Added an example

Author: haproxytechblog

README.md

@@ -20,17 +20,7 @@ chmod +x ./install.sh
 sudo ./install.sh luaoauth
 ```
 
-You have several installation modes:
-
-| Command                   | Meaning                                                                                   |
-|---------------------------|-------------------------------------------------------------------------------------------|
-| `sudo install.sh luaoauth`  | Installs jwtverify.lua and its dependencies to **/usr/local/share/lua/5.3/jwtverify.lua** |
-| `sudo install.sh haproxy` | Installs HAProxy                                                                          |
-| `sudo install.sh all`     | Installs HAProxy and jwtverify.lua and its dependencies                                   |
-
-## Sample
-
-A sample application can be found at https://github.com/haproxytechblog/haproxy-jwt-vagrant.
+This installs jwtverify.lua and its dependencies to **/usr/local/share/lua/5.3/jwtverify.lua**.
 
 ## Usage
 
@@ -72,3 +62,47 @@ After calling `http-request lua.jwtverify`, you get access to variables for each
 * `var(txn.oauth.scope)`
 
 For example, you could track rate limiting based on the clientId or set different rate limit thresholds based on the scope.
+
+## Example
+
+Try it out using the Docker Compose.
+
+1. Sign up for a free account at https://auth0.com/ and create a new API.
+1. Give the API any name, such as "My OAuth Test" and set the identifier to "https://api.mywebsite.com".
+1. Once created, go to the API's "Permissions" tab and add permissions (aka scopes) that grant users different levels of access. The colon syntax is just a personal style, and colons do not mean anything special.
+
+   | permission  | description           |
+   |-------------|-----------------------|
+   | read:myapp  | Read access to my app |
+   | write:myapp | Write access to myapp | 
+
+1. Now that you have an API defined in Auth0, add an application that is allowed to authenticate to it. Go to the "Applications" tab and add a new "Machine to Machine Application" and select the API you just created. Give it the "read:myapp" and "write:myapp"permissions (or only one or the other).
+1. On the Settings page for the new application, go to **Advanced Settings > Certificates** and download the certificate in PEM format. HAProxy will validate the access tokens against this certificate, which was signed by the OAuth provider, Auth0.
+
+1. Convert it first using `openssl x509 -pubkey -noout -in ./mycert.pem > pubkey.pem` and save **pubkey.pem** to **/example/haproxy/pem/pubkey.pem**.
+1. Edit **example/haproxy/haproxy.cfg**: 
+
+   * replace the `OAUTH_ISSUER` variable in the global section with the Auth0 domain URL with your own, such as https://myaccount.auth0.com/. 
+   * replace the `OAUTH_AUDIENCE` variable with your API name in Auth0, such as "https://api.mywebsite.com". 
+   * replace the `OAUTH_PUBKEY_PATH` variable with the path to your PEM certificate. (also update the docker-compose file)
+
+1. Create the environment with Docker Compose:
+    ```
+    $ docker-compose -f docker-compose.ubuntu.example.yml build
+    $ docker-compose -f docker-compose.ubuntu.example.yml up
+    ```
+1. Get a JSON web token (JWT) from your authentication server by going to your application on the Auth0 website and following the *Quick Start*.
+1. Make requests to https://localhost/api/myapp and attach the JWT in the Authorization header. You should get a successful response.
