docs: fix haproxy examples for /api/verify?auth=basic (#1835)

The previous examples did not correctly pass through the 401 status and the WWW-Authenticate header when the user was unauthenticated, so no basic auth login prompt was shown.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Amir Zarrinkafsh 2021-03-18 19:56:08 +11:00 committed by GitHub
parent 8ff018c82f
commit 66b010cb59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -98,6 +98,9 @@ frontend fe_http
acl host-nextcloud hdr(host) -i nextcloud.example.com acl host-nextcloud hdr(host) -i nextcloud.example.com
acl host-heimdall hdr(host) -i heimdall.example.com acl host-heimdall hdr(host) -i heimdall.example.com
# This is required if utilising basic auth with /api/verify?auth=basic
http-request set-var(txn.host) hdr(Host)
http-request set-var(req.scheme) str(https) if { ssl_fc } http-request set-var(req.scheme) str(https) if { ssl_fc }
http-request set-var(req.scheme) str(http) if !{ ssl_fc } http-request set-var(req.scheme) str(http) if !{ ssl_fc }
http-request set-var(req.questionmark) str(?) if { query -m found } http-request set-var(req.questionmark) str(?) if { query -m found }
@ -126,10 +129,15 @@ frontend fe_http
# Force `Authorization` header via query arg to /api/verify # Force `Authorization` header via query arg to /api/verify
http-request lua.auth-request be_authelia /api/verify?auth=basic if protected-frontends-basic http-request lua.auth-request be_authelia /api/verify?auth=basic if protected-frontends-basic
# Redirect protected-frontends to Authelia if not authenticated
http-request redirect location https://auth.example.com/?rd=%[var(req.scheme)]://%[base]%[var(req.questionmark)]%[query] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
# Send 401 and pass `WWW-Authenticate` header on protected-frontend-basic if not pre-authenticated
http-request set-var(txn.auth) var(req.auth_response_header.www_authenticate) if protected-frontends-basic !{ var(txn.auth_response_successful) -m bool }
http-response deny deny_status 401 hdr WWW-Authenticate %[var(txn.auth)] if { var(txn.host) -m reg -i ^(?i)(heimdall)\.example\.com } !{ var(txn.auth_response_successful) -m bool }
# Authelia backend route # Authelia backend route
use_backend be_authelia if host-authelia use_backend be_authelia if host-authelia
# Redirect protected-frontends to Authelia if not authenticated
http-request redirect location https://auth.example.com/?rd=%[var(req.scheme)]://%[base]%[var(req.questionmark)]%[query] if (protected-frontends || protected-frontends-basic) !{ var(txn.auth_response_successful) -m bool }
# Service backend route(s) # Service backend route(s)
use_backend be_nextcloud if host-nextcloud use_backend be_nextcloud if host-nextcloud
use_backend be_heimdall if host-heimdall use_backend be_heimdall if host-heimdall
@ -189,6 +197,9 @@ frontend fe_http
acl host-nextcloud hdr(host) -i nextcloud.example.com acl host-nextcloud hdr(host) -i nextcloud.example.com
acl host-heimdall hdr(host) -i heimdall.example.com acl host-heimdall hdr(host) -i heimdall.example.com
# This is required if utilising basic auth with /api/verify?auth=basic
http-request set-var(txn.host) hdr(Host)
http-request set-var(req.scheme) str(https) if { ssl_fc } http-request set-var(req.scheme) str(https) if { ssl_fc }
http-request set-var(req.scheme) str(http) if !{ ssl_fc } http-request set-var(req.scheme) str(http) if !{ ssl_fc }
http-request set-var(req.questionmark) str(?) if { query -m found } http-request set-var(req.questionmark) str(?) if { query -m found }
@ -214,12 +225,17 @@ frontend fe_http
# Protect endpoints with haproxy-auth-request and Authelia # Protect endpoints with haproxy-auth-request and Authelia
http-request lua.auth-request be_authelia_proxy /api/verify if protected-frontends http-request lua.auth-request be_authelia_proxy /api/verify if protected-frontends
# Force `Authorization` header via query arg to /api/verify # Force `Authorization` header via query arg to /api/verify
http-request lua.auth-request be_authelia /api/verify?auth=basic if protected-frontends-basic http-request lua.auth-request be_authelia_proxy /api/verify?auth=basic if protected-frontends-basic
# Redirect protected-frontends to Authelia if not authenticated
http-request redirect location https://auth.example.com/?rd=%[var(req.scheme)]://%[base]%[var(req.questionmark)]%[query] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
# Send 401 and pass `WWW-Authenticate` header on protected-frontend-basic if not pre-authenticated
http-request set-var(txn.auth) var(req.auth_response_header.www_authenticate) if protected-frontends-basic !{ var(txn.auth_response_successful) -m bool }
http-response deny deny_status 401 hdr WWW-Authenticate %[var(txn.auth)] if { var(txn.host) -m reg -i ^(?i)(heimdall)\.example\.com } !{ var(txn.auth_response_successful) -m bool }
# Authelia backend route # Authelia backend route
use_backend be_authelia if host-authelia use_backend be_authelia if host-authelia
# Redirect protected-frontends to Authelia if not authenticated
http-request redirect location https://auth.example.com/?rd=%[var(req.scheme)]://%[base]%[var(req.questionmark)]%[query] if (protected-frontends || protected-frontends-basic) !{ var(txn.auth_response_successful) -m bool }
# Service backend route(s) # Service backend route(s)
use_backend be_nextcloud if host-nextcloud use_backend be_nextcloud if host-nextcloud
use_backend be_heimdall if host-heimdall use_backend be_heimdall if host-heimdall
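Review bot: The 401 for basic-auth hosts is issued by `http-response deny` (the rule right after the `txn.auth` set-var), which is only evaluated once a backend has answered, so an unauthenticated request to heimdall.example.com appears to still be forwarded to `be_heimdall` and only its response is withheld; that matters for any request with side effects. The split view no longer shows which of the two redirect lines is kept, but if the new side is the one limited to `protected-frontends`, nothing stops the basic-auth request in the request phase. Consider denying there instead, e.g. `http-request deny deny_status 401 hdr WWW-Authenticate %[var(req.auth_response_header.www_authenticate)] if protected-frontends-basic !{ var(txn.auth_response_successful) -m bool }`, after confirming that the HAProxy version in use accepts `hdr` on `http-request deny`. The deny condition also repeats the host as a regex (`^(?i)(heimdall)\.example\.com`, with no end anchor) instead of reusing the `protected-frontends-basic` ACL, so a host added to that ACL but not to the regex would get neither a redirect nor a 401; reusing the ACL, or a comment such as `# keep this host list in sync with protected-frontends-basic`, would close that gap. The same lines occur in both examples on the page.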