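global
    log stdout format raw local0
    # Prefer AEAD and (EC)DHE suites. The RSA+AESGCM / RSA+AES entries use static
    # RSA key exchange and give no forward secrecy; drop them once no legacy
    # client depends on them.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); require TLS 1.2 or newer on every
    # listener that does not override this.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    # JWT verification script registered as the "lua.jwtverify" http-request action.
    lua-load /usr/local/share/lua/5.4/jwtverify.lua
    # Issuer and audience the token must carry; presumably read by jwtverify.lua.
    # Replace the Auth0 URL with your own:
    setenv OAUTH_ISSUER https://youraccount.auth0.com/
    setenv OAUTH_AUDIENCE https://api.mywebsite.com
    # Note that you can use multiple keys; make sure the number of kid entries
    # matches the number of key paths (both lists are space-separated).
    setenv OAUTH_PUBKEY_PATH "/etc/haproxy/pem/pubkey.pem /etc/haproxy/pem/pubkey2.pem"
    setenv OAUTH_KID "key1 key2"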
# Settings inherited by every frontend/backend below unless overridden.
defaults
log global
mode http
option httplog
# Connect/idle limits so a slow or stalled peer cannot hold a worker open indefinitely.
timeout connect 10s
timeout client 30s
timeout server 30s
# Buffer the full request before processing so http-request rules see the whole request.
option http-buffer-request
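frontend api_gateway
    bind :443 ssl crt /etc/haproxy/pem/test.com.pem alpn h2,http1.1
    default_backend apiservers

    # Reject requests that carry no bearer credentials before running the verifier.
    http-request deny unless { req.hdr(authorization) -m found }
    # jwtverify.lua (loaded in global) validates the token; the rules below rely on
    # it setting txn.authorized and txn.oauth.scope.
    http-request lua.jwtverify
    http-request deny unless { var(txn.authorized) -m bool }

    # Scope enforcement for /api/myapp: read-only methods need read:myapp,
    # mutating methods need write:myapp. "-m sub" is a substring match, so a scope
    # such as "read:myapp2" would also satisfy it; switch to an exact or anchored
    # regex match if scope names can overlap.
    http-request deny if { path_beg /api/myapp } { method GET HEAD } ! { var(txn.oauth.scope) -m sub read:myapp }
    http-request deny if { path_beg /api/myapp } { method POST PUT DELETE PATCH } ! { var(txn.oauth.scope) -m sub write:myapp }
    # Default-deny: any other method (OPTIONS, TRACE, ...) would otherwise reach the
    # backend with no scope check at all.
    http-request deny if { path_beg /api/myapp } ! { method GET HEAD POST PUT DELETE PATCH }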
backend apiservers
balance roundrobin
# Plain HTTP to the upstream on port 80: the TLS boundary is this proxy, so the
# link to server1 is assumed to be a trusted network. No health check is
# configured, so a failed upstream is not taken out of rotation automatically.
server server1 server1:80