Create a suite for HAProxy

cmd/authelia-scripts/cmd_bootstrap.go

@@ -37,6 +37,9 @@ var hostEntries = []HostEntry{
 	// For Traefik suite
 	HostEntry{Domain: "traefik.example.com", IP: "192.168.240.100"},
 
+	// For HAProxy suite
+	HostEntry{Domain: "haproxy.example.com", IP: "192.168.240.100"},
+
 	// For testing network ACLs
 	HostEntry{Domain: "proxy-client1.example.com", IP: "192.168.240.201"},
 	HostEntry{Domain: "proxy-client2.example.com", IP: "192.168.240.202"},

example/compose/haproxy/Dockerfile

@@ -0,0 +1,11 @@
+FROM haproxy:2.1-alpine
+
+RUN \
+apk add --no-cache \
+  curl \
+  lua5.3-socket \
+  openssl && \
+curl -Lfs -o /usr/local/etc/haproxy/auth-request.lua "https://raw.githubusercontent.com/TimWolla/haproxy-auth-request/master/auth-request.lua" && \
+sed -i 's/HEAD/GET/g' /usr/local/etc/haproxy/auth-request.lua && \
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=AU/ST=Victoria/L=Melbourne/O=Authelia/CN=*.example.com" -keyout haproxy.key -out haproxy.crt && \
+cat haproxy.key haproxy.crt > /usr/local/etc/haproxy/haproxy.pem

example/compose/haproxy/docker-compose.yml

@@ -0,0 +1,10 @@
+version: '3'
+services:
+  haproxy:
+    build: ./example/compose/haproxy/
+    volumes:
+      - ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
+    networks:
+      authelianet:
+        # Set the IP to be able to query on port 8080
+        ipv4_address: 192.168.240.100

example/compose/haproxy/haproxy.cfg

@@ -0,0 +1,54 @@
+global
+    lua-load /usr/local/etc/haproxy/auth-request.lua
+    log stdout format raw local0 debug
+
+defaults
+    mode http
+    log global
+    option httplog
+    option forwardfor
+
+frontend fe_api
+    bind *:8081 ssl crt /usr/local/etc/haproxy/haproxy.pem
+
+    stats enable
+    stats uri /api
+    stats refresh 10s
+    stats admin if LOCALHOST
+
+frontend fe_http
+    bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
+
+    acl host-authelia-portal hdr(host) -i login.example.com:8080
+    acl api-path path_beg -i /api
+    acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
+
+    http-request set-var(req.scheme) str(https) if { ssl_fc }
+    http-request set-var(req.scheme) str(http) if !{ ssl_fc }
+    http-request set-var(req.questionmark) str(?) if { query -m found }
+
+    http-request set-header X-Real-IP %[src]
+    http-request set-header X-Forwarded-Proto %[var(req.scheme)]
+    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+    http-request add-header X-Forwarded-Port %[dst_port]
+    http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
+
+    http-request lua.auth-request be_authelia /api/verify if protected-frontends
+
+    use_backend be_authelia if host-authelia-portal api-path
+    use_backend fe_authelia if host-authelia-portal !api-path
+    use_backend be_authelia if protected-frontends !{ var(txn.auth_response_successful) -m bool }
+    use_backend be_protected if protected-frontends
+    use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
+
+backend be_authelia
+    server authelia-backend authelia-backend:9091
+
+backend fe_authelia
+    server authelia-frontend authelia-frontend:3000
+
+backend be_mail
+    server smtp-backend smtp:1080
+
+backend be_protected
+    server nginx-backend nginx-backend:80

example/compose/traefik/docker-compose.yml

@@ -10,5 +10,5 @@ services:
       - traefik.port=8081
     networks:
       authelianet:
-        # Set the IP to be able to query on port 443
+        # Set the IP to be able to query on port 8080
         ipv4_address: 192.168.240.100

