从认证到透传:用 Nginx 为 EasySearch 构建一体化认证网关
在构建本地或云端搜索引擎系统时,EasySearch 凭借其轻量、高性能、易部署等优势,逐渐成为众多开发者和技术爱好者的首选。但在实际部署过程中,如何借助 Nginx 为 EasySearch 提供高效、稳定且安全的访问入口,尤其是在身份认证方面,仍然是一个关键技术环节。
本教程将围绕 Basic Auth 认证机制展开,系统讲解如何通过 Nginx 实现安全防护、认证信息透传等常见配置场景,帮助你在多种实际部署环境中快速搭建可靠的访问控制机制。
无论你是在搭建家庭 NAS 服务,还是在企业环境中集成搜索引擎系统,本教程都能为你提供一套可落地、可复用的 Nginx 安全认证解决方案。。
下面是我的 Nginx 配置文件示例。我们通过 Docker 启动 Nginx 容器,并将本地编写好的配置文件挂载到容器中,从而实现自定义的反向代理和认证逻辑:
docker run -d \--name my-nginx \-p 80:80 \-v $(pwd)/default.conf:/etc/nginx/conf.d/default.conf \nginx
default.conf配置如下:
server {listen 80;server_name localhost;# 根路径可选配置,如果你要一个欢迎页location / {return 200 'Nginx is running.\n';add_header Content-Type text/plain;}# 反向代理 EasySearch location /es/ {proxy_pass https://backend:9200/;# 修正请求头proxy_http_version 1.1;# proxy_pass_request_headers on; ÷proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 如果需要保活连接proxy_set_header Connection "";# 可选:允许跨域访问(用于前端 AJAX 调试)add_header Access-Control-Allow-Origin *;add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';add_header Access-Control-Allow-Headers 'Authorization,Content-Type';# proxy_set_header Authorization "Basic YWRtaW46MTIzNDU2";# 清理路径前缀 `/es/`rewrite ^/es/(.*)$ /$1 break;}# 可选:静态资源支持# location /static/ {# root /usr/share/nginx/html;# }
}
🌐 配置整体结构
server {listen 80;server_name localhost;
- 监听端口:监听本地
80端口(HTTP 默认端口) - 服务名称:用于匹配请求的
Host,这里是localhost
🎉 欢迎页(根路径 /)
location / {return 200 'Nginx is running.\n';add_header Content-Type text/plain;
}
- 请求
/会返回纯文本响应"Nginx is running.",可用于验证 Nginx 是否启动正常。 add_header Content-Type text/plain:指定响应内容为纯文本。
🔁 /es/ 代理 EasySearch 后端服务
🚚 请求头处理
proxy_http_version 1.1;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_set_header Connection "";
proxy_http_version 1.1:确保代理使用 HTTP/1.1,支持长连接。Host:保留原始请求的主机名。X-Real-IP/X-Forwarded-For:传递客户端真实 IP。X-Forwarded-Proto:传递原始协议(http / https)。Connection "":用于避免默认的keep-alive设置引起错误(推荐保留)。
🔐 可选的认证头(注释中)
# proxy_set_header Authorization "Basic YWRtaW46MTIzNDU2";
- 可选开启,用于将认证信息转发到后端。
- 上面的字符串是
admin:123456的 base64 编码。可以根据需要开启。
🌍 CORS 设置(跨域)
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
add_header Access-Control-Allow-Headers 'Authorization,Content-Type';
- 允许任意源访问(前端页面可以跨域请求
/es/)。 - 支持的方法:GET、POST、OPTIONS。
- 允许传递的请求头:Authorization 和 Content-Type。
- ✅ 适用于 AJAX 调试、前后端分离等场景。
🔧 URL 重写
rewrite ^/es/(.*)$ /$1 break;
- 移除
/es/前缀,转发给后端。例如:
用户请求/es/_cat/indices实际转发到/cat/indices。 break表示在当前 location 中中止后续重写检查。
📦 可选静态资源(被注释掉)
# location /static/ {
# root /usr/share/nginx/html;
# }
- 若开启,可以直接通过
/static/xxx.js访问 Nginx 本地/usr/share/nginx/html/static/xxx.js文件。
🔁 如果你想保留 /es/ 前缀,则删除 rewrite 行。
在启动服务后,当我们通过浏览器访问 Nginx 时,页面会弹出身份验证窗口。需要注意的是,这里的认证提示实际上来自后端的 EasySearch 服务,而非 Nginx 本身,说明请求中的认证信息未在 Nginx 层被处理或透传,因此由 EasySearch 发起了再次认证的要求。
在输入正确的用户名和密码后,我们可以看到 Nginx 成功代理请求,并返回了来自 EasySearch 的 API 响应,说明认证流程已顺利通过,后端服务正常可用。
如果希望由 Nginx 代为完成 EasySearch 的身份验证,也就是实现自动登录的效果,可以在配置文件中添加如下指令,将认证信息通过 HTTP 头部传递给后端:
