
I have a microservice deployed on 3 nodes sitting behind an HAProxy load balancer, all inside an internal network. The services are protected using an OAuth2 APIs authorization server. Now, I want to move the HAProxy to the DMZ. I want to reject requests that do not have an auth token in the header and also validate the auth token by calling the OAuth REST API.

In HAProxy I couldn't find a way to do this. There is an option httpchk which can be used for healthcheck. I'm looking for a similar feature that can be used to validate each incoming request.

Can anyone please suggest how to implement this using HAProxy or Apache mod_proxy?

Ambal

2 Answers


There's the Apache module mod_auth_openidc that would allow you to validate OAuth 2.0 tokens against an Authorization Server, see: https://github.com/zmartzone/mod_auth_openidc. That module can be combined with mod_proxy to achieve what you are looking for.

Hans Z.
  • Excellent! Do you have any plans to integrate with [OAuth-apis](https://github.com/OAuth-Apis/apis)? Also, do you have compiled binaries (rpm) for CentOS/RHEL? Thanks! – Ambal Oct 27 '15 at 20:43
  • binaries are in the "releases" section; I'll investigate OAuth-apis and let you know – Hans Z. Oct 27 '15 at 20:49
  • You should be able to configure mod_auth_openidc so that it works against OAuth-apis; use `OIDCOAuthIntrospectionEndpointMethod GET`, set the key in `OIDCOAuthClientID`, set the secret in `OIDCOAuthClientSecret`, set `OIDCOAuthIntrospectionTokenParamName access_token` and `OIDCOAuthIntrospectionEndpoint` to `https:///v1/tokeninfo`, see: https://github.com/pingidentity/mod_auth_openidc/wiki/OAuth-2.0-Resource-Server – Hans Z. Oct 27 '15 at 20:55
  • Thank you. I will try this. – Ambal Oct 27 '15 at 21:08
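Combining the directives from the comments above with mod_proxy in one Apache configuration, as an added example that is not from the answer or from the mod_auth_openidc project; the authorization-server host, the client credentials and the backend addresses are placeholders:

```apache
# Added example, not taken from the answer or from mod_auth_openidc itself.
# Placeholders: auth.example.internal (the OAuth-apis server), CLIENT_ID,
# CLIENT_SECRET, and the three 10.0.0.x backend nodes.
LoadModule auth_openidc_module        modules/mod_auth_openidc.so
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

# Validate each bearer token by calling the authorization server's
# token-info endpoint (a GET carrying the token in the access_token
# parameter, authenticated with the resource server's key and secret).
OIDCOAuthIntrospectionEndpoint        https://auth.example.internal/v1/tokeninfo
OIDCOAuthIntrospectionEndpointMethod  GET
OIDCOAuthIntrospectionTokenParamName  access_token
OIDCOAuthClientID                     CLIENT_ID
OIDCOAuthClientSecret                 CLIENT_SECRET

# The three microservice nodes on the internal network
<Proxy "balancer://apiservers">
    BalancerMember "http://10.0.0.11:8080"
    BalancerMember "http://10.0.0.12:8080"
    BalancerMember "http://10.0.0.13:8080"
</Proxy>

<Location "/api/">
    # Requests without a valid token are rejected here, in the DMZ,
    # before mod_proxy forwards anything to the internal nodes.
    AuthType oauth20
    Require valid-user
    ProxyPass        "balancer://apiservers/api/"
    ProxyPassReverse "balancer://apiservers/api/"
</Location>
```

Comments must stay on their own lines in httpd configuration; a `#` after a directive on the same line is a syntax error.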

> In HAProxy I couldn't find a way to do this.

For the record, as of 2021 you can. Here's an official HAProxy blog post about using OAuth: https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/.

TL;DR: install this haproxy-lua-oauth script, then you can come up with a config like this snippet:

```haproxy
frontend api_gateway
   # Always use HTTPS to protect the secrecy of the token
   bind :443 ssl crt /usr/local/etc/haproxy/pem/test.com.pem

   # Accept GET requests and skip further checks
   http-request allow if { method GET }

   # Deny the request if it's missing an Authorization header
   http-request deny unless { req.hdr(authorization) -m found }

   # Verify the token by invoking the jwtverify Lua script
   http-request lua.jwtverify

   # Deny the request unless 'authorized' is true
   http-request deny unless { var(txn.authorized) -m bool }

   # (Optional) Deny the request if it's a POST/DELETE to a
   # path beginning with /api/hamsters, but the token doesn't
   # include the "write:hamsters" scope
   http-request deny if { path_beg /api/hamsters } { method POST DELETE } ! { var(txn.oauth_scopes) -m sub write:hamsters }

   # If no problems, send to the apiservers backend
   default_backend apiservers
```
Rémy