抱歉,您的浏览器无法访问本站

本页面需要浏览器支持(启用)JavaScript


了解详情 >

前言

作为一名工程师,在这个繁杂的网络世界中,想有自己的一片净土。自己有很多的网站,方便自己工作生活,但是苦于网络安全问题不敢轻易部署在公网中,所以发掘了这块一款SSO工具:authelia,他能很方便的在nginx层给你的网站加上独属于你的防火墙,账号密码,如果网站很多,并且没有自己独立的账号系统,那这款工具可以说非常适合你了。

关于authelia

Authelia是一个开源身份验证和授权服务器,可通过Web门户为您的应用程序提供2要素身份验证和单点登录(SSO)。它充当反向代理(如nginxTraefikHAProxy)的伴侣,以使他们知道查询是否应该通过。未经身份验证的用户将重定向到Authelia登录门户。
目前主要可用功能

  • 几种第二因素方法:
  • 使用电子邮件确认通过身份验证重置密码。
  • 仅单因素身份验证方法可用。
  • 尝试过多身份验证后的访问限制。
  • 每个子域,用户,资源和网络的细粒度访问控制。
  • 支持受单一因素保护的端点的基本身份验证。
  • Beta对OpenID Connect的支持。
  • 使用远程数据库具有很高的可用性,Redis可作为高可用性KV存储使用。
  • 开箱即用与Kubernetesingress-nginx控制器兼容。

    最佳实践-部署

    使用容器化部署Authelia是比较简单快捷的方法,可以直接拉取对应的镜像,编辑自定义配置文件即可完成部署,超简单的哦。

    1、拉取authelia镜像:

    docker pull authelia/authelia
    如果存在国内拉取镜像过慢的方法,可以使用以下的命令拉取,是直接使用github actions拉取到国内来的
    docker pull registry.cn-shanghai.aliyuncs.com/bosong/autheli

    2、编写docker compose文件

    docker-compose.yaml文件:
    ---
    version: '3.3'

    services:
    authelia:
    image: registry.cn-shanghai.aliyuncs.com/bosong/authelia
    container_name: authelia
    volumes:
    - /data-colum/authelia:/config
    healthcheck:
    disable: false
    environment:
    - TZ=Asia/Shanghai
    ports:
    - 9999:9091
    ...

注意

  • /data-colum/authelia:/config 此处是直接使用docker部署的配置,需要提前将对应配置放入到对应的文件夹中

    3、配置authelia

    具体的文件排列如下,以 文件夹为例:
    ├── /data-colum/authelia/
    │ ├── configuration.yml #配置文件
    │ └── users_database.yml #用户数据文件
    └── docker-compose.yaml
    configuration.yml模板文件如下:
    ---
    ###############################################################
    # Authelia configuration #
    ###############################################################
    #基本配置:配置端口、jwt秘钥、默认的跳转地址、totp对应的域名
    host: 0.0.0.0
    port: 9091
    log_level: debug
    # This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
    jwt_secret: adakusdhhadsk
    default_redirection_url: https://www.abcd.com
    totp:
    issuer: abcd.com

    # duo_api:
    # hostname: api-123456789.example.com
    # integration_key: ABCDEF
    # # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
    # secret_key: 1234567890abcdefghifjkl

    #用户文件配置:目前Authelia只支持ldap和使用文件形式的用户列表
    authentication_backend:
    file:
    path: /config/users_database.yml

    access_control:
    default_policy: one_factor
    rules:
    # Rules applied to everyone
    - domain: abcd.abcd.com
    policy: one_factor

    #seesion 配置
    session:
    name: authelia
    # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
    secret: asdasfjjhas
    expiration: 3600 # 1 hour
    inactivity: 300 # 5 minutes
    domain: abcd.com # Should match whatever your root protected domain is

    redis:
    host: redis.xxxx.com
    port: 6379
    password: abcdhasd
    database_index: 5
    maximum_active_connections: 100
    minimum_idle_connections: 0

    regulation:
    max_retries: 3
    find_time: 120
    ban_time: 300
    #存储配置
    storage:
    mysql:
    host: mysql.abcd.com
    port: 3306
    database: authelia
    username: authelia
    ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    password: 123456
    #邮件发件配置,主要用于修改密码等操作
    notifier:
    smtp:
    username: noreply@abcd.com
    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    password: abcdaklfdj
    host: smtp.exmail.qq.com
    port: 465
    sender: noreply@abcd.com
    ...
    用户文件模板文件如下:
    users:
    authelia:
    password: $argon2id$v=19$m=65536,t=1,p=8$RUFuRGFEY291UGdaU0Jxqwqe$zqTCjJKc2Ka0MDA3OMQ8rX6HAMyLOppFQl1HPmN8mMI
    displayname: Authelia
    email: abcd@abcd.com
    groups:
    - admins
    - dev

