Netgate Discussion Forum

    HAproxy authelia

    • U
      unf0rg0tt3n
      last edited by unf0rg0tt3n

      Hi,

      I want to run authelia but I am having a hard time getting the prerequisites done.
      They are as follows:

      • HAProxy 1.8.4+ (2.2.0+ recommended)
      • USE_LUA=1 set at compile time
      • haproxy-lua-http must be available within the Lua path
      • A json library within the Lua path (dependency of haproxy-lua-http, usually found as OS package lua-json)
      • With HAProxy 2.1.3+ you can use the [lua-prepend-path] configuration option to specify the search path.
      • haproxy-auth-request

      Where do I add the

      USE_LUA=1 
      

      When I try to add the http.lua from: here
      and apply, it throws:

      Errors found while starting haproxy
      [NOTICE] 334/113109 (3042) : haproxy version is 2.2.14-a07ac36
      [ALERT] 334/113109 (3042) : parsing [/var/etc/haproxy_test/haproxy.cfg:16] : Lua runtime error: /var/etc/haproxy_test/luascript_http.lua:33: module 'json' not found:
      no field package.preload['json']
      no file '/usr/local/share/lua/5.3/json.lua'
      no file '/usr/local/share/lua/5.3/json/init.lua'
      no file '/usr/local/lib/lua/5.3/json.lua'
      no file '/usr/local/lib/lua/5.3/json/init.lua'
      no file './json.lua'
      no file './json/init.lua'
      no file '/usr/local/lib/lua/5.3/json.so'
      no file '/usr/local/lib/lua/5.3/loadall.so'
      no file './json.so'
      
      [ALERT] 334/113109 (3042) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
      [ALERT] 334/113109 (3042) : Fatal errors found in configuration.
      

      Can I use pfsense haproxy for this kind of workflow?

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @unf0rg0tt3n
        last edited by

        @unf0rg0tt3n said in HAproxy authelia:

        Can I use pfsense haproxy for this kind of workflow?

        I show lua support there.

        [21.05.2-RELEASE][admin@sg4860.local.lan]/root: haproxy -vv | grep Lua
        Built with Lua version : Lua 5.3.6
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        U 1 Reply Last reply Reply Quote 0
        • U
          unf0rg0tt3n @johnpoz
          last edited by

          @johnpoz said in HAproxy authelia:

          haproxy -vv | grep Lua

          Thanks, got the same output: Built with Lua version : Lua 5.3.6
          But why do I get those errors, and how to fix them?

          I also installed this: https://freebsd.pkgs.org/12/freebsd-amd64/lua53-luasocket-3.0.r1_5,1.txz.html which I saw in another post (which was his solution)

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @unf0rg0tt3n
            last edited by johnpoz

            @unf0rg0tt3n looks to me like it just cannot find your script - where did you put it?

            I do not use this - but from searching for that json.lua I find a copy here

            [21.05.2-RELEASE][admin@sg4860.local.lan]/: find / -name json.lua
            /usr/local/share/nmap/nselib/json.lua
            [21.05.2-RELEASE][admin@sg4860.local.lan]/: 
            

            For pfsense I see these packages for lua

            [21.05.2-RELEASE][admin@sg4860.local.lan]/: pkg search lua
            lua-resty-core-0.1.21_1        New FFI-based Lua API for OpenResty NGINX Lua modules
            lua-resty-lrucache-0.10        Lua-land LRU cache based on the LuaJIT FFI
            lua52-5.2.4                    Small, compilable scripting language providing easy access to C code
            lua53-5.3.6                    Powerful, efficient, lightweight, embeddable scripting language
            luajit-openresty-2.1.20201027  Just-In-Time Compiler for Lua (OpenResty branch)
            [21.05.2-RELEASE][admin@sg4860.local.lan]/: 
            

            If I had to guess, I would think you want to install lua53-5.3.6, vs whatever pkg you installed.

            It is normally not a good idea to install packages direct from the freebsd repositories. If there is some package you need for pfsense to do something it is designed to do but outside normal use, you could request specific packages get added to the pfsense repository.

            I know they have done in the past for some misc packages, etc.

            edit: As I said I don't do any of this stuff, but guessing you might also need the lua53-json package which I do not see listed in the repository..


            U 1 Reply Last reply Reply Quote 0
            • U
              unf0rg0tt3n @johnpoz
              last edited by

              @johnpoz said in HAproxy authelia:

              @unf0rg0tt3n looks to me like it just cannot find your script - where did you put it?

              I do not use this - but from searching for that json.lua I find a copy here

              [21.05.2-RELEASE][admin@sg4860.local.lan]/: find / -name json.lua
              /usr/local/share/nmap/nselib/json.lua
              [21.05.2-RELEASE][admin@sg4860.local.lan]/: 
              

              For pfsense I see these packages for lua

              [21.05.2-RELEASE][admin@sg4860.local.lan]/: pkg search lua
              lua-resty-core-0.1.21_1        New FFI-based Lua API for OpenResty NGINX Lua modules
              lua-resty-lrucache-0.10        Lua-land LRU cache based on the LuaJIT FFI
              lua52-5.2.4                    Small, compilable scripting language providing easy access to C code
              lua53-5.3.6                    Powerful, efficient, lightweight, embeddable scripting language
              luajit-openresty-2.1.20201027  Just-In-Time Compiler for Lua (OpenResty branch)
              [21.05.2-RELEASE][admin@sg4860.local.lan]/: 
              

              If I had to guess, I would think you want to install lua53-5.3.6, vs whatever pkg you installed.

              It is normally not a good idea to install packages direct from the freebsd repositories. If there is some package you need for pfsense to do something it is designed to do but outside normal use, you could request specific packages get added to the pfsense repository.

              I know they have done in the past for some misc packages, etc.

              I put the lua files in the files section. not the correct path?
              luascript.JPG

              Removed the entry because it didn't work, but it was there.

              I will try the lua53-5.3.6 package

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @unf0rg0tt3n
                last edited by johnpoz

                @unf0rg0tt3n I think what it is looking for is json.lua

                Not your actual lua script.. I think that lua.json is a dependency for your script to work. From the errors you posted, that is what it was looking for that json.lua which it could not find in your path. I show it on my system, but from nmap not anything to do with haproxy, etc. or lua53

                I do show that included in the lua53-json-1.3.4_1.txz package.. But again not normally a good idea to go installing packages straight from freebsd..

                But I do show that package contains json.lua which is what your error was looking for.


                U 1 Reply Last reply Reply Quote 0
                • U
                  unf0rg0tt3n @johnpoz
                  last edited by

                  @johnpoz I tried to follow up on the json; it can be found in some github repository and needs to be placed inside the "/usr/local/share/lua/5.3/" directory.
                  It isn't throwing any errors anymore :)

                  johnpozJ 1 Reply Last reply Reply Quote 0
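The Lua error in the first post already names every location searched for the `json` module, so it can be turned directly into an existence check before and after dropping a file in place. The script below is an added example, not code from the thread or from the HAProxy or Authelia projects; the function names `lua_candidates` and `check_lua_module` and the base-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): turn a Lua "module not found" error
# reported by HAProxy into a per-path existence check.

# Print each candidate path from the "no file '...'" lines on stdin.
lua_candidates() {
    sed -n "s/^[[:space:]]*no file '\(.*\)'[[:space:]]*$/\1/p"
}

# Read the error text on stdin and print FOUND/MISSING for each candidate.
# $1 (assumption): directory used to resolve relative candidates such as
# ./json.lua, i.e. the working directory of the haproxy process.
# Returns 0 if at least one candidate exists, 1 if none does.
check_lua_module() {
    base=${1:-.}
    status=1
    candidates=$(lua_candidates)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case $path in
            /*) full=$path ;;
            *)  full=$base/$path ;;
        esac
        if [ -e "$full" ]; then
            echo "FOUND   $path"; status=0
        else
            echo "MISSING $path"
        fi
    done <<EOF
$candidates
EOF
    return $status
}

# Sample input: candidate lines copied from the error in the first post.
SAMPLE_ERROR="no field package.preload['json']
no file '/usr/local/share/lua/5.3/json.lua'
no file '/usr/local/share/lua/5.3/json/init.lua'
no file './json.lua'
no file '/usr/local/lib/lua/5.3/json.so'"

printf '%s\n' "$SAMPLE_ERROR" | check_lua_module / ||
    echo "json is not present in any location Lua searched"
```

Running it again after copying a file into one of the listed directories shows which candidate now satisfies the `require`, which is also the file whose origin is worth recording when it did not come from the pfSense package repository.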
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @unf0rg0tt3n
                    last edited by

                    @unf0rg0tt3n said in HAproxy authelia:

                    It isn't throwing any errors anymore :)

                    That is good - so is everything you were trying to do now working?


                    U 2 Replies Last reply Reply Quote 0
                    • U
                      unf0rg0tt3n @johnpoz
                      last edited by

                      @johnpoz The requirements are met now. Didn't try to run authelia with the acl's yet.

                      1 Reply Last reply Reply Quote 0
                      • U
                        unf0rg0tt3n @johnpoz
                        last edited by

                        @johnpoz So I tried to add the following:

                        global
                            # Path to haproxy-lua-http, below example assumes /usr/local/etc/haproxy/haproxy-lua-http/http.lua
                            lua-prepend-path /usr/local/share/lua/5.3/haproxy-lua-http.lua
                            # Path to haproxy-auth-request
                            lua-load /usr/local/share/lua/5.3/auth-request.lua
                            log stdout format raw local0 debug
                        

                        But when I edit this, I can't really use the web interface anymore because every edit I apply, the file gets overwritten.
                        Don't really know how to add this or every other entry like:

                        # Host ACLs
                            acl protected-frontends hdr(host) -m reg -i ^(?i)(nextcloud)\.example\.com
                            acl protected-frontends-basic hdr(host) -m reg -i ^(?i)(heimdall)\.example\.com
                            acl host-authelia hdr(host) -i auth.example.com
                            acl host-nextcloud hdr(host) -i nextcloud.example.com
                            acl host-heimdall hdr(host) -i heimdall.example.com
                        
                            # This is required if utilising basic auth with /api/verify?auth=basic
                            http-request set-var(txn.host) hdr(Host)
                        
                            http-request set-var(req.scheme) str(https) if { ssl_fc }
                            http-request set-var(req.scheme) str(http) if !{ ssl_fc }
                            http-request set-var(req.questionmark) str(?) if { query -m found }
                        

                        And like this:

                        backend be_nextcloud
                            # Pass Remote-User, Remote-Name, Remote-Email and Remote-Groups headers
                            acl remote_user_exist var(req.auth_response_header.remote_user) -m found
                            acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
                            acl remote_name_exist var(req.auth_response_header.remote_name) -m found
                            acl remote_email_exist var(req.auth_response_header.remote_email) -m found
                            http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
                            http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
                            http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
                            http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
                        
                            server nextcloud nextcloud:443 ssl verify none
                        

                        I have like 30+ entries made with the web interface and everything is working great. But I want to secure everything

                        1 Reply Last reply Reply Quote 0
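Two details of the `be_nextcloud` backend in the post above are worth checking across a large generated config: `ssl verify none` turns off certificate verification towards the backend, and a `Remote-*` header that is only set under a condition leaves any client-supplied header of the same name untouched when the condition is false. The lint below is an added example, not code from the thread or from Authelia; the function name `lint_haproxy_cfg` is hypothetical, and it tracks `del-header` file-wide rather than per section.

```shell
#!/bin/sh
# Added example (not from the thread): flag two things in an HAProxy config
# that deserve review when identity headers come from an auth backend.
# Simplification: del-header is tracked file-wide, not per section.

lint_haproxy_cfg() {
    awk '
    $1 ~ /^#/ { next }                      # skip comment lines
    $1 == "frontend" || $1 == "backend" || $1 == "listen" {
        section = $1 " " $2
    }
    # Backend TLS without certificate verification.
    $1 == "server" {
        for (i = 2; i < NF; i++)
            if ($i == "verify" && $(i + 1) == "none")
                print "WARN " section ": server " $2 " uses ssl verify none"
    }
    $1 == "http-request" && $2 == "del-header" { deleted[tolower($3)] = 1 }
    # Remote-* header set only under a condition: when the condition is
    # false, a header of that name sent by the client is left in place.
    $1 == "http-request" && $2 == "set-header" && tolower($3) ~ /^remote-/ {
        for (i = 5; i < NF; i++)
            if ($i == "if" || $i == "unless") cond[tolower($3)] = section
    }
    END {
        for (h in cond)
            if (!(h in deleted))
                print "WARN " cond[h] ": " h " set conditionally with no del-header"
    }' "$1"
}

# Constructed sample: two lines taken from the be_nextcloud backend above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
backend be_nextcloud
    http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
    server nextcloud nextcloud:443 ssl verify none
EOF
lint_haproxy_cfg "$sample"
rm -f "$sample"
```

A backend that issues `http-request del-header` for each `Remote-*` header ahead of the conditional `set-header`, and uses `verify required` with a `ca-file` on the server line, produces no warnings.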
                        • U
                          unf0rg0tt3n
                          last edited by unf0rg0tt3n

                          Got it working like a week ago after a while not thinking about it. For future reference I have created a manual.
                          It was quite hard to find out the what and how. But it can be done from the GUI.

                          https://dkict.com/pfsense-haproxy-authelia/

                          Pfsense haproxy + authelia

                          1 Reply Last reply Reply Quote 1
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.