【一线大厂Java面试题解析+后端开发学习笔记+最新架构讲解视频+实战项目源码讲义】
**开源地址:https://docs.qq.com/doc/DSmxTbFJ1cmN1R2dB **
在新创建的 realm 中创建一个user:
保存成功后,设置初始密码,点击 Credentials,其中Temporary 处点击为 OFF,完成密码重置。
完成后,配置要单点的应用程序。Keycloak管理控制台Clients新建客户端: 用上面Keycloak 实例注册一个应用程序:
3>修改grafana配置:
编辑 /etc/grafana/grafana.ini,修改以下配置:
[server]
root_url = http://localhost:3000/
[auth.generic_oauth]
allow_sign_up = true
api_url = http://localhost:8080/realms/grafana/protocol/openid-connect/userinfo
auth_url = http://localhost:8080/realms/grafana/protocol/openid-connect/auth
client_id = grafana
client_secret = B1dllYApv88FHkkLQDqCwv2aRH5hHwoU
enabled = true
name = grafana
role_attribute_path = role
root_url = http://localhost:3000/
scopes = openid email
token_url = http://localhost:8080/realms/grafana/protocol/openid-connect/token
在 keycloak 中配置好正确的 用户名、密码 后,重新访问 grafana,就可以看到类似如下界面:
4)nginx密码限制访问
#htpasswd是开源的http服务器Apache Http Server的一个命令行工具.可以用来创建和更新基本认证的用户认证密码文件.其中htpasswd必须对密码文件有读写权限,配置了基本身份验证后,会从浏览器弹出简单的登录窗口,但对于面向终端用户的前台来说,确实不够友好,故只适用于部分内部用户使用的页面
#htpasswd总共有4种加密算法,分别是MD5、bcrypt、CRYPT、SHA,在httpd-tools 2.2的版本中,默认使用的是CRYPT加密算法来进行密码加密的,而httpd-tools 2.4的版本中,默认是使用MD5来进行密码加密的,现场默认就是MD5
#安装 htpasswd 工具
yum -y install httpd-tools #或npm install -g htpasswd
#如果报错:“error: unpacking of archive failed on file /usr/bin/xxxx: cpio: open Failed”,请检查/usr/bin目录是否设置特殊权限
chattr -i /usr/bin #再次安装即可
which htpasswd #/usr/bin/htpasswd
#htpasswd用法及参数
htpasswd [-cimB25dpsDv] [-C cost] [-r rounds] passwordfile username
htpasswd -b[cmB25dpsDv] [-C cost] [-r rounds] passwordfile username password
htpasswd -n[imB25dps] [-C cost] [-r rounds] username
htpasswd -nb[mB25dps] [-C cost] [-r rounds] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-b Use the password from the command line rather than prompting for it.
-i Read password from stdin without verification (for script usage).
-m Force MD5 encryption of the password (default).
-2 Force SHA-256 crypt() hash of the password (secure).
-5 Force SHA-512 crypt() hash of the password (secure).
-B Force bcrypt aencryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 31).
-r Set the number of rounds used for the SHA-256, SHA-512 algorithms
(higher is more secure but slower, default: 5000).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA-1 encryption of the password (insecure).
-p Do not encrypt the password (plaintext, insecure).
-D Delete the specified user.
-v Verify password for the specified user.
#创建认证用户 ,会在/etx/nginx/passwd.db文件中生成用户名和加密的密码,格式类似: admin:YlmaHlkJnzhxG
htpasswd -c lip_htpasswd.db admin //输入密码,生成的数据文件建议放入web运行目录,比如nginx配置文件目录下,注意这种交互式输入密码可能会出现配置无效的情况,报错如下:
htpasswd后{"message": "invalid username or password","traceID":""}
#用一下命令重新生成,注意-d采用,因Nginx采用解密,如果不兼容,即使能看到了 Auth 提示,但当输入了正确的密码,也会收到 403或401,500,400等错误。
htpasswd -cbd lip_htpasswd.db admin password #用 crypt()函数加密,但密码不能超狗8位;或
openssl passwd -crypt "password" #-crypt:UNIX标准加密算法,也是默认的算法
#nginx的ngx\_http\_auth\_basic\_module可以帮助我们在 http 资源没有任何保护的情况下,添加基础的认证;修改配置,增加: auth\_basic 和 auth\_basic\_user\_file
vim /usr/local/nginx/conf/nginx.conf
……
server {
listen 80;
server_name local.server.com;
#auth\_basic "Please input password"; #这里是验证时的提示信息
#auth\_basic\_user\_file /usr/local/nginx/conf/third\_htpasswd.db;
location / {
root /data/www; #或如下
auth_basic "Please input password"; #这里是验证时的提示信息
auth_basic_user_file /usr/local/nginx/conf/third_htpasswd.db;
index index.html;
rewrite ^/$ https://new_uri permanent;
}
location /public {
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4M;
proxy_busy_buffers_size 4M;
# websocket处理
proxy_http_version 1.1;
proxy_set_header Upgrade $http\_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote\_addr;
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
#add\_header Access-Control-Allow-Credentials true;
proxy_set_header Authorization "Bearer grafana\_API\_token";
auth_basic "Please input password"; #这里是验证时的提示信息
auth_basic_user_file third_htpasswd.db;
proxy_pass http://grafana_ip:3000;
}
}
#重启nginx服务
nginx -s reload
#grafana配置调整
sed -i "s/;allow\_embedding = false/allow\_embedding = true/g" /etc/grafana/grafana.ini
cat /etc/grafana/grafana.ini | grep allow_embedding
systemctl restart grafana-server
Grafana配置新增服务账户API:
#验证
curl -H "Authorization: Bearer eyJrIjoiRnJjVmNURW1vdnlxQkdOTExqM29DcnJJV3g4TnQ0SEwiLCJuIjoid2Vidmlld2VyIiwiaWQiOjF9" http://grafana_ip:3000/api/dashboards/home
#防火墙
firewall-cmd --permanent --zone=public --remove-port=80/tcp
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address='你的网站ip' port port="80" protocol="tcp" accept'
firewall-cmd --reload
#配置主页,安装插件yesoreyeram-boomtheme-panel
grafana-cli plugins install yesoreyeram-boomtheme-panel #或
grafana-cli --pluginUrl https://github.com/yesoreyeram/yesoreyeram-boomtheme-panel/releases/download/v0.2.1/yesoreyeram-boomtheme-panel-0.2.1.zip plugins install yesoreyeram-boomtheme-panel
cd /usr/share/grafana/public #grafana插件位置
上面能添加外部CSS地址,地址栏输入:https://github.com/gilbN/theme.park/tree/master/CSS/themes/grafana或https://github.com/GilbN/theme.park/tree/master/css/theme-options就会看到多个CSS:
https://gilbn.github.io/theme.park/CSS/themes/grafana/hotline.css
https://gilbn.github.io/theme.park/CSS/themes/grafana/aquamarine.css
https://gilbn.github.io/theme.park/CSS/themes/grafana/organizr-dark.css
https://gilbn.github.io/theme.park/CSS/themes/grafana/organizr-dashboard.css
https://gilbn.github.io/theme.park/CSS/themes/grafana/plex.css
https://gilbn.github.io/theme.park/CSS/themes/grafana/space-gray.css
#优化css加载速度
wget https://gilbn.github.io/theme.park/CSS/themes/grafana/hotline.css
然后重新配置grafana的CSS,修改成本地的地址,比如:/public/css/hotline.css