Deny status 401

[lastlegion]

How to return 401s to the client on auth failure.

frontend http
	# *snip*
	
	http-request deny if ! { var(txn.auth_response_successful) -m bool }

will return 403.

we can use

frontend http
	# *snip*
	
	http-request auth if ! { var(txn.auth_response_successful) -m bool }

But it'll return 401 with basic auth instead of bearer token. Do you have any workaround for this?

[TimWolla]

http-request deny deny_status 401 should send a HTTP 401 response code. Ganesh Iyer <notifications@github.com> schrieb am Fr., 22. Nov. 2019, 20:49:

…

How to return 401s to the client on auth failure. frontend http # *snip* http-request deny if ! { var(txn.auth_response_successful) -m bool } will return 403. we can use frontend http # *snip* http-request auth if ! { var(txn.auth_response_successful) -m bool } But it'll return 401 with basic auth instead of bearer token. Do you have any workaround for this? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#11?email_source=notifications&email_token=AABTC5WR2E2LG32JXFD3EGDQVAZTZA5CNFSM4JQVHIO2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4H3PHR5A>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABTC5QGGIRG4THBT6CAEJLQVAZTZANCNFSM4JQVHIOQ> .

[lastlegion]

Hi @TimWolla, thanks for responding. For deny_status the list of permitted status codes is limited to those that can be overridden by the "errorfile" directive. 401 is not in the "errorfile" directive. https://cbonte.github.io/haproxy-dconv/1.7/configuration.html

[TimWolla]

@lastlegion Yes, I'm aware of that limitation, but I incorrectly assumed that 401 would be on that list.

As you need to have Lua anyway in order to run this script I guess the best solution for your use case is to add a Lua "service" to generate the correct response. An example can be found on this blog post: https://www.haproxy.com/de/blog/5-ways-to-extend-haproxy-with-lua/

[lastlegion]

Hi @TimWolla, thanks for the suggestion! That looks like it'll work. Great job with the library.