diff --git a/docs/deployment/supported-proxies/haproxy.md b/docs/deployment/supported-proxies/haproxy.md
index 71ea3745..e1fc03b0 100644
--- a/docs/deployment/supported-proxies/haproxy.md
+++ b/docs/deployment/supported-proxies/haproxy.md
@@ -62,7 +62,7 @@ backend upon successful authentication, for example:
 ### Secure Authelia with TLS
 
 There is a [known limitation](https://github.com/TimWolla/haproxy-auth-request/issues/12) with haproxy-auth-request with regard to TLS-enabled backends. If you want to run Authelia TLS enabled the recommended workaround utilises HAProxy itself to proxy the requests.
-This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexbility with regard
+This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexibility with regard
 to TLS verification as well as header rewriting. An example of this configuration is also be provided below.
 
 #### Configuration
@@ -98,7 +98,6 @@ frontend fe_http
     http-request set-header X-Real-IP %[src]
     http-request set-header X-Forwarded-Proto %[var(req.scheme)]
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-    http-request add-header X-Forwarded-Port %[dst_port]
     http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
 
     # Protect endpoints with haproxy-auth-request and Authelia
@@ -155,7 +154,6 @@ frontend fe_http
     http-request set-header X-Real-IP %[src]
     http-request set-header X-Forwarded-Proto %[var(req.scheme)]
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-    http-request add-header X-Forwarded-Port %[dst_port]
     http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
 
     # Protect endpoints with haproxy-auth-request and Authelia
diff --git a/internal/suites/example/compose/haproxy/haproxy.cfg b/internal/suites/example/compose/haproxy/haproxy.cfg
index f05bce6c..d810e56d 100644
--- a/internal/suites/example/compose/haproxy/haproxy.cfg
+++ b/internal/suites/example/compose/haproxy/haproxy.cfg
@@ -20,10 +20,10 @@ frontend fe_api
 
 frontend fe_http
     bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
-    acl host-authelia-portal hdr(host) -i login.example.com:8080
     acl api-path path_beg -i /api
+    acl headers-path path -i -m end /headers
+    acl host-authelia-portal hdr(host) -i login.example.com:8080
     acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
-    acl is_headers path -i -m end /headers
 
     http-request set-var(req.scheme) str(https) if { ssl_fc }
     http-request set-var(req.scheme) str(http) if !{ ssl_fc }
@@ -32,7 +32,6 @@ frontend fe_http
     http-request set-header X-Real-IP %[src]
     http-request set-header X-Forwarded-Proto %[var(req.scheme)]
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-    http-request add-header X-Forwarded-Port %[dst_port]
     http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
 
     # be_auth_request is used to make HAProxy do the TLS termination since the Lua script
@@ -43,12 +42,9 @@ frontend fe_http
 
     use_backend be_authelia if host-authelia-portal api-path
     use_backend fe_authelia if host-authelia-portal !api-path
-    use_backend be_httpbin if protected-frontends is_headers
-    use_backend be_protected if protected-frontends
+    use_backend be_httpbin if protected-frontends headers-path
     use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
-
-backend be_authelia
-    server authelia-backend authelia-backend:9091 ssl verify none
+    use_backend be_protected if protected-frontends
 
 backend be_auth_request
     mode http
@@ -59,19 +55,22 @@ listen be_auth_request_proxy
     bind 127.0.0.1:8085
     server authelia-backend authelia-backend:9091 ssl verify none
 
+backend be_authelia
+    server authelia-backend authelia-backend:9091 ssl verify none
+
 backend fe_authelia
     server authelia-frontend authelia-frontend:3000
 
-backend be_mail
-    server smtp-backend smtp:1080
-
-backend be_protected
-    server nginx-backend nginx-backend:80
-
 backend be_httpbin
     acl remote_user_exist var(req.auth_response_header.remote_user) -m found
     acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
     http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
     http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
-    server httpbin-backend httpbin:8000
\ No newline at end of file
+    server httpbin-backend httpbin:8000
+
+backend be_mail
+    server smtp-backend smtp:1080
+
+backend be_protected
+    server nginx-backend nginx-backend:80
\ No newline at end of file
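Review bot: The relocated `backend be_authelia` keeps `server authelia-backend authelia-backend:9091 ssl verify none` (as does the `be_auth_request_proxy` listener it now sits under), which disables certificate validation on the hop that carries the session cookie and the authorization decision headers, and nothing in the file marks this as a test-suite-only choice. Because this suite config mirrors the two-hop TLS layout the docs hunk in the same commit describes, it is likely to be copied as a template; a comment on both server lines would stop that, e.g. `# suite only: self-signed cert -- in production use 'ssl verify required ca-file <ca.pem>'`. Separately, `be_httpbin` sets Remote-User/Remote-Groups only when the auth-response variable is present, so a client-supplied header of the same name would pass through on requests where Authelia returns none unless `fe_http` strips it first; that frontend is outside this hunk, so it is worth confirming it has `http-request del-header Remote-User` and `http-request del-header Remote-Groups` before the auth request.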