HaProxy Regeln - Authentifizierung je nach Backendpool unterschiedlich einrichten

Started by pakka, September 14, 2024, 12:02:46 PM

Hallo,
ich hadere mit den Einstellungen im HaProxy, dort versuche ich verschiedenen Backendpools in den Regeln unterschiedliche Authentifizierungen mitzugeben.
Z.B. soll ein Backendpool nur mit User-Auth erreichbar sein, ein anderer nicht.

Sobald ich die Userauthentifizierung als Regel einem Pool hinzufüge, kommt nur ein 503-Fehler.
Wenn ich die User-Auth schon im "öffentliche Dienste" anhake, klappt es.
Auch die Reihenfolge der Bedingungen im if-Statement scheint keinen Einfluss zu haben.

Hat jemand damit Erfahrungen?
Besten Dank und Gruß
-Pakka

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # Process drops to the unprivileged uid/gid 80 and is confined to /var/haproxy.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # Runtime API socket at level "admin": any process that can write to it
    # (group "proxy", mode 775) can change the running configuration, so the
    # group membership on this host is the effective access control for it.
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    httpclient.resolvers.prefer   ipv4
    # 2048-bit DH parameters for the DHE-* suites listed on the bind line.
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    # NOTE(review): -1 presumably means "redispatch to another server only on the
    # last retry" — confirm against the HAProxy version in use.
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs
# Userlist backing the http_auth() ACL of the same name in frontend service_https.
userlist acl_6640a3e1899386.61784721
    # Origin: Benutzeridentifizierung
    # NOTE: UserlistAddUsers called with empty user data
    # NOTE(review): "insecure-password" keeps the password in clear text in this
    # generated file; HAProxy also accepts "password <crypt(3) hash>" for users.
    # Since the file is regenerated (see header), the change belongs in the UI.
    user Bob insecure-password 123
    user Charly insecure-password 123


# userlists generated from groups
# Group-derived userlist; not referenced by any ACL or rule in this listing.
userlist Users
    # Same clear-text credentials as the ACL userlist above (see note there).
    user Bob insecure-password 123
    user Charly insecure-password 123
    # NOTE: UserlistAddUsers called with empty group data


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: service_https (Server auf Port 443, der alle externen Anfragen entgegennimmt)
frontend service_https
    # HSTS is added to every response that passes through this frontend.
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains"
    # TLS 1.2+ only; no ALPN is advertised ("no-alpn"), so presumably HTTP/1.1 only.
    # NOTE(review): this bind line has no "verify"/"ca-file" option, so no client
    # certificate is requested here — the UserCertificate ACL below can therefore
    # never match in this frontend as listed.
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 no-alpn crt-list /tmp/haproxy/ssl/65803493585199.04920512.certlist
    mode http
    option http-keep-alive

    # logging options
    # ACL: Benutzeridentifizierung
    # http_auth() only checks supplied credentials against the userlist and yields
    # true/false; nothing in this frontend issues a 401 challenge (there is no
    # "http-request auth" rule), so a client without credentials is never prompted.
    acl acl_6640a3e1899386.61784721 http_auth(acl_6640a3e1899386.61784721)
    # ACL: Host_nextcloud
    acl acl_65ba4fd0051130.80702381 hdr(host) -i nextcloud.mydomain.de
    # ACL: Host_homematic
    acl acl_65bb4e01ce9c78.05950354 hdr(host) -i homematic.mydomain.de
    # ACL: UserCertificate
    # Defined but not used by any rule below.
    acl acl_658f30533aa281.37619945 ssl_c_i_dn(CN) internal-ca

    # ACTION: Nextcloud host rule
    # Both ACLs must hold (implicit AND). Without valid credentials this rule does
    # not match, no other use_backend matches the nextcloud host and this frontend
    # has no default_backend — consistent with the 503 described in the post.
    # NOTE(review): to get a credential prompt instead, a rule of the form
    # "http-request auth if <host acl> !<auth acl>" placed before the use_backend
    # rules is what sends the 401; in this setup that is configured in the UI.
    use_backend pool_nextcloud if acl_6640a3e1899386.61784721 acl_65ba4fd0051130.80702381
    # ACTION: homematic host rule
    # No authentication condition on this pool: any client that reaches port 443
    # with this Host header is forwarded.
    use_backend pool_homematic if acl_65bb4e01ce9c78.05950354

# Backend: pool_homematic ()
backend pool_homematic
    # health checking is DISABLED
    mode http
    # Source-IP based balancing and stickiness; with the single server listed
    # here it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS terminates at the frontend; this hop to the backend is plain HTTP.
    server server_homematic 192.168.0.19:80

# Backend: pool_nextcloud ()
backend pool_nextcloud
    # health checking is DISABLED
    mode http
    # Source-IP based balancing and stickiness; with the single server listed
    # here it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS terminates at the frontend; this hop to the backend is plain HTTP.
    server server_nextcloud 192.168.0.9:80


# statistics are DISABLED