Configure IAP to authenticate programmatic access to CLB's domain and path

Last updated: 2024-11-07 09:17:46
Identity Aware Platform (IAP) binds to the CLB listener via domain names and paths, enabling authentication and permission control for HTTPS programmatic traffic passing through the CLB listener. This document describes how to use IAP to authenticate requests to the domain names and paths already added to CLB.

Prerequisites

You have successfully created an HTTP or HTTPS listener, and the domain name can be normally accessed. For more information, please refer to Getting Started with CLB.

Directions

Step 1: Confirm the CLB Domain Name Configuration

This document uses protection of the www.example.com domain name as an example.
1. Log in to the CLB console and click Instance Management in the left sidebar.
2. On the Instance Management page, select the region. In the instance list, click the Operation column on the right side of the target instance, then select Configure Listener.
3. In the HTTP/HTTPS Listener area on the Listener Management tab, click + on the left of the target listener to view domain name details.

4. Check the CLB domain name configuration: The CLB instance ID is "lb-****", the listener name is "test", and the domain name monitored by the listener forwarding rule is www.example.com. The details page on the right provides a link to the IAP configuration.

Step 2: In the IAP, Enable or Disable the Authentication Feature for the Domain Name and Path

By clicking the IAP link in Step 1, you can enter the IAP configuration page, where you can enable or disable the IAP feature for the domain name and path under the CLB instance.
1. Log in to the IAP console and select Instance Management in the left sidebar.
2. On the Instance Management page, select CLB Instance > Listener > URL, to enable/disable IAP.

Field Description
Domain name: The domain name that needs IAP configuration, here www.example.com.
URL: The specific path, here /.
IAP Authentication: The switch for IAP authentication.
Policy: The forwarding behavior of CLB when the IAP authentication service is unavailable.
Note:
The default is "Reject": in the extreme case where the IAP service is unavailable, CLB blocks customer requests.

Step 3: Navigate to CAM to Configure the Relevant Policies

This document uses the configuration of authentication for www.example.com/ as an example.
1. Log in to the CAM console. In the left navigation bar, click Policies.
2. On the Policies page, click Create Custom Policy.
3. On the Create Custom Policy tab, select Allow for the effect, select Cloud Load Balancer Identity Auth(clbia) for the service, and select All for the action. Fill in resource content based on the 6-Segment Resource Description format.

The generated policy JSON format is as follows:

Field Description:
CLB Six-Segment Resource Description: qcs::clbia:${region}:uin/${uin}:clb/${loadbalancerid}/${vport}/${protocol}/${domain}/${uLocationId}
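
Added example, not Tencent's code or the console's generated output: a Python helper that builds the six-segment resource for exactly one forwarding rule, wraps it in a policy document, and names any wildcard segments when auditing an existing resource string. The "clbia:*" action string, the version "2.0" policy layout, the treatment of a bare "*" segment as a wildcard, and all sample values are assumptions of this example.

```python
import json
import re

# Format quoted on this page:
# qcs::clbia:${region}:uin/${uin}:clb/${loadbalancerid}/${vport}/${protocol}/${domain}/${uLocationId}
SEGMENTS = ("region", "uin", "loadbalancerid", "vport", "protocol",
            "domain", "uLocationId")
SEG = r"([^:/\s]+)"  # one segment: non-empty, no separators, no whitespace
RESOURCE_RE = re.compile(
    rf"qcs::clbia:{SEG}:uin/{SEG}:clb/{SEG}/{SEG}/{SEG}/{SEG}/{SEG}")


def parse_resource(resource):
    """Split a resource string into named segments; None if malformed."""
    match = RESOURCE_RE.fullmatch(resource)
    return dict(zip(SEGMENTS, match.groups())) if match else None


def build_resource(**fields):
    """Build the resource string for exactly one forwarding rule."""
    if set(fields) != set(SEGMENTS):
        raise ValueError(f"expected exactly these fields: {SEGMENTS}")
    resource = ("qcs::clbia:{region}:uin/{uin}:clb/{loadbalancerid}/{vport}/"
                "{protocol}/{domain}/{uLocationId}").format(**fields)
    # Re-parse so a value containing ':' or '/' cannot shift the segments.
    if parse_resource(resource) != {k: str(v) for k, v in fields.items()}:
        raise ValueError("a field is empty or contains a separator")
    return resource


def wildcard_segments(resource):
    """Name the segments that are a bare '*' (assumed to match anything)."""
    parsed = parse_resource(resource)
    if parsed is None:
        raise ValueError(f"not a clbia six-segment resource: {resource!r}")
    return [name for name in SEGMENTS if parsed[name] == "*"]


def build_policy(resource):
    """Policy document allowing all clbia actions on one resource."""
    # Assumption: the console's "All" action is written "clbia:*".
    return {"version": "2.0", "statement": [
        {"effect": "allow", "action": ["clbia:*"], "resource": [resource]}]}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real account.
    rule = build_resource(region="ap-guangzhou", uin="100000000001",
                          loadbalancerid="lb-example1", vport=443, protocol="HTTPS",
                          domain="www.example.com", uLocationId="loc-example1")
    print(json.dumps(build_policy(rule), indent=2), wildcard_segments(rule))
```
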

Step 4: Associate the Policy with a User or User Group

1. On the Policy Management page, select Policy Usage.
2. Associate users or user groups.


Step 5: Validate the Result

Note:
The Python SDK is used in this example.
1. Install or upgrade the SDK:
pip install tencentcloud-simple-sign
2. Call the SDK in the program and send the request:
When sending a request, you need to include the "Tencent-Proxy-Authorization" field in the HTTP header. The value of this field is generated by the sign method in the SDK. The definition of this method is as follows:
Below is a complete example of sending a GET request to CLB. In actual use, you only need to replace SECRET_ID, SECRET_KEY, HOST, and timestamp with your actual configuration values. If you are using temporary credentials, you also need to pass TOKEN when calling the sign method.

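import time

import requests
from simple_sign.sign import sign

SECRET_ID = "your_secret_id"
SECRET_KEY = "your_secret_key"
TOKEN = "your_token"  # only for temporary key
HOST = "test.com"  # replace with the domain name protected by IAP

# Time window passed to sign(): from now to two hours from now.
hour = 3600
expiration = hour * 2
now = int(time.time())
sig = sign(SECRET_ID, SECRET_KEY, HOST, now, now + expiration, TOKEN)

url = "https://www.example.com/"
headers = {
    # The header name has no trailing colon; the HTTP client adds the separator.
    'Tencent-Proxy-Authorization': sig,
    'Host': HOST
}

# verify=False turns off TLS certificate verification for this test request.
response = requests.get(url, headers=headers, verify=False)

print(sig)
print(response.status_code)
print(response.text)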
3. When the program sends the request using the SDK as shown above, it receives a normal response code 200, which indicates that the IAP authentication feature is functioning correctly.
Note:
www.example.com is the domain name used in this example. You need to replace this domain name with the actual domain name you have added.



