Skip to content
This repository has been archived by the owner on Jan 16, 2024. It is now read-only.

kudelskisecurity/haproxy-cloudflare-jwt-validator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Name

haproxy-cloudflare-jwt-validator - JSON Web Token validation for haproxy

Description

This was tested & developed with HAProxy version 2.3 & Lua version 5.3. This library provides the ability to validate JWT headers sent by Cloudflare Access.

Based off of haproxytech/haproxy-lua-jwt

Installation

Install the following dependencies:

Extract base64.lua & jwtverify.lua to the same directory like so:

git clone [email protected]:kudelskisecurity/haproxy-cloudflare-jwt-validator.git
sudo cp haproxy-cloudflare-jwt-validator/src/* /usr/local/share/lua/5.3

Version

0.3.1

Usage

JWT Issuer: https://test.cloudflareaccess.com (replace with yours in the config below)

Add the following settings in your /etc/haproxy/haproxy.cfg file:

Define a HAProxy backend, DNS Resolver, and ENV variables with the following names:

global
  lua-load  /usr/local/share/lua/5.3/jwtverify.lua
    setenv  OAUTH_HOST     test.cloudflareaccess.com
    setenv  OAUTH_JWKS_URL https://|cloudflare_jwt|/cdn-cgi/access/certs
    setenv  OAUTH_ISSUER   https://"${OAUTH_HOST}"

backend cloudflare_jwt
  mode http
  default-server inter 10s rise 2 fall 2
  server "${OAUTH_HOST}" "${OAUTH_HOST}":443 check resolvers dnsresolver resolve-prefer ipv4

resolvers dnsresolver
  nameserver dns1 1.1.1.1:53
  nameserver dns2 1.0.0.1:53
  resolve_retries 3
  timeout retry 1s
  hold nx 10s
  hold valid 10s

Obtain your Application Audience (AUD) Tag from Cloudflare and define your backend with JWT validation:

backend my_jwt_validated_app
  mode http
  http-request deny unless { req.hdr(Cf-Access-Jwt-Assertion) -m found }
  http-request set-var(txn.audience) str("1234567890abcde1234567890abcde1234567890abcde")
  http-request lua.jwtverify
  http-request deny unless { var(txn.authorized) -m bool }
  server haproxy 127.0.0.1:8080

Docker

docker run \
-v path_to/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg \
kudelskisecurity/haproxy-cloudflare-jwt-validator:0.3.0 

Blogpost

This work has been publish in our Kudelskisecurity Research blog