From 02b91b1821d672c745ea532369ec40b5b619a859 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Budnik?= Date: Tue, 24 Aug 2021 12:02:24 +0200 Subject: [PATCH] updated documentation --- README.md | 82 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 45 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 8e81ee5..a3a31d4 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ -# haproxy-auth-gateway ![Docker Hub](https://img.shields.io/docker/cloud/build/lukasz/haproxy-auth-gateway) ![Docker](https://github.com/lukaszbudnik/haproxy-auth-gateway/workflows/Docker%20Image%20CI/badge.svg) +# haproxy-auth-gateway ![Docker](https://github.com/lukaszbudnik/haproxy-auth-gateway/workflows/Docker%20Image%20CI/badge.svg) haproxy-auth-gateway is an authentication and authorization gateway for cloud native apps. -haproxy-auth-gateway features are: +haproxy-auth-gateway features include: - parsing JWT token from the HTTP Authorization header - Keycloak realm roles support 
@@ -22,12 +22,18 @@ haproxy-auth-gateway can be configured with the following env variables: haproxy-auth-gateway is available on docker hub: ``` -lukasz/haproxy-auth-gateway +docker pull lukasz/haproxy-auth-gateway +``` + +or on ghcr.io: + +``` +docker pull ghcr.io/lukaszbudnik/haproxy-auth-gateway ``` # Example -The below example shows how to deploy & configure `lukasz/haproxy-auth-gateway` in Kubernetes. It also shows how to invoke the Lua verify script and write ACLs using variables set by it. +The below example shows how to deploy & configure `lukasz/haproxy-auth-gateway` in Kubernetes. It also shows how to invoke the Lua verify script and write ACLs. > If you are interested in running a complete distributed demo app on Kubernetes check out: [lukaszbudnik/keycloak-kubernetes](https://github.com/lukaszbudnik/keycloak-kubernetes). This demo app uses Keycloak as Identity and Access Management solution and haproxy-auth-gateway for transparent authentication and authorization for backend services. 
@@ -113,6 +119,40 @@ Then we are ready to deploy haproxy-auth-gateway: kubectl apply -f gateway.yaml ``` +## haproxy ACL + +haproxy-auth-gateway will verify passed JWT and will (if all good): + +- set `txn.authorized` variable to `true` +- set `txn.roles` variable to a comma separated list of `realm_access.roles` + +Above variables can be used in haproxy ACLs. + +For example: + +``` +# deny if no Authorization header sent +http-request deny unless { req.hdr(authorization) -m found } +# invoke the jwtverify Lua script +http-request lua.jwtverify +# check if authorized successfully +http-request deny unless { var(txn.authorized) -m bool } +# check roles +http-request deny if PATH_camarero ! { var(txn.roles) -m sub camarero } +``` + +# Troubleshooting + +The script outputs many useful debug messages. To enable debug add the following configuration to you `haproxy.cfg`: + +``` +global + log stdout local0 debug + +defaults + log global +``` + ## Sample JWT A sample JWT token generated by Keycloak looks like this: 
@@ -174,40 +214,8 @@ ewIDAQAB -----END PUBLIC KEY----- ``` -## haproxy ACL - -haproxy-auth-gateway will verify the above JWT correctly and will: - -- set `txn.authorized` variable to `true` -- set `txn.roles` variable to a comma separated list of `realm_access.roles` - -Later above variables can be used in haproxy ACLs, for example: - -``` -# deny if no Authorization header sent -http-request deny unless { req.hdr(authorization) -m found } -# invoke the jwtverify Lua script -http-request lua.jwtverify -# check if authorized successfully -http-request deny unless { var(txn.authorized) -m bool } -# check roles -http-request deny if PATH_camarero ! { var(txn.roles) -m sub camarero } -``` - -# Troubleshooting - -The script outputs many useful debug messages. To enable debug add the following configuration to you `haproxy.cfg`: - -``` -global - log stdout local0 debug - -defaults - log global -``` - # Original project -haproxy-auth-gateway is based on great project from haproxytech folks: https://github.com/haproxytech/haproxy-lua-oauth +haproxy-auth-gateway is based on great project from haproxytech folks: https://github.com/haproxytech/haproxy-lua-oauth. haproxy-auth-gateway contains changes to support Keycloak realm roles out of the box.
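Review bot: in the first hunk (README title line), the Docker Hub build badge is removed but the later "haproxy-auth-gateway is available on docker hub" paragraph and every `lukasz/haproxy-auth-gateway` reference in the Kubernetes example are kept; if Docker Hub automated builds were discontinued, the README should say whether that image is still published from the GitHub Actions build, otherwise readers cannot tell which registry carries the current image. The commit message "updated documentation" also gives no hint of this removal.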
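Review bot: in the second hunk (installation section), both new pull commands (`docker pull lukasz/haproxy-auth-gateway` and `docker pull ghcr.io/lukaszbudnik/haproxy-auth-gateway`) carry no tag, so each resolves to `latest` and a redeploy can silently pick up a different image; suggest documenting a versioned tag or digest, e.g. `docker pull ghcr.io/lukaszbudnik/haproxy-auth-gateway:<version>` with `<version>` as a placeholder for the release being installed, since this component sits in the authentication path. The two fences could also be tagged as shell (```sh) for rendering. The example sentence that lost "using variables set by it" now reads a little bare; "write ACLs against the variables it sets" would keep the link to the `txn.*` variables documented in the next hunk.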
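Review bot: in the third hunk (new "haproxy ACL" and "Troubleshooting" placement), the role check `http-request deny if PATH_camarero ! { var(txn.roles) -m sub camarero }` uses a substring match over the comma separated `txn.roles` list, so any role whose name merely contains `camarero` (say a constructed `camarero-readonly`) also passes; the documentation should state this and show a stricter form, for example an exact match on the role name or a regex anchored on the comma delimiters, so users do not copy the substring check into production ACLs. Separately, `## haproxy ACL` is a subsection of `# Example` but `# Troubleshooting` is top-level, so the unchanged `## Sample JWT` that follows now renders as a child of Troubleshooting rather than of the example; either demote Troubleshooting to `##` or move it after the sample JWT and public key. Minor: "add the following configuration to you `haproxy.cfg`" should read "to your", and "will verify passed JWT and will (if all good):" reads better as "verifies the JWT passed in the Authorization header and, on success:".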
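Review bot: in the fourth hunk (removed sections and "Original project"), the deleted sentence "haproxy-auth-gateway will verify the above JWT correctly" tied the ACL variables to the sample JWT shown just before it; the moved text in the earlier hunk drops that reference, so consider keeping one sentence near the sample JWT noting that this token yields `txn.authorized` set to `true` and `txn.roles` populated from `realm_access.roles`. The reworded line "haproxy-auth-gateway is based on great project from haproxytech folks: https://github.com/haproxytech/haproxy-lua-oauth." still needs articles ("based on the great project from the haproxytech folks"), and placing the period immediately after the URL invites some renderers to include it in the link; wrap the URL in angle brackets or end the sentence before the link.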