proxy_set_header Authorization "Basic YWRtaW46YWRtaW4=";
其中,YWRtaW46YWRtaW4xMjM= 是使用 Base64 编码后的 用户名:密码 字符串(例如 admin:admin)。Nginx 在转发请求时会自动携带该 Header,从而实现对 EasySearch 的自动认证。
需要注意的是,Nginx 的配置文件修改后不会自动生效。为了确保配置被正确加载,需在每次更改配置文件后重启对应的容器服务。这是容器化部署中常见的操作流程,确保新配置被正确应用。
为了更直观地观察请求行为,我们使用了 Postman 进行测试。可以发现,即使在 Postman 中未显式添加任何认证信息,依然能够成功访问 EasySearch 集群。这说明前端未输入认证信息,但由于 Nginx 曾经缓存了认证状态,或配置了自动透传,导致后端依旧接收到了有效的认证头,从而允许了访问。
这种现象虽然在测试中提升了访问便利性,但在实际部署中可能带来安全风险,因此在生产环境中建议对认证流程进行严格控制,确保后端服务不会因为前端认证机制的疏漏而被绕过。
在一些教程中,常会提到一个名为 .htpasswd 的文件,它用于在 Nginx 层实现基本认证。当启用该机制后,Nginx 会对所有访问进行用户身份验证。
此时,是否将认证信息透传给后端服务,则由 proxy_pass_request_headers 参数决定。该参数默认值为 on,也就是说,当认证通过后,客户端发送的 Authorization 头部信息会被 Nginx 一并转发给后端服务。
为了验证这一行为,我编写了一个简单的 Flask 程序作为后端,用于观察请求中的 Header 内容。在真正将请求代理至 EasySearch 之前,我先让 Nginx 将请求反向代理到这个 Flask 应用,从而可以直观地查看是否存在 Authorization 头被透传的情况。
from flask import Flask, request,abort
import base64
app = Flask(__name__)@app.route('/')
def hello_world():print("📥 Headers received from Nginx:")print("Host:", request.headers.get('Host'))print("X-Real-IP:", request.headers.get('X-Real-IP'))print("X-Forwarded-For:", request.headers.get('X-Forwarded-For'))print("X-Forwarded-Proto:", request.headers.get('X-Forwarded-Proto'))print(request.headers)auth_header = request.headers.get('Authorization')print("Authorization:", auth_header)if not auth_header or not auth_header.startswith('Basic '):abort(401, description="Missing or invalid Authorization header")# 解码 base64encoded = auth_header.split(' ')[1]decoded = base64.b64decode(encoded).decode('utf-8') # e.g. admin:123456username, password = decoded.split(':', 1)print(username, password)return 'Hello World!'if __name__ == '__main__':app.run(host='0.0.0.0', port=8000,debug=True)这个是flask的打印的结果.
Host: secure-nginx.orb.local
X-Real-IP: 192.168.215.1
X-Forwarded-For: 192.168.215.1
X-Forwarded-Proto: http
Host: secure-nginx.orb.local
X-Real-Ip: 192.168.215.1
X-Forwarded-For: 192.168.215.1
X-Forwarded-Proto: http
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8
Cookie: perf_dv6Tr4n=1Authorization: Basic YWRtaW46YWRtaW4=
admin admin
192.168.X.X - - [24/Apr/2025 15:55:59] "GET / HTTP/1.1" 200 -
为了解决双重认证的问题,我们启用了认证信息透传的配置(默认的roxy_pass_request_headers on;)。启用该配置后,用户只需在访问 Nginx 时进行一次手动身份验证。Nginx 会将用户提供的凭证通过 HTTP Header 透传至后端的 EasySearch 服务,从而避免二次认证。当用户直接访问 EasySearch 时,依然需要单独输入凭证进行认证;但通过 Nginx 访问时,只需在前端认证一次即可完成整个请求流程。
curl -k https://easysearch:9200 {"error":{"root_cause":[{"type":"security_exception","reason":"Missing authentication information for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"Security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"Missing authentication information for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"Security\" charset=\"UTF-8\""}},"status":401}⏎
-------curl -v -u "admin:admin" http://nginxhost/es/* Trying 192.168.5.171:9201...
