oliyh/haproxy-cert-jwt

Stars
2
Language
Lua
Created almost 2 years ago
Updated almost 2 years ago

oliyh/haproxy-cert-jwt

oliyh

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

A Lua extension for HAProxy to turn an SSL client certificate into a JWT for the backend

haproxy-cert-jwt

A Lua extension to HAProxy supporting encoding of a client SSL certificate into a JWT in the Authorization header for the backend server.

Note that the JWT produced is of the JSON Web Signature (JWS) variant. Your backend will need the secret key in order to verify the signature.

Pre-requesites

HAProxy compiled with Lua support
luarocks for downloading dependencies

Usage

Install lua dependencies:

git clone https://github.com/oliyh/luajwt.git
luarocks install --tree rocks luajwt/luajwt-1.0-1.rockspec

Then run haproxy setting the CERT_JWT_KEY environment variable.

CERT_JWT_KEY=mysecret haproxy -f haproxy.cfg

Example

Build the example docker image

docker build . -t cert-jwt-example -f example/Dockerfile

Start a Docker image

docker run -it --rm cert-jwt-example

Start HAProxy with the example config:

CERT_JWT_KEY=some-long-and-secure-secret-key! haproxy -f haproxy.cfg &

And try it out:

curl --cert localhost.crt --key localhost.crt.key --cacert myCA.pem https://localhost/anything

You will see the backend request echoed back to you. Note the Authorization header which has been populated with the JWT. You can use https://token.dev/ to verify the contents and signing of the JWT.

Example JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2Njk4Mjg2ODEsImlzcyI6IlwvQz1BVVwvU1Q9U29tZS1TdGF0ZVwvTz1vbGl5aFwvQ049aGFwcm94eS1jZXJ0LWp3dC1leGFtcGxlIiwiaWF0IjoxNjY5ODI4NzExLCJleHAiOjE3NDExMDg2ODEsInN1YiI6ImhhcHJveHktY2VydC1qd3QtZXhhbXBsZSJ9.0osWZg5ecOAdJFvwh-IbTKr8oAienTF81MT1WwLpRIo

Decoded on https://token.dev/

{
  "nbf": 1669828681,
  "iss": "/C=AU/ST=Some-State/O=oliyh/CN=haproxy-cert-jwt-example",
  "iat": 1669828711,
  "exp": 1741108681,
  "sub": "haproxy-cert-jwt-example"
}

martian

The HTTP abstraction library for Clojure/script, supporting OpenAPI, Swagger, Schema, re-frame and more

re-graph

A graphql client for clojurescript and clojure

superlifter

A DataLoader for Clojure/script

re-learn

A library for integrating tutorials into your re-frame/reagent application

pedestal-api

Easily build APIs in Pedestal using Schema and Swagger

kamera

UI testing via image comparison and devcards

lacinia-gen

Generators for GraphQL

re-jump.el

emacs navigation for re-frame projects

locksmith

Want to use GraphQL with Clojure/script but don't want keBab or snake_keys everywhere? Use locksmith to change all the keys!

slacky

Memes as a Slack Service

angel-interceptor

Express relations between Pedestal interceptors and decouple scope from execution order

doo-chrome-devprotocol

A runner for doo which runs tests in Chrome, using the Chrome Dev Protocol with no need for karma or npm.

carmine-streams

Utility functions for working with Redis streams in carmine

fixa

Better test fixtures for clojure

oxbow

A Server Sent Events (SSE) client for Clojurescript based on js/fetch

spa-skeleton

A skeleton project for a ClojureScript Single Page Application backed by a Swagger API

re-partee

How I build Clojurescript apps

carve.el

Emacs plugin for borkdude/carve

alrightee

Tee for re-frame

learning-clojure

Learning materials for Clojure

tinybeans-archive

Create an archive of a tinybeans journal

cljockwork

A REST API for cron4j, written in Clojure

stardev-feedback

Capturing feedback for https://stardev.io

one-route

A Ring webserver with one route

slacky-bot

All the memes for Slack

cljs-webapp-from-scratch

ingred

Search recipes by ingredient - a REST api written in Clojure with data scraped from the BBC

sunshine

fast-feedback

A presentation giving guidance on how to optimise your feedback loop and improve efficiency

a-taste-of-clojure

A talk to introduce (Java) developers to Clojure

sanakone

masvn

Subversion integration for emacs based on dsvn and inspired by magit