mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
4dce8f9496
* adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
91 lines
3.8 KiB
INI
91 lines
3.8 KiB
INI
global
|
|
lua-prepend-path /usr/local/etc/haproxy/?/http.lua
|
|
lua-load /usr/local/etc/haproxy/auth-request.lua
|
|
log stdout format raw local0 debug
|
|
|
|
defaults
|
|
mode http
|
|
log global
|
|
option httplog
|
|
option forwardfor
|
|
|
|
frontend fe_api
|
|
bind *:8081 ssl crt /usr/local/etc/haproxy/haproxy.pem
|
|
|
|
stats enable
|
|
stats uri /api
|
|
stats refresh 10s
|
|
stats admin if LOCALHOST
|
|
|
|
frontend fe_http
|
|
bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
|
|
|
|
acl api-path path_beg -i /api
|
|
acl headers-path path -i -m end /headers
|
|
acl host-authelia-portal hdr(host) -i login.example.com:8080
|
|
acl protected-frontends hdr(host) -m reg -i ^(?i)(admin|home|public|secure|singlefactor)\.example\.com
|
|
|
|
http-request set-var(req.scheme) str(https) if { ssl_fc }
|
|
http-request set-var(req.scheme) str(http) if !{ ssl_fc }
|
|
http-request set-var(req.questionmark) str(?) if { query -m found }
|
|
http-request set-var(req.method) str(CONNECT) if { method CONNECT }
|
|
http-request set-var(req.method) str(GET) if { method GET }
|
|
http-request set-var(req.method) str(HEAD) if { method HEAD }
|
|
http-request set-var(req.method) str(OPTIONS) if { method OPTIONS }
|
|
http-request set-var(req.method) str(POST) if { method POST }
|
|
http-request set-var(req.method) str(TRACE) if { method TRACE }
|
|
http-request set-var(req.method) str(PUT) if { method PUT }
|
|
http-request set-var(req.method) str(PATCH) if { method PATCH }
|
|
http-request set-var(req.method) str(DELETE) if { method DELETE }
|
|
http-request set-header X-Forwarded-Method %[var(req.method)]
|
|
|
|
http-request set-header X-Real-IP %[src]
|
|
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
|
|
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
|
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
|
|
|
|
# be_auth_request is used to make HAProxy do the TLS termination since the Lua script
|
|
# does not know how to handle it (see https://github.com/TimWolla/haproxy-auth-request/issues/12).
|
|
http-request lua.auth-request be_auth_request /api/verify if protected-frontends
|
|
|
|
http-request redirect location https://login.example.com:8080/?rd=%[var(req.scheme)]://%[base]%[var(req.questionmark)]%[query] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
|
|
|
|
use_backend be_authelia if host-authelia-portal api-path
|
|
use_backend fe_authelia if host-authelia-portal !api-path
|
|
use_backend be_httpbin if protected-frontends headers-path
|
|
use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
|
|
use_backend be_protected if protected-frontends
|
|
|
|
backend be_auth_request
|
|
mode http
|
|
server proxy 127.0.0.1:8085
|
|
|
|
listen be_auth_request_proxy
|
|
mode http
|
|
bind 127.0.0.1:8085
|
|
server authelia-backend authelia-backend:9091 ssl verify none
|
|
|
|
backend be_authelia
|
|
server authelia-backend authelia-backend:9091 ssl verify none
|
|
|
|
backend fe_authelia
|
|
server authelia-frontend authelia-frontend:3000
|
|
|
|
backend be_httpbin
|
|
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
|
|
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
|
|
acl remote_name_exist var(req.auth_response_header.remote_name) -m found
|
|
acl remote_email_exist var(req.auth_response_header.remote_email) -m found
|
|
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
|
|
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
|
|
http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
|
|
http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
|
|
|
|
server httpbin-backend httpbin:8000
|
|
|
|
backend be_mail
|
|
server smtp-backend smtp:1080
|
|
|
|
backend be_protected
|
|
server nginx-backend nginx-backend:80
|