HAProxy basic auth except from specific IP

haproxyhttp-basic-authentication

I have set up basic authentication for my backend, like this:

backend webservers
    acl is_auth_ok http_auth(SiteUsers)
    http-request auth realm MySite if !is_auth_ok

This works but now I want to exclude a certain IP from being challenged with the authentication.

I've tried a few things but I haven't managed to get it working. To give you an idea of what I'm trying to do, here's something that I've tried (this provokes a haproxy parsing error):

backend webservers
    acl is_internal src <<my-ip-to-exclude>>
    acl is_auth_ok http_auth(SiteUsers)
    acl is_allowed if is_internal or is_auth_ok
    http-request auth realm MySite if !is_allowed

Basically I'm looking to do in HAProxy the equivalent of this in Apache:

<Directory /var/www>
  AuthUserFile /home/www/site1-passwd
  AuthType Basic
  AuthName MySite
  Require valid-user
  Order allow,deny
  Allow from 172.17.10     <--- This allows this IP to 
  Satisfy any              <--- get in without a password
</Directory>

What should my HAProxy config look like?

Best Answer

backend webservers
    acl is_internal src <<my-ip-to-exclude>>
    acl is_auth_ok http_auth(SiteUsers)
    http-request auth realm MySite if !is_internal !is_auth_ok

This is the final working solution, thanks @GregL for pointing me in the right direction.

Related Solutions

Problems with haproxy reqrep

First, your rule should also keep the HTTP version part.

Second, why don't you use the "force-persist" statement for this ? It's designed exactly for this role. Just find something in your request that makes it different from your visitors', set a cookie to access it, then you can use this server. This me chanism was made precisely for maintenance operations without having to make the server appear as up for other users.

Alternatively in your case you could also use the "redirect" method, as it supports the "set-cookie" option; In your frontend, you would then replace the use_backend rule with something like this :

redirect location / code 302 set-cookie SERVERID=live03 if acl_patch

Your browser would then learn this cookie and redirect to the /, where server 3 will handle the request. There's even a clear-cookie option that can be used to get rid of the stickiness if you want.

HTTP Basic Authentication – Can You Pass User/Pass in URL Parameters?

It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:password@example.com/ -- this sends the credentials in the standard HTTP "Authorization" header.

It's possible that whoever you were speaking to was thinking of a custom module or code that looked at the query parameters and verified the credentials. This isn't standard HTTP auth, though, it's an application-specific thing.

Best Answer

Related Solutions

Problems with haproxy reqrep

HTTP Basic Authentication – Can You Pass User/Pass in URL Parameters?

Related Topic