{"id":19243746,"url":"https://github.com/lukaszbudnik/haproxy-auth-gateway","last_synced_at":"2025-06-11T13:33:56.639Z","repository":{"id":47555571,"uuid":"340031586","full_name":"lukaszbudnik/haproxy-auth-gateway","owner":"lukaszbudnik","description":"haproxy-auth-gateway is an authentication and authorization gateway for cloud native apps.","archived":false,"fork":false,"pushed_at":"2021-08-24T10:08:55.000Z","size":24,"stargazers_count":17,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-01T12:11:11.038Z","etag":null,"topics":["authentication","authentication-middleware","authorization","docker","haproxy","keycloak"],"latest_commit_sha":null,"homepage":"","language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lukaszbudnik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-02-18T11:39:46.000Z","updated_at":"2024-12-09T09:04:13.000Z","dependencies_parsed_at":"2022-09-11T09:52:06.911Z","dependency_job_id":null,"html_url":"https://github.com/lukaszbudnik/haproxy-auth-gateway","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukaszbudnik%2Fhaproxy-auth-gateway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukaszbudnik%2Fhaproxy-auth-gateway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukaszbudnik%2Fhaproxy-auth-gateway/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukaszbudnik%2Fhaproxy-auth-gateway/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lukaszbudnik","download_url":"https://codeload.github.com/lukaszbudnik/haproxy-auth-gateway/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250032387,"owners_count":21363828,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authentication-middleware","authorization","docker","haproxy","keycloak"],"created_at":"2024-11-09T17:19:32.484Z","updated_at":"2025-04-21T09:33:13.635Z","avatar_url":"https://github.com/lukaszbudnik.png","language":"Lua","funding_links":[],"categories":[],"sub_categories":[],"readme":"# haproxy-auth-gateway ![Docker](https://github.com/lukaszbudnik/haproxy-auth-gateway/workflows/Docker%20Image%20CI/badge.svg)\n\nhaproxy-auth-gateway is an authentication and authorization gateway for cloud native apps.\n\nhaproxy-auth-gateway features include:\n\n- parsing the JWT token from the HTTP Authorization header\n- Keycloak realm roles support\n- RS256, HS256, HS512 signature verification\n- expiration time verification\n- issuer verification\n- audience verification\n\nhaproxy-auth-gateway can be configured with the following env variables:\n\n- `OAUTH_PUBKEY_PATH` - contains the location of the issuer public key (mandatory)\n- `OAUTH_ISSUER` - contains the name of the issuer (optional)\n- `OAUTH_AUDIENCE` - contains the name of the audience (optional)\n\n# Docker image\n\nhaproxy-auth-gateway is available on Docker Hub:\n\n```\ndocker pull lukasz/haproxy-auth-gateway\n```\n\nor on ghcr.io:\n\n```\ndocker pull 
ghcr.io/lukaszbudnik/haproxy-auth-gateway\n```\n\n# Example\n\nThe below example shows how to deploy \u0026 configure `lukasz/haproxy-auth-gateway` in Kubernetes. It also shows how to invoke the Lua verify script and write ACLs.\n\n\u003e If you are interested in running a complete distributed demo app on Kubernetes, check out: [lukaszbudnik/keycloak-kubernetes](https://github.com/lukaszbudnik/keycloak-kubernetes). This demo app uses Keycloak as the Identity and Access Management solution and haproxy-auth-gateway for transparent authentication and authorization for backend services.\n\n## Kubernetes deployment\n\nhaproxy-auth-gateway requires:\n\n- your haproxy config (_file_)\n- the public key of the JWT issuer (_file_)\n- `OAUTH_PUBKEY_PATH` set to the path of the public key of the JWT issuer (_env variable_)\n- `OAUTH_ISSUER` and `OAUTH_AUDIENCE`, which are optional, should you want more fine-grained JWT verification (_env variables_)\n\nYou can create the haproxy config and public key files as config maps:\n\n```bash\nkubectl create configmap haproxy-auth-gateway-iss-cert --from-file=config/hotel.pem\nkubectl create configmap haproxy-auth-gateway-haproxy-cfg --from-file=config/haproxy.cfg\n```\n\nThen you can map them to volumes and mount them into the haproxy-auth-gateway container. 
