This Lua middleware script is made for use with HAProxy and a CeReSys backend.
CeReSys is a Dutch-made CRM for teletext (text television). It provides a backend for editors to log in to, but unfortunately no Active Directory or LDAP integration. That is what this middleware is here to resolve.
The CeReSys backend uses HTTP Basic authentication for login, combined with a session token. The request part of the script intercepts this authentication and does the following:
- Decode the Basic credentials from the client's Authorization header
- Check the username against the blacklist
- Verify the login is for our domain
- Authenticate the user's credentials against the LDAP backend
- Generate the backend authentication token (the derived backend password, see below)
- Set the headers and forward the request to the backend
The backend should have its users set up with a username of the form `domain-username` (the domain prefix, a hyphen, then the username). The password is a salted SHA1 hash of the bare username, which the script inserts in order to authenticate to the backend. Note that this backend password can be derived from the salt and the username alone, so keep the salt secret and make sure the backend port is reachable only through HAProxy; anyone who can reach it directly and knows the salt can log in as any user.
This string can be generated on the command line using the following command:

    echo -n '{salt}{username}' | sha1sum | tr '[:lower:]' '[:upper:]'

where `username` is the username without the domain prefix.
Alternatively, you could use this CyberChef recipe to generate the password. Enter the salt on the first line and the username on the second.
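To make the request steps above and the backend password derivation concrete, here is an added Python illustration of the same logic. It is not the project's Lua script and does not talk to HAProxy; the salt, domain and blacklist are constructed values, the client login format `DOMAIN\user` and the `ldap_check` callback standing in for the nginx-ldap-auth HTTP call are assumptions, and `backend_password` reproduces the `sha1sum` command documented above.

```python
import base64
import binascii
import hashlib

# Constructed values for this example; in the real script these come from
# its configuration (assumption, not taken from the project).
SALT = "example-salt"
DOMAIN = "zfm"
BLACKLIST = {"guest", "svc_backup"}


def backend_password(salt: str, username: str) -> str:
    """Salted SHA-1 of the bare username as upper-case hex, i.e. what
    `echo -n '{salt}{username}' | sha1sum | tr '[:lower:]' '[:upper:]'` prints."""
    return hashlib.sha1((salt + username).encode("utf-8")).hexdigest().upper()


def decode_basic(header):
    """Return (user, password) from a `Basic <base64>` Authorization header,
    or None when the header is missing, malformed or not Basic."""
    scheme, _, b64 = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        raw = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def split_domain(user: str):
    """Split DOMAIN\\user (assumed client login format) into (domain, username)."""
    domain, sep, username = user.partition("\\")
    return (domain.lower(), username) if sep and username else None


def rewrite_authorization(auth_header, ldap_check):
    """Run the README's request steps on one header and return (deny, new_header).

    ldap_check(username, password) -> bool stands in for the HTTP call to
    nginx-ldap-auth. When deny is True the request must be refused and
    new_header is None; otherwise new_header replaces the client's header.
    """
    creds = decode_basic(auth_header)
    if creds is None:
        return True, None
    user, password = creds
    parts = split_domain(user)
    if parts is None:
        return True, None
    domain, username = parts
    if username.lower() in BLACKLIST:        # blacklist is checked before LDAP
        return True, None
    if domain != DOMAIN:                     # only logins for our domain pass
        return True, None
    if not ldap_check(username, password):   # the real password only goes to LDAP
        return True, None
    backend_user = f"{domain}-{username}"    # backend account naming: domain-username
    token = f"{backend_user}:{backend_password(SALT, username)}"
    return False, "Basic " + base64.b64encode(token.encode("utf-8")).decode("ascii")


def make_basic(user: str, password: str) -> str:
    """Build a client-side Basic header (used for the usage below)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    fake_ldap = lambda u, p: (u, p) == ("alice", "correct horse")
    print(rewrite_authorization(make_basic("ZFM\\alice", "correct horse"), fake_ldap))
    print(rewrite_authorization(make_basic("ZFM\\guest", "anything"), fake_ldap))
```

The ordering matters: the blacklist and domain checks run before any LDAP round trip, so blacklisted or foreign-domain logins never generate traffic to nginx-ldap-auth, and the client's real password is never placed in the header sent to CeReSys.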
The `WWW-Authenticate` header sent by CeReSys includes a timestamp in the realm. As this breaks any password manager (the realm changes on every response), the script's response action (`lua.ceresys_realm` in the configuration below) removes this timestamp.
An example of a valid backend configuration can be found below. The `http-request deny` line must come after `lua.ceresys_auth`, since it acts on the `txn.auth_deny` variable that the Lua action sets:

    backend ceresys-srv.zfm.lan
        option httpchk
        http-request lua.ceresys_auth
        http-response lua.ceresys_realm
        http-request deny if { var(txn.auth_deny) -m bool }
        server srv ceresys-srv.zfm.lan:8080
For LDAP authentication, we depend on the nginx-ldap-auth project, which handles the LDAP backend and provides an HTTP interface for the script to interact with.