Having read https://github.com/containous/traefik/issues/751 and https://github.com/containous/traefik/pull/1147 that are mentioning traefik.frontend.auth.basic I'm trying to set basic auth per traefik frontend (not entrypoint).
Neither
[frontends.kibana]
backend = "kibana"
[frontends.kibana.routes.nas]
rule = "Host:kibana.mydomain.io"
[frontends.kibana.auth]
basic = "kibana:$apr1$cHAIJt0o$..."
nor
[frontends.kibana]
backend = "kibana"
auth.basic = "kibana:$apr1$cHAIJt0o$..."
[frontends.kibana.routes.nas]
rule = "Host:kibana.mydomain.io"
is working. How can I specify basic auth on frontend level?
Like that:
[frontends.kibana]
backend = "kibana"
basicAuth = ["kibana:$apr1...", "anabik:$apr1..."]
[frontends.kibana.routes.nas]
rule = "Host:kibana.mydomain.io"
Related
I have splunk and try to enable splunk SSO instead of nornal authentiation. I have configuraitons as follows:
In /opt/splunk/etc/system/local/server.conf
[general]
trustedIP = 192.168.1.208
serverName = Splunk_Core_02
pass4SymmKey = $7$RRvdYDdIlj4P2geQdtHluTRb7OfvZhTFTZGJ7z5JiZAkJ6Q1at6j0Q==
sessionTimeout = 30s
[sslConfig]
sslPassword = $7$m6pB5a0PWFg64VlNZGgunhGElO3qLiAc6NrhfLO+tpX2jR7WC7qm1Q==
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[license]
active_group = Enterprise
[diskUsage]
minFreeSpace = 1024
[lmpool:test_splunk]
quota = MAX
slaves = *
stack_id = enterprise
In /opt/splunk/etc/system/local/web.conf
[settings]
#SSO
SSOMode = permissive
trustedIP = 192.168.1.208,192.168.2.15,127.0.0.1
remoteUser = REMOTE-USER
#tools.proxy.on = False
root_endpoint = /splunk
#SSL
enableSplunkWebSSL = 0
httpport = 8000
mgmtHostPort = 127.0.0.1:8089
appServerPorts = 8065
splunkdConnectionTimeout = 30
enableSplunkWebClientNetloc = False
# SSL certificate files.
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem
...
I see http://192.168.1.208:8000/debug/sso page, I see SSO is not enabled. What's wrong with my configurations?
There are several documentations says in server.conf, the trustedIP is 127.0.0.1. But none of them mention that only 127.0.0.1 is eligible to enable/activate SSO. So do not configure other IP address, instead of 127.0.0.1.
And in server.conf(/opt/splunk/etc/system/local/), you could only configure one trustedIP, and it is 127.0.0.1.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkSSO
Have you restarted splunk after making these changes?
In /opt/splunk/etc/system/local/web.conf,
remoteUser = REMOTE-USER is more likley to be REMOTE_USER
You have to use SAML.. I am using SAML for SSO purpose.. You need to contact IT guy and he will provide you IDP file upload it and share with your Splunk Connection file. You can download it from same window. Go to Users -> Authentication Method > SAML. Once everything is placed Then you have to create groups on AD and same thing you need to do on Splunk under SAML configuration.. Let me know if you need more details..
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/HowSAMLSSOworks
I have a software package from a vendor that uses Jetty to provide web services. When I put Traefik infront of it and access the frontend I get redirected to the backend URL. For example the frontend URL is https://program.example.com/ and the backend (software) URL is http://192.168.1.1:8088/ when I browse to https://program.example.com/ i automatically get redirected to http://192.168.1.1:8088/. Thoughts?
[backends.sample]
[backends.sample.servers.sample]
url = "http://192.168.1.1:8088/"
[frontends.sample]
backend = "sample"
[frontends.sample.routes.sample]
rule = "Host:program.sample.com"
passHostHeader = true
useXForwardedFor = true
[frontends.sample.redirect]
entryPoint = "https"
permanent = true
I figured it out.
I had 'passHostHeader' in the wrong place.
[frontends.sample]
backend = "sample"
passHostHeader = true
[frontends.sample.routes.sample]
rule = "Host:program.sample.com"
useXForwardedFor = true
[frontends.sample.redirect]
entryPoint = "https"
permanent = true
I use this Traefik (v1.7) file code to generate a basic auth:
[frontends]
[frontends.whoami]
backend = "whoami"
[frontends.whoami.routes]
[frontends.whoami.routes.route0]
rule = "Host:whoami.local"
[frontends.whoami.auth]
[frontends.whoami.auth.basic]
usersFile = ".htpasswd"
Is it possible to deactivate the basic auth for the following path with all his sub paths?
http://whoami.local/api
http://whoami.local/api/xxx
If someone could point me in the right direction I would be very grateful. I am trying to use the requests module to interact with Reddit's APIs, but for some reason I am getting HTTP status 403 codes. I am able to successfully log in I believe (since I get HTTP 200), but I cannot perform a successful API request. I am very new to this so please use small words. Thanks.
import requests
import json
from pprint import pprint
# URLs
url_base = r'https://www.reddit.com'
url_login = '/api/login'
url_me = '/api/v1/me'
# Credentials
user = '__kitten_mittens__'
passwd = 'password'
params = {'user': user,
'passwd': passwd,
'api_type': 'json',}
headers = {'user-agent': '/u/__kitten_mittens__ practice api bot'}
# Set up the session/headers
client = requests.session()
client.headers = headers
response = client.post(url_base + url_login, data = params)
j = json.loads(response.content.decode('utf-8'))
mh = j['json']['data']['modhash']
print("The modhash for {USER} is {mh}".format(USER=user, mh=mh))
# THIS CODE GIVES HTTP STATUS CODE 403
response = client.get(url_base + url_me)
me_json = json.loads(r.content.decode('utf-8'))
pprint(me_json)
EDIT: I fixed the missing single quote from the password field. That was not part of the problem.
Whats is the python urllib equivallent of
curl -u username:password status="abcd" http://example.com/update.json
I did this:
handle = urllib2.Request(url)
authheader = "Basic %s" % base64.encodestring('%s:%s' % (username, password))
handle.add_header("Authorization", authheader)
Is there a better / simpler way?
The trick is to create a password manager, and then tell urllib about it. Usually, you won't care about the realm of the authentication, just the host/url part. For example, the following:
password_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
top_level_url = "http://example.com/"
password_mgr.add_password(None, top_level_url, 'user', 'password')
handler = urllib2.HTTPBasicAuthHandler(password_mgr)
opener = urllib2.build_opener(urllib2.HTTPHandler, handler)
request = urllib2.Request(url)
Will set the user name and password to every URL starting with top_level_url. Other options are to specify a host name or more complete URL here.
A good document describing this and more is at http://www.voidspace.org.uk/python/articles/urllib2.shtml#id6.
Yes, have a look at the urllib2.HTTP*AuthHandlers.
Example from the documentation:
import urllib2
# Create an OpenerDirector with support for Basic HTTP Authentication...
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='PDQ Application',
uri='https://mahler:8092/site-updates.py',
user='klem',
passwd='kadidd!ehopper')
opener = urllib2.build_opener(auth_handler)
# ...and install it globally so it can be used with urlopen.
urllib2.install_opener(opener)
urllib2.urlopen('http://www.example.com/login.html')