Create a suite for HAProxy
This commit is contained in:
parent
c60904add7
commit
7dc4ac5cd9
|
@ -37,6 +37,9 @@ var hostEntries = []HostEntry{
|
||||||
// For Traefik suite
|
// For Traefik suite
|
||||||
HostEntry{Domain: "traefik.example.com", IP: "192.168.240.100"},
|
HostEntry{Domain: "traefik.example.com", IP: "192.168.240.100"},
|
||||||
|
|
||||||
|
// For HAProxy suite
|
||||||
|
HostEntry{Domain: "haproxy.example.com", IP: "192.168.240.100"},
|
||||||
|
|
||||||
// For testing network ACLs
|
// For testing network ACLs
|
||||||
HostEntry{Domain: "proxy-client1.example.com", IP: "192.168.240.201"},
|
HostEntry{Domain: "proxy-client1.example.com", IP: "192.168.240.201"},
|
||||||
HostEntry{Domain: "proxy-client2.example.com", IP: "192.168.240.202"},
|
HostEntry{Domain: "proxy-client2.example.com", IP: "192.168.240.202"},
|
||||||
|
|
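--- /dev/null
+++ b/example/compose/haproxy/Dockerfile
@@ -0,0 +1,11 @@
+FROM haproxy:2.1-alpine
+
+RUN \
+apk add --no-cache \
+curl \
+lua5.3-socket \
+openssl && \
+curl -Lfs -o /usr/local/etc/haproxy/auth-request.lua "https://raw.githubusercontent.com/TimWolla/haproxy-auth-request/master/auth-request.lua" && \
+sed -i 's/HEAD/GET/g' /usr/local/etc/haproxy/auth-request.lua && \
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=AU/ST=Victoria/L=Melbourne/O=Authelia/CN=*.example.com" -keyout haproxy.key -out haproxy.crt && \
+cat haproxy.key haproxy.crt > /usr/local/etc/haproxy/haproxy.pem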
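Review bot: The `curl -Lfs -o /usr/local/etc/haproxy/auth-request.lua ".../haproxy-auth-request/master/auth-request.lua"` step fetches the Lua script from a moving branch with no pin and no integrity check, so every image build pulls whatever `master` holds at that moment and the suite's behaviour can change without any change to this repository. Pin the URL to a tag or commit of that repository and verify the download before using it, e.g. `echo "<expected-sha256 placeholder>  /usr/local/etc/haproxy/auth-request.lua" | sha256sum -c` ahead of the `sed` line. `sed -i 's/HEAD/GET/g'` also rewrites every occurrence of HEAD in the script, not only the request-method string; a comment explaining why the verify call must be a GET would help the next reader judge whether the global replace is still safe after a script update.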
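--- /dev/null
+++ b/example/compose/haproxy/docker-compose.yml
@@ -0,0 +1,10 @@
+version: '3'
+services:
+haproxy:
+build: ./example/compose/haproxy/
+volumes:
+- ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
+networks:
+authelianet:
+# Set the IP to be able to query on port 8080
+ipv4_address: 192.168.240.100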
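--- /dev/null
+++ b/example/compose/haproxy/haproxy.cfg
@@ -0,0 +1,54 @@
+global
+lua-load /usr/local/etc/haproxy/auth-request.lua
+log stdout format raw local0 debug
+
+defaults
+mode http
+log global
+option httplog
+option forwardfor
+
+frontend fe_api
+bind *:8081 ssl crt /usr/local/etc/haproxy/haproxy.pem
+
+stats enable
+stats uri /api
+stats refresh 10s
+stats admin if LOCALHOST
+
+frontend fe_http
+bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
+
+acl host-authelia-portal hdr(host) -i login.example.com:8080
+acl api-path path_beg -i /api
+acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
+
+http-request set-var(req.scheme) str(https) if { ssl_fc }
+http-request set-var(req.scheme) str(http) if !{ ssl_fc }
+http-request set-var(req.questionmark) str(?) if { query -m found }
+
+http-request set-header X-Real-IP %[src]
+http-request set-header X-Forwarded-Proto %[var(req.scheme)]
+http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+http-request add-header X-Forwarded-Port %[dst_port]
+http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
+
+http-request lua.auth-request be_authelia /api/verify if protected-frontends
+
+use_backend be_authelia if host-authelia-portal api-path
+use_backend fe_authelia if host-authelia-portal !api-path
+use_backend be_authelia if protected-frontends !{ var(txn.auth_response_successful) -m bool }
+use_backend be_protected if protected-frontends
+use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
+
+backend be_authelia
+server authelia-backend authelia-backend:9091
+
+backend fe_authelia
+server authelia-frontend authelia-frontend:3000
+
+backend be_mail
+server smtp-backend smtp:1080
+
+backend be_protected
+server nginx-backend nginx-backend:80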
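Review bot: `http-request add-header X-Forwarded-Port %[dst_port]` in fe_http appends rather than replaces, so a client that sends its own X-Forwarded-Port reaches Authelia with two values, while the neighbouring X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri lines all use set-header and overwrite whatever the client supplied; change it to `http-request set-header X-Forwarded-Port %[dst_port]`. `option forwardfor` in defaults likewise appends the source address to any inbound X-Forwarded-For, so if the network ACL tests behind the `proxy-client1`/`proxy-client2` host entries depend on that header, an `http-request del-header X-Forwarded-For` in fe_http before forwarding would make the value proxy-controlled — verify against how Authelia picks the client address. `stats admin if LOCALHOST` on fe_api relies on HAProxy's predefined LOCALHOST ACL and is bound on all interfaces; a comment marking fe_api as a test-suite-only listener would make that intent explicit.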
|
@ -10,5 +10,5 @@ services:
|
||||||
- traefik.port=8081
|
- traefik.port=8081
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
# Set the IP to be able to query on port 443
|
# Set the IP to be able to query on port 8080
|
||||||
ipv4_address: 192.168.240.100
|
ipv4_address: 192.168.240.100
|
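--- /dev/null
+++ b/internal/suites/HAProxy/configuration.yml
@@ -0,0 +1,41 @@
+###############################################################
+# Authelia minimal configuration #
+###############################################################
+
+port: 9091
+
+logs_level: debug
+
+jwt_secret: unsecure_secret
+
+authentication_backend:
+file:
+path: /var/lib/authelia/users.yml
+
+session:
+secret: unsecure_session_secret
+domain: example.com
+expiration: 3600 # 1 hour
+inactivity: 300 # 5 minutes
+
+storage:
+local:
+path: /var/lib/authelia/db.sqlite
+
+access_control:
+default_policy: bypass
+rules:
+- domain: "public.example.com"
+policy: bypass
+- domain: "admin.example.com"
+policy: two_factor
+- domain: "secure.example.com"
+policy: two_factor
+- domain: "singlefactor.example.com"
+policy: one_factor
+
+notifier:
+smtp:
+host: smtp
+port: 1025
+sender: admin@example.com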
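Review bot: `default_policy: bypass` passes any host without a rule through unauthenticated, and the `protected-frontends` ACL in example/compose/haproxy/haproxy.cfg from this same commit also matches `home.example.com`, which has no entry under rules here, so requests to that host are forwarded to be_protected without a login. If that is the intended fixture for the scenarios this suite runs, a comment on the default_policy line saying so would stop it reading as a gap; otherwise add `- domain: "home.example.com"` with the policy the scenarios expect. I cannot see the other suites' configuration files, so this may simply mirror them.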
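--- /dev/null
+++ b/internal/suites/HAProxy/docker-compose.yml
@@ -0,0 +1,6 @@
+version: "3"
+services:
+authelia-backend:
+volumes:
+- "./internal/suites/HAProxy/configuration.yml:/etc/authelia/configuration.yml:ro"
+- "./internal/suites/HAProxy/users.yml:/var/lib/authelia/users.yml"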
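Review bot: The users.yml bind mount on the last line is read-write while configuration.yml directly above it is mounted `:ro`; if no scenario in this suite changes a password, mounting the users file `:ro` as well keeps a test run from mutating the checked-in fixture. If a password-reset flow does need to write to it, a short comment on that line explaining the asymmetry would save the next reader from "fixing" it.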
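--- /dev/null
+++ b/internal/suites/HAProxy/users.yml
@@ -0,0 +1,29 @@
+###############################################################
+# Users Database #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+john:
+password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+email: john.doe@authelia.com
+groups:
+- admins
+- dev
+
+harry:
+password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+email: harry.potter@authelia.com
+groups: []
+
+bob:
+password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+email: bob.dylan@authelia.com
+groups:
+- dev
+
+james:
+password: "{CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/"
+email: james.dean@authelia.com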
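Review bot: `james:` declares `password` and `email` but no `groups` key, whereas john and bob list groups and harry declares `groups: []`; if the file backend treats a missing key as an empty list this is harmless, but for a consistent fixture add `groups: []` under james. All four users also carry one identical hash, meaning every account has the same password; a comment above `users:` stating that these are deliberately identical test accounts would tell the next reader the repetition is not a paste error.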
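--- /dev/null
+++ b/internal/suites/suite_haproxy.go
@@ -0,0 +1,59 @@
+package suites
+
+import (
+"fmt"
+"time"
+)
+
+var haproxySuiteName = "HAProxy"
+
+func init() {
+dockerEnvironment := NewDockerEnvironment([]string{
+"docker-compose.yml",
+"internal/suites/HAProxy/docker-compose.yml",
+"example/compose/authelia/docker-compose.backend.yml",
+"example/compose/authelia/docker-compose.frontend.yml",
+"example/compose/nginx/backend/docker-compose.yml",
+"example/compose/haproxy/docker-compose.yml",
+"example/compose/smtp/docker-compose.yml",
+})
+
+setup := func(suitePath string) error {
+err := dockerEnvironment.Up()
+
+if err != nil {
+return err
+}
+
+return waitUntilAutheliaIsReady(dockerEnvironment)
+}
+
+onSetupTimeout := func() error {
+backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
+if err != nil {
+return err
+}
+fmt.Println(backendLogs)
+
+frontendLogs, err := dockerEnvironment.Logs("authelia-frontend", nil)
+if err != nil {
+return err
+}
+fmt.Println(frontendLogs)
+return nil
+}
+
+teardown := func(suitePath string) error {
+err := dockerEnvironment.Down()
+return err
+}
+
+GlobalRegistry.Register(haproxySuiteName, Suite{
+SetUp: setup,
+SetUpTimeout: 5 * time.Minute,
+OnSetupTimeout: onSetupTimeout,
+TestTimeout: 2 * time.Minute,
+TearDown: teardown,
+TearDownTimeout: 2 * time.Minute,
+})
+}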
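Review bot: onSetupTimeout dumps the authelia-backend and authelia-frontend logs but never those of the `haproxy` service this suite adds (the service name comes from example/compose/haproxy/docker-compose.yml in this commit), so a timeout caused by HAProxy failing to start — a rejected haproxy.cfg or a missing auth-request.lua — leaves nothing in the CI output to diagnose it; extend the closure with a third `dockerEnvironment.Logs("haproxy", nil)` dump as below. Because each Logs error returns immediately, a failure on the first call also hides the remaining logs; on a timeout path it is more useful to print whatever was retrieved and return the collected errors. A one-line comment on haproxySuiteName, such as `// haproxySuiteName is the registry key for the HAProxy integration suite.`, would also help, and `teardown` can simply `return dockerEnvironment.Down()`.
```go
onSetupTimeout := func() error {
	// … unchanged: authelia-backend and authelia-frontend log dumps …

	// HAProxy is the component this suite exercises; its logs are the
	// first place to look when Authelia never becomes reachable.
	haproxyLogs, err := dockerEnvironment.Logs("haproxy", nil)
	if err != nil {
		return err
	}
	fmt.Println(haproxyLogs)
	return nil
}
```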
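--- /dev/null
+++ b/internal/suites/suite_haproxy_test.go
@@ -0,0 +1,27 @@
+package suites
+
+import (
+"testing"
+
+"github.com/stretchr/testify/suite"
+)
+
+type HAProxySuite struct {
+*SeleniumSuite
+}
+
+func NewHAProxySuite() *HAProxySuite {
+return &HAProxySuite{SeleniumSuite: new(SeleniumSuite)}
+}
+
+func (s *HAProxySuite) TestOneFactorScenario() {
+suite.Run(s.T(), NewOneFactorScenario())
+}
+
+func (s *HAProxySuite) TestTwoFactorScenario() {
+suite.Run(s.T(), NewTwoFactorScenario())
+}
+
+func TestHAProxySuite(t *testing.T) {
+suite.Run(t, NewHAProxySuite())
+}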
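Review bot: HAProxySuite and NewHAProxySuite are exported without doc comments; `// HAProxySuite runs the shared Selenium scenarios against the HAProxy-fronted deployment.` and `// NewHAProxySuite returns an HAProxySuite backed by a fresh SeleniumSuite.` would satisfy the usual Go convention and tell a reader which proxy this suite targets without opening suite_haproxy.go. The suite runs only the one-factor and two-factor scenarios; if the HAProxy-specific routing added in haproxy.cfg (for example the `home` and `public` hosts in the protected-frontends ACL) is meant to be exercised here, a TODO naming the scenarios still to be wired up would make the gap visible.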