HAProxy Anubis Authelia integration
global
    # all file names are relative to the directory containing this config
    # file by default
    default-path config
    # refuse to start if any warning is emitted at boot (keep configs clean)
    zero-warning
    # Security hardening: chroot the worker and drop root after binding.
    # Anything read at runtime (not at startup) must live under the chroot.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    # daemonize (left disabled: the service manager supervises the process)
    # daemon
    # pidfile /var/run/haproxy-svc1.pid
    # do not keep old processes longer than that after a reload
    hard-stop-after 5m
    # The command-line-interface (CLI) used by the admin, by provisioning
    # tools, and to transfer sockets during reloads.
    # `level admin` grants full runtime control (servers, maps, ACLs), so the
    # socket is owner-only (mode 600, user haproxy); `expose-fd listeners`
    # is what makes seamless reloads possible.
    stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
    stats timeout 1h
    # send logs to stderr for logging via the service manager
    log stderr local0 info
    # intermediate security for SSL, from https://ssl-config.mozilla.org/
    # TLS 1.2 suites are AEAD + (EC)DHE only; the second line is the TLS 1.3 set.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # no SSLv3/TLS 1.0/1.1; `no-tls-tickets` disables stateless session tickets
    # (forward-secrecy trade-off: resumption then depends on the session cache).
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Lua: the HTTP client library must be on the path before auth-request.lua
    # is loaded, because the latter requires it at load time.
    lua-prepend-path /usr/share/haproxy/?/http.lua
    lua-load /usr/share/haproxy/auth-request.lua
    # NOTE(review): second global log target, at `debug` level and on stdout.
    # Together with the stderr `info` target above every request is logged
    # twice (both streams usually land in the same journal), and the debug
    # level is the most verbose one -- confirm this is intended outside of
    # troubleshooting and not a leftover.
    log stdout format raw local0 debug
# default settings common to all HTTP proxies below
# (named section; every frontend/backend/listen below inherits it)
defaults http
    mode http
    option httplog
    log global
    # inactivity limits on either side of the proxy
    timeout client 1m
    timeout server 1m
    timeout connect 10s
    timeout http-keep-alive 2m
    # how long a request may wait for a free server connection
    timeout queue 15s
    # long-lived upgraded connections are bounded separately
    timeout tunnel 4h # for websocket
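frontend public
    # Public TLS entry point; every certificate in the directory is loaded
    # and selected by SNI.
    bind *:443 name secure ssl crt /etc/haproxy/certs/
    option socket-stats # provide per-bind line stats
    option http-ignore-probes
    # TODO(review): consider an HSTS response header here once all
    # subdomains are known to be HTTPS-only.
    ## Trusted Proxies
    # Only peers listed in the ACL file may supply X-Forwarded-For; from
    # anyone else the header is stripped so a client cannot spoof its source
    # address towards Authelia/Anubis. If no (trusted) header survives, seed
    # it with the direct peer address. This is the ONLY place X-Forwarded-For
    # is written -- an unconditional set-header further down would silently
    # undo the trusted-proxy handling.
    acl src-trusted_proxies src -f /etc/haproxy/trusted_proxies.src.acl
    http-request del-header X-Forwarded-For if !src-trusted_proxies
    acl hdr-xff_exists req.hdr(X-Forwarded-For) -m found
    http-request set-header X-Forwarded-For %[src] if !hdr-xff_exists
    # Host ACLs
    # host-apex is currently unused (no use_backend for it).
    acl host-apex hdr(Host) -i example.com
    # despite the name this matches on the *path*: Anubis challenge assets
    acl host-anubis path_beg -i /.within.website/
    acl host-authelia hdr(Host) -i auth.example.com
    # Anchored at both ends (with an optional :port) so only first-level
    # subdomains of example.com other than auth./anubis. count as protected.
    # Unanchored, any Host merely *starting* with such a name
    # (e.g. app.example.com.attacker.tld) also matched and was routed to
    # be_service.
    acl protected-frontends hdr(host) -m reg -i ^(?!auth\.|anubis\.)[^.]+\.example\.com(:[0-9]+)?$
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request set-var(req.scheme) str(https) if { ssl_fc }
    http-request set-var(req.questionmark) str(?) if { query -m found }
    # Required Headers (consumed by Authelia's forward-auth endpoint)
    # X-Real-IP is the direct peer (possibly a trusted proxy), not the
    # X-Forwarded-For client. X-Forwarded-For was handled above and is
    # deliberately not overwritten here.
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Method %[method]
    http-request set-header X-Forwarded-Proto %[var(req.scheme)]
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    http-request set-header X-Forwarded-URI %[path]%[var(req.questionmark)]%[query]
    # Protect endpoints with Authelia
    # The Lua call fills txn.auth_response_successful / _code / _location.
    http-request lua.auth-request be_authelia_proxy /api/authz/forward-auth if protected-frontends
    # 403 = authenticated but not authorised: hard deny, no redirect.
    http-request deny if protected-frontends !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 403 }
    # Any other failure (typically 401): send the user to the Authelia portal.
    # NOTE(review): both `scheme https` and `location` are given on this
    # redirect; only one redirect type can apply -- confirm it parses as a
    # `location` redirect (which is what is wanted here).
    http-request redirect scheme https location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
    # Protect endpoints with Anubis
    # Runs after Authelia and overwrites the same txn.auth_response_* vars;
    # that is fine because the Authelia rules above have already acted.
    http-request lua.auth-request be_anubis_proxy /.within.website/x/cmd/anubis/api/check if !host-anubis
    # A 403 from Anubis is a hard refusal: deny it BEFORE the challenge
    # redirect, mirroring the Authelia rules above. With the redirect first,
    # the deny was unreachable (a 403 is never "successful", so the redirect
    # always fired).
    http-request deny if !host-anubis !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 403 }
    # Otherwise bounce to the challenge page, carrying the original URI.
    # NOTE(review): the redir value is not URL-encoded (an '&' in the query
    # truncates it) and a request-target starting with // yields a
    # protocol-relative redir -- confirm Anubis validates the redir target.
    http-request redirect scheme https code 307 location /.within.website/?redir=%[path]%[var(req.questionmark)]%[query] if !host-anubis !{ var(txn.auth_response_successful) -m bool }
    # Routing: challenge assets, the auth portal, then protected apps.
    # Anything else falls through with no backend (503).
    use_backend be_anubis_proxy if host-anubis
    use_backend be_authelia if host-authelia
    use_backend be_service if protected-frontends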
backend be_anubis_proxy
    # Plain-HTTP hop into the loopback `anubis_proxy` listener below. Used
    # both as the lua.auth-request target for the Anubis check and as the
    # routing backend for /.within.website/ requests.
    server proxy 127.0.0.1:9092 check
listen anubis_proxy
    # Loopback-only cleartext listener; presumably exists so that
    # auth-request.lua (which is handed a backend name) can reach a
    # TLS-only Anubis -- confirm. Any local process can use this port.
    bind 127.0.0.1:9092
    # NOTE(review): `verify none` skips certificate validation. Acceptable
    # only while the target stays on loopback; pin with ca-file / verify
    # required if it ever moves off-host.
    server anubis 127.0.0.1:8443 ssl verify none
backend be_authelia
    # User-facing Authelia portal (auth.example.com), spoken to directly over TLS.
    # NOTE(review): `verify none` skips certificate validation; fine on
    # loopback, not elsewhere.
    server authelia 127.0.0.1:8443 ssl verify none
backend be_authelia_proxy
    # Plain-HTTP hop into the loopback `authelia_proxy` listener below; this
    # is the lua.auth-request target for /api/authz/forward-auth.
    server proxy 127.0.0.1:9093 check
listen authelia_proxy
    # Loopback-only cleartext listener for the Lua forward-auth client;
    # re-wraps the request in TLS towards Authelia. Any local process can
    # use this port.
    bind 127.0.0.1:9093
    # NOTE(review): `verify none` skips certificate validation; acceptable
    # only while the target stays on loopback.
    server authelia 127.0.0.1:8443 ssl verify none
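backend be_service
    ## Pass the Authelia set-cookie response headers to the user.
    # add-header rather than set-header: set-header replaces every existing
    # Set-Cookie, so the application's own cookies were dropped whenever
    # Authelia refreshed its session cookie on the same response.
    acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
    http-response add-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist
    # NOTE(review): the Anubis auth-request in the frontend runs after
    # Authelia's and writes the same req.auth_response_header.* variables;
    # confirm an Anubis Set-Cookie cannot displace the Authelia one here.
    # NOTE(review): Anubis, Authelia and this service are all addressed as
    # 127.0.0.1:8443 with `verify none` and no `sni`; whatever listens there
    # must be routing on the Host header -- confirm.
    server service 127.0.0.1:8443 ssl verify none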