
Here is my context:

  • I have a web application (using HTTPS) which needs users to be authenticated prior to contacting it
  • The application expects an HTTP header to be set (let's name it HEADER)
  • There are ~20 different Active Directory servers instances
  • Users need to be authenticated on one of these AD servers
  • The AD server that needs to be used depends on the IP the user is using

Is it possible to do the following with HAProxy, and if yes, how can I do it?

  1. when a user tries to contact a given URL, if the header named HEADER is missing, force basic auth to request the user's username and password.
  2. when receiving username and password from the user, check the source IP and depending on its value (mask / pattern / whatever) contact the corresponding Active Directory to authenticate the user
  3. once the user is correctly authenticated by the selected AD server, write the HEADER

Thanks in advance for your help!

P.S. I posted the same question on Stackoverflow but I guess that serverfault may be a better place to ask this kind of question.

Kraal
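As an added example (not part of the question or the answer above), the configuration below maps the three steps onto HAProxy's own primitives. Everything in it is assumed: the backend name, the two subnets, the userlist entries, and the choice of `X-Auth-User` as the concrete name for HEADER. Core HAProxy has no LDAP/AD client, so the per-site `userlist` blocks stand in for the per-site directories; the note after the block says where the real AD check would have to go.

```haproxy
# Added example, not the question's or answer's own configuration.
# Subnets, user entries and the header name X-Auth-User are constructed.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Static stand-ins for the per-site directories (assumption: the real
# check against AD cannot be done in core HAProxy; see the note below).
userlist ad_site_a
    # hashed entry; placeholder hash, generate a real one with mkpasswd -m sha-512
    user alice password $6$placeholder$REPLACE_WITH_REAL_HASH
userlist ad_site_b
    user bob   password $6$placeholder$REPLACE_WITH_REAL_HASH

frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/site.pem

    # Never trust HEADER from the client: the application treats it as
    # proof of authentication, so a forged copy would bypass the check.
    http-request del-header X-Auth-User

    # Step 2: source IP decides which directory is consulted (constructed masks).
    acl from_site_a src 10.10.0.0/16
    acl from_site_b src 10.20.0.0/16

    # True only when the Basic credentials match the caller's own directory.
    acl ok_site_a http_auth(ad_site_a)
    acl ok_site_b http_auth(ad_site_b)

    # Step 1: no valid credentials for the caller's site -> 401 with a
    # Basic challenge; "auth" terminates the request here.
    http-request auth realm "Site A" if from_site_a !ok_site_a
    http-request auth realm "Site B" if from_site_b !ok_site_b

    # Callers from a network that maps to no directory are refused outright.
    http-request deny deny_status 403 if !from_site_a !from_site_b

    # Step 3: only requests that passed their site's check reach this line.
    # http_auth_user is assumed to be available in the running HAProxy version.
    http-request set-header X-Auth-User %[http_auth_user] if ok_site_a || ok_site_b

    # The application never needs the password, so drop it before forwarding.
    http-request del-header Authorization

    default_backend app

backend app
    server app1 127.0.0.1:8080
```

Two points a practitioner should keep in mind. First, the `del-header X-Auth-User` at the top means the proxy re-validates every request rather than honouring a header the client presents; browsers resend cached Basic credentials automatically, so this costs nothing visible and closes the header-forgery hole. Second, replacing the `userlist` stand-ins with a live AD check is the part HAProxy cannot do alone: the per-site lookup has to be delegated, either to a Lua fetch that queries the directory or to a per-site authenticating gateway chosen with the same `src` ACLs, which is the shape the answer below describes.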

1 Answer


I know this is a bit of an old topic, but I figured I'd give it my 2 pence...

You may want to consider using a higher-level tool such as Keycloak + a higher level HTTP gateway (e.g. Apache Knox) to redirect the users, and perhaps use HAProxy to point the users to the closest Knox Gateway available. You could almost have a 1-to-1 relationship between Knox, Keycloak, and AD instances if the distance will really make a difference, and then use HAProxy to choose which gateway to connect depending on the user's IP.

The following project enables users to connect keycloak and knox together: https://github.com/UKHomeOffice/pontus-keycloak-knox

Leo