* Connected to 192.168.5.171 (192.168.5.171) port 9201
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: self signed certificate
* Closing connection
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:80...
* Connected to localhost (::1) port 80
* Server auth using Basic with user 'admin'
> GET /es/ HTTP/1.1
> Host: localhost
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx/1.27.4
< Date: Thu, 24 Apr 2025 07:45:10 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 552
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Headers: Authorization,Content-Type
<
{"name" : "easysearch-node1","cluster_name" : "infinilabs","cluster_uuid" : "VcMD__DwSYSUqear8wp-XA","version" : {"distribution" : "easysearch","number" : "1.11.1","distributor" : "INFINI Labs","build_hash" : "4d0be0343919fb1a605e3c8284326b7e069eb9bf","build_date" : "2025-03-14T09:33:12.182925Z","build_snapshot" : false,"lucene_version" : "8.11.4","minimum_wire_lucene_version" : "7.7.0","minimum_lucene_index_compatibility_version" : "7.7.0"},"tagline" : "You Know, For Easy Search!"
}
* Connection #0 to host localhost left intact本次将 Nginx 的访问认证密码修改为 admin123 后,发现在请求过程中出现了两次身份验证的提示。具体表现为:当用户输入错误的密码时,Nginx 会首先返回一次 401 Unauthorized。由于 Nginx 与 EasySearch 使用了不同的认证信息,Nginx 在将请求头(包括 Authorization 字段)转发至 EasySearch 时,EasySearch 检测到凭据不匹配,也会返回一次 401。由此导致了双重身份认证失败的现象,影响了正常访问流程。
curl -v -u "admin:admin" http://localhost/es/* Trying 192.168.5.171:9201...
* Connected to 192.168.5.171 (192.168.5.171) port 9201
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: self signed certificate
* Closing connection
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:80...
* Connected to localhost (::1) port 80
* Server auth using Basic with user 'admin'
> GET /es/ HTTP/1.1
> Host: localhost
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.27.4
< Date: Thu, 24 Apr 2025 09:21:09 GMT
< Content-Type: text/html
< Content-Length: 179
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Restricted Area"
<
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.27.4</center>
</body>
</html>
* Connection #0 to host localhost left intact
❰xu❙~/OrbStack/docker/containers/secure-nginx/etc/nginx❱✔≻ curl -v https://192.168.5.171:9201/ (base) 17:21:09curl -v -u "admin:admin123" http://localhost/es/* Trying 192.168.5.171:9201...
* Connected to 192.168.5.171 (192.168.5.171) port 9201
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: self signed certificate
* Closing connection
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:80...
* Connected to localhost (::1) port 80
* Server auth using Basic with user 'admin'
> GET /es/ HTTP/1.1
> Host: localhost
> Authorization: Basic YWRtaW46YWRtaW4xMjM=
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.27.4
< Date: Thu, 24 Apr 2025 09:21:16 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 381
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Security" charset="UTF-8"
<
* Connection #0 to host localhost left intact
{"error":{"root_cause":[{"type":"security_exception","reason":"Missing authentication information for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"Security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"Missing authentication information for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"Security\" charset=\"UTF-8\""}},"status":401}⏎
| 场景编号 | Nginx 是否开启认证 | EasySearch 是否开启认证 | 实际认证次数 | 说明 |
|---|---|---|---|---|
| ① | 否 | 否 | 0 次 | 完全开放,任何请求无需验证。 |
| ② | 否 | ✅ 是 | 1 次 | 访问时直接弹出 EasySearch 的认证窗口,用户需输入凭证。 |
| ③ | ✅ 是 | 否 | 1 次 | 仅在 Nginx 层验证,验证通过后直接访问后端。 |
| ④ | ✅ 是 | ✅ 是 | 2 次(默认) | Nginx 和 EasySearch 各自认证,用户需连续输入两次密码。 |
| ⑤ | ✅ 是 | ✅ 是 | 1 次(透传,proxy_pass_request_headers on;) | Nginx 开启认证,并通过 proxy_set_header Authorization 透传给 EasySearch,用户仅需输入一次密码即可完成认证。 |