haproxy-lua-oauth's Issues

Error when OAUTH_PUBKEY_PATH is not set

I was using HMAC512 to verify the JWT token. Therefore, I did not set the env variable OAUTH_PUBKEY_PATH. The script fails when loaded, as seen in the following error message:

runtime error: '/usr/local/share/lua/5.3/jwtverify.lua:81: attempt to concatenate a nil value (local 'file')' from /usr/local/share/lua/5.3/jwtverify.lua:81: in upvalue 'readAll', /usr/local/share/lua/5.3/jwtverify.lua:273: in function line 267

It fails in the readAll method as it tries to concatenate the file name for a logging message. The logging message isn't the sole problem, but rather the general assumption in the script that this env variable is set to anything.
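The failure described above is a missing nil check at load time. The following is an added example (not haproxy-lua-oauth's own code) of a readAll and a config loader that fail with an explicit message instead; it assumes the OAUTH_PUBKEY_PATH and OAUTH_HMAC_SECRET variable names used in these issues and an assumed OAUTH_ALG selector, and it fixes the expected algorithm from the operator's configuration rather than from the token header.

```lua
-- Added example, not haproxy-lua-oauth's own code. OAUTH_ALG is an assumed
-- selector; OAUTH_PUBKEY_PATH and OAUTH_HMAC_SECRET are named in the issues.

local function readAll(path)
  -- Return nil plus a message instead of concatenating a nil path.
  if path == nil or path == "" then
    return nil, "no key file path configured"
  end
  local f, err = io.open(path, "rb")
  if not f then
    return nil, "cannot open key file " .. path .. ": " .. tostring(err)
  end
  local content = f:read("a")
  f:close()
  if content == nil or content == "" then
    return nil, "key file " .. path .. " is empty"
  end
  return content
end

-- Build the verifier configuration once at load time. The expected
-- algorithm is fixed by the operator, never taken from the token header,
-- so a token presenting a different alg is rejected up front.
local function loadConfig(env)
  env = env or os.getenv
  local cfg = { alg = env("OAUTH_ALG") or "RS256" }
  if cfg.alg == "RS256" then
    local pem, err = readAll(env("OAUTH_PUBKEY_PATH"))
    if not pem then
      return nil, "OAUTH_PUBKEY_PATH: " .. err
    end
    cfg.publicKey = pem
  elseif cfg.alg == "HS256" or cfg.alg == "HS512" then
    local secret = env("OAUTH_HMAC_SECRET")
    if secret == nil or secret == "" then
      return nil, "OAUTH_HMAC_SECRET must be set for " .. cfg.alg
    end
    cfg.hmacSecret = secret
  else
    return nil, "unsupported OAUTH_ALG: " .. cfg.alg
  end
  return cfg
end

-- Constructed sample environment: HMAC setup with no public key path.
local sampleEnv = { OAUTH_ALG = "HS512", OAUTH_HMAC_SECRET = "constructed-secret" }
local cfg, err = loadConfig(function(name) return sampleEnv[name] end)
assert(cfg and cfg.hmacSecret and err == nil)

-- Constructed sample: default RS256 with nothing set; the error names the variable.
local cfg2, err2 = loadConfig(function(name) return nil end)
assert(cfg2 == nil and err2:match("OAUTH_PUBKEY_PATH"))
```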

H2 response from service

Hi,
Is it possible to return an h2 response inside 'register_service'?

I have a grpc client calling haproxy, which forwards the request to a backend grpc server.
All works fine.

If for some reason I want to deny the request, the deny directive doesn't give the grpc client much info about what went wrong. How do I provide more info? (Currently I am setting headers in a service.)

This does not work:
http-request deny deny_status 429 content-type text/plain lf-string "too_many_requests"
I was hoping I could construct an h2 response from inside a service?

something like...

    local pb = require('protobuf')

    -- encode the status message and wrap it in a gRPC length-prefixed frame:
    -- one compressed flag byte, a 4-byte big-endian length, then the message
    local input = { code = "403", message = "denied" }
    local message = pb.encode('api.v1.status', input)
    local data = "\x00" .. string.pack(">I4", #message) .. message

    -- headers are flushed by start_response(); send() carries only the body
    applet:add_header("content-type", "application/grpc+proto")
    applet:start_response()
    applet:send(data)

Docker Compose error: Lua runtime error: error loading module '_openssl.pkey'

Hello,
I would like to thank you for this great opensource project, it helped me a lot.
I'm experiencing the same issue as #31 but using example with Docker Compose:

haproxy-lua-oauth-haproxy-1  | [NOTICE]   (1) : haproxy version is 2.6.15-446b02c
haproxy-lua-oauth-haproxy-1  | [NOTICE]   (1) : path to executable is /usr/local/sbin/haproxy
haproxy-lua-oauth-haproxy-1  | [ALERT]    (1) : config : parsing [/usr/local/etc/haproxy/haproxy.cfg:8] : Lua runtime error: error loading module '_openssl.pkey' from file '/usr/local/lib/lua/5.3/_openssl.so':
haproxy-lua-oauth-haproxy-1  |  /usr/local/lib/lua/5.3/_openssl.so: undefined symbol: lua_newuserdata

Unable to install on Centos8

Using Centos 8.2.2004
When installing using ./install.sh luajwt, the following error is generated during the luaossl installation:

/usr/src/luaossl-master/src/openssl.c:12146:5: note: in expansion of macro ‘EVP_KDF_HKDF_MODE_EXPAND_ONLY’
     EVP_KDF_HKDF_MODE_EXPAND_ONLY,
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make: *** [/usr/src/luaossl-master/src/GNUmakefile:63: /usr/src/luaossl-master/src/5.3/openssl.o] Error 1

I believe this is related to https://github.com/wahern/luaossl/issues/175 but I don't understand how to fix the installer so that the install completes.

haproxy config needs LF on last line

[WARNING] 047/022214 (7) : parsing [/opt/haproxy-lua-oauth/haproxy-example.cfg:49]: Missing LF on last line, file might have been truncated at position 34. This will become a hard error in HAProxy 2.3.

Please add support for HS256

Hi,

First of all thanks for this project, and the excellent documentation. We're trying to use keycloak with this setup, and are having problems because of the default signing algorithm:

[debug] 328/151714 (32616) : RS256 supported. Incorrect alg in JWT: HS256
[debug] 328/151714 (32616) : Algorithm not valid.
[debug] 328/151714 (32616) : req.authorized = false

Would it be possible to support HS256 ?

Unable to load lua in haproxy config

haproxy -v
HA-Proxy version 1.6.0 2015/10/13
Copyright 2000-2015 Willy Tarreau [email protected]

lua -v
Lua 5.3.3 Copyright (C) 1994-2016 Lua.org, PUC-Rio

whereis lua
lua: /usr/bin/lua /usr/lib64/lua /usr/local/bin/lua /usr/local/lib/lua /usr/share/lua /usr/share/man/man1/lua.1.gz
echo $LUA_PATH
/usr/local/bin/lua;;

echo $LUA_CPATH
./?.so;/usr/local/lib/lua/5.3/?.so;/usr/local/share/lua/5.3/?.so;/usr/local/bin/lua

haproxy -c -f haproxy1.cfg
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:3] : lua runtime error: error loading module 'json' from file '/usr/local/bin/lua':
/usr/local/bin/lua:1: unexpected symbol near '<\127>'

[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:7] : unknown keyword 'setenv' in 'global' section
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:10] : unknown keyword 'setenv' in 'global' section
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:13] : unknown keyword 'setenv' in 'global' section
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:30]: 'http-request' expects 'allow', 'deny', 'auth', 'redirect', 'tarpit', 'add-header', 'set-header', 'replace-header', 'replace-value', 'set-nice', 'set-tos', 'set-mark', 'set-log-level', 'add-acl', 'del-acl', 'del-map', 'set-map', 'set-src', 'sc-inc-gpc0()', 'sc-set-gpt0()', 'capture', 'set-method', 'set-path', 'set-query', 'set-uri', 'silent-drop', 'use-service', 'set-var(*)', but got 'lua.jwtverify'.
[ALERT] 112/115434 (1758) : Error(s) found in configuration file : haproxy1.cfg

haproxy1.cfg is the same file as the haproxy-example.cfg of the repository.
I am trying to install this on Amazon Linux.

unable to install luasocket

Hello
Following the installation instructions, I am trying to install haproxy and luasocket.
I did sudo ./install.sh luaoauth
and it errored out saying:

[+] Installing haproxy-lua-oauth dependencies |
In file included from luasocket.c:15:0:
luasocket.h:27:10: fatal error: lua.h: No such file or directory
 #include "lua.h"
          ^~~~~~~
compilation terminated.

Haproxy-lua-oauth and Centos 7

Hello
I'm struggling to get Haproxy-lua-oauth working with Centos 7.
I have fixed install.sh to provide the dependencies.
But haproxy won't run anyway:

[ALERT] 184/181506 (969) : parsing [/etc/haproxy/haproxy.conf:10] : Lua runtime error: error loading module 'mime.core' from file '/usr/local/lib/lua/5.3/mime/core.so':
/usr/local/lib/lua/5.3/mime/core.so: undefined symbol: luaL_prepbuffer

and then http-request won't take lua.jwtverify

HA-Proxy version 2.3.2-d522db7

Is there a way to get it working with Centos 7?

print_help function missing

Just a minor gripe: if an unexpected argument is passed to install.sh, it results in this error:

./install.sh: line 164: print_help: command not found

as there is no print_help function.

errors on RHEL8 HA-Proxy version 1.8.27-493ce0b 2020/11/06

Hi,

I got the following error:

  1. When I try to load jwtverify.lua in global section:
    Starting HAProxy Load Balancer...
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: [ALERT] 066/192002 (715142) : parsing [/etc/haproxy/haproxy.cfg:10] : lua runtime error: /usr/local/share/lua/5.>Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no field package.preload['openssl.pkey']
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/share/lua/5.3/openssl/pkey.lua'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/share/lua/5.3/openssl/pkey/init.lua'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/lib64/lua/5.3/openssl/pkey.lua'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/lib64/lua/5.3/openssl/pkey/init.lua'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file './openssl/pkey.lua'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file './openssl/pkey/init.lua'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/lib64/lua/5.3/openssl/pkey.so'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/lib64/lua/5.3/loadall.so'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file './openssl/pkey.so'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/lib64/lua/5.3/openssl.so'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file '/usr/lib64/lua/5.3/loadall.so'
    Mar 08 19:20:02 r5testsapp1 haproxy[715142]: no file './openssl.so'

Best regards,
Ivan Adamov

HS512 support

Hi team, as said in issue #11, thanks for this great job and the associated documentation.
I was wondering if there is any chance you could also add support for HS512?

thanks

install.sh Bad substitution

Hi, it seems that there is an issue with install.sh due to a commit last month:

Using DEBIAN:2.8.2-debian-11-r10 @yaronr

#0 0.305 Cloning into 'haproxy-lua-oauth'...
#0 1.382 Debian based system detected
#0 1.382 false
#0 1.382 Debian based system detected
#0 1.383 ./install.sh: 37: Bad substitution

Example lacks info on HMAC secret configuration

Hello!

Can you please add instructions on how to configure the example for HS256?
Should the OAUTH_HMAC_SECRET environment variable be set to the same public key that was generated in Auth0?

Thanks in advance

Several different JWT with one instance of Haproxy

Since the public key of the token is assigned in the 'global' section, using multiple different tokens (from different authentication servers) seems impossible. However, it may be necessary.

For example, we have a cluster of three Haproxy+Keepalived load balancers. When everything is ok each load balancer serves as an API gateway for one environment - dev, test, or production. But if one of the load balancers fails, its virtual IP address switches to the next one, and - since it has the same configuration as the failed one - it starts serving two environments instead of one.

However, the REST API of each environment is protected by its own token, meaning the public key in OAUTH_PUBKEY_PATH is different for each environment. And this variable is specified in the 'global' section, so there cannot be multiple of them. Hence, our cluster scheme with JWT is not applicable. Can't we embed these parameters in the 'frontend' section instead?

Unable to get this working with HAproxy v2.4

HAproxy v2.4 is getting a Lua runtime error:

Lua runtime error: error loading module '_openssl.pkey' from file '/usr/local/lib/lua/5.4/_openssl.so':
        /usr/local/lib/lua/5.4/_openssl.so: undefined symbol: lua_setuservalue

The same setup is working fine with HAproxy 1.9.1

NOT ABLE TO VALIDATE THE JWT SIGNATURE

Hello,
First I would like to thank you for this great opensource project, it helped me a lot.
I am creating a new authentication module for Prosody; all lua-jwt functions are working as expected, but when I try to validate the token signature I am getting errors.
I am pasting everything below. What am I missing here?
PLEASE HELP!

JWT TOKEN
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJrUXhPVEk0UmpJMU1FRXhSREpDTVRoQ1F6WXlPRVk1UlVNNU1UZ3pNamt6UkRZeU16aEZRUSJ9.eyJpc3MiOiJodHRwczovL2x5YW1yYS5hdXRoMC5jb20vIiwic3ViIjoieTZzdEQxUHFqTE9aTDhxMVh1VmFxNkNPZTJ1QUpDblBAY2xpZW50cyIsImF1ZCI6Im15and0LWFwaSIsImlhdCI6MTYwMTIzMjU5NCwiZXhwIjoxNjAxMzE4OTk0LCJhenAiOiJ5NnN0RDFQcWpMT1pMOHExWHVWYXE2Q09lMnVBSkNuUCIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9.oKFlhC1uIzKucxFNSJIIIMGAIXFvLsaOgFoqxrIGT4S_j_Wym0lBgUIVFFxpXDsXPg1o6y1g4dQP0xwlVqezXp5GXt6eZa3HHUlzQiMHBBVTFEyqmUSETXRBfBlyzAh-C5H4XwfQ5ySFJ46m8LiIPtU5lezlIIsBvAjk-IYjs0q3wLQpyEk0QtfkOKekdWV_r6U5vI06OTXJZh077ud9YXwZ2sL1890u16fH8Gz_rBO9PjKhtf2C0IUs0_sIw1ja6dzttI4fELlGwNdvYEO1R5NZd8juyttJb0BfQ3BD3f0Y0MI0gIorkHZkDCEH-1g7F77DIR-hgSBUv7HlzCDexQ

mycert.pem

after openssl x509 -pubkey -noout -in ./mycert.pem > pubkey.pem

DECLARATION IN MY LUA CODE [PLEASE NOTE THAT I AM USING cjson, the json library is throwing many errors]

local config = {
    -- PEM public key extracted from the Auth0 signing certificate above
    publicKey = [[-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7cUIgSloPuoTgzqaHBVH
6hSYvKEkijVHir3c7c6IWsLNRrDWa71dtwTnnGK7/A2Vt+TdcqxAuYrHxr4nN1C3
nP1XDPimP+L6fwLQArCDu7c9eAAt90ZLnfUiSlSU4YzSPdvU6SAgSzy1LUtX6mS4
BMcQqEKEKeD1tUNdG55K75KcTJi/Fh0MParu6lAOoYWiobSWHWaIfYvATJSwaGgi
KKMBAx76clEbaHJRnRV2CFgS6H4cVqZLG24cuCp9KujzisOEF941f4NshCbGZ7WW
krS9S4+7DAaq8rV3C1VFkXmZdxv/UFBY0Pzph/+aJvZuODZDC+ru7iTG3AdmQmOT
JwIDAQAB
-----END PUBLIC KEY-----]],
    issuer = 'https://lyamra.auth0.com/',
    audience = 'myjwt-api'
}

local json = require 'cjson'
local base64 = require 'modules.mod_auth_auth0.base64'
local openssl = {
    pkey = require 'openssl.pkey',
    digest = require 'openssl.digest',
    x509 = require 'openssl.x509'
}

-- verify the RS256 signature over "<header>.<payload>" with the configured public key
local function signatureIsValid(token, publicKey)
    local digest = openssl.digest.new('SHA256')
    digest:update(token.header .. '.' .. token.payload)
    local vkey = openssl.pkey.new(publicKey)  -- this is the call that raises the error below
    local isVerified = vkey:verify(token.signaturedecoded, digest)
    return isVerified
end

ERROR
Sep 27 14:29:09 c2s562ec904ed80 error Traceback[c2s]: pkey.new: tasn_dec.c:1130:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
stack traceback:
[C]: in function 'new'
/usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:137: in function 'signatureIsValid'
/usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:183: in function </usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:163>
(...tail calls...)
/usr/lib/prosody/modules/mod_auth_auth0/mod_auth_auth0.lua:45: in function 'plain_test'
/usr/lib/prosody/util/sasl/plain.lua:75: in function </usr/lib/prosody/util/sasl/plain.lua:39>
(...tail calls...)
/usr/lib/prosody/modules/mod_saslauth.lua:77: in function </usr/lib/prosody/modules/mod_saslauth.lua:66>
(...tail calls...)
/usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
(...tail calls...)
/usr/lib/prosody/core/stanza_router.lua:142: in function 'core_process_stanza'
/usr/lib/prosody/modules/mod_c2s.lua:275: in function 'func'
/usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>

Enhance of lua script logging

Thanks for this great addition. Is it possible to have an option (config.debug via an env variable) to enable the log messages in the script? At the moment, when HAProxy rejects a request due to an invalid issuer/audience etc., I cannot determine the root cause of the rejection; at least HAProxy does not provide enough info.

Thank you!

Google OAuth based example

Hi there

I'd like to replace our basic auth with a Google-based OAuth. This looks like the way to go, but I'm a bit lost adapting the Auth0-based explanations to Google's auth stuff. So in case you tried it, mind sharing notes about it? That would also make fine documentation with some polish :)

Best regards,

Haproxy 2.6.2 (LTS) and luaossl error - or it seems so

Hello
I'm experiencing an issue after the haproxy update to the latest stable LTS version.
haproxy 2.6.2-16a3646, compiled with lua support

[ALERT] (20995) : config : parsing [/etc/haproxy//00-global.cfg:10] : Lua runtime error: error loading module '_openssl.pkey' from file '/usr/local/lib/lua/5.3/_openssl.so':
/usr/local/lib/lua/5.3/_openssl.so: undefined symbol: lua_setuservalue

I've tried to reinstall haproxy-lua-oauth using luaossl:rel-20220711 with no luck.

Is there something I can do? This is the latest LTS branch of Haproxy, so I'd think haproxy-lua-oauth should work fine...
