27

I've successfully setup HAProxy in front of an HTTP server which I have no control over.

Is it possible to configure HAProxy to add Simple HTTP Authentication to all sites, bearing in mind I can't configure this on the backend?

Thanks,

Lars

Coops
6,1941 gold badge36 silver badges55 bronze badges
asked Feb 24, 2011 at 14:31

3 Answers 3

40

I had to do this today myself (because IIS 7.5 bizarrely doesn't actually support authenticating against anything but Windows user accounts or AD!)...

Here's all the code

userlist UsersFor_AcmeCorp
 user joebloggs insecure-password letmein
backend HttpServers
 .. normal backend stuff goes here as usual ..
 acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
 http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp

I documented it a bit better here: http://nbevans.wordpress.com/2011/03/03/cultural-learnings-of-ha-proxy-for-make-benefit/

answered Mar 3, 2011 at 20:37
2
  • 3
    +1 Just wanted to add that you can also add the final lines in a frontend definition rather than backend if you want. And the realm xxxx part is optional. Commented May 1, 2013 at 8:52
  • 1
    I implemented this but what happens is that on every subsequent api calls I get the popup asking for authentication.This makes it unusable. Is there anyway where it is asked once then cached for the rest of the calls ? That would be very helpful.
    shshnk
    Commented Sep 19, 2017 at 12:25
2

I think this is actually possible, but right now I can only find an example to get you halfway...

http://haproxy.1wt.eu/download/1.4/doc/configuration.txt is your bible.

Check out section 3.4 (Userlists)

It starts:

It is possible to control access to frontend/backend/listen sections or to http stats by allowing only authenticated and authorized users. To do this, it is required to create at least one userlist and to define users.

That section explains how to set up a userlist. The example in that section's quite exhaustive so copy that if you need to.

Next, need to figure out how to apply it... I think the answer lies in section 7.5.3 (Matching at Layer 7)

I think it might be as simple as using the following in an acl:

http_auth(userlist)
http_auth_group(userlist) <group> [<group>]*
 Returns true when authentication data received from the client matches
 username & password stored on the userlist. It is also possible to
 use http_auth_group to check if the user is assigned to at least one
 of specified groups.

Again, I haven't tested it, but that's what I read the documentation as suggesting is possible.

I hope that's enough to get you started?

answered Feb 24, 2011 at 16:47
4
  • Good shout, i guess i'm just used to it now!
    Pricey
    Commented Feb 25, 2011 at 0:23
  • Although looking at it again, it doesn't seem to have been updated in months... I haven't checked for specific changes between that and the wall of text but assume there is some.
    Pricey
    Commented Feb 25, 2011 at 9:19
  • 1
    That 'better' bible link is 404'ing. Even better would be this haproxy.org/#docs . There you find HTML/text manual goodies. Commented Aug 12, 2014 at 9:25
  • Links for getting at the manuals: cbonte.github.io/haproxy-dconv.
    slm
    Commented Aug 22, 2016 at 15:32
1

If you're looking to do this for the purposes of authenticating an

option httpchk

config, this simpler solution works: https://stackoverflow.com/questions/13325882/haproxy-solr-healthcheck-with-authentication

answered Mar 27, 2013 at 21:30
1
  • 1
    Welcome to Server Fault! While this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. Commented Mar 27, 2013 at 21:56

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.