authelia/internal/suites/example/compose/haproxy/haproxy.cfg

118 lines
5.2 KiB
INI
Raw Normal View History

2020-01-10 04:49:30 +00:00
global
lua-prepend-path /usr/local/etc/haproxy/?/http.lua
2020-01-10 04:49:30 +00:00
lua-load /usr/local/etc/haproxy/auth-request.lua
log stdout format raw local0 debug
maxconn 2000
2020-01-10 04:49:30 +00:00
defaults
default-server init-addr none
2020-01-10 04:49:30 +00:00
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
2020-01-10 04:49:30 +00:00
log global
option forwardfor
option httplog
option httpchk
http-check expect rstatus ^2
2020-01-10 04:49:30 +00:00
resolvers docker
nameserver ip 127.0.0.11:53
2020-01-10 04:49:30 +00:00
frontend fe_api
bind *:8081 ssl crt /pki/private.chain.pem
2020-01-10 04:49:30 +00:00
stats enable
stats uri /api
stats refresh 10s
stats admin if LOCALHOST
frontend fe_http
bind *:8080 ssl crt /pki/private.chain.pem
2020-01-10 04:49:30 +00:00
acl api-path path_beg -i /api
acl devworkflow-path path -i -m end /devworkflow
acl headers-path path -i -m end /headers
acl jwks-path path -i -m end /jwks.json
acl locales-path path_beg -i /locales
acl wellknown-path path_beg -i /.well-known
acl host-authelia-portal hdr(host) -i login.example.com:8080
acl protected-frontends hdr(host) -m reg -i ^(?i)(admin|home|public|secure|singlefactor)\.example\.com
2020-01-10 04:49:30 +00:00
http-request set-var(req.scheme) str(https) if { ssl_fc }
http-request set-var(req.scheme) str(http) if !{ ssl_fc }
http-request set-var(req.questionmark) str(?) if { query -m found }
http-request set-var(req.method) str(CONNECT) if { method CONNECT }
http-request set-var(req.method) str(GET) if { method GET }
http-request set-var(req.method) str(HEAD) if { method HEAD }
http-request set-var(req.method) str(OPTIONS) if { method OPTIONS }
http-request set-var(req.method) str(POST) if { method POST }
http-request set-var(req.method) str(TRACE) if { method TRACE }
http-request set-var(req.method) str(PUT) if { method PUT }
http-request set-var(req.method) str(PATCH) if { method PATCH }
http-request set-var(req.method) str(DELETE) if { method DELETE }
2020-01-10 04:49:30 +00:00
http-request set-header X-Real-IP %[src]
http-request set-header X-Original-Method %[var(req.method)]
http-request set-header X-Original-URL %[var(req.scheme)]://%[req.hdr(Host)]%[path]%[var(req.questionmark)]%[query]
2020-01-10 04:49:30 +00:00
# be_auth_request is used to make HAProxy do the TLS termination since the Lua script
# does not know how to handle it (see https://github.com/TimWolla/haproxy-auth-request/issues/12).
http-request lua.auth-request be_auth_request /api/authz/auth-request if protected-frontends
2020-01-10 04:49:30 +00:00
http-request redirect location https://login.example.com:8080/?rd=%[var(req.scheme)]://%[base]%[var(req.questionmark)]%[query]&rm=%[var(req.method)] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
use_backend be_authelia if host-authelia-portal api-path || devworkflow-path || jwks-path || locales-path || wellknown-path
2020-01-10 04:49:30 +00:00
use_backend fe_authelia if host-authelia-portal !api-path
use_backend be_httpbin if protected-frontends headers-path
2020-01-10 04:49:30 +00:00
use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
use_backend be_protected if protected-frontends
backend be_auth_request
server proxy 127.0.0.1:8085
listen be_auth_request_proxy
bind 127.0.0.1:8085
server authelia-backend authelia-backend:9091 resolvers docker ssl verify none
2020-01-10 04:49:30 +00:00
backend be_authelia
server authelia-backend authelia-backend:9091 resolvers docker ssl verify none
2020-01-10 04:49:30 +00:00
backend fe_authelia
option httpchk
http-check expect rstatus ^2
server authelia-frontend authelia-frontend:3000 check resolvers docker
server authelia-backend authelia-backend:9091 check backup resolvers docker ssl verify none
2020-01-10 04:49:30 +00:00
backend be_httpbin
## Pass the special authorization response headers to the protected application.
acl authorization_exist var(req.auth_response_header.authorization) -m found
acl proxy_authorization_exist var(req.auth_response_header.proxy_authorization) -m found
http-request set-header Authorization %[var(req.auth_response_header.authorization)] if authorization_exist
http-request set-header Proxy-Authorization %[var(req.auth_response_header.proxy_authorization)] if proxy_authorization_exist
## Pass the special metadata response headers to the protected application.
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
acl remote_name_exist var(req.auth_response_header.remote_name) -m found
acl remote_email_exist var(req.auth_response_header.remote_email) -m found
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
## Pass the Set-Cookie response headers to the user.
acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist
server httpbin-backend httpbin:8000 resolvers docker
backend be_mail
server smtp-backend smtp:1080 resolvers docker
backend be_protected
server nginx-backend nginx-backend:80 resolvers docker