
I need some help with an HAProxy configuration to bypass HTTP basic auth and let the user use a specific backend in case there is a valid session cookie present from another backend application.

I got it working in general using the following configuration in my frontend definition:

# NOTE: every ACL and map file named below must be loaded from a file that
# exists when HAProxy starts (even a dummy empty file). add-acl/del-acl and
# set-map/del-map, as well as "show acl"/"show map" on the stats socket,
# operate on the pattern reference created from that file. HAProxy keeps the
# dynamic entries in memory only and never writes them back to the file.

# Monitor application response headers for keywords and update user ACL.
# The header value is the PHPSESSID to allow or revoke; only the backend can
# set response headers, so a client cannot forge these entries.
acl has_disallowAPPUser     res.hdr(X-APP-DisallowUser) -m found
acl has_allowAPPUser        res.hdr(X-APP-AllowUser) -m found
http-response del-acl(/var/lib/haproxy/app_user_sessions.acl) %[res.hdr(X-APP-DisallowUser)] if has_disallowAPPUser
http-response add-acl(/var/lib/haproxy/app_user_sessions.acl) %[res.hdr(X-APP-AllowUser)] if has_allowAPPUser

# Monitor application response headers for keywords and update admin ACL
acl has_disallowAPPAdmin    res.hdr(X-APP-DisallowAdmin) -m found
acl has_allowAPPAdmin       res.hdr(X-APP-AllowAdmin) -m found
http-response del-acl(/var/lib/haproxy/app_admin_sessions.acl) %[res.hdr(X-APP-DisallowAdmin)] if has_disallowAPPAdmin
http-response add-acl(/var/lib/haproxy/app_admin_sessions.acl) %[res.hdr(X-APP-AllowAdmin)] if has_allowAPPAdmin

# Do not show X-APP headers to the frontend user. http-response rules run in
# configuration order, so these must stay after the add-acl/del-acl rules
# above, which still need to read the header. (rspidel did the same job but
# is deprecated and was removed in HAProxy 2.1.)
http-response del-header X-APP-DisallowUser  if has_disallowAPPUser
http-response del-header X-APP-AllowUser     if has_allowAPPUser
http-response del-header X-APP-DisallowAdmin if has_disallowAPPAdmin
http-response del-header X-APP-AllowAdmin    if has_allowAPPAdmin

# Check session cookie
acl is_appuser_session  req.cook(PHPSESSID) -f /var/lib/haproxy/app_user_sessions.acl
acl is_appadmin_session req.cook(PHPSESSID) -f /var/lib/haproxy/app_admin_sessions.acl

# Monitor last session activity: store the Unix timestamp of the last request
# under the session id. set-map replaces an existing entry for the same key,
# so the separate del-map beforehand is not needed.
http-request set-map(/var/lib/haproxy/app_user_sessions.map)  %[req.cook(PHPSESSID)] %[date()] if is_appuser_session
http-request set-map(/var/lib/haproxy/app_admin_sessions.map) %[req.cook(PHPSESSID)] %[date()] if is_appadmin_session

# Route to backend: first matching use_backend wins, so the session-based
# rules must come before the basic-auth fallbacks. Note that the last two
# lines carry the same condition, so bk_appadmin-via-httpauth can never be
# reached as written; one of the *_uri ACLs (not defined in this snippet)
# presumably has to differ.
use_backend bk_appuser-via-session  if is_appadmin_uri is_appuser_session
use_backend bk_appadmin-via-session if is_appadmin_uri is_appadmin_session
use_backend bk_appuser-via-httpauth  if is_appadmin_uri
use_backend bk_appadmin-via-httpauth if is_appadmin_uri

This allows direct access to the backend application in case the PHP application successfully created a user session and sent the appropriate X-APP headers.

Here is where I need some help:

To clean up old ACLs, a cron job reloads HAProxy every 5 minutes. This drops active sessions, and the user falls back to basic auth until they reload a page from the primary PHP application.

So my idea was to track user activity per session together with a timestamp, so that my cron reload script can write any sessions younger than 15 minutes to /var/lib/haproxy/app_user_sessions.acl. HAProxy would then read the existing sessions from there after each reload, so existing sessions will not break.

Unfortunately I cannot get the map definitions working: I get no result when fetching their content via the HAProxy admin socket (using HATop for a manual check).

Is there any real HAProxy geek who could help me get this last part done somehow? I'd be very thankful.

Regards, Julian

  • I know this is an old question, but can you post the content of /var/lib/haproxy/app_user_sessions.acl ? – Beachhouse Mar 06 '15 at 23:28
  • There is actually no content, as this is not a real file. I don't know the details about HAProxy, but it won't actually write any dynamic content to that file; it keeps all the data in the server's memory. – Julian Pawlowski Oct 09 '15 at 12:38
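As an added example, not part of the question or of Julian's setup, here is a shell script for the cron reload step described above: it dumps the live map from the stats socket, keeps only the sessions that saw activity in the last 15 minutes, rewrites both the .acl and the .map file atomically, and only then reloads. The file paths and the 15-minute window come from the question; the stats socket path, the reload command and the use of socat are assumptions. The sample `show map` lines used for checking the filter are constructed.

```shell
#!/bin/sh
# Added example: persist recent HAProxy session entries across a reload.
# Assumes a stats socket at /run/haproxy/admin.sock (assumed path; needs a
# "stats socket ... level admin" line in the global section), socat on the
# host, and map values that are epoch seconds written by %[date()].

SOCK="${HAPROXY_SOCK:-/run/haproxy/admin.sock}"   # assumed socket path
MAX_AGE=900                                         # 15 minutes, as in the question

# Fetch the live contents of a map from the running process.
# "show map <file>" prints one entry per line as: <id> <key> <value>
dump_map() {
    echo "show map $1" | socat stdio "unix-connect:$SOCK"
}

# Read "show map" lines on stdin and print "<key> <timestamp>" for entries
# whose timestamp is at most $2 seconds older than now ($1). Malformed lines
# and non-numeric values are dropped rather than carried into the new file.
filter_recent_sessions() {
    awk -v now="$1" -v max_age="$2" '
        NF == 3 && $3 ~ /^[0-9]+$/ && (now - $3) <= max_age { print $2, $3 }'
}

# Write the surviving "<key> <timestamp>" pairs (stdin) to the map file and
# the bare keys to the ACL file. Both are written to a temp file and renamed,
# so a reload that races with this script never sees a half-written file.
write_session_files() {
    map_file="$1"; acl_file="$2"
    tmp_map="$map_file.tmp.$$"; tmp_acl="$acl_file.tmp.$$"
    tee "$tmp_map" | awk '{ print $1 }' > "$tmp_acl"
    mv "$tmp_map" "$map_file"
    mv "$tmp_acl" "$acl_file"
}

# One map/ACL pair: dump, filter, persist.
rotate_session_files() {
    dump_map "$1" \
      | filter_recent_sessions "$(date +%s)" "$MAX_AGE" \
      | write_session_files "$1" "$2"
}

# Cron entry point: both pairs from the question, then the reload.
run_rotation() {
    rotate_session_files /var/lib/haproxy/app_user_sessions.map  /var/lib/haproxy/app_user_sessions.acl
    rotate_session_files /var/lib/haproxy/app_admin_sessions.map /var/lib/haproxy/app_admin_sessions.acl
    systemctl reload haproxy   # assumed reload command; use whatever the host provides
}

# Only touch the live socket when invoked with --run, so the functions can
# be sourced and exercised on sample input without a running HAProxy.
if [ "${1:-}" = "--run" ]; then
    run_rotation
fi
```

The map file is rewritten as well as the ACL file on purpose: after a reload the in-memory map starts from the file contents, and a session that is listed in the ACL but has not sent a request since the reload would otherwise have no timestamp at the next run and be dropped even though it is younger than 15 minutes. The script is only as good as the socket: if `show map` returns nothing, check that the map file existed at startup and that the socket is declared with `level admin`.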

0 Answers