Re: HttpClient in Lua
On Tue, Jun 21, 2022 at 08:33:04AM +1000, Philip Young wrote: > I don’t mind the idea, it would reduce having a separate service/ > proxy. If creating it inside HAProxy then wouldn’t that mess with the > threading and it blocking? > That's just a proxy in your haproxy configuration so there is no reason it will block. -- William Lallemand
Re: HttpClient in Lua
I don’t mind the idea, it would reduce having a separate service/ proxy. If creating it inside HAProxy then wouldn’t that mess with the threading and it blocking? > On 20 Jun 2022, at 9:47 pm, William Lallemand wrote: > > On Mon, Jun 20, 2022 at 08:27:22PM +1000, Philip Young wrote: >> Thanks for the answer William, it is very much appreciated. It is good to >> get some clarification and will stop me continuing to spend time trying to >> get it to work. >> >> In the meantime, I am working around the problem by calling out to a local >> python service running on the same machine as HAProxy over http, which is >> then making the authorisation request with a client certificate. Not ideal, >> but will switch out the hack once it is supported in HAProxy. >> >> Thanks again >> Phil >> > If you want to take the hackish road, you can just simply create a proxy > in your haproxy which does this, with an SSL server and a crt. This way > you can still use the httpclient or the socket API directly with this > proxy. > > -- > William Lallemand
Re: HttpClient in Lua
On Mon, Jun 20, 2022 at 08:27:22PM +1000, Philip Young wrote: > Thanks for the answer William, it is very much appreciated. It is good to get > some clarification and will stop me continuing to spend time trying to get it > to work. > > In the meantime, I am working around the problem by calling out to a local > python service running on the same machine as HAProxy over http, which is > then making the authorisation request with a client certificate. Not ideal, > but will switch out the hack once it is supported in HAProxy. > > Thanks again > Phil > If you want to take the hackish road, you can just simply create a proxy in your haproxy which does this, with an SSL server and a crt. This way you can still use the httpclient or the socket API directly with this proxy. -- William Lallemand
Re: HttpClient in Lua
Thanks for the answer William, it is very much appreciated. It is good to get some clarification and will stop me continuing to spend time trying to get it to work. In the meantime, I am working around the problem by calling out to a local python service running on the same machine as HAProxy over http, which is then making the authorisation request with a client certificate. Not ideal, but will switch out the hack once it is supported in HAProxy. Thanks again Phil > On 20 Jun 2022, at 7:38 pm, William Lallemand wrote: > > On Wed, Jun 15, 2022 at 11:33:27PM +1000, Philip Young wrote: >> Hi >> I am currently writing a LUA module to make authorisation decisions on >> whether a request is allowed, by calling out to another service to make the >> authorisation decision. >> In the Lua module, I am using Socket.connect_ssl() to connect to the >> authorisation service but I am struggling to work out how to set the path to >> the certificate I want to use to connect to the authorisation service. >> Does anybody know how to set the path to the certificate that is used when >> using Socket.connect_ssl() >> Is it possible to do this using the httpclient? >> I have tried asking the Slack chat channel and on the commercial site but no >> one knows. >> >> Cheers Phil > > Hello Phil, > > Unfortunately the Socket and the HTTPClient lua class are not able to > use a client certificate right now. This should evolve in the future but > the current architecture is not able to do it. > > -- > William Lallemand
Re: HttpClient in Lua
On Wed, Jun 15, 2022 at 11:33:27PM +1000, Philip Young wrote: > Hi > I am currently writing a LUA module to make authorisation decisions on > whether a request is allowed, by calling out to another service to make the > authorisation decision. > In the Lua module, I am using Socket.connect_ssl() to connect to the > authorisation service but I am struggling to work out how to set the path to > the certificate I want to use to connect to the authorisation service. > Does anybody know how to set the path to the certificate that is used when > using Socket.connect_ssl() > Is it possible to do this using the httpclient? > I have tried asking the Slack chat channel and on the commercial site but no > one knows. > > Cheers Phil Hello Phil, Unfortunately the Socket and the HTTPClient lua class are not able to use a client certificate right now. This should evolve in the future but the current architecture is not able to do it. -- William Lallemand
Re: HttpClient in Lua
Hi Phil, please keep the ML in the loop. On Thu, 16 Jun 2022 00:19:57 +1000 Philip Young wrote: > Hi Alex > > Thanks for the reply, but unfortunately that only sets the CA certs that > issued the server certs. I need a way to specify a client certificate that > will be used to talk to authz service. Ah okay sorry haven't understood that you want to send client certificate. I would try to use http://docs.haproxy.org/2.6/configuration.html#5.2-crt with the Client Certificate in the pem and set it on the server line. It's my conclusion of that code. https://git.haproxy.org/?p=haproxy.git;a=blob;f=src/hlua.c;hb=HEAD#l12530 Again it's just a assumption as I had never the requirements to use client certificates with haproxy. Regards Alex > Thanks anyway > > Sent from my iPhone > > > On 16 Jun 2022, at 12:03 am, Aleksandar Lazic wrote: > > > > HI. > > > >> On Wed, 15 Jun 2022 23:33:27 +1000 > >> Philip Young wrote: > >> > >> Hi > >> I am currently writing a LUA module to make authorisation decisions on > >> whether a request is allowed, by calling out to another service to make the > >> authorisation decision. > >> In the Lua module, I am using Socket.connect_ssl() to > >> connect to the authorisation service but I am struggling to work out how to > >> set the path to the certificate I want to use to connect to the > >> authorisation service. > >> Does anybody know how to set the path to the certificate that is > >> used when using Socket.connect_ssl() Is it possible to do this using the > >> httpclient? > > > > As I'm not a lua nor httpclient expert but maybe this could help. > > https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.ca-file > > > > Also check if you mabye need to adopt this at least for the beginning. > > https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.verify > > > >> I have tried asking the Slack chat channel and on the commercial > >> site but no one knows. > >> > >> Cheers Phil > > > > Hth > > Alex
Re: HttpClient in Lua
HI. On Wed, 15 Jun 2022 23:33:27 +1000 Philip Young wrote: > Hi > I am currently writing a LUA module to make authorisation decisions on > whether a request is allowed, by calling out to another service to make the > authorisation decision. > In the Lua module, I am using Socket.connect_ssl() to > connect to the authorisation service but I am struggling to work out how to > set the path to the certificate I want to use to connect to the authorisation > service. > Does anybody know how to set the path to the certificate that is > used when using Socket.connect_ssl() Is it possible to do this using the > httpclient? As I'm not a lua nor httpclient expert but maybe this could help. https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.ca-file Also check if you mabye need to adopt this at least for the beginning. https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.verify > I have tried asking the Slack chat channel and on the commercial > site but no one knows. > > Cheers Phil Hth Alex
HttpClient in Lua
Hi I am currently writing a LUA module to make authorisation decisions on whether a request is allowed, by calling out to another service to make the authorisation decision. In the Lua module, I am using Socket.connect_ssl() to connect to the authorisation service but I am struggling to work out how to set the path to the certificate I want to use to connect to the authorisation service. Does anybody know how to set the path to the certificate that is used when using Socket.connect_ssl() Is it possible to do this using the httpclient? I have tried asking the Slack chat channel and on the commercial site but no one knows. Cheers Phil