Possible to add basic HTTP access authentication via HAProxy?

haproxy http-authentication

I've successfully setup HAProxy in front of an HTTP server which I have no control over.

Is it possible to configure HAProxy to add Simple HTTP Authentication to all sites, bearing in mind I can't configure this on the backend?

Thanks,

Lars


I had to do this today myself (because IIS 7.5 bizarrely doesn't actually support authenticating against anything but Windows user accounts or AD!)...

Here's all the code

userlist UsersFor_AcmeCorp
  user joebloggs insecure-password letmein

backend HttpServers
  .. normal backend stuff goes here as usual ..
  acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
  http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp

I documented it a bit better here: http://nbevans.wordpress.com/2011/03/03/cultural-learnings-of-ha-proxy-for-make-benefit/


I think this is actually possible, but right now I can only find an example to get you halfway...

http://haproxy.1wt.eu/download/1.4/doc/configuration.txt is your bible.

Check out section 3.4 (Userlists)

It starts:

It is possible to control access to frontend/backend/listen sections or to http stats by allowing only authenticated and authorized users. To do this, it is required to create at least one userlist and to define users.

That section explains how to set up a userlist. The example in that section's quite exhaustive so copy that if you need to.

Next, need to figure out how to apply it... I think the answer lies in section 7.5.3 (Matching at Layer 7)

I think it might be as simple as using the following in an acl:

http_auth(userlist)
http_auth_group(userlist) <group> [<group>]*
  Returns true when authentication data received from the client matches
  username & password stored on the userlist. It is also possible to
  use http_auth_group to check if the user is assigned to at least one
  of specified groups.

Again, I haven't tested it, but that's what I read the documentation as suggesting is possible.

I hope that's enough to get you started?


If you're looking to do this for the purposes of authenticating an

option httpchk

config, this simpler solution works: https://stackoverflow.com/questions/13325882/haproxy-solr-healthcheck-with-authentication

Related

Netstat continuous refresh (watch changes the output)
How can I list MACs, Ciphers and KexAlogrithms supported by my ssh server?
How to configure Tomcat to only listen to 127.0.0.1?
Storing and backing up 10 million files on Linux
How can I allow all users to run a given command via sudo?
How to pipe stderr without piping stdout
What printer driver should I use? [closed]
How can I pre-sign puppet certificates?
How does the RJ45 crimping tool work?
How do you synchronise huge sparse files (VM disk images) between machines?
Robocopy: How to move the content of a directory but KEEP the directory
What does "The IO operation at logical block address # for Disk # was retried." mean when seen in the Windows Server System event log?