-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathhaproxy.cfg
46 lines (33 loc) · 1.41 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
global
lua-load /usr/local/etc/haproxy/emissary.lua
defaults
mode http
timeout client 10s
timeout connect 3s
timeout server 30s
frontend ingress
monitor-uri /_health_check
bind 0.0.0.0:7070
##### if we dont have a x-emissary-auth header skip
##### auth to avoid blocking services that are not
##### emissary enabled
acl emissary_auth req.hdr_cnt(x-emissary-auth) gt 0
# send an ingress emissary auth request to lua
http-request lua.emissary_ingress 172.200.1.100 9090 if emissary_auth
# deny the request if auth fails in lua (emissary returns a 403 status code)
http-request deny if emissary_auth ! { var(txn.emissary_ingress_success) -m bool }
# any request that makes it here hasnt been denied above
http-request set-header x-emissary-auth-status success
default_backend app
frontend egress
bind 0.0.0.0:17000
# send an egress emissary auth request to lua use emissary for subrequests
http-request lua.emissary_egress 172.200.1.100 9090
# deny the request if auth fails in lua (emissary returns a 403 status code)
http-request deny if ! { var(txn.emissary_egress_success) -m bool }
# set the auth token in the header of the request
http-request set-header x-emissary-auth %[var(txn.emissary_egress_token)] if { var(txn.emissary_egress_success) -m bool }
# any request that makes it here hasnt been denied above
default_backend app
backend app
server app app_container:8000