Skip to content
/ haproxy-auth-request Public
forked from TimWolla/haproxy-auth-request

auth-request allows you to add access control to your HTTP services based on a subrequest to a configured haproxy backend.

bl.duesterhus.eu/20180119/

License

MIT license
1 star 28 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

voyagermesh/haproxy-auth-request

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
debian
debian
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
auth-request.lua
auth-request.lua
 
 

Repository files navigation

auth-request

auth-request allows you to add access control to your HTTP services based on a subrequest to a configured haproxy backend. The workings of this Lua script are loosely based on the ngx_http_auth_request_module module for nginx.

Requirements

Required

  • haproxy 1.8.0+
  • USE_LUA=1 set at compile time.
  • LuaSocket in your Lua library path (LUA_PATH).

Recommended

Set-Up

  1. Load this Lua script in the global section of your haproxy.cfg:
global
	# *snip*
	lua-load /usr/share/haproxy/auth-request.lua
  1. Define a backend that is used for the subrequests:
backend auth_request
	mode http
	server auth_request 127.0.0.1:8080 check
  1. Execute the subrequest in your frontend (as early as possible):
frontend http
	mode http
	listen :::80 v4v6
	# *snip*

	#                             Backend name     Path to request
	http-request lua.auth-request auth_request     /is-allowed
  1. Act on the results:
frontend http
	# *snip*
	
	http-request deny if ! { var(txn.auth_response_successful) -m bool }

The Details

The Lua script will make a HTTP request to the first server in the given backend that is not marked as DOWN. This allows for basic health checking of the auth-request backend. If you need more complex processing of the request forward the auth-request to a separate haproxy frontend that performs the required modifications to the request and response.

The requested URL is the one given in the second parameter.

Any request headers will be forwarded as-is to the auth-request backend.

The Lua script will define the txn.auth_response_successful variable as true iff the subrequest returns an HTTP status code of 2xx. The status code of the subrequest will be returned in txn.auth_response_code. If the subrequest does not return a valid HTTP response the status code is set to 500 Internal Server Error.

Known limitations

  • The Lua script only supports basic health checking, without redispatching or load balancing of any kind.
  • The response headers of the subrequest are not exposed outside the script.
  • The backend must not be using TLS.
  • IPv6 is only supported in haproxy 1.8.4+ (released on 2018-02-08), due do a bug. You can monkeypatch by reverting commit 57950b4.

About

auth-request allows you to add access control to your HTTP services based on a subrequest to a configured haproxy backend.

bl.duesterhus.eu/20180119/

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Lua 96.4%
  • Makefile 3.6%