HAProxy Stats authentication: Does the username and password have to be cleartext?

I'm in the process of replacing my old nginx load balancer with HAProxy, and I really like the stats dashboard because of the GUI that I can use to put servers into drain or maintenance. My concern, however, is that the username and password for this are configured in plaintext in one of the config files. I haven't been able to find any information that would allow me to offload this to another authentication option like LDAP, or secure it in a hashed format.

Is there any way to not have this information in plain text in the config?


Yes, they have to be cleartext. From the manual:

Since the authentication method is HTTP Basic Authentication, the passwords circulate in cleartext on the network. Thus, it was decided that the configuration file would also use cleartext passwords to remind the users that those ones should not be sensitive and not shared with any other account.


A workaround that hides the password in the HAProxy stats.cfg is to use an environment variable value instead of the password in the configuration file.

This way, stats.cfg may look like:

listen stats
        bind    *:1936
        mode    http
        stats auth admin:"$PASS"
        ...

The PASS environment variable holds the password, which could be populated from a secret file.
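The workflow described in this answer, written out as an added shell example (not code from the answer or from the HAProxy project): a root-only secret file is read into PASS, the stats section is rendered with a literal "$PASS" so the password never lands in the config on disk, and the rendered file is checked before HAProxy parses it. The file names under the temp directory (stats.secret, stats.cfg) and the sample password are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer. Demonstrates populating the
# PASS variable from a secret file and rendering an HAProxy stats section that
# references "$PASS" instead of the cleartext password. Paths are illustrative.
set -eu

# Write a constructed secret file with owner-only permissions. In production
# this file comes from your secret store or provisioning tool, not a script.
write_secret_file() {
    file="$1"
    ( umask 077; printf '%s\n' 'correct horse battery staple' > "$file" )
    chmod 0600 "$file"
}

# Load the first line of the secret file into PASS and export it. HAProxy
# expands "$PASS" inside double-quoted config strings at parse time, so the
# variable has to be present in the environment of the haproxy process itself.
load_pass() {
    [ -r "$1" ] || { echo "secret file $1 is not readable" >&2; return 1; }
    PASS=$(head -n 1 "$1")
    export PASS
}

# Render the stats listener. The quoted heredoc delimiter keeps "$PASS"
# literal, which is the point: HAProxy, not the shell, performs the expansion.
render_stats_cfg() {
    cat > "$1" <<'EOF'
listen stats
        bind    *:1936
        mode    http
        stats enable
        stats uri /
        stats auth admin:"$PASS"
EOF
}

# Returns 0 only if the rendered config references $PASS and does not contain
# the cleartext password; this is the check to run at deploy or in CI.
config_is_clean() {
    cfg="$1"
    grep -q 'stats auth admin:"\$PASS"' "$cfg" || return 1
    ! grep -qF "$PASS" "$cfg"
}

# Syntax-check with the real binary when it is installed; otherwise skip.
# haproxy -c only parses the configuration and does not bind any port.
validate_with_haproxy() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    else
        echo "haproxy not installed; skipping syntax check" >&2
    fi
}

# Demonstration run in a private temp directory; prints the directory path.
demo() {
    tmp=$(mktemp -d)
    write_secret_file "$tmp/stats.secret"
    load_pass "$tmp/stats.secret"
    render_stats_cfg "$tmp/stats.cfg"
    config_is_clean "$tmp/stats.cfg"
    echo "$tmp"
}
```

Two caveats worth keeping in mind when using this. First, the secret only moves, it does not disappear: after HAProxy parses the config the password sits in process memory, and the exported variable is readable from /proc/PID/environ by root and by the user HAProxy runs as, so restrict the secret file and the service account accordingly. Second, if HAProxy runs under systemd, an `EnvironmentFile=` line pointing at a 0600 file is an alternative to a wrapper script for getting PASS into the process environment.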