HAProxy settings for different auths for different backend pools

Started by pakka, September 17, 2024, 07:33:42 PM

Hey there
I am struggling with the settings in HAProxy, where I am trying to assign different authentications to different backend pools in the rules. For example, one backend pool should only be accessible with user authentication, while another should not.

As soon as I add user authentication as a rule to a pool, I only get a 503 error. If I enable user authentication in the "public services" section, it works. The order of conditions in the if-statement also seems to have no effect.

Has anyone had experience with this? Thanks and best regards.
-pakka

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs
userlist acl_6640a3e1899386.61784721
    # Origin: Benutzeridentifizierung
    # NOTE: UserlistAddUsers called with empty user data
    user Bob insecure-password 123
    user Charly insecure-password 123


# userlists generated from groups
userlist Users
    user Bob insecure-password 123
    user Charly insecure-password 123
    # NOTE: UserlistAddUsers called with empty group data


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: service_https (server on port 443 that accepts all external requests)
frontend service_https
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains"
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 no-alpn crt-list /tmp/haproxy/ssl/65803493585199.04920512.certlist
    mode http
    option http-keep-alive

    # logging options
    # ACL: Benutzeridentifizierung
    acl acl_6640a3e1899386.61784721 http_auth(acl_6640a3e1899386.61784721)
    # ACL: Host_nextcloud
    acl acl_65ba4fd0051130.80702381 hdr(host) -i nextcloud.mydomain.de
    # ACL: Host_homematic
    acl acl_65bb4e01ce9c78.05950354 hdr(host) -i homematic.mydomain.de
    # ACL: UserCertificate
    acl acl_658f30533aa281.37619945 ssl_c_i_dn(CN) internal-ca

    # ACTION: Nextcloud host rule
    use_backend pool_nextcloud if acl_6640a3e1899386.61784721 acl_65ba4fd0051130.80702381
    # ACTION: homematic host rule
    use_backend pool_homematic if acl_65bb4e01ce9c78.05950354

# Backend: pool_homematic ()
backend pool_homematic
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server_homematic 192.168.0.19:80

# Backend: pool_nextcloud ()
backend pool_nextcloud
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server_nextcloud 192.168.0.9:80


# statistics are DISABLED
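The 503 follows directly from the generated frontend above: http_auth(userlist) is only true once the client has already sent a valid Authorization header. A browser's first request carries no credentials, so the ACL is false, the use_backend line for pool_nextcloud does not match, and because the frontend has no default_backend HAProxy answers with its "no backend matched" 503. Nothing ever tells the client to authenticate. The raw HAProxy equivalent of what the rules need to express is an http-request auth challenge issued before routing. The snippet below is an added example (my own, not the post's configuration and not output of the OPNsense plugin); the ACL aliases is_nextcloud, is_homematic and user_ok and the realm name "Nextcloud" are my assumptions, while the userlist name, host names and backend names are taken from the post.

```haproxy
# Added example: frontend with a per-host Basic auth challenge.
# Not the OPNsense-generated file; the plugin regenerates that file, so the
# same logic has to be expressed through its rule settings rather than by
# hand-editing /usr/local/etc/haproxy.conf (placeholder path, assumption).
frontend service_https
    bind 0.0.0.0:443 ssl crt-list /tmp/haproxy/ssl/65803493585199.04920512.certlist
    mode http

    # Host matching, same hosts as in the post (aliases are mine)
    acl is_nextcloud hdr(host) -i nextcloud.mydomain.de
    acl is_homematic hdr(host) -i homematic.mydomain.de
    # True only when the request already carries valid credentials
    # from the userlist generated in the post
    acl user_ok http_auth(acl_6640a3e1899386.61784721)

    # 1. Challenge: a Nextcloud request without valid credentials gets
    #    401 + WWW-Authenticate instead of falling through to the 503.
    #    Realm name "Nextcloud" is an assumption.
    http-request auth realm "Nextcloud" if is_nextcloud !user_ok

    # 2. Refuse unknown hosts deliberately (403) rather than via the
    #    implicit "no backend" 503. http-request rules are evaluated
    #    before use_backend regardless of their position in the file,
    #    so this MUST stay conditional or it would deny every request.
    http-request deny deny_status 403 if !is_nextcloud !is_homematic

    # 3. Routing: Nextcloud requests reaching this point are authenticated,
    #    Homematic requests are routed without user authentication.
    use_backend pool_nextcloud if is_nextcloud
    use_backend pool_homematic if is_homematic
```

Two points worth checking once the challenge is in place. First, the backend assignment no longer needs the user-auth condition; the condition belongs on the challenge, and repeating it on use_backend only reintroduces the silent 503 for any request the challenge did not cover. Second, the generated userlist stores credentials with insecure-password, i.e. in clear text in the config file; HAProxy's password keyword accepts a crypt(3) hash (for example one produced with mkpasswd -m sha-256), which keeps the same http_auth ACL working without clear-text secrets on disk.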

Hi
Anyone with an idea how to solve the problem? Or what I can try?
Thanks a lot!

This particular problem is so specific you might have greater success if