HAProxy chainloading Lua Scripts

Started by sorano, September 07, 2020, 10:06:08 PM

So I'm testing out running Authelia behind HAProxy in OPNsense and since a new commit to the Lua scripts it's finally possible to run without luasockets.

I'm trying to deploy this in the OPNsense webui as much as possible, incl. loading the Lua scripts. The reasoning for that is that any changes to the scripts will get synced to the standby CARP host.

However, I'm having some troubles when a Lua script tries to load another Lua script like this:

local http = require("haproxy-lua-http")

If I add the haproxy-lua-http script directly in OPNsense HAProxy Lua Scripts it will get a randomly generated name and the first script fails on the code above with a Lua runtime error.

The solution is to put the script as /usr/local/share/lua/5.3/haproxy-lua-http.lua but then it will not get synced to standby host.

Is there any obvious solution that I'm missing?
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Ok, spending some more time troubleshooting this I upgraded the HAProxy package to haproxy-2.2.2 just for testing.

In HAProxy >= 2.1.3 we can use lua-prepend-path,
http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#lua-prepend-path

Then I add a prepend-path in the HAProxy config for the Lua script's autogenerated name from OPNsense like this:

lua-prepend-path /tmp/haproxy/lua/5f57638f250b46.07710505.lua

Checking config with
haproxy -c -f /usr/local/etc/haproxy.conf

And it properly validates.

So I guess it'll be best to wait until we get HAProxy >= 2.1.3 in the official OPNsense plugin.
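An added example (not the poster's configuration, and not from the OPNsense plugin) of how the two pieces fit together once lua-prepend-path is available: the global section points Lua's module search path at a directory of your choosing, and the entry script loaded with lua-load then resolves its require() call against that path. Lua's searcher replaces the "?" with the name given to require() and rewrites dots in that name to directory separators, which is why a file that OPNsense names 5f57638f250b46.07710505.lua cannot be reached by require() under that name. The directory and the entry-script filename below are assumptions; the module file must be named after the require string, haproxy-lua-http.lua.

```haproxy
global
    # Assumed directory. "?" is substituted with the module name passed
    # to require(), so require("haproxy-lua-http") looks for
    # /usr/local/etc/haproxy/lua/haproxy-lua-http.lua first, then the
    # package-style layout haproxy-lua-http/init.lua.
    lua-prepend-path /usr/local/etc/haproxy/lua/?.lua
    lua-prepend-path /usr/local/etc/haproxy/lua/?/init.lua

    # Assumed entry-script name. HAProxy runs this file at startup; its
    # line  local http = require("haproxy-lua-http")  is resolved through
    # the prepended paths above, not through the file's own name.
    lua-load /usr/local/etc/haproxy/lua/auth-request.lua
```

Validate with the same check used above, haproxy -c -f /usr/local/etc/haproxy.conf, on every CARP member, since a module file placed outside the webui is not synced to the standby host.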

Hi There, I would love to hear more about how you have set this up.  I have been wanting to get authelia set up and working with HAProxy.  Are you running Authelia in a docker somewhere on your lan?  Have any tips for getting it setup and how to use it on specific subdomains?

Quote from: greymatter313 on February 24, 2021, 11:16:59 PM
Hi There, I would love to hear more about how you have set this up.  I have been wanting to get authelia set up and working with HAProxy.  Are you running Authelia in a docker somewhere on your lan?  Have any tips for getting it setup and how to use it on specific subdomains?

Yes I'm running it in a docker container in my DMZ.

The biggest gotcha in running it under HAProxy stable in OPNSense with HA is the loading of all lua scripts.
However, that will be a lot easier when os-haproxy 3.0 is merged, which should hopefully be pretty soon.

Otherwise the config is pretty much the same as the Authelia examples in their documentation. Just translate those examples to Conditions and Rules in the OPNsense webui and take a look at the generated HAProxy config file via CLI to verify it looks the same if you are unsure :)


Ever solve this?  I am struggling with the Lua file.  The http-auth Lua uses haproxy-lua-http ... which I can't seem to find.

Quote from: EFaden on June 12, 2021, 06:34:56 PM
Ever solve this?  I am struggling with the Lua file.  The http-auth Lua uses haproxy-lua-http ... which I can't seem to find.

Solve what exactly?

The "chainloading"/require between lua scripts added via the webui is not working due to the way that OPNsense autogenerates the filenames of lua scripts (dot in the middle of the filename).

See this issue on github and give your input in order to give the issue more attention.
https://github.com/opnsense/plugins/issues/2265

Until that gets fixed the solution is posted in my first post in this thread:

Quote from: sorano on September 07, 2020, 10:06:08 PM
The solution is to put the script as /usr/local/share/lua/5.3/haproxy-lua-http.lua but then it will not get synced to standby host.

If you have more than one host you will need to add the file manually to each host.

Hello

I am trying to integrate Authelia with HAProxy and I am struggling with the configuration. I try to follow the Authelia documentation, but the problem is there is some configuration that I don't know how to do in the web GUI. I go to the CLI and try to modify haproxy.conf, but the problem is that when I hit apply in the GUI the config I modified in the CLI disappears. Is there any other option?
Thank you