haproxy-auth-request

Computerisms Corporation
haproxy-auth-request
September 01, 2018 02:10AM
Hi Gurus;

I was in the IRC channel the other day looking for a way to get
authentication through apache's authnz-external working from haproxy;
specifically I have a few nodejs applications and I want to put an
authentication system using imap in front. I already have
authnz-external working so it would be convenient to continue using it.
dcorbett suggested I investigate lua, which led me to finding
https://github.com/TimWolla/haproxy-auth-request. seems like just the
thing I need.

After I checked that I met all the criteria and installed it and got
everything set up and worked out my mistakes, I was left with log
entries like: Lua function 'auth-request': runtime error:
haproxy.auth.lua:48: bad argument #1 to 'old_settimeout' (number
expected, got nil) from [C] field 'request', haproxy.auth.lua:95 C
function line 56.

Fortunately, the author was most excellent and documented the history of
this script here: https://bl.duesterhus.eu/20180119/, specifically the
section regarding haproxy's sockets. Through that post and also
comments in the github script containing links to
https://www.mail-archive.com/[email protected]/msg28604.html and
https://www.mail-archive.com/[email protected]/msg28574.html, I am
led to believe this should be fixed in my apt-installed version of
haproxy 1.8.13-1.

I have been investigating, commenting code, and hacking by trial and
error to find a solution, but so far I am not able to get past this
point. Clearly my skills and understanding are not yet where they need
to be, being relatively new to both haproxy and lua.

It occurs that this could be a lua problem (as opposed to haproxy), but
according to what I have read and understood, it seems that this is
related to haproxy's implementation of lua more than lua itself. Hence
I am asking here first.

Wondering if anyone can offer some insight, or point me at some required
reading that might shed some light on this but isn't aimed at a
developer level of understanding? I have read through
https://www.arpalert.org/haproxy-lua.html#h211 a time or two, but if
there is a shining light bulb in there it hasn't blinded me yet.


--
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca
Joseph Sible
Re: haproxy-auth-request
September 02, 2018 12:20AM
Try removing the highlighted block of code:
https://github.com/TimWolla/haproxy-auth-request/blob/e6a686e6f192200a6c7001c303b87d2d6e9d4788/auth-request.lua#L45-L51

It's a monkey-patch to haproxy's socket that you might not need.
On Fri, Aug 31, 2018 at 8:05 PM Computerisms Corporation
<[email protected]> wrote:
>
> Hi Gurus;
>
> I was in the IRC channel the other day looking for a way to get
> authentication through apache's authnz-external working from haproxy;
> specifically I have a few nodejs applications and I want to put an
> authentication system using imap in front. I already have
> authnz-external working so it would be convenient to continue using it.
> dcorbett suggested I investigate lua, which led me to finding
> https://github.com/TimWolla/haproxy-auth-request. seems like just the
> thing I need.
>
> After I checked that I met all the criteria and installed it and got
> everything set up and worked out my mistakes, I was left with log
> entries like: Lua function 'auth-request': runtime error:
> haproxy.auth.lua:48: bad argument #1 to 'old_settimeout' (number
> expected, got nil) from [C] field 'request', haproxy.auth.lua:95 C
> function line 56.
>
> Fortunately, the author was most excellent and documented the history of
> this script here: https://bl.duesterhus.eu/20180119/, specifically the
> section regarding haproxy's sockets. Through that post and also
> comments in the github script containing links to
> https://www.mail-archive.com/[email protected]/msg28604.html and
> https://www.mail-archive.com/[email protected]/msg28574.html, I am
> led to believe this should be fixed in my apt-installed version of
> haproxy 1.8.13-1.
>
> I have been investigating, commenting code, and hacking by trial and
> error to find a solution, but so far I am not able to get past this
> point. Clearly my skills and understanding are not yet where they need
> to be, being relatively new to both haproxy and lua.
>
> It occurs that this could be a lua problem (as opposed to haproxy), but
> according to what I have read and understood, it seems that this is
> related to haproxy's implementation of lua more than lua itself. Hence
> I am asking here first.
>
> Wondering if anyone can offer some insight, or point me at some required
> reading that might shed some light on this but isn't aimed at a
> developer level of understanding? I have read through
> https://www.arpalert.org/haproxy-lua.html#h211 a time or two, but if
> there is a shining light bulb in there it hasn't blinded me yet.
>
>
> --
> Bob Miller
> Cell: 867-334-7117
> Office: 867-633-3760
> www.computerisms.ca
>
Tim Düsterhus
Re: haproxy-auth-request
September 02, 2018 04:10PM
Bob,
Joseph,

author of haproxy-auth-request here.

Am 02.09.2018 um 00:12 schrieb Joseph Sible:
> Try removing the highlighted block of code:
> https://github.com/TimWolla/haproxy-auth-request/blob/e6a686e6f192200a6c7001c303b87d2d6e9d4788/auth-request.lua#L45-L51
>
> It's a monkey-patch to haproxy's socket that you might not need.

Yes, it's obsolete as of haproxy 1.8.4. But I don't believe it to be the
cause of the issues. It looks like the monkey patched function itself is
given invalid parameters.

> On Fri, Aug 31, 2018 at 8:05 PM Computerisms Corporation
> <[email protected]> wrote:
>> https://www.mail-archive.com/[email protected]/msg28604.html and
>> https://www.mail-archive.com/[email protected]/msg28574.html, I am
>> led to believe this should be fixed in my apt-installed version of
>> haproxy 1.8.13-1.

Yes, see above.

>> I have been investigating, commenting code, and hacking by trial and
>> error to find a solution, but so far I am not able to get past this
>> point. Clearly my skills and understanding are not yet where they need
>> to be, being relatively new to both haproxy and lua.
>>
>> It occurs that this could be a lua problem (as opposed to haproxy), but
>> according to what I have read and understood, it seems that this is
>> related to haproxy's implementation of lua more than lua itself. Hence
>> I am asking here first.
>>
>> Wondering if anyone can offer some insight, or point me at some required
>> reading that might shed some light on this but isn't aimed at a
>> developer level of understanding? I have read through
>> https://www.arpalert.org/haproxy-lua.html#h211 a time or two, but if
>> there is a shining light bulb in there it hasn't blinded me yet.
>>

I believe the issue might be that your version of LuaSocket calls
`settimeout` differently than I anticipated in haproxy-auth-request.
What version of LuaSocket are you using? Can you give your configuration?

Best regards
Tim Düsterhus
Computerisms Corporation
Re: haproxy-auth-request
September 02, 2018 10:10PM
Hi Tim, Joseph,

Thank you both very much for answering; so very much appreciated.

> Am 02.09.2018 um 00:12 schrieb Joseph Sible:
>> Try removing the highlighted block of code:
>> https://github.com/TimWolla/haproxy-auth-request/blob/e6a686e6f192200a6c7001c303b87d2d6e9d4788/auth-request.lua#L45-L51
>>
>> It's a monkey-patch to haproxy's socket that you might not need.
>
> Yes, it's obsolete as of haproxy 1.8.4. But I don't believe it to be the
> cause of the issues. It looks like the monkey patched function itself is
> given invalid parameters.

So, this is good to know, but for the sake of completeness, I will
mention that I have commented that particular block of code, as well as
just the :old_settimeout line, as well as the block of code above it,
and I commented the timeout in the http.lua file, as suggested in the
blog post, plus I tried commenting and changing several other lines in
the auth-request.lua file.

The commenting and changing mostly (always?) ended up in the following error:

Lua function 'auth-request': runtime error: attempt to yield across a
C-call boundary from [C] field 'request',
/Computerisms/config/etc/haproxy.auth.lua:95 C function line 56.
>
> I believe the issue might be that your version of LuaSocket calls
> `settimeout` differently than I anticipated in haproxy-auth-request.
> What version of LuaSocket are you using? Can you give your configuration?

Absolutely! I am really new to lua and haproxy both, so very possibly I
didn't do something as I was supposed to. I installed luasocket via
luarocks, I had to do some digging around to get it to install the
lua5.3 version, on debian it apparently has preference over lua5.1.

As per luarocks:

[email protected]:/etc/apache2# luarocks list
Installed rocks:
----------------
luasocket
   3.0rc1-2 (installed) - /usr/local/lib/luarocks/rocks

As per dpkg:

[email protected]:/etc/apache2# dpkg -l lua5.3
ii lua5.3 5.3.3-1



my haproxy.cfg file is largely by the book as per your instructions on
github:

backend auth_request
    mode http
    option forwardfor
    server auth-request 127.0.0.1:8044

frontend httpfront
    bind ${ADDRESS}:80
    mode http
    option httplog
    log global
    http-request lua.auth-request auth_request /index.html
    http-request deny if ! { var(txn.auth_response_successful) -m bool }
    # redirect scheme https code 301 if !{ ssl_fc }
    default_backend mooglehttp



Hm, Tim, what you say about different versions actually might be the
right track; in your blog post the http.lua file you link to shows the line:

h.try(c:settimeout(_M.TIMEOUT))

as line 119, but in my file, that line is number 116, so doesn't seem to
be the same file... will see if I can follow this trail to a solution...


>
> Best regards
> Tim Düsterhus
>
Tim Düsterhus
Re: haproxy-auth-request
September 02, 2018 11:00PM
Bob,

Am 02.09.2018 um 21:59 schrieb Computerisms Corporation:
> Lua function 'auth-request': runtime error: attempt to yield across a
> C-call boundary from [C] field 'request',
> /Computerisms/config/etc/haproxy.auth.lua:95 C function line 56.

This is interesting. I don't know anything about Lua internals, thus
adding Thierry as the Lua maintainer in haproxy to the Cc-list.

Please use "Reply All" to ensure that the people participating in the
thread don't miss any emails. :-)

> As per luarocks:
>
> [email protected]d2lian:/etc/apache2# luarocks list
> Installed rocks:
> ----------------
> luasocket
>    3.0rc1-2 (installed) - /usr/local/lib/luarocks/rocks
>
> As per dpkg:
>
> [email protected]:/etc/apache2# dpkg -l lua5.3
> ii  lua5.3                               5.3.3-1

Personally I installed lua-socket using apt:

$ dpkg -l |grep lua
ii  liblua5.3-0:amd64  5.3.3-1                amd64  Shared library for the Lua interpreter version 5.3
ii  lua-socket:amd64   3.0~rc1+git+ac3201d-4  amd64  TCP/UDP socket library for the Lua language


Bob, can you give your `haproxy -vv`?

Best regards
Tim Düsterhus
Tim Düsterhus
Re: haproxy-auth-request
September 04, 2018 02:00PM
Hi all,

Am 02.09.2018 um 22:47 schrieb Tim Düsterhus:
>> Lua function 'auth-request': runtime error: attempt to yield across a
>> C-call boundary from [C] field 'request',
>> /Computerisms/config/etc/haproxy.auth.lua:95 C function line 56.
>

Someone reported the same error in the issue tracker on GitHub:
https://github.com/TimWolla/haproxy-auth-request/issues/4

Best regards
Tim Düsterhus
Tim Düsterhus
Re: haproxy-auth-request
September 04, 2018 04:40PM
Hi all,

Am 04.09.2018 um 13:50 schrieb Tim Düsterhus:
> Someone reported the same error in the issue tracker on GitHub:
> https://github.com/TimWolla/haproxy-auth-request/issues/4
>

The issue in the bug tracker was caused by an old version of lua-socket.
Unfortunately the author of lua-socket does not seem to do regular
releases (at least there are no git tags) which makes it hard to specify
what a supported version is.

Best regards
Tim Düsterhus
Computerisms Corporation
Re: haproxy-auth-request
September 04, 2018 11:40PM
Hi Tim,

First, apologies for the breach in etiquette, will use reply-all on this
list.

After following the thread in github and your hint that an apt-gettable
package for luasocket exists, I purged everything from luarocks and
installed from debian repos and the script is no longer producing errors
and the backend is successfully logging connections.

A follow up question, if I may: my backend leads to a simple apache
DocumentRoot with auth that works as expected when accessed directly. I
was expecting when accessing through haproxy that when the auth-request
script did its subrequest, I would get the apache credentials pop up in
the browser. However, no pop up happens, and the backend immediately
fails. Did I misunderstand how this would work?

I thought that maybe the user/pass needs to be included in the url
(http://user:[email protected]), but the behaviour remains the same....

On 2018-09-04 07:35 AM, Tim Düsterhus wrote:
> Hi all,
>
> Am 04.09.2018 um 13:50 schrieb Tim Düsterhus:
>> Someone reported the same error in the issue tracker on GitHub:
>> https://github.com/TimWolla/haproxy-auth-request/issues/4
>>
>
> The issue in the bug tracker was caused by an old version of lua-socket.
> Unfortunately the author of lua-socket does not seem to do regular
> releases (at least there are no git tags) which makes it hard to specify
> what a supported version is.
>
> Best regards
> Tim Düsterhus
>
Tim Düsterhus
Re: haproxy-auth-request
September 04, 2018 11:50PM
Bob,

Am 04.09.2018 um 23:27 schrieb Computerisms Corporation:
> First, apologies for the breach in etiquette, will use reply-all on this
> list.

FWIW: I removed Thierry again, because at this point this is no longer
about Lua itself :-)

> After following the thread in github and your hint that an apt-gettable
> package for luasocket exists, I purged everything from luarocks and
> installed from debian repos and the script is no longer producing errors
> and the backend is successfully logging connections.

Perfect!

> A follow up question, if I may: my backend leads to a simple apache

Sure.

> DocumentRoot with auth that works as expected when accessed directly.  I
> was expecting when accessing through haproxy that when the auth-request
> script did its subrequest, I would get the apache credentials pop up in
> the browser.  However, no pop up happens, and the backend immediately
> fails.  Did I misunderstand how this would work?

The only thing my script does is checking the response code of some
subrequest. What you do with it is entirely up to you. The example in
the README on GitHub denies the request.
Instead of denying the request you could select a different backend
(i.e. Apache) which then would be able to show the authentication screen.

In my blog post I use this to force the request to go to OAuth Proxy if
the verification fails:

    use_backend oauth_proxy if ! { var(txn.auth_response_successful) -m bool }

Instead of `oauth_proxy` you would use `auth_request` based on the
configuration you gave previously.

> I thought that maybe the user/pass needs to be included in the url
> (http://user:[email protected]), but the behaviour remains the same....
>

HTTP Basic authentication should work out of the box, because all the
request headers are forwarded to the backend.

Best regards
Tim Düsterhus
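
Added example (not part of the thread and not code from haproxy-auth-request): a minimal Python stand-in for the service behind the `auth_request` backend on 127.0.0.1:8044, showing the flow described above. It answers the subrequest with 200 when the forwarded `Authorization` header is valid and with 401 plus `WWW-Authenticate` otherwise, so a browser routed to it by `use_backend auth_request` gets the credentials prompt. The `USERS` table, the realm and the function names are constructed for illustration, and the example assumes a 2xx subrequest response is what sets `txn.auth_response_successful`.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials (assumption); a real deployment would check
# against its own user store (IMAP in this thread's case).
USERS = {"bob": "correct horse"}
REALM = "auth-request demo"


def check_basic(header):
    """Return True if an Authorization header carries valid Basic credentials."""
    if not header:
        return False
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = USERS.get(user)
    # Compare even for unknown users so timing does not reveal valid names.
    same = hmac.compare_digest(password.encode(), (expected or "").encode())
    return expected is not None and same


def decide(headers):
    """Map the forwarded request headers to (status, extra response headers)."""
    if check_basic(headers.get("Authorization")):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, extra = decide(self.headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET  # answer HEAD subrequests the same way


if __name__ == "__main__":
    # Same address as "server auth-request 127.0.0.1:8044" in the thread.
    HTTPServer(("127.0.0.1", 8044), AuthHandler).serve_forever()
```
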
Computerisms Corporation
Re: haproxy-auth-request
September 11, 2018 12:30AM
Hi Tim,

Wanted to say thank you for your help, I got everything working.

In case it helps others new to this figure out how to accomplish the
task, here is the config I ended up with:


frontend httpfront
    bind ${ADDRESS}:80 v4v6
    bind ${ADDRESS}:443 v4v6 ssl crt /Computerisms/config/certificates/
    redirect scheme https code 301 if !{ ssl_fc }
    mode http
    option httplog
    log global
    http-request lua.auth-request auth_request /index.html
    ## ACLs
    acl test.computerisms.ca ssl_fc_sni -i test.computerisms.ca
    ## AUTHREQ
    use_backend auth_request if ! { var(txn.auth_response_successful) -m bool } test.computerisms.ca
    ## AUTHBACKEND
    use_backend test.computerisms.ca if test.computerisms.ca
    default_backend mooglehttps

On 2018-09-04 02:42 PM, Tim Düsterhus wrote:
> Bob,
>
> Am 04.09.2018 um 23:27 schrieb Computerisms Corporation:
>> First, apologies for the breach in etiquette, will use reply-all on this
>> list.
>
> FWIW: I removed Thierry again, because at this point this is no longer
> about Lua itself :-)
>
>> After following the thread in github and your hint that an apt-gettable
>> package for luasocket exists, I purged everything from luarocks and
>> installed from debian repos and the script is no longer producing errors
>> and the backend is successfully logging connections.
>
> Perfect!
>
>> A follow up question, if I may: my backend leads to a simple apache
>
> Sure.
>
>> DocumentRoot with auth that works as expected when accessed directly.  I
>> was expecting when accessing through haproxy that when the auth-request
>> script did its subrequest, I would get the apache credentials pop up in
>> the browser.  However, no pop up happens, and the backend immediately
>> fails.  Did I misunderstand how this would work?
>
> The only thing my script does is checking the response code of some
> subrequest. What you do with it is entirely up to you. The example in
> the README on GitHub denies the request.
> Instead of denying the request you could select a different backend
> (i.e. Apache) which then would be able to show the authentication screen.
>
> In my blog post I use this to force the request to go to OAuth Proxy if
> the verification fails:
>
>     use_backend oauth_proxy if ! { var(txn.auth_response_successful) -m bool }
>
> Instead of `oauth_proxy` you would use `auth_request` based on the
> configuration you gave previously.
>
>> I thought that maybe the user/pass needs to be included in the url
>> (http://user:[email protected]), but the behaviour remains the same....
>>
>
> HTTP Basic authentication should work out of the box, because all the
> request headers are forwarded to the backend.
>
> Best regards
> Tim Düsterhus
>