Adding docker examples (#2)

* examples: adding docker example

Author: BojanZelic

.gitignore

@@ -1 +1,3 @@
-.idea
+.idea
+example/certs
+example/cloudflare_mock

Dockerfile

@@ -0,0 +1,34 @@
+FROM haproxy:1.9
+
+WORKDIR /root
+
+RUN apt update && \
+    apt install lua5.3 liblua5.3-dev wget make libssl-dev -y && \
+
+    mkdir -p /usr/local/share/lua/5.3 && \
+
+    wget https://github.com/haproxytech/haproxy-lua-http/archive/master.tar.gz && \
+    tar -xf master.tar.gz -C /usr/local/share/lua/5.3 && \
+    ln -s /usr/local/share/lua/5.3/haproxy-lua-http-master/http.lua /usr/local/share/lua/5.3/http.lua && \
+    rm /root/master.tar.gz && \
+
+    wget https://github.com/rxi/json.lua/archive/v0.1.2.tar.gz && \
+    tar -xf v0.1.2.tar.gz -C /usr/local/share/lua/5.3 && \
+    ln -s /usr/local/share/lua/5.3/json.lua-0.1.2/json.lua /usr/local/share/lua/5.3/json.lua && \
+    rm /root/v0.1.2.tar.gz && \
+
+    wget https://github.com/diegonehab/luasocket/archive/master.tar.gz && \
+    tar -xf master.tar.gz -C /usr/local/share/lua/5.3 && \
+    cd /usr/local/share/lua/5.3/luasocket-master && \
+    make clean all install-both LUAINC=/usr/include/lua5.3 && \
+    rm /root/master.tar.gz && \
+
+    cd /root && \
+    wget https://github.com/wahern/luaossl/archive/rel-20190731.tar.gz && \
+    tar -xf rel-20190731.tar.gz -C /usr/local/share/lua/5.3 && \
+    cd /usr/local/share/lua/5.3/luaossl-rel-20190731 && \
+    make install && \
+    rm /root/rel-20190731.tar.gz
+
+COPY ./src/base64.lua /usr/local/share/lua/5.3
+COPY ./src/jwtverify.lua /usr/local/share/lua/5.3

README.md

@@ -14,6 +14,7 @@ Install the following dependencies:
 * [haproxy-lua-http](https://github.com/haproxytech/haproxy-lua-http)
 * [rxi/json](https://github.com/rxi/json.lua)
 * [wahern/luaossl](https://github.com/wahern/luaossl)
+* [diegonehab/luasocket](https://github.com/diegonehab/luasocket)
 
 Extract base64.lua & jwtverify.lua to the same directory like so:
 
