It is not quite a bug, rather a request
The requests made by the Lua script are GET requests by default.
In order to enhance security we are not allowing such requests to our authentication backends and therefore had to make a small fix in the Lua script:

```lua
local b, c, h = http.request {
    url = "http://" .. addr .. path,
    method = 'POST',
    headers = headers,
    create = create_sock,
    -- Disable redirects, because DNS does not work here.
    redirect = false
}
```
Should the script get the method as a parameter with a default value of GET?
Anyways, a clarification in the README file will be great, spent some time debugging my code and haproxy.cfg before noticing the request method
Thanks
> Should the script get the method as a parameter with a default value of GET?

Yes, for several reasons:
- It's what nginx does, which is the inspiration for this script.
- The authentication request is semantically a GET request (“GET the authentication information for the given request”). Specifically, a GET request is defined to not modify state, which is a desirable property for this kind of sub request.
- The authentication request is unable to pass the body to the upstream server, requiring that the decision is made based on the headers alone. While POST requests without a body are equivalent to POST requests with an empty body, which are perfectly valid, they are somewhat unusual.

> In order to enhance security we are not allowing such requests to our authentication backends

I'm curious: Why would a simple change of the verb improve the security? Specifically for this use case?

> Anyways, a clarification in the README file will be great, spent some time debugging my code and haproxy.cfg before noticing the request method

Sure, do you have specific suggestions where to put it? A pull request would be appreciated. If you don't want to create one I can make the necessary adjustments as well.
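
One way the method could become a parameter with a default of GET, as asked in this thread. This is an added example, not code from the project: `build_auth_request` and `ALLOWED_METHODS` are hypothetical names, the allowlist contents are an assumption, and the address and path are constructed sample values.

```lua
-- Added example, not the project's code.
-- Hypothetical names: ALLOWED_METHODS, build_auth_request.

-- Assumed allowlist: only verbs the auth backend is expected to accept.
-- The method ends up in the request line, so free-form values are rejected.
local ALLOWED_METHODS = { GET = true, HEAD = true, POST = true }

-- Builds the table passed to http.request for the auth sub request.
-- `method` is optional and defaults to GET, matching the current behaviour.
local function build_auth_request(addr, path, headers, create_sock, method)
    method = string.upper(tostring(method or "GET"))
    if not ALLOWED_METHODS[method] then
        error("unsupported auth-request method: " .. method, 2)
    end
    return {
        url = "http://" .. addr .. path,
        method = method,
        headers = headers,
        create = create_sock,
        -- Disable redirects, because DNS does not work here.
        redirect = false
    }
end

-- Constructed sample values, used only to show the behaviour.
local default_req = build_auth_request("127.0.0.1:8080", "/auth", {}, nil)
assert(default_req.method == "GET")         -- no method given: GET

local post_req = build_auth_request("127.0.0.1:8080", "/auth", {}, nil, "post")
assert(post_req.method == "POST")           -- case is normalised

-- A verb outside the allowlist fails loudly instead of reaching the backend.
local ok = pcall(build_auth_request, "127.0.0.1:8080", "/auth", {}, nil, "TRACE")
assert(not ok)
```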