authelia/internal/suites/example/compose/haproxy/haproxy.cfg

global
    lua-prepend-path /usr/local/etc/haproxy/?/http.lua
    lua-load /usr/local/etc/haproxy/auth-request.lua
    log stdout format raw local0 debug
	maxconn 2000

defaults
    default-server init-addr none
    mode http
	timeout connect 5000ms
	timeout client 50000ms
	timeout server 50000ms
    log global
    option forwardfor
    option httplog
    option httpchk
    http-check expect rstatus ^2

resolvers docker
    nameserver ip 127.0.0.11:53

frontend fe_api
    bind *:8081 ssl crt /pki/private.chain.pem

    stats enable
    stats uri /api
    stats refresh 10s
    stats admin if LOCALHOST

frontend fe_http
    bind *:8080 ssl crt /pki/private.chain.pem

    acl api-path path_beg -i /api
	acl devworkflow-path path -i -m end /devworkflow
    acl headers-path path -i -m end /headers
	acl jwks-path path -i -m end /jwks.json
	acl locales-path path_beg -i /locales
	acl wellknown-path path_beg -i /.well-known
    acl host-authelia-portal hdr(host) -i login.example.com:8080
    acl protected-frontends hdr(host) -m reg -i ^(?i)(admin|home|public|secure|singlefactor)\.example\.com

    http-request set-var(req.scheme) str(https) if { ssl_fc }
    http-request set-var(req.scheme) str(http) if !{ ssl_fc }
    http-request set-var(req.questionmark) str(?) if { query -m found }

    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Method %[method]
    http-request set-header X-Forwarded-Proto  %[var(req.scheme)]
    http-request set-header X-Forwarded-Host   %[req.hdr(Host)]
    http-request set-header X-Forwarded-URI    %[path]%[var(req.questionmark)]%[query]

    # be_auth_request is used to make HAProxy do the TLS termination since the Lua script
    # does not know how to handle it (see https://github.com/TimWolla/haproxy-auth-request/issues/12).
    http-request lua.auth-intercept be_auth_request /api/authz/forward-auth HEAD * authorization,proxy-authorization,remote_user,remote-user,remote-groups,remote-name,remote-email - if protected-frontends
    http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool }

    use_backend be_authelia if host-authelia-portal api-path || devworkflow-path || jwks-path || locales-path || wellknown-path
    use_backend fe_authelia if host-authelia-portal !api-path
    use_backend be_httpbin if protected-frontends headers-path
    use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
    use_backend be_protected if protected-frontends

backend be_auth_request
    server proxy 127.0.0.1:8085

listen be_auth_request_proxy
    bind 127.0.0.1:8085
    server authelia-backend authelia-backend:9091 resolvers docker ssl verify none

backend be_authelia
    server authelia-backend authelia-backend:9091 resolvers docker ssl verify none

backend fe_authelia
	option httpchk
	http-check expect rstatus ^2

    server authelia-frontend authelia-frontend:3000 check resolvers docker
    server authelia-backend authelia-backend:9091 check backup resolvers docker ssl verify none

backend be_httpbin
    ## Pass the Set-Cookie response headers to the user.
    acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
    http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist

    server httpbin-backend httpbin:8000 resolvers docker

backend be_mail
    server smtp-backend smtp:1080 resolvers docker

backend be_protected
    ## Pass the Set-Cookie response headers to the user.
    acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
    http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist

    server nginx-backend nginx-backend:80 resolvers docker
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`global`
[FEATURE] Support updated haproxy-auth-request (#1310) * [FEATURE] Support updated haproxy-auth-request This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments. * Fix docs indentation * Add haproxy-lua-http to TLS enabled configuration 2020-09-10 00:52:57 +00:00			`lua-prepend-path /usr/local/etc/haproxy/?/http.lua`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`lua-load /usr/local/etc/haproxy/auth-request.lua`
			`log stdout format raw local0 debug`
refactor(suites): utilise pki certs in haproxy suite (#4945) This utilises the certs provided within the pki section of the repo for the HAProxy suite. 2023-02-17 04:05:48 +00:00			`maxconn 2000`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
			`defaults`
refactor(suites): replace selenium with go-rod (#2534) * refactor(suites): replace selenium with go-rod This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod). We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser. Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives. 2021-11-05 13:14:42 +00:00			`default-server init-addr none`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`mode http`
refactor(suites): utilise pki certs in haproxy suite (#4945) This utilises the certs provided within the pki section of the repo for the HAProxy suite. 2023-02-17 04:05:48 +00:00			`timeout connect 5000ms`
			`timeout client 50000ms`
			`timeout server 50000ms`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`log global`
			`option forwardfor`
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`option httplog`
			`option httpchk`
			`http-check expect rstatus ^2`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
refactor(suites): replace selenium with go-rod (#2534) * refactor(suites): replace selenium with go-rod This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod). We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser. Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives. 2021-11-05 13:14:42 +00:00			`resolvers docker`
			`nameserver ip 127.0.0.11:53`

Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`frontend fe_api`
refactor(suites): utilise pki certs in haproxy suite (#4945) This utilises the certs provided within the pki section of the repo for the HAProxy suite. 2023-02-17 04:05:48 +00:00			`bind *:8081 ssl crt /pki/private.chain.pem`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
			`stats enable`
			`stats uri /api`
			`stats refresh 10s`
			`stats admin if LOCALHOST`

			`frontend fe_http`
refactor(suites): utilise pki certs in haproxy suite (#4945) This utilises the certs provided within the pki section of the repo for the HAProxy suite. 2023-02-17 04:05:48 +00:00			`bind *:8080 ssl crt /pki/private.chain.pem`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
			`acl api-path path_beg -i /api`
test(suites): load environment into suites (#4762) * test(suites): load environment into suites * test(suites): default setup suite * test(suites): create base suite * test(suites): fix nil ptr * test(suites): add logging * test: fix missing devworkflow path * refactor: apply suggestions * refactor: log * fix: dev workflow requires env file to trigger vite hmr * fix(suites): fix dynamic configuration in dev workflow for all proxies * refactor: apply final suggestions * fix: pass log level to suites * fix(suites): include pathprefix to prevent react router basename issues * fix: missing setup logging calls * fix: gate suite setup funcs * test: fix lint * test: fix tmp dir * fix(suites): fix gitignore of .env.development with vite hmr Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 04:11:05 +00:00			`acl devworkflow-path path -i -m end /devworkflow`
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00			`acl headers-path path -i -m end /headers`
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`acl jwks-path path -i -m end /jwks.json`
			`acl locales-path path_beg -i /locales`
			`acl wellknown-path path_beg -i /.well-known`
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00			`acl host-authelia-portal hdr(host) -i login.example.com:8080`
[DOCS] Make HAProxy regex case insensitive (#1478) 2020-11-24 01:35:38 +00:00			`acl protected-frontends hdr(host) -m reg -i ^(?i)(admin\|home\|public\|secure\|singlefactor)\.example\.com`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
			`http-request set-var(req.scheme) str(https) if { ssl_fc }`
			`http-request set-var(req.scheme) str(http) if !{ ssl_fc }`
			`http-request set-var(req.questionmark) str(?) if { query -m found }`

			`http-request set-header X-Real-IP %[src]`
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-08 04:48:55 +00:00			`http-request set-header X-Forwarded-Method %[method]`
			`http-request set-header X-Forwarded-Proto %[var(req.scheme)]`
			`http-request set-header X-Forwarded-Host %[req.hdr(Host)]`
			`http-request set-header X-Forwarded-URI %[path]%[var(req.questionmark)]%[query]`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
[FEATURE] Make Authelia serve over TLS in all suites (#864) * [BUGFIX] Fix dev workflow by using TLS for all suites. * Fix traefik 1.x and 2.x suites. * Display authelia logs on suite failure. * Fix HAProxy suite. * Extend timeout of test case. * Display current URL in verify assertion. * fix doLoginTwoFactor by adding a timeout * when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal * fix by adding one second timeout * bump go version to 1.14.2 * Fix Kube suite and bump dashboard. * Update dist authelia-frontend to proxy_pass with variable * Apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * Apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * Remove debug logs since it's polluting logs. Also set timeout back to 5 seconds in HA suite. Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-04-13 23:57:28 +00:00			`# be_auth_request is used to make HAProxy do the TLS termination since the Lua script`
			`# does not know how to handle it (see https://github.com/TimWolla/haproxy-auth-request/issues/12).`
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-08 04:48:55 +00:00			`http-request lua.auth-intercept be_auth_request /api/authz/forward-auth HEAD * authorization,proxy-authorization,remote_user,remote-user,remote-groups,remote-name,remote-email - if protected-frontends`
			`http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool }`
[MISC] Add coverage for Remote-User and Remote-Groups (#982) * Fix dev workflow. * Fix dev workflow. * Cover Remote-User and Remote-Groups using Traefik. * Cover Remote-User and Remote-Groups using HAProxy. * Fix redirection after unauthorized response when using HAProxy. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-05-06 01:50:37 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`use_backend be_authelia if host-authelia-portal api-path \|\| devworkflow-path \|\| jwks-path \|\| locales-path \|\| wellknown-path`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`use_backend fe_authelia if host-authelia-portal !api-path`
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00			`use_backend be_httpbin if protected-frontends headers-path`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`use_backend be_mail if { hdr(host) -i mail.example.com:8080 }`
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00			`use_backend be_protected if protected-frontends`
[FEATURE] Make Authelia serve over TLS in all suites (#864) * [BUGFIX] Fix dev workflow by using TLS for all suites. * Fix traefik 1.x and 2.x suites. * Display authelia logs on suite failure. * Fix HAProxy suite. * Extend timeout of test case. * Display current URL in verify assertion. * fix doLoginTwoFactor by adding a timeout * when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal * fix by adding one second timeout * bump go version to 1.14.2 * Fix Kube suite and bump dashboard. * Update dist authelia-frontend to proxy_pass with variable * Apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * Apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * Remove debug logs since it's polluting logs. Also set timeout back to 5 seconds in HA suite. Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-04-13 23:57:28 +00:00
			`backend be_auth_request`
[BUGFIX] Fix HAProxy redirects (#1333) Including updates to docs examples. 2020-09-22 23:06:26 +00:00			`server proxy 127.0.0.1:8085`
[FEATURE] Make Authelia serve over TLS in all suites (#864) * [BUGFIX] Fix dev workflow by using TLS for all suites. * Fix traefik 1.x and 2.x suites. * Display authelia logs on suite failure. * Fix HAProxy suite. * Extend timeout of test case. * Display current URL in verify assertion. * fix doLoginTwoFactor by adding a timeout * when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal * fix by adding one second timeout * bump go version to 1.14.2 * Fix Kube suite and bump dashboard. * Update dist authelia-frontend to proxy_pass with variable * Apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * Apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * Remove debug logs since it's polluting logs. Also set timeout back to 5 seconds in HA suite. Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-04-13 23:57:28 +00:00
			`listen be_auth_request_proxy`
[BUGFIX] Fix HAProxy redirects (#1333) Including updates to docs examples. 2020-09-22 23:06:26 +00:00			`bind 127.0.0.1:8085`
refactor(suites): replace selenium with go-rod (#2534) * refactor(suites): replace selenium with go-rod This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod). We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser. Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives. 2021-11-05 13:14:42 +00:00			`server authelia-backend authelia-backend:9091 resolvers docker ssl verify none`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00			`backend be_authelia`
refactor(suites): replace selenium with go-rod (#2534) * refactor(suites): replace selenium with go-rod This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod). We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser. Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives. 2021-11-05 13:14:42 +00:00			`server authelia-backend authelia-backend:9091 resolvers docker ssl verify none`
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00			`backend fe_authelia`
test(suites): load environment into suites (#4762) * test(suites): load environment into suites * test(suites): default setup suite * test(suites): create base suite * test(suites): fix nil ptr * test(suites): add logging * test: fix missing devworkflow path * refactor: apply suggestions * refactor: log * fix: dev workflow requires env file to trigger vite hmr * fix(suites): fix dynamic configuration in dev workflow for all proxies * refactor: apply final suggestions * fix: pass log level to suites * fix(suites): include pathprefix to prevent react router basename issues * fix: missing setup logging calls * fix: gate suite setup funcs * test: fix lint * test: fix tmp dir * fix(suites): fix gitignore of .env.development with vite hmr Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 04:11:05 +00:00			`option httpchk`
			`http-check expect rstatus ^2`

