Messages

Hi
Anyone with an Idea how to solve the Problem? Or what I can try?
Thanks a Lot!

Hallo
Hat jemand eine Idee, was ich noch probieren könnte?

Hey there
I am struggling with the settings in HaProxy, where I am trying to assign different authentications to different backend pools in the rules. For example, one backend pool should only be accessible with user authentication, while another should not.

As soon as I add user authentication as a rule to a pool, I only get a 503 error. If I enable user authentication in the "public services" section, it works. The order of conditions in the if-statement also seems to have no effect.

Has anyone had experience with this? Thanks and best regards.
-pakka

Code Select Expand

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs
userlist acl_6640a3e1899386.61784721
    # Origin: Benutzeridentifizierung
    # NOTE: UserlistAddUsers called with empty user data
    user Bob insecure-password 123
    user Charly insecure-password 123


# userlists generated from groups
userlist Users
    user Bob insecure-password 123
    user Charly insecure-password 123
    # NOTE: UserlistAddUsers called with empty group data


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: service_https (Server auf Port 443 der alle externen Anfragen entgegenimmt)
frontend service_https
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains"
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 no-alpn crt-list /tmp/haproxy/ssl/65803493585199.04920512.certlist
    mode http
    option http-keep-alive

    # logging options
    # ACL: Benutzeridentifizierung
    acl acl_6640a3e1899386.61784721 http_auth(acl_6640a3e1899386.61784721)
    # ACL: Host_nextcloud
    acl acl_65ba4fd0051130.80702381 hdr(host) -i nextcloud.mydomain.de
    # ACL: Host_homematic
    acl acl_65bb4e01ce9c78.05950354 hdr(host) -i homematic.mydomain.de
    # ACL: UserCertificate
    acl acl_658f30533aa281.37619945 ssl_c_i_dn(CN) internal-ca

    # ACTION: Nextcloud host rule
    use_backend pool_nextcloud if acl_6640a3e1899386.61784721 acl_65ba4fd0051130.80702381
    # ACTION: homematic host rule
    use_backend pool_homematic if acl_65bb4e01ce9c78.05950354

# Backend: pool_homematic ()
backend pool_homematic
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server_homematic 192.168.0.19:80

# Backend: pool_nextcloud ()
backend pool_nextcloud
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server_nextcloud 192.168.0.9:80


# statistics are DISABLED

Hallo,
ich hadere mit der Einstellungen im HaProxy, dort versuche ich verschiedenen Backendpools in den Regeln unterschiedliche Authentifizierungen mitzugeben.
Z.B. Soll ein Backendpool mit User-Auth nur erreichbar sein, ein anderer nicht.

sobald ich die Userauthentifizierung als Regel einem Pool hinzufüge, kommt nur ein 503 Fehler.
Wenn ich die User-Auth schon im "öffentliche Dienste" anhake, klappt es.
Auch die Reihenfolge der Bedingungen im if-Statement scheint keinen Einfluss zu haben.

Hat jemand damit Erfahrungen?
Besten Dank und Gruß
-Pakka

Code Select Expand

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs
userlist acl_6640a3e1899386.61784721
    # Origin: Benutzeridentifizierung
    # NOTE: UserlistAddUsers called with empty user data
    user Bob insecure-password 123
    user Charly insecure-password 123


# userlists generated from groups
userlist Users
    user Bob insecure-password 123
    user Charly insecure-password 123
    # NOTE: UserlistAddUsers called with empty group data


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: service_https (Server auf Port 443 der alle externen Anfragen entgegenimmt)
frontend service_https
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains"
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 no-alpn crt-list /tmp/haproxy/ssl/65803493585199.04920512.certlist
    mode http
    option http-keep-alive

    # logging options
    # ACL: Benutzeridentifizierung
    acl acl_6640a3e1899386.61784721 http_auth(acl_6640a3e1899386.61784721)
    # ACL: Host_nextcloud
    acl acl_65ba4fd0051130.80702381 hdr(host) -i nextcloud.mydomain.de
    # ACL: Host_homematic
    acl acl_65bb4e01ce9c78.05950354 hdr(host) -i homematic.mydomain.de
    # ACL: UserCertificate
    acl acl_658f30533aa281.37619945 ssl_c_i_dn(CN) internal-ca

    # ACTION: Nextcloud host rule
    use_backend pool_nextcloud if acl_6640a3e1899386.61784721 acl_65ba4fd0051130.80702381
    # ACTION: homematic host rule
    use_backend pool_homematic if acl_65bb4e01ce9c78.05950354

# Backend: pool_homematic ()
backend pool_homematic
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server_homematic 192.168.0.19:80

# Backend: pool_nextcloud ()
backend pool_nextcloud
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server_nextcloud 192.168.0.9:80


# statistics are DISABLED