internal/suites/HAProxy/configuration.yml

@@ -0,0 +1,41 @@
+###############################################################
+#                Authelia minimal configuration               #
+###############################################################
+
+port: 9091
+
+logs_level: debug
+
+jwt_secret: unsecure_secret
+
+authentication_backend:
+  file:
+    path: /var/lib/authelia/users.yml
+
+session:
+  secret: unsecure_session_secret
+  domain: example.com
+  expiration: 3600 # 1 hour
+  inactivity: 300 # 5 minutes
+
+storage:
+  local:
+    path: /var/lib/authelia/db.sqlite
+
+access_control:
+  default_policy: bypass
+  rules:
+    - domain: "public.example.com"
+      policy: bypass
+    - domain: "admin.example.com"
+      policy: two_factor
+    - domain: "secure.example.com"
+      policy: two_factor
+    - domain: "singlefactor.example.com"
+      policy: one_factor
+
+notifier:
+  smtp:
+    host: smtp
+    port: 1025
+    sender: admin@example.com

internal/suites/HAProxy/docker-compose.yml

@@ -0,0 +1,6 @@
+version: "3"
+services:
+  authelia-backend:
+    volumes:
+      - "./internal/suites/HAProxy/configuration.yml:/etc/authelia/configuration.yml:ro"
+      - "./internal/suites/HAProxy/users.yml:/var/lib/authelia/users.yml"

internal/suites/HAProxy/users.yml

@@ -0,0 +1,29 @@
+###############################################################
+#                         Users Database                      #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+  john:
+    password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+    email: john.doe@authelia.com
+    groups:
+      - admins
+      - dev
+
+  harry:
+    password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+    email: harry.potter@authelia.com
+    groups: []
+
+  bob:
+    password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+    email: bob.dylan@authelia.com
+    groups:
+      - dev
+
+  james:
+    password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+    email: james.dean@authelia.com

internal/suites/suite_haproxy.go

@@ -0,0 +1,59 @@
+package suites
+
+import (
+	"fmt"
+	"time"
+)
+
+var haproxySuiteName = "HAProxy"
+
+func init() {
+	dockerEnvironment := NewDockerEnvironment([]string{
+		"docker-compose.yml",
+		"internal/suites/HAProxy/docker-compose.yml",
+		"example/compose/authelia/docker-compose.backend.yml",
+		"example/compose/authelia/docker-compose.frontend.yml",
+		"example/compose/nginx/backend/docker-compose.yml",
+		"example/compose/haproxy/docker-compose.yml",
+		"example/compose/smtp/docker-compose.yml",
+	})
+
+	setup := func(suitePath string) error {
+		err := dockerEnvironment.Up()
+
+		if err != nil {
+			return err
+		}
+
+		return waitUntilAutheliaIsReady(dockerEnvironment)
+	}
+
+	onSetupTimeout := func() error {
+		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
+		if err != nil {
+			return err
+		}
+		fmt.Println(backendLogs)
+
+		frontendLogs, err := dockerEnvironment.Logs("authelia-frontend", nil)
+		if err != nil {
+			return err
+		}
+		fmt.Println(frontendLogs)
+		return nil
+	}
+
+	teardown := func(suitePath string) error {
+		err := dockerEnvironment.Down()
+		return err
+	}
+
+	GlobalRegistry.Register(haproxySuiteName, Suite{
+		SetUp:           setup,
+		SetUpTimeout:    5 * time.Minute,
+		OnSetupTimeout:  onSetupTimeout,
+		TestTimeout:     2 * time.Minute,
+		TearDown:        teardown,
+		TearDownTimeout: 2 * time.Minute,
+	})
+}

internal/suites/suite_haproxy_test.go

@@ -0,0 +1,27 @@
+package suites
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+)
+
+type HAProxySuite struct {
+	*SeleniumSuite
+}
+
+func NewHAProxySuite() *HAProxySuite {
+	return &HAProxySuite{SeleniumSuite: new(SeleniumSuite)}
+}
+
+func (s *HAProxySuite) TestOneFactorScenario() {
+	suite.Run(s.T(), NewOneFactorScenario())
+}
+
+func (s *HAProxySuite) TestTwoFactorScenario() {
+	suite.Run(s.T(), NewTwoFactorScenario())
+}
+
+func TestHAProxySuite(t *testing.T) {
+	suite.Run(t, NewHAProxySuite())
+}