HAProxy – Is there a way to add authentication to stats socket

haproxy

We would like to use the following line in HAProxy to allow us to enable and disable servers remotely:

global stats socket ipv4@192.168.112.2:1000 level admin

Is there a way to add basic authentication to this? Or some way to add a username and password for who can access this port?

Best Answer

It is not possible to add authentication to the HAProxy socket. So as mentioned in this thread, securing the socket can be done by:
1/ Exposing the socket to a trusted network only(firewalling, ..)
2/ Making the socket listen on a loopback interface and using a ssh tunnel to access it.
3/ Use a HAProxy frontend to access the socket, and then you can secure it with SSL.

Related Solutions

Ssl – HaProxy giving – 503 Service Unavailable

Of course try the connection to backends yourself:

openssl s_client -connect 192.168.192.173:8443

This way you'll remove most of possible causes.

What if s_client works, but haproxy doesn't? On SELinux enforcing (for example CentOS 7 with default settings) exactly this happens and you need to explicitly allow haproxy to connect to any backend port:

setsebool -P haproxy_connect_any 1

Haproxy reload from stats socket

In a word, no.

You can't reload the whole process from the socket, and all details about using the admin sockets are listed under section 9.2 Unix Socket commands of the management docs.

Best Answer

Related Solutions

Ssl – HaProxy giving – 503 Service Unavailable

Haproxy reload from stats socket

Related Topic