[DOCS] Clean HAProxy examples (#1338)

Remove headers that are not required and fix a typo.
Amir Zarrinkafsh 2020-09-23 17:29:46 +10:00 committed by GitHub
parent 5b98b4d090
commit 607f829431
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 18 deletions


@ -62,7 +62,7 @@ backend upon successful authentication, for example:
### Secure Authelia with TLS ### Secure Authelia with TLS
There is a [known limitation](https://github.com/TimWolla/haproxy-auth-request/issues/12) with haproxy-auth-request with regard to TLS-enabled backends. There is a [known limitation](https://github.com/TimWolla/haproxy-auth-request/issues/12) with haproxy-auth-request with regard to TLS-enabled backends.
If you want to run Authelia TLS enabled the recommended workaround utilises HAProxy itself to proxy the requests. If you want to run Authelia TLS enabled the recommended workaround utilises HAProxy itself to proxy the requests.
This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexbility with regard This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexibility with regard
to TLS verification as well as header rewriting. An example of this configuration is also be provided below. to TLS verification as well as header rewriting. An example of this configuration is also be provided below.
#### Configuration #### Configuration
@ -98,7 +98,6 @@ frontend fe_http
http-request set-header X-Real-IP %[src] http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto %[var(req.scheme)] http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)] http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request add-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query] http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
# Protect endpoints with haproxy-auth-request and Authelia # Protect endpoints with haproxy-auth-request and Authelia
@ -155,7 +154,6 @@ frontend fe_http
http-request set-header X-Real-IP %[src] http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto %[var(req.scheme)] http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)] http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request add-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query] http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
# Protect endpoints with haproxy-auth-request and Authelia # Protect endpoints with haproxy-auth-request and Authelia


@ -20,10 +20,10 @@ frontend fe_api
frontend fe_http frontend fe_http
bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
acl host-authelia-portal hdr(host) -i login.example.com:8080
acl api-path path_beg -i /api acl api-path path_beg -i /api
acl headers-path path -i -m end /headers
acl host-authelia-portal hdr(host) -i login.example.com:8080
acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
acl is_headers path -i -m end /headers
http-request set-var(req.scheme) str(https) if { ssl_fc } http-request set-var(req.scheme) str(https) if { ssl_fc }
http-request set-var(req.scheme) str(http) if !{ ssl_fc } http-request set-var(req.scheme) str(http) if !{ ssl_fc }
@ -32,7 +32,6 @@ frontend fe_http
http-request set-header X-Real-IP %[src] http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto %[var(req.scheme)] http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)] http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request add-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query] http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
# be_auth_request is used to make HAProxy do the TLS termination since the Lua script # be_auth_request is used to make HAProxy do the TLS termination since the Lua script
@ -43,12 +42,9 @@ frontend fe_http
use_backend be_authelia if host-authelia-portal api-path use_backend be_authelia if host-authelia-portal api-path
use_backend fe_authelia if host-authelia-portal !api-path use_backend fe_authelia if host-authelia-portal !api-path
use_backend be_httpbin if protected-frontends is_headers use_backend be_httpbin if protected-frontends headers-path
use_backend be_protected if protected-frontends
use_backend be_mail if { hdr(host) -i mail.example.com:8080 } use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
use_backend be_protected if protected-frontends
backend be_authelia
server authelia-backend authelia-backend:9091 ssl verify none
backend be_auth_request backend be_auth_request
mode http mode http
@ -59,19 +55,22 @@ listen be_auth_request_proxy
bind 127.0.0.1:8085 bind 127.0.0.1:8085
server authelia-backend authelia-backend:9091 ssl verify none server authelia-backend authelia-backend:9091 ssl verify none
backend be_authelia
server authelia-backend authelia-backend:9091 ssl verify none
backend fe_authelia backend fe_authelia
server authelia-frontend authelia-frontend:3000 server authelia-frontend authelia-frontend:3000
backend be_mail
server smtp-backend smtp:1080
backend be_protected
server nginx-backend nginx-backend:80
backend be_httpbin backend be_httpbin
acl remote_user_exist var(req.auth_response_header.remote_user) -m found acl remote_user_exist var(req.auth_response_header.remote_user) -m found
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
server httpbin-backend httpbin:8000 server httpbin-backend httpbin:8000
backend be_mail
server smtp-backend smtp:1080
backend be_protected
server nginx-backend nginx-backend:80
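Review bot: The relocated `backend be_authelia` block keeps `server authelia-backend authelia-backend:9091 ssl verify none`, and the same option sits on the `be_auth_request_proxy` server line, so HAProxy never validates the certificate of the Authelia backend it forwards credentials and auth-request calls to; nothing in the example says this is deliberate. Since this file is the reference example that the HAProxy docs page reproduces, a one-line comment above each of those server lines would stop it being copied as-is: `# 'verify none' only suits this self-signed compose example; point 'ssl verify required ca-file <CA_BUNDLE_PATH>' at the real CA in production`. The `use_backend be_protected if protected-frontends` rule now appears to sit ahead of the `be_mail` rule; as use_backend rules are first-match, this is only safe because the `protected-frontends` regex cannot match `mail.example.com`, which is worth a short comment on the rule (I am inferring the new ordering from the rendered page, so confirm which side each line is on). Note that the regex is anchored at the start only, so a host such as `admin.example.com.other` would also be classed as protected; that errs towards requiring authentication rather than bypassing it, but an explicit `$` anchor would make the intent clear.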