注意

  • default_redirection_url 是直接在auth.abcd.com登录后默认跳转的地址
  • 存储数据库可支持 mysql、sqlite等,结合官方文档来看即可
  • 邮件发送配置如果使用即配置,不使用不配置。
  • 如果需要修改对应的密码,使用docker exec -it 容器名 sh 后执行 authelia hash-password 123456 即可修改密码再进行填充
  • 对应的jwt_secretsession.secret 一定记得更换

    4、部署启动authelia

    在3中已经给出了对应的文件层级,直接根据使用docker-compose执行执行对应命令即可启动
    docker-comose -f docker-compose.yaml up -d

    5、按照文档编写对应nginx的配置文件,以nginx为例,需要编写三个文件:

    ├── /authelia/
    │ ├── authelia.conf authelia文件
    | ├── auth.conf auth文件
    │ └── proxy.conf 代理文件
    └── nginx.conf

authelia.conf文件内容如下

set $upstream_authelia http://127.0.0.1:9999/api/verify;
# Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

auth.conf文件内容如下:

# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.alidaodao.com/?rd=$target_url;

**proxy.conf **文件内容如下:

client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
#proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

# If behind reverse proxy, forwards the correct IP
#set_real_ip_from 10.0.0.0/8;
#set_real_ip_from 172.16.0.0/12;
#set_real_ip_from 192.168.0.0/16;
#set_real_ip_from fc00::/7;
#real_ip_header X-Forwarded-For;
#real_ip_recursive on;

注意:

  • auth.confproxy.conf 文件不需要进行改动,直接保存放入文件夹中即可

  • authelia.conf upstream_authelia 如果authelia使用的是远程的服务,则修改为对应远程地址即可,其他的不用改动

    6、使用nginx配置auth.abcd.com 域名

    文件配置阶段结束了,可以进行实际的应用,除了配置auth的服务域名之外,另外配置一个demo域名来验证auth的sso服务是否可用。

    upstream authelia {
    server localhost:9999;
    }
    server {
    listen 80;
    server_name auth.abcd.com;
    return 301 https://$server_name$request_uri;
    }
    server {
    listen 443 ssl;
    server_name auth.abcd.com;
    charset utf-8;
    ssl_certificate cert/authelia.pem;
    ssl_certificate_key cert/authelia.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log logs/authelia_access.log main;

    location / {
    proxy_pass http://authelia;
    include /data/nginx/authelia/proxy.conf;
    }
    }

    使用以上配置来使auth域名对应的服务生效,可以访问auth.abcd.com来验证服务是否正常对外提供服务。

    7、配置demo.abcd.com域名

    demo.abcd.com域名配置上SSO服务,在访问demo.abcd.com时,如果未进行登录则会跳转到auth.abcd.com进行登录,登录成功后会重定向回demo.abcd.com,配置文件如下:

    upstream demo {
    server localhost:8880;
    }
    server {
    listen 80;
    server_name demo.abcd.com;
    return 301 https://$server_name$request_uri;
    }
    server {
    listen 443 ssl;
    server_name demo.abcd.com;
    charset utf-8;
    #ssl on;
    ssl_certificate cert/demo.pem;
    ssl_certificate_key cert/demo.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log logs/demo_access.log main;
    #将authelia.conf配置在此处
    include /data/nginx/authelia/authelia.conf;
    location / {
    proxy_pass http://demo;
    #配置auth和代理
    include /data/nginx/authelia/auth.conf;
    include /data/nginx/authelia/proxy.conf;
    }
    }

    使用以上配置即可成功让demo.abcd.com网站接入sso服务,来保障demo.abcd.com对应的服务不被匿名访问到

    总结

    没有十全十美的工具,只看怎么使用,在使用authelia的过程中也发现了很多的不足:

  • 非ldap模式下配置用户比较麻烦,修改完文件后还需要进行重启

  • 如果出现如下警告: nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size 在nginx.conf 配置文件中加上 以下配置即可。

    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;
  • 这篇文章是自己根据实际经验编写的,如果有错漏之处可以参考官方文档

评论