Authelia Deployment Guide: Docker Compose and Kubernetes High-Availability Configuration
Overview
Authelia is an open-source authentication and authorization server that adds two-factor authentication (2FA) and single sign-on (SSO) in front of web applications. It works as a companion to a reverse proxy: the proxy asks Authelia whether each request should be allowed, denied or redirected to the login portal, which makes it a central enforcement point in a modern web security architecture.
This article covers high-availability deployment of Authelia with Docker Compose and Kubernetes, so you can build a secure and reliable identity layer.
Core features
Authelia provides the following security features:
| Feature | Description | Benefit |
|---|---|---|
| OpenID Connect 1.0 / OAuth 2.0 | Standard authentication protocols | Broad compatibility, easy integration |
| Multi-factor authentication | TOTP, WebAuthn, mobile push (Duo) | Layered protection beyond the password |
| Password reset | Identity confirmed by e-mail before the reset | Safe password recovery |
| Access control | Rules by domain, user and group, first match wins, default deny | Fine-grained, auditable authorization |
| High availability | Remote database (PostgreSQL/MySQL) and Redis session store | Several replicas share state |
Architecture
Docker Compose deployment
Lite mode (internet-facing)
Lite mode is the layout for a host exposed to the internet: Traefik obtains Let's Encrypt certificates, and Authelia uses the file user backend and SQLite, so there are few external dependencies. It is a single-instance layout; the Kubernetes section below covers running several replicas against a remote database:
# docker-compose.yml (the 'version' key is obsolete with Compose v2 and omitted)
networks:
  net:
    driver: bridge
services:
  authelia:
    image: authelia/authelia:latest   # pin a tested release tag in production
    container_name: authelia
    volumes:
      - ./authelia:/config
    networks:
      net: {}
    labels:
      traefik.enable: 'true'
      traefik.http.routers.authelia.rule: 'Host(`authelia.your-domain.com`)'
      traefik.http.routers.authelia.entrypoints: 'https'
      traefik.http.routers.authelia.tls: 'true'
      traefik.http.routers.authelia.tls.certresolver: 'letsencrypt'
      # ForwardAuth middleware. Attach it to each protected router with
      # traefik.http.routers.<name>.middlewares: 'authelia@docker'; never to the
      # authelia router itself, or the login page redirects to itself in a loop.
      traefik.http.middlewares.authelia.forwardauth.address: 'http://authelia:9091/api/authz/forward-auth'
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: 'true'
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: 'Remote-User,Remote-Groups,Remote-Name,Remote-Email'
    restart: unless-stopped
    environment:
      TZ: Asia/Shanghai
  redis:
    image: redis:alpine   # pin a release tag in production
    container_name: redis
    # No 'ports:' entry: Redis is reachable only on the compose network. If that network is
    # shared with other services, add 'command: redis-server --requirepass <pw>' and set session.redis.password.
    volumes:
      - ./redis:/data
    networks:
      net: {}
    restart: unless-stopped
    environment:
      TZ: Asia/Shanghai
  traefik:
    image: traefik:v3.5.0
    container_name: traefik
    volumes:
      - ./traefik:/etc/traefik
      # Docker socket access is root-equivalent on the host; a socket proxy that exposes
      # only the read-only API calls Traefik needs limits the blast radius of a Traefik compromise.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      net: {}
    ports:
      - '80:80'
      - '443:443'
    command:
      - --api   # the dashboard is only reachable through a router you define; never add --api.insecure
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --entrypoints.http=true
      - --entrypoints.http.address=:80
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entrypoints.http.http.redirections.entrypoint.scheme=https
      - --entrypoints.https=true
      - --entrypoints.https.address=:443
      - --certificatesResolvers.letsencrypt.acme.email=your-email@your-domain.com
      - --certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json   # holds private keys; chmod 600
      - --certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http
Configuration file example
The original listing omitted three keys Authelia refuses to start without (session.cookies, storage.encryption_key and a notifier); they are included here. The literal secrets are placeholders: in production load them from AUTHELIA_*_FILE or AUTHELIA_* environment variables so that they never sit in the configuration file.
# authelia/configuration.yml
theme: 'light'
server:
  address: 'tcp://:9091/'
log:
  level: 'info'
  format: 'text'
identity_validation:
  reset_password:
    jwt_secret: 'your_very_secure_secret_here'   # or AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
authentication_backend:
  file:
    path: '/config/users_database.yml'
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65536      # KiB, i.e. 64 MiB allocated per password verification
        parallelism: 4
session:
  secret: 'another_very_secure_secret'   # or AUTHELIA_SESSION_SECRET_FILE
  # Required: the cookie domain shared by the portal and the protected apps, and the portal URL.
  cookies:
    - domain: 'your-domain.com'
      authelia_url: 'https://authelia.your-domain.com'
  redis:
    host: 'redis'
    port: 6379
storage:
  # Required, at least 20 characters; encrypts TOTP/WebAuthn data at rest. Back it up with the database.
  encryption_key: 'a_third_secret_of_at_least_20_characters'
  local:
    path: '/config/db.sqlite3'
notifier:
  # Required. The filesystem notifier writes password-reset and device-registration links to a file;
  # use the smtp notifier once mail delivery is available.
  filesystem:
    filename: '/config/notification.txt'
access_control:
  default_policy: 'deny'
  rules:
    - domain: 'public.your-domain.com'
      policy: 'bypass'
    - domain: 'secure.your-domain.com'
      policy: 'two_factor'
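The access_control block above is where the authorization decision lives, so it pays to understand how a request is resolved before the proxy ever sees a 200, 401 or 403. The following is an added example written for this article, not Authelia's own code: a simplified model of the documented first-match evaluation over the two rules from the configuration, plus one subject-restricted wildcard rule (the `group:admins` rule, the hostname `other.your-domain.com` and the numeric authentication levels are assumptions for the illustration; subjects are modelled as a flat OR list, whereas Authelia also supports nested AND lists).

```python
"""Simplified model of Authelia's access_control evaluation (added example, not Authelia code).
Rules are tried in order; the first rule whose domain and subject criteria match decides the
policy, and default_policy applies when nothing matches. The status mapping mirrors what the
forward-auth / auth-request endpoints hand back to the proxy: 200 allow, 401 go to the login
portal, 403 refuse."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    domains: Tuple[str, ...]
    policy: str                      # bypass | one_factor | two_factor | deny
    subjects: Tuple[str, ...] = ()   # 'user:<name>' or 'group:<name>', OR-ed (simplification)


@dataclass(frozen=True)
class Request:
    host: str
    user: Optional[str] = None            # None: no session, i.e. anonymous
    groups: FrozenSet[str] = frozenset()
    level: int = 0                        # 0 anonymous, 1 one_factor done, 2 two_factor done


REQUIRED_LEVEL = {"bypass": 0, "one_factor": 1, "two_factor": 2}


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.example.com' for any host with at least one extra label.
    The wildcard does not match the apex 'example.com' itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def subject_matches(subjects: Tuple[str, ...], req: Request) -> bool:
    """A rule without subjects matches everyone. A rule with subjects never matches an
    anonymous request, so default_policy applies until the user has logged in."""
    if not subjects:
        return True
    if req.user is None:
        return False
    for subject in subjects:
        kind, _, name = subject.partition(":")
        if kind == "user" and name == req.user:
            return True
        if kind == "group" and name in req.groups:
            return True
    return False


def effective_policy(rules: Sequence[Rule], default_policy: str, req: Request) -> str:
    for rule in rules:
        if any(domain_matches(d, req.host) for d in rule.domains) and subject_matches(rule.subjects, req):
            return rule.policy
    return default_policy


def authorize(rules: Sequence[Rule], default_policy: str, req: Request) -> int:
    """Status the proxy receives. 'deny' is 403 for a known user but 401 for an anonymous
    one, so that logging in can still surface a subject-restricted rule."""
    policy = effective_policy(rules, default_policy, req)
    if policy == "deny":
        return 403 if req.user else 401
    return 200 if req.level >= REQUIRED_LEVEL[policy] else 401


# The two rules from configuration.yml plus an assumed admins-only wildcard rule.
RULES = (
    Rule(("public.your-domain.com",), "bypass"),
    Rule(("secure.your-domain.com",), "two_factor"),
    Rule(("*.your-domain.com",), "one_factor", subjects=("group:admins",)),
)
DEFAULT_POLICY = "deny"

ADMIN = Request("other.your-domain.com", user="alice", groups=frozenset({"admins"}), level=1)
USER = Request("other.your-domain.com", user="bob", level=1)

if __name__ == "__main__":
    for req in (Request("public.your-domain.com"), Request("secure.your-domain.com"),
                Request("secure.your-domain.com", user="bob", level=1),
                Request("secure.your-domain.com", user="bob", level=2),
                Request("other.your-domain.com"), USER, ADMIN,
                Request("your-domain.com", user="alice", groups=frozenset({"admins"}), level=2)):
        print(f"{req.host:26} user={req.user!s:6} level={req.level} -> {authorize(RULES, DEFAULT_POLICY, req)}")
```

Two outcomes are worth checking against your own rule set: an anonymous request to a host covered only by a subject-restricted rule gets 401 (a login prompt), not 403, because the rule cannot match before authentication; and the wildcard `*.your-domain.com` leaves the apex domain on default_policy, so a request to `your-domain.com` is refused even for an admin.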
Kubernetes high-availability deployment
Helm chart deployment
Authelia publishes an official Helm chart that simplifies Kubernetes deployment. The chart's values schema changes between releases, so check the keys below against `helm show values authelia/authelia` before installing; in particular confirm whether your chart version bundles Redis and PostgreSQL or expects you to run them separately (the redis and postgresql blocks below assume bundled subcharts):
# Add the Helm repository
helm repo add authelia https://charts.authelia.com
helm repo update
# List available chart versions
helm search repo authelia --versions
# Write the values file (quoted heredoc: nothing inside is shell-expanded)
cat > authelia-values.yaml << 'EOF'
authelia:
  config:
    theme: light
    default_2fa_method: totp
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: authelia.your-domain.com
      paths:
        - path: /
          pathType: Prefix
redis:
  enabled: true
  architecture: standalone   # single node; see the Sentinel values further down for HA
postgresql:
  enabled: true
  auth:
    username: authelia
    password: "secure_password"   # replace; prefer a pre-created Secret over a literal in a values file
    database: authelia
EOF
# Deploy Authelia into its own namespace
helm install authelia authelia/authelia -f authelia-values.yaml -n authelia --create-namespace
High-availability configuration example
# authelia-high-availability.yaml
# Three replicas only work with shared state: storage.postgres (or mysql) and session.redis
# configured in the ConfigMap. SQLite and in-memory sessions are single-instance only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authelia
  namespace: authelia
spec:
  replicas: 3
  selector:
    matchLabels:
      app: authelia
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: authelia
    spec:
      # Required. With service links enabled, Kubernetes injects variables such as AUTHELIA_PORT
      # for the 'authelia' Service, and Authelia parses every AUTHELIA_* variable as configuration.
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: authelia
          image: authelia/authelia:latest   # pin a tested release tag in production
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          ports:
            - name: http
              containerPort: 9091
            - name: metrics
              containerPort: 9959   # served only when telemetry.metrics.enabled is true
          env:
            # Secrets come from the Secret, never from the ConfigMap. Authelia reads any
            # configuration key from an AUTHELIA_<KEY> environment variable.
            - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: authelia-secrets
                  key: jwt_secret
            - name: AUTHELIA_SESSION_SECRET
              valueFrom:
                secretKeyRef:
                  name: authelia-secrets
                  key: session_secret
            - name: AUTHELIA_STORAGE_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: authelia-secrets
                  key: storage_encryption_key
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: authelia-config   # holds configuration.yml (and users_database.yml if the file backend is used)
---
apiVersion: v1
kind: Service
metadata:
  name: authelia
  namespace: authelia
  labels:
    app: authelia   # matched by the ServiceMonitor in the monitoring section
spec:
  selector:
    app: authelia
  ports:
    - name: http
      port: 9091
      targetPort: 9091
    - name: metrics
      port: 9959
      targetPort: 9959
  type: ClusterIP
Ingress configuration example
The original listing put the auth-url and auth-signin annotations on the Authelia portal's own Ingress, which sends the login page through Authelia and produces a redirect loop. The portal Ingress carries no auth annotations; the annotations belong on the Ingress of each protected application:
# ingress-nginx. The portal itself is published without auth annotations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authelia-ingress
  namespace: authelia
spec:
  ingressClassName: nginx
  rules:
    - host: authelia.your-domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authelia
                port:
                  number: 9091
---
# A protected application ('secure-app' is a placeholder Service name)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-app
  namespace: authelia
  annotations:
    nginx.ingress.kubernetes.io/auth-method: 'GET'
    # auth_request endpoint (Authelia 4.38+; /api/verify is the legacy equivalent). No rd= here:
    # a 302 from the subrequest is an error for nginx auth_request and turns into a 500.
    nginx.ingress.kubernetes.io/auth-url: 'http://authelia.authelia.svc.cluster.local:9091/api/authz/auth-request'
    # ingress-nginx appends rd=<original URL> to the sign-in URL itself (auth-signin-redirect-param, default rd)
    nginx.ingress.kubernetes.io/auth-signin: 'https://authelia.your-domain.com/?rm=$request_method'
    nginx.ingress.kubernetes.io/auth-response-headers: 'Remote-User,Remote-Groups,Remote-Name,Remote-Email'
spec:
  ingressClassName: nginx
  rules:
    - host: secure.your-domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-app
                port:
                  number: 80
Database configuration best practices
PostgreSQL high-availability configuration
Values for the Bitnami PostgreSQL chart. Point Authelia at the primary service (storage.postgres.address: 'tcp://<release>-postgresql:5432'); Authelia writes to the primary and never uses read replicas, so they add failover capacity, not Authelia throughput:
# postgresql-values.yaml
architecture: replication   # required, otherwise readReplicas is ignored
global:
  postgresql:
    auth:
      username: authelia
      password: "secure_password"   # replace; prefer existingSecret over a literal value
      database: authelia
primary:
  persistence:
    enabled: true
    size: 10Gi
    storageClass: fast-ssd
readReplicas:
  replicaCount: 2
  persistence:
    enabled: true
    size: 10Gi
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 512Mi
      cpu: 500m
Redis Sentinel configuration
Values for the Bitnami Redis chart. In the Sentinel layout the chart runs only the replica StatefulSet (one of the pods is elected master), so sizing goes under replica; Authelia then follows failovers through session.redis.high_availability (see the cache section below):
# redis-values.yaml
architecture: replication
auth:
  enabled: true   # password goes into session.redis.password or AUTHELIA_SESSION_REDIS_PASSWORD
replica:
  replicaCount: 3
  persistence:
    enabled: true
    size: 5Gi
  resources:
    requests:
      memory: 128Mi
      cpu: 100m
    limits:
      memory: 256Mi
      cpu: 250m
sentinel:
  enabled: true
  quorum: 2
  # masterSet defaults to 'mymaster'; that name is the sentinel_name Authelia must use
Monitoring and logging
Prometheus monitoring configuration
Two preconditions: telemetry.metrics.enabled must be true in configuration.yml (the metrics listener defaults to tcp://:9959/metrics), and the authelia Service must carry the label app: authelia and a port named metrics pointing at 9959.
# authelia-monitoring.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: authelia
  namespace: authelia
spec:
  selector:
    matchLabels:
      app: authelia
  endpoints:
    - port: metrics
      interval: 30s
      path: /metrics
Grafana dashboard
The panel fragment below assumes a counter named authelia_authentication_requests_total; confirm the metric names against the /metrics output of the version you run before relying on the query.
{
  "dashboard": {
    "title": "Authelia Metrics",
    "panels": [
      {
        "title": "Authentication Requests",
        "type": "timeseries",
        "targets": [
          {
            "expr": "rate(authelia_authentication_requests_total[5m])",
            "legendFormat": "Total Requests"
          }
        ]
      }
    ]
  }
}
Security best practices
Secret management
# Kubernetes Secret for Authelia's secret values. Shell substitutions such as
# $(echo -n ... | base64) are not evaluated inside a manifest that kubectl applies, so either
# write the values under stringData (the API server base64-encodes them on admission) or,
# better, create the Secret from files generated out of band and keep it out of git:
#   kubectl -n authelia create secret generic authelia-secrets --from-file=./secrets/
apiVersion: v1
kind: Secret
metadata:
  name: authelia-secrets
  namespace: authelia
type: Opaque
stringData:
  jwt_secret: "<random, 64+ characters>"
  session_secret: "<random, 64+ characters>"
  # At least 20 characters. Changing it later requires 'authelia storage encryption change-key'.
  storage_encryption_key: "<random, 64+ characters>"
  redis_password: "<Redis AUTH password>"
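Both the Docker Compose configuration earlier (which had the secrets as literals in configuration.yml) and the Kubernetes Secret above need the same three things: values generated from a CSPRNG, files nobody else on the host can read, and a manifest that does not depend on a shell to base64-encode anything. The script below is an added example written for this article, not Authelia tooling. The environment variable names are Authelia's documented ones (each configuration key can be supplied as AUTHELIA_<KEY>, or read from the file named by AUTHELIA_<KEY>_FILE); the /secrets mount path, the output directory and the Secret name are assumptions.

```python
"""Provision Authelia's secrets out of band (added example, not Authelia tooling).
Generates the secrets Authelia refuses to start without plus the Redis password, writes them
as 0600 files for the AUTHELIA_*_FILE variables used with Docker Compose, and builds the
equivalent Kubernetes Secret with stringData so no manual base64 step is needed."""
import json
import os
import secrets
import stat
import tempfile
from typing import Dict, List, Optional

# Secret key -> Authelia environment variable (documented names; the AUTHELIA_*_FILE form
# loads the value from a file instead).
SECRET_KEYS = {
    "jwt_secret": "AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET",
    "session_secret": "AUTHELIA_SESSION_SECRET",
    "storage_encryption_key": "AUTHELIA_STORAGE_ENCRYPTION_KEY",
    "redis_password": "AUTHELIA_SESSION_REDIS_PASSWORD",
}
MOUNT_DIR = "/secrets"  # assumed bind-mount path inside the authelia container


def generate_secrets(nbytes: int = 64) -> Dict[str, str]:
    """64 bytes from the OS CSPRNG, hex-encoded: 128 characters, well above the
    20-character minimum Authelia enforces for storage.encryption_key."""
    return {key: secrets.token_hex(nbytes) for key in SECRET_KEYS}


def write_secret_files(values: Dict[str, str], directory: Optional[str] = None) -> str:
    """Write each secret to <directory>/<key> with mode 0600 inside a 0700 directory.
    No trailing newline is written, so the file content is exactly the secret."""
    directory = directory or tempfile.mkdtemp(prefix="authelia-secrets-")
    os.chmod(directory, 0o700)
    for key, value in values.items():
        path = os.path.join(directory, key)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(value)
        os.chmod(path, 0o600)  # the O_CREAT mode is subject to umask; enforce it explicitly
    return directory


def check_permissions(directory: str) -> List[str]:
    """Names of secret files readable or writable by group/other; an empty list means OK."""
    bad = []
    for key in SECRET_KEYS:
        mode = stat.S_IMODE(os.stat(os.path.join(directory, key)).st_mode)
        if mode & 0o077:
            bad.append(key)
    return bad


def compose_environment() -> Dict[str, str]:
    """'environment:' entries for the authelia service, pointing at the mounted files."""
    return {f"{env}_FILE": f"{MOUNT_DIR}/{key}" for key, env in SECRET_KEYS.items()}


def kubernetes_secret(values: Dict[str, str], name: str = "authelia-secrets",
                      namespace: str = "authelia") -> dict:
    """Secret manifest using stringData; the API server base64-encodes it on admission."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "Opaque", "stringData": dict(values)}


def deployment_env(secret_name: str = "authelia-secrets") -> List[dict]:
    """'env:' entries for the Deployment: AUTHELIA_<KEY> variables fed from secretKeyRef."""
    return [{"name": env, "valueFrom": {"secretKeyRef": {"name": secret_name, "key": key}}}
            for key, env in SECRET_KEYS.items()]


if __name__ == "__main__":
    values = generate_secrets()
    out_dir = write_secret_files(values)
    print("secret files in", out_dir, "permission problems:", check_permissions(out_dir))
    print(json.dumps(compose_environment(), indent=2))
    print(json.dumps(kubernetes_secret(values), indent=2))  # kubectl apply -f accepts JSON manifests
    print(json.dumps(deployment_env(), indent=2))
```

For Compose, mount the generated directory read-only at /secrets and add the printed *_FILE variables to the authelia service's environment; for Kubernetes, pipe the printed Secret into `kubectl apply -f -` from the machine that generated it and never commit the manifest. The storage_encryption_key and the database must be backed up together: stored TOTP and WebAuthn data is unusable without the key.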
Network policy
An Egress policy must also allow DNS, otherwise the service names redis and postgresql stop resolving and the pod only logs connection errors:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: authelia-network-policy
  namespace: authelia
spec:
  podSelector:
    matchLabels:
      app: authelia
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # label set automatically on every namespace (Kubernetes 1.21+)
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 9091
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The pod labels below assume 'app: redis' / 'app: postgresql' in the same namespace;
    # Bitnami charts label their pods app.kubernetes.io/name=redis and =postgresql instead.
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
        - protocol: TCP
          port: 26379   # Sentinel, when the replication layout is used
    - to:
        - podSelector:
            matchLabels:
              app: postgresql
      ports:
        - protocol: TCP
          port: 5432
    # Add an egress rule for the SMTP notifier or the Duo API if either is configured.
Troubleshooting guide
Common problems and solutions
| Problem | Likely cause | Solution |
|---|---|---|
| Authentication loop | Proxy misconfiguration: wrong auth-url or auth-signin, the portal's own route placed behind the auth middleware, or a session cookie domain that does not cover both portal and application | Check auth-url and auth-signin; remove auth annotations from the Authelia Ingress or router; verify session.cookies domain and authelia_url |
| Redis connection failure | NetworkPolicy blocking egress, missing DNS egress, or a missing password | Check the NetworkPolicy (including port 53 to kube-dns) and session.redis.password |
| Performance problems | argon2 memory: each password verification allocates 64 MiB with memory: 65536, so concurrent logins multiply the footprint | Size the pod memory limit for the expected concurrent logins, or lower the argon2 memory within the documented range |
| Certificate problems | Let's Encrypt HTTP-01 challenge fails | Check DNS resolution, reachability of port 80 from the internet, and acme.json permissions |
Health check configuration
#!/bin/sh
# Health check script (BusyBox wget, as available in the Alpine-based Authelia image)
# -T 5: fail fast instead of hanging the probe while the server is wedged
if wget -q -T 5 -O - http://localhost:9091/api/health | grep -q '"status":"OK"'; then
  exit 0
else
  exit 1
fi
Performance tuning
Resource allocation
# Resource requests and limits
resources:
  requests:
    memory: "512Mi"   # baseline
    cpu: "250m"       # baseline
  limits:
    memory: "1Gi"     # argon2 with memory: 65536 costs 64 MiB per concurrent login; 1Gi covers roughly 15 at once
    cpu: "500m"       # argon2 is CPU-bound too; parallelism: 4 wants several cores per verification
Session store tuning
# Redis session configuration
session:
  expiration: 3600                     # absolute session lifetime in seconds
  inactivity: 300                      # idle timeout in seconds; keep it short on internet-facing portals
  redis:
    host: redis
    port: 6379
    database_index: 0
    maximum_active_connections: 10     # per Authelia replica; size Redis maxclients accordingly
    # With the Sentinel layout above, add the Sentinel nodes so failovers are followed
    # (see the session reference for how host/port are interpreted in Sentinel mode):
    # high_availability:
    #   sentinel_name: mymaster
    #   nodes:
    #     - host: <release>-redis   # placeholder: the Sentinel service name of your Redis release
    #       port: 26379
Summary
Authelia guards modern web applications, and through Docker Compose and Kubernetes it fits projects of different sizes. This article walked from a basic deployment to a high-availability architecture:
- Docker Compose deployment: a quick start for small and medium projects
- Kubernetes high-availability deployment: for production environments with uptime requirements
- Database and session store configuration: durable state shared across replicas
- Monitoring and hardening: the operational safety net
With sound architecture and tuned configuration, Authelia provides enterprise-grade authentication while keeping good performance and reliability.
Tip: test thoroughly before deploying to production and back up critical data regularly; the storage database and storage.encryption_key belong together, since a backup without the key cannot be decrypted. Keep configuration under version control, with secrets excluded, to track changes and recover quickly.
Disclosure: parts of this article were produced with AI assistance (AIGC) and are for reference only.