Hashi-UI和Nomad身份验证

时间:2017-11-08 21:07:58

标签: docker nginx consul nomad

我需要建议如何为管理Nomad和Consul的Hashi-UI设置身份验证。我有一台Debian 8服务器,安装了Terraform,并编写了terraform文件,它会下载并运行Nomad和Consul。这是可以工作的,但访问Hashi-UI时不需要登录,所以任何人都可以访问它。我喜欢这个Nomad job,它在Nginx上运行。如何为它设置像apache的这种用户登录?

我的Nomad文件:

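# Hashi-UI fronted by an LDAP-authenticating nginx; both tasks use host networking.
#
# Security note (review): with network_mode = "host" and a static port, the
# hashi-ui task itself listens on 0.0.0.0:3000, so anyone who can reach port
# 3000 on the node bypasses the nginx login on port 15080 entirely. The same
# applies to the Nomad (4646) and Consul (8500) APIs that hashi-ui talks to.
# Either restrict those ports to the node itself with a host firewall, or bind
# hashi-ui to loopback (its LISTEN_ADDRESS setting, default "0.0.0.0:3000") and
# proxy to 127.0.0.1:3000 directly instead of going through Consul DNS.
job "hashi-ui" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  update {
    stagger      = "30s"
    max_parallel = 2
  }

  # A single group keeps both tasks on the same node; nginx reaches hashi-ui
  # over host networking on that node.
  group "server" {
    count = 1

    task "hashi-ui" {
      driver = "docker"

      config {
        image        = "jippi/hashi-ui"
        network_mode = "host"
      }

      service {
        # Nomad's default service name is "<job>-<group>-<task>"
        # ("hashi-ui-server-hashi-ui"). The nginx config below resolves
        # hashi-ui.service.consul, so the name must be set explicitly or the
        # lookup finds nothing.
        name = "hashi-ui"
        port = "http"

        check {
          type     = "http"
          path     = "/"
          interval = "10s"
          timeout  = "2s"
        }
      }

      env {
        NOMAD_ENABLE = 1
        # Loopback rather than 0.0.0.0: as a *destination* address 0.0.0.0 only
        # happens to work on Linux, and both APIs are reached on the local node.
        NOMAD_ADDR   = "http://127.0.0.1:4646"

        CONSUL_ENABLE = 1
        CONSUL_ADDR   = "http://127.0.0.1:8500"
      }

      resources {
        cpu    = 500
        memory = 512

        network {
          mbits = 5

          # Exposed directly on the host (see the security note at the top).
          port "http" {
            static = 3000
          }
        }
      }
    }

    task "nginx" {
      driver = "docker"

      config {
        # Image bundles nginx with the LDAP auth module and Lua support used
        # by the config below; /etc/nginx/srv_router.lua is expected to ship
        # inside it (not shown here).
        image        = "ygersie/nginx-ldap-lua:1.11.3"
        network_mode = "host"
        volumes = [
          "local/config/nginx.conf:/etc/nginx/nginx.conf"
        ]
      }

      template {
        data = <<EOF
worker_processes 2;

events {
  worker_connections 1024;
}

# DNS server used by srv_router.lua to resolve the Consul service name.
env NS_IP;
env NS_PORT;

http {
  access_log /dev/stdout;
  error_log /dev/stderr;

  # Cache successful LDAP binds so every request does not hit the directory.
  auth_ldap_cache_enabled on;
  auth_ldap_cache_expiration_time 300000;
  auth_ldap_cache_size 10000;

  ldap_server ldap_server1 {
    # Keep ldaps:// here: the user's password is re-sent to the directory on
    # every uncached bind.
    url ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson);
    group_attribute_is_dn on;
    group_attribute member;
    # Only members of secure-group get through, not every account that binds.
    satisfy any;
    require group "cn=secure-group,ou=Group,dc=example,dc=com";
  }

  # Forward WebSocket upgrades (hashi-ui streams updates over a socket).
  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }

  server {
    # Plain HTTP: Basic-Auth credentials cross the wire in clear text unless
    # the proxy in front (the urlprefix- tag below suggests Fabio) terminates
    # TLS and this port is not reachable from outside the node.
    listen 15080;

    location / {
      auth_ldap "Login";
      auth_ldap_servers ldap_server1;

      # srv_router.lua fills $target from $service via the NS_IP/NS_PORT
      # resolver before the request is proxied.
      set $target '';
      set $service "hashi-ui.service.consul";
      set_by_lua_block $ns_ip { return os.getenv("NS_IP") or "127.0.0.1" }
      set_by_lua_block $ns_port { return os.getenv("NS_PORT") or 53 }

      access_by_lua_file /etc/nginx/srv_router.lua;

      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      # Long-lived WebSocket connections must not be cut by the read timeout.
      proxy_read_timeout 31d;

      proxy_pass http://$target;
    }
  }
}
EOF
        destination = "local/config/nginx.conf"
        change_mode = "noop"
      }

      service {
        port = "http"

        # Consumed by a Fabio-style router for the public hostname.
        tags = [
          "urlprefix-hashi-ui.example.com/"
        ]

        check {
          type     = "tcp"
          interval = "5s"
          timeout  = "2s"
        }
      }

      resources {
        cpu    = 100
        memory = 64

        network {
          mbits = 1

          port "http" {
            static = 15080
          }
        }
      }
    }
  }
}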

感谢您的任何建议。

1 个答案:

答案 0 :(得分:1)

由于您使用的是Nginx,因此可以在Nginx中轻松启用身份验证。这里有一些有用的链接:

有趣的是,这个问题也在HashiUI的GitHub仓库中讨论过。可以看看这种方法: https://github.com/jippi/hashi-ui/blob/master/docs/authentication_example.md

谢谢,Arul