
Zero Trust in practice: replacing the VPN with Nginx+Authelia, a complete open-source walkthrough

Zero Trust: roll it out progressively, starting with an IAP

Zero Trust is not a product; it is an architectural approach. The starting point with the highest return on investment is replacing the VPN with an Identity-Aware Proxy (IAP): every request to an internal service is authenticated and authorized at the proxy, instead of being trusted because it arrived over the VPN tunnel.


I. Implementing the IAP with Nginx+Authelia

# docker-compose.yml
services:
  authelia:
    image: authelia/authelia:latest
    volumes:
      - ./authelia:/config
    ports:
      - "9091:9091"   # optional, for debugging only: nginx reaches Authelia over the compose network

  nginx:
    image: nginx:alpine
    depends_on:
      - authelia
    ports:
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/certs:/etc/nginx/certs:ro   # TLS certificate and key (path is a placeholder)

# nginx.conf (server blocks only; TLS certificate paths are placeholders)
server {
    listen 443 ssl;
    server_name *.internal.company.com;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    location / {
        # every request is first checked against Authelia with a subrequest
        auth_request /authelia;
        auth_request_set $user $upstream_http_remote_user;
        error_page 401 = @authelia_login;
        proxy_pass http://backend-service;
        proxy_set_header X-Remote-User $user;
    }

    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;
        proxy_set_header X-Original-URL $scheme://$host$request_uri;
        # auth_request subrequests must not forward the client request body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location @authelia_login {
        return 302 https://auth.internal.company.com/?rd=$scheme://$host$request_uri;
    }
}

# The login portal that the 302 above points to, served by the same nginx (added for completeness)
server {
    listen 443 ssl;
    server_name auth.internal.company.com;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    location / {
        proxy_pass http://authelia:9091;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

II. Authelia multi-factor and LDAP configuration

# authelia/configuration.yml (excerpt; the bind credentials are placeholders)
authentication_backend:
  ldap:
    url: ldap://ldap.company.com
    base_dn: DC=company,DC=com
    username_attribute: sAMAccountName
    user: CN=authelia,OU=service,DC=company,DC=com   # read-only bind account
    password: <bind-password>

access_control:
  default_policy: deny  # deny everything by default

  rules:
  - domain: "*.production.company.com"
    policy: two_factor   # two factors for production
    subject: "group:sre-team"

  - domain: "*.dev.company.com"
    policy: one_factor   # one factor for development
    subject:             # a list means any of these groups
      - "group:dev-team"
      - "group:sre-team"

session:
  expiration: 8h
  inactivity: 30m
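
To make the rule semantics above concrete, here is a small model of how the access_control section is evaluated, written for this page as an added example (it is not Authelia's own code). It assumes first-match-wins rule order, that a list-valued subject means any of the listed groups, that wildcard domains behave like shell globs, that an anonymous user passes the subject check so the rule's policy forces a login, and the names LEVELS, effective_policy and authorize are mine; the returned status mirrors what nginx's auth_request subrequest sees.

```python
from fnmatch import fnmatchcase

# Simplified model of Authelia's access_control evaluation (added example,
# not Authelia's code). Assumed semantics: rules are tried in order and the
# first rule whose domain and subject match decides; otherwise default_policy.
LEVELS = {"bypass": 0, "one_factor": 1, "two_factor": 2}

# The access_control section from above, as a Python dict
ACCESS_CONTROL = {
    "default_policy": "deny",
    "rules": [
        {"domain": "*.production.company.com", "policy": "two_factor",
         "subject": "group:sre-team"},
        {"domain": "*.dev.company.com", "policy": "one_factor",
         "subject": ["group:dev-team", "group:sre-team"]},
    ],
}

def subject_matches(subject, user, groups):
    # No subject: the rule applies to everyone. Anonymous user (None): the
    # subject is treated as matching so the rule's policy forces a login first.
    if subject is None or user is None:
        return True
    if isinstance(subject, str):
        kind, _, name = subject.partition(":")
        return (kind == "user" and name == user) or (kind == "group" and name in groups)
    return any(subject_matches(s, user, groups) for s in subject)  # list = OR

def effective_policy(config, host, user, groups):
    for rule in config["rules"]:
        if fnmatchcase(host, rule["domain"]) and subject_matches(rule.get("subject"), user, groups):
            return rule["policy"]
    return config["default_policy"]

def authorize(config, host, user, groups, auth_level):
    """Status the nginx auth_request subrequest gets back:
    200 = allowed, 401 = needs (more) authentication, 403 = forbidden."""
    policy = effective_policy(config, host, user, groups)
    if policy == "deny":
        return 403
    return 200 if auth_level >= LEVELS[policy] else 401

if __name__ == "__main__":
    # SRE with 2FA on production: allowed; with only one factor: 401 -> portal redirect
    print(authorize(ACCESS_CONTROL, "api.production.company.com", "alice", ["sre-team"], 2))
    print(authorize(ACCESS_CONTROL, "api.production.company.com", "alice", ["sre-team"], 1))
    # Developer on production: no rule matches, default_policy deny -> 403
    print(authorize(ACCESS_CONTROL, "api.production.company.com", "bob", ["dev-team"], 2))
```

Note that the apex name production.company.com does not match "*.production.company.com" in this model, so it falls through to the deny default.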

III. Micro-segmentation with Kubernetes NetworkPolicy

# Deny all pod-to-pod traffic by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
# Note: denying Egress also blocks DNS; add an egress rule to kube-dns (port 53 UDP/TCP)
# or workloads in the namespace will fail name resolution.
---
# Explicitly allow frontend -> backend API
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: production   # same namespace as the deny-all policy
spec:
  podSelector:
    matchLabels:
      app: backend-api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
# This only opens the backend side; because Egress is denied above, the frontend
# pods also need a matching egress rule to backend-api on 8080.

IV. Device health scoring

from dataclasses import dataclass
from enum import Enum

class AccessLevel(Enum):
    FULL = "full"
    LIMITED = "limited"
    BLOCKED = "blocked"
@dataclass
class Device:
    os_days_since_update: int
    disk_encrypted: bool
    antivirus_active: bool
    screen_lock_timeout: int  # seconds

def calculate_device_trust(device: Device) -> int:
    score = 100  # deductions for patch age are cumulative: > 90 days loses 50
    if device.os_days_since_update > 30: score -= 20
    if device.os_days_since_update > 90: score -= 30
    if not device.disk_encrypted: score -= 30
    if not device.antivirus_active: score -= 20
    if device.screen_lock_timeout > 300: score -= 10
    return max(score, 0)

def get_access_level(user, device: Device) -> AccessLevel:
    score = calculate_device_trust(device)
    if score >= 80: return AccessLevel.FULL
    elif score >= 60: return AccessLevel.LIMITED
    else: return AccessLevel.BLOCKED

V. A six-month progressive roadmap

Phase     Timeframe     Main work
Phase 1   Months 1-2    Deploy the IAP to replace the VPN (start with externally facing services)
Phase 2   Months 2-3    Kubernetes micro-segmentation network policies
Phase 3   Months 3-4    Integrate device health checks
Phase 4   Months 4-6    Move all internal services behind the IAP

Starting with the IAP is the entry point with the highest return on investment in a Zero Trust rollout. Nginx+Authelia can be set up within a few weeks at very low cost.