Traefik+Docker Reverse Proxy - Different Auth For Different Paths?
I am running a Docker service (OwnTracks Recorder), using Traefik as a reverse proxy for authentication. It's set up via docker-compose; here are the labels on the service:
labels:
- traefik.enable=true
- traefik.frontend.rule=PathPrefixStrip:/owntracks
- traefik.frontend.auth.basic=user1:hash1,user2:hash2
This works as expected. The problem I'm trying to solve is that Owntracks actually has two elements: a dashboard, at https://example.com/owntracks, and an api, at https://example.com/owntracks/pub. Although owntracks itself has no built-in authentication, I'd like to limit the dashboard to only user1, while allowing all authenticated users to reach the api. Owntracks' documentation gives an nginx example, which I think in my case might look like:
location /owntracks/dashboard/ {
auth_basic ....;
proxy_pass http://127.0.0.1:8083/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
location /owntracks/pub/ {
auth_basic ....;
proxy_pass http://127.0.0.1:8083/pub/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
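The problem is, I don't know how to configure something like this in Traefik. As I understand it, you get one traefik.frontend.auth.basic "label" for the whole container? Ideally, I'd prefer to set this up via labels in Owntracks' docker-compose file, to avoid needing custom per-service configuration in Traefik itself (i.e. so I can rely on Traefik to auto-discover services).
Any pointers would be greatly appreciated.
The solution is to use segments. Traefik's documentation is a bit misleading: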
Segment labels are used to define routes to a container exposing multiple ports. A segment is a group of labels that apply to a port exposed by a container. You can define as many segments as ports exposed in a container.
In fact, segments aren't only for containers with multiple ports; you can define more segments than the ports the container exposes. In this case, it's simple:
labels:
- traefik.enable=true
- traefik.segment1.frontend.rule=PathPrefix:/owntracks/pub;ReplacePath:/pub
- traefik.segment1.frontend.auth.basic=user1:hash1,user2:hash2
- traefik.segment2.frontend.rule=PathPrefixStrip:/owntracks
- traefik.segment2.frontend.auth.basic=user1:hash1
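A simplified model of how the segment labels above route and authorize a request, added here as an example; it is not part of the original answer and not Traefik's own code. It assumes Traefik 1.x's default ordering (the longest rule string is tried first) and treats password verification as already done; parse_segments and route are hypothetical names.

```python
# Simplified model (an assumption, not Traefik's code) of how Traefik 1.x
# evaluates the segment labels from the answer. hash1/hash2 are the page's
# placeholders; only the user names matter here.
LABELS = [
    "traefik.enable=true",
    "traefik.segment1.frontend.rule=PathPrefix:/owntracks/pub;ReplacePath:/pub",
    "traefik.segment1.frontend.auth.basic=user1:hash1,user2:hash2",
    "traefik.segment2.frontend.rule=PathPrefixStrip:/owntracks",
    "traefik.segment2.frontend.auth.basic=user1:hash1",
]

def parse_segments(labels):
    """Group traefik.<segment>.frontend.* labels into one frontend per segment."""
    segments = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if len(parts) < 4 or parts[2] != "frontend":
            continue  # e.g. traefik.enable, which is not segment-scoped
        seg = segments.setdefault(parts[1], {"name": parts[1]})
        if parts[3:] == ["rule"]:
            seg["rule"] = value
        elif parts[3:] == ["auth", "basic"]:
            seg["users"] = {entry.split(":", 1)[0] for entry in value.split(",")}
    # Assumed default ordering: the longest rule string is tried first, so the
    # more specific /owntracks/pub frontend wins over /owntracks.
    return sorted(segments.values(), key=lambda s: len(s.get("rule", "")), reverse=True)

def route(path, user, labels=LABELS):
    """Return (status, segment, upstream_path); user=None means no credentials."""
    for seg in parse_segments(labels):
        upstream, matched = path, False
        for part in seg.get("rule", "").split(";"):
            kind, _, arg = part.partition(":")
            if kind in ("PathPrefix", "PathPrefixStrip"):
                if not path.startswith(arg):
                    break  # this frontend does not match; try the next one
                matched = True
                if kind == "PathPrefixStrip":
                    upstream = path[len(arg):] or "/"
            elif kind == "ReplacePath":
                upstream = arg  # the whole request path is replaced
        else:
            if matched:
                users = seg.get("users")
                if users is not None and user not in users:
                    return 401, seg["name"], None
                return 200, seg["name"], upstream
    return 404, None, None
```
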