On 01 May 18:40, Aleksandar Lazic wrote:
>
> On 01.05.21 14:38, Julien Pivotto wrote:
> > I do not know what you are trying to achieve.
>
> I try to add, on the first line of defense => HAProxy, the possibility to
> protect the backend from attack without talking outside of HAProxy.
>
> > Did you see https://github.com/criteo/haproxy-spoe-auth ?
>
> Well yes, thanks for sharing.
>
> There are some environments where you can't use SPOE and therefore it would be
> nice to have the option to verify the Token before any connection goes to any
> backend or SPOE agent.

Did you also see the other approach https://github.com/haproxytech/haproxy-lua-jwt then?

> >
> > On 01 May 13:42, Aleksandar Lazic wrote:
> > >
> > > On 30.04.21 02:01, Aleksandar Lazic wrote:
> > > > Hi.
> > > >
> > > > I am thinking about integrating "l8w8jwt_decode(...)" into HAProxy.
> > > > https://github.com/GlitchedPolygons/l8w8jwt
> > > >
> > > > The RS* methods require some "RSA_PRIVATE_KEY[] = ..." and I'm not sure
> > > > what's the best method for a sample to read such a key in HAProxy
> > > > converters.
> > > >
> > > > My suggestion for the converter name:
> > > >
> > > > jwt_verify(alg,key) : boolean
> > > >
> > > > Example call:
> > > > http-request set-var(txn.jwt_verified) req.hdr(Authorization),ub64dec,jwt_verify(alg,HSKEY)
> > > > http-request set-var(txn.jwt_verified) req.hdr(Authorization),ub64dec,jwt_verify(alg,"path_to_RS_PEM")
> > > >
> > > > Any opinions?
> > >
> > > Some more examples and questions.
> > >
> > > I have such a sequence in mind.
> > > ```
> > > # check if the request has a Bearer Token
> > > # https://tools.ietf.org/html/rfc6750
> > > acl bearer_header_exist req.hdr(Authorization) -m beg Bearer
> > >
> > > # Get the right HMAC or PEM-File into the variable jwt_verify_value
> > > http-request set-var(txn.jwt_verify_value) req.hdr(host),map_str(jwt_pem.lst),read_file_to_string if bearer_header_exist
> > >
> > > # Extract the JSON Web Algorithm (JWA) from the Bearer Token.
> > > http-request set-var(txn.jwt_algo) req.hdr(Authorization),word(1,.),ub64dec,json_query('$.alg') if bearer_header_exist
> > >
> > > # Verify the JWT Token with the right HMAC or PEM
> > > http-request set-var(txn.jwt_check) req.hdr(Authorization),ub64dec,jwt_verify(%[var(txn.jwt_algo)],%[var(txn.jwt_verify_value)]) \
> > >     if bearer_header_exist { jwt_valid_algo(%[var(txn.jwt_algo)]) }
> > > ```
> > >
> > > jwt_valid_algo will be similar to fix_is_valid.
> > > jwt_valid_algo will check if the '$.alg' is a supported JSON Web Algorithm.
> > >
> > > Do I need to call some functions in the converters
> > > (jwt_verify,jwt_valid_algo) to look up '%[var(...)]'?
> > > I haven't found a function which does the read_file_to_string; does such a
> > > function exist in HAProxy?
> > > Can I create a $MAP or $DATA_STRUCTURE to avoid reading the file on
> > > every request?
> > > Is there a max size of a variable in HAProxy?
> > >
> > > Any feedback is very welcome.
> > >
> > > Regards
> > > Alex
> >

--
(o-    Julien Pivotto
//\    Open-Source Consultant
V_/_   Inuits - https://www.inuits.eu
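The converter sequence sketched in the thread (bearer check, per-host key lookup, alg extraction, alg allow-list, then signature verification) as a stand-alone model in Python. This is an added example, not HAProxy code and not from any of the participants or from l8w8jwt; the function names mirror the proposed converters (`jwt_valid_algo`, `jwt_verify`), the `KEY_MAP` dict stands in for the `jwt_pem.lst` map and is loaded once so nothing is read per request, and the host, secret and tokens are constructed for the demo. Only the HS* algorithms are implemented with the standard library; the RS* branch the thread asks about would need an RSA library and is left out.

```python
"""Added example: a model of the proposed HAProxy JWT converter pipeline.
Not part of HAProxy or of the mailing-list thread; HS* only."""
import base64
import hashlib
import hmac
import json

# Allow-list of JSON Web Algorithms this verifier supports. Anything else,
# including "none", is rejected before any key material is used. This is the
# role of the jwt_valid_algo converter proposed in the thread.
SUPPORTED_ALGS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}

# Constructed stand-in for the jwt_pem.lst map (request host -> shared secret).
# Built once at start-up, which answers the "read the file on every request"
# concern: the per-request work is a dict lookup, not file I/O.
KEY_MAP = {
    "api.example.test": b"constructed-demo-secret",
}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def bearer_token(authorization):
    """Equivalent of the bearer_header_exist acl: the token, or None."""
    if authorization is None or not authorization.startswith("Bearer "):
        return None
    return authorization[len("Bearer "):].strip() or None


def jwt_alg(token: str):
    """Equivalent of word(1,.),ub64dec,json_query('$.alg') on the token."""
    header = json.loads(b64url_decode(token.split(".", 1)[0]))
    if not isinstance(header, dict):
        return None
    return header.get("alg")


def jwt_valid_algo(alg) -> bool:
    return alg in SUPPORTED_ALGS


def jwt_verify(token: str, alg: str, key: bytes) -> bool:
    """jwt_verify(alg,key) : boolean. HMAC over header.payload, constant-time compare."""
    parts = token.split(".")
    if len(parts) != 3 or not jwt_valid_algo(alg):
        return False
    try:
        signing_input = (parts[0] + "." + parts[1]).encode()
        expected = hmac.new(key, signing_input, SUPPORTED_ALGS[alg]).digest()
        return hmac.compare_digest(expected, b64url_decode(parts[2]))
    except (ValueError, TypeError):  # malformed base64 in the signature segment
        return False


def request_is_authorized(host: str, authorization) -> bool:
    """The whole sequence from the thread, in order, for one request."""
    token = bearer_token(authorization)
    if token is None:
        return False
    key = KEY_MAP.get(host)          # map_str(jwt_pem.lst) on req.hdr(host)
    if key is None:
        return False
    try:
        alg = jwt_alg(token)
    except (ValueError, TypeError):  # undecodable or non-JSON header segment
        return False
    if not jwt_valid_algo(alg):      # the { jwt_valid_algo(...) } condition
        return False
    return jwt_verify(token, alg, key)


def make_hs_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed token for the demo; in production the issuer mints these."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), SUPPORTED_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    demo = make_hs_token({"sub": "alice"}, KEY_MAP["api.example.test"])
    print("valid token:", request_is_authorized("api.example.test", "Bearer " + demo))
    print("wrong host: ", request_is_authorized("other.example.test", "Bearer " + demo))
```

Two points the model makes explicit: the algorithm taken from the token header is only acted on after it passes the allow-list, so an `alg` of `none` never reaches the verifier; and when a deployment mixes HS* secrets and RS* public keys, the permitted algorithm should be bound to the key entry in the map rather than read from the header alone, otherwise a public key could be fed to the HMAC branch as if it were a shared secret.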