Here is my context:
- I have a web application (using HTTPS) which needs users to be authenticated prior to contacting it
- The application expects an HTTP header to be set (let's name it `HEADER`)
- There are ~20 different Active Directory server instances
- Users need to be authenticated on one of these AD servers
- The AD server that needs to be used depends on the IP the user is using
Is it possible to do the following with HAProxy, and if yes, how can I do it?
- when a user tries to contact a given URL, if the header named `HEADER` is missing, force basic auth to request the user's `username` and `password`.
- when receiving `username` and `password` from the user, check the `source ip` and depending on its value (mask / pattern / whatever) contact the corresponding Active Directory to authenticate the user
- once the user is correctly authenticated by the selected AD server, write the `HEADER`
Thanks in advance for your help!
P.S. I posted the same question on Stackoverflow but I guess that serverfault may be a better place to ask this kind of question.
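The HAProxy side of the flow asked about above, as an added example that is not from the question or the answer: the missing-header check, the dispatch on client source address, and the header injection after a successful authentication. HAProxy has no built-in Active Directory/LDAP authentication, so the static userlists here stand in for the per-site AD lookup, which needs an external authenticator; the frontend/backend names, CIDR ranges, user entries and certificate path are assumptions.

```haproxy
# Added illustration (not the question's or answer's configuration).
# Assumed: two client networks instead of ~20, static userlists in place
# of the AD servers, an application listening on 127.0.0.1:8080.
frontend app_https
    bind :443 ssl crt /etc/haproxy/certs/app.pem
    mode http

    # Never trust a HEADER value supplied by the client: only this proxy
    # may set it, otherwise anyone could skip authentication by adding it.
    http-request del-header HEADER

    # Choose the credential source from the client's source address.
    acl from_site_a src 10.1.0.0/16
    acl from_site_b src 10.2.0.0/16

    # Clients from an unknown network get no authentication prompt at all.
    http-request deny deny_status 403 if !from_site_a !from_site_b

    # Missing or wrong Basic credentials -> 401 with a realm, per site.
    http-request auth realm "Site A" if from_site_a !{ http_auth(site_a_users) }
    http-request auth realm "Site B" if from_site_b !{ http_auth(site_b_users) }

    # Authenticated: hand the verified account name to the application.
    # http_auth_user needs a recent HAProxy (2.4 or later, assumed here).
    http-request set-header HEADER %[http_auth_user]

    default_backend web_app

backend web_app
    mode http
    server app1 127.0.0.1:8080

# Placeholders for the per-site directory: in practice this lookup has to
# be delegated to a component that can talk to the selected AD server.
userlist site_a_users
    user alice insecure-password change-me-site-a

userlist site_b_users
    user bob insecure-password change-me-site-b
```

Because the application trusts `HEADER` unconditionally, it must only be reachable through this proxy; a client that can reach port 8080 directly can set the header itself.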
Best Answer
I know this is a bit of an old topic, but I figured I'd give it my 2 pence...
You may want to consider using a higher-level tool such as Keycloak + a higher level HTTP gateway (e.g. Apache Knox) to redirect the users, and perhaps use HAProxy to point the users to the closest Knox Gateway available. You could almost have a 1-to-1 relationship between Knox, Keycloak, and AD instances if the distance will really make a difference, and then use HAProxy to choose which gateway to connect depending on the user's IP.
The following project enables users to connect Keycloak and Knox together: https://github.com/UKHomeOffice/pontus-keycloak-knox