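How to add conditional request headers in an ingress controller based on the incoming request
I am adding external authentication using the auth-url annotation. How can I set conditional request headers for the auth-url API depending on the incoming request? Can I set request headers in the NGINX controller based on the incoming request?
Edited:
Hi, this is about adding the custom header (Id) that the auth-url expects. I am setting the Id header, which the authorization auth-url API requires, but it is not received by the API. Is this the correct way to set it? My next question is: if it is set, how can I set it conditionally depending on which host server the request comes from?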
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-kubernetes-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: http://ca6dd3adc439.ngrok.io/authorize
    nginx.ingress.kubernetes.io/auth-method: POST
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Id "queryApps";
spec:
  rules:
  - host: "hw1.yourdomain"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          serviceName: hello-netcore-k8s
          servicePort: 80
  - host: "hw2.yourdomain"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          serviceName: hello-kubernetes-second
          servicePort: 80
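Solution
"My next question is: if it is set, how can I set it conditionally depending on which host server the request comes from?"
The best way is to create two Ingress objects, one of which enables external authentication for the host hw1.yourdomain. For some reason, auth-snippet did not pass the header during testing, but it works fine with configuration-snippet: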
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-kubernetes-ingress-auth-on
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: http://ca6dd3adc439.ngrok.io/authorize
    nginx.ingress.kubernetes.io/auth-method: POST
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Id "queryApps";
spec:
  rules:
  - host: "hw1.yourdomain"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          serviceName: hello-netcore-k8s
          servicePort: 80
As you can see here, it passes the required header:
"path": "/",
"headers": {
  "host": "hw1.yourdomain",
  "x-request-id": "5e91333bed960802a67958d71e787b75",
  "x-real-ip": "192.168.49.1",
  "x-forwarded-for": "192.168.49.1",
  "x-forwarded-host": "hw1.yourdomain",
  "x-forwarded-port": "80",
  "x-forwarded-proto": "http",
  "x-scheme": "http",
  "id": "queryApps",
  "user-agent": "curl/7.52.1",
  "accept": "*/*"
},
"method": "GET",
"body": "",
"fresh": false,
Next, the second Ingress object must be configured with authentication disabled for the host hw2.yourdomain:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-kubernetes-ingress-auth-off
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: "hw2.yourdomain"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          serviceName: hello-kubernetes-second
          servicePort: 80
Then you can look at nginx.conf to check how these two Ingress objects are configured at the controller level. This is the first Ingress:
## start server hw1.yourdomain
server {
    server_name hw1.yourdomain ;
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    location = /_external-auth-Lw {
        internal;
        set $proxy_upstream_name "default-hello-netcore-k8s-80";
        hello-netcore-k8s.default.svc.cluster.local;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        --------
        --------
        # Pass the extracted client certificate to the auth provider
        set $target http://hello-netcore-k8s.default.svc.cluster.local;
        proxy_pass $target;
    location / {
        set $namespace "default";
        set $ingress_name "hello-kubernetes-ingress-auth-on";
        set $service_name "hello-netcore-k8s";
        set $service_port "80";
        set $location_path "/";
        set $balancer_ewma_score -1;
        set $proxy_upstream_name "default-hello-netcore-k8s-80";
        # this location requires authentication
        auth_request /_external-auth-Lw;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to proxied server
        --------
        proxy_set_header Id "queryApps";
        ----
This is the second one:
## start server hw2.yourdomain
server {
    server_name hw2.yourdomain ;
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    ssl_certificate_by_lua_block {
        certificate.call()
    }
    location / {
        set $namespace "default";
        set $ingress_name "hello-kubernetes-ingress-auth-off";
        set $service_name "hello-kubernetes-second";
        set $service_port "80";
        set $location_path "/";
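The nginx.conf check described above can be scripted. This is an added example, not part of the original answer: a small Python parser that reports, for each server_name, which locations carry auth_request and which proxy_set_header lines each location sets. The function name audit_servers and the sample config (constructed from the excerpts above, with the braces closed) are assumptions.

```python
import re
# Constructed sample modelled on the two server blocks shown above (braces closed).
SAMPLE_CONF = r'''
server {
    server_name hw1.yourdomain ;
    location = /_external-auth-Lw {
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    }
    location / {
        auth_request /_external-auth-Lw;  # this location requires authentication
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        proxy_set_header Id "queryApps";
    }
}
server {
    server_name hw2.yourdomain ;
    location / {
        set $ingress_name "hello-kubernetes-ingress-auth-off";
    }
}
'''

def audit_servers(conf_text):
    """Map each server_name to its auth_request targets and per-location proxy_set_header values."""
    report, srv, loc, depth = {}, None, None, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment strip: assumes no '#' inside values
        if srv is None and re.match(r"server\s*\{", line):
            srv = {"depth": depth, "names": [], "auth": {}, "headers": {}}
        elif srv is not None:
            if m := re.match(r"location\s+(?:\S+\s+)?(\S+)\s*\{", line):
                loc = (m.group(1), depth)  # remember the path and the depth it opened at
            elif m := re.match(r"server_name\s+(.+?)\s*;", line):
                srv["names"] += m.group(1).split()
            elif m := re.match(r"auth_request\s+(\S+?)\s*;", line):  # does not match auth_request_set
                srv["auth"][loc[0] if loc else ""] = m.group(1)
            elif m := re.match(r"proxy_set_header\s+(\S+)\s+(.+?)\s*;", line):
                srv["headers"].setdefault(loc[0] if loc else "", {})[m.group(1)] = m.group(2).strip('"')
        depth += line.count("{") - line.count("}")
        if loc and depth == loc[1]:  # location block closed
            loc = None
        if srv is not None and depth == srv["depth"]:  # server block closed
            for name in srv["names"]:
                report[name] = {"auth": srv["auth"], "headers": srv["headers"]}
            srv = None
    return report

if __name__ == "__main__":
    print(audit_servers(SAMPLE_CONF))
```

In the result, a header listed under "/" is sent to the backend service, while a header listed under the /_external-auth-* location is sent with the auth subrequest. A host whose "auth" map is empty has no external authentication in front of it.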
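Your question is not very clear, so I assume it is related to authentication and header injection. For the NGINX ingress there are several ways to set up authentication. The second way below covers header injection.
The first method is the simplest. You only need to set a secret and annotations on the Ingress.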
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-secret: my-secret
    nginx.ingress.kubernetes.io/auth-type: basic
spec:
  rules:
  - http:
      paths:
      - path: /auth-url
        pathType: Prefix  # required in networking.k8s.io/v1
        backend:
          service:
            name: test
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: normal-ingress
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix  # required in networking.k8s.io/v1
        backend:
          service:
            name: test
            port:
              number: 80
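The second is more complex, but it is useful if you authenticate with a specific header. You can inject an NGINX configuration snippet into the Ingress. Of course, if you want to do more, such as adding a header, you can do it this way too.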
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      if ( $some_condition ) {
        return 403;
      }
spec:
  rules:
  - http:
      paths:
      - path: /auth-url
        pathType: Prefix  # required in networking.k8s.io/v1
        backend:
          service:
            name: test
            port:
              number: 80