In the container spec you also set the env variables:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: gateway\n  labels:\n    app.kubernetes.io/name: gateway\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app.kubernetes.io/name: gateway\n  template:\n    metadata:\n      labels:\n        app.kubernetes.io/name: gateway\n    spec:\n      containers:\n        - name: gateway\n          image: lukasz/haproxy-auth-gateway\n          env:\n            - name: OAUTH_PUBKEY_PATH\n              value: /etc/certs/hotel.pem\n            - name: OAUTH_ISSUER\n              value: issuer_is_optional\n            - name: OAUTH_AUDIENCE\n              value: audience_is_optional\n          ports:\n            - containerPort: 80\n          volumeMounts:\n            - name: iss-cert\n              mountPath: /etc/certs\n            - name: haproxy-cfg\n              mountPath: /usr/local/etc/haproxy\n      volumes:\n        - name: haproxy-cfg\n          configMap:\n            name: haproxy-auth-gateway-haproxy-cfg\n        - name: iss-cert\n          configMap:\n            name: haproxy-auth-gateway-iss-cert\n---\napiVersion: v1\nkind: Service\nmetadata:\n  name: gateway\n  labels:\n    app.kubernetes.io/name: gateway\nspec:\n  type: ClusterIP\n  clusterIP: None\n  selector:\n    app.kubernetes.io/name: gateway\n  ports:\n    - protocol: TCP\n      port: 80\n```\n\nThen we are ready to deploy haproxy-auth-gateway:\n\n```\nkubectl apply -f gateway.yaml\n```\n\n## haproxy ACL\n\nhaproxy-auth-gateway will verify the passed JWT and, if all checks pass, will:\n\n- set the `txn.authorized` variable to `true`\n- set the `txn.roles` variable to a comma separated list of `realm_access.roles`\n\nThe above variables can be used in haproxy ACLs.\n\nFor example:\n\n```\n# deny if no Authorization header sent\nhttp-request deny unless { req.hdr(authorization) -m found }\n# invoke the jwtverify Lua script\nhttp-request lua.jwtverify\n# check if authorized 
successfully\nhttp-request deny unless { var(txn.authorized) -m bool }\n# check roles\nhttp-request deny if PATH_camarero ! { var(txn.roles) -m sub camarero }\n```\n\n# Troubleshooting\n\nThe script outputs many useful debug messages. To enable debug output, add the following configuration to your `haproxy.cfg`:\n\n```\nglobal\n    log stdout local0 debug\n\ndefaults\n    log global\n```\n\n## Sample JWT\n\nA sample JWT token generated by Keycloak looks like this:\n\n```\neyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXejFuaDNCWDI4UHMxVEMzSDRoOW52Q1VWRXpjVVBzQms4Z1NmeEp4ZS1JIn0.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.kkv2K-XYpHexnKmCoyNED_pO7G8hNI8hi2WCUzhpErkvrazNNZmUYZ8ZAjiybpi1u6ouc2EsHGykTNhUBD2jRhb2dWHYqcEEDaIn9MUq62B-nbTIcB-6vf1SrKnY_Vdnq_olmV_MhIJSQjPbDfcCVKKiUxHYmSBc9Vuno-enPehfUb_EpoRaM24SfJ0WDU281rTPxsgAJBdB4Yg0E9KMfCgaXkwRaHXMEGVpzHHqdi8S1lWwxs12Par-Qz4HqP-Tsw6KqNPU11dG3v6H_Q2fWmDsX5vvMqnmWkMQOFzco2fffsx7lcClPxNw3VghSVT-qB_7dMKUoT-DfyIo1Rcbqw\n```\n\nWhen parsed and decoded, it becomes the following.\n\nHeader:\n\n```json\n{\n  \"alg\": \"RS256\",\n  \"typ\": \"JWT\",\n  \"kid\": \"Wz1nh3BX28Ps1TC3H4h9nvCUVEzcUPsBk8gSfxJxe-I\"\n}\n```\n\nPayload:\n\n```json\n{\n  \"exp\": 1613854798,\n  \"iat\": 1613853898,\n  \"auth_time\": 1613853696,\n  \"jti\": \"12b5a31a-ab35-4103-a914-0f4e853388f5\",\n  \"iss\": \"https://auth.localtest.me/auth/realms/hotel\",\n  \"sub\": \"1a55e129-f9bb-4d60-bed1-0babb09bee3e\",\n  \"typ\": \"Bearer\",\n  \"azp\": \"react\",\n  \"nonce\": \"884cb365-4c14-46aa-8e0c-eb3d7f0ca4f0\",\n  \"session_state\": \"746a46ad-acf7-4a16-ab6c-b1fa5a5a81d3\",\n  \"acr\": \"0\",\n  \"allowed-origins\": [\"http://localhost:3000\"],\n  \"realm_access\": {\n    \"roles\": [\"cocinera\", \"doncella\", \"camarero\"]\n  },\n  \"scope\": \"openid email profile\",\n  \"email_verified\": false,\n  \"name\": \"Angela\",\n  \"preferred_username\": \"angela\",\n  \"given_name\": \"Angela\"\n}\n```\n\nPublic key:\n\n```\n-----BEGIN PUBLIC 
KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn1SYrKiXgJembEG1emG\nlUw/NliK0tOTeKr8eBp7TZxI8D9k9FUkfzEeQyWekShPt3yTG9boZ9Sq/K7FAfs7\nvXFG+kTKYYXysvfdkHHKJnPWEAJgqj3vDEpHB/Xqw5OtqOkSNPNYOxJ65ZmmZVNB\n77NpGK5xW5s7xc7XXvLuILhfbOQXlObPbMnjVcnQSGHjmfbtTKsQ/im6ayxtShsL\nFQgEJycplJU21WRy3T9cDHpGOMF3LehFIOmsxspcuC/idS0Nber3Fuw9QndSHZQL\nKPTkDlyacPu9SyOJiMmD9S4QOZo9UVQWA8JlKa+KuL6TXyZ1OZdSkPSX1o1xeH7L\newIDAQAB\n-----END PUBLIC KEY-----\n```\n\n# Original project\n\nhaproxy-auth-gateway is based on the great project from the haproxytech folks: https://github.com/haproxytech/haproxy-lua-oauth.\n\nhaproxy-auth-gateway contains changes to support Keycloak realm roles out of the box.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukaszbudnik%2Fhaproxy-auth-gateway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flukaszbudnik%2Fhaproxy-auth-gateway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukaszbudnik%2Fhaproxy-auth-gateway/lists"}