Basic auth
Authenticate requests against a basic dictionary of usernames and passwords.
About basic auth
Basic authentication sends encoded user credentials in a standard header within the request. Then, Gloo Gateway authenticates the request against a dictionary of usernames and passwords that is stored in an AuthConfig resource. If the credentials in the Authorization request header match the credentials in the AuthConfig resource, the request is authenticated and forwarded to the destination. If not, Gloo Gateway returns a 401 response.
Gloo Gateway requires the password that the user uses to authenticate to be hashed and salted by using the APR1 format. Passwords in this format follow the pattern $apr1$SALT$HASHED_PASSWORD. You can use tools, such as htpasswd, to generate a salt and hashed password.
To set up basic auth, you use the following Gloo Gateway APIs:
- AuthConfig: Set up the basic dictionary of usernames and passwords that you want to allow.
- GlooTrafficPolicy: Instruct the Gateway to use the AuthConfig. This way, the resources that the policy targets, such as a Gateway or HTTPRoute, enforce external auth for the requests they serve.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Step 1: Configure your auth rules
Use an AuthConfig resource to set up basic user credentials that you want to allow requests from.
Generate a salt and hashed password for your user credentials. The following example uses the htpasswd tool for a user named user.

    htpasswd -nbm user password

Example output:

    user:$apr1$TYiryv0/$8BvzLUO9IfGPGGsPnAgSu1

Retrieve the salt and hashed password from the output of the previous step.
- Salt: TYiryv0/
- Hashed password: 8BvzLUO9IfGPGGsPnAgSu1
Create an AuthConfig resource and add your external authentication rules. The following example configures basic authentication for the user user by using the hashed password and salt that you created earlier.

    kubectl apply -f - <<EOF
    apiVersion: extauth.solo.io/v1
    kind: AuthConfig
    metadata:
      name: basic-auth
      namespace: gloo-system
    spec:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                salt: "TYiryv0/"
                hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"
    EOF

Create a GlooTrafficPolicy resource that refers to the AuthConfig that you created. The following policy applies external auth to all routes that the Gateway serves.

    kubectl apply -f - <<EOF
    apiVersion: gloo.solo.io/v1alpha1
    kind: GlooTrafficPolicy
    metadata:
      name: test-extauth-policy
      namespace: gloo-system
    spec:
      targetRefs:
      - name: http
        group: gateway.networking.k8s.io
        kind: Gateway
      glooExtAuth:
        authConfigRef:
          name: basic-auth
          namespace: gloo-system
    EOF
Step 2: Verify that your routes are secured
Send various requests to verify that external auth is enforced for your routes.
Send a request to the httpbin app. Verify that your request is denied and that you get back a 401 HTTP response code.
Example output:
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 401 Unauthorized
    < www-authenticate: Basic realm=""
    < date: Fri, 19 Apr 2024 17:41:01 GMT
    < server: envoy
    < content-length: 0

Encode the expected user credentials in base64 format.

    echo -n "user:password" | base64

Example output:

    dXNlcjpwYXNzd29yZA==

Send another request to the httpbin app. This time, you include the base64-encoded user:password credentials in the Authorization header. Verify that the request succeeds and that you get back a 200 HTTP response code.

Example output:

    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < access-control-allow-credentials: true
    < access-control-allow-origin: *
    < date: Fri, 19 Apr 2024 17:44:06 GMT
    < content-length: 0
    < x-envoy-upstream-service-time: 0
    < server: envoy
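The following Python script is an added example and is not part of the Gloo Gateway documentation or code base. It models, end to end, what this guide configures: it re-implements the APR1 (Apache MD5-crypt) scheme that htpasswd -m produces, splits an htpasswd line into the salt and hashedPassword values that the AuthConfig expects, decodes an Authorization: Basic header the way the gateway must, and returns the 200 or 401 decision with the www-authenticate challenge shown in the example output above. The USERS dictionary is constructed here to mirror the spec.configs[0].basicAuth.apr.users block of the AuthConfig; the function names and the 200/401 tuple shape are this example's own.

```python
# Added example, not Gloo Gateway code: a local model of basic auth against an
# APR1 user dictionary. Only the Python standard library is used.
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

APR1_ID = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant group first (htpasswd order)."""
    out = []
    for _ in range(count):
        out.append(chr(ITOA64[value & 0x3F]))
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return the 22-character HASHED_PASSWORD part of $apr1$SALT$HASHED_PASSWORD."""
    pw = password.encode()
    sp = salt.encode()[:8]  # APR1 uses at most 8 salt characters
    ctx = hashlib.md5(pw + APR1_ID + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:  # mix in as many bytes of md5(pw, salt, pw) as the password is long
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:  # the reference implementation's bit-walk over the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    return (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )


def split_htpasswd_line(line: str) -> Tuple[str, str, str]:
    """Turn 'user:$apr1$SALT$HASH' into (user, salt, hashed_password) for the AuthConfig."""
    user, _, encoded = line.strip().partition(":")
    if not encoded.startswith("$apr1$"):
        raise ValueError("not an APR1 password entry")
    salt, _, hashed = encoded[len("$apr1$"):].partition("$")
    return user, salt, hashed


def verify_password(password: str, salt: str, hashed: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(apr1_hash(password, salt), hashed)


# Constructed to mirror the AuthConfig's basicAuth.apr.users block from this guide.
USERS: Dict[str, Dict[str, str]] = {
    "user": {"salt": "TYiryv0/", "hashedPassword": "8BvzLUO9IfGPGGsPnAgSu1"}
}


def check_basic_auth(authorization: Optional[str], users=USERS) -> Tuple[int, Dict[str, str]]:
    """Model the gateway's decision: (200, {}) for valid credentials, else (401, challenge)."""
    challenge = (401, {"www-authenticate": 'Basic realm=""'})
    if not authorization or not authorization.startswith("Basic "):
        return challenge
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # malformed base64 or non-UTF-8 bytes
        return challenge
    user, sep, password = decoded.partition(":")  # user-id may not contain ':'; password may
    entry = users.get(user)
    if not sep or entry is None:
        return challenge
    if not verify_password(password, entry["salt"], entry["hashedPassword"]):
        return challenge
    return 200, {}


if __name__ == "__main__":
    token = base64.b64encode(b"user:password").decode()
    print(token, check_basic_auth("Basic " + token))
    print(check_basic_auth("Basic " + base64.b64encode(b"user:wrong").decode()))
```

Two points worth noting from the model: the gateway never sees a plaintext password in its configuration, only the salt and the stretched hash, and because basic auth itself only base64-encodes the credentials (no encryption), the Authorization header should only ever travel over TLS.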
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete authconfig basic-auth -n gloo-system
kubectl delete glootrafficpolicy test-extauth-policy -n gloo-system