BasicAuth¶
添加 Basic Auth 认证
BasicAuth 中间件是一种限制访问权限的简单方法。
配置示例¶
# 声明用户列表
#
# 注意: hash 值中的所有 $ 符号需要两个才能转义。
# 为了创建 user:password 键值对,可以使用下面的命令
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
labels:
- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# 声明用户列表
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
secret: secretName
# Kubernetes 中使用 secret 来进行认证,可以用下面得命令来生成:
# htpasswd -bc auth admin admin321
# kubectl create secret generic secretName --from-file=auth
# 声明用户列表
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
# 声明用户列表
http:
middlewares:
test-auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
配置选项¶
常规¶
密码必须用 MD5,SHA1 或者 BCrypt 编码。
Tip
用 htpasswd
来生成密码。
users
¶
users
选项是认证用户的列表。每个用户都需要用 name:encoded-password
的格式进行声明。
- 如果同时提供了
users
和usersFile
,则二者会被合并,usersFile
得内容优先于users
中得值。 - 出于安全考虑,Kubernetes IngressRoute 得用户字段
users
取消了,而应该使用secret
字段。
# 声明用户列表
#
# 注意: hash 值中的所有 $ 符号需要两个才能转义。
# 为了创建 user:password 键值对,可以使用下面的命令
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
labels:
- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# 声明用户列表
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
# 声明用户列表
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
# 声明用户列表
http:
middlewares:
test-auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
usersFile
¶
usersFile
选项是指向外部文件的路径,该文件中包含中间件的授权用户。
该文件内容是一个 name:encoded-password
格式得列表。
- 如果同时提供了
users
和usersFile
,则二者会被合并,usersFile
得内容优先于users
中得值。 - 由于在 Kubernetes 上引用文件路径没有多大意义,所以 Kubernetes IngressRoute 的用户字段
usersFile
取消了,而应该使用secret
字段。
labels:
- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
usersFile = "/path/to/my/usersfile"
http:
middlewares:
test-auth:
basicAuth:
usersFile: "/path/to/my/usersfile"
A file containing test/test and test2/test2
test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
realm
¶
你也可以使用 realm
选项自定义身份验证领域,默认值是 traefik
。
labels:
- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
realm: MyRealm
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
realm = "MyRealm"
http:
middlewares:
test-auth:
basicAuth:
realm: "MyRealm"
headerField
¶
你可以使用 headerField
选项定义 Header 字段来存储经过身份验证得用户。
labels:
- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
basicAuth:
# ...
headerField: X-WebAuth-User
[http.middlewares.my-auth.basicAuth]
# ...
headerField = "X-WebAuth-User"
http:
middlewares:
my-auth:
basicAuth:
# ...
headerField: "X-WebAuth-User"
removeHeader
¶
设置 removeHeader
选项为 true
,可以将请求转发到你的服务之前删除授权得 Header。(默认值为 false
。)
labels:
- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
removeHeader: true
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
removeHeader = true
http:
middlewares:
test-auth:
basicAuth:
removeHeader: true