refactor(suites): stop integration tests on first failure (#3270) * refactor(suites): stop integration tests on first failure * refactor(suites): remove additional nginx instance * refactor(suites): log relevant containers * refactor(suites): add traefik2 logs to stdout * refactor(suites): explicitly enable traefik for tests * refactor(suites): remove redis restart and duplicate pathprefix tests * ci(buildkite): allow manual retry on integration tests 2022-05-02 04:50:37 +00:00			`server authelia-frontend authelia-frontend:3000 check resolvers docker`
			`server authelia-backend authelia-backend:9091 check backup resolvers docker ssl verify none`
Create a suite for HAProxy 2020-01-10 04:49:30 +00:00
[MISC] Add coverage for Remote-User and Remote-Groups (#982) * Fix dev workflow. * Fix dev workflow. * Cover Remote-User and Remote-Groups using Traefik. * Cover Remote-User and Remote-Groups using HAProxy. * Fix redirection after unauthorized response when using HAProxy. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-05-06 01:50:37 +00:00			`backend be_httpbin`
test: adjust tests and docs to be similar (#4856) 2023-02-02 07:13:18 +00:00			`## Pass the Set-Cookie response headers to the user.`
			`acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found`
			`http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist`

refactor(suites): replace selenium with go-rod (#2534) * refactor(suites): replace selenium with go-rod This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod). We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser. Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives. 2021-11-05 13:14:42 +00:00			`server httpbin-backend httpbin:8000 resolvers docker`
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00
			`backend be_mail`
refactor(suites): replace selenium with go-rod (#2534) * refactor(suites): replace selenium with go-rod This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod). We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser. Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives. 2021-11-05 13:14:42 +00:00			`server smtp-backend smtp:1080 resolvers docker`
[DOCS] Clean HAProxy examples (#1338) Remove headers that are not required and fix a typo. 2020-09-23 07:29:46 +00:00
			`backend be_protected`
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-08 04:48:55 +00:00			`## Pass the Set-Cookie response headers to the user.`
			`acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found`
			`http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist`

refactor(suites): replace selenium with go-rod (#2534) * refactor(suites): replace selenium with go-rod This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod). We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser. Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives. 2021-11-05 13:14:42 +00:00			`server nginx-backend nginx-backend:80 resolvers docker`