JWT validation in HAProxy

I have HAProxy configured to accept requests to *.mysubdomain.com. HAProxy will analyze the subdomain (prod or dev from prod.mysubdomain.com or dev.mysubdomain.com) and switch to the correct backend. There are two backends, one for prod and one for dev. Each backend contains two server entries that point to marathon-lb instances on each subdomain.

Subdomains require a JWT cookie for authentication on the server. I have a public key to validate the JWT, but would like to do it in HAProxy. Is there a way to add my own code to perform JWT validation in a HAProxy configuration?

The HAProxy configuration file is as follows:

    global
        maxconn 256

    defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

    frontend http-in
        bind *:80
        mode http
        # Returns true when one of the headers contains one of the strings either isolated
        # or delimited by dots. This is used to perform domain name matching.
        acl host_dev hdr_dom(host) -i dev
        acl host_prod hdr_dom(host) -i prod
        acl jwtPresent req.cook(JWT) -m found
        use_backend prod_domain if jwtPresent host_prod
        use_backend dev_domain if jwtPresent host_dev
        default_backend prod_domain

    backend prod_domain
        balance roundrobin
        server prodDomain1 "${MARATHON_LB_PROD_1}" maxconn 32 check
        server prodDomain2 "${MARATHON_LB_PROD_2}" maxconn 32 check

    backend dev_domain
        balance roundrobin
        server devDomain1 "${MARATHON_LB_DEV_1}" maxconn 32 check
        server devDomain2 "${MARATHON_LB_DEV_2}" maxconn 32 check
2 answers

As far as I could tell, HAProxy does not have the functionality to execute logic to validate JWT. Instead, I applied a script in Lua for haproxy.cfg to call for verification:

    global
        maxconn 256
        lua-load /choose_backend.lua

    defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

    frontend http-in
        bind *:80
        http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
        http-request set-var(txn.backend_name) lua.backend_select()
        use_backend %[var(txn.backend_name)]

    backend prod_domain
        balance roundrobin
        server prodDomain1 "${MARATHON_LB_PROD_1}" maxconn 32 check
        server prodDomain2 "${MARATHON_LB_PROD_2}" maxconn 32 check

    backend dev_domain
        balance roundrobin
        server devDomain1 "${MARATHON_LB_DEV_1}" maxconn 32 check
        server devDomain2 "${MARATHON_LB_DEV_2}" maxconn 32 check

As another answer pointed out, you should use a Lua script. You can use existing implementations from lua-resty-jwt or Kong.

Notes:

  • These codebases are not concise. Simple copy and paste will not work. Therefore, you need to extract the minimum that you need.
  • You have no dependencies in your Lua script. Just plain vanilla Lua. Therefore, you need to get rid of all require statements.
  • The tricky part is the implementation of the HMAC.
  • Avoid any I/O operations in your Lua script, for example file, database, or network operations.

This is not an easy task. Good luck! This is something worth sharing.
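The following is an added example, not code from the question or from either answer, showing what the two answers describe: a dependency-free Lua script (no `require`, no per-request I/O) that HAProxy loads with `lua-load` and that exposes a `lua.backend_select` fetch, with the HMAC-SHA256 that the second answer calls the tricky part written out in plain Lua 5.3+ (it relies on the native bitwise operators and `string.pack`). It verifies HS256 only; RSA verification for the public-key setup in the question is not practical in hand-written Lua, and on HAProxy 2.5 or later the native `jwt_verify` converter handles that case without any Lua at all. The environment variable `JWT_HMAC_SECRET`, the `reject` backend name and the constructed test token are this example's own assumptions.

```lua
-- Added example, not code from the question or the answers: HS256 JWT verification in
-- dependency-free Lua 5.3+, exposed as the HAProxy fetch `lua.backend_select`.
-- JWT_HMAC_SECRET and the `reject` backend name are this example's own assumptions.
local B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

local function b64url_decode(s)                  -- unpadded base64url, nil on any bad character
  local out, bits, nbits = {}, 0, 0
  for ch in s:gmatch(".") do
    local v = B64:find(ch, 1, true)
    if not v then return nil end
    bits, nbits = ((bits << 6) | (v - 1)) & 0xffff, nbits + 6
    if nbits >= 8 then
      nbits = nbits - 8
      out[#out + 1] = string.char((bits >> nbits) & 0xff)
    end
  end
  return table.concat(out)
end

local function b64url_encode(s)                  -- only needed by the self-test at the bottom
  local out, bits, nbits = {}, 0, 0
  for i = 1, #s + 1 do
    if i <= #s then bits, nbits = ((bits << 8) | s:byte(i)) & 0xffff, nbits + 8
    elseif nbits > 0 then bits, nbits = bits << (6 - nbits), 6 end   -- pad the final sextet
    while nbits >= 6 do
      nbits = nbits - 6
      local idx = ((bits >> nbits) & 63) + 1
      out[#out + 1] = B64:sub(idx, idx)
    end
  end
  return table.concat(out)
end

local K = {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2}
local function rrot(x, n) return ((x >> n) | (x << (32 - n))) & 0xffffffff end

local function sha256(msg)                       -- FIPS 180-4 SHA-256, returns 32 raw bytes
  msg = msg .. "\128" .. ("\0"):rep((55 - #msg) % 64) .. string.pack(">I8", #msg * 8)
  local h = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19}
  for chunk = 1, #msg, 64 do
    local w = {}
    for i = 1, 16 do w[i] = string.unpack(">I4", msg, chunk + (i - 1) * 4) end
    for i = 17, 64 do
      local s0 = rrot(w[i - 15], 7) ~ rrot(w[i - 15], 18) ~ (w[i - 15] >> 3)
      local s1 = rrot(w[i - 2], 17) ~ rrot(w[i - 2], 19) ~ (w[i - 2] >> 10)
      w[i] = (w[i - 16] + s0 + w[i - 7] + s1) & 0xffffffff
    end
    local a, b, c, d, e, f, g, hh = table.unpack(h)
    for i = 1, 64 do
      local t1 = (hh + (rrot(e, 6) ~ rrot(e, 11) ~ rrot(e, 25)) + ((e & f) ~ (~e & g)) + K[i] + w[i]) & 0xffffffff
      local t2 = ((rrot(a, 2) ~ rrot(a, 13) ~ rrot(a, 22)) + ((a & b) ~ (a & c) ~ (b & c))) & 0xffffffff
      hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & 0xffffffff, c, b, a, (t1 + t2) & 0xffffffff
    end
    for i, x in ipairs({a, b, c, d, e, f, g, hh}) do h[i] = (h[i] + x) & 0xffffffff end
  end
  return string.pack(">I4I4I4I4I4I4I4I4", table.unpack(h))
end

local function hmac_sha256(key, msg)             -- RFC 2104 with a 64-byte block
  if #key > 64 then key = sha256(key) end
  key = key .. ("\0"):rep(64 - #key)
  local ipad = key:gsub(".", function(c) return string.char(c:byte() ~ 0x36) end)
  local opad = key:gsub(".", function(c) return string.char(c:byte() ~ 0x5c) end)
  return sha256(opad .. sha256(ipad .. msg))
end

local function const_eq(a, b)                    -- no early exit on content, only on length
  if #a ~= #b then return false end
  local diff = 0
  for i = 1, #a do diff = diff | (a:byte(i) ~ b:byte(i)) end
  return diff == 0
end

-- Returns the payload JSON on success, else nil and a reason. Only HS256 is accepted, so
-- "alg":"none" and algorithm-confusion tokens fail before any signature work is done.
local function verify_jwt(token, secret, now)
  local h, p, s = token:match("^([%w%-_]+)%.([%w%-_]+)%.([%w%-_]+)$")
  if not h then return nil, "malformed" end
  local header = b64url_decode(h)
  if not header or not header:match('"alg"%s*:%s*"HS256"') then return nil, "alg not allowed" end
  local sig = b64url_decode(s)
  if not sig or not const_eq(sig, hmac_sha256(secret, h .. "." .. p)) then return nil, "bad signature" end
  local payload = b64url_decode(p)
  local exp = tonumber(payload and payload:match('"exp"%s*:%s*(%d+)') or "")   -- crude JSON read, exp required
  if not exp or exp <= now then return nil, "missing or expired exp" end
  return payload
end

if core then   -- inside HAProxy: http-request set-var(txn.backend_name) lua.backend_select
  local SECRET = assert(os.getenv("JWT_HMAC_SECRET"), "JWT_HMAC_SECRET not set")   -- read once at load
  core.register_fetches("backend_select", function(txn)
    local token, host = txn.sf:req_cook("JWT"), (txn.sf:req_hdr("host") or ""):lower()
    if token == nil or token == "" or not verify_jwt(token, SECRET, os.time()) then return "reject" end
    return host:find("^dev%.") and "dev_domain" or "prod_domain"
  end)
else           -- stand-alone: lua5.3 jwt_check.lua
  assert(("%02x"):rep(32):format(sha256("abc"):byte(1, -1)) == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
  local secret = "constructed-test-secret"
  local input = b64url_encode('{"alg":"HS256","typ":"JWT"}') .. "." .. b64url_encode('{"sub":"dev-user","exp":4102444800}')
  local token = input .. "." .. b64url_encode(hmac_sha256(secret, input))
  assert(verify_jwt(token, secret, 1700000000), "valid token rejected")
  assert(not verify_jwt(token:sub(1, -2) .. (token:sub(-1) == "A" and "B" or "A"), secret, 1700000000), "tampered token accepted")
  assert(not verify_jwt(token, secret, 4102444801), "expired token accepted")
  print("self-test passed")
end
```

Run outside HAProxy (`lua5.3 jwt_check.lua`) the script checks SHA-256 against the published "abc" test vector, then signs and verifies a constructed token and confirms that a tampered signature and an expired `exp` are refused. Loaded with `lua-load`, the fetch returns `prod_domain`, `dev_domain` or `reject`; pair it with a `backend reject` that carries `http-request deny deny_status 401` so a missing or invalid cookie is refused outright, rather than falling through to `default_backend prod_domain` as the question's configuration does.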


Source: https://habr.com/ru/post/1265555/
