22<html lang="en">
33 <head>
44 <meta charset="utf-8" />
5- <title>HAProxy version 3.3-dev2-5 - Configuration Manual</title>
5+ <title>HAProxy version 3.3-dev2-22 - Configuration Manual</title>
66 <link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
77 <link href="https://raw.githubusercontent.com/thomaspark/bootswatch/v3.3.7/cerulean/bootstrap.min.css" rel="stylesheet" />
88 <link href="../css/page.css?0.4.2-15" rel="stylesheet" />
45934593 You can use <strong>left</strong> and <strong>right</strong> arrow keys to navigate between chapters.<br>
45944594 </p>
45954595 <p class="text-right">
4596- <small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/06/26 </b></small>
4596+ <small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/06/30 </b></small>
45974597 </p>
45984598 </div>
45994599 <!-- /.sidebar -->
46044604 <div class="text-center">
46054605 <h1><a href="http://www.haproxy.org/" title="HAProxy"><img src="../img/HAProxyCommunityEdition_60px.png?0.4.2-15" /></a></h1>
46064606 <h2>Configuration Manual</h2>
4607- <p><strong>version 3.3-dev2-5 </strong></p>
4607+ <p><strong>version 3.3-dev2-22 </strong></p>
46084608 <p>
46094609 2025/06/26<br>
46104610
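Review bot: the document date kept as context under the version line (2025/06/26) is not updated, although the title and version line move from 3.3-dev2-5 to 3.3-dev2-22 and the haproxy-dconv stamp moves to 2025/06/30. If that date is copied from the source manual this is expected; otherwise it should follow the version, here and in the page footer, so readers can tell which snapshot of the jwt_verify text they are looking at.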
@@ -24462,11 +24462,19 @@ <h3 id="chapter-7.3.1" data-target="7.3.1"><small><a class="small" href="#7.3.1"
2446224462compiled with USE_OPENSSL.
2446324463</pre><a class="anchor" name="jwt_verify"></a><a class="anchor" name="7-jwt_verify"></a><a class="anchor" name="7.3.1-jwt_verify"></a><a class="anchor" name="jwt_verify (Using ACLs and fetching samples)"></a><a class="anchor" name="jwt_verify (Converters)"></a><div class="keyword"><b><a class="anchor" name="jwt_verify"></a><a href="#7.3.1-jwt_verify">jwt_verify</a></b>(<span style="color: #080"><alg></span>,<span style="color: #080"><key></span>)</div><pre class="text">Performs a signature verification for the JSON Web Token (JWT) given in input
2446424464by using the <alg> algorithm and the <key> parameter, which should either
24465- hold a secret or a path to a public certificate. Returns 1 in case of
24466- verification success, 0 in case of verification error and a strictly negative
24467- value for any other error. Because of all those non-null error return values,
24468- the result of this converter should never be converted to a boolean. See
24469- below for a full list of the possible return values.
24465+ hold a secret, a path to a public key or a path to a public certificate. When
24466+ using a public key, it should either be in the PKCS#1 format (for RSA keys,
24467+ starting with BEGIN RSA PUBLIC KEY) or SPKI format (Subject Public Key Info,
24468+ starting with BEGIN PUBLIC KEY). Certificates should be a regular PEM
24469+ certificate (starting with BEGIN CERTIFICATE). If a full-on certificate is
24470+ used, it can either be used directly in the converter or passed via a
24471+ variable if it was already known by haproxy (previously loaded in a crt-store
24472+ for instance).
24473+ Returns 1 in case of verification success, 0 in case of verification failure
24474+ and a strictly negative value for any other error. Because of all those
24475+ non-null error return values, the result of this converter should never be
24476+ converted to a boolean. See below for a full list of the possible return
24477+ values.
2447024478
2447124479For now, only JWS tokens using the Compact Serialization format can be
2447224480processed (three dot-separated base64-url encoded strings). All the
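Review bot: the added sentence "it can either be used directly in the converter or passed via a variable if it was already known by haproxy" does not say what the variable has to contain (the file path as a string, or the name the certificate has in the crt-store), and only the following paragraph makes clear that the variable form is meant for certificates and not for bare public keys. Suggest stating both points in this paragraph, where the three accepted key forms are first listed, and replacing "full-on certificate" with plain "certificate".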
@@ -24475,16 +24483,19 @@ <h3 id="chapter-7.3.1" data-target="7.3.1"><small><a class="small" href="#7.3.1"
2447524483
2447624484If the used algorithm is of the HMAC family, <key> should be the secret used
2447724485in the HMAC signature calculation. Otherwise, <key> should be the path to the
24478- public certificate that can be used to validate the token's signature. All
24479- the certificates that might be used to verify JWTs must be known during init
24480- in order to be added into a dedicated certificate cache so that no disk
24481- access is required during runtime. For this reason, any used certificate must
24482- be mentioned explicitly at least once in a jwt_verify call. Passing an
24483- intermediate variable as second parameter is then not advised.
24486+ public key or certificate that can be used to validate the token's signature.
24487+ All the public keys and certificates that might be used to verify JWTs must
24488+ be known during init in order to be added into a dedicated cache so that no
24489+ disk access is required during runtime. For this reason, any used public key
24490+ must be mentioned explicitly at least once in a jwt_verify call and every
24491+ certificate used must be loaded by haproxy (in a crt-store or mentioned
24492+ explicitly in a 'jwt_verify' call). Passing a variable as second parameter is
24493+ then not advised unless you only use certificates that fill one of those
24494+ prerequisites.
2448424495
2448524496This converter only verifies the signature of the token and does not perform
2448624497a full JWT validation as specified in <a href="#7.2">section 7.2</a> of RFC7519. We do not
24487- ensure that the header and payload contents are fully valid JSON's once
24498+ ensure that the header and payload contents are fully valid JSONs once
2448824499decoded for instance, and no checks are performed regarding their respective
2448924500contents.
2449024501
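Review bot: "Passing a variable as second parameter is then not advised unless you only use certificates that fill one of those prerequisites" leaves the failure case undocumented: the paragraph does not say what jwt_verify returns at runtime when the variable resolves to a public key or certificate that was not loaded at init. Suggest naming the return code for that case next to this sentence, since the text above already warns that error values are non-null and an ACL that does not compare against exactly 1 would accept them, and changing "fill" to "meet". It would also help to state here that <alg> should be pinned before the call, as the example does with the "RS256" string match, because the same <key> argument is documented as an HMAC secret or as a path depending on <alg>.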
@@ -24500,6 +24511,7 @@ <h3 id="chapter-7.3.1" data-target="7.3.1"><small><a class="small" href="#7.3.1"
2450024511| -3 | "Invalid token" |
2450124512| -4 | "Out of memory" |
2450224513| -5 | "Unknown certificate" |
24514+ | -6 | "Internal error" |
2450324515+----+----------------------------------------------------------------------+
2450424516
2450524517Please note that this converter is only available when HAProxy has been
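Review bot: the new -6 row says only "Internal error", which gives an operator nothing to act on. Suggest a short description of the conditions that produce it and how it differs from -4 "Out of memory", plus a reminder next to the table that every value other than 1 is a rejection, so rules must test for 1 and not for a non-zero result.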
@@ -24512,7 +24524,7 @@ <h3 id="chapter-7.3.1" data-target="7.3.1"><small><a class="small" href="#7.3.1"
2451224524http-request set-var(txn.bearer) http_auth_bearer
2451324525http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')
2451424526http-request deny unless { var(txn.jwt_alg) -m str "RS256" }
24515- http-request deny unless { var(txn.bearer),jwt_verify(txn.jwt_alg,"/path/to/crt .pem") 1 }
24527+ http-request deny unless { var(txn.bearer),jwt_verify(txn.jwt_alg,"/path/to/cert .pem") 1 }
2451624528</code></pre>
2451724529</div><a class="anchor" name="language"></a><a class="anchor" name="7-language"></a><a class="anchor" name="7.3.1-language"></a><a class="anchor" name="language (Using ACLs and fetching samples)"></a><a class="anchor" name="language (Converters)"></a><div class="keyword"><b><a class="anchor" name="language"></a><a href="#7.3.1-language">language</a></b>(<span style="color: #080"><value></span><span style="color: #008">[,<span style="color: #080"><default></span>]</span>)</div><pre class="text">Returns the value with the highest q-factor from a list as extracted from the
2451824530"accept-language" header using "<a href="#req.fhdr">req.fhdr</a>". Values with no q-factor have a
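Review bot: the example still shows only a certificate path, while the description now also covers PKCS#1 and SPKI public keys and certificates passed through a variable after being loaded in a crt-store. Suggest adding one line per new form so readers do not have to guess the syntax. The path literal also appears with a space before ".pem" on both the removed and the added line; if that is in the source and not a rendering artifact, it should be removed while this line is being touched.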
@@ -33062,7 +33074,7 @@ <h2 id="chapter-12.8" data-target="12.8"><small><a class="small" href="#12.8">12
3306233074 <br>
3306333075 <hr>
3306433076 <div class="text-right">
33065- HAProxy 3.3-dev2-5 – Configuration Manual<br>
33077+ HAProxy 3.3-dev2-22 – Configuration Manual<br>
3306633078 <small>, 2025/06/26</small>
3306733079 </div>
3306833080 </div>