如何使用 NGINX 入口注释保留重定向的身份验证标头

Question 1

这是我为克服授权标头的剥离所做的事情：

annotations:
  ... your other annotations
  nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_set_header Authorization $http_authorization;

这将强制设置一个新的授权标头，该标头从实际授权标头中读取其值。

我还没有尝试使用外部授权，只尝试了基本授权。

Answer

这是我为克服授权标头的剥离所做的事情：

annotations:
  ... your other annotations
  nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_set_header Authorization $http_authorization;

这将强制设置一个新的授权标头，该标头从实际授权标头中读取其值。

我还没有尝试使用外部授权，只尝试了基本授权。

Question 2

您可以使用外部身份验证将原始 URL 指向为 auth-url

annotations:
    nginx.ingress.kubernetes.io/auth-url: https://original/user/passwd

另请查看此例子

希望这会有所帮助

Answer

您可以使用外部身份验证将原始 URL 指向为 auth-url

annotations:
    nginx.ingress.kubernetes.io/auth-url: https://original/user/passwd

另请查看此例子

希望这会有所帮助

Question 3

设置nginx.ingress.kubernetes.io/auth-response-headers annotation对我有用

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-response-headers: >-
      X-Auth-Request-Email,X-Auth-Request-Preferred-,X-Auth-Request-Access-Token,
      X-Auth-Request-Roles,X-Auth-Request-User,X-Auth-Request-Groups,X-Forwarded-Groups,
      Authorization
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    #nginx.ingress.kubernetes.io/auth-cache-key: $remote_user$http_authorization
    ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $token $upstream_http_authorization;
      proxy_set_header Authorization $token;
      proxy_pass_header Authorization;
  name: external-auth-oauth2
  namespace: kubernetes-dashboard
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443

Answer

设置nginx.ingress.kubernetes.io/auth-response-headers annotation对我有用

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-response-headers: >-
      X-Auth-Request-Email,X-Auth-Request-Preferred-,X-Auth-Request-Access-Token,
      X-Auth-Request-Roles,X-Auth-Request-User,X-Auth-Request-Groups,X-Forwarded-Groups,
      Authorization
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    #nginx.ingress.kubernetes.io/auth-cache-key: $remote_user$http_authorization
    ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $token $upstream_http_authorization;
      proxy_set_header Authorization $token;
      proxy_pass_header Authorization;
  name: external-auth-oauth2
  namespace: kubernetes-dashboard
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443

如何使用 NGINX 入口注释保留重定向的身份验证标头

答案1

答案2

答案3

相关内容