Fatal编程技术网
  • nginx/
  • Kubernetes中未找到具有OAuth2身份验证404页的Nginx入口

Kubernetes中未找到具有OAuth2身份验证404页的Nginx入口

nginx kubernetes oauth-2.0

Kubernetes中未找到具有OAuth2身份验证404页的Nginx入口,nginx,kubernetes,oauth-2.0,Nginx,Kubernetes,Oauth 2.0,在上一个关于堆栈溢出的问题之后,在成功的身份验证(在Github.com上)之后,我在浏览器上找到了404页 以下入口配置(由nginx入口控制器使用): 浏览器发送GET to 浏览器被重定向到Github登录页面 成功登录后,浏览器将重定向到 浏览器发送GET到,cookie\u oauth2\u代理已填充 响应为404页未找到 我试图通过oauth2访问的node.js web应用程序已经构建了两个路径(/和/v1)。Web应用程序位于服务Web服务之后 OAuth2 Github应

在上一个关于堆栈溢出的问题之后,在成功的身份验证(在Github.com上)之后,我在浏览器上找到了404页

以下入口配置(由nginx入口控制器使用):

  • 浏览器发送GET to
  • 浏览器被重定向到Github登录页面
  • 成功登录后,浏览器将重定向到
  • 浏览器发送GET到,cookie\u oauth2\u代理已填充
  • 响应为404页未找到
我试图通过oauth2访问的node.js web应用程序已经构建了两个路径(/和/v1)。Web应用程序位于服务Web服务之后

OAuth2 Github应用程序配置:

Homepage URL
https://site.example.com/

Authorization callback URL
https://site.example.com/oauth2/callback
OAuth2部署和服务:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=github
        - --email-domain=*
        - --upstream=file:///dev/null
        - --http-address=0.0.0.0:4180
        # Register a new application
        # https://github.com/settings/applications/new
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: 32066******52
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: ff2b0a***************9bd
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: deSF_t******03-HQ==
        image: quay.io/oauth2-proxy/oauth2-proxy:latest
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
来自oauth2代理容器的日志:

[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51854 - - [2020/11/10 19:47:27] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0
[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51858 - - [2020/11/10 19:47:27] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:51864 - - [2020/11/10 19:47:28] site.example.com GET - "/oauth2/start?rd=%2F" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52004 - marco.***81@gmail.com [2020/11/10 19:48:33] [AuthSuccess] Authenticated via OAuth2: Session{email:marco.***81@gmail.com user:mafi81 PreferredUsername: token:true created:2020-11-10 19:48:32.494549621 +0000 UTC m=+137.822819581}
10.44.0.2:52004 - - [2020/11/10 19:48:32] site.example.com GET - "/oauth2/callback?code=da9c3af9d8f35728d2d1&state=e3280edf2430c507cd74f3d4655500c1%3A%2F" HTTP/1.1 "Mozilla/5.0 ...
10.44.0.2:52012 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52014 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 .... Chrome/86.0.4240.193 Safari/537.36" 404 19 0.000
测试环境:

NGINX Ingress controller
  Release:       v0.41.2
  Build:         d8a93551e6e5798fc4af3eb910cef62ecddc8938
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.4

OAuth2 Pod
  image: quay.io/oauth2-proxy/oauth2-proxy
  • 带有kubeadm v1.19.3的VirtualBox
  • NGINX入口控制器版本=1.9.0
我对入口资源下的路径配置仍然没有信心。 任何关于如何进行故障排除的建议都将非常好

更新

按照Matt的回答,给出了测试身份验证的正确方法,下面是新环境:

NGINX Ingress controller
  Release:       v0.41.2
  Build:         d8a93551e6e5798fc4af3eb910cef62ecddc8938
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.4

OAuth2 Pod
  image: quay.io/oauth2-proxy/oauth2-proxy
入口舱单:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: web
  annotations:
     nginx.ingress.kubernetes.io/auth-response-headers: Authorization
     nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.web.svc.cluster.local:4180/oauth2/auth
     nginx.ingress.kubernetes.io/auth-signin: https://site.example.com/oauth2/start?rd=$request_uri
     nginx.ingress.kubernetes.io/configuration-snippet: |
       auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;

       access_by_lua_block {
         if ngx.var.name_upstream_1 ~= "" then
           ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" ..  ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
         end
       }

spec:
  ingressClassName: nginx-oauth
  rules:
  - host: site.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web-service
          servicePort: 8080
请注意,我必须更改一个注释才能使其正常工作:

  • 验证url:http://oauth2- proxy.web.svc.cluster.local:4180/oauth2/auth(这解决了解决方案失败的问题)
根据您必须使用的

在这里,你可以阅读更多关于

在oath2代理文件(前面提到)中,您可以找到以下内容:

在Kubernetes中使用ingress nginx时,必须使用Kubernetes/ingress nginx(包括Lua模块)和以下ingress配置片段。当位置通过代理程序处理,然后只能由Lua处理时,带有auth_request_set的变量集不能在普通nginx config中设置。请注意,nginxinc/kubernetes入口不包括Lua模块

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }
因此,如果我们可以信任文档,您的身份验证将无法工作,因为您使用了错误的nginx控制器,并且缺少注释。

您从许多响应中删除了状态代码,但在响应日志中看到您的电子邮件地址似乎使所有身份验证都成功进行;如果您导航到
site.example.com/v1/随便什么
,我希望您无需再次单独进行身份验证(当然,假设cookie已成功提供),尽管这不是您所要求的,但在您无法控制的项目上使用
:latest
的docker标记要求非常非常,非常奇怪的虫子开始出现了。该项目从v5到v6进行了几次专门的自我检修,您的集群将在pullYes上进行静默更新。是的,它可以工作!经过一些调整,将更新。谢谢你,马特 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: web
  annotations:
     nginx.ingress.kubernetes.io/auth-response-headers: Authorization
     nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.web.svc.cluster.local:4180/oauth2/auth
     nginx.ingress.kubernetes.io/auth-signin: https://site.example.com/oauth2/start?rd=$request_uri
     nginx.ingress.kubernetes.io/configuration-snippet: |
       auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;

       access_by_lua_block {
         if ngx.var.name_upstream_1 ~= "" then
           ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" ..  ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
         end
       }

spec:
  ingressClassName: nginx-oauth
  rules:
  - host: site.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web-service
          servicePort: 8080

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: web

spec:
  ingressClassName: nginx-oauth

  rules:
  - host: site.example.com
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 4180
        path: /oauth2

  tls:
  - hosts:
    - site.example.com
    secretName: tls

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }