在Kubernetes中找不到带有OAuth2身份验证404页的Nginx入侵
按照前面关于这个链接的堆栈溢出的问题,经过成功的身份验证(在Github.com),我的浏览器上找不到404页。
下面的入侵配置(由nginx-ingress控制器使用):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: nginx-ingress
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
spec:
ingressClassName: nginx
rules:
- host: site.example.com
http:
paths:
- path: /v1
backend:
serviceName: web-service
servicePort: 8080
- path: /
backend:
serviceName: oauth2-proxy
servicePort: 4180
tls:
- hosts:
- site.example.com
secretName: example-tls$ kubectl get ing -n nginx-ingress
NAME CLASS HOSTS ADDRESS PORTS
ingress nginx site.example.com 80, 443 - 浏览器将GET发送到https://site.example.com/,
- 浏览器被重定向到Github登录页面,
- 成功登录后,浏览器被重定向到https://site.example.com/,
- 浏览器发送GET到https://site.example.com/并填充cookie _oauth2_proxy
- 未找到响应404页。
我正在尝试访问的node.js web应用程序是使用两条路径(/和/v1)构建的。Web应用程序是服务web服务的背后。
OAuth2 Github应用程序配置:
Homepage URL
https://site.example.com/
Authorization callback URL
https://site.example.com/oauth2/callbackOAuth2部署和服务:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: nginx-ingress
spec:
replicas: 1
selector:
matchLabels:
k8s-app: oauth2-proxy
template:
metadata:
labels:
k8s-app: oauth2-proxy
spec:
containers:
- args:
- --provider=github
- --email-domain=*
- --upstream=file:///dev/null
- --http-address=0.0.0.0:4180
# Register a new application
# https://github.com/settings/applications/new
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: 32066******52
- name: OAUTH2_PROXY_CLIENT_SECRET
value: ff2b0a***************9bd
- name: OAUTH2_PROXY_COOKIE_SECRET
value: deSF_t******03-HQ==
image: quay.io/oauth2-proxy/oauth2-proxy:latest
imagePullPolicy: Always
name: oauth2-proxy
ports:
- containerPort: 4180
protocol: TCPapiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: nginx-ingress
spec:
ports:
- name: http
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy来自OAuth2-代理容器的日志:
[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51854 - - [2020/11/10 19:47:27] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0
[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51858 - - [2020/11/10 19:47:27] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:51864 - - [2020/11/10 19:47:28] site.example.com GET - "/oauth2/start?rd=%2F" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52004 - marco.***81@gmail.com [2020/11/10 19:48:33] [AuthSuccess] Authenticated via OAuth2: Session{email:marco.***81@gmail.com user:mafi81 PreferredUsername: token:true created:2020-11-10 19:48:32.494549621 +0000 UTC m=+137.822819581}
10.44.0.2:52004 - - [2020/11/10 19:48:32] site.example.com GET - "/oauth2/callback?code=da9c3af9d8f35728d2d1&state=e3280edf2430c507cd74f3d4655500c1%3A%2F" HTTP/1.1 "Mozilla/5.0 ...
10.44.0.2:52012 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52014 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 .... Chrome/86.0.4240.193 Safari/537.36" 404 19 0.000测试环境:
- 带有kubeadm v1.19.3的VirtualBox
- NGINX入侵控制器Version=1.9.0。
我仍然不相信在侵入资源下的路径配置。任何关于如何进行故障排除的建议都是很好的。
更新
按照Matt的回答,给出了测试身份验证的正确方法,下面是新的环境:
NGINX Ingress controller
Release: v0.41.2
Build: d8a93551e6e5798fc4af3eb910cef62ecddc8938
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.4
OAuth2 Pod
image: quay.io/oauth2-proxy/oauth2-proxy进境清单:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: web
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.web.svc.cluster.local:4180/oauth2/auth
nginx.ingress.kubernetes.io/auth-signin: https://site.example.com/oauth2/start?rd=$request_uri
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;
access_by_lua_block {
if ngx.var.name_upstream_1 ~= "" then
ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
end
}
spec:
ingressClassName: nginx-oauth
rules:
- host: site.example.com
http:
paths:
- path: /
backend:
serviceName: web-service
servicePort: 8080apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: web
spec:
ingressClassName: nginx-oauth
rules:
- host: site.example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
tls:
- hosts:
- site.example.com
secretName: tls请注意,我必须更改一个注释才能正常工作:
- auth:http://oauth2- proxy.web.svc.cluster.local:4180/oauth2/auth (这解决了分辨率故障)
回答 1
Stack Overflow用户
发布于 2020-11-12 12:35:10
根据oauth-代理文档,您必须使用kubernetes/入口-nginx。
在这里,您可以阅读更多关于nginxinc/kubernetes-ingress和kubernetes/ Ingress nginx侵入控制器的差异的内容。
在Oath2-代理文档(前面提到)中,您可以找到以下内容:
当您在Kubernetes中使用Ingress nginx时,您必须使用kubernetes/Ingress(其中包括Lua模块)和您的攻题的以下配置片段。当通过auth_request_set处理位置时,使用proxy_pass设置的变量在普通nginx配置中是不可设置的,然后只能由Lua处理。注意,nginxinc/kubernetes-ingress不包括Lua模块。 nginx.ingress.kubernetes.io/auth-response-headers:授权nginx.ingress.kubernetes.io/auth-signin:uri nginx.ingress.kubernetes.io/auth-url:https://$host/oauth2/auth nginx.ingress.kubernetes.io/configuration-snippet: auth_request_set $name_upstream_1 $upstream_cookie_name_1;access_by_lua_block {如果ngx.var.name_upstream_1 ~=“那么ngx.header-Cookie”= "name_1=“ngx.var.name_upstream_1 ..Ngx.var.auth_cookie:match(“;.*)") end }
因此,如果我们可以信任文档,您的身份验证将无法工作,因为您使用的是错误的nginx控制器,并且缺少注释。
https://stackoverflow.com/questions/64776399
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号