27

I've successfully setup HAProxy in front of an HTTP server which I have no control over.

Is it possible to configure HAProxy to add Simple HTTP Authentication to all sites, bearing in mind I can't configure this on the backend?

Thanks,

Lars

Coops
  • 5,967
  • 1
  • 31
  • 52
Lars Schneider
  • 373
  • 1
  • 3
  • 5

3 Answers3

39

I had to do this today myself (because IIS 7.5 bizarrely doesn't actually support authenticating against anything but Windows user accounts or AD!)...

Here's all the code

userlist UsersFor_AcmeCorp
  user joebloggs insecure-password letmein

backend HttpServers
  .. normal backend stuff goes here as usual ..
  acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
  http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp

I documented it a bit better here: http://nbevans.wordpress.com/2011/03/03/cultural-learnings-of-ha-proxy-for-make-benefit/

nbevans
  • 742
  • 1
  • 6
  • 13
  • 3
    +1 Just wanted to add that you can also add the final lines in a `frontend` definition rather than `backend` if you want. And the `realm xxxx` part is optional. – UpTheCreek May 01 '13 at 08:52
  • 1
    I implemented this but what happens is that on every subsequent api calls I get the popup asking for authentication.This makes it unusable. Is there anyway where it is asked once then cached for the rest of the calls ? That would be very helpful. – shshnk Sep 19 '17 at 12:25
2

I think this is actually possible, but right now I can only find an example to get you halfway...

http://haproxy.1wt.eu/download/1.4/doc/configuration.txt is your bible.

Check out section 3.4 (Userlists)

It starts:

It is possible to control access to frontend/backend/listen sections or to http stats by allowing only authenticated and authorized users. To do this, it is required to create at least one userlist and to define users.

That section explains how to set up a userlist. The example in that section's quite exhaustive so copy that if you need to.

Next, need to figure out how to apply it... I think the answer lies in section 7.5.3 (Matching at Layer 7)

I think it might be as simple as using the following in an acl:

http_auth(userlist)
http_auth_group(userlist) <group> [<group>]*
  Returns true when authentication data received from the client matches
  username & password stored on the userlist. It is also possible to
  use http_auth_group to check if the user is assigned to at least one
  of specified groups.

Again, I haven't tested it, but that's what I read the documentation as suggesting is possible.

I hope that's enough to get you started?

Pricey
  • 419
  • 1
  • 5
  • 19
  • Good shout, i guess i'm just used to it now! – Pricey Feb 25 '11 at 00:23
  • Although looking at it again, it doesn't seem to have been updated in months... I haven't checked for specific changes between that and the wall of text but assume there is some. – Pricey Feb 25 '11 at 09:19
  • 1
    That 'better' bible link is 404'ing. Even better would be this http://www.haproxy.org/#docs . There you find HTML/text manual goodies. – Glenn Plas Aug 12 '14 at 09:25
  • Links for getting at the manuals: https://cbonte.github.io/haproxy-dconv/. – slm Aug 22 '16 at 15:32
1

If you're looking to do this for the purposes of authenticating an

option httpchk

config, this simpler solution works: https://stackoverflow.com/questions/13325882/haproxy-solr-healthcheck-with-authentication

Community
  • 1
Dan Richelson
  • 11
  • 1
  • 1
    Welcome to Server Fault! While this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers/8259#8259) to include the essential parts of the answer here, and provide the link for reference. – HopelessN00b Mar 27 '13 at 21:56