DigestAuth¶
增加 Digest 身份认证
DigestAuth 中间件是一种将访问权限限制到已知用户的快速方法。
配置示例¶
# 声明用户列表
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
# 声明用户列表
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: userssecret
# Kubernetes 中使用 secret 来进行认证,可以用下面得命令来生成:
# 用户 admin123 在 qq.com 的认证文件
# htdigets -c auth qq.com admin123
# kubectl create secret generic userssecret --from-file=auth
# 声明用户列表
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
"labels": {
"traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
}
# 声明用户列表
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
# 声明用户列表
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
# 声明用户列表
http:
middlewares:
test-auth:
digestAuth:
users:
- "test:traefik:a2688e031edb4be6a3797f3882655c05"
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
配置选项¶
Tip
使用 htdigest
生成密码。
users
¶
The users
是授权用户的数组。每个用户需要使用这种 name:realm:encoded-password
格式声明。
- 如果同时提供了
users
和usersFile
,则两者将合并。usersFile
的内容优先于users
中的值。 - 出于安全原因,Kubernetes IngressRoute 的用户字段
users
不存在,而应该使用secret
字段。
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
"labels": {
"traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
}
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
http:
middlewares:
test-auth:
digestAuth:
users:
- "test:traefik:a2688e031edb4be6a3797f3882655c05"
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
usersFile
¶
usersFile
选项是指向外部文件的路径,该文件包含中间件的授权用户。
文件内容是 name:realm:encoded-password
格式的列表。
labels:
- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
"labels": {
"traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
}
labels:
- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
usersFile = "/path/to/my/usersfile"
http:
middlewares:
test-auth:
digestAuth:
usersFile: "/path/to/my/usersfile"
A file containing test/test and test2/test2
test:traefik:a2688e031edb4be6a3797f3882655c05
test2:traefik:518845800f9e2bfb1f1f740ec24f074e
realm
¶
您可以使用 realm
选项自定义身份验证领域。 默认值为 traefik
。
labels:
- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
realm: MyRealm
- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
"labels": {
"traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
}
labels:
- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
realm = "MyRealm"
http:
middlewares:
test-auth:
digestAuth:
realm: "MyRealm"
headerField
¶
您可以使用 headerField
选项为经过身份验证的用户自定义标题字段。
labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
digestAuth:
# ...
headerField: X-WebAuth-User
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
"labels": {
"traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
}
labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
[http.middlewares.my-auth.digestAuth]
# ...
headerField = "X-WebAuth-User"
http:
middlewares:
my-auth:
digestAuth:
# ...
headerField: "X-WebAuth-User"
removeHeader
¶
将 removeHeader
选项设置为 true
以在将请求转发到您的服务之前删除授权标头。 (默认值为 false
)
labels:
- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
removeHeader: true
- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
"labels": {
"traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
}
labels:
- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
removeHeader = true
http:
middlewares:
test-auth:
digestAuth:
removeHeader: true
本节翻译作者:@罗立志