【Question title】: How do I configure HTTP basic auth on an Elastic Beanstalk Docker environment?
【Posted】: 2019-01-13 14:19:01
【Question description】:
I'm trying to configure HTTP basic auth on an EB deployment that uses Docker. I followed this post: http://sarahcassady.com/2016/09/18/deploy-aws-eb-app-with-auth-and-ssl/
But this approach only seems to work for regular EB deployments, not for Docker. I get the following error message in the AWS EB console:
[2018-08-06T14:15:35.874Z] ERROR [26161] : Command execution failed: Activity failed. (ElasticBeanstalk::ActivityFatalError)
caused by: nginx: [warn] duplicate MIME type "text/html" in /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf:11
nginx: [emerg] host not found in upstream "my_app" in /etc/nginx/conf.d/dev.conf:5
nginx: configuration file /etc/nginx/nginx.conf test failed
(ElasticBeanstalk::ExternalInvocationError)
【Discussion】:
Tags:
docker
nginx
amazon-elastic-beanstalk
basic-authentication
【Solution 1】:
I got it working with the following .ebextensions/01-http_basic_auth.config file:
files:
  /etc/nginx/.htpasswd:
    mode: "000755"
    owner: root
    group: root
    content: |
      username:$apr1$k5WkOMBL$0FZNIWOLQMsHJAOREjemC/
  /etc/nginx/conf.d/dev.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      server {
        listen 80;
        server_name localhost;
        location / {
          proxy_pass http://docker;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
  /tmp/deployment/nginx_auth.sh:
    mode: "000755"
    content: |
      #!/bin/bash
      # Append the auth_basic directives after the X-Forwarded-For line in dev.conf
      sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n auth_basic "Restricted";\n auth_basic_user_file \/etc\/nginx\/.htpasswd;\n/' /etc/nginx/conf.d/dev.conf
container_commands:
  01nginx_auth:
    command: "/tmp/deployment/nginx_auth.sh"
  02restart_nginx:
    command: "service nginx restart"
Note: the catch is that when deploying with Docker on EB, proxy_pass must be set to http://docker; rather than http://my_app;
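【Solution 2】:
I think AWS EB has updated its configuration, because I tried both nerdinand's solution and the one from this article (updated in February 2019) without success.
I found that the nginx configuration is now created from this template file, which can be extended but leaves no room for adding HTTP basic auth (unless I missed something): /opt/elasticbeanstalk/config/private/nginx/nginx.template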
[...]
include conf.d/*.conf;
map $http_upgrade $connection_upgrade {
    default "upgrade";
}
server {
    listen {{.InstancePort}} default_server;
    gzip on;
    gzip_comp_level 4;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    access_log /var/log/nginx/access.log main;
    location / {
        proxy_pass http://docker;
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Include the Elastic Beanstalk generated locations
    include conf.d/elasticbeanstalk/*.conf;
[...]
So I came up with this hack: add this script in .ebextensions; it updates the template directly and adds these two lines inside server{location{, right after $proxy_add_x_forwarded_for;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
.ebextensions/01-http_basic_auth_mlflow.config
files:
  /etc/nginx/.htpasswd:
    mode: "000755"
    owner: root
    group: root
    content: |
      mlflow:$apr1$f3D.agib$OUM5soeHzMazKYYRRWXQW/
  /tmp/nginx_auth.sh:
    # 000755 rather than 000777: this script runs as root via sudo, so it must not be world-writable
    mode: "000755"
    content: |
      #!/bin/bash
      # Patch the template only once: skip if the auth lines are already present
      match=$(grep Restricted /opt/elasticbeanstalk/config/private/nginx/nginx.template)
      if [ -z "$match" ];
      then
        sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n auth_basic "Restricted";\n auth_basic_user_file \/etc\/nginx\/.htpasswd;/' /opt/elasticbeanstalk/config/private/nginx/nginx.template
      fi
container_commands:
  01nginx_auth:
    command: "sudo /tmp/nginx_auth.sh"
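An added example, not part of either answer: the sed edits above exit 0 even when the anchor line is absent from the file, so a change to the template leaves the environment deployed without authentication. This shell function applies the same edit idempotently and returns non-zero when the anchor is missing; the function name, return codes and demo template are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answers): idempotent, fail-closed template patch.
# Assumed: anchor line and directives are the ones quoted in the answers above.
ANCHOR='proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'

# patch_basic_auth FILE HTPASSWD
# 0 = FILE carries both directives, 2 = anchor missing, 3 = write/verify failed.
patch_basic_auth() {
    file=$1; htpasswd=$2
    # Already patched (e.g. a redeploy on the same instance): nothing to do.
    if grep -qF "auth_basic_user_file $htpasswd;" "$file"; then return 0; fi
    # sed exits 0 when nothing matches, which would ship the app unprotected.
    if ! grep -qF "$ANCHOR" "$file"; then
        echo "anchor not found in $file, refusing to continue" >&2
        return 2
    fi
    tmp=$(mktemp) || return 3
    # Insert both directives after every anchor line, reusing its indentation.
    awk -v anchor="$ANCHOR" -v pw="$htpasswd" '
        { print }
        index($0, anchor) {
            match($0, /^[ \t]*/); pad = substr($0, 1, RLENGTH)
            print pad "auth_basic \"Restricted\";"
            print pad "auth_basic_user_file " pw ";"
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 3; }
    # Verify the result before touching the real file.
    if grep -qF 'auth_basic "Restricted";' "$tmp" &&
       grep -qF "auth_basic_user_file $htpasswd;" "$tmp"; then
        cat "$tmp" > "$file"    # overwrite in place: keeps owner and mode
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"; return 3
}

# Constructed sample template, used only by the demo below.
demo() {
    t=$(mktemp)
    printf 'location / {\n    proxy_pass http://docker;\n    %s\n}\n' "$ANCHOR" > "$t"
    patch_basic_auth "$t" /etc/nginx/.htpasswd && cat "$t"
    rm -f "$t"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Called from a container_commands entry, a non-zero return fails the deployment instead of letting an unprotected configuration go live.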