Hi Tim,

Wanted to say thank you for your help; I got everything working.

In case it helps others new to this figure out how to accomplish the task, here is the config I ended up with:


frontend        httpfront
 bind   ${ADDRESS}:80   v4v6
 bind   ${ADDRESS}:443  v4v6 ssl crt /Computerisms/config/certificates/
 redirect scheme https   code 301 if     !{ ssl_fc }
 mode           http
 option          httplog
 log             global
 http-request   lua.auth-request        auth_request    /index.html     
 ## ACLs
 acl test.computerisms.ca ssl_fc_sni -i test.computerisms.ca
 ## AUTHREQ
 use_backend    auth_request    if      ! { var(txn.auth_response_successful) -m bool } test.computerisms.ca
 ## AUTHBACKEND
 use_backend    test.computerisms.ca    if      test.computerisms.ca
 default_backend        mooglehttps








On 2018-09-04 02:42 PM, Tim Düsterhus wrote:
Bob,

Am 04.09.2018 um 23:27 schrieb Computerisms Corporation:
First, apologies for the breach in etiquette, will use reply-all on this
list.

FWIW: I removed Thierry again, because at this point this is no longer
about Lua itself :-)

After following the thread in github and your hint that an apt-gettable
package for luasocket exists, I purged everything from luarocks and
installed from debian repos and the script is no longer producing errors
and the backend is successfully logging connections.

Perfect!

A follow up question, if I may: my backend leads to a simple apache

Sure.

DocumentRoot with auth that works as expected when accessed directly.  I
was expecting when accessing through haproxy that when the auth-request
script did its subrequest, I would get the apache credentials pop up in
the browser.  However, no pop up happens, and the backend immediately
fails.  Did I misunderstand how this would work?

The only thing my script does is check the response code of some
subrequest. What you do with it is entirely up to you. The example in
the README on GitHub denies the request.
Instead of denying the request you could select a different backend
(i.e. Apache) which then would be able to show the authentication screen.

In my blog post I use this to force the request to go to OAuth Proxy if
the verification fails:

     use_backend oauth_proxy if ! { var(txn.auth_response_successful) -m bool }

Instead of `oauth_proxy` you would use `auth_request` based on the
configuration you gave previously.

I thought that maybe the user/pass needs to be included in the url
(http://user:p...@domain.tld), but the behaviour remains the same....


HTTP Basic authentication should work out of the box, because all the
request headers are forwarded to the backend.

Best regards
Tim Düsterhus
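
The setup discussed in this thread as one complete configuration, added here as an example that is not part of the original messages or of the haproxy-auth-request project. The Lua install path, timeouts and all server addresses are assumptions (placeholders); the ACL matches the per-request Host header instead of SNI, because SNI is fixed once per TLS connection while each request on that connection carries its own Host header.

```haproxy
global
    # auth-request.lua from haproxy-auth-request; install path is an assumption
    lua-load /usr/share/haproxy/auth-request.lua

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend httpfront
    bind :::80  v4v6
    bind :::443 v4v6 ssl crt /Computerisms/config/certificates/

    # Redirect first, so no auth subrequest is made for plaintext requests
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Protected host, matched on the Host header of each request
    acl host_test hdr(host) -i test.computerisms.ca

    # Subrequest to /index.html on the auth_request backend, protected host only
    http-request lua.auth-request auth_request /index.html if host_test
    acl authed var(txn.auth_response_successful) -m bool

    # Variant A: reject outright when the subrequest fails
    # http-request deny if host_test !authed

    # Variant B (the one used in this thread): hand unauthenticated requests
    # to the auth backend, so Apache answers 401 and the browser prompts
    use_backend auth_request         if host_test !authed
    use_backend test.computerisms.ca if host_test
    default_backend mooglehttps

backend auth_request
    # Apache vhost protected with HTTP Basic auth (placeholder address)
    server apache_auth 192.0.2.10:80 check

backend test.computerisms.ca
    # Application served once the subrequest succeeded (placeholder address)
    server app 192.0.2.20:80 check

backend mooglehttps
    server moogle 192.0.2.30:80 check
```

Checking the file with `haproxy -c -f <file>` before reloading catches a missing Lua script or a misspelled backend name.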

