diff --git a/README.md b/README.md index 8e81ee5..a3a31d4 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ -# haproxy-auth-gateway ![Docker Hub](https://img.shields.io/docker/cloud/build/lukasz/haproxy-auth-gateway) ![Docker](https://github.com/lukaszbudnik/haproxy-auth-gateway/workflows/Docker%20Image%20CI/badge.svg) +# haproxy-auth-gateway ![Docker](https://github.com/lukaszbudnik/haproxy-auth-gateway/workflows/Docker%20Image%20CI/badge.svg) haproxy-auth-gateway is an authentication and authorization gateway for cloud native apps. -haproxy-auth-gateway features are: +haproxy-auth-gateway features include: - parsing JWT token from the HTTP Authorization header - Keycloak realm roles support @@ -22,12 +22,18 @@ haproxy-auth-gateway can be configured with the following env variables: haproxy-auth-gateway is available on docker hub: ``` -lukasz/haproxy-auth-gateway +docker pull lukasz/haproxy-auth-gateway +``` + +or on ghcr.io: + +``` +docker pull ghcr.io/lukaszbudnik/haproxy-auth-gateway ``` # Example -The below example shows how to deploy & configure `lukasz/haproxy-auth-gateway` in Kubernetes. It also shows how to invoke the Lua verify script and write ACLs using variables set by it. +The below example shows how to deploy & configure `lukasz/haproxy-auth-gateway` in Kubernetes. It also shows how to invoke the Lua verify script and write ACLs. > If you are interested in running a complete distributed demo app on Kubernetes check out: [lukaszbudnik/keycloak-kubernetes](https://github.com/lukaszbudnik/keycloak-kubernetes). This demo app uses Keycloak as Identity and Access Management solution and haproxy-auth-gateway for transparent authentication and authorization for backend services. 
@@ -113,6 +119,40 @@ Then we are ready to deploy haproxy-auth-gateway: kubectl apply -f gateway.yaml ``` +## haproxy ACL + +haproxy-auth-gateway will verify passed JWT and will (if all good): + +- set `txn.authorized` variable to `true` +- set `txn.roles` variable to a comma separated list of `realm_access.roles` + +Above variables can be used in haproxy ACLs. + +For example: + +``` +# deny if no Authorization header sent +http-request deny unless { req.hdr(authorization) -m found } +# invoke the jwtverify Lua script +http-request lua.jwtverify +# check if authorized successfully +http-request deny unless { var(txn.authorized) -m bool } +# check roles +http-request deny if PATH_camarero ! { var(txn.roles) -m sub camarero } +``` + +# Troubleshooting + +The script outputs many useful debug messages. To enable debug add the following configuration to you `haproxy.cfg`: + +``` +global + log stdout local0 debug + +defaults + log global +``` + ## Sample JWT A sample JWT token generated by Keycloak looks like this: 
@@ -174,40 +214,8 @@ ewIDAQAB -----END PUBLIC KEY----- ``` -## haproxy ACL - -haproxy-auth-gateway will verify the above JWT correctly and will: - -- set `txn.authorized` variable to `true` -- set `txn.roles` variable to a comma separated list of `realm_access.roles` - -Later above variables can be used in haproxy ACLs, for example: - -``` -# deny if no Authorization header sent -http-request deny unless { req.hdr(authorization) -m found } -# invoke the jwtverify Lua script -http-request lua.jwtverify -# check if authorized successfully -http-request deny unless { var(txn.authorized) -m bool } -# check roles -http-request deny if PATH_camarero ! { var(txn.roles) -m sub camarero } -``` - -# Troubleshooting - -The script outputs many useful debug messages. To enable debug add the following configuration to you `haproxy.cfg`: - -``` -global - log stdout local0 debug - -defaults - log global -``` - # Original project -haproxy-auth-gateway is based on great project from haproxytech folks: https://github.com/haproxytech/haproxy-lua-oauth +haproxy-auth-gateway is based on great project from haproxytech folks: https://github.com/haproxytech/haproxy-lua-oauth. haproxy-auth-gateway contains changes to support Keycloak realm roles out of the box.
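Review bot: In the first hunk the introductory sentence "haproxy-auth-gateway is available on docker hub:" now precedes two registries (Docker Hub and ghcr.io), so reword it to cover both, e.g. "is available on Docker Hub and ghcr.io:". Both `docker pull` lines also carry no tag, which resolves to `latest`; for a component that sits in the authentication path, document a pinned tag or `@sha256:` digest so deployments are reproducible and upgrades are deliberate. The Example paragraph still names only `lukasz/haproxy-auth-gateway`; mention that the ghcr.io image is interchangeable.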
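Review bot: The moved "haproxy ACL" section is inserted as `## haproxy ACL` under `# Example`, but the `# Troubleshooting` heading that follows it is top level, which turns the existing `## Sample JWT` into a subsection of Troubleshooting instead of the Example. Either move `# Troubleshooting` after "Sample JWT" or demote it. Two smaller points in the same region: "(if all good)" is vaguer than the old "will verify the above JWT correctly"; keep a sentence saying which token the roles such as `camarero` come from (the Sample JWT section), and the ACL snippet references `PATH_camarero` without defining it, so add the `acl PATH_camarero ...` line so the example is self-contained. Typo in the added Troubleshooting text: "to you `haproxy.cfg`" should read "to your `haproxy.cfg`". Since the debug configuration logs at `debug` level to stdout, it would help operators to state whether those messages include token or claim contents, so the setting is not left enabled in production.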
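Review bot: The removed block is a pure relocation of the ACL and Troubleshooting sections, so nothing is lost as long as the earlier hunk lands; the only wording dropped is "will verify the above JWT correctly", which tied the section to the Sample JWT. In the `# Original project` line the trailing period after the URL is safe under GitHub's autolink rules (trailing `.` is excluded from the link), but a proper markdown link `[haproxy-lua-oauth](https://github.com/haproxytech/haproxy-lua-oauth)` would read better and avoid any doubt.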