HAProxy community

GDPR Solution for looking up login id country code


#1

I have a requirement to use backend servers in remote countries if the user’s home country preference is set to that country.

Right now when a user logs in, I query a haproxy map for their login id and return the two letter country code.

Then their authentication request is directed to that remote region, or local depending on the country code.

This is working.

But I need to come up with some logic for syncing the haproxy map with a global source of truth redis table.

I know I can use socat to add / remove entries to the haproxy map.

But I would like to implement something in haproxy that queries the haproxy map, and if the login id is not found it considers it a cache miss and goes to lua to query the global source of truth redis table. If the user is found there, lua then updates the local haproxy map and also updates the proper variable with the country code to pass the user's authentication request to the proper country.

Has anyone done anything like this? I am looking for lua examples of how to first connect to Redis, and make queries, then update the local haproxy map.

Thanks
Zach


#2

This seems extremely complicated to me for what you would like to achieve. Why not simply have your backend set a country cookie instead of maintaining a map with a login id -> country mapping?


#3

Yes after talking more with the team today this is what we decided to go with.
Still need to find some lua example code to query Redis externally for initial connect before cookie is set, and any subsequent requests where the user has removed cookies.


#4

To be honest, I would cover that case with some local geo-IP based matching in haproxy. Then you would honor a country cookie for clients that set the country and use the geolocation of the IP address otherwise.

I can’t help you with lua->redis, although it would certainly be an interesting use-case.

Another “shortcut” that comes to mind is that instead of implementing it using redis in Lua, have your backend provide an HTTP endpoint that makes that redis call, and your Lua code would simply talk to that HTTP endpoint, without needing redis support in Lua.


#5

Tim Düsterhus sent the following information regarding Redis in Lua, which he asked me to relay:

From my experience using Redis with Lua is easier than using HTTP with
Lua. The Redis protocol is way simpler and there is a library that is
compatible with haproxy.

Details are outlined in a blog post of mine:
https://bl.duesterhus.eu/20180511/

I use Thierry’s connection pool for Redis in there:
https://blog.arpalert.org/2018/02/haproxy-lua-redis-connection-pool.html

Hope this helps,
lukas
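
The cache-miss lookup asked about in this thread, as an added example (not code from the posters or from the linked blog posts). It speaks RESP directly over HAProxy's `core.tcp()` socket instead of using the Redis library Tim mentions; the Redis address, the `country:` key prefix, the map path and the variables `txn.login_id` / `txn.country` are assumptions.

```lua
-- Added example, loaded with lua-load. Assumptions: unauthenticated Redis on
-- localhost, keys "country:<login>", and txn.login_id set earlier in the config.
local REDIS_ADDR, REDIS_PORT = "127.0.0.1", 6379   -- assumption
local MAP_FILE = "/etc/haproxy/login_country.map"  -- assumption: the map the frontend uses

-- Encode a command as a RESP array of bulk strings. Every argument is
-- length-prefixed, so CR/LF or spaces in a login id cannot start a second command.
local function resp_encode(...)
  local out = { "*" .. select("#", ...) .. "\r\n" }
  for _, a in ipairs({...}) do
    out[#out + 1] = "$" .. #a .. "\r\n" .. a .. "\r\n"
  end
  return table.concat(out)
end

-- Read one bulk-string reply. Returns nil for "$-1" (no such key), errors, or oversize values.
local function resp_read_bulk(sock)
  local header = sock:receive("*l")
  if not header then return nil end
  local len = tonumber(header:match("^%$(%-?%d+)"))
  if not len or len < 0 or len > 16 then return nil end
  local body = sock:receive(len + 2)  -- payload plus trailing CRLF
  return body and body:sub(1, len) or nil
end

-- Intended to run only when the map lookup in the config found nothing.
local function lookup_country(txn)
  local login = txn:get_var("txn.login_id")
  -- Allow-list the client-supplied identifier before it reaches Redis or the map.
  if type(login) ~= "string" or #login > 128 or not login:match("^[%w%._@%-]+$") then
    return
  end
  local sock, country = core.tcp(), nil
  sock:settimeout(1)
  if sock:connect(REDIS_ADDR, REDIS_PORT) and sock:send(resp_encode("GET", "country:" .. login)) then
    country = resp_read_bulk(sock)
  end
  sock:close()
  -- Only a two-letter code may be cached in the map or influence routing.
  if country and country:match("^%a%a$") then
    country = country:lower()
    core.add_map(MAP_FILE, login, country)
    txn:set_var("txn.country", country)
  end
end

core.register_action("lookup_country", { "http-req" }, lookup_country)
```

The action is invoked from the configuration as `http-request lua.lookup_country`, guarded by a condition that the map lookup returned nothing. When Redis is unreachable or returns anything other than a two-letter code, `txn.country` stays unset and the request follows the default routing.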