[HAProxy] HTTP Basic Auth



  • Hello

    I have multiple sites running behind HAProxy, which acts as a proxy for us: HTTPS up to HAProxy and then normal HTTP in the backend to the DMZ. Everything is working fine.
    Now I want to secure one dedicated frontend/backend with HTTP Basic Auth.

    I found something here in the forum, but it wasn't working. It never accepts the username and password and always re-prompts with the auth dialog.
    https://forum.pfsense.org/index.php?topic=111933.0, https://forum.pfsense.org/index.php?topic=89484.0

    As written in the post, I've added the first part to the field "Custom options" in the section "Global Advanced pass thru" on the "Settings" tab:

    
    userlist UsersFor_AcmeCorp
    user joebloggs insecure-password letmein
    
    

    And the second part to the field "Backend pass thru" in the section "Advanced settings" of the dedicated backend server:

    
    acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
    http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
    
    

    But it does not work, as I wrote in the 3rd line … Do you have any hints for me? I'm using the ACL "Host matches" because I have multiple services with the same domain, and otherwise the proxy with SSL was not able to redirect the request to the correct backend server. Maybe I need an identifier or something so that the backend server in HAProxy knows which userlist to use?

    Thanks for the help.



  • Can you share the haproxy.conf from the bottom of the Settings tab? The lines 'should' work. Or perhaps the webserver itself replies with an authentication request as well? And then either HAProxy or the webserver doesn't like the sent credentials?



  • Sorry for the huge delay. This is the part where I want to have the Basic Auth.

    
    frontend mur.dmz.host.core-sfwlmur0x__fe.wiki.isd.ooo-merged
    	bind			192.168.152.9:80 name 192.168.152.9:80   
    	bind			192.168.152.9:443 name 192.168.152.9:443 ssl  crt /var/etc/haproxy/sepp.pem
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	redirect scheme https code 301 if !{ ssl_fc }
    	acl			acl.sepp.1	hdr(host) -i sepp.test.ch
    	acl			aclcrt_sepp.test.ch	hdr_reg(host) -i ^sepp\.test\.ch(:([0-9]){1,5})?$
    	use_backend be.sepp.test.ch_http_ipvANY  if  acl.sepp.1 aclcrt_sepp.test.ch
    
    
    
    backend be.sepp.test.ch_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	acl			acl.sepp.2	hdr(host) -i sepp.test.ch
    	http-request set-header Host sepp.test.ch  if  acl.sepp.2 
    	server			Sepp 192.168.186.55:80 
    
    


  • I don't see the "http-request auth" in there?
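
The check made in the last reply, automated as an added example that is not part of the thread: a small Python audit that reads a generated haproxy.conf and reports whether the section meant to be protected carries an `http-request auth` rule tied to a defined userlist. The function names are hypothetical, and the sample config is constructed from the snippets posted above.

```python
import re

# Constructed sample: backend from the thread plus the userlist from the first post.
SAMPLE_CONF = """\
global
    maxconn 1000
userlist UsersFor_AcmeCorp
    user joebloggs insecure-password letmein

backend be.sepp.test.ch_http_ipvANY
    mode http
    acl acl.sepp.2 hdr(host) -i sepp.test.ch
    http-request set-header Host sepp.test.ch if acl.sepp.2
    server Sepp 192.168.186.55:80
"""

SECTION = re.compile(r"^(global|defaults|userlist|frontend|backend|listen)\b\s*(\S*)")

def parse_sections(conf):
    """Split a config into (kind, name, directive_lines) sections."""
    sections = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def audit_basic_auth(conf, proxy_name):
    """Return findings for the proxy section that should enforce Basic Auth."""
    sections = parse_sections(conf)
    userlists = {name for kind, name, _ in sections if kind == "userlist"}
    lines = [l for kind, name, body in sections
             if kind != "userlist" and name == proxy_name for l in body]
    findings = []
    rules = [l for l in lines if re.match(r"http-request\s+auth\b", l)]
    if not rules:
        findings.append("no 'http-request auth' rule in this section")
    refs = set(re.findall(r"http_auth\(([^)]+)\)", "\n".join(lines)))
    for ref in sorted(refs - userlists):
        findings.append(f"http_auth() names undefined userlist {ref}")
    if rules and not refs:
        findings.append("auth rule has no http_auth() condition, so it always challenges")
    return findings
```

Calling `audit_basic_auth(SAMPLE_CONF, "be.sepp.test.ch_http_ipvANY")` reports the missing rule; an empty list means the rule and its userlist are both present in the generated file.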