forked from haproxytech/haproxy-lua-oauth
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy-example.cfg
45 lines (33 loc) · 1.61 KB
/
haproxy-example.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
global
daemon
lua-load /usr/local/share/lua/5.3/jwtverify.lua
# Set env variables used by Lua file
# Path to public key certificate tokens are signed with (get from your token issuer, like auth0.com):
setenv OAUTH_PUBKEY_PATH /etc/haproxy/pem/pubkey.pem
# OPTIONAL: OAuth issuer
setenv OAUTH_ISSUER https://youraccount.auth0.com/
# OPTIONAL: OAuth audience - should match what you set on the Auth0 website for your API
setenv OAUTH_AUDIENCE https://api.mywebsite.com
defaults
timeout connect 5s
timeout client 5s
timeout server 5s
mode http
frontend api_gateway
# Good practice to secure communication when passing tokens
# bind :443 ssl crt /etc/haproxy/pem/test.com.pem alpn h2,http1.1
bind :80
# Deny if no Authorization header sent
http-request deny unless { req.hdr(authorization) -m found }
# Invoke the jwtverify Lua file
http-request lua.jwtverify
# Deny unless jwtverify set 'authorized' to true
http-request deny unless { var(txn.authorized) -m bool }
# OPTIONAL: Deny if GET request, but JWT does not contain 'read:myservice' scope
http-request deny if { path_beg /api/myservice } { method GET } ! { var(txn.oauth_scopes) -m sub read:myservice }
# OPTIONAL: Deny if POST, PUT, or DELETE request, but JWT does not contain 'write:myservice' scope
http-request deny if { path_beg /api/myservice } { method POST PUT DELETE } ! { var(txn.oauth_scopes) -m sub write:myservice }
default_backend apiservers
backend apiservers
balance roundrobin
server server1 127.0.0.1:8080