HAProxy HTTP Authentication – Require Only for External Connections

Tags: authentication, haproxy, http-authentication, local-area-network

I have HAProxy configured to require HTTP authentication for a single frontend. It looks like this:

userlist Users
    group G1
    user XXX password YYY


frontend public
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/ssl/snakeoil.pem

    # Authentication
    acl ValidUser http_auth(Users)
    http-request auth realm mysite if !ValidUser

    option forwardfor except 127.0.0.1
    use_backend othersite if { path_beg /othersite/ }
    default_backend thesite

backend thesite
    acl needs_scheme req.hdr_cnt(X-Scheme) eq 0

    reqrep ^([^\ :]*)\ /(.*) \1\ /\2
    reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
    reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }
    option forwardfor
    server thesite1 127.0.0.1:5000
    errorfile 503 /etc/haproxy/errors/503-no-thesite.http

backend othersite
    reqrep ^([^\ :]*)\ /othersite/(.*)     \1\ /\2
    server othersite1  127.0.0.1:8080
    errorfile 503 /etc/haproxy/errors/503-no-othersite.http

Now I want to request HTTP authentication only for connections from outside my LAN.

I tried to replace the line

http-request auth realm mysite if !ValidUser

with

http-request auth realm mysite unless ValidUser || { hdr_beg(host) -i 192.168.0. }

but that didn't work.

How can this task be accomplished?

[edit]
Thanks to this question (HAProxy basic auth except from specific IP)
I got my configuration working for one specific IP:

# Authentication
acl ValidOctoPrintUser http_auth(Users)
# Exclude one IP from Authentication
acl InternalIP src 192.168.0.XXX
http-request auth realm octoprint if !InternalIP !ValidOctoPrintUser

However, I don't know yet how to exclude all IPs starting with 192.168.0. from the authentication.

Best Answer

hdr_beg(host) -i 192.168.0. is matching the Host header, not the client's IP.

You want to use src, like:

acl allowed_ip src 192.168.0.0/24

src matches by the network's CIDR, so you can match whole networks if needed.

Also note that you can OR rules by just defining rules with the same name, so say

acl allowed_ip src 192.168.1.0/24
acl allowed_ip src 192.168.5.0/24

will match IPs from both the 192.168.1.0/24 and 192.168.5.0/24 networks.

The only time you want to do that on a header is when you have another proxy in front and want to match the IP in X-Forwarded-For.
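As an added example (not part of the question or the answer above), here is the questioner's frontend rewritten along the answer's lines, together with the second case the answer mentions, where HAProxy sits behind another proxy and the real client address only exists in X-Forwarded-For. The userlist and backends are reduced to the minimum needed for a loadable config; the ACL names InternalNet and FromFrontProxy, the extra 10.0.0.0/8 range, port 8443 and the front-proxy address 203.0.113.10 are assumptions for illustration.

```haproxy
# Added example, not the asker's or the answerer's configuration.
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

userlist Users
    group G1
    # "password" expects a crypt(3)-style hash (e.g. from mkpasswd -m sha-512);
    # "insecure-password" is the keyword for a clear-text password.
    user XXX password YYY

# Case 1: clients connect to HAProxy directly, so the TCP peer address is the
# client address and cannot be influenced by any request header.
frontend public
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/ssl/snakeoil.pem

    acl ValidUser http_auth(Users)

    # Same-named ACLs are ORed: a source in either range counts as internal.
    # 10.0.0.0/8 is an assumed second LAN range, added to show the OR.
    acl InternalNet src 192.168.0.0/24
    acl InternalNet src 10.0.0.0/8

    # Space-separated conditions are ANDed: challenge only when the client is
    # neither on the LAN nor already carrying valid credentials.
    http-request auth realm mysite if !InternalNet !ValidUser

    option forwardfor except 127.0.0.1
    use_backend othersite if { path_beg /othersite/ }
    default_backend thesite

# Case 2: another proxy (assumed 203.0.113.10) sits in front of HAProxy.
# Here "src" would always be the proxy, so the LAN check has to use the address
# the proxy appended to X-Forwarded-For. That header is only trustworthy when
# the direct peer really is our proxy; anyone reaching this frontend directly
# could put 192.168.0.1 into it themselves.
frontend public_behind_proxy
    bind :::8443 v4v6 ssl crt /etc/ssl/snakeoil.pem

    acl ValidUser http_auth(Users)
    acl FromFrontProxy src 203.0.113.10
    acl HasXff req.hdr(X-Forwarded-For) -m found
    acl InternalNet src 192.168.0.0/24

    # Replace the session source with the last X-Forwarded-For entry (the one
    # our own proxy added) only for connections that actually come from it.
    # After this, "src" in later ACLs and in the logs is the real client.
    http-request set-src req.hdr_ip(X-Forwarded-For,-1) if FromFrontProxy HasXff

    http-request auth realm mysite if !InternalNet !ValidUser
    default_backend thesite

backend thesite
    option forwardfor
    server thesite1 127.0.0.1:5000

backend othersite
    server othersite1 127.0.0.1:8080
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The reqrep/reqadd rewriting from the question's backends is left out here; those keywords were removed in HAProxy 2.1, and on current versions the same effect is obtained with `http-request replace-path` and `http-request set-header`.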