How to do basic auth with HAProxy while doing other ACL

haproxyhttp-basic-authentication

I am running HAProxy in front of apache servers and I want to implement basic authentication for some domains.

The manual states that this should do the trick:

userlist admins
user myusername insecure-password mypassword

frontend restricted_cluster
   acl auth_tintoretto http_auth(admins)
   http-request auth realm ShareaholicRestricted

However, I have some other ACL and under one frontend there are several domains:

 frontend http-in

    # Define hosts
    acl stag_static hdr(host) -i staging.static.domain.com
    acl prod_static hdr(host) -i prod2.static.domain.com

    ## figure out which one to use
    use_backend apache-node1 if stag_static
    use_backend nginx-cluster if prod_static

How do I combine those commands in order to only restrict access to stag_static?

Best Answer

I haven't tested, but try putting the http-request auth realm blah line in your backend configuration. It should work.

Related Solutions

Nginx – Enable basic auth sitewide and disabling it for subpages

How about two files?

includes/proxy.conf would be:

proxy_pass http://appserver-1;
proxy_redirect              off;
proxy_set_header            Host $host;
proxy_set_header            X-Real-IP $remote_addr;
proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

And your current conf file:

upstream appserver-1 {
    server unix:/var/www/example.com/app/tmp/gunicorn.sock fail_timeout=0;
}
server {
    listen  80;
    server_name  example.com;

    location / {
        auth_basic                  "Restricted";
        auth_basic_user_file        /path/to/htpasswd;
        include includes/proxy.conf;
    }

    location /api/ {
        auth_basic          off;
        include includes/proxy.conf;
    }
}

HAProxy – Configure Multihost with SSL ACL

I don't think haproxy will allow you to specify a per-backend SSL certificate for each incoming request, rather you'd have to have a combined certificate that allows for multiple domain names (SNI).

Here's a guide on using SNI with haproxy, where all the certificates are actually hosted by the haproxy server, not the backend instances: https://trick77.com/haproxy-and-sni-based-ssl-offloading-with-intermediate-ca/

Also see the example at the end of this section: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-use-server

Best Answer

Related Solutions

Nginx – Enable basic auth sitewide and disabling it for subpages

HAProxy – Configure Multihost with SSL ACL

Related Topic