HAProxy basic auth except from specific IP

I have set up basic authentication for my backend, like this:

backend webservers
    acl is_auth_ok http_auth(SiteUsers)
    http-request auth realm MySite if !is_auth_ok

This works but now I want to exclude a certain IP from being challenged with the authentication.

I've tried a few things but I haven't managed to get it working. To give you an idea of what I'm trying to do, here's something that I've tried (this provokes a haproxy parsing error):

backend webservers
    acl is_internal src <<my-ip-to-exclude>>
    acl is_auth_ok http_auth(SiteUsers)
    acl is_allowed if is_internal or is_auth_ok
    http-request auth realm MySite if !is_allowed

Basically I'm looking to do in HAProxy the equivalent of this in Apache:

<Directory /var/www>
  AuthUserFile /home/www/site1-passwd
  AuthType Basic
  AuthName MySite
  Require valid-user
  Order allow,deny
  Allow from 172.17.10     <--- This allows this IP to 
  Satisfy any              <--- get in without a password
</Directory>

What should my HAProxy config look like?


Solution 1:

backend webservers
    acl is_internal src <<my-ip-to-exclude>>
    acl is_auth_ok http_auth(SiteUsers)
    http-request auth realm MySite if !is_internal !is_auth_ok

This is the final working solution, thanks @GregL for pointing me in the right direction.