    [HAProxy] HTTP Basic Auth

    • P
      pfs_ch last edited by

      Hello

      I have multiple sites running over HAProxy, which is running for us as a proxy: HTTPS up to HAProxy and then normal HTTP in the backend to the DMZ. Everything is working fine.
      Now I want to secure one dedicated frontend/backend with HTTP Basic Auth.

      I found something here in the forum, but it wasn't working. It never accepts the username and password and always re-prompts the auth dialog.
      https://forum.pfsense.org/index.php?topic=111933.0, https://forum.pfsense.org/index.php?topic=89484.0

      As written in the post, I've added the first part to the field "Custom options" in the section "Global Advanced pass thru" on the "Settings" tab

      
      userlist UsersFor_AcmeCorp
      user joebloggs insecure-password letmein
      
      

      And the second part to the field "Backend pass thru" in the section "Advanced settings" of the dedicated backend server

      
      acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
      http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
      
      

      But it does not work, as I wrote in the 3rd line … do you have any hints for me? I'm using the ACL "Host matches" because I have multiple services with the same domain, and otherwise the proxy with the SSL was not able to redirect the request to the correct backend server. Maybe I need an identifier or something so that the backend server in HAProxy knows which userlist to use?

      Thanks for the help.

      • P
        PiBa last edited by

        Can you share the haproxy.conf from the bottom of the settings tab? The lines 'should' work. Or perhaps the webserver itself replies with an authentication request as well? And then either haproxy or the webserver doesn't like the sent credentials?

        • P
          pfs_ch last edited by

          Sorry for the huge delay. This is the part of it where I want to have the Auth Basic.

          
          frontend mur.dmz.host.core-sfwlmur0x__fe.wiki.isd.ooo-merged
          	bind			192.168.152.9:80 name 192.168.152.9:80   
          	bind			192.168.152.9:443 name 192.168.152.9:443 ssl  crt /var/etc/haproxy/sepp.pem
          	mode			http
          	log			global
          	option			http-keep-alive
          	timeout client		30000
          	redirect scheme https code 301 if !{ ssl_fc }
          	acl			acl.sepp.1	hdr(host) -i sepp.test.ch
          	acl			aclcrt_sepp.test.ch	hdr_reg(host) -i ^sepp\.test\.ch(:([0-9]){1,5})?$
          	use_backend be.sepp.test.ch_http_ipvANY  if  acl.sepp.1 aclcrt_sepp.test.ch
          
          
          
          backend be.sepp.test.ch_http_ipvANY
          	mode			http
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	acl			acl.sepp.2	hdr(host) -i sepp.test.ch
          	http-request set-header Host sepp.test.ch  if  acl.sepp.2 
          	server			Sepp 192.168.186.55:80 
          
          
          • P
            PiBa last edited by

            I don't see the "http-request auth" in there?

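For comparison with the haproxy.conf posted above, this is what the generated file should contain once both pass-thru snippets have actually been applied. It is an added example, not part of the original thread: the userlist, ACL, realm and backend names are taken from the posts, the password hash is a placeholder, and the `del-header` line assumes the web server behind the proxy does no authentication of its own.

```haproxy
# Added example. If the "http-request auth" line below is missing from the
# generated file, the "Backend pass thru" text was not applied to this backend.

# From "Custom options" under "Global Advanced pass thru".
userlist UsersFor_AcmeCorp
	# "password" expects a crypt(3) hash (for instance the output of
	# `openssl passwd -6`) instead of the cleartext "insecure-password" form.
	# The value here is a placeholder, not a working hash.
	user joebloggs password <SHA512-CRYPT-HASH-PLACEHOLDER>

backend be.sepp.test.ch_http_ipvANY
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	# From "Backend pass thru": reply 401 until the credentials match the userlist.
	acl			AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
	http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
	# Assumption: the web server itself does not need the credentials, so the
	# header is dropped after HAProxy has checked it and is not forwarded
	# over the plain-HTTP hop into the DMZ.
	http-request del-header Authorization
	acl			acl.sepp.2	hdr(host) -i sepp.test.ch
	http-request set-header Host sepp.test.ch  if  acl.sepp.2
	server			Sepp 192.168.186.55:80
```

Because the frontend in the thread already redirects plain HTTP to HTTPS before a backend is selected, the Basic Auth prompt from this backend is only issued on the TLS listener.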