[HAProxy] HTTP Basic Auth
-
Hello
I've multiple Sites running over HAProxy which is running for us as a proxy. HTTPS until HAProxy and then normal HTTP in the Backend to the DMZ. Everything is working fine.
Now I want to secure one dedicated Frontend/Backend with HTTP Basic Auth. I found something here in the Forum, but it wasn't working. It never accepts the username and password - it always re-prompts the auth dialog.
https://forum.pfsense.org/index.php?topic=111933.0, https://forum.pfsense.org/index.php?topic=89484.0
As written in the post, I've added the first part to the field "Custom options" in the section "Global Advanced pass thru" on the tab "Settings"
    userlist UsersFor_AcmeCorp
        user joebloggs insecure-password letmein
And the second part to the field "Backend pass thru" on Section "Advanced settings" at the dedicated Backend Server
    acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
    http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
But it does not work, like I wrote on the 3rd line … do you have any hints for me? I'm using the acl "Host matches" because I've multiple services with the same domain, and otherwise the proxy with the SSL was not able to redirect the request to the correct backend server - maybe I need an identifier or something so that the backend server in HAProxy knows which userlist to use?
Thanks for the help.
-
Can you share the haproxy.conf from the bottom of the settings tab? The lines 'should' work.. Or perhaps the webserver itself replies with an authentication request as well? And then either haproxy or the webserver doesn't like the sent credentials?
-
Sorry for the huge delay. This is the part of it where I want to have the Basic Auth.
    frontend mur.dmz.host.core-sfwlmur0x__fe.wiki.isd.ooo-merged
        bind 192.168.152.9:80 name 192.168.152.9:80
        bind 192.168.152.9:443 name 192.168.152.9:443 ssl crt /var/etc/haproxy/sepp.pem
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        redirect scheme https code 301 if !{ ssl_fc }
        acl acl.sepp.1 hdr(host) -i sepp.test.ch
        acl aclcrt_sepp.test.ch hdr_reg(host) -i ^sepp\.test\.ch(:([0-9]){1,5})?$
        use_backend be.sepp.test.ch_http_ipvANY if acl.sepp.1 aclcrt_sepp.test.ch

    backend be.sepp.test.ch_http_ipvANY
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        acl acl.sepp.2 hdr(host) -i sepp.test.ch
        http-request set-header Host sepp.test.ch if acl.sepp.2
        server Sepp 192.168.186.55:80
-
I don't see the "http-request auth" in there?
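
Added example (not part of the thread and not from any of the posters): a small Python check that does the last reply's inspection mechanically, reporting for each backend in a generated HAProxy config whether an "http-request auth" rule is present and whether the userlist it references is defined. The sample config is constructed from the names used in the thread, and the function names are hypothetical.

```python
import re
# Constructed sample: the userlist exists, but the backend has no auth rule.
SAMPLE_CFG = """\
userlist UsersFor_AcmeCorp
    user joebloggs insecure-password letmein
backend be.sepp.test.ch_http_ipvANY
    http-request set-header Host sepp.test.ch
    server Sepp 192.168.186.55:80
"""

SECTION = re.compile(r"^(global|defaults|userlist|frontend|backend|listen)\b\s*(\S*)")

def parse_sections(cfg_text):
    """Split a haproxy config into (kind, name, [directive lines]) tuples."""
    sections = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment stripping
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def audit_basic_auth(cfg_text):
    """Return {backend name: finding} for every backend/listen section."""
    sections = parse_sections(cfg_text)
    userlists = {name for kind, name, _ in sections if kind == "userlist"}
    findings = {}
    for kind, name, lines in sections:
        if kind not in ("backend", "listen"):
            continue
        body = "\n".join(lines)
        refs = set(re.findall(r"http_auth(?:_group)?\(([^)]+)\)", body))
        if not re.search(r"^http-request\s+auth\b", body, re.M):
            findings[name] = "no http-request auth rule"
        elif not refs:
            findings[name] = "auth rule without http_auth() check"
        elif refs - userlists:
            findings[name] = "unknown userlist: " + ", ".join(sorted(refs - userlists))
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    print(audit_basic_auth(SAMPLE_CFG))
```

To use it on a real setup, paste the generated config from the bottom of the Settings tab into a string and pass it to audit_basic_auth().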