Enable SkyWalking identity security authentication

Table of contents

1. Nginx deployment

1.1 Update system software package

1.2 Install the EPEL repository

1.3 Install Nginx

2. Modify the Nginx configuration file

2.1. Field Explanation

3. Create a file to store username and password

3.1 Install the htpasswd tool

3.2 Verification

4. Authentication Proxy and Identity Authentication

4. Common errors and solutions

4.1. Check the listening port

4.2. Check configuration file field address

4.3. Check firewall settings

4.4. Checking Nginx logs

4.5. Troubleshoot proxy type

5. Common 502 error reports

5.1. Check SELinux status

5.2. Temporarily disable SELinux

5.3. Permanently changing the SELinux configuration

5.4. Restart the server


SkyWalking has deprecated its own security verification function since version 8.0.0. Prior to this, SkyWalking provided a simple authentication method based on HTTP Basic Auth, which can protect the SkyWalking interface and API through username and password.

To deploy SkyWalking 9.3.0 behind Nginx on CentOS so that browser-side access requires an account and password, follow the steps below:

1. Nginx deployment

1.1 Update system software package

# Before installing any new packages, make sure all existing packages are updated on your system.

sudo yum update

1.2 Install the EPEL repository

# By default, the Nginx package is not included in the CentOS repository. Therefore, we need to install the EPEL (Extra Packages for Enterprise Linux) repository, which contains a large number of extra packages, including Nginx.

sudo yum install epel-release

1.3 Install Nginx

# Once the EPEL repository is enabled, you can use yum to install Nginx.

sudo yum install nginx

2. Modify the Nginx configuration file

Open the configuration file with vim /etc/nginx/nginx.conf and add the following configuration:

server {

    listen       80;

    server_name example.com; # Replace with your own domain name or IP address

    location / {

        proxy_pass http://localhost:18080; # forward the request to the SkyWalking server

        auth_basic "Restricted"; # Enable basic authentication, display prompt information

        auth_basic_user_file /etc/nginx/htpasswd; # Specify the file path to store username and password

    }

}

2.1. Field Explanation

  1. The proxy_pass field forwards all requests to port 18080 on the SkyWalking server.
  2. The auth_basic field enables basic authentication and specifies the prompt information displayed by the browser, and the auth_basic_user_file field specifies the path of the file that stores the user name and password.

3. Create a file to store username and password

3.1 Install the htpasswd tool

# Run the following command to install the httpd-tools package:

yum install httpd-tools

3.2 Verification

# After the installation is complete, you can run the following command to verify whether the htpasswd tool has been successfully installed:

htpasswd -v

# If htpasswd is successfully installed, the version information of htpasswd will be displayed. Otherwise, you may need to restart your system and try the installation again.

# Create the password file

touch /etc/nginx/htpasswd

# Execute the following command:

htpasswd -c /etc/nginx/htpasswd admin

Then enter the password to create a user admin with administrator privileges.

4. Authentication Proxy and Identity Authentication

  1. Check SELinux status

First, check whether SELinux is enabled:

getenforce

If the output is "Enforcing", it means that SELinux is enabled.

  2. Temporarily disable SELinux

To temporarily disable SELinux, run the following command:

setenforce 0

# This command sets SELinux to "permissive" mode (i.e. no mandatory access control is enforced) and allows the NGINX proxy server to connect to the upstream server. Note that this action may reduce system security and should be used with caution.

  3. Permanently change SELinux configuration

If you want to permanently change the SELinux configuration, you must edit the /etc/selinux/config file and change its SELINUX value to "permissive" or "disabled".

If SELINUX is set to "permissive", SELinux is still enabled, but only logs warnings and errors, and does not enforce mandatory access control.

If SELINUX is set to "disabled", SELinux is completely disabled. (The server must be restarted.)

  4. Restart Nginx

systemctl restart nginx

# Enter the domain name or IP address specified in nginx.conf in the browser, for example: http://example.com. You will see a login page; enter the username and password you created earlier to log in.

With the above steps, you can use Nginx to deploy SkyWalking 9.3.0 and require an account and password for identity authentication when accessing it from the browser.

4. Common errors and solutions

If the browser reports an error after you log in with the account configured in Nginx for SkyWalking, it may be because Nginx cannot forward the request to the port on the SkyWalking server.

In order to fix this, you need to check the following:

4.1. Check the listening port

Check that the SkyWalking server has been started correctly and is listening on the correct port. It can be checked with the following command:

netstat -tlnp | grep "8080" # Check whether a process is listening; the pattern 8080 also matches 18080, the port used in proxy_pass above

4.2. Check configuration file field address

Check whether the proxy_pass field in the Nginx configuration file correctly specifies the address and port of the SkyWalking server. You can try to directly access the IP address and port of the SkyWalking server to confirm whether it can be accessed normally.
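The password prompt only protects SkyWalking if the UI port cannot be reached without going through Nginx. The following added example (not part of the original post) reads netstat -tln output and reports whether a port is bound to loopback only or to an address other hosts can reach; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `netstat -tln` output whether a port is reachable
# only via the local Nginx proxy or directly from other hosts.
# listen_scope and sample_netstat are hypothetical helper names.

# Constructed sample of `netstat -tlnp` output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/nginx: master
tcp6       0      0 :::18080                :::*                    LISTEN      2317/java
tcp6       0      0 :::12800                :::*                    LISTEN      2290/java
EOF
}

# Usage: netstat -tln | listen_scope 18080
# Prints: none | loopback | exposed
listen_scope() {
    awk -v port="$1" '
        $6 != "LISTEN" { next }            # skip headers and non-listening rows
        {
            addr = $4                        # Local Address column
            n = split(addr, parts, ":")
            if (parts[n] != port) next       # exact port match, unlike grep "8080"
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") loopback = 1
            else exposed = 1                 # 0.0.0.0, :: or a routable address
        }
        END {
            if (exposed) print "exposed"
            else if (loopback) print "loopback"
            else print "none"
        }'
}

# Demo on the constructed sample: 80 and 18080 are exposed, 8080 is not in use.
for p in 80 18080 8080; do
    printf '%s %s\n' "$p" "$(sample_netstat | listen_scope "$p")"
done
```

If the SkyWalking port is reported as exposed, the firewall from section 4.3 is the only thing keeping clients from skipping the Nginx login, so port 18080 should stay closed there.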

4.3. Check firewall settings

Make sure the firewall allows requests to reach Nginx. For example, if you use firewalld, you can execute the following commands to open the port:

firewall-cmd --zone=public --add-port=80/tcp --permanent # Open the HTTP port

firewall-cmd --reload # Reload firewall rules

4.4. Checking Nginx logs

Check /var/log/nginx/error.log to see if there are other error messages. The logs can be monitored in real time with the following command:

tail -f /var/log/nginx/error.log

4.5. Troubleshoot proxy type

If none of the above steps solve the problem, you can try to modify the proxy type in the Nginx configuration file. For example, if the SkyWalking server uses the HTTPS protocol, you can add the following configuration in location /:

proxy_ssl_server_name on;

proxy_pass https://localhost:8443;

Here, proxy_ssl_server_name means to send the Host header in the original request header to the backend server, and proxy_pass specifies the address and port of the SkyWalking server to forward to.

5. Common 502 error reports

If you encounter a "connect() to [::1]:18080 failed (13: Permission denied) while connecting to upstream" error message when using NGINX to proxy to an upstream server, this is usually due to SELinux restrictions. You can fix this by disabling or configuring SELinux.

5.1. Check SELinux status

First, check that SELinux is enabled:

getenforce

If the output is "Enforcing", it means that SELinux is enabled.

5.2. Temporarily disable SELinux

To temporarily disable SELinux, run the following command:

setenforce 0

This command sets SELinux to "permissive" mode (i.e. does not enforce mandatory access controls) and allows the NGINX proxy server to connect to the upstream server. Note that this action may reduce system security and should be used with caution.

5.3. Permanently changing the SELinux configuration

If you want to permanently change the SELinux configuration, you must edit the /etc/selinux/config file and change its SELINUX value to "permissive" or "disabled".

• If SELINUX is set to "permissive", SELinux is still enabled, but only logs warnings and errors, and does not enforce mandatory access control.

• If SELINUX is set to "disabled", SELinux is completely disabled.

Note that changing this configuration may affect system security and make the system vulnerable, so it should be used with caution.

5.4. Restart the server

After making SELinux configuration changes, the server needs to be restarted for the changes to take effect:

reboot

If you don't want to reboot the server, you can temporarily disable SELinux with the following command:

sudo setenforce 0

This will put SELinux in "permissive" mode temporarily. Note that this action may reduce system security.
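The failures covered in sections 4 and 5 can be told apart by the errno that Nginx writes to error.log. The following added example (not from the original post) counts upstream connect errors per errno in constructed log lines and prints a next step for each cause; the function names are hypothetical, and the httpd_can_network_connect SELinux boolean it suggests is a narrower alternative to setenforce 0 that the original post does not cover.

```shell
#!/bin/sh
# Added example: classify nginx "while connecting to upstream" errors by errno.
# Function names and the log lines below are constructed for illustration.

sample_error_log() {   # constructed excerpt; 192.0.2.10 is a documentation address
    cat <<'EOF'
2023/04/27 10:15:02 [crit] 1234#1234: *1 connect() to [::1]:18080 failed (13: Permission denied) while connecting to upstream, client: 192.0.2.10, server: example.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:18080/", host: "example.com"
2023/04/27 10:15:03 [crit] 1234#1234: *2 connect() to 127.0.0.1:18080 failed (13: Permission denied) while connecting to upstream, client: 192.0.2.10, server: example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:18080/", host: "example.com"
2023/04/27 10:21:40 [error] 1234#1234: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:18080/", host: "example.com"
2023/04/27 10:30:11 [error] 1234#1234: *9 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
EOF
}

# Reads error.log on stdin and prints "<errno> <count> <cause>" per errno.
upstream_errors() {
    awk '
        /while connecting to upstream/ && match($0, /\([0-9]+: [^)]*\)/) {
            errno = substr($0, RSTART + 1, RLENGTH - 2)   # "13: Permission denied"
            sub(/:.*/, "", errno)                          # keep the number only
            count[errno]++
        }
        END {
            cause["13"] = "selinux"     # usually SELinux, see section 5
            cause["111"] = "refused"    # nothing listening at the proxy_pass address
            cause["110"] = "timeout"    # address unreachable or filtered
            for (e in count) print e, count[e], ((e in cause) ? cause[e] : "other")
        }' | sort -n
}

# Prints the check to run for a cause reported by upstream_errors.
next_step() {
    case "$1" in
        selinux) echo "getsebool httpd_can_network_connect; setsebool -P httpd_can_network_connect 1" ;;
        refused) echo "netstat -tlnp | grep 18080 and compare with proxy_pass (4.1, 4.2)" ;;
        timeout) echo "verify the proxy_pass address and the firewall rules (4.2, 4.3)" ;;
        *)       echo "read the full entry in /var/log/nginx/error.log (4.4)" ;;
    esac
}

sample_error_log | upstream_errors | while read -r errno count cause; do
    printf '%s x%s %s -> %s\n' "$errno" "$count" "$cause" "$(next_step "$cause")"
done
```

On a real server, feed the function with /var/log/nginx/error.log instead of the sample. Setting the boolean keeps SELinux in enforcing mode while allowing the Nginx worker to open the upstream connection.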


Origin blog.csdn.net/qq_52497256/article/details/130411850