Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAProxy crashes when ACLing http_auth_group() and others

    Scheduled Pinned Locked Moved
    Cache/Proxy
    1
    1
    51
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jarrodsfarrell
      last edited by

      Setting up something for a game and encountered a crash when trying to do anything with trying to determine which user is connecting. Initially I tried acl isGuest http_auth_user guest then trying with http_auth_group out of desperation hence the weird redundancy I'm doing in the following configuration file.

      The server (or rather the server the mod serves on a game) I'm working against expects a basic Authorization header, but doesn't actually have any meaningful access control as it's primarily to identify who connected. So I'm using haproxy to bolt on proper(-ish) authentication then rewriting the Authorization header to force a specific user on the server based on which user connected.

      haproxy is able to rewrite the Authorization header just fine to force everyone to connect as a specific user without prompting, but whenever http_auth_group() or http_auth_user is involved haproxy crashes immediately whenever the client sends a Authorization with a valid user and password (after being prompted by the browser) with a signal 11 against haproxy. Using Wireshark, the backend receives nothing from the firewall where haproxy is running so it happens before haproxy even initiates a connection to the backend .

      I've also tried updating haproxy from 2.9.10 to devel aka 2.9.d11, but still encountered crashing.

      So here's the terse config file. The full config file is here.

      global
  userlist RemoteDispatch
    user guest
    user dispatcher insecure-password XXXX
    user remote insecure-password XXXX
    group guest users guest
    group dispatcher users dispatcher
    group remote users remote

frontend DVRemoteDispatch
  mode                    http
  option                  http-keep-alive
  option                  forwardfor
  http-request auth unless { http_auth(RemoteDispatch) }
  acl                     isGuest       http_auth_group(RemoteDispatch) guest
  acl                     isDispatcher  http_auth_group(RemoteDispatch) dispatcher
  acl                     isRemote      http_auth_group(RemoteDispatch) remote
  http-request set-header Authorization "Basic XXXX"  if  isGuest
  http-request set-header Authorization "Basic XXXX"  if  isDispatcher
  http-request set-header Authorization "Basic XXXX"  if  isRemote
  default_backend         DVRemoteDispatch_ipvANY

backend DVRemoteDispatch_ipvANY
  mode                    http
  http-check expect status 401
  server                  XXXX XXXX:7245
      1 Reply Last reply Reply Quote 0
      • First post
        Last post