Show HN: Haproxy-auth-request – HTTP access control using subrequests (duesterhus.eu)
45 points by TimWolla 11 months ago | hide | past | web | favorite | 8 comments

Why do people use stateless authentication when there's absolutely no need to do so? Unless you're very large, request authentication is not going to be your bottleneck.

One of your users' session tokens was compromised - your only recourse is changing the secret and logging out everyone.

See: http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-fo...

I am not sure how this comment applies? The choice of oauth2_proxy in my case was because it is a solution that already existed. You certainly could put a stateful session service as the auth-request backend; my Lua script is agnostic to that. As an example: for one project I put a service that validated IP addresses against Tor's RBL behind nginx's auth_request module.

Yes I'm specifically talking about oauth2_proxy.

Cool project, by the way! Thank you for making it open source. I had a similar use case where I added an extra Nginx just for auth_request, this makes me reevaluate.

I think performance is not the main reason for going stateless for most people. With stateless you can more easily achieve HA of your auth server. Since it is all stateless, your auth servers don't need to know about each other. However, with stateful you need some sort of special HA construct between instances of your auth servers; otherwise they don't know which sessions exist.

In a stateless auth layer you can't do blacklisting of tokens. Hence, if your security requirements are somewhat in the "safer" range, you will need to use a bit of state to whitelist or blacklist tokens.

Direct link to the repository, in case my server does not survive HN's hug of death: https://github.com/TimWolla/haproxy-auth-request

Thanks not only for making this, but also describing your process in a blog.

I use ngx_http_auth_request_module a lot and used haproxy a lot in the past, but it's currently too limiting for my use cases - now I know it supports Lua, we're in a whole different ballgame.

> Thanks not only for making this, but also describing your process in a blog.

You're welcome. I like giving back to Open Source.

> but it's currently too limiting for my usecases

My personal experience is the opposite: for one project I specifically slapped a haproxy in front of the nginx after the fact, because I considered its HTTP "rewriting" abilities way superior. What I could do with a single ACL + http-response set-header (setting a specific CSP for a single path only) would have resulted in great pain with nginx only.
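As an added illustration (not configuration from the thread, the author's blog or the haproxy-auth-request repository), the snippet below puts both points from this thread into one HAProxy frontend: the auth-request subrequest gating a path, and the "single ACL + http-response set-header" per-path CSP from the last comment. The backend names, ports, paths and the Lua file location are assumptions; the `lua.auth-request` action and the `txn.auth_response_successful` variable are as I recall them from the project's README, so check them against the repository before use.

```haproxy
# Added example, not from the thread or the project's own docs.
# Assumed: be_app, be_auth, /app, /admin, /api/v1/auth, the ports and
# the path of auth-request.lua. The Lua action and txn variable names
# follow the haproxy-auth-request README (verify against the repo).
global
    # Load the auth-request Lua script (file path is an assumption).
    lua-load /usr/local/etc/haproxy/auth-request.lua

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind :80

    # Keep the request path in a txn variable: request fetches such as
    # `path` are not reliably available in http-response rules, whereas
    # txn variables survive into the response phase.
    http-request set-var(txn.path) path

    # Only /app is gated by the subrequest. The auth backend (here an
    # oauth2_proxy-style service) replies 2xx to allow, anything else denies.
    acl needs_auth path_beg /app
    http-request lua.auth-request be_auth /api/v1/auth if needs_auth
    http-request deny if needs_auth ! { var(txn.auth_response_successful) -m bool }

    # Per-path CSP: tighten only /admin, leave every other path untouched.
    http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" if { var(txn.path) -m beg /admin }

    default_backend be_app

# Target of the subrequest; a stateful session checker fits here just as well.
backend be_auth
    server auth 127.0.0.1:4180

backend be_app
    server app 127.0.0.1:8080
```

A stateful be_auth that consults a revocation list is what gives you the per-token blacklisting the stateless-vs-stateful comments above debate, without changing the frontend at all.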
