traefik and basic auth - docker-compose

I use traefik 1.7.14 and I want to use basic auth for my grafana docker-compose service.
I followed e.g. https://medium.com/#xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
but I also looked at other sources.
In my docker-compose.yml I have for grafana:
```yaml
grafana:
  image: grafana/grafana
  labels:
    - "traefik.enable=true"
    - "traefik.backend=grafana"
    - "traefik.port=3000"
    - "traefik.frontend.rule=Host:grafana.my-domain.io"
    - "traefik.frontend.entryPoints=http,https"
    - "traefik.frontend.auth.basic.users=${ADMIN_CREDS}"
```
ADMIN_CREDS is in my .env file. I created the content with `htpasswd -nbm my_user my_password`. I also tried `htpasswd -nbB my_user my_password` for bcrypt instead of md5 encryption.
In .env
ADMIN_CREDS=test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0
You see: I did not escape $ signs in the .env file.
When I inspect my container at runtime I see exactly the same encrypted password as in my .env file!
docker inspect 47aa3dbc3623 | grep test
gives me:
"traefik.frontend.auth.basic.users": "test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0",
I also tried putting the user/password string directly into the docker-compose.yml, this time escaping the $ signs.
The inspect command was successful too.
BUT: When I call my grafana URL I get a basic auth dialog box, and when I type in my user/password combination I always get a
{"message":"Invalid username or password"}
What could be still wrong here? I have currently no idea.

This message actually means that you passed the basic auth of traefik, because the basic auth window would pop up again if you entered invalid credentials.
Grafana on its own uses basic auth, and this one is failing.
DO NOT DO IT IN PRODUCTION: To prove it, you could configure grafana to ask for the same user and password. Then it will accept the forwarded basic auth of traefik and allow access.
However, you should either set up basic auth using traefik OR use the grafana basic auth.
You also might want to check the information on running grafana behind a reverse proxy: https://grafana.com/tutorials/run-grafana-behind-a-proxy/#1
and especially https://grafana.com/docs/grafana/latest/auth/auth-proxy/
Another option besides forwarding the auth headers would be to disable forwarding them:
```yaml
labels:
  ...
  - "traefik.http.middlewares.authGrafana.basicauth.removeheader=true"
```
Now you should see the grafana login page.
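As an added illustration (not part of the question or the answer above), the proxy/backend interaction the answer describes, reduced to plain Python. It verifies a `user:$apr1$salt$hash` line of the kind `htpasswd -m` writes (the scheme is reimplemented here with hashlib, so you can check locally that the hash in `.env` still matches the password after compose substitution), then shows what Grafana sees when the proxy forwards the `Authorization` header versus strips it. The password, the entry and the Grafana user are constructed; the salt is the one from the question. The label in the answer is Traefik v2 syntax; on Traefik 1.7 the equivalent label is `traefik.frontend.auth.basic.removeHeader=true`.

```python
import base64
import hashlib
import hmac
import json

# Alphabet used by md5crypt/apr1 for its own base-64 variant (not RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, six bits at a time, least significant bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: bytes, salt: str) -> str:
    """Apache's $apr1$ scheme (md5crypt with a different magic), as written by `htpasswd -m`."""
    magic, s = b"$apr1$", salt.encode()
    ctx = hashlib.md5(password + magic + s)
    alt = hashlib.md5(password + s + password).digest()
    plen = len(password)
    while plen > 0:  # mix in `alt` once per 16 bytes of password length
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:  # for each bit of the length: a NUL byte or the first password byte
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    f = final  # digest bytes are interleaved in this fixed order before encoding
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def verify_htpasswd(entry: str, username: str, password: str) -> bool:
    """Check one 'user:$apr1$salt$hash' line (what ADMIN_CREDS holds) against a credential pair."""
    user, _, stored = entry.partition(":")
    parts = stored.split("$")
    if user != username or len(parts) != 4 or parts[1] != "apr1":
        return False  # wrong user, or not an apr1 entry (a bcrypt line needs another verifier)
    return hmac.compare_digest(apr1_hash(password.encode(), parts[2]), stored)


def basic_header(username: str, password: str) -> dict:
    """The header a browser sends after the basic-auth dialog."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def grafana_handle(headers: dict, grafana_users: dict) -> tuple:
    """Simplified Grafana: any Authorization header is taken as Grafana's OWN basic auth."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 200, "login page"
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    if grafana_users.get(user) == pw:
        return 200, "dashboard"
    return 401, json.dumps({"message": "Invalid username or password"})


def traefik_handle(headers: dict, htpasswd: list, grafana_users: dict, remove_header: bool = False) -> tuple:
    """Simplified proxy basic auth: challenge until the header verifies, then forward to Grafana,
    passing the Authorization header through unless remove_header is set."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, "proxy challenge: WWW-Authenticate: Basic"
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    if not any(verify_htpasswd(entry, user, pw) for entry in htpasswd):
        return 401, "proxy challenge: WWW-Authenticate: Basic"
    forwarded = dict(headers)
    if remove_header:
        forwarded.pop("Authorization")
    return grafana_handle(forwarded, grafana_users)


# Constructed sample: the salt from the question, a made-up password, a made-up Grafana admin.
SAMPLE_ENTRY = "test:" + apr1_hash(b"correct-horse", "f0uSe/rs")
GRAFANA_USERS = {"admin": "admin"}  # deliberately not the proxy's credentials

if __name__ == "__main__":
    creds = basic_header("test", "correct-horse")
    print(traefik_handle(creds, [SAMPLE_ENTRY], GRAFANA_USERS))                     # Grafana rejects
    print(traefik_handle(creds, [SAMPLE_ENTRY], GRAFANA_USERS, remove_header=True))  # login page
```

With the header forwarded, the proxy accepts the credentials and Grafana then evaluates the same header against its own users and answers with the `{"message":"Invalid username or password"}` body from the question; with the header removed, Grafana sees an anonymous request and serves its login page. Running `verify_htpasswd` against the exact line `docker inspect` shows is a quick way to rule out a `$`-interpolation problem before looking anywhere else.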

Related

Using Keycloak with Postgres socket

I am trying to containerize my keycloak application, and I am trying to make it so that the keycloak instance connects to the postgres socket instead of its hostname. But the keycloak instance crashes almost instantly.
Is it not possible to make keycloak connect to the postgres socket? Or am I using the wrong connection params?
POSTGRES_ENV:
```
POSTGRES_DB=keycloak
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
```
KEYCLOAK_ENV:
```
DB_VENDOR=POSTGRES
DB_ADDR=/var/run/postgresql/.s.PGSQL.5432
DB_DATABASE=keycloak
DB_USER=postgres
DB_SCHEMA=public
DB_PASSWORD=postgres # change this in prod
```
I have tried changing my docker mount from bind into volumes. Tried changing the file permissions, and even tried different keycloak versions. It is always the same class of error.

Quarkus Keycloak authenticating users with x509 certificates

I have been trying to figure how to get client authentication working using x509 certificates in the Quarkus version of Keycloak. #dasniko has a helpful video of doing it with the legacy version of Keycloak. I tried to follow what he and the Keycloak server admin guide suggests.
The expected behavior, based on #dasniko's video, is that a certificate selection window should open up upon visiting the login URL. However, only the login screen is displayed.
I have created a simple example to demonstrate what I'm attempting. There is a script to generate the certificates and import them into a jks. The script then copies the jks files to a directory. The compose.yml file mounts the cert directory when starting Keycloak up and points Keycloak to them as a keystore and truststore. There is also a realm export to configure things.
Has anyone been able to figure this out? I haven't seen anything helpful on Keycloak's github forums or discourse.
My yaml file looks like the following:
```yaml
services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command: [ "start-dev" ]
    environment:
      JAVA_OPTS_APPEND: "-Dcom.redhat.fips=false"
      KC_HOSTNAME_STRICT: "false"
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_LOG_LEVEL: info,org.infinispan:error,org.hibernate:warn
      KC_HTTPS_KEY_STORE_FILE: /genCerts/server-keystore.jks
      KC_HTTPS_KEY_STORE_PASSWORD: changeit
      KC_HTTPS_TRUST_STORE_FILE: /genCerts/truststore.jks
      KC_HTTPS_TRUST_STORE_PASSWORD: changeit
      HTTPS_CLIENT_AUTH: require
    ports:
      - 8080:8080
      - 8443:8443
    volumes:
      - ./genCerts:/genCerts
```

Keycloak18 index page "Resource not found"

I would really appreciate some help with the current issue I am experiencing.
Context:
I have been upgrading my instance of keycloak from 16.x to 18.x.
After many hours of research, I have been defeated by this one issue.
Issue:
When I go to the site URL, for this example https://thing.com/, I am greeted with the following "Resource not found" instead of the keycloak welcome page.
In my chrome network monitoring it will show the following:
Error with network monitor
Infra:
Keycloak lives on its machine. The URL reaches keycloak through a Caddy Service as a reverse proxy.
Relevant scripts:
Docker-compose
```yaml
version: "3.1"
services:
  keycloak:
    image: quay.io/keycloak/keycloak:18.0.2
    environment:
      JAVA_OPTS: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0 -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=\"org.jboss.byteman\" -Djava.awt.headless=true"
      KC_HOSTNAME_PORT: 8080
      KC_HOSTNAME: ${KC_HOME}
      KC_PROXY: edge
      KC_DB_URL: 'jdbc:postgresql://${KEYCLOAK_DB_ADDR}/${KEYCLOAK_DB_DATABASE}?sslmode=require'
      KC_DB: postgres
      KC_DB_USERNAME: ${KEYCLOAK_DB_USER}
      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
      KC_HTTP_RELATIVE_PATH: /auth
      KC_HOSTNAME_STRICT_HTTPS: 'false'
    command: start --auto-build
    ports:
      - 8080:8080
      - 8443:8443
    volumes:
      - backup:/var/backup
    healthcheck:
      test: curl -I http://127.0.0.1:8080/
volumes:
  backup:
```
NOTE: If I remove `KC_HTTP_RELATIVE_PATH: /auth` it behaves as intended. However, I would prefer not to remove this aspect of the service, as a lot of the services using keycloak are tied to that relative path.
I can replicate this with a local docker image built using the same environment variables.
Does anyone perhaps know some secret ninja moves I could do to get it to direct to the welcome page?
Automatic redirect from / to KC_HTTP_RELATIVE_PATH is not supported in Keycloak 18 (see https://github.com/keycloak/keycloak/discussions/10274).
You have to add the redirect in the reverse proxy; in Caddy there is redir.
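As an added example (not from the question or the answer), a Caddyfile for the setup the answer describes, assuming Caddy v2 and that Keycloak is reachable from Caddy as `keycloak:8080` (an assumption; substitute your upstream). The host name is the placeholder from the question.

```caddyfile
thing.com {
    # Keycloak 18 no longer redirects / to KC_HTTP_RELATIVE_PATH, so the proxy does it.
    # The "/" matcher only matches the bare root path, so /auth/... is untouched.
    redir / /auth/ permanent

    # Everything else goes to Keycloak. KC_PROXY=edge makes Keycloak trust the
    # X-Forwarded-* headers that Caddy's reverse_proxy sets on the upstream request.
    reverse_proxy keycloak:8080
}
```

Keep the redirect in the proxy only; with `KC_PROXY: edge` Keycloak derives its public URL from the forwarded headers, so the proxy, not Keycloak, is the right place to own the root path.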

kibana-Unable to retrieve version information from Elasticsearch nodes.missing authentication credentials for REST request

I'm trying to install Kibana 8.1.1 on Windows 10. The thing is, when it starts the installation it stops on an error like this:
```
[2022-04-16T01:16:59.744+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]
```
I tried so many solutions. I changed the elasticsearch.yml file:
```yaml
xpack.security.enabled: false
```
but it still doesn't work, and I did it in kibana.yml too, still the same.
I also added the following lines:
```yaml
xpack.security.enabled: true
xpack.monitoring.enabled: true
xpack.monitoring.ui.enabled: true
xpack.security.encryptionKey: "XXX"
```
Still nothing.
I also removed the # in kibana.yml before the
```yaml
elasticsearch.hosts: ["http://localhost:9200"]
```
and still nothing.
Here is
kibana.yml:
```yaml
server.port: 5601
server.host: "localhost"
server.name: "your-hostname"
elasticsearch.hosts: ["http://localhost:9200"]
```
elasticsearch.yml:
```yaml
cluster.name: my-application
network.host: 192.168.0.1
node.name: node-1
discovery.seed_hosts: ["host1", "host2"]
cluster.initial_master_nodes: ["node-1", "node-2"]
```
I'm so sorry about my English, it's not my first language, and for not knowing what to do; it's for a study project and I'm still a beginner.
Google is not helping either.
Thank you for helping me.
More detailed steps are as below.
Step 1 is required only when you have made some changes to both yml files.
Comment out everything in the Elasticsearch and Kibana yml files and save.
Start Elasticsearch.
Open another command prompt from the directory elasticsearch-8.0.0\bin and run the command below.
Note: We are resetting the password for user "kibana_system", not "elastic".
```
.\elasticsearch-reset-password.bat -u kibana_system --auto
```
This command will give you the password for user "kibana_system". Copy and store the password somewhere.
Edit the kibana yml file in the kibana-8.0.0\bin directory by setting the values below.
```yaml
elasticsearch.username: "kibana_system"
elasticsearch.password: "the kibana_system password generated above, not the elastic password"
```
Then save the yml file.
Start Kibana and wait till you see everything is fine and there is no error.
Open http://localhost:5601/app/home#/ in the browser.
Enter the username as "elastic".
Enter the password as "the elastic password, not the kibana password".
elasticsearch.username: "kibana_system"
elasticsearch.password: <my-kibana_system-password>
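As an added check (not part of the answer above, and not Kibana's own code), a small Python script that reads a flat kibana.yml and reports the settings the steps above fix. The two sample files are constructed here: the first is the question's kibana.yml with no credentials, which is exactly the case that produces the "missing authentication credentials for REST request" log line; the second is the same file after the steps, with a made-up kibana_system password. The parser handles only the flat `key: value` form kibana.yml ships in.

```python
import base64

# Constructed sample: the kibana.yml from the question, with no credentials at all.
KIBANA_YML_BROKEN = """\
server.port: 5601
server.host: "localhost"
server.name: "your-hostname"
elasticsearch.hosts: ["http://localhost:9200"]
"""

# Constructed sample: after the answer's steps (the password value is made up).
KIBANA_YML_FIXED = """\
server.port: 5601
server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "Abc123"
"""

# Constructed sample: credentials present, but for the superuser rather than kibana_system.
KIBANA_YML_ELASTIC_USER = """\
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "Abc123"
"""


def parse_simple_yaml(text: str) -> dict:
    """Minimal reader for flat 'key: value' files such as the default kibana.yml.
    Blank lines and '#' comments are skipped, so a commented-out key is simply absent.
    Surrounding quotes on scalar values are removed; nested YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # first ':' splits key from value
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def check_kibana_auth(text: str) -> list:
    """Return the configuration problems behind the error in the question."""
    cfg = parse_simple_yaml(text)
    problems = []
    user = cfg.get("elasticsearch.username")
    password = cfg.get("elasticsearch.password")
    token = cfg.get("elasticsearch.serviceAccountToken")
    if not token and not (user and password):
        problems.append("no elasticsearch.username/password (or serviceAccountToken): "
                        "Kibana calls Elasticsearch unauthenticated and /_nodes is refused")
    if user == "elastic":
        problems.append("elasticsearch.username is the 'elastic' superuser; "
                        "the steps use the kibana_system account here")
    if "elasticsearch.hosts" not in cfg:
        problems.append("elasticsearch.hosts is missing or still commented out")
    return problems


def kibana_auth_header(text: str):
    """The Authorization header Kibana would send with this config, or None if it has none."""
    cfg = parse_simple_yaml(text)
    user, password = cfg.get("elasticsearch.username"), cfg.get("elasticsearch.password")
    if not (user and password):
        return None
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    for name, sample in [("broken", KIBANA_YML_BROKEN), ("fixed", KIBANA_YML_FIXED),
                         ("elastic-user", KIBANA_YML_ELASTIC_USER)]:
        print(name, check_kibana_auth(sample) or "ok", kibana_auth_header(sample))
```

The credential in kibana.yml is what Kibana itself presents to Elasticsearch; the `elastic` password is only typed into the browser login page, which is why the steps keep the two apart.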

Setting up realms in Keycloak during kubernetes helm install

I'm trying to get keycloak set up as a helm chart requirement to run some integration tests. I can bring it up and run it, but I can't figure out how to set up the realm and client I need. I've switched over to the 1.0.0 stable release that came out today:
https://github.com/kubernetes/charts/tree/master/stable/keycloak
I wanted to use the keycloak.preStartScript defined in the chart and use the /opt/jboss/keycloak/bin/kcadm.sh admin script to do this, but apparently by "pre start" they mean before the server is brought up, so kcadm.sh can't authenticate. If I leave out the keycloak.preStartScript I can shell into the keycloak container and run the kcadm.sh scripts I want to use after it's up and running, but they fail as part of the pre start script.
Here's my requirements.yaml for my chart:
```yaml
dependencies:
  - name: keycloak
    repository: https://kubernetes-charts.storage.googleapis.com/
    version: 1.0.0
```
Here's my values.yaml file for my chart:
```yaml
keycloak:
  keycloak:
    persistence:
      dbVendor: H2
      deployPostgres: false
    username: 'admin'
    password: 'test'
    preStartScript: |
      /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password 'test'
      /opt/jboss/keycloak/bin/kcadm.sh create realms -s realm=foo -s enabled=true -o
      CID=$(/opt/jboss/keycloak/bin/kcadm.sh create clients -r foo -s clientId=foo -s 'redirectUris=["http://localhost:8080/*"]' -i)
      /opt/jboss/keycloak/bin/kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json
  persistence:
    dbVendor: H2
    deployPostgres: false
```
Also, a side annoyance is that I need to define the persistence settings in both places, or it either fails or brings up postgresql in addition to keycloak.
I tried this too and also hit this problem, so I have raised an issue. I prefer to use -Dimport with a realm .json file, but your points suggest a postStartScript option would make sense, so I've included both in the PR on that issue.
The Keycloak chart has been updated. Have a look at these PRs:
https://github.com/kubernetes/charts/pull/5887
https://github.com/kubernetes/charts/pull/5950