RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[DOCS] Clean HAProxy examples (#1338) 

Remove headers that are not required and fix a typo.
pull/1335/head
Amir Zarrinkafsh 2020-09-23 17:29:46 +10:00 committed by GitHub
parent 5b98b4d090
commit 607f829431
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/deployment/supported-proxies/haproxy.md
View File

@ -62,7 +62,7 @@ backend upon successful authentication, for example:
### Secure Authelia with TLS
There is a [known limitation](https://github.com/TimWolla/haproxy-auth-request/issues/12) with haproxy-auth-request with regard to TLS-enabled backends.
If you want to run Authelia TLS enabled the recommended workaround utilises HAProxy itself to proxy the requests.
This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexbility with regard
This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexibility with regard
to TLS verification as well as header rewriting. An example of this configuration is also be provided below.
#### Configuration
@ -98,7 +98,6 @@ frontend fe_http
http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request add-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
# Protect endpoints with haproxy-auth-request and Authelia
@ -155,7 +154,6 @@ frontend fe_http
http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request add-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
# Protect endpoints with haproxy-auth-request and Authelia

29
internal/suites/example/compose/haproxy/haproxy.cfg
View File

@ -20,10 +20,10 @@ frontend fe_api
frontend fe_http
bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
acl host-authelia-portal hdr(host) -i login.example.com:8080
acl api-path path_beg -i /api
acl headers-path path -i -m end /headers
acl host-authelia-portal hdr(host) -i login.example.com:8080
acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
acl is_headers path -i -m end /headers
http-request set-var(req.scheme) str(https) if { ssl_fc }
http-request set-var(req.scheme) str(http) if !{ ssl_fc }
@ -32,7 +32,6 @@ frontend fe_http
http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request add-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
# be_auth_request is used to make HAProxy do the TLS termination since the Lua script
@ -43,12 +42,9 @@ frontend fe_http
use_backend be_authelia if host-authelia-portal api-path
use_backend fe_authelia if host-authelia-portal !api-path
use_backend be_httpbin if protected-frontends is_headers
use_backend be_protected if protected-frontends
use_backend be_httpbin if protected-frontends headers-path
use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
backend be_authelia
server authelia-backend authelia-backend:9091 ssl verify none
use_backend be_protected if protected-frontends
backend be_auth_request
mode http
@ -59,19 +55,22 @@ listen be_auth_request_proxy
bind 127.0.0.1:8085
server authelia-backend authelia-backend:9091 ssl verify none
backend be_authelia
server authelia-backend authelia-backend:9091 ssl verify none
backend fe_authelia
server authelia-frontend authelia-frontend:3000
backend be_mail
server smtp-backend smtp:1080
backend be_protected
server nginx-backend nginx-backend:80
backend be_httpbin
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
server httpbin-backend httpbin:8000
server httpbin-backend httpbin:8000
backend be_mail
server smtp-backend smtp:1080
backend be_protected
server nginx-backend nginx-backend:80