@@ -37,13 +38,14 @@ Define a HAProxy backend, DNS Resolver, and ENV variables with the following nam
 ```
 global
   lua-load  /usr/local/share/lua/5.3/jwtverify.lua
-  setenv  OAUTH_JWKS_URL https://|cloudflare_jwt|/cdn-cgi/access/certs
-  setenv  OAUTH_ISSUER https://test.cloudflareaccess.com
+    setenv  OAUTH_HOST     test.cloudflareaccess.com
+    setenv  OAUTH_JWKS_URL https://|cloudflare_jwt|/cdn-cgi/access/certs
+    setenv  OAUTH_ISSUER   https://"${OAUTH_HOST}"
 
 backend cloudflare_jwt
   mode http
   default-server inter 10s rise 2 fall 2
-  server test.cloudflareaccess.com test.cloudflareaccess.com:443 check ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt resolvers dnsresolver resolve-prefer ipv4
+  server "${OAUTH_HOST}" "${OAUTH_HOST}":443 check resolvers dnsresolver resolve-prefer ipv4
 
 resolvers dnsresolver
   nameserver dns1 1.1.1.1:53
@@ -60,7 +62,7 @@ Obtain your Application Audience (AUD) Tag from Cloudflare and define your backe
 backend my_jwt_validated_app
   mode http
   http-request deny unless { req.hdr(Cf-Access-Jwt-Assertion) -m found }
-  http-request set-var(txn.audience) str("4714c1358e65fe4b408ad6d432a5f878f08194bdb4752441fd56faefa9b2b6f2")
+  http-request set-var(txn.audience) str("1234567890abcde1234567890abcde1234567890abcde")
   http-request lua.jwtverify
   http-request deny unless { var(txn.authorized) -m bool }
   server haproxy 127.0.0.1:8080

example/docker-compose.yml

@@ -0,0 +1,28 @@
+version: '3'
+
+services:
+  haproxy_cloudflare_jwt_validator:
+    build: ../
+    image: haproxy_cloudflare_jwt_validator:latest
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
+      - ../src/jwtverify.lua:/usr/local/share/lua/5.3/jwtverify.lua
+      - ../src/base64.lua:/usr/local/share/lua/5.3/base64.lua
+    depends_on:
+      - debug_http_listener
+      - cloudflare_mock
+
+  debug_http_listener:
+    image: mendhak/http-https-echo
+
+  cloudflare_mock:
+    image: python:2.7
+    volumes:
+      - ./cloudflare_mock/cdn-cgi:/cdn-cgi
+    expose:
+      - "80"
+    ports:
+      - "8081:80"
+    command: python -m SimpleHTTPServer 80

example/haproxy/haproxy.cfg

@@ -0,0 +1,43 @@
+# This file managed by Puppet
+global
+    log stdout  format raw  local0  debug
+    maxconn 4096
+    daemon
+    lua-load  /usr/local/share/lua/5.3/jwtverify.lua
+    setenv  OAUTH_HOST   cloudflare_mock
+    setenv  OAUTH_JWKS_URL http://|cloudflare_jwt|/cdn-cgi/access/certs
+    setenv  OAUTH_ISSUER http://"${OAUTH_HOST}"
+
+defaults
+    log     global
+    mode    http
+    option  httplog
+    option  dontlognull
+    option  forwardfor
+    option  http-server-close
+    stats   enable
+    stats   uri /haproxyStats
+    timeout  http-request 10s
+    timeout  queue 1m
+    timeout  connect 10s
+    timeout  client 1m
+    timeout  server 1m
+    timeout  check 10s
+
+frontend http-in
+  bind *:8080
+  mode http
+  use_backend http-backend
+
+backend http-backend
+  mode http
+  http-request deny unless { req.hdr(Cf-Access-Jwt-Assertion) -m found }
+  http-request set-var(txn.audience) str("1234567890abcde1234567890abcde1234567890abcde")
+  http-request lua.jwtverify
+  http-request deny unless { var(txn.authorized) -m bool }
+  server debug_http_listener debug_http_listener:80 check
+
+backend cloudflare_jwt
+  mode http
+  default-server inter 10s rise 2 fall 2
+  server "${OAUTH_HOST}" "${OAUTH_HOST}":80 check

example/jwt_test.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+mkdir -p cloudflare_mock/cdn-cgi/access
+
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
+    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
+    -keyout certs/private.key  -out certs/certificate.pem
+
+CERT=$(cat certs/certificate.pem)
+
+jq -n --arg cert "$CERT" '{public_certs: [{kid: "1", cert: $cert}, {kid: "2", cert: $cert}]}' \
+  > cloudflare_mock/cdn-cgi/access/certs
+
+docker-compose stop
+docker-compose up -d
+
+CLAIM='{
+  "aud": [
+    "1234567890abcde1234567890abcde1234567890abcde"
+  ],
+  "email": "[email protected]",
+  "sub": "1234567890",
+  "name": "John Doe",
+  "admin": true,
+  "iss": "http://cloudflare_mock",
+  "iat": 1593204858,
+  "nbf": 1593204858,
+  "exp": 3993204858,
+  "type": "app",
+  "identity_nonce": "11111111111",
+  "custom": {}
+}'
+
+while ! nc -z localhost 8080; do
+  sleep 0.1
+done
+
+#wait a couple of seconds for the backends to start for haproxy
+sleep 3
+
+JWT_TOKEN=$(jwtgen -a RS256 -p certs/private.key --claims "$CLAIM")
+
+curl -H "Cf-Access-Jwt-Assertion: ${JWT_TOKEN}" localhost:8080
+
+docker-compose stop