DigestAuth¶
增加 Digest 身份认证
DigestAuth 中间件是一种将访问权限限制到已知用户的快速方法。
配置示例¶
# 声明用户列表
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"# 声明用户列表
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: userssecret
# Kubernetes 中使用 secret 来进行认证,可以用下面得命令来生成:
# 用户 admin123 在 qq.com 的认证文件
# htdigets -c auth qq.com admin123
# kubectl create secret generic userssecret --from-file=auth# 声明用户列表
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e""labels": {
"traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
}# 声明用户列表
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"# 声明用户列表
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]# 声明用户列表
http:
middlewares:
test-auth:
digestAuth:
users:
- "test:traefik:a2688e031edb4be6a3797f3882655c05"
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"配置选项¶
Tip
使用 htdigest 生成密码。
users¶
The users 是授权用户的数组。每个用户需要使用这种 name:realm:encoded-password 格式声明。
- 如果同时提供了
users和usersFile,则两者将合并。usersFile的内容优先于users中的值。 - 出于安全原因,Kubernetes IngressRoute 的用户字段
users不存在,而应该使用secret字段。
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e""labels": {
"traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
}labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]http:
middlewares:
test-auth:
digestAuth:
users:
- "test:traefik:a2688e031edb4be6a3797f3882655c05"
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"usersFile¶
usersFile 选项是指向外部文件的路径,该文件包含中间件的授权用户。
文件内容是 name:realm:encoded-password 格式的列表。
labels:
- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile""labels": {
"traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
}labels:
- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"[http.middlewares]
[http.middlewares.test-auth.digestAuth]
usersFile = "/path/to/my/usersfile"http:
middlewares:
test-auth:
digestAuth:
usersFile: "/path/to/my/usersfile"A file containing test/test and test2/test2
test:traefik:a2688e031edb4be6a3797f3882655c05
test2:traefik:518845800f9e2bfb1f1f740ec24f074erealm¶
您可以使用 realm 选项自定义身份验证领域。 默认值为 traefik。
labels:
- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
realm: MyRealm- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm""labels": {
"traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
}labels:
- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"[http.middlewares]
[http.middlewares.test-auth.digestAuth]
realm = "MyRealm"http:
middlewares:
test-auth:
digestAuth:
realm: "MyRealm"headerField¶
您可以使用 headerField 选项为经过身份验证的用户自定义标题字段。
labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
digestAuth:
# ...
headerField: X-WebAuth-User- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User""labels": {
"traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
}labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"[http.middlewares.my-auth.digestAuth]
# ...
headerField = "X-WebAuth-User"http:
middlewares:
my-auth:
digestAuth:
# ...
headerField: "X-WebAuth-User"removeHeader¶
将 removeHeader 选项设置为 true 以在将请求转发到您的服务之前删除授权标头。 (默认值为 false )
labels:
- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
removeHeader: true- "traefik.http.middlewares.test-auth.digestauth.removeheader=true""labels": {
"traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
}labels:
- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"[http.middlewares]
[http.middlewares.test-auth.digestAuth]
removeHeader = truehttp:
middlewares:
test-auth:
digestAuth:
removeHeader: true本节翻译作者:@罗立志