Haproxy and HTTP basic auth via gui



  • Can anyone tell me if it is possible to do this via the GUI? I'm using haproxy (non-dev) to wrap https traffic to a http server and need a password prompt (don't ask ;)). At the moment I'm doing it in a config file and restarting haproxy on the command line to prevent the GUI overwriting my manual changes, it is working perfectly but not a very pretty solution.

    userlist UsersFor_AcmeCorp
      user joebloggs insecure-password letmein
    
    backend HttpServers
      .. normal backend stuff goes here as usual ..
      acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
      http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
    

    I've basically just copied the config from this post
    https://nbevans.wordpress.com/2011/03/03/cultural-learnings-of-ha-proxy-for-make-benefit/

    Any advice, I'm sure I'm missing something obvious? Thanks.



  • Hi Paul,

    Its currently not completely possible by clicking a few buttons/checkboxes in the gui.

    You should however be able to put the user list in the advanced option on the settings tab.

    As for the acl and http-request auth..
    It is possible to define a 'custom acl' and use the action 'http-request auth' with that acl.
    But you might want to just put it in the 'advanced' textbox on a backend edit page depends a bit what you like better..
    That should be effectively included into the generated configuration parts.

    Regards,
    PiBa-NL



  • Many thanks for the guidance PiBa, I'll have a go at doing it this way and let you know how it ends up.



  • That seems to have done the job nicely, thanks very much for the advice.



  • Am newer to pfsense and brand new to haproxy - but am highly interested in setting up basic auth for some things I'm running at my house behind haproxy.  I have lets encrypt up and running, working fine.  I understand what is being done here to a point, but when I tried pasting in something as a test - pfesense haproxy basically crashed out when I restarted it to save changes…can anyone point me in the right direction to get this going?  I need to know where to put what in the pfsense config more or less.  Thanks for any help ahead of time.



  • @PiBa:

    Hi Paul,

    Its currently not completely possible by clicking a few buttons/checkboxes in the gui.

    You should however be able to put the user list in the advanced option on the settings tab.

    As for the acl and http-request auth..
    It is possible to define a 'custom acl' and use the action 'http-request auth' with that acl.
    But you might want to just put it in the 'advanced' textbox on a backend edit page depends a bit what you like better..
    That should be effectively included into the generated configuration parts.

    Regards,
    PiBa-NL

    Dear PiBa-NL

    Would you mind elaborating on the other option?

    I have a working solution and have been running one for a long time just like explained above using the passthrough text boxes. I have now reached a situation where I would like to exclude some backends from Basic HTTP Auth. How would I choose through ACL/Actions which ones would require Basic HTTP Auth?



  • @Lockzi , sorry for late reply.
    Attached screenshots of what i meant with the custom acl. Maybe they will help you, or someone else finding this..

    ![2018-03-03 23_06_00-Services_ HAProxy_ Settings - pfSe.localdomain.png](/public/imported_attachments/1/2018-03-03 23_06_00-Services_ HAProxy_ Settings - pfSe.localdomain.png)
    ![2018-03-03 23_06_00-Services_ HAProxy_ Settings - pfSe.localdomain.png_thumb](/public/imported_attachments/1/2018-03-03 23_06_00-Services_ HAProxy_ Settings - pfSe.localdomain.png_thumb)
    ![2018-03-03 23_09_23-Services_ HAProxy_ Backend_ Edit - pfSe.localdomain.png](/public/imported_attachments/1/2018-03-03 23_09_23-Services_ HAProxy_ Backend_ Edit - pfSe.localdomain.png)
    ![2018-03-03 23_09_23-Services_ HAProxy_ Backend_ Edit - pfSe.localdomain.png_thumb](/public/imported_attachments/1/2018-03-03 23_09_23-Services_ HAProxy_ Backend_ Edit - pfSe.localdomain.png_thumb)



  • Dear PiBa-NL

    The screenshots are not visible, would be of great help if you could repost them.

    Thank you!
    Luc