HAProxy Integration

HAProxy (High Availability Proxy) is a popular open source, fast, and reliable solution providing load balancer and reverse proxy features for TCP- and HTTP-based applications, capable of handling heavy traffic loads and rerouting requests seamlessly across multiple workloads (e.g. web, application, database).

HAProxy is highly extensible thanks to Lua scripting support. For that reason, vanilla HAProxy does not implement any means of external authorization support and requires custom Lua code to achieve integration with heimdall.

The HAProxy Ingress Controller, however, has the required integration options in place. Delegating authentication and authorization to heimdall operated in Decision Mode is therefore easily possible using the Ingress rule annotations shown below. Alternatively, the HAProxy Ingress Controller can be configured globally to perform this delegation to heimdall. With that global configuration you can implement secure defaults for all your workloads.

If heimdall answers with a 2XX code, HAProxy grants access and forwards the original request to the upstream service. Otherwise, the response from heimdall is returned to the client.

This integration requires proper configuration of trusted_proxies.

Example 1. Ingress annotations
haproxy-ingress.github.io/auth-url: "https://<heimdall service name>.<namespace>.svc.cluster.local:<decision port>" (1)
haproxy-ingress.github.io/auth-headers-succeed: "authorization" (2)
haproxy-ingress.github.io/headers: | (3)
  X-Forwarded-Uri: %[baseq]
  X-Forwarded-Method: %[method]
  X-Forwarded-Host: %[req.hdr(host)]
(1) Configures the controller to use heimdall's decision service endpoint, with <heimdall service name>, <namespace> and <decision port> depending on your configuration.
(2) Lets HAProxy forward the Authorization header set by heimdall to the upstream service upon a successful response. This configuration depends on your Contextualizers and Finalizers configuration.
There is currently a limitation in the HAProxy Ingress Controller regarding case-insensitivity for headers. Since heimdall returns the header in lower case, it is important to set the names of the headers to be forwarded in lower case as well.
(3) Configures the headers required to pass information about the used HTTP scheme, host and port, request path and query parameters to heimdall. X-Forwarded-Proto is not used, as it is already set by HAProxy by default.
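
The annotation set above has a few failure modes that are easy to miss in review: a missing auth-url, a mixed-case name in auth-headers-succeed, or an X-Forwarded-* header left out of the headers block. The following lint for a CI step is an added example, not code from heimdall or the HAProxy Ingress Controller; the function names and sample values are constructed, and it assumes auth-headers-succeed holds a comma-separated list of header names.

```python
PREFIX = "haproxy-ingress.github.io/"
REQUIRED_FORWARDED = ("x-forwarded-uri", "x-forwarded-method", "x-forwarded-host")


def parse_headers_block(block):
    """Parse the multi-line 'Name: value' text of the headers annotation."""
    headers = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            # HTTP header names are case-insensitive, so normalise for lookup.
            headers[name.strip().lower()] = value.strip()
    return headers


def lint_annotations(annotations):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if not annotations.get(PREFIX + "auth-url", "").strip():
        findings.append("auth-url is missing: requests are not delegated to heimdall")
    # heimdall returns header names in lower case, and the controller's
    # case-handling limitation means the configured names must match that.
    succeed = annotations.get(PREFIX + "auth-headers-succeed", "")
    for name in (n.strip() for n in succeed.split(",")):
        if name and name != name.lower():
            findings.append(f"auth-headers-succeed: '{name}' must be lower case")
    forwarded = parse_headers_block(annotations.get(PREFIX + "headers", ""))
    for required in REQUIRED_FORWARDED:
        if required not in forwarded:
            findings.append(f"headers: {required} is not set")
    return findings


# Constructed sample input (service name, namespace and port are placeholders).
GOOD = {
    PREFIX + "auth-url": "https://heimdall.example-ns.svc.cluster.local:4456",
    PREFIX + "auth-headers-succeed": "authorization",
    PREFIX + "headers": "X-Forwarded-Uri: %[baseq]\n"
                        "X-Forwarded-Method: %[method]\n"
                        "X-Forwarded-Host: %[req.hdr(host)]\n",
}
# Constructed misconfiguration: mixed-case header name, missing method header.
BAD = {
    **GOOD,
    PREFIX + "auth-headers-succeed": "Authorization",
    PREFIX + "headers": "X-Forwarded-Uri: %[baseq]\nX-Forwarded-Host: %[req.hdr(host)]\n",
}

if __name__ == "__main__":
    for finding in lint_annotations(BAD):
        print(finding)
```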

Check out the examples on GitHub for a working demo.

Last updated on Nov 14, 2023