Re: haproxy-auth-request
Hi Tim,
Wanted to say thank you for your help, I got every thing working.
in case it helps others new to this figure out how to accomplish the
task, here is the config I ended up with:
frontendhttpfront
bind ${ADDRESS}:80 v4v6
bind ${ADDRESS}:443 v4v6 ssl crt /Computerisms/config/certificates/
redirect scheme https code 301 if !{ ssl_fc }
mode http
option httplog
log global
http-request lua.auth-requestauth_request/index.html
## ACLs
acl test.computerisms.ca ssl_fc_sni -i test.computerisms.ca
## AUTHREQ
use_backend auth_request if ! { var(txn.auth_response_successful) -m
bool } test.computerisms.ca
## AUTHBACKEND
use_backendtest.computerisms.caif test.computerisms.ca
default_backendmooglehttps
On 2018-09-04 02:42 PM, Tim Düsterhus wrote:
Bob,
Am 04.09.2018 um 23:27 schrieb Computerisms Corporation:
First, apologies for the breach in etiquette, will use reply-all on this
list.
FWIW: I removed Thierry again, because at this point this is no longer
about Lua itself :-)
After following the thread in github and your hint that a apt-gettable
package for luasocket exists, I purged everything from luarocks and
installed from debian repos and the script is no longer producing errors
and the backend is successfully logging connections.
Perfect!
A follow up question, if I may: my backend leads to a simple apache
Sure.
DocumentRoot with auth that works as expected when accessed directly. I
was expecting when accessing through haproxy that when the auth-request
script did its subrequest, I would get the apache credentials pop up in
the browser. However, no pop up happens, and the backend immediately
fails. Did I misunderstand how this would work?
The only thing my script does is checking the response code of some
subrequest. What you do with it is entirely up to you. The example in
the README on GitHub denies the request.
Instead of denying the request you could select a different backend
(i.e. Apache) which then would be able to show the authentication screen.
In my blog post I use this to force the request to go to OAuth Proxy if
the verification fails:
use_backend oauth_proxy if ! { var(txn.auth_response_successful) -m
bool }
Instead of `oauth_proxy` you would use `auth_request` based on the
configuration you gave previously.
I thought that maybe the user/pass needs to be included in the url
(http://user:p...@domain.tld), but the behaviour remains the same
HTTP Basic authentication should work out of the box, because all the
request headers are forwarded to the backend.
Best regards
Tim Düsterhus
Re: haproxy-auth-request
Bob,
Am 04.09.2018 um 23:27 schrieb Computerisms Corporation:
> First, apologies for the breach in etiquette, will use reply-all on this
> list.
FWIW: I removed Thierry again, because at this point this is no longer
about Lua itself :-)
> After following the thread in github and your hint that a apt-gettable
> package for luasocket exists, I purged everything from luarocks and
> installed from debian repos and the script is no longer producing errors
> and the backend is successfully logging connections.
Perfect!
> A follow up question, if I may: my backend leads to a simple apache
Sure.
> DocumentRoot with auth that works as expected when accessed directly. I
> was expecting when accessing through haproxy that when the auth-request
> script did its subrequest, I would get the apache credentials pop up in
> the browser. However, no pop up happens, and the backend immediately
> fails. Did I misunderstand how this would work?
The only thing my script does is checking the response code of some
subrequest. What you do with it is entirely up to you. The example in
the README on GitHub denies the request.
Instead of denying the request you could select a different backend
(i.e. Apache) which then would be able to show the authentication screen.
In my blog post I use this to force the request to go to OAuth Proxy if
the verification fails:
use_backend oauth_proxy if ! { var(txn.auth_response_successful) -m
bool }
Instead of `oauth_proxy` you would use `auth_request` based on the
configuration you gave previously.
> I thought that maybe the user/pass needs to be included in the url
> (http://user:p...@domain.tld), but the behaviour remains the same
>
HTTP Basic authentication should work out of the box, because all the
request headers are forwarded to the backend.
