Hashi-UI and Nomad authentication

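I need advice on how to set up authentication for Hashi-UI, which I use to manage Nomad and Consul. I have a Debian 8 server where I installed Terraform, and I created a Terraform file. It downloads and runs Nomad and Consul. This works, but when I access Hashi-UI there is no login, so everyone can access it. I run Hashi-UI as a Nomad job. It runs on Nginx. How can I set up a user login for this, like with Apache?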

My Nomad file:

job "hashi-ui" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  update {
    stagger      = "30s"
    max_parallel = 2
  }

  group "server" {
    count = 1

    task "hashi-ui" {
      driver = "docker"

      config {
        image        = "jippi/hashi-ui"
        network_mode = "host"
      }

      service {
        port = "http"

        check {
          type     = "http"
          path     = "/"
          interval = "10s"
          timeout  = "2s"
        }
      }

      env {
        NOMAD_ENABLE  = 1
        NOMAD_ADDR    = "http://0.0.0.0:4646"
        CONSUL_ENABLE = 1
        CONSUL_ADDR   = "http://0.0.0.0:8500"
      }

      resources {
        cpu    = 500
        memory = 512

        network {
          mbits = 5

          port "http" {
            static = 3000
          }
        }
      }
    }

    task "nginx" {
      driver = "docker"

      config {
        image        = "ygersie/nginx-ldap-lua:1.11.3"
        network_mode = "host"

        volumes = [
          "local/config/nginx.conf:/etc/nginx/nginx.conf"
        ]
      }

      template {
        data = <<EOF
worker_processes 2;

events {
  worker_connections 1024;
}

env NS_IP;
env NS_PORT;

http {
  access_log /dev/stdout;
  error_log /dev/stderr;

  auth_ldap_cache_enabled on;
  auth_ldap_cache_expiration_time 300000;
  auth_ldap_cache_size 10000;

  ldap_server ldap_server1 {
    url ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson);
    group_attribute_is_dn on;
    group_attribute member;
    satisfy any;
    require group "cn=secure-group,ou=Group,dc=example,dc=com";
  }

  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }

  server {
    listen 15080;

    location / {
      auth_ldap "Login";
      auth_ldap_servers ldap_server1;

      set $target '';
      set $service "hashi-ui.service.consul";
      set_by_lua_block $ns_ip { return os.getenv("NS_IP") or "127.0.0.1" }
      set_by_lua_block $ns_port { return os.getenv("NS_PORT") or 53 }

      access_by_lua_file /etc/nginx/srv_router.lua;

      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      proxy_read_timeout 31d;
      proxy_pass http://$target;
    }
  }
}
EOF

        destination = "local/config/nginx.conf"
        change_mode = "noop"
      }

      service {
        port = "http"

        tags = [
          "urlprefix-hashi-ui.example.com/"
        ]

        check {
          type     = "tcp"
          interval = "5s"
          timeout  = "2s"
        }
      }

      resources {
        cpu    = 100
        memory = 64

        network {
          mbits = 1

          port "http" {
            static = "15080"
          }
        }
      }
    }
  }
}

Thanks for any advice.

Since you are using Nginx, you can easily enable authentication in Nginx. Here are some helpful links:

  • Basic authentication with Nginx: http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
  • LDAP authentication with Nginx: http://www.allgoodbits.org/articles/view/29

Interestingly, this problem is also discussed in the HashiUI GitHub repository. Take a look at this approach: https://github.com/jippi/hashi-ui/blob/master/docs/authentication_example.md

Thanks, Aru
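
The basic-authentication option from the answer above, applied to the nginx template in the question, as an added example that is not part of the original posts or of the hashi-ui project. The `/etc/nginx/htpasswd` path and the `127.0.0.1:3000` upstream are assumptions; the listener port, log targets and WebSocket headers are taken from the question's job file.

```nginx
worker_processes 2;

events {
  worker_connections 1024;
}

http {
  access_log /dev/stdout;
  error_log  /dev/stderr;

  # Hashi-UI streams updates over WebSockets, so the Upgrade handshake
  # must survive the proxy hop (same map as in the question's template).
  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
  }

  server {
    # Same listener as the question's nginx task.
    # Basic auth only base64-encodes the password, so terminate TLS
    # in front of (or on) this listener before exposing it.
    listen 15080;

    location / {
      # Every request, including the WebSocket upgrade, needs valid
      # credentials from the user file.
      auth_basic           "Login";
      # Assumed path. Mount the file into the container the same way
      # nginx.conf is mounted; create entries with `htpasswd` from
      # apache2-utils or `openssl passwd -apr1`.
      auth_basic_user_file /etc/nginx/htpasswd;

      proxy_http_version 1.1;
      proxy_set_header Upgrade    $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      # Do not forward the user's credentials to the upstream.
      proxy_set_header Authorization "";
      proxy_read_timeout 31d;

      # Assumption: hashi-ui on the same host, static port 3000 as in
      # the question's job (both tasks use network_mode = "host").
      proxy_pass http://127.0.0.1:3000;
    }
  }
}
```

With `network_mode = "host"` and `static = 3000`, the hashi-ui task in the question still answers on port 3000 without any login, so the proxy only protects the UI once that port is firewalled or otherwise unreachable from clients.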