JWT Validation in HAProxy


Problem description

I have an HAProxy configured to accept requests to *.mysubdomain.com. The HAProxy will parse the subdomain (prod or dev from prod.mysubdomain.com or dev.mysubdomain.com) and forward to the correct backend. Two backends exist, one for prod and one for dev. Each backend contains two server entries pointing towards Marathon LB instances on each subdomain.

The subdomains require a JWT cookie for authentication on the backend. I have the public key to check the validity of the JWT, but would like to do so in the HAProxy. Is there a way to add my own code to perform the JWT validity check within the HAProxy configuration?

The HAProxy configuration file is as follows:

global
    maxconn 256

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    mode http

    # Returns true when one of the headers contains one of the strings either isolated or delimited by dots. This is used to perform domain name matching.
    acl host_dev hdr_dom(host) -i dev
    acl host_prod hdr_dom(host) -i prod

    acl jwtPresent req.cook(JWT) -m found

    use_backend prod_domain if jwtPresent host_prod
    use_backend dev_domain if jwtPresent host_dev

    default_backend prod_domain

backend prod_domain
    balance roundrobin
    server prodDomain1 "${MARATHON_LB_PROD_1}" maxconn 32 check
    server prodDomain2 "${MARATHON_LB_PROD_2}" maxconn 32 check

backend dev_domain
    balance roundrobin
    server devDomain1 "${MARATHON_LB_DEV_1}" maxconn 32 check
    server devDomain2 "${MARATHON_LB_DEV_2}" maxconn 32 check

Recommended answer

HAProxy can act as an API gateway and validate JWT tokens against a public key. They have written a blog post and provided sample code to show you how.

The post is here: https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/

The sample Lua code is here: https://github.com/haproxytech/haproxy-lua-jwt
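
As an added example (not part of the original answer, and not code from the linked HAProxy project), the frontend from the question can validate the JWT cookie with HAProxy's built-in JWT converters instead of Lua. It assumes HAProxy 2.5 or later, RS256-signed tokens, a hypothetical public key path /etc/haproxy/jwt-pubkey.pem, and a 401 response for rejected requests.

```haproxy
frontend http-in
    bind *:80
    mode http

    acl host_dev  hdr_dom(host) -i dev
    acl host_prod hdr_dom(host) -i prod

    # Extract the token from the JWT cookie and the fields that get checked.
    http-request set-var(txn.jwt) req.cook(JWT)
    http-request set-var(txn.alg) var(txn.jwt),jwt_header_query('$.alg')
    http-request set-var(txn.exp) var(txn.jwt),jwt_payload_query('$.exp','int')
    http-request set-var(txn.now) date()

    # 1. The cookie must be present.
    http-request deny deny_status 401 unless { req.cook(JWT) -m found }

    # 2. Pin the signing algorithm. Accepting whatever the token header
    #    declares would let "none" or an HMAC variant through.
    http-request deny deny_status 401 unless { var(txn.alg) -m str RS256 }

    # 3. Verify the signature against the public key
    #    (key path is an assumption for this example).
    http-request deny deny_status 401 unless { var(txn.jwt),jwt_verify(txn.alg,"/etc/haproxy/jwt-pubkey.pem") -m int 1 }

    # 4. Require an exp claim and reject expired tokens.
    http-request deny deny_status 401 unless { var(txn.exp) -m found }
    http-request deny deny_status 401 if { var(txn.exp),sub(txn.now) -m int lt 0 }

    # Only requests that passed every check reach a backend.
    use_backend dev_domain if host_dev
    default_backend prod_domain
```

Unlike the configuration in the question, a request without a valid token is rejected here rather than falling through to `default_backend`.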