Best regards
Tim Düsterhus
Re: haproxy-auth-request
Hi Tim, First, apologies for the breach in etiquette, will use reply-all on this list. After following the thread in github and your hint that a apt-gettable package for luasocket exists, I purged everything from luarocks and installed from debian repos and the script is no longer producing errors and the backend is successfully logging connections. A follow up question, if I may: my backend leads to a simple apache DocumentRoot with auth that works as expected when accessed directly. I was expecting when accessing through haproxy that when the auth-request script did its subrequest, I would get the apache credentials pop up in the browser. However, no pop up happens, and the backend immediately fails. Did I misunderstand how this would work? I thought that maybe the user/pass needs to be included in the url (http://user:p...@domain.tld), but the behaviour remains the same On 2018-09-04 07:35 AM, Tim Düsterhus wrote: Hi all, Am 04.09.2018 um 13:50 schrieb Tim Düsterhus: Someone reported the same error in the issue tracker on GitHub: https://github.com/TimWolla/haproxy-auth-request/issues/4 The issue in the bug tracker was caused by an old version of lua-socket. Unfortunately the author of lua-socket does not seem to do regular releases (at least there are no git tags) which makes it hard to specify what a supported version is. Best regards Tim Düsterhus
Re: haproxy-auth-request
Hi all, Am 04.09.2018 um 13:50 schrieb Tim Düsterhus: > Someone reported the same error in the issue tracker on GitHub: > https://github.com/TimWolla/haproxy-auth-request/issues/4 > The issue in the bug tracker was caused by an old version of lua-socket. Unfortunately the author of lua-socket does not seem to do regular releases (at least there are no git tags) which makes it hard to specify what a supported version is. Best regards Tim Düsterhus
Re: haproxy-auth-request
Hi all, Am 02.09.2018 um 22:47 schrieb Tim Düsterhus: >> Lua function 'auth-request': runtime error: attempt to yield across a >> C-call boundary from [C] field 'request', >> /Computerisms/config/etc/haproxy.auth.lua:95 C function line 56. > Someone reported the same error in the issue tracker on GitHub: https://github.com/TimWolla/haproxy-auth-request/issues/4 Best regards Tim Düsterhus
Re: haproxy-auth-request
Bob, Am 02.09.2018 um 21:59 schrieb Computerisms Corporation: > Lua function 'auth-request': runtime error: attempt to yield across a > C-call boundary from [C] field 'request', > /Computerisms/config/etc/haproxy.auth.lua:95 C function line 56. This is interesting. I don't know anything about Lua internals, thus adding Thierry as the Lua maintainer in haproxy to the Cc-list. Please use "Reply All" to ensure that the people participating in the thread don't miss any emails. :-) > As per luarocks: > > root@sand2lian:/etc/apache2# luarocks list > Installed rocks: > > luasocket > 3.0rc1-2 (installed) - /usr/local/lib/luarocks/rocks > > As per dpkg: > > root@sand2lian:/etc/apache2# dpkg -l lua5.3 > ii lua5.3 5.3.3-1 Personally I installed lua-socket using apt: $ dpkg -l |grep lua ii liblua5.3-0:amd64 5.3.3-1 amd64Shared library for the Lua interpreter version 5.3 ii lua-socket:amd64 3.0~rc1+git+ac3201d-4 amd64TCP/UDP socket library for the Lua language Bob, can you give your `haproxy -vv`? Best regards Tim Düsterhus
Re: haproxy-auth-request
Hi Tim, Joseph,
Thank you both very much for answering; so very much appreciated.
Am 02.09.2018 um 00:12 schrieb Joseph Sible:
Try removing the highlighted block of code:
https://github.com/TimWolla/haproxy-auth-request/blob/e6a686e6f192200a6c7001c303b87d2d6e9d4788/auth-request.lua#L45-L51
It's a monkey-patch to haproxy's socket that you might not need.
Yes, it's obsolete as of haproxy 1.8.4. But I don't believe it to be the
cause of the issues. It looks like the monkey patched function itself is
given invalid parameters.
so, this is good to know, but for the sake of completeness, I will
mention that I have commented that particular block of code, as well as
just the :old_settimeout line, as well as the block of code above it,
and I commented the timeout in the http.lua file, as suggested in the
blog post, plus I tried commenting and changing several other lines in
the auth-request.lua file.
the commenting and changing mostly(always?) ended up in the following error:
Lua function 'auth-request': runtime error: attempt to yield across a
C-call boundary from [C] field 'request',
/Computerisms/config/etc/haproxy.auth.lua:95 C function line 56.
I believe the issue might be that your version of LuaSocket calls
`settimeout` differently that I anticipated in haproxy-auth-request.
What version of LuaSocket are you using? Can you give your configuration?
Absolutely! I am really new to lua and haproxy both, so very possibly I
didn't do something as I was supposed to. I installed luasocket via
luarocks, I had to do some digging around to get it to install the
lua5.3 version, on debian it apparently has preference over lua5.1.
As per luarocks:
root@sand2lian:/etc/apache2# luarocks list
Installed rocks:
luasocket
3.0rc1-2 (installed) - /usr/local/lib/luarocks/rocks
As per dpkg:
root@sand2lian:/etc/apache2# dpkg -l lua5.3
ii lua5.3 5.3.3-1
my haproxy.cfg file is largely by the book as per your instructions on
github:
backend auth_request
modehttp
option forwardfor
server auth-request127.0.0.1:8044
frontendhttpfront
bind${ADDRESS}:80
modehttp
option httplog
log global
http-requestlua.auth-request auth_request /index.html
http-request deny if ! { var(txn.auth_response_successful) -m bool }
# redirectscheme https code 301 if !{ ssl_fc }
default_backend mooglehttp
hm, Tim, what you say about different versions actually might be the
right track; in your blog post the http.lua file you link to shows the line:
h.try(c:settimeout(_M.TIMEOUT))
as line 119, but in my file, that line is number 116, so doesn't seem to
be the same file... will see if I can follow this trail to a solution...
