Possible to add basic HTTP access authentication via HAProxy?
I've successfully setup HAProxy in front of an HTTP server which I have no control over.
Is it possible to configure HAProxy to add Simple HTTP Authentication to all sites, bearing in mind I can't configure this on the backend?
Thanks,
Lars
I had to do this today myself (because IIS 7.5 bizarrely doesn't actually support authenticating against anything but Windows user accounts or AD!)...
Here's all the code
userlist UsersFor_AcmeCorp
user joebloggs insecure-password letmein
backend HttpServers
.. normal backend stuff goes here as usual ..
acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
I documented it a bit better here: http://nbevans.wordpress.com/2011/03/03/cultural-learnings-of-ha-proxy-for-make-benefit/
I think this is actually possible, but right now I can only find an example to get you halfway...
http://haproxy.1wt.eu/download/1.4/doc/configuration.txt is your bible.
Check out section 3.4 (Userlists)
It starts:
It is possible to control access to frontend/backend/listen sections or to http stats by allowing only authenticated and authorized users. To do this, it is required to create at least one userlist and to define users.
That section explains how to set up a userlist. The example in that section's quite exhaustive so copy that if you need to.
Next, need to figure out how to apply it... I think the answer lies in section 7.5.3 (Matching at Layer 7)
I think it might be as simple as using the following in an acl:
http_auth(userlist)
http_auth_group(userlist) <group> [<group>]*
Returns true when authentication data received from the client matches
username & password stored on the userlist. It is also possible to
use http_auth_group to check if the user is assigned to at least one
of specified groups.
Again, I haven't tested it, but that's what I read the documentation as suggesting is possible.
I hope that's enough to get you started?
If you're looking to do this for the purposes of authenticating an
option httpchk
config, this simpler solution works: https://stackoverflow.com/questions/13325882/haproxy-solr-healthcheck-with-authentication