Re: lua haproxy-auth-request - round 2

Fri, 05 Oct 2018 13:10:59 -0700 

Hi Tim,
Thanks for the response, and apologies for the delay. Popularity is advertised as a good thing, but I have my doubts. Regardless, I am back on track with this project for the moment. 
While I don't have any idea from the top of my head your configuration
surely would be helpful.



right, should have included that the first time, will put it at the 
bottom of this mail.



You might also want to check whether the webbrowser is able to:
a) Set-Up the Websocket with auth-request in between (you should see a
101 Switching Protocols in it's network console).



Okay, this is something I hadn't looked at.  Not 100% sure I am 
interpreting correctly, but assuming I am, then the browser is reporting 
that the connection is successfully upgrading to websockets both with 
and without the Lua script enabled.  As far as I can tell, the only 
thing that changes is the cookies and keys.  There is a significant 
difference in the "waiting" response, though; ~350ms with the lua 
script, but less than 5ms without it.



b) Send credentials for basic authentication for Websockets.



hm, so I don't seem to be able to connect to etherpad directly using a 
ws:// schematic in chrome or firefox, and I think that is what you mean. 
 not sure if that is just me, though, will work some more on that and 
see if I can figure out if I am doing something wrong there...


My haproxy.cfg:


Note in the front end I have two lines commented; with these lines 
commented, everything works, can reload hundreds of times with no error. 
 With the lines uncommented, the auth works, the main landing page 
works, but accessing the actual pad does not work.  the tables entries 
seem to work fine either way.



I have uncommented these lines to induce failure, and pasted a copy of 
the haproxy logs of the event at

http://www.computerisms.ca/haproxy.txt


At the bottom of the log file, it appears to me that I get a 200 after 
the websocket upgrade, which I interpret to mean it was successful, but 
at that point the page spins and some 150-300 seconds later I get the 
error page displayed on the screen with no more log entries in haproxy.



global
        debug
        log             /dev/log                local1          debug
        chroot          /var/lib/haproxy
        user            haproxy
        group           haproxy
        daemon
        ca-base         /etc/ssl/certs
        crt-base        /etc/ssl/private
        ssl-default-bind-options        no-sslv3
        lua-load        /Computerisms/config/etc/haproxy.auth.lua

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull

frontend        httpfront
        bind            ${ADDRESS}:80   v4v6
        bind ${ADDRESS}:443 v4v6 ssl crt /Computerisms/config/certificates/
        redirect        scheme       https   code 301 if     !{ ssl_fc }
        mode            http
        option          httplog
        log             global
#       http-request    lua.auth-request        auth_request /index.html
        ## ACLs
        acl tables.computerisms.ca ssl_fc_sni -i tables.computerisms.ca
        acl pad.computerisms.ca ssl_fc_sni -i pad.computerisms.ca
        ## AUTHREQ

        use_backend auth_request if ! { 
var(txn.auth_response_successful) -m bool } tables.computerisms.ca
#       use_backend auth_request if ! { 
var(txn.auth_response_successful) -m bool } pad.computerisms.ca

        ## AUTHBACKEND
        use_backend tables.computerisms.ca if tables.computerisms.ca
        use_backend pad.computerisms.ca if pad.computerisms.ca
        default_backend mooglehttps

backend         auth_request
        mode            http
        server          auth-request    127.0.0.1:8044 check
#       option          httpclose
#       option          forwardfor

backend         mooglehttps
        balance         leastconn
        mode            http
        option          httpclose
        option          forwardfor
        option          log-health-checks
        option          httpchk

        server sand1lian 192.168.25.52:48443 check send-proxy-v2 ssl 
verify none
        server sand2lian 192.168.25.53:48443 check send-proxy-v2 ssl 
verify none


## BEGIN pad.computerisms.ca
backend         pad.computerisms.ca
         balance         leastconn
         mode            http
         cookie sessionID insert nocache indirect
#        option          httpclose
         option          forwardfor
         server sand1lian 192.168.25.52:19008 cookie sand1pad
         server sand2lian 192.168.25.53:19008 cookie sand2pad
## END pad.computerisms.ca
## BEGIN tables.computerisms.ca
backend         tables.computerisms.ca
         balance         leastconn
         mode            http
         cookie sessionID insert nocache indirect
         option          httpclose
         option          forwardfor
         server sand1lian 192.168.25.52:29000 check cookie sand1tables
         server sand2lian 192.168.25.53:29000 check cookie sand2tables
## END tables.computerisms.ca

Thanks again for taking a look, truly appreciated...



Best regards
Tim Düsterhus

























					Reply via email to