-
-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Add option to retrieve username from HTTP header #219
Conversation
If the connection comes from a trusted ip, the username is pulled from a configured header
OK, it looks like this change breaks a bunch of the tests in Travis CI. I'll see what I can do to resolve this and update the PR. |
Update identification tests to handle new IpBasedIdentification args TODO: Write tests for new functionality
Hi @andrewheberle, great thanks for the contribution! |
hi @andrewheberle , could you please provide an example configuration for HAProxy? we are testing it on our company but we're not really experienced (we usually use apache proxypass). |
Hi @muzzol There are a few parts to this which are:
Could I also mention this is not really battle tested...we use it internally for our small team (approx 30 users) and it works fine, but to be honest I am sure someone with more LUA scripting and Go experience will probably cringe at the changes made to "haproxy-auth-request" and my "go-http-auth-sso" daemon...but moving on... The config we use in HAProxy is as follows (some edits for privacy/brevity):
The basic flow of the authentication process is as follows:
There is quite a lot going on in the above and it took a fair amount of tinkering to get right...and I probably haven't explained things very well either. SAML 2.0 Service Provider (in Golang): https://gitlab.com/andrewheberle/go-http-auth-sso Example JSON response from our service from an authenticated user:
The map file that is used in the LUA script to map the above JSON data to HAProxy variables:
The mapping of "claims" to "variables" above is then what is used in the "http-request set-header" lines in the "main" frontend. Hoping this all makes some sort of sense. |
Hi @muzzol, for apache proxy I've found this question: May be you could give it a try. |
The equivalent option in HAproxy to extract the username from any basic auth you have done via the reverse proxy would be as follows:
My overly complex example is how we are delegating authentication to another service, which is a SAML 2.0 service provider that then authenticates users against Azure AD, rather than using the authentication built into HAProxy, which is limited to just basic auth. |
This PR extends the IP based identification to allow the username to be extracted from a specific HTTP request header defined in the server config as follows:
This header is only used if the request comes from a trusted IP.
If the configured header does not exist, the identification falls back to the IP based method.
The use case for this, in our case, is an instance of script-server that sits behind a reverse proxy (HAProxy in this case) that does authentication itself, then adds various headers to the request (username, email address, display name etc).