BasicAuth¶

添加 Basic Auth 认证

BasicAuth

BasicAuth 中间件是一种限制访问权限的简单方法。

配置示例¶

Docker

# 声明用户列表
#
# 注意: hash 值中的所有 $ 符号需要两个才能转义。
# 为了创建 user:password 键值对，可以使用下面的命令
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

Kubernetes

# 声明用户列表
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-auth
spec:
  basicAuth:
    secret: secretName

# Kubernetes 中使用 secret 来进行认证，可以用下面得命令来生成：
# htpasswd -bc auth admin admin321  
# kubectl create secret generic secretName --from-file=auth

File (TOML)

# 声明用户列表
[http.middlewares]
  [http.middlewares.test-auth.basicAuth]
  users = [
    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  ]

File (YAML)

# 声明用户列表
http:
  middlewares:
    test-auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"

配置选项¶

常规¶

密码必须用 MD5，SHA1 或者 BCrypt 编码。

Tip

用 htpasswd 来生成密码。

`users`¶

users 选项是认证用户的列表。每个用户都需要用 name:encoded-password 的格式进行声明。

如果同时提供了 users 和 usersFile，则二者会被合并，usersFile 得内容优先于 users 中得值。
出于安全考虑，Kubernetes IngressRoute 得用户字段 users 取消了，而应该使用 secret 字段。

Docker

# 声明用户列表
#
# 注意: hash 值中的所有 $ 符号需要两个才能转义。
# 为了创建 user:password 键值对，可以使用下面的命令
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

Kubernetes

# 声明用户列表
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-auth
spec:
  basicAuth:
    secret: authsecret

---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default

data:
  users: |2
    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK

File (TOML)

# 声明用户列表
[http.middlewares]
  [http.middlewares.test-auth.basicAuth]
    users = [
      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
    ]

File (YAML)

# 声明用户列表
http:
  middlewares:
    test-auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"

`usersFile`¶

usersFile 选项是指向外部文件的路径，该文件中包含中间件的授权用户。

该文件内容是一个 name:encoded-password 格式得列表。

如果同时提供了 users 和 usersFile，则二者会被合并，usersFile 得内容优先于 users 中得值。
由于在 Kubernetes 上引用文件路径没有多大意义，所以 Kubernetes IngressRoute 的用户字段 usersFile 取消了，而应该使用 secret 字段。

Docker

labels:
  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-auth
spec:
  basicAuth:
    secret: authsecret

---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default

data:
  users: |2
    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK

File (TOML)

[http.middlewares]
  [http.middlewares.test-auth.basicAuth]
    usersFile = "/path/to/my/usersfile"

File (YAML)

http:
  middlewares:
    test-auth:
      basicAuth:
        usersFile: "/path/to/my/usersfile"

A file containing test/test and test2/test2

test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0

`realm`¶

你也可以使用 realm 选项自定义身份验证领域，默认值是 traefik。

Docker

labels:
  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-auth
spec:
  basicAuth:
    realm: MyRealm

File (TOML)

[http.middlewares]
  [http.middlewares.test-auth.basicAuth]
    realm = "MyRealm"

File (YAML)

http:
  middlewares:
    test-auth:
      basicAuth:
        realm: "MyRealm"

`headerField`¶

你可以使用 headerField 选项定义 Header 字段来存储经过身份验证得用户。

Docker

labels:
  - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: my-auth
spec:
  basicAuth:
    # ...
    headerField: X-WebAuth-User

File (TOML)

[http.middlewares.my-auth.basicAuth]
  # ...
  headerField = "X-WebAuth-User"

File (YAML)

http:
  middlewares:
    my-auth:
      basicAuth:
        # ...
        headerField: "X-WebAuth-User"

`removeHeader`¶

设置 removeHeader 选项为 true，可以将请求转发到你的服务之前删除授权得 Header。（默认值为 false。）

Docker

labels:
  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-auth
spec:
  basicAuth:
    removeHeader: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-auth.basicAuth]
    removeHeader = true

File (YAML)

http:
  middlewares:
    test-auth:
      basicAuth:
        removeHeader: true

BasicAuth¶

配置示例¶

配置选项¶

常规¶

users¶

usersFile¶

realm¶

headerField¶

removeHeader¶

`users`¶

`usersFile`¶

`realm`¶

`headerField`¶

`removeHeader`¶