Vouch-proxy 实现 Zabbix 对接 SSO
Zabbix 自身不支持 SSO 对接,我使用 Nginx 代理 Zabbix,将请求转发至 Vouch-proxy,由 Vouch-proxy 对接 SSO,对接完毕 Vouch-proxy 将返回 Nginx,Nginx 获取到用户信息,使用 HTTP Basic Auth 完成用户认证,访问 Zabbix。
注意
Zabbix 5 已经支持了 SAML 协议
示例环境
Zabbix 192.168.10.227:80
Nginx 192.168.10.227:8080
Vouch-proxy 192.168.10.227:9090
SSO ssohost:80
创建 OIDC 客户端
在单点登录服务端,创建 OIDC 客户端,将得到以下信息
# 客户端ID,创建时自己指定
myzabbix
# 秘钥,从创建的客户端中拷贝
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# 三个 OIDC 协议的 URL 地址,替换域名即可
http://ssohost/auth/realms/master/protocol/openid-connect/auth
http://ssohost/auth/realms/master/protocol/openid-connect/token
http://ssohost/auth/realms/master/protocol/openid-connect/userinfo
在创建客户端时,指定重定地址为 Vouch-proxy 地址
http://192.168.10.227:9090/auth
搭建 Vouch-proxy
并添加配置文件 config.yml,模板来自 config.yml_example_oidc
# domains 中指定 Zabbix 和 SSO 的域名
vouch:
domains:
- 192.168.10.227
- ssohost
allowAllUsers: true
headers:
claims:
- groups
- given_name
- preferred_username
# client_id 客户端ID
# client_secret 客户端秘钥
# auth_url 替换 SSO 域名即可
# token_url 替换 SSO 域名即可
# user_info_url 替换 SSO 域名即可
# callback_url 回调地址,IP 端口替换为 Vouch-proxy 的 IP 端口
oauth:
provider: oidc
client_id: myzabbix
client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
auth_url: http://ssohost/auth/realms/master/protocol/openid-connect/auth
token_url: http://ssohost/auth/realms/master/protocol/openid-connect/token
user_info_url: http://ssohost/auth/realms/master/protocol/openid-connect/userinfo
scopes:
- openid
- email
- profile
callback_url: http://192.168.10.227:9090/auth
搭建 OpenResty(Nginx)
Nginx 需要安装 Lua 和 其它插件,直接使用 OpenResty 它内置了需要的一切
搭建好之后,修改 default.conf
配置文件
http://192.168.10.227:9090
是 Vouch-proxy 地址
http://192.168.10.227/
是 zabbix 的地址
根据实际情况替换这两个地址
server {
listen 80;
server_name localhost;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
auth_request /validate;
location = /validate {
# forward the /validate request to Vouch Proxy
proxy_pass http://192.168.10.227:9090/validate;
# be sure to pass the original host header
proxy_set_header Host $http_host;
# Vouch Proxy only acts on the request headers
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# optionally add X-Vouch-User as returned by Vouch Proxy along with the request
# auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
# these return values are used by the @error401 call
auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}
# if validate returns `401 not authorized` then forward the request to the error401block
error_page 401 = @error401;
location @error401 {
# redirect to Vouch Proxy for login
return 302 http://192.168.10.227:9090/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
# you usually *want* to redirect to Vouch running behind the same Nginx config proteced by https
# but to get started you can just forward the end user to the port that vouch is running on
}
# proxy pass authorized requests to your service
location / {
# forward authorized requests to your service protectedapp.yourdomain.com
# proxy_pass http://192.168.10.227:9091/header/show_headers;
proxy_pass http://192.168.10.227/;
# you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
# auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
# auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
auth_request_set $auth_resp_x_vouch_preferred_username $upstream_http_x_vouch_idp_claims_preferred_username;
# set user header (usually an email)
proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
# 这是登陆用户名
proxy_set_header X-Vouch-Preferred-Username $auth_resp_x_vouch_preferred_username;
# 设置 Zabbix 需要的 HTTP Basic Auth 请求头
# 最终的效果是在访问 Zabbix 的请求头中添加 Authorization = 'Basic QWRtaW46MTIzNDU2Nzg5MDExMQ==';
default_type text/html;
set $encode_username "";
access_by_lua_block {
ngx.var.encode_username = ngx.encode_base64(ngx.var.auth_resp_x_vouch_preferred_username..":1234567890113")
}
proxy_set_header Authorization "Basic $encode_username";
}
}
Zabbix 开启 HTTP Auth
访问
直接访问 Nginx 地址,验证配置结果
http://192.168.10.227:8080/