I want all users who access Prometheus to log in through an SSO (Keycloak) that supports the OAuth2 protocol. My current setup is that, before reaching Prometheus, there is an nginx server, and I have several sites behind it as upstreams: Grafana, Prometheus, etc. I searched Google for the best solution and found oauth2-proxy, which can do this, but after authentication oauth2-proxy redirects me to the Prometheus page instead of to Prometheus; everything works, but there is no redirect URL.

nginx.conf
```nginx
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

http {
    server {
        listen 443 ssl default_server;
        server_name example.com;

        # Everything under /oauth2/ goes to oauth2-proxy itself (sign_in, callback, ...)
        location /oauth2/ {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Auth-Request-Redirect "https://example.com/prometheus";
        }

        # Sub-request endpoint used by auth_request; no body is forwarded
        location = /oauth2/auth {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header Content-Length "";
            proxy_pass_request_body off;
        }

        location ^~ /prometheus/ {
            auth_request /oauth2/auth;
            error_page 401 = /oauth2/sign_in;

            auth_request_set $user $upstream_http_x_auth_request_user;
            auth_request_set $email $upstream_http_x_auth_request_email;
            proxy_set_header X-User $user;
            proxy_set_header X-Email $email;

            auth_request_set $token $upstream_http_x_auth_request_access_token;
            proxy_set_header X-Access-Token $token;

            auth_request_set $auth_cookie $upstream_http_set_cookie;
            add_header Set-Cookie $auth_cookie;

            auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
            if ($auth_cookie ~* "(; .*)") {
                set $auth_cookie_name_0 $auth_cookie;
                set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
            }
            if ($auth_cookie_name_upstream_1) {
                add_header Set-Cookie $auth_cookie_name_0;
                add_header Set-Cookie $auth_cookie_name_1;
            }

            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass "http://192.168.1.20:9090/prometheus/"; # This is where my web server is hosted
        }
    }
}
```
oauth2-proxy.cfg

```ini
provider="keycloak"
provider_display_name="SSO connect"
ssl_insecure_skip_verify=true
login_url="https://auth.keycloak/oauth2/authorize"
redeem_url="https://auth.keycloak/oauth2/token"
validate_url="https://auth.keycloak/oauth2/userinfo"
client_id="8m67vhg34hgj-232k-786j-90cf-45656gjh5f64g"
client_secret="sd;kfposdfk546idfj;"
cookie_secure="true"
redirect_url="https://example.com/prometheus/oauth2/callback"
upstreams="http://192.168.1.20:9090/prometheus/" # My website server
email_domains="*"
cookie_secret="AkaBxYPzIvMdQziWECV6Ow=="
http_address = "127.0.0.1:4180"
https_address = ":443"
reverse_proxy = true
```
Starting the oauth2-proxy binary:

```text
[root@nginx]# ./oauth2-proxy --config=/etc/nginx/oauth2-proxy.cfg
[2022/02/03 17:23:54] [proxy.go:89] mapping path "/prometheus/" => upstream "http://192.168.1.20:9090/prometheus/"
[2022/02/03 17:23:54] [oauthproxy.go:148] OAuthProxy configured for Keycloak Client ID: 8m67vhg34hgj-232k-786j-90cf-45656gjh5f64g
[2022/02/03 17:23:54] [oauthproxy.go:154] Cookie settings: name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:disabled
```

oauth2-proxy is listening on port 4180 OK:

```text
[root@nginx]# netstat -naptu | grep 4180
tcp 0 0 127.0.0.1:4180 0.0.0.0:* LISTEN 26031/./oauth2-prox
```
Here is the Prometheus login page, which points to the oauth2-proxy authentication. After authenticating, it redirects me to the page, not to the upstream.

When I try to access "https://example.com/prometheus", I get this output:

```text
9 Safari/537.36" 401 13 0.000
[2022/02/03 17:29:59] [validator.go:77] Rejecting invalid redirect "https://example.com": domain / port not in whitelist
[2022/02/03 17:29:59] [director.go:85] Invalid redirect provided in X-Auth-Request-Redirect header: https://example.com
[2022/02/03 17:29:59] [validator.go:77] Rejecting invalid redirect "https://example.com": domain / port not in whitelist
[2022/02/03 17:29:59] [director.go:85] Invalid redirect provided in X-Auth-Request-Redirect header: https://example.com
```

What am I missing here... I have run out of ideas.
Posted on 2022-02-10 08:41:56

I found the solution:

Step 1. Download the oauth2-proxy binary. My version is oauth2-proxy v7.2.1.

Step 2. Create oauth2-proxy as a service so it can be started as a system service.
```ini
[root@nginx]# cat oauth2_proxy.service
[Unit]
Description=oauth2_proxy daemon
After=syslog.target network.target

[Service]
ExecStart=/var/opt/oauth2-proxy --config=/etc/nginx/oauth2-proxy.cfg
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always

[Install]
WantedBy=multi-user.target
```
Run the `systemctl status oauth2_proxy` command:

```text
[root@nginx]# systemctl status oauth2_proxy
● oauth2_proxy.service - oauth2_proxy daemon
Loaded: loaded (/etc/systemd/system/multi-user.target.wants/oauth2_proxy.service; bad; vendor preset: disabled)
Active: active (running) since Tue 2022-02-08 11:03:05 CET; 1 day 22h ago
Main PID: 34114 (oauth2-proxy)
CGroup: /system.slice/oauth2_proxy.service
└─34114 /var/opt/oauth2-proxy --config=/etc/nginx/oauth2-proxy.cfg
Feb 08 11:03:05 nginx.local systemd[1]: Started oauth2_proxy daemon.
Feb 08 11:03:05 nginx.local oauth2-proxy[34114]: [2022/02/08 11:03:05] [logging.go:27] Redirecting logging to file: /var/log/oauth2/oauth2_proxy.log
```
Step 3. Create oauth2-proxy.cfg and add the following lines:

```ini
provider="oidc"
provider_display_name="SSO Connect"
login_url="https://auth.keycloak/oauth2/authorize"
validate_url="https://auth.keycloak/oauth2/token"
profile_url="https://auth.keycloak/oauth2/userinfo"
client_id="8m67vhg34hgj-232k-786j-90cf-45656gjh5f64g"
client_secret="sd;kfposdfk546idfj"
redirect_url="https://example.com/oauth2/callback"
upstreams=["http://192.168.1.20:9090/prometheus/"] # My website server
### OIDC settings
#reverse_proxy=true
oidc_issuer_url="https://auth.keycloak"
insecure_oidc_allow_unverified_email=true
email_domains=["*"]
cookie_secret="AkaBxYPzIvMdQziWECV6Ow=="
http_address="127.0.0.1:4180"
whitelist_domains="tool.example.com"
cookie_domains=["tool.example.com"]
cookie_secure="false"
cookie_samesite="lax"
pass_authorization_header = true
pass_access_token = true
pass_user_headers = true
set_authorization_header = true
set_xauthrequest = true
cookie_refresh = "1m"
cookie_expire = "30m"
scope="openid email profile"
```
Step 4. Add the lines below to nginx.conf to make authentication and the redirect to the Prometheus upstream work.

```nginx
location /oauth2/ {
    proxy_pass http://127.0.0.1:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
}

location = /oauth2/auth {
    proxy_pass http://127.0.0.1:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
}

location ^~ /prometheus/ {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $user;
    proxy_set_header X-Email $email;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;
    proxy_pass http://prometheus_backend/prometheus/;
}
```

I hope you have no problems getting it to work.
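The log lines in the question ("Rejecting invalid redirect ... domain / port not in whitelist") and the two changes in the answer (`X-Auth-Request-Redirect $request_uri` instead of an absolute URL, plus `whitelist_domains`) both come down to how a post-login redirect target is validated against a domain whitelist. The following is an added, simplified re-implementation of that kind of check for illustration; it is not oauth2-proxy's own code or the poster's, and the matching rules for whitelist entries (exact host, `.domain` for subdomains, `host:port`, `host:*`) are assumptions stated in the comments. It shows why an absolute `https://example.com/...` is refused when no whitelist is configured, why a relative `$request_uri` passes regardless of the whitelist, and why protocol-relative targets must be refused as an open-redirect risk.

```python
"""Redirect-target validation of the kind oauth2-proxy applies to the
X-Auth-Request-Redirect header.  Added, simplified re-implementation for
illustration only; not oauth2-proxy's own code.  The whitelist rule forms
handled below are assumptions documented in the comments."""
from urllib.parse import urlsplit


def _parse_whitelist(whitelist):
    """Accept either a list of domain rules or a comma-separated string
    (the cfg in the answer uses a plain string)."""
    if isinstance(whitelist, str):
        whitelist = whitelist.split(",")
    return [rule.strip().lower() for rule in whitelist if rule.strip()]


def _rule_matches(host, port, rule):
    """Assumed rule forms: 'a.example.com' (exact host), '.example.com'
    (the domain and any subdomain), 'example.com:8443' (explicit port) and
    'example.com:*' (any port).  A rule without a port only matches a URL
    that carries no explicit port."""
    if ":" in rule:
        rule_host, rule_port = rule.rsplit(":", 1)
    else:
        rule_host, rule_port = rule, ""
    port_ok = True if rule_port == "*" else (rule_port == port)
    if rule_host.startswith("."):
        host_ok = host == rule_host[1:] or host.endswith(rule_host)
    else:
        host_ok = host == rule_host
    return host_ok and port_ok


def validate_redirect(redirect, whitelist=()):
    """Return (accepted, reason) for a post-login redirect target.

    Relative paths are accepted because they stay on the origin the user is
    already on.  Protocol-relative ('//host/...') and backslash variants are
    refused because browsers treat them as absolute.  Absolute URLs must
    match the whitelist; anything else is an open-redirect risk."""
    if redirect.startswith("/"):
        if redirect.startswith(("//", "/\\")):
            return False, "protocol-relative path is not allowed"
        return True, "relative path"
    if redirect.startswith(("http://", "https://")):
        try:
            parts = urlsplit(redirect)
            port = str(parts.port) if parts.port is not None else ""
        except ValueError:
            return False, "malformed URL"
        host = (parts.hostname or "").lower()
        if any(_rule_matches(host, port, r) for r in _parse_whitelist(whitelist)):
            return True, "domain / port in whitelist"
        return False, "domain / port not in whitelist"
    return False, "unsupported scheme"


if __name__ == "__main__":
    # Constructed samples: the header value from the question's nginx.conf
    # with the question's empty whitelist, the same value with the answer's
    # whitelist_domains, the relative form that $request_uri produces, and
    # a protocol-relative target that must never be followed.
    for target, wl in [
        ("https://example.com/prometheus", ""),
        ("https://example.com/prometheus", "tool.example.com"),
        ("/prometheus/graph", ""),
        ("//other.invalid/", "tool.example.com"),
    ]:
        print(target, "->", validate_redirect(target, wl))
```

Note that with the answer's `whitelist_domains="tool.example.com"` an absolute `https://example.com/...` target would still be rejected under these rules; the fix works because `$request_uri` is a relative path, which never consults the whitelist.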
https://stackoverflow.com/questions/70975460