HAProxy Config

# _md5hash=f958d187be6300da982354f7af54581d
# _version=38
# Dataplaneapi managed File
# changing file directly can cause a conflict if dataplaneapi is running

global
  # Workers drop to haproxy:haproxy inside a chroot; in master-worker mode the
  # master keeps its starting privileges so it can re-exec workers on reload.
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  master-worker
  # Runtime API socket consumed by dataplaneapi (see "program api" below).
  # "level admin" allows full control (server state, ACL/map edits, and with
  # expose-fd even listener FD hand-over), so the 660 owner/group restriction
  # is the only thing protecting it - never expose this socket over the network.
  stats socket /var/run/haproxy.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
  # NOTE(review): the defaults section says "log global", but no "log" target
  # is defined here, so no access/error logs are emitted at all. Something like
  # `log stdout format raw local0` here plus `option httplog` in defaults is
  # the minimum for incident investigation.
  # NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers, so the
  # TLS floor on the :443 bind is whatever the linked OpenSSL defaults to;
  # `ssl-default-bind-options ssl-min-ver TLSv1.2` pins it explicitly.
  # Lua forward-auth helper (auth-request.lua) used by fe_https. The first line
  # prepends a literal file, not a "?.lua" template; Lua substitutes "?" only
  # if present, so every require() would resolve to this one file. It works for
  # the single require("http") dependency, but the conventional form is
  # `lua-prepend-path /usr/local/etc/haproxy/?.lua`.
  lua-prepend-path /usr/local/etc/haproxy/http.lua
  lua-load /usr/local/etc/haproxy/auth-request.lua

defaults unnamed_defaults_1
  mode http
  maxconn 4000
  # Inherits the global log target - but the global section in this file
  # declares none, so this is currently a no-op.
  log global
  # APPENDS the client address to X-Forwarded-For; a client-supplied
  # X-Forwarded-For survives in front of it. Backends must read the last
  # value, or use X-Real-IP, which fe_https sets (overwrites) rather than adds.
  option forwardfor
  option tcp-smart-accept
  # Complete request headers must arrive within 10s (slow-request protection).
  timeout http-request 10s
  timeout check 10s
  timeout connect 10s
  timeout client 1m
  timeout queue 1m
  timeout server 1m
  timeout http-keep-alive 10s
  # Connection attempts are retried; this matters for the no-check
  # server-template backends below, where a dead container is only noticed here.
  retries 3
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http

resolvers docker
  # Docker's embedded DNS (only reachable from inside the container network);
  # used by the server-template entries so container IPs follow redeploys.
  nameserver ns1 127.0.0.11:53
  hold nx 30s
  hold obsolete 30s
  hold other 30s
  hold refused 30s
  hold timeout 30s
  # A resolved address is trusted for 10s, then re-queried.
  hold valid 10s
  timeout resolve 2s
  timeout retry 2s
  accepted_payload_size 8192
  resolve_retries 5

frontend fe_http from unnamed_defaults_1
  mode http
  bind :80
  # Only ACME challenges are served over plain HTTP. Note the whole
  # /.well-known prefix is forwarded, not just /.well-known/acme-challenge/.
  acl letsencrypt-acl path_beg /.well-known
  use_backend letsencrypt_backend if letsencrypt-acl
  # Everything else on :80 is answered with a 502 by error_backend rather than
  # being redirected to HTTPS. If that is not deliberate,
  # `http-request redirect scheme https code 301 unless letsencrypt-acl`
  # keeps browsers (and any cookies) off the cleartext port.
  default_backend error_backend

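frontend fe_https from unnamed_defaults_1
  mode http
  # TLS termination; every certificate file in the directory is loaded.
  # NOTE(review): no ssl-min-ver/ciphers here or in global, so the TLS floor is
  # the build's OpenSSL default, and no Strict-Transport-Security is sent.
  bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
  acl letsencrypt-acl path_beg /.well-known
  # Hosts that must pass the authentik forward-auth check.
  # NOTE(review): the pattern is anchored only at the start, the dots are
  # unescaped and (?i) duplicates -i. It therefore also matches e.g.
  # "minc.demo2.tanmoysrt.xyz.attacker"; that errs on the safe side because the
  # use_backend rules below do exact Host matches, but anchor with `$` and
  # escape the dots before adding more hosts. "example.com" looks like a
  # template leftover - confirm it is wanted.
  acl protected-frontends hdr(Host) -m reg -i ^(?i)(example.com|minc.demo2.tanmoysrt.xyz)
  # Requests for the outpost itself (start/callback endpoints) must bypass the
  # auth check, otherwise the login flow could never be reached.
  acl is_authentikoutpost path -m reg ^/outpost.goauthentik.io/
  # This frontend only binds with ssl, so req.scheme is always "https"; the
  # !ssl_fc branch is kept for symmetry with non-TLS listeners.
  http-request set-var(req.scheme) str(https) if { ssl_fc }
  http-request set-var(req.scheme) str(http) if !{ ssl_fc }
  http-request set-var(req.questionmark) str(?) if { query -m found }
  # set-header (not add-header): any client-supplied value of these headers is
  # overwritten, so backends can trust them. X-Forwarded-For itself is only
  # appended to by "option forwardfor" in defaults.
  http-request set-header X-Real-IP %[src]
  http-request set-header X-Forwarded-Method %[method]
  http-request set-header X-Forwarded-Proto %[var(req.scheme)]
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  # NOTE(review): "url" is the path(+query) for a normal request line but the
  # full absolute URI if a client sends a proxy-style request-target. The value
  # is echoed into rd= below, so the outpost must treat rd as a same-host
  # target only - confirm for the outpost version in use.
  http-request set-header X-Original-URL %[url]
  # Forward-auth subrequest to the authentik outpost (HEAD /auth/nginx) on the
  # be_authelia_9091 backend. The listed request headers (including the session
  # cookie) are forwarded; on success the x-authentik-* identity headers from
  # the auth response are copied into the request for the application. The
  # action exposes txn.auth_response_successful / _code / _location.
  http-request lua.auth-intercept be_authelia_9091 /outpost.goauthentik.io/auth/nginx HEAD x-original-url,x-real-ip,x-forwarded-host,x-forwarded-proto,user-agent,cookie,accept,x-forwarded-method x-authentik-username,x-authentik-uid,x-authentik-email,x-authentik-name,x-authentik-groups - if protected-frontends !is_authentikoutpost
  # 401 from the outpost: not logged in, send the browser to the login flow.
  # NOTE(review): the original URL is inserted raw; an "&" inside it is read by
  # the outpost as a separate query parameter and the rest of rd is lost.
  # `%[hdr(X-Original-URL),url_enc]` preserves it on versions that have url_enc.
  http-request redirect location /outpost.goauthentik.io/start?rd=%[hdr(X-Original-URL)] code 302 if protected-frontends !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 401 } !is_authentikoutpost
  # 403 from the outpost: authenticated but not authorised for this host.
  http-request deny if protected-frontends !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 403 } !is_authentikoutpost
  # Any other unsuccessful answer that carried a Location header (e.g. a 302).
  http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool } !is_authentikoutpost
  # Fail closed. Without this line, an unsuccessful check whose code is neither
  # 401 nor 403 and whose Location is empty (presumably the case when the
  # outpost backend is down or times out) depends on how the redirect above
  # treats an empty location; on a version that skips the rule the request
  # would continue to the protected application backend unauthenticated.
  http-request deny deny_status 503 if protected-frontends !{ var(txn.auth_response_successful) -m bool } !is_authentikoutpost
  use_backend be_authelia_9091 if protected-frontends is_authentikoutpost
  use_backend letsencrypt_backend if letsencrypt-acl
  # Exact, case-insensitive Host routing. A Host with a port suffix or extra
  # label matches none of these and lands in error_backend (502).
  use_backend be_minc_3000 if { hdr(host) -i minc.demo2.tanmoysrt.xyz }
  use_backend be_authelia_9091 if { hdr(host) -i authelia.demo2.tanmoysrt.xyz }
  # NOTE(review): uptime.demo2.tanmoysrt.xyz is routed but is not in
  # protected-frontends, so it is reachable without the authentik check.
  # Confirm this is intended (fine if the application has its own login).
  use_backend be_uptime-kuma_3001 if { hdr(host) -i uptime.demo2.tanmoysrt.xyz }
  default_backend error_backend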

backend be_authelia_9091 from unnamed_defaults_1
  # authentik outpost (the name says "authelia", but every path routed here is
  # /outpost.goauthentik.io/..., see fe_https). It serves both the forward-auth
  # subrequest and the user-facing outpost/login traffic.
  balance roundrobin
  # NOTE(review): plaintext HTTP to a public (non-private) address on port
  # 9000. The auth subrequest carries the user's session cookie and the login
  # flow may carry credentials; unless this hop is on a private network or
  # tunnel, add `ssl verify required ca-file ...` as done for
  # swiftwave_service_https. No health check is configured either, so an
  # outage of the outpost is only seen as failed connections at request time.
  server oidc_http "167.235.59.0:9000"

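backend be_minc_3000 from unnamed_defaults_1
  balance roundrobin
  # Pass a Set-Cookie returned by the forward-auth subrequest (stored in a req.*
  # variable by the Lua action in fe_https) on to the client, e.g. a refreshed
  # outpost session. add-header, not set-header: set-header would replace any
  # Set-Cookie the application itself emits in the same response (its own
  # session cookie, for instance), silently breaking the application's login.
  # Multiple Set-Cookie headers in one response are valid HTTP.
  http-response add-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
  # Address comes from Docker's embedded DNS at runtime (init-addr none: no
  # address at startup). No health check, so a vanished container is only
  # noticed through failed connections and the "retries" in defaults.
  server-template minc_container- 1 minc:3000 no-check init-addr none resolvers docker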

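backend be_uptime-kuma_3001 from unnamed_defaults_1
  balance roundrobin
  # Pass a Set-Cookie returned by the forward-auth subrequest (stored in a req.*
  # variable by the Lua action in fe_https) on to the client. add-header, not
  # set-header: set-header would replace any Set-Cookie the application itself
  # emits in the same response and break its own login. Note this host is not
  # in protected-frontends, so the variable is normally unset here and the
  # condition keeps the rule inert.
  http-response add-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
  # Address comes from Docker's embedded DNS at runtime (init-addr none: no
  # address at startup). No health check, so a vanished container is only
  # noticed through failed connections and the "retries" in defaults.
  server-template uptime-kuma_container- 1 uptime-kuma:3001 no-check init-addr none resolvers docker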

backend error_backend from unnamed_defaults_1
  mode http
  # Catch-all for unknown Host values: every request is denied with a 502
  # (body from the errorfile declared in defaults). No server is needed
  # because nothing is ever forwarded.
  http-request deny deny_status 502
  # NOTE(review): http-response rules are not evaluated for responses HAProxy
  # generates itself (deny/errorfile) - only http-after-response rules are -
  # so this line appears to be a no-op here. Harmless, but it can be dropped.
  http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }

backend letsencrypt_backend from unnamed_defaults_1
  # /.well-known traffic is proxied to the Swiftwave service; its address and
  # endpoint come from environment variables expanded when the config loads.
  option httpchk
  http-check send meth GET uri /healthcheck hdr Host "$SWIFTWAVE_SERVICE_ADDRESS"
  http-check expect status 200
  # Rewrite Host so the service sees its own name instead of the ACME domain.
  http-request set-header Host "$SWIFTWAVE_SERVICE_ADDRESS"
  # Two servers target the SAME endpoint: one over TLS with full certificate
  # and SNI verification against the system CA bundle, one over plain HTTP.
  # The health checks decide which of the two is usable (presumably the
  # endpoint speaks only one). Traffic through the plain server is
  # unencrypted; acceptable for public ACME http-01 content, but keep in mind
  # the rewritten Host and any forwarded headers travel in clear on that path.
  server swiftwave_service_https "$SWIFTWAVE_SERVICE_ENDPOINT" check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check-sni "$SWIFTWAVE_SERVICE_ADDRESS" sni str("$SWIFTWAVE_SERVICE_ADDRESS")
  server swiftwave_service_http "$SWIFTWAVE_SERVICE_ENDPOINT" check

program api
  # dataplaneapi sidecar started by the master process; it rewrites this file
  # (see the header) and drives HAProxy through the admin stats socket.
  # NOTE(review): no user/group is given for this program, so it presumably
  # runs with the master's privileges (root if HAProxy was started as root).
  # Check whether the wrapper really needs that; it does need write access to
  # this config and to the socket, nothing more is visible here.
  command /dataplaneapi.sh
  # Keep the existing API process across worker reloads instead of respawning it.
  no option start-on-reload