+
+   ```
+   $ curl --request GET \
+      -k \
+      --url https://localhost/api/myapp \
+      --header 'authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJEVkNSVFZHTmpZNU5rVTJSVUV3TnpoRk56UkJRalU0TjBFeU5EWTNSRU01TWtaRFJqTkNNUSJ9.eyJpc3MiOiJodHRwczovL25pY2tyYW00NC5hdXRoMC5jb20vIiwic3ViIjoicm9DTHRDTlZycW0zNmVYTzJxcE84cjEzeFBmQno1NklAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vYXBpLm15d2Vic2l0ZS5jb20iLCJpYXQiOjE2NDgzMTQ2NjAsImV4cCI6MTY0ODQwMTA2MCwiYXpwIjoicm9DTHRDTlZycW0zNmVYTzJxcE84cjEzeFBmQno1NkkiLCJzY29wZSI6InJlYWQ6bXlhcHAgd3JpdGU6bXlhcHAiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.tEhJ0hKlqy9KRrS00we1Z6Y0CwGg5tAOmZ3qQYLYEwl1uymZ8OfJD9iGgPe5QhLJCTD-iwC18hWSwBMzNRLrjcjp1__hHOOyJRRoqekezS7NoHCMOKGLRis5EcfXMyb58yVxwrKIovHSRaEf0emg5NovQ2bdI3UpMThXnzlLhIH_SX5yRUtTxQ_qvO7xS9lZBNVYG9lYlNtU_Ih6dKCKNRUrMm8xsj2jLyR5_v3LcxgwzhK2VF01DZ9wyEgfHgs3H2AP6yJEZkmd9B1chO5Xf3f4klujsxvAb6RqTCwpGWmjRPY6SENkY2QX-PHOYVAc4zPvuauwx9Ojd4khA_KKfA'
+   ```
+
+   A successful response:
+
+   ```
+   ["robo-hamster","space-hamster","commando-hamster","pirate-hmaster"]
+   ```

docker-compose.ubuntu.example.yml

@@ -0,0 +1,27 @@
+---
+version: "3"
+services:
+
+  server1:
+    image: example/web:latest
+    build:
+      context: example/web
+    environment:
+    - "name=server1"
+
+  haproxy:
+    image: example/haproxy-ubuntu
+    build:
+      context: example/haproxy
+      dockerfile: Dockerfile-ubuntu
+    volumes:
+       - ./example/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
+       - ./example/haproxy/pem/pubkey.pem:/etc/haproxy/pem/pubkey.pem
+       - ./example/haproxy/pem/test.com.pem:/etc/haproxy/pem/test.com.pem
+    ports:
+    - "80:80"
+    - "443:443"
+    - "8080:8080"
+    - "9000:9000"
+    depends_on:
+    - server1

example/haproxy/Dockerfile-ubuntu

@@ -0,0 +1,4 @@
+FROM haproxytech/haproxy-ubuntu:2.5
+WORKDIR /usr/src
+COPY . .
+RUN ./install.sh luaoauth

example/haproxy/haproxy.cfg

@@ -0,0 +1,35 @@
+global
+    log stdout format raw local0
+    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+    ssl-default-bind-options ssl-min-ver TLSv1.1
+    chroot /var/lib/haproxy
+    user haproxy
+    group haproxy
+    lua-load /usr/local/share/lua/5.3/jwtverify.lua
+
+    # Replace the Auth0 URL with your own:
+    setenv OAUTH_ISSUER https://nickram44.auth0.com/
+    setenv OAUTH_AUDIENCE https://api.mywebsite.com
+    setenv OAUTH_PUBKEY_PATH /etc/haproxy/pem/pubkey.pem
+
+defaults
+    log global
+    mode http
+    option httplog
+    timeout connect 10s
+    timeout client 30s
+    timeout server 30s
+    option http-buffer-request
+
+frontend api_gateway
+    bind :443 ssl crt /etc/haproxy/pem/test.com.pem alpn h2,http1.1
+    default_backend apiservers
+    http-request deny unless { req.hdr(authorization) -m found }
+    http-request lua.jwtverify
+    http-request deny unless { var(txn.authorized) -m bool }
+    http-request deny if { path_beg /api/myapp } { method GET }             ! { var(txn.oauth.scope) -m sub read:myapp }
+    http-request deny if { path_beg /api/myapp } { method POST PUT DELETE } ! { var(txn.oauth.scope) -m sub write:myapp }
+    
+backend apiservers
+    balance roundrobin
+    server server1 server1:80

example/haproxy/install.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+SOURCE_DIR=/usr/src
+LUA_VERSION=5.3.5
+
+install_luaoauth_var=false
+rhel_based=false
+debian_based=false
+lua_installed=false
+lua_dep_dir=/usr/local/share/lua/5.3/
+
+if [ -f /etc/redhat-release ]; then
+    rhel_based=true
+elif [ -f /etc/debian_version ]; then
+    debian_based=true
+fi
+
+cd $SOURCE_DIR
+
+display_working() {
+    pid=$1
+    spin='-\|/'
+    i=0
+    while kill -0 $pid 2>/dev/null
+    do
+        i=$(( (i+1) %4 ))
