
Show HN: Haproxy-auth-request – HTTP access control using subrequests - TimWolla
https://bl.duesterhus.eu/20180119/
======
lima
Why do people use stateless authentication when there's absolutely no need to
do so? Unless you're very large, request authentication is not going to be
your bottleneck.

One of your users' session tokens was compromised - your only recourse is
changing the secret and logging out everyone.

See: [http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/](http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/)

~~~
TimWolla
I am not sure how this comment applies? The choice for oauth2_proxy in my case
was, because it is a solution that already existed. You certainly could put a
stateful session service as the auth-request backend, my Lua script is
agnostic to that. As an example: For one project I put a service that
validated IP addresses against Tor's RBL behind nginx' auth_request module.

~~~
lima
Yes I'm specifically talking about oauth2_proxy.

Cool project, by the way! Thank you for making it open source. I had a similar
use case where I added an extra Nginx just for auth_request, this makes me
reevaluate.

------
TimWolla
Direct link to the repository, in case my server does not survive HN's hug of
death: [https://github.com/TimWolla/haproxy-auth-request](https://github.com/TimWolla/haproxy-auth-request)

~~~
plange
Thanks not only for making this, but also describing your process in a blog.

I use ngx_http_auth_request_module a lot and used haproxy a lot in the past,
but it's currently too limiting for my use cases - now I know it supports Lua,
we're in a whole different ballgame.

~~~
TimWolla
> Thanks not only for making this, but also describing your process in a blog.

You're welcome. I like giving back to Open Source.

> but it's currently too limiting for my usecases

My personal experience is the opposite: For one project I specifically slapped
a haproxy in front of the nginx after the fact, because I considered its
HTTP "rewriting" abilities way superior. What I could do with a single ACL +
http-response set-header (setting a specific CSP for a single path only) would
have resulted in great pain with nginx only.
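The two things discussed in this thread, a subrequest-based auth check in front of a backend and a per-path CSP via one ACL plus http-response set-header, fit in a short HAProxy configuration. The fragment below is an added illustration, not configuration from the linked repository or from any commenter; the Lua script path, the `lua.auth-request` action and the `txn.auth_response_successful` variable are assumed from the project's own documentation rather than from this page, and the backend names, the `/admin` path and the certificate path are constructed placeholders.

```haproxy
# Added example (not the project's or the commenters' config).
# Assumed: auth-request.lua from haproxy-auth-request is installed at this path,
# and it exposes the lua.auth-request action and txn.auth_response_successful.
global
    lua-load /etc/haproxy/auth-request.lua

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind :443 ssl crt /etc/haproxy/certs/example.pem   # placeholder cert path

    # Subrequest auth: HAProxy sends a request to be_auth and lets the original
    # request through only if that backend answered 2xx (assumed action/variable names).
    http-request lua.auth-request be_auth /validate
    http-request deny if ! { var(txn.auth_response_successful) -m bool }

    # Request-time samples such as path may be gone by the time response rules
    # run, so stash the path in a transaction variable first.
    http-request set-var(txn.req_path) path

    # One ACL + one set-header: a stricter CSP for the admin UI only (constructed path).
    acl is_admin var(txn.req_path) -m beg /admin
    http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" if is_admin

    default_backend be_app

backend be_auth
    # The auth service (e.g. oauth2_proxy or a stateful session checker) answers
    # 2xx for a valid session and 401/403 otherwise; placeholder address.
    server auth 127.0.0.1:4180

backend be_app
    server app 127.0.0.1:8080   # placeholder application address
```

Storing the path in `txn.req_path` is the detail that makes the response-side ACL reliable; HAProxy does not guarantee that request samples are still available when `http-response` rules are evaluated, and the txn-scoped variable lives for the whole transaction.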

