vhost: Support proxy forward auth

2025-07-13 19:03:02 +03:00
parent 83569c59ee
commit c0753aeaa2
4 changed files with 81 additions and 0 deletions
--- a/roles/vhost/meta/argument_specs.yaml
+++ b/roles/vhost/meta/argument_specs.yaml
@@ -119,6 +119,27 @@ argument_specs:
        type: bool
        required: false
        default: true
+      vhost_proxy_auth_socket:
+        description: >-
+          Unix socket path to forward requests to for auhtentication, before
+          proxying them
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_uri:
+        description: >-
+          The authentication endpoint of the auth host. Required if
+          proxy_auth_socket is defined. Does nothing otherwise.
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_unauthorized_redir:
+        description: >-
+          Where to redirect requests if authentication service returns 401
+          unathorized. If not set, returns responses as is.
+        type: str
+        required: false
+        default: ""

      vhost_redirect_target:
        description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -282,6 +303,27 @@ argument_specs:
            type: bool
            required: false
            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"

          redirect_target:
            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -422,6 +464,27 @@ argument_specs:
            type: bool
            required: false
            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"

          redirect_target:
            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"