
我需要一些建议:如何为 Hashi-UI 设置身份验证,以便管理 Nomad 和 Consul。我有一台 Debian 8 服务器,在上面安装了 Terraform,并编写了 terraform 文件,用来下载并运行 Nomad 和 Consul。这些都能正常工作,但是访问 Hashi-UI 时没有登录步骤,因此任何人都可以访问它。我把 Hashi-UI 作为一个 Nomad 作业(job)来运行,它运行在 Nginx 上。怎样才能像在 Apache 上那样为它设置用户登录?

我的 Nomad 作业文件:

# Nomad service job that runs two Docker tasks in one group: the hashi-ui web
# console (task "hashi-ui") and an nginx reverse proxy that enforces LDAP
# authentication in front of it (task "nginx").
#
# NOTE(review): both tasks use network_mode = "host" and static ports, so the
# UI on port 3000 and the proxy on port 15080 are both exposed on the host.
# Nothing in this file limits who can reach port 3000, so the LDAP check in
# nginx protects only clients that arrive through port 15080. Confirm that a
# host firewall or a restricted listen address closes the direct path.
job "hashi-ui" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  # Rolling-update settings: up to 2 allocations at a time, 30s apart.
  update {
    stagger      = "30s"
    max_parallel = 2
  }
group "server" {
  count = 1

    # The UI itself. It has no login configured in this file.
    task "hashi-ui" {
      driver = "docker"

      config {
        # NOTE(review): no tag or digest is given, so Docker resolves this to
        # the "latest" tag; pin a version for reproducible, reviewable deploys.
        image        = "jippi/hashi-ui"
        network_mode = "host"
      }

      # Registers the task in the service catalog with an HTTP health check on "/".
      # NOTE(review): no service name is set here, while the nginx template
      # below looks up "hashi-ui.service.consul" - confirm the registered name
      # actually matches that lookup.
      service {
        port = "http"

        check {
          type     = "http"
          path     = "/"
          interval = "10s"
          timeout  = "2s"
        }
      }

      env {
        # NOTE(review): the UI talks to the Nomad and Consul APIs over plain
        # HTTP and no ACL token is supplied in this file, so anyone who reaches
        # the UI presumably gets whatever access those APIs grant to anonymous
        # callers. 0.0.0.0 is also an unusual destination address - verify.
        NOMAD_ENABLE = 1
        NOMAD_ADDR   = "http://0.0.0.0:4646"

        CONSUL_ENABLE = 1
        CONSUL_ADDR = "http://0.0.0.0:8500"
      }

      resources {
        cpu    = 500
        memory = 512

        network {
          mbits = 5

          # Fixed host port for the UI. With host networking this is reachable
          # without passing through the nginx task (see the note at the top).
          port "http" {
            static = 3000
          }
        }
      }
    }
     # Reverse proxy that requires an LDAP login before forwarding to the UI.
     task "nginx" {
            driver = "docker"
            config {
                # Pinned to a tag (not a digest); the image name suggests nginx
                # built with the LDAP auth and Lua modules the template uses.
                image = "ygersie/nginx-ldap-lua:1.11.3"
                network_mode = "host"
                # Mounts the rendered template below over the container's nginx.conf.
                volumes = [
                    "local/config/nginx.conf:/etc/nginx/nginx.conf"
                ]
            }

            # Inline nginx.conf, written to local/config/nginx.conf.
            # What the config below does:
            #   - defines LDAP server "ldap_server1" over ldaps:// and requires
            #     membership of one group; the host, base DN and group DN are
            #     example.com placeholders and must be replaced with real values;
            #   - listens on 15080 with no TLS configured in this block, so the
            #     credentials entered at the "Login" prompt cross the network
            #     unencrypted unless something in front terminates TLS - confirm;
            #   - applies auth_ldap to "location /", then sets $target through
            #     /etc/nginx/srv_router.lua (not shown here; presumably shipped in
            #     the image) for the name "hashi-ui.service.consul", using the DNS
            #     server from NS_IP / NS_PORT (defaults 127.0.0.1 and 53);
            #   - forwards Upgrade/Connection headers and uses a 31-day read
            #     timeout, presumably to keep long-lived WebSocket sessions open.
            template {
                data = <<EOF
worker_processes 2;

events {
  worker_connections 1024;
}

env NS_IP;
env NS_PORT;

http {
  access_log /dev/stdout;
  error_log /dev/stderr;

  auth_ldap_cache_enabled on;
  auth_ldap_cache_expiration_time 300000;
  auth_ldap_cache_size 10000;

  ldap_server ldap_server1 {
    url ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson);
    group_attribute_is_dn on;
    group_attribute member;
    satisfy any;
    require group "cn=secure-group,ou=Group,dc=example,dc=com";
  }

  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }

  server {
    listen 15080;

    location / {
      auth_ldap "Login";
      auth_ldap_servers ldap_server1;

      set $target '';
      set $service "hashi-ui.service.consul";
      set_by_lua_block $ns_ip { return os.getenv("NS_IP") or "127.0.0.1" }
      set_by_lua_block $ns_port { return os.getenv("NS_PORT") or 53 }

      access_by_lua_file /etc/nginx/srv_router.lua;

      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_read_timeout 31d;

      proxy_pass http://$target;
    }
  }
}
EOF
                destination = "local/config/nginx.conf"
                # "noop": Nomad takes no action on the task when the rendered
                # template changes.
                change_mode = "noop"
            }

            # Registers the proxy with a TCP health check.
            service {
                port = "http"

                # NOTE(review): looks like a fabio-style route tag for the host
                # hashi-ui.example.com (placeholder) - confirm which router
                # consumes it and whether that router terminates TLS.
                tags = [
                    "urlprefix-hashi-ui.example.com/"
                ]

                check {
                    type = "tcp"
                    interval = "5s"
                    timeout = "2s"
                }
            }

            resources {
                cpu = 100
                memory = 64
                network {
                    mbits = 1
                    # Fixed host port; matches "listen 15080" in the template.
                    # Written as a string here but as a number for the UI task.
                    port "http" {
                        static = "15080"
                    }
                }
            }
        }
    }
}

谢谢你的任何建议。


1 回答 1


由于您使用的是 Nginx,因此您可以轻松地在 Nginx 中启用身份验证。这里有一些有用的链接:

有趣的是,Hashi-UI 的 GitHub 仓库中也讨论过这个问题。也可以看看这种方法:https://github.com/jippi/hashi-ui/blob/master/docs/authentication_example.md

谢谢,阿鲁

于 2017-11-09T23:05:52.957 回答