On 01.05.21 19:45, Julien Pivotto wrote:
On 01 May 18:40, Aleksandar Lazic wrote:

On 01.05.21 14:38, Julien Pivotto wrote:
I do not know what you are trying to achieve.

I am trying to add to the first line of defense => HAProxy the possibility to protect
the backend from attacks without talking outside of HAProxy.

Did you see https://github.com/criteo/haproxy-spoe-auth ?

Yes. This also requires some external script like Lua.
I would like to have the verification in HAProxy.

Well yes, thanks for sharing.

There are some environments where you can't use SPOE and therefore it would be
nice to have the option to verify the token before any connection goes to any
backend or SPOE agent.

Did you also see the other approach
https://github.com/haproxytech/haproxy-lua-jwt then?




On 01 May 13:42, Aleksandar Lazic wrote:

On 30.04.21 02:01, Aleksandar Lazic wrote:
Hi.

I am thinking about integrating the "l8w8jwt_decode(...)" into HAProxy.
https://github.com/GlitchedPolygons/l8w8jwt

The RS* methods require some "RSA_PRIVATE_KEY[] = ..." and I'm not sure
what's the best method for a sample to read such a key in HAProxy converters.

My suggestion for the converter name:

jwt_verify(alg,key) : boolean

Example call:
http-request set-var(txn.jwt_verified) req.hdr(Authorization),ub64dec,jwt_verify(alg,HSKEY)
http-request set-var(txn.jwt_verified) req.hdr(Authorization),ub64dec,jwt_verify(alg,"path_to_RS_PEM")

Any opinions?

Some more examples and questions.

I have such a sequence in mind.
```
# check if the request has a Bearer token
# https://tools.ietf.org/html/rfc6750
acl bearer_header_exist req.hdr(Authorization) -m beg Bearer

# Get the right HMAC or PEM file into the variable jwt_verify_value
http-request set-var(txn.jwt_verify_value) req.hdr(host),map_str(jwt_pem.lst),read_file_to_string if bearer_header_exist

# Extract the JSON Web Algorithm (JWA) from the Bearer token.
http-request set-var(txn.jwt_algo) req.hdr(Authorization),word(1,.),ub64dec,json_query('$.alg') if bearer_header_exist

# Verify the JWT token with the right HMAC and PEM
http-request set-var(txn.jwt_check) req.hdr(Authorization),ub64dec,jwt_verify(%[var(txn.jwt_algo)],%[var(txn.jwt_verify_value)]) if bearer_header_exist { jwt_valid_algo(%[var(txn.jwt_algo)]) }
```

jwt_valid_algo will be similar to fix_is_valid.
jwt_valid_algo will check if the '$.alg' is a supported JSON Web Algorithm.

Do I need to call some functions in the converters (jwt_verify, jwt_valid_algo)
to look up '%[var(...)]'?
I haven't found a function which does the read_file_to_string; does such a
function exist in HAProxy?
Can I create a $MAP or $DATA_STRUCTURE to prevent reading the file on every
request?
Is there a max size of a variable in HAProxy?

Any feedback is very welcome.

Regards
Alex
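The sequence proposed in the post above (Bearer header check, "alg" extraction with an allowlist, then signature verification) written out as an added Python example; it is not code from the thread, from l8w8jwt or from HAProxy, and the HS256 key and tokens it uses are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

HS_KEY = b"constructed-demo-secret"   # constructed sample key, not a real one
SUPPORTED_ALGS = {"HS256"}            # allowlist: "none" and anything unexpected is rejected


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Issue a demo token; in practice the identity provider does this, not the proxy."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def jwt_verify(authorization_header: str, key: bytes) -> bool:
    """Return True only for a well-formed Bearer token with an allowed alg and a valid HMAC."""
    # Step 1: the request must carry a Bearer token (RFC 6750), like the acl in the post.
    if not authorization_header.startswith("Bearer "):
        return False
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    # Step 2: read "alg" from the header and check it against the allowlist
    # (the jwt_valid_algo step) before anything in the token is trusted.
    try:
        header = json.loads(b64url_decode(header_b64))
        given_sig = b64url_decode(sig_b64)
    except ValueError:          # bad base64 or bad JSON
        return False
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in SUPPORTED_ALGS:
        return False
    # Step 3: recompute the HMAC over "header.payload" with the key picked for this
    # host (the jwt_verify step) and compare in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given_sig)
```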
