How does one use nginx to solve the cross-origin problem of basic auth in k8s traefik ?, Nginxk8s

Source: Internet
Author: User
Tags k8s

Nginx ingress controller setup

How does one use nginx to solve the cross-origin problem of basic auth in k8s traefik ?, Nginxk8s
Purpose
Nginx ingress controller
Currently, k8s ingress is used in combination with traefik. At this time, you need to add a basic auth Security Authentication for a domain name. The original traefik can also be configured normally (many production environments already use traefik basic auth ), however, because the domain name here needs to be called in other web domains and involves cross-domain issues, refer to the traefik documentation for the Cross-Domain issues related to basic auth that are not found in k8s. Later, I analyzed the basic auth in nginx and finally solved this problem using nginx + ingress + traefik.

Procedure
Generate the basic auth User Password File
Ingress nginx kubernetes
htpasswd -bc ngauth username password
Configure k8s configMap of nginx: nginx ingress controller kubernetes

kind: ConfigMapapiVersion: v1metadata:  name: nginx-conf  namespace: kube-appsdata:  nginx.conf: |    user  nginx;    worker_processes  1;    error_log  /var/log/nginx/error.log warn;    pid        /var/run/nginx.pid;    events {        worker_connections  1024;    }    http {        default_type  application/octet-stream;        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '                          '$status $body_bytes_sent "$http_referer" '                          '"$http_user_agent" "$http_x_forwarded_for"';        access_log  /var/log/nginx/access.log  main;        sendfile        on;        #tcp_nopush     on;        keepalive_timeout  65;        #gzip  on;        upstream monitors {            server monitoring-system-service.kube-apps:8080;        }        server {            listen 80;            auth_basic           "closed site";            auth_basic_user_file ngauth;            location / {              if ($request_method = OPTIONS ) {                add_header Access-Control-Allow-Origin "null"; # <- needs to be updated                add_header Access-Control-Allow-Methods "GET, OPTIONS";                add_header Access-Control-Allow-Headers "Authorization";   # <- You may not need this...it's for Basic Auth                add_header Access-Control-Allow-Credentials "true";        # <- Basic Auth stuff, again                add_header Content-Length 0;                add_header Content-Type text/plain;                return 200;              }              proxy_pass https://monitors;            }        }    }  ngauth: |    username:password
Note: Replace the username and password in ngauth with the username and password used to generate the file in step 1.

3. We recommend that you use docker for local debugging. If there is no problem, you can proceed to the next step and deploy it to k8s.

docker run --name nginx-container -v /home/user/nginx/:/etc/nginx/nginx.conf:ro -d nginx:1.12.2
Deploy to k8s

Nginx. yaml is as follows: kubernetes ingress nginx master

apiVersion: v1kind: Servicemetadata:  name: nginx  labels:    app: nginx  namespace: kube-appsspec:  type: NodePort  selector:    app: nginx  ports:  - name: http    port: 80    targetPort: 80---apiVersion: extensions/v1beta1kind: Deploymentmetadata:  name: nginx  namespace: kube-apps  labels:    addonmanager.kubernetes.io/mode: Reconcilespec:  template:    metadata:      labels:        app: nginx    spec:      containers:      - name: nginx        image: nginx:1.12.2        ports:        - containerPort: 80        volumeMounts:        - name: config-volume          mountPath: /etc/nginx/      volumes:      - name: config-volume        configMap:          name: nginx-conf          items:          - key: nginx.conf            path: nginx.conf          - key: ngauth            path: ngauth
Run:

$ kubectl create -f configMap.yaml $ kubectl create -f nginx.yaml 
Configure traefik to point to the nginx service address.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.