resources/haproxy/haproxy.cfg

global
    log 127.0.0.1 local0
    # log 127.0.0.1 local1 notice
    user root
    group root
    daemon
    maxconn 20000

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend haproxynode
    bind *:9080
    mode http

    # Domains to protect
    acl acl_public hdr_beg(host) -i public.example.com
    acl acl_app1 hdr_beg(host) -i app1.example.com

    acl acl_app2 hdr_beg(host) -i app2.example.com
    http-request set-var(req.oidc_client_id) str(app2-client) if acl_app2
    http-request set-var(req.oidc_client_secret) str(app2-secret) if acl_app2
    http-request set-var(req.oidc_redirect_url) str(http://app2.example.com:9080/oauth2/callback) if acl_app2

    acl acl_app3 hdr_beg(host) -i app3.example.com
    http-request set-var(req.oidc_client_id) str(app3-client) if acl_app3
    http-request set-var(req.oidc_client_secret) str(app3-secret) if acl_app3
    http-request set-var(req.oidc_redirect_url) str(http://app3.example.com:9080/oauth2/callback) if acl_app3
    ## Request extra OpenID token claims, space separated
    ## The extra claims will be set as variables with keys: "token_claim_" + {{ claim name }},
    ## where '.' and '-' are replaced with '_'.
    ## Nested claims are supported.
    http-request set-var(req.oidc_token_claims) str("name roles org-groups resource_access.servicename.roles") if acl_app3

    acl oauth2callback path_beg /oauth2/callback
    acl oauth2logout path_beg /oauth2/logout

    acl dex_domain hdr_beg(host) -i dex.example.com
    # define the spoe agent
    http-request send-spoe-group spoe-auth try-auth-all
    filter spoe engine spoe-auth config /usr/local/etc/haproxy/spoe-auth.conf

    # map the spoe response to acl variables
    acl authenticated var(sess.auth.is_authenticated) -m bool
    acl auth_error var(sess.auth.has_error) -m bool

    use_backend backend_dex if dex_domain
    use_backend backend_oauth2 if oauth2callback || oauth2logout

    use_backend backend_error if auth_error

    # app1 returns 401 when it's not authenticated
    use_backend backend_unauthorized if acl_app1 ! authenticated
    use_backend backend_app if acl_app1 authenticated

    # app2 redirects the user to the OAuth2 server when not authenticated
    use_backend backend_redirect if acl_app2 ! authenticated
    use_backend backend_app if acl_app2 authenticated

    # Set headers based on OpenID token claims
    http-request set-header X-OIDC-Username %[var(sess.auth.token_claim_name)] if acl_app3 authenticated
    http-request set-header X-OIDC-Roles %[var(sess.auth.token_claim_roles)] if acl_app3 authenticated
    http-request set-header X-OIDC-Groups %[var(sess.auth.token_claim_org_groups)] if acl_app3 authenticated
    http-request set-header X-OIDC-Resource-Access %[var(sess.auth.token_claim_resource_access_servicename_roles)] if acl_app3 authenticated

    # app3 redirects the user to the OAuth2 server when not authenticated
    use_backend backend_redirect if acl_app3 ! authenticated
    use_backend backend_app if acl_app3 authenticated

    # otherwise, simply serve the public domain
    default_backend backend_public

# Public page
backend backend_public
    mode http
    balance roundrobin
    server node-unprotected-app unprotected-backend:80 check

# Page supposed to be protected
backend backend_app
    mode http
    balance roundrobin
    http-request add-header X-Authorized-User %[var(sess.auth.authenticated_user)]

    server node-protected-app protected-backend:80 check

# Serve dex application
backend backend_dex
    mode http
    balance roundrobin
    option tcp-check

    server node-dex-app dex:5556 check

# Page the user is redirected to when unauthorized
backend backend_unauthorized
    mode http
    balance roundrobin
    http-response set-status 401
    http-response add-header WWW-Authenticate 'Basic realm="Access the webapp"'

    server node-noauth unauthorized-backend:80 check

# Return an internal error
backend backend_error
    mode http
    balance roundrobin
    http-response set-status 500

# Page the user is redirected to when unauthorized
backend backend_redirect
    mode http
    balance roundrobin
    http-request redirect location %[var(sess.auth.redirect_url)]

# Backend bridging with the SPOE agent
backend backend_spoe-agent
    mode tcp
    balance roundrobin
    option tcp-check

    timeout connect 5s
    timeout server  3m

    server node-auth spoe:8081 check

backend backend_oauth2
    mode http
    balance roundrobin
    option tcp-check

    timeout connect 5s
    timeout server  3m

    server node-auth spoe:5000 check