Hello, I need help with the configuration file of HAProxy. The new config setup without a Lua script doesn't work for me, or maybe I don't understand how to use it: Verify OAuth JWT Tokens with HAProxy - HAProxy Technologies
I want to secure my internal test websites, which are hosted by an Apache server, with a Keycloak login and HAProxy as a reverse proxy in front of Keycloak, using JWT for authentication.
frontend myapi
    bind :9080
    bind :9443 ssl crt /etc/letsencrypt/live/website/ssl.pem alpn h2
    http-request redirect scheme https unless { ssl_fc }

    # reject requests that carry no Authorization header at all
    http-request deny content-type 'text/html' string 'Missing Authorization HTTP header' unless { req.hdr(authorization) -m found }

    # get header part of the JWT (the jwt_* converters require HAProxy 2.5 or newer)
    http-request set-var(txn.alg) http_auth_bearer,jwt_header_query('$.alg')
    # get payload part of the JWT
    http-request set-var(txn.iss) http_auth_bearer,jwt_payload_query('$.iss')
    http-request set-var(txn.aud) http_auth_bearer,jwt_payload_query('$.aud')
    http-request set-var(txn.exp) http_auth_bearer,jwt_payload_query('$.exp','int')
    http-request set-var(txn.scope) http_auth_bearer,jwt_payload_query('$.scope')

    # Validate the JWT: algorithm, issuer and audience are checked before the signature
    http-request deny content-type 'text/html' string 'Unsupported JWT signing algorithm' unless { var(txn.alg) -m str RS256 }
    http-request deny content-type 'text/html' string 'Invalid JWT issuer' unless { var(txn.iss) -m str https://mywebsite.domain/auth/realms/haproxy }
    http-request deny content-type 'text/html' string 'Invalid JWT audience' unless { var(txn.aud) -m str account }
    # verify the RS256 signature against the realm's public key
    http-request deny content-type 'text/html' string 'Invalid JWT signature' unless { http_auth_bearer,jwt_verify(txn.alg,"/etc/haproxy/jwt/pubkey.pem") -m int 1 }
    # exp is seconds since the epoch; deny once it lies in the past
    http-request set-var(txn.now) date()
    http-request deny content-type 'text/html' string 'JWT has expired' if { var(txn.exp),sub(txn.now) -m int lt 0 }

    # scope-based authorization for the API paths
    http-request deny if { path_beg /api/ } { method GET } ! { var(txn.scope) -m sub read }
    http-request deny if { path_beg /api/ } { method DELETE POST PUT } ! { var(txn.scope) -m sub write }
    default_backend servers

backend servers
    balance roundrobin
    server web1 127.0.0.5:7082 check maxconn 30 # website hosted by Apache
I got a JWT with curl from my Keycloak, as in the instructions in the link above.
But if I run my HAProxy and go to the HAProxy IP/domain, I don't need to verify anything and instantly get to the websites from Apache.
How can I change the config file to get authentication with the Keycloak web page?
Thanks for helping!
FYI: I run this whole setup on CentOS 7, Keycloak is running in a Docker container, and I can only log into Keycloak via domain name.
If you need more information, just let me know!