我需要你帮我解决这个问题。
我正在Docker Swarm环境中设置一个身份验证服务,使用Keycloak作为提供者,使用OAuth2-proxy和forwardauth和errors中间件。实际上,我在几个月前为3台服务器设置了这些服务,它们工作正常,但当我尝试在新服务器上设置时,我得到了500个HTTP错误。
即使我将traefik日志级别设置为DEBUG,也没有更多关于错误的日志信息,当我查看traefik时,我只看到了它。
14.168.51.149 - - [26/Sep/2022:04:29:09 +0000] "GET / HTTP/2.0" 500 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" 2412 "auth_testing@docker" "-" 30000ms同时附加我的测试服务和oauth的配置:
oauth:
image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.1
deploy:
placement:
constraints: [node.labels.web==web]
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth.rule=Host(`oauth.${HOST_ABBR}.domain.org`) || PathPrefix(`/oauth2`)"
- "traefik.http.routers.oauth.entrypoints=websecure"
- "traefik.http.routers.oauth.tls=true"
- "traefik.http.routers.oauth.tls.certresolver=leresolver"
# Set up service
- "traefik.http.routers.oauth.service=oauth@docker"
- "traefik.http.services.oauth.loadbalancer.server.port=4185"
# Set up middlewares
- 'traefik.http.middlewares.oauth.forwardauth.address=https://oauth.${HOST_ABBR}.doamin.org/oauth2/auth'
- 'traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email, X-Auth-Request-Preferred-Username, X-Auth-Request-Access-Token'
- "traefik.http.middlewares.oauth-signin.errors.service=oauth@docker"
- "traefik.http.middlewares.oauth-signin.errors.status=401,403"
- "traefik.http.middlewares.oauth-signin.errors.query=/oauth2/sign_in"
environment:
OAUTH2_PROXY_CLIENT_ID: 'coffee_authentication'
OAUTH2_PROXY_CLIENT_SECRET: 'xxxxxxx99af13b51'
OAUTH2_PROXY_PROVIDER: 'keycloak'
OAUTH2_PROXY_SCOPE: 'openid profile email'
OAUTH2_PROXY_OIDC_ISSUER_URL: '${MY_DOMAIN}/auth/realms/coffee'
OAUTH2_PROXY_LOGIN_URL: '${MY_DOMAIN}/auth/realms/coffee/protocol/openid-connect/auth'
OAUTH2_PROXY_REDEEM_URL: '${MY_DOMAIN}/auth/realms/coffee/protocol/openid-connect/token'
OAUTH2_PROXY_PROFILE_URL: '${MY_DOMAIN}/auth/realms/coffee/protocol/openid-connect/userinfo'
OAUTH2_PROXY_VALIDATE_URL: '${MY_DOMAIN}/auth/realms/coffee/protocol/openid-connect/userinfo'
OAUTH2_PROXY_PASS_ACCESS_TOKEN: 'true'
OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
OAUTH2_PROXY_PASS_BASIC_AUTH: 'true'
OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
OAUTH2_PROXY_COOKIE_DOMAINS: '${MY_DOMAIN}'
OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
OAUTH2_PROXY_COOKIE_REFRESH: '12h'
OAUTH2_PROXY_COOKIE_SECURE: 'false'
# python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
OAUTH2_PROXY_COOKIE_SECRET: '${SECRET_COOKIE}'
OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE: '/oauth-conf/authorized_emails.txt'
#OAUTH2_PROXY_EMAIL_DOMAINS: '*'
OAUTH2_PROXY_WHITELIST_DOMAINS: '*'
OAUTH2_PROXY_REVERSE_PROXY: 'true'这里是我的服务与traefik标签:
labels:
- "traefik.enable=true"
- "traefik.http.routers.auth_testing.rule=Host(`test.${HOST_ABBR}.domain.org`)"
- "traefik.http.routers.auth_testing.entrypoints=websecure"
- "traefik.http.routers.auth_testing.tls=true"
- "traefik.http.routers.auth_testing.tls.certresolver=leresolver"
#- "traefik.http.middlewares.auth_testing_auth.basicauth.users=${HOST_USER}:${HOST_HASHED_PASS}"
#- "traefik.http.routers.auth_testing.middlewares=auth_testing_auth"
- "traefik.http.routers.auth_testing.middlewares=oauth-signin,oauth"
# Set up service
- "traefik.http.services.auth_testing_svc.loadbalancer.server.port=5000"
- "traefik.http.routers.auth_testing.service=auth_testing_svc"希望你能帮忙,我已经遇到这个问题一个星期了,仍然在检查它或建议一些地方,我可以把调试代码。
非常感谢你。
1条答案
按热度按时间bgibtngc1#
由于某种原因,此服务器中的Traefik无法将请求路由到HTTPS URL为
https://oauth.${HOST_ABBR}.doamin.org/oauth2/auth的OAuth,因此我尝试使用内部请求:http://oauth:4185/oauth2/auth,它对我很有效。替换此行
执行人