Implementing SSO with Authelia

2021-08-20 • Estimated reading time: 2 minutes

When building an environment out of containers, you run into the problem of authentication. It would be both safer and more convenient to have SSO the way Apereo CAS provides it. Auth0 offers similar functionality, but getting it to work together with traefik makes it somewhat cumbersome to use. In the end I settled on Authelia.

By default it provides the following policies:

  • bypass // skip the security check entirely
  • one_factor // password only
  • two_factor // password plus TOTP

I use only a very small part of what it offers: adding SSO in front of containers. If you want SSO for an ordinary website, that is possible as well.

Setup

Add the following service to docker-compose.yaml:

authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`login.wentao.org`)'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.wentao.org/'
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
    restart: unless-stopped
    depends_on: 
      - service.redis
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Shanghai

It is recommended to set up a redis cache to store session information.

Configuration

A configuration file is generated by default. Be sure to edit its contents, otherwise Authelia will not start. The official project provides the following two examples:

If you only want to try it out, the second one, which has no external dependencies, is recommended.

---
###############################################################
#                   Authelia configuration                    #
###############################################################

host: 0.0.0.0
port: 9091
log_level: debug
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: a_very_important_secret
default_redirection_url: https://public.example.com
totp:
  issuer: authelia.com

# duo_api:
#  hostname: api-123456789.example.com
#  integration_key: ABCDEF
#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
#  secret_key: 1234567890abcdefghifjkl

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain: public.example.com
      policy: bypass
    - domain: traefik.example.com
      policy: one_factor
    - domain: secure.example.com
      policy: two_factor

session:
  name: authelia_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  secret: unsecure_session_secret
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  domain: example.com  # Should match whatever your root protected domain is

  redis:
    host: redis
    port: 6379
    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
    # password: authelia

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  local:
    path: /config/db.sqlite3

notifier:
  smtp:
    username: test
    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    password: password
    host: mail.example.com
    port: 25
    sender: admin@example.com
...

The jwt_secret must be changed and must never be leaked. Configure the rest as the comments indicate.

User information is stored in /config/users_database.yml. Passwords for it can be generated with the command below.
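As an added example (not the post's own code, and not Authelia's implementation), the following Python models how the access_control section above selects a policy for a request host: rules are tried in order, the first matching rule wins, and default_policy applies when nothing matches. The rule set is constructed from the post's example config; the `*.example.com` wildcard handling and the lint checks are assumptions added here.

```python
# Constructed model of Authelia's access_control evaluation (added example, not
# Authelia code). Real Authelia also matches on subject, resources, networks and
# methods; this only models the domain rules and default_policy shown in the post.

# Rule set copied from the post's example configuration (constructed as a dict).
ACCESS_CONTROL = {
    "default_policy": "deny",
    "rules": [
        {"domain": "public.example.com", "policy": "bypass"},
        {"domain": "traefik.example.com", "policy": "one_factor"},
        {"domain": "secure.example.com", "policy": "two_factor"},
    ],
}

VALID_POLICIES = {"bypass", "one_factor", "two_factor", "deny"}


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' wildcard that covers subdomains only (assumed semantics)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.example.com" -> ".example.com" suffix
    return host == pattern


def policy_for(host: str, access_control=ACCESS_CONTROL) -> str:
    """Return the policy of the first rule whose domain matches; else default_policy."""
    for rule in access_control["rules"]:
        domains = rule["domain"]
        if isinstance(domains, str):
            domains = [domains]
        if any(domain_matches(d, host) for d in domains):
            return rule["policy"]          # first match wins, later rules are ignored
    return access_control["default_policy"]


def lint(access_control) -> list:
    """Flag risky settings: a permissive default, unknown policies, and bypass rules."""
    problems = []
    if access_control["default_policy"] != "deny":
        problems.append("default_policy should be deny")
    for rule in access_control["rules"]:
        if rule["policy"] not in VALID_POLICIES:
            problems.append(f"unknown policy {rule['policy']!r} for {rule['domain']}")
        if rule["policy"] == "bypass":
            problems.append(f"bypass rule for {rule['domain']}: no authentication at all")
    return problems
```

Because evaluation stops at the first match, a broad wildcard rule placed before a more specific one silently shadows it, which is why ordering matters as much as the policies themselves.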

authentication_backend:
  file:
    path: /config/users_database.yml

Generating a password

docker run --rm authelia/authelia:latest authelia hash-password <yourpassword>