Netgate Discussion Forum

[HAProxy] HTTP Basic Auth

    pfs_ch
    last edited by Apr 22, 2018, 9:59 AM

    Hello

    I have multiple sites running behind HAProxy, which acts as a proxy for us: HTTPS up to HAProxy and then normal HTTP in the backend to the DMZ. Everything is working fine.
    Now I want to secure one dedicated frontend/backend with HTTP Basic Auth.

    I found something here in the forum, but it wasn't working. It never accepts the username and password; it always re-prompts the auth dialog.
    https://forum.pfsense.org/index.php?topic=111933.0, https://forum.pfsense.org/index.php?topic=89484.0

    As written in the post, I've added the first part to the field "Custom options" in the section "Global Advanced pass thru" on the "Settings" tab:

    
    userlist UsersFor_AcmeCorp
    user joebloggs insecure-password letmein
    
    

    And the second part to the field "Backend pass thru" in the section "Advanced settings" of the dedicated backend server:

    
    acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
    http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
    
    

    But it does not work, as I wrote in the 3rd line … do you have any hints for me? I'm using the ACL "Host matches" because I have multiple services with the same domain, and otherwise the proxy with SSL was not able to redirect the request to the correct backend server. Maybe I need an identifier or something so that the backend server in HAProxy knows which userlist to use?

    Thanks for the help.

      PiBa
      last edited by Apr 22, 2018, 2:15 PM

      Can you share the haproxy.conf from the bottom of the settings tab? The lines 'should' work. Or perhaps the webserver itself replies with an authentication request as well, and then either HAProxy or the webserver doesn't like the sent credentials?

        pfs_ch
        last edited by Apr 27, 2018, 5:47 AM

        Sorry for the huge delay. This is the part where I want to have the Basic Auth.

        
        frontend mur.dmz.host.core-sfwlmur0x__fe.wiki.isd.ooo-merged
        	bind			192.168.152.9:80 name 192.168.152.9:80   
        	bind			192.168.152.9:443 name 192.168.152.9:443 ssl  crt /var/etc/haproxy/sepp.pem
        	mode			http
        	log			global
        	option			http-keep-alive
        	timeout client		30000
        	redirect scheme https code 301 if !{ ssl_fc }
        	acl			acl.sepp.1	hdr(host) -i sepp.test.ch
        	acl			aclcrt_sepp.test.ch	hdr_reg(host) -i ^sepp\.test\.ch(:([0-9]){1,5})?$
        	use_backend be.sepp.test.ch_http_ipvANY  if  acl.sepp.1 aclcrt_sepp.test.ch
        
        
        
        backend be.sepp.test.ch_http_ipvANY
        	mode			http
        	log			global
        	timeout connect		30000
        	timeout server		30000
        	retries			3
        	acl			acl.sepp.2	hdr(host) -i sepp.test.ch
        	http-request set-header Host sepp.test.ch  if  acl.sepp.2 
        	server			Sepp 192.168.186.55:80 
        
        
          PiBa
          last edited by Apr 27, 2018, 1:02 PM

          I don't see the "http-request auth" in there?

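The check from the last reply can be run mechanically against the generated haproxy.conf. The following Python script is an added example, not part of the thread or of the pfSense HAProxy package: it reports, per frontend/backend, whether an `http-request auth` rule and the userlist named in its `http_auth()` ACL are actually present, and lists users stored with `insecure-password`. The function name `audit`, the status strings and the second sample backend are assumptions made for illustration.

```python
import re

PROXY_KINDS = ("frontend", "backend", "listen")
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen|userlist)\b\s*(\S*)")
HTTP_AUTH = re.compile(r"http_auth(?:_group)?\(([^)]+)\)")

# Constructed sample: the userlist and backend quoted in the thread, plus a
# hypothetical second backend that does carry the two auth directives.
SAMPLE_CFG = """\
userlist UsersFor_AcmeCorp
    user joebloggs insecure-password letmein
backend be.sepp.test.ch_http_ipvANY
    acl         acl.sepp.2  hdr(host) -i sepp.test.ch
    http-request set-header Host sepp.test.ch  if  acl.sepp.2
    server      Sepp 192.168.186.55:80
backend be.with_auth.example
    acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
    http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
    server      Sepp 192.168.186.55:80
"""

def audit(cfg_text):
    """Return ({proxy: status}, [userlist/user entries stored in cleartext])."""
    userlists, cleartext, proxies = set(), [], {}
    kind = name = None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # naive comment strip, enough here
        if not words:
            continue
        line = " ".join(words)
        m = SECTION.match(line)
        if m:  # a new section starts; remember which one we are in
            kind, name = m.groups()
            if kind == "userlist":
                userlists.add(name)
            elif kind in PROXY_KINDS:
                proxies[name] = {"auth": False, "lists": set()}
        elif kind == "userlist" and words[0] == "user" and "insecure-password" in words:
            cleartext.append(f"{name}/{words[1]}")
        elif kind in PROXY_KINDS:
            proxies[name]["auth"] |= words[:2] == ["http-request", "auth"]
            proxies[name]["lists"].update(HTTP_AUTH.findall(line))
    # Userlists are resolved after the full pass, so definition order is irrelevant.
    return {p: ("no http-request auth" if not s["auth"]
                else "auth rule without http_auth ACL" if not s["lists"]
                else "unknown userlist" if s["lists"] - userlists
                else "ok") for p, s in proxies.items()}, cleartext

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
```

On the backend as posted in the thread the result is "no http-request auth", which is the gap the last reply points at: the pass-thru lines never reached the generated configuration.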
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.