How to protect the Jaeger UI with the Keycloak security proxy (login)
After logging in to the Keycloak Jaeger (realm) client, the Keycloak server does not navigate to the Jaeger UI path -> localhost:16686.
Request URL: http://localhost:8080/auth/realms/jaeger/protocol/openid-connect/auth?response_type=code&client_id=proxy-jaeger&redirect_uri=http%3A%2F%2Flocalhost%3A8180%2F&state=79c00178-ca7c-4dfd-9c22-5007690486de&login=true&scope=openid
Request Method: GET
Status Code: 302 Found
It seems Keycloak authenticates the user (see the code below)
HTTP/1.1 302 Found
Connection: keep-alive
Cache-Control: no-store, must-revalidate, max-age=0
Set-Cookie: AUTH_SESSION_ID=139b5028-8d19-4ab4-b657-b08ff810a8eb.f3faed1bab38; Version=1; Path=/auth/realms/jaeger/; HttpOnly
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNDEzYjIyMzEtZmVlMi00ZWJiLWI3YjktNzU2YTcxNzNiZTc5In0.eyJjaWQiOiJwcm94eS1qYWVnZXIiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvamFlZ2VyIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJjb2RlX2NoYWxsZW5nZV9tZXRob2QiOiJwbGFpbiIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODE4MC8iLCJzdGF0ZSI6Ijc5YzAwMTc4LWNhN2MtNGRmZC05YzIyLTUwMDc2OTA0ODZkZSIsImNsaWVudF9yZXF1ZXN0X3BhcmFtX2xvZ2luIjoidHJ1ZSJ9fQ.mdWPMhPcEVFVTwoYDpTC_hHspdSOZrek-CLU05Whx74; Version=1; Path=/auth/realms/jaeger/; HttpOnly
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/jaeger/; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNDEzYjIyMzEtZmVlMi00ZWJiLWI3YjktNzU2YTcxNzNiZTc5In0.eyJqdGkiOiI3NGIyMzQxMi03MmRmLTRjNzMtYjlkNS0yNDM4NTQxNjcwZjkiLCJleHAiOjE1MzQyNzU4MzksIm5iZiI6MCwiaWF0IjoxNTM0MjM5ODM5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvamFlZ2VyIiwic3ViIjoiZDJjN2IxODQtODRiZi00MmUyLTg0Y2YtODNkYTg4OThhYjhjIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMTM5YjUwMjgtOGQxOS00YWI0LWI2NTctYjA4ZmY4MTBhOGViIiwicmVzb3VyY2VfYWNjZXNzIjp7fSwic3RhdGVfY2hlY2tlciI6ImhNSkJQRm1UVVNUY1FqVmE3N2lWSk40U1hJcTI4UUwtbEZoWXZyR1NsWGMifQ.hNT-J7z3wV7DRobLgpDdQuNQXKDK0TvpF3deVf5evPo; Version=1; Path=/auth/realms/jaeger/; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=jaeger/d2c7b184-84bf-42e2-84cf-83da8898ab8c/139b5028-8d19-4ab4-b657-b08ff810a8eb; Version=1; Expires=Tue, 14-Aug-2018 19:43:59 GMT; Max-Age=36000; Path=/auth/realms/jaeger/
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/jaeger/; HttpOnly
P3P: CP="This is not a P3P policy!"
Location: http://localhost:8180/?state=79c00178-ca7c-4dfd-9c22-5007690486de&session_state=139b5028-8d19-4ab4-b657-b08ff810a8eb&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..mHMPVn10n8vOWRnxu1SmtQ.vznK3zyDudPN9mXkfIHAUsG0TR_3YWSxif-uaMIMErjIPeqDEPVXbwC5GS30DENYkY6kDtY3aFChZ_4FJ3vquXQ_CiL_QcxEgn13UMYuqyGrnoEiq3l_F4jATUxNZ3XzrBThuWIKvzcpA3TyKCKwHhcvL1dJ2Z5OJscisIyrl426ug7JfK8YuCT90sJVrqBExQs5Mjx3Ws0EsE42rruHhQhi7nyOdu3khEWdMrEedGW2ZHIsEvBcYBrlK-CohJA-.psSj4X4yaqsGxcenlBSyHw
Content-Length: 0
Date: Tue, 14 Aug 2018 09:43:59 GMT
proxy.json
{
  "target-url": "http://localhost:16686",
  "bind-address": "0.0.0.0",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "jaeger",
        "auth-server-url": "http://localhost:8080/auth",
        "public-client": true,
        "resource": "proxy-jaeger",
        "ssl-required": "external",
        "confidential-port": 0
      },
      "constraints": [
        {
          "pattern": "/*",
          "roles-allowed": [
            "application"
          ]
        }
      ]
    }
  ]
}
keycloak.json
{
  "realm": "jaeger",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "proxy-jaeger",
  "public-client": true,
  "confidential-port": 0
}
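Answer
- Check whether the Valid Redirect URIs in Keycloak are correct. Add * if you want to be sure that is not the problem; for security reasons, it should be as exact as possible in production.
- Your proxy.json restricts access to the "application" role. Check whether that role has been added to the role mappings in Keycloak.
Also, do you get an error message? If so, please post it.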
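The two checks from the answer can be scripted against the values in the question. This is an added example, not code from the original post or from Keycloak: the Valid Redirect URIs entries and the sample token are constructed, and the matching rule assumed is exact match, or prefix match when the entry ends in `*`.

```python
import base64, json
from urllib.parse import urlparse, parse_qs

# Authorization request URL copied from the question.
AUTH_REQUEST = (
    "http://localhost:8080/auth/realms/jaeger/protocol/openid-connect/auth"
    "?response_type=code&client_id=proxy-jaeger&redirect_uri=http%3A%2F%2Flocalhost%3A8180%2F"
    "&state=79c00178-ca7c-4dfd-9c22-5007690486de&login=true&scope=openid")

def requested_redirect_uri(auth_url):
    """Return the redirect_uri the proxy asked Keycloak to send the browser to."""
    return parse_qs(urlparse(auth_url).query)["redirect_uri"][0]

def redirect_allowed(uri, valid_uris):
    """Exact match, or prefix match when the configured entry ends in '*'."""
    for entry in valid_uris:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1]):
                return True
        elif uri == entry:
            return True
    return False

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def has_allowed_role(claims, roles_allowed, client_id=None):
    """True if the token holds one of roles_allowed. Realm roles are read by
    default; pass client_id to read that client's roles instead."""
    if client_id:
        held = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    else:
        held = claims.get("realm_access", {}).get("roles", [])
    return bool(set(held) & set(roles_allowed))

def sample_token(claims):
    """Constructed, unsigned sample token for the demo (dummy signature part)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    uri = requested_redirect_uri(AUTH_REQUEST)
    # Constructed client setting: only the Jaeger port is registered.
    print(uri, "allowed:", redirect_allowed(uri, ["http://localhost:16686/*"]))
    token = sample_token({"realm_access": {"roles": ["offline_access"]}})
    print("role ok:", has_allowed_role(jwt_claims(token), ["application"]))
```

The redirect URI to register is the proxy's address taken from the request (`http://localhost:8180/` here), not the Jaeger target behind it.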