Vouch-proxy 實現 Zabbix4.4 對接 SSO


Vouch-proxy 實現 Zabbix 對接 SSO

Zabbix 自身不支持 SSO 對接。我使用 Nginx 代理 Zabbix,將請求轉發至 Vouch-proxy,由 Vouch-proxy 對接 SSO;認證完成後 Vouch-proxy 將用戶信息返回 Nginx,Nginx 據此構造 HTTP Basic Auth 請求頭完成用戶認證,再訪問 Zabbix。

注意

Zabbix 5 已經支持了 SAML 協議

示例環境

Zabbix            192.168.10.227:80
Nginx             192.168.10.227:8080
Vouch-proxy       192.168.10.227:9090
SSO               ssohost:80

創建 OIDC 客戶端

在單點登錄服務端,創建 OIDC 客戶端,將得到以下信息

# 客戶端ID,創建時自己指定
myzabbix
# 秘鑰,從創建的客戶端中拷貝
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# 三個 OIDC 協議的 URL 地址,替換域名即可
http://ssohost/auth/realms/master/protocol/openid-connect/auth
http://ssohost/auth/realms/master/protocol/openid-connect/token
http://ssohost/auth/realms/master/protocol/openid-connect/userinfo

在創建客戶端時,指定重定向地址為 Vouch-proxy 地址

http://192.168.10.227:9090/auth

搭建 Vouch-proxy

搭建好 Vouch-proxy 後,添加配置文件 config.yml,模板來自 config.yml_example_oidc

# Vouch Proxy config.yml (from config.yml_example_oidc).
# domains: the Zabbix host and the SSO host (cookie domain / allowed redirect targets)
vouch:
  domains:
  - 192.168.10.227
  - ssohost

  # any user the IdP authenticates is accepted here; there is no per-user allow list
  # in Vouch, so which usernames may actually log in is decided by Zabbix alone
  allowAllUsers: true

  # claims copied from the IdP userinfo into X-Vouch-IdP-Claims-* response headers;
  # preferred_username is the one the Nginx config below turns into the Zabbix login
  headers:
    claims:
      - groups
      - given_name
      - preferred_username

# client_id       client ID chosen when the OIDC client was created
# client_secret   client secret copied from the IdP (placeholder here; keep the real value out of version control)
# auth_url        replace the SSO hostname only
# token_url       replace the SSO hostname only
# user_info_url   replace the SSO hostname only
# callback_url    redirect URI registered at the IdP; IP and port are those of Vouch Proxy
# NOTE(review): all endpoints are plain http in this lab setup; the token and userinfo
# exchanges carry the client secret and tokens, so use https anywhere beyond a test bench.
oauth:
  provider: oidc
  client_id: myzabbix
  client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  auth_url: http://ssohost/auth/realms/master/protocol/openid-connect/auth
  token_url: http://ssohost/auth/realms/master/protocol/openid-connect/token
  user_info_url: http://ssohost/auth/realms/master/protocol/openid-connect/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: http://192.168.10.227:9090/auth

搭建 OpenResty(Nginx)

Nginx 需要安裝 Lua 和其它插件,直接使用 OpenResty 即可,它內置了所需的一切

搭建好之後,修改 default.conf 配置文件

http://192.168.10.227:9090 是 Vouch-proxy 地址

http://192.168.10.227/ 是 zabbix 的地址

根據實際情況替換這兩個地址

# OpenResty front door for Zabbix: every request is first checked by Vouch Proxy
# via auth_request; authorized requests are forwarded to Zabbix with an
# Authorization header that Zabbix's HTTP-authentication mode consumes.
server {
    # NOTE(review): the example environment lists Nginx on :8080 while this listens
    # on 80 — presumably a container/port mapping; confirm before copying.
    listen       80;
    server_name  localhost;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # every request triggers a sub-request to /validate; a 401 from it lands in @error401
    auth_request /validate;

    location = /validate {
      # forward the /validate request to Vouch Proxy (replace address per environment)
      proxy_pass http://192.168.10.227:9090/validate;

      # be sure to pass the original host header
      proxy_set_header Host $http_host;

      # Vouch Proxy only acts on the request headers
      proxy_pass_request_body off;
      proxy_set_header Content-Length "";

      # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
      # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;

      # these return values are used by the @error401 call
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }

    # if validate returns `401 not authorized` then forward the request to the error401block
    error_page 401 = @error401;

    location @error401 {
        # redirect to Vouch Proxy for login
        # NOTE(review): the redirect target is plain http and the query string carries the
        # JWT (X-Vouch-Token); on this hop it travels in the clear — fine for a lab, not beyond.
        return 302 http://192.168.10.227:9090/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
        # you usually *want* to redirect to Vouch running behind the same Nginx config protected by https
        # but to get started you can just forward the end user to the port that vouch is running on
    }

    # proxy pass authorized requests to your service
    location / {
      # forward authorized requests to your service protectedapp.yourdomain.com
      # proxy_pass http://192.168.10.227:9091/header/show_headers;
      # Zabbix backend (replace per environment)
      proxy_pass http://192.168.10.227/;
      # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
      # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
      # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;

      # capture the Vouch Proxy response headers from the /validate sub-request for use here
      auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
      auth_request_set $auth_resp_x_vouch_preferred_username $upstream_http_x_vouch_idp_claims_preferred_username;

      # set user header (usually an email)
      proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
      # this is the login username (the preferred_username claim)
      proxy_set_header X-Vouch-Preferred-Username $auth_resp_x_vouch_preferred_username;

      # Build the HTTP Basic Auth header Zabbix expects.
      # Net effect: the request to Zabbix carries Authorization = 'Basic QWRtaW46MTIzNDU2Nzg5MDExMQ==' (example value).
      
      # The username is the SSO claim; the password part is one fixed constant shared by
      # every user. With HTTP authentication enabled, Zabbix takes the login name from this
      # header and relies on the web server to have authenticated the user, so the constant
      # is not a real credential — the SSO check above is what authenticates.
      # NOTE(review): that only holds if this proxy is the sole way to reach Zabbix. The
      # backend (192.168.10.227:80 in the example) must not accept connections from
      # anywhere but this Nginx, otherwise the auth_request step is bypassed.
      # NOTE(review): nothing checks that the claim is non-empty before encoding — confirm
      # how Zabbix treats an empty username in this header.
      default_type text/html;
      set $encode_username "";
      access_by_lua_block {
          ngx.var.encode_username = ngx.encode_base64(ngx.var.auth_resp_x_vouch_preferred_username..":1234567890113")
      }
      proxy_set_header Authorization "Basic $encode_username";

    }
}

Zabbix 開啟 HTTP Auth:在 Zabbix 管理端的認證設置(Administration → Authentication → HTTP settings)中啟用 HTTP authentication。啟用後 Zabbix 以 Web 服務器傳入的用戶名作為登錄用戶,因此 SSO 中的 preferred_username 需與 Zabbix 中已存在的用戶名一致。

訪問

直接訪問 Nginx 地址,驗證配置結果

http://192.168.10.227:8080/

