Traefik 2 Basic Authentication (Part 1)
It is common to see systems that ask users to authenticate before they can access an application. For various reasons, internal applications that are reachable from the public network need to sit behind some basic authentication so that they are not exposed directly to everyone.
Besides implementing authentication in one language or another, Traefik can be used to meet these requirements quickly and easily.
Prepare a basic Web service Demo
Let's take whoami as an example and start a Web service with the following configuration:
version: '3'

services:

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # reference https://soulteary.com/2020/12/02/easier-way-to-use-traefik-2.html
      - "traefik.http.routers.test-auth-web.middlewares=https-redirect@file"
      - "traefik.http.routers.test-auth-web.entrypoints=http"
      - "traefik.http.routers.test-auth-web.rule=Host(`whoami.lab.com`, `whoami.lab.io`)"
      - "traefik.http.routers.test-auth-ssl.entrypoints=https"
      - "traefik.http.routers.test-auth-ssl.tls=true"
      - "traefik.http.routers.test-auth-ssl.rule=Host(`whoami.lab.com`, `whoami.lab.io`)"
    networks:
      - traefik

networks:
  traefik:
    external: true
To keep data in transit secure, you should use HTTPS for the exchange. The https-redirect middleware referenced above (https-redirect@file) automatically forwards HTTP requests to HTTPS.
After saving the configuration as docker-compose.yml and starting the service with docker-compose up -d, you should see a page similar to the following.
Basic Auth
Adding Basic Auth to an application with Traefik is as simple as declaring a middleware that contains the basicauth usernames and passwords, and then referencing it on the service routers that require Basic Auth, as follows:
labels:
  ...
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
  - "traefik.http.routers.test-auth-ssl.middlewares=test-auth@docker"
  ...
After restarting the service with docker-compose up -d, you will see a pop-up asking for your username and password.
If you enter an account and password other than test, or leave them empty, you get a 401 Unauthorized error. If you enter test as both the account and the password and click OK, the Demo page is displayed normally.
How to generate a Basic Auth account and password
If you are a macOS user, the Apache htpasswd tool is installed by default.
htpasswd -nb test test
test:$apr1$lH3nyBaa$/wcu0v3.1kydpzphrbiyv/
If you cannot find the command on your system and do not want to install Apache Utils, you can use Docker to generate the account and password instead:
docker run --rm -it --entrypoint /usr/local/apache2/bin/htpasswd httpd:alpine -nb test test
Note, however, that in a compose file every $ in the password hash must be written as $$ to get around the escaping problem (compose would otherwise try to interpolate $apr1 and the rest as variables).
How to configure multiple accounts and passwords
You can configure multiple accounts and passwords in either of the following ways:
- Use a users file that contains multiple accounts
- Use an environment variable that contains multiple accounts
If you have several applications that should all use Basic Auth for basic protection, you can add this "validation middleware" to Traefik's dynamic configuration. If you do not know how to configure Traefik, refer to this article.
To define and manage the user passwords in a file, declare the following in the labels field:
- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
Then store the usernames and passwords we generated in that file, one per line:
test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
If you want each application to have its own account and password, and do not want all user accounts stored and managed in one place, you can solve this with environment variables and a per-project .env file.
Start by defining a validation middleware that reads an environment variable:
- "traefik.http.middlewares.test-auth.basicauth.users=$AUTH_USER_LIST"
Create a .env file in the compose directory and pass in the generated user credentials, separated by commas:
AUTH_USER_LIST=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
Choosing whether to pass the authentication information through
By default, after we log in, Traefik forwards the authorized Authorization header to the backend service, and the backend sees something like the following among the request headers:
Authorization: Basic dGVzdDp0ZXN0
Some applications treat the credentials in this request header as their own login information. The user information we define in Traefik will usually differ from the application's own accounts (and using Traefik's user list as the application's authentication scheme is not recommended in most cases anyway), so the application then fails to log in. We therefore restrict the scope of this authentication step so that it applies only when traffic reaches Traefik, before the request is passed to the application:
- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
After adding the above, Traefik no longer passes the Authorization request header through after we enter the account and password.
To use it or not to use it, that’s the question
Although Basic Auth has been described in some detail, it is not recommended to use it extensively or as the sole authentication mechanism.
In the standard, it encodes the username and password with Base64 and passes them on to other applications. As everyone knows, Base64 is a reversible encoding, so relying on Basic Auth to protect an application is not safe. For example, in the Authorization: Basic dGVzdDp0ZXN0 header mentioned above, the last part, dGVzdDp0ZXN0, can be decoded directly to obtain the plaintext test:test.
However, if your system is not exposed to the public network and has a limited number of users, or provides an open service that you simply do not want indexed by search engines, you can put a layer of Basic Auth in front of the application. Compared with letting users and crawlers reach the machine directly, this also avoids a lot of unnecessary waste of computing resources.
Do not simply follow the crowd and refuse to use it at all; used with restraint in the right scenario, it gets twice the result with half the effort.
Digest Auth
With Basic Auth covered in detail, Digest Auth is easier to understand. As mentioned earlier, Basic Auth has security issues, so this "upgrade" replaces the simple Base64 "encryption" with the MD5 / SHA hash algorithms.
Interestingly, a bug in Mozilla's bug list about the lack of SHA support has been open for 12 years. Recently someone submitted a PR, so perhaps Firefox will support Digest Auth (SHA) soon.
Traefik's Digest Auth middleware and Basic Auth middleware are configured the same way, so you can basically replace basicauth with digestauth to achieve the same goal:
# using Basic Auth
- "traefik.http.middlewares.test-auth.basicauth.users=$AUTH_USER_LIST"
# using Digest Auth
- "traefik.http.middlewares.test-auth.digestauth.users=$AUTH_USER_LIST"
How to generate a Digest Auth account and password
If you are a macOS user, the system also ships with Apache htdigest by default, which can generate the password for the configuration above directly. It is a bit more involved than htpasswd: you have to type the password interactively, because the tool is designed to write a file. In our scenario we do not need a file, so we point the output at /dev/stdout to show the result when the run finishes.
htdigest -c /dev/stdout test test
Adding password for test in realm test.
New password:
Re-type new password:
test:test:3c7ca779a9504185a7b86c8b1c388e90
Similarly, if you cannot find the command on your system and do not want to install Apache Utils, you can use Docker to generate the account and password:
docker run --rm -it --entrypoint /usr/local/apache2/bin/htdigest httpd:alpine -c /dev/stdout test test
Adding password for test in realm test.
New password:
Re-type new password:
test:test:3c7ca779a9504185a7b86c8b1c388e90
To use it or not to use it, that's the question
As mentioned above, current browsers have various "compatibility" issues with this type of authentication: some do not support SHA-1, some do not support SHA-256, and some only support MD5. Frankly, if you use the Digest algorithm for authentication, there is not much difference among the options up to SHA-256. The advantages of the SHA family over MD5 are only the hardware (CPU instruction set) computation speed, a higher attack cost, and relatively fewer collisions.
It is likewise not recommended to make Digest your authentication option; the reasons are the same as those described in the last section on Basic Auth.
Forward Auth
Forward Auth is qualitatively different from the two schemes above. Those two authentication middlewares essentially implement the interaction protocol defined by the RFC standard, while this middleware provides a general authentication-service capability: you are free to connect it to any authentication system or user data source of your own, and even to implement a shared SSO authorization page.
Limited by space, we will cover this part in the next chapter.
Finally
I just wanted to talk about how to quickly build SSO on open source code for personal, team and infrastructure use, but I didn't realize I would need to lay down so much prior knowledge first.
–EOF
I now have a small tinkering group that gathers some friends who like to tinker.
Without any advertising, we talk about software, HomeLab and some programming problems together, and from time to time share information about technical salons in the group.
Friends who like to tinker are welcome to scan the code to add me. (Please state your source and purpose, otherwise the request will not be approved.)
This article is published under an Attribution 4.0 International (CC BY 4.0) license.
Author: Su Yang
Created: December 2nd, 2020. Word count: 5232 words. Reading time: 11 minutes. Article link: soulteary.com/2020/12/02/…