Best regards
Tim Düsterhus
Re: haproxy-auth-request
Bob, Joseph, author of haproxy-auth-request here. Am 02.09.2018 um 00:12 schrieb Joseph Sible: > Try removing the highlighted block of code: > https://github.com/TimWolla/haproxy-auth-request/blob/e6a686e6f192200a6c7001c303b87d2d6e9d4788/auth-request.lua#L45-L51 > > It's a monkey-patch to haproxy's socket that you might not need. Yes, it's obsolete as of haproxy 1.8.4. But I don't believe it to be the cause of the issues. It looks like the monkey patched function itself is given invalid parameters. > On Fri, Aug 31, 2018 at 8:05 PM Computerisms Corporation > wrote: >> https://www.mail-archive.com/haproxy@formilux.org/msg28604.html and >> https://www.mail-archive.com/haproxy@formilux.org/msg28574.html, I am >> lead to believe this should be an fixed in my apt-installed version of >> haproxy 1.8.13-1. Yes, see above. >> I have been investigating, commenting code, and hacking by trial and >> error to find a solution, but so far I am not able to get past this >> point. Clearly my skills and understanding are not yet where they need >> to be, being relatively new to both haproxy and lua. >> >> It occurs that this could be a lua problem (as opposed to haproxy), but >> according to what I have read and understood, it seems that this is >> related to haproxy's implementation of lua more than lua itself. Hence >> I am asking here first. >> >> Wondering if anyone can offer some insight, or point me at some required >> reading that might shed some light on this but isn't aimed at a >> developer level of understanding? I have read through >> https://www.arpalert.org/haproxy-lua.html#h211 a time or two, but if >> there is a shining light bulb in there it hasn't blinded me yet. >> I believe the issue might be that your version of LuaSocket calls `settimeout` differently that I anticipated in haproxy-auth-request. What version of LuaSocket are you using? Can you give your configuration? Best regards Tim Düsterhus
Re: haproxy-auth-request
Try removing the highlighted block of code: https://github.com/TimWolla/haproxy-auth-request/blob/e6a686e6f192200a6c7001c303b87d2d6e9d4788/auth-request.lua#L45-L51 It's a monkey-patch to haproxy's socket that you might not need. On Fri, Aug 31, 2018 at 8:05 PM Computerisms Corporation wrote: > > Hi Gurus; > > I was in the IRC channel the other day looking for a way to get > authentication through apache's authnz-external working from haproxy; > specifically I have a few nodejs applications and I want to put an > authentication system using imap in front. I already have > authnz-external working so it would be convenient to continue using it. > dcorbett suggested I investigate lua, which led me to finding > https://github.com/TimWolla/haproxy-auth-request. seems like just the > thing I need. > > After I checked that I met all the criteria and installed it and got > every thing setup and worked out my mistakes, I was left with log > entries like: Lua function 'auth-request': runtime error: > haproxy.auth.lua:48: bad argument #1 to 'old_settimeout' (number > expected, got nil) from [C] field 'request', haproxy.auth.lua:95 C > function line 56. > > Fortunately, the author was most excellent and documented the history of > this script here: https://bl.duesterhus.eu/20180119/, specifically the > section regarding haproxy's sockets. Through that post and also > comments in the github script containing links to > https://www.mail-archive.com/haproxy@formilux.org/msg28604.html and > https://www.mail-archive.com/haproxy@formilux.org/msg28574.html, I am > lead to believe this should be an fixed in my apt-installed version of > haproxy 1.8.13-1. > > I have been investigating, commenting code, and hacking by trial and > error to find a solution, but so far I am not able to get past this > point. Clearly my skills and understanding are not yet where they need > to be, being relatively new to both haproxy and lua. > > It occurs that this could be a lua problem (as opposed to haproxy), but > according to what I have read and understood, it seems that this is > related to haproxy's implementation of lua more than lua itself. Hence > I am asking here first. > > Wondering if anyone can offer some insight, or point me at some required > reading that might shed some light on this but isn't aimed at a > developer level of understanding? I have read through > https://www.arpalert.org/haproxy-lua.html#h211 a time or two, but if > there is a shining light bulb in there it hasn't blinded me yet. > > > -- > Bob Miller > Cell: 867-334-7117 > Office: 867-633-3760 > www.computerisms.ca >
