We have a HAProxy setup which has basic auth on some of our backends. We now want to enable CORS requests to our backends but this is failing for those with basic auth enabled.
When CORS makes its preflight OPTIONS request it does not include the auth header and thus it fails and so the request fails.
Is there a way of allowing the OPTIONS request without authorisation but mandating it for all other requests?
Our haproxy.cfg has the following sections relevant to this:
# User lists used to enforce HTTP Basic Authentication
...
userlist ul_hyknpj6tb-uakf5isp
    user fred password $6$H/M21cSsvXn$jlEZQV7QL/clhV7JtZkAQf34QAPfZq5sE.zLE.M3gi4K1DV5J6ppc.e1JAOP0CtVxM0.n157llg5tsTp0gPFj1
....
backend b_term_hyknpj6tb-uakf5isp
    mode http
    balance roundrobin
    option forwardfor
    stick-table type ip size 1k expire 30s store bytes_in_rate(1s),bytes_out_rate(1s)
    tcp-request content track-sc2 src
    tcp-request inspect-delay 200ms
    tcp-request content accept if ! too_many_req
    tcp-request content accept if WAIT_END
    rspadd Strict-Transport-Security:\ max-age=16000000;\ includeSubDomains
    acl is_auth http_auth(ul_hyknpj6tb-uakf5isp)
    http-request auth realm iiboc if !is_auth
    server node_hyknpj6tb-uakf5isp_1000 192.31.11.70:7843 check ssl verify required crt fred/fred-internal.pem ca-file bob/bob-internal.cert.pem
.....
Best Answer
You can allow the OPTIONS request without authorization by handling those requests in a different backend that does not require authentication:
Where be_options is a backend similar to b_term_hyknpj6tb-uakf5isp but without http-request auth realm iiboc if !is_auth
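
The routing described in this answer, written out as an added example that is not part of the original answer. The frontend name fe_main, its bind line and the certificate path are assumptions; the backend names, userlist and server line are the ones from the question. Option B goes beyond the answer and shows the same exemption inside a single backend.

```haproxy
# Option A: send preflights to a backend that has no auth rule.
# fe_main and the bind/crt values are placeholders (assumptions).
frontend fe_main
    mode http
    bind :443 ssl crt /path/to/site.pem
    # CORS preflights are OPTIONS requests sent without an Authorization header
    acl is_options method OPTIONS
    use_backend be_options if is_options
    # Every other method still goes to the backend that enforces Basic auth
    default_backend b_term_hyknpj6tb-uakf5isp

# Copy of b_term_hyknpj6tb-uakf5isp minus the two auth lines.
# Also copy its stick-table and tcp-request rules here, so OPTIONS
# does not become a path that skips the existing rate limiting.
backend be_options
    mode http
    balance roundrobin
    option forwardfor
    rspadd Strict-Transport-Security:\ max-age=16000000;\ includeSubDomains
    server node_hyknpj6tb-uakf5isp_1000 192.31.11.70:7843 check ssl verify required crt fred/fred-internal.pem ca-file bob/bob-internal.cert.pem

# Option B (instead of A): keep one backend and exempt only OPTIONS.
# The auth challenge is issued when the request is neither
# authenticated nor an OPTIONS request.
backend b_term_hyknpj6tb-uakf5isp
    mode http
    # ... other directives unchanged from the question ...
    acl is_auth    http_auth(ul_hyknpj6tb-uakf5isp)
    acl is_options method OPTIONS
    http-request auth realm iiboc if !is_auth !is_options
    server node_hyknpj6tb-uakf5isp_1000 192.31.11.70:7843 check ssl verify required crt fred/fred-internal.pem ca-file bob/bob-internal.cert.pem
```

With either option the application receives OPTIONS requests from unauthenticated clients, so its OPTIONS handler should return only CORS headers and have no side effects.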