Oauth2-proxy and Traefik: too many redirects
I have been trying for days and countless hours to get this thing to work with Traefik, but nothing I have tried so far has worked.
I first tried with the Nginx ingress controller and managed to get it working, so I am confident that my provider (Cognito) and the oauth2-proxy pod work correctly.
So, I am using an EKS 1.20 cluster, and we installed Traefik via the helm chart:
replicas: 1
rbac:
  enabled: true
accessLogs:
  enabled: false
service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "my-certs"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
externalTrafficPolicy: Local
ssl:
  enabled: true
  enforced: true
  upstream: true
helm upgrade -i traefik traefik/traefik -f traefik-values.yaml
Here is the configuration of my oauth proxy, which works with Nginx.
Nothing in oauth2-proxy mentions Traefik, so I assumed this should work as well:
config:
  clientID: "xxxxx"
  clientSecret: "xxxxxx"
  cookieSecret: "xxxx"
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
extraArgs:
  oidc-issuer-url: "https://cognito-idp.<region>.amazonaws.com/<pool_id>"
  oidc-jwks-url: "https://cognito-idp.<region>.amazonaws.com/<pool_id>/.well-known/jwks.json"
  provider: oidc
  provider-display-name: "Cognito SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
  reverse-proxy: true
  real-client-ip-header: X-Forwarded-For
  whitelist-domain: mycompany.com
  cookie-domain: mycompany.com
  set-authorization-header: true
These are the configurations suggested in their documentation, converted to Kubernetes: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#configuring-for-use-with-the-traefik-v2-forwardauth-middleware
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-auth
spec:
  forwardAuth:
    address: https://mycompany.com/oauth2/auth
    trustForwardHeader: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-errors
spec:
  errors:
    status:
      - "401-403"
    service:
      name: oauth2-proxy
      port: 80
    query: "/oauth2/sign_in"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: oauth2-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`mycompany.com`) && PathPrefix(`/oauth2/`)"
      kind: Rule
      services:
        - kind: Service
          name: oauth2-proxy
          port: 80
      middlewares:
        - name: auth-headers
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: linkerd-dashboard-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`mycompany.com`)"
      kind: Rule
      services:
        - name: nginx-service
          kind: Service
          port: 8080
      priority: 1
      middlewares:
        - name: oauth-auth
        - name: oauth-errors
Now with this configuration it does get redirected, but it goes into a loop and I get ERR_TOO_MANY_REDIRECTS.
If I follow it with curl it goes into a loop:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth
Date: Wed, 08 Sep 2021 10:12:04 GMT
Content-Length: 84
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth
Date: Wed, 08 Sep 2021 10:12:04 GMT
Content-Length: 84
...
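An added diagnostic, not code from the question or either answer: Traefik's forwardAuth middleware grants access only when the auth address answers 2xx; any other response, Location header included, is returned to the client unchanged, so an auth address that itself answers with a redirect to its own URL produces exactly the loop captured above. The script parses a transcript shaped like that curl output (the sample is constructed from it) and flags both the contract violation and the repeated Location; the auth URL is the forwardAuth address from the manifests.

```python
# Added example, not from the original question: check a curl -i transcript
# against Traefik's forwardAuth contract (2xx = allow, anything else is relayed).
AUTH_URL = "https://mycompany.com/oauth2/auth"  # forwardAuth address in the question

def parse_transcript(raw):
    """Split a transcript (blank line between responses) into (status, headers) hops."""
    hops = []
    for block in raw.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        status = int(lines[0].split()[1])  # "HTTP/1.1 301 Moved Permanently"
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append((status, headers))
    return hops

def diagnose(hops, auth_url=AUTH_URL):
    """Return findings that explain a forwardAuth redirect loop in this transcript."""
    findings = []
    if hops and not 200 <= hops[0][0] < 300:
        # Traefik grants access only on 2xx; any other auth-server response,
        # Location header included, is returned to the client as-is.
        findings.append(f"auth address answered {hops[0][0]}, not 2xx: "
                        "Traefik relays that response to the client")
    seen = set()
    for i, (status, headers) in enumerate(hops):
        loc = headers.get("location")
        if not (300 <= status < 400 and loc):
            continue
        if loc == auth_url:
            findings.append(f"hop {i}: redirect points at the auth address itself")
        if loc in seen:
            findings.append(f"hop {i}: {loc} already visited, redirect loop")
        seen.add(loc)
    return findings

# Constructed sample modelled on the curl output in the question.
SAMPLE = """HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth
"""

if __name__ == "__main__":
    print("\n".join(diagnose(parse_transcript(SAMPLE))))
```

In the manifests above, /oauth2/auth is served by the oauth2-proxy IngressRoute, which carries the auth-headers middleware with sslRedirect: true; since that setting answers requests Traefik considers non-TLS with a 301 to the https URL, it is worth checking whether that middleware, rather than oauth2-proxy, is what emits the redirect.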
I solved the problem by simply not using oauth2-proxy, which apparently does not work with Traefik; instead I found another project: https://github.com/thomseddon/traefik-forward-auth
It is a bit simpler, and it works.
I have managed to get Oauth-Proxy working with Traefik. See this exercise.
OAuth2 Proxy with k8s Treafik to protect Kafdrop subdomain URL