:
    watch: true
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
    network: web

api:
  insecure: true
  dashboard: true

log:
  level: INFO

certificatesResolvers:
  default:
    acme:
      storage: /acme.json
      httpChallenge:
        entryPoint: http

docker-compose.yml

version: '3'
services:
  traefik:
    image: traefik:v2.0
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/srv/traefik/traefik.yml:/etc/traefik/traefik.yml"
      - "/srv/traefik/acme.json:/acme.json"
    networks:
      - web

networks:
  web:
    external: true

这里是我作为 traefik 提供商运行的前端应用程序以及我的基本身份验证标签的地方

version: '3.7'
services:
  frontend:
    image: git.xxxx.com:7000/dockerregistry/registry/xxxx
    restart: "always"
    networks:
      - web
    volumes:
      - "/srv/config/api.js:/var/www/htdocs/api.js"
      - "/srv/efs/workspace:/var/www/htdocs/stock"
    labels:
      - traefik.enable=true
      - traefik.http.routers.frontend-http.rule=Host(`test.xxxx.com`)
      - traefik.http.routers.frontend-http.service=frontend
      - traefik.http.routers.frontend-http.entrypoints=http
      - traefik.http.routers.frontend.tls=true
      - traefik.http.routers.frontend.tls.certresolver=default
      - traefik.http.routers.frontend.entrypoints=http
      - traefik.http.routers.frontend.rule=Host(`test.xxxx.com`)
      - traefik.http.routers.frontend.service=frontend
      - traefik.http.middlewares.frontend.basicAuth.users=test:$$2y$$05$$c45HvbP0Sq9EzcfaXiGNsuuWMfPhyoFZVYgiTylpMMLtJY2nP1P6m
      - traefik.http.services.frontend.loadbalancer.server.port=8080

networks:
  web:
    external: true

我无法收到登录提示，所以我想知道是否缺少一些容器标签。

提前致谢！华金

Answer 1

首先，标签应该用引号括起来，例如“”

其次，我认为您在前端应用程序中缺少标签。使用基本身份验证时，需要两个步骤，应如下所示：

  - "traefik.http.routers.frontend.middlewares=frontend-auth"
  - "traefik.http.middlewares.frontend-auth.basicauth.users=test:$$2y$$05$$c45HvbP0Sq9EzcfaXiGNsuuWMfPhyoFZVYgiTylpMMLtJY2nP1P6m"

Answer 2

在您的 Docker Compose 文件中，不要添加 的“中间件”标签，traefik而是使用traefik.yml传递选项的文件来执行此providers.file操作，您应该在其中定义路由器、服务、中间件等。在该“providers 文件”中，您应该在下middlewares设置http.routes.traefik\xe2\x80\x93 这在一开始听起来可能非常混乱，但并不难，相信我。

\n

让我们做一个 YAML 案例（您可以在此处将其转换为“TOML” ）。

\n

此示例假设您有一个专门用于 Traefik \xe2\x80\x93 的 Docker Compose 文件，我还没有尝试将相同的 Docker Compose 文件与其中的任何其他服务（如 Wordpress、数据库或其他服务）一起使用，因为我已经有一个不同的这些文件的路径。

\n

docker-compose.yml

\n

version: \'3.1\'\n\nservices:\n  reverse-proxy:\n    image: traefik:v2.4\n    [ ... ]\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock:ro\n      # Map the dynamic conf into the container\n      - ./traefik/config.yml:/etc/traefik/config.yml:ro\n      # Map the static conf into the container\n      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro\n      # Note you don\'t use "traefik.http.routers.<service>.middlewares etc." here\n[ ... ]\n

\n

在本例中，我设置/获取 Traefik 的配置文件./traefik（相对于该docker-compose.yml文件）。

\n

./traefik/config.yml

\n

http:\n  routers:\n    traefik:\n      middlewares: "basicauth"\n      [ ... ]\n  middlewares:\n    basicauth:\n      basicAuth:\n        removeHeader: true\n        users:\n          - <user>:<password>\n          # password should be generated using `htpasswd` (md5, sha1 or bcrypt)\n[ ... ]\n

\n

在这里，您可以根据basicauth需要设置名称（因为这是您将在仪表板中看到的中间件名称），因此您可以执行以下操作：

\n

http:\n  routers:\n    traefik:\n      middlewares: "super-dashboard-auth"\n      [ ... ]\n  middlewares:\n    super-dashboard-auth:\n      basicAuth:\n        removeHeader: true\n        users:\n          - <user>:<password>\n          # password should be generated using `htpasswd` (md5, sha1 or bcrypt)\n[ ... ]\n

\n

注意basicAuth必须保持原样。另外，在这里您不需要使用“双美元方法”来转义它（如标签方法中所示），因此在创建用户密码后，您应该像htpasswd创建它一样输入它。

\n

# BAD\nuser:$$2y$$10$$nRLqyZT.64JI/CD/ym65UGDn8HaY0D6CBTxhe6JXf9u4wi5bEMdh.\n\n# GOOD\nuser:$2y$10$nRLqyZT.64JI/CD/ym65UGDn8HaY0D6CBTxhe6JXf9u4wi5bEMdh.\n

\n

当然，您可能希望从文件中获取这些数据.env，而不是对这些字符串进行硬编码，在这种情况下，您需要从 using 中传递环境变量，docker-compose.yml如下environment所示：

\n

# BAD\nuser:$$2y$$10$$nRLqyZT.64JI/CD/ym65UGDn8HaY0D6CBTxhe6JXf9u4wi5bEMdh.\n\n# GOOD\nuser:$2y$10$nRLqyZT.64JI/CD/ym65UGDn8HaY0D6CBTxhe6JXf9u4wi5bEMdh.\n

\n

并在文件中像这样使用它traefik/config.yml：

\n

services:\n  reverse-proxy:\n    image: traefik:v2.4\n    container_name: traefik\n    [ ... ]\n    environment:\n      TRAEFIK_DASHBOARD_USER: "${TRAEFIK_DASHBOARD_USER}"\n      TRAEFIK_DASHBOARD_PWD: "${TRAEFIK_DASHBOARD_PWD}"\n      # And any other env. var. you may need\n[ ... ]\n

\n

之后将之前的文件包含在providers.file.filename

\n

./traefik/traefik.yml

\n

[ ... ]\nmiddlewares:\n    super-dashboard-auth:\n      basicAuth:\n        removeHeader: true\n        users:\n          - "{{env "TRAEFIK_DASHBOARD_USER"}}:{{env "TRAEFIK_DASHBOARD_PWD"}}"\n[ ... ]\n

\n

然后简单地docker-compose up -d

\n