39 lines
1.3 KiB
Nix
39 lines
1.3 KiB
Nix
|
# HAProxy routing stubs for Kanidm.
|
||
|
|
# These are ADDITIVE fragments — merge into your main haproxy config.
|
||
|
|
# Assumes:
|
||
|
|
# - HAProxy terminates TLS using the acme-nayeonie.com certificate
|
||
|
|
# - Kanidm HTTPS listens on [::1]:8443
|
||
|
|
# - Kanidm LDAP compat listens on [::1]:3890
|
||
|
|
# - ACL-based routing by SNI / Host header
|
||
|
|
#
|
||
|
|
# In your main frontend (or add a dedicated one):
|
||
|
|
#
|
||
|
|
# acl host_kanidm hdr(host) -i auth.nayeonie.com # internal/admin only
|
||
|
|
#
|
||
|
|
# use_backend kanidm if host_kanidm
|
||
|
|
#
|
||
|
|
# --- Kanidm backend ---
|
||
|
|
#
|
||
|
|
# backend kanidm
|
||
|
|
# mode http
|
||
|
|
# option forwardfor
|
||
|
|
# http-request set-header X-Forwarded-Proto https
|
||
|
|
# http-request set-header X-Forwarded-Host %[req.hdr(host)]
|
||
|
|
# acl internal src 192.168.76.0/24 192.168.191.0/24
|
||
|
|
# http-request deny unless internal
|
||
|
|
# server kanidm [::1]:8443 ssl verify none check
|
||
|
|
#
|
||
|
|
# --- Forward-auth pattern for protecting other backends with Kanidm ---
|
||
|
|
#
|
||
|
|
# To protect an existing backend with Kanidm OIDC, add oauth2-proxy.
|
||
|
|
# The simplest
|
||
|
|
# path for HAProxy is:
|
||
|
|
#
|
||
|
|
# 1. Deploy oauth2-proxy (services.oauth2-proxy) configured against
|
||
|
|
# Kanidm as OIDC provider (issuer https://auth.nayeonie.com).
|
||
|
|
# 2. In HAProxy frontend, redirect unauthenticated requests to
|
||
|
|
# oauth2-proxy before forwarding to the real backend.
|
||
|
|
#
|
||
|
|
# This is left as a follow-up — get Kanidm running first.
|
||
|
|
{ ... }: { }
|