Example: adding zero-trust authentication to a website

https://github.com/authelia/authelia
Authelia deployment reference: https://blog.bosong.online/authelia-based-best-practices.html?keyword=auth
Required components: K8s, Rancher, DNS, Nginx, Authenticator
First deploy Authelia, Rancher, DNS and the other related components.

Requirement:
The xunjian website, IP address 1.1.1.1, is currently reachable directly by IP; zero-trust authentication needs to be added in front of it.

The following uses adding Authelia authentication to the xunjian web site as the example.
I. Authelia configuration
1. On the k8s01 server, add a xunjian.conf file
cd /home/work/k8s/project/sso-authelia/nginx/conf.d
+ xunjian.conf file:

    upstream xunjian {
        server 1.1.1.1:50015;   # replace with the IP:port of the xunjian site
    }
    server {
        listen 80;
        server_name xunjian.if.net;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name xunjian.if.net;
        charset utf-8;
        #ssl on;
        ssl_certificate      /etc/nginx/server.crt;
        ssl_certificate_key  /etc/nginx/server.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated; drop them and keep TLSv1.2 (and TLSv1.3) once all clients support it
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        access_log  /var/nginx/bjzt-k8s_access.log  main;
        include /etc/nginx/authelia.conf;   # Authelia auth_request / redirect snippet
        location / {
            proxy_pass http://xunjian/;
            include /etc/nginx/auth.conf;
            include /etc/nginx/proxy.conf;
        }
    }

2. Add to nginx.conf
/home/work/k8s/project/sso-authelia/nginx/conf.d/nginx.conf
+ include /etc/nginx/xunjian.conf;

3. Add to nginx-service.yaml
/home/work/k8s/project/sso-authelia/nginx/nginx-service.yaml
Add an entry for the new file under the items list of the nginx-config configMap volume, so that it is mounted as /etc/nginx/xunjian.conf:
+   - key: xunjian.conf
+     path: xunjian.conf

4. Restart the service

# delete the config map
cd /home/work/k8s/project/sso-authelia/nginx/conf.d
kubectl delete configmap nginx-config -n operate

# delete the deployed application
cd /home/work/k8s/project/sso-authelia
kubectl delete deployment nginx -n operate

# re-create the config map in the namespace operate from the conf.d directory
kubectl create configmap nginx-config --from-file=/home/work/k8s/project/sso-authelia/nginx/conf.d/ --namespace='operate'

# start the pod
cd /home/work/k8s/project/sso-authelia/nginx
kubectl apply -f nginx-service.yaml

II. Configure DNS so that the domain xunjian.if.net resolves to the address where the Authelia service is deployed

III. In the Rancher load balancer, add the hostname routing configuration in the namespace operate

Result: visiting https://xunjian.if.net redirects to the auth login page; after entering the username and password, and then the 6-digit one-time code obtained from the phone, the browser is redirected to the xunjian site.
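Once the chain is in place it is worth checking that the only route to the application really is the Authelia front end. The script below is an added example, not part of the original post: it probes the public name (which must bounce anonymous requests to the login page) and the origin by IP (which must be closed by the iptables ACL from Note 1 or the default server from Note 2), using the hostname, IP and port from the post. It assumes curl is installed and that it is run from a host that is not in the origin's allow list; the 302/401 codes come from the standard Authelia nginx snippet (auth_request returns 401, which error_page turns into a 302 to the portal).

```shell
#!/bin/sh
# Added example, not from the original post: post-deployment checks that the
# xunjian site can only be reached through the Authelia-protected front end.
# Assumptions: hostname, origin IP and port as in the post; curl on PATH.
set -u

FRONT_URL=${FRONT_URL:-"https://xunjian.if.net/"}   # public entry behind Authelia
ORIGIN=${ORIGIN:-"1.1.1.1:50015"}                    # origin nginx from the post
CURL_OPTS="-k -s -o /dev/null --max-time 5"          # -k: self-signed server.crt

# http_code URL [curl args...]: print the HTTP status code, or "curl:<rc>" when
# no HTTP response came back (rc 7 = connection refused, 28 = timeout, which is
# what an iptables DROP on the origin port looks like from outside).
http_code() {
    url=$1; shift
    code=$(curl $CURL_OPTS -w '%{http_code}' "$@" "$url")
    rc=$?
    if [ "$rc" -ne 0 ]; then echo "curl:$rc"; else echo "$code"; fi
}

# verdict NAME OBSERVED ACCEPTED: ACCEPTED is a space-separated list of results
# that count as a pass. Prints PASS/FAIL and returns 0/1.
verdict() {
    name=$1; observed=$2; accepted=$3
    for ok in $accepted; do
        if [ "$observed" = "$ok" ]; then
            echo "PASS $name: $observed"
            return 0
        fi
    done
    echo "FAIL $name: got $observed, expected one of: $accepted"
    return 1
}

# run_checks: returns the number of failed checks (0 = everything closed).
run_checks() {
    fails=0
    # 1. An anonymous request to the public name must be bounced to the Authelia
    #    portal (auth_request yields 401, which the standard snippet turns into
    #    a 302 to the login page).
    verdict "front end requires login" \
        "$(http_code "$FRONT_URL")" "302 401" || fails=$((fails + 1))
    # 2. Going to the origin by IP must not serve the app: either the iptables
    #    ACL from Note 1 drops the packets (curl:7 / curl:28) or the default
    #    server from Note 2 answers 403.
    verdict "origin by IP is closed" \
        "$(http_code "http://$ORIGIN/")" "403 curl:7 curl:28" || fails=$((fails + 1))
    # 3. The same request carrying the site's Host header must still be blocked
    #    at the network layer. A 200 here means only the server_name filter is
    #    in place; the Host header is chosen by the client, so that filter alone
    #    does not keep the origin private.
    verdict "origin ignores Host header" \
        "$(http_code "http://$ORIGIN/" -H "Host: xunjian.if.net")" "curl:7 curl:28" \
        || fails=$((fails + 1))
    return "$fails"
}

# Run the checks only when invoked as `sh check_zero_trust.sh --run`, so the
# functions above can also be sourced from other scripts.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh check_zero_trust.sh --run` from a workstation outside the allow list; the exit status is the number of failed checks, so it can be dropped into a cron job or CI step that alerts when the origin becomes reachable again.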

Install Authenticator on the phone:

Note:
1. On the origin server, add an iptables ACL so that only the Rancher and Authelia hosts can reach the origin; this is what actually enforces the zero-trust check, since otherwise the site stays reachable by IP around the login page.
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 7163 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7163 -j DROP
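Two things go wrong with the two rules above when they are applied by hand more than once: `-A` appends, so a second run stacks duplicate rules, and an ACCEPT appended after an existing DROP never matches. The script below is an added example, not from the original post: it applies the same ACL idempotently (check with `-C` before appending, move the DROP back to the end when new sources are added). It assumes the origin port from the post's rules, a placeholder allow list (the post's 1.1.1.1; in practice these are the nginx/Authelia and Rancher node addresses), and that the iptables binary is on PATH; set IPTABLES to a wrapper to dry-run it.

```shell
#!/bin/sh
# Added example, not from the original post: apply the origin-site ACL from
# Note 1 idempotently. Assumptions: PORT is the origin port used in the post's
# rules, ALLOWED_SOURCES lists the proxy/Authelia and Rancher hosts (placeholder
# value below), and IPTABLES names the iptables binary (or a dry-run wrapper).
set -eu

PORT=${PORT:-7163}
ALLOWED_SOURCES=${ALLOWED_SOURCES:-"1.1.1.1"}   # space-separated; placeholder
IPTABLES=${IPTABLES:-iptables}

# ensure_rule CHAIN RULE...: append the rule only if an identical one is not
# already present (-C checks for it), so re-running never stacks duplicates.
ensure_rule() {
    chain=$1; shift
    if $IPTABLES -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        $IPTABLES -A "$chain" "$@"
        echo "added: $chain $*"
    fi
}

# apply_acl: one ACCEPT per allowed source followed by the catch-all DROP.
# Because -A appends, an existing DROP from an earlier run would sit in front
# of any newly added ACCEPT and shadow it, so the DROP is removed first and
# re-appended after the ACCEPTs.
apply_acl() {
    if $IPTABLES -C INPUT -p tcp -m tcp --dport "$PORT" -j DROP 2>/dev/null; then
        $IPTABLES -D INPUT -p tcp -m tcp --dport "$PORT" -j DROP
    fi
    for src in $ALLOWED_SOURCES; do
        ensure_rule INPUT -s "$src" -p tcp -m tcp --dport "$PORT" -j ACCEPT
    done
    ensure_rule INPUT -p tcp -m tcp --dport "$PORT" -j DROP
}

# Apply only when invoked as `sh origin_acl.sh --apply`, so the functions can
# be sourced and exercised with a fake IPTABLES first.
if [ "${1:-}" = "--apply" ]; then
    apply_acl
fi
```

Run `ALLOWED_SOURCES="<proxy-ip> <rancher-ip>" sh origin_acl.sh --apply` on the origin host; running it again reports every rule as present and leaves the chain unchanged. It does not persist the rules across reboots (iptables-save or the distribution's rule file still has to be used for that), and it only manages these two rules, so an unrelated earlier ACCEPT for the same port in the INPUT chain would still need to be removed by hand.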

2. If the origin is published through nginx, the server_name can additionally be used to restrict it, with a default server that rejects every other Host:

server {
    listen       50015;
    server_name  xunjian.if.net;   # only requests for the published name reach the site
    charset      utf-8;
    location / {
        root    /opt/xunjian/;
        index   lvs_checker_daily.html;
    }
}
server {
    listen 50015 default;          # catch-all for requests whose Host does not match
    server_name _;
    return 403;
}