+        printf "\r${spin:$i:1}"
+        sleep .1
+    done
+}
+
+download_rhel_lua() {
+    printf "\r[+] Downloading Lua\n"
+    curl -sLO https://www.lua.org/ftp/lua-$LUA_VERSION.tar.gz
+    tar xf lua-$LUA_VERSION.tar.gz && rm lua-$LUA_VERSION.tar.gz
+}
+
+install_yum_deps() {
+    printf "\r[+] Installing yum dependencies\n"
+    yum -y install gcc openssl-devel readline-devel systemd-devel unzip >/dev/null 2>&1
+}
+
+build_lua() {
+    printf "\r[+] Building Lua\n"
+    cd $SOURCE_DIR/lua-$LUA_VERSION
+    make linux test >/dev/null
+}
+
+install_rhel_lua() {
+    printf "\r[+] Installing Lua\n"
+    cd $SOURCE_DIR/lua-$LUA_VERSION
+    make install >/dev/null
+}
+
+install_deb_lua() {
+    printf "\r[+] Installing Lua\n"
+    apt-get update >/dev/null 2>&1
+    apt-get install -y software-properties-common unzip build-essential libssl-dev lua5.3 liblua5.3-dev >/dev/null 2>&1
+}
+
+install_luaoauth_deps() {
+    printf "\r[+] Installing haproxy-lua-oauth dependencies\n"
+
+    if [ ! -e $lua_dep_dir ]; then
+        mkdir -p $lua_dep_dir;
+    fi;
+
+    apt-get update >/dev/null 2>&1
+    apt-get install -y build-essential liblua5.3-dev libssl-dev unzip >/dev/null 2>&1
+
+    cd $SOURCE_DIR
+
+    curl -sLO https://github.com/rxi/json.lua/archive/refs/heads/master.zip
+    unzip -qo master.zip && rm master.zip
+    mv json.lua-master/json.lua $lua_dep_dir 
+
+    curl -sLO https://github.com/lunarmodules/luasocket/archive/refs/heads/master.zip
+    unzip -qo master.zip && rm master.zip
+    cd luasocket-master/
+    make clean all install-both LUAINC=/usr/include/lua5.3/ >/dev/null
+    cd ..
+
+    curl -sLO https://github.com/wahern/luaossl/archive/refs/heads/master.zip
+    unzip -qo master.zip && rm master.zip
+    cd luaossl-master/
+    make install >/dev/null
+    cd ..
+}
+
+install_luaoauth() {
+    printf "\r[+] Installing haproxy-lua-oauth\n"
+    if [ ! -e $lua_dep_dir ]; then
+        mkdir -p $lua_dep_dir;
+    fi;
+
+    cd $SOURCE_DIR
+
+    mv ./lib/*.lua $lua_dep_dir
+}
+
+case $1 in
+    luaoauth)
+        install_luaoauth_var=true
+        ;;
+    *)
+        echo "Usage: install.sh luaoauth"
+esac
+
+if $install_luaoauth_var; then
+    # Install Lua JWT
+    # if ! $lua_installed; then
+    #     if $rhel_based; then
+    #         download_and_install_lua=(install_yum_deps download_rhel_lua build_lua install_rhel_lua)
+    #     elif $debian_based; then
+    #         download_and_install_lua=(install_deb_lua)
+    #     fi
+    #     for func in ${download_and_install_lua[*]}; do
+    #         $func &
+    #         display_working $!
+    #     done
+    # fi 
+    download_and_install_luaoauth=(install_luaoauth_deps install_luaoauth)
+    for func in ${download_and_install_luaoauth[*]}; do
+        $func &
+        display_working $!
+    done
+fi

example/haproxy/lib/base64.lua

@@ -0,0 +1,43 @@
+--
+-- base64.lua
+--
+-- URL safe base64 encoder/decoder
+--
+
+-- https://github.com/diegonehab/luasocket
+local mime = require 'mime'
+local _M = {}
+
+--- base64 encoder
+--
+-- @param s String to encode (can be binary data)
+-- @return Encoded string
+function _M.encode(s)
+    local u
+    local padding_len = 2 - ((#s-1) % 3)
+
+    if padding_len > 0 then
+        u = mime.b64(s):sub(1, - padding_len - 1)
+    else
+        u = mime.b64(s)
+    end
+
+    if u then
+        return u:gsub('[+]', '-'):gsub('[/]', '_')
+    else
+        return nil
+    end
+end
+
+--- base64 decoder
+--
+-- @param s String to decode
+-- @return Decoded string (can be binary data)
+function _M.decode(s)
+    local e = s:gsub('[-]', '+'):gsub('[_]', '/')
+    local u, _ = mime.unb64(e .. string.rep('=', 3 - ((#s - 1) % 4)))
+
+    return u
+end
+
+return _M