Nginx,Traefik和转发身份验证

时间:2019-05-07 19:41:42

标签: authentication nginx traefik

我正在尝试使用nginx作为传统服务的反向代理,并使用traefik将流量路由到容器。某些服务通过nginx-ldap-auth进行了身份验证。

这是用于容器设置的docker-compose文件:

---
version: '3.7'

networks:
  backend: {}

services:    
  ldap_auth:
    command: >-
      python /usr/src/app/nginx-ldap-auth-daemon.py
      --host 0.0.0.0
      --url ldap://ldap.jumpcloud.com:389
      --starttls starttls
      -b "${LDAP_BASEDN}"
      -D "${LDAP_BINDDN}"
      -w "${LDAP_PASS}"
      --filter "uid=%(username)s"
    expose:
    - "8888"
    image: nginx-ldap-auth
    labels:
      traefik.port: "8888"
      traefik.backend: "nginx-ldap-auth"
      traefik.frontend.rule: "Host:dock.${DOMAIN};PathPrefix:/auth"
    networks:
    - backend
    restart: unless-stopped

  traefik:
    command:
    - --accesslog
    - --api # defaults to port 8080
    # docker
    - --docker
    - --docker.domain=dock.${DOMAIN}
    - --docker.network=${COMPOSE_PROJECT_NAME}_backend
    # acme
    - --acme.acmelogging=true
    - --acme.dnschallenge.provider=ovh
    - --acme.dnschallenge=true
    - --acme.domains=*.${DOMAIN},${DOMAIN}
    - --acme.email=${EMAIL}
    - --acme.entrypoint=https
    - --acme.storage=/etc/traefik/acme.json
    - --acme=true
    # - --acme.onhostrule=true # not usable with wildcard certs
    # entrypoints
    - --defaultentrypoints=http,https
    - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
    - --entryPoints=Name:https Address::443 Compress:true TLS Tls.minVersion:VersionTLS12
    # others
    - --keeptrailingslash=true
    # - --debug
    env_file:
    - ovh.env
    image: traefik:maroilles-alpine
    labels:
      traefik.api.port: "8080"
      traefik.api.frontend.entrypoints: "traefik"
      traefik.api.frontend.rule: "Host:dock.${DOMAIN};PathPrefixStrip:/traefik"
      traefik.frontend.auth.forward.address: "https://dock.${DOMAIN}/auth" # LDAP
    networks:
    - backend
    - default
    ports:
    # - "80:80"     # The HTTP port
    - "4433:443"   # The HTTPS port
    # - "8080:8080" # The Web UI (enabled by --api)
    restart: unless-stopped
    volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro" # So that Traefik can listen to the Docker events
    - "${MOUNT}/docker/traefik:/etc/traefik"

这是其余服务的当前dock.conf

server {
    listen 80;
    server_name dock.domain.com;
    return 301 https://dock.domain.com$request_uri;
}

server {
    listen 443;
    server_name dock.domain.com;

    ssl on;
    include ssl/ssl.conf;

    root /var/www;

    location = / {
        try_files /dev/null @traefik; # no better way to solve this
    }

    location / {
        try_files $uri $uri/ @traefik;
    }

    location @traefik {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:4433;
    }

    location /otherlocation/ {
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
        proxy_pass http://localhost:3000/;
    }

但是,该设置在转发给traefik并需要身份验证的任何位置返回500错误。
我该怎么解决?

0 个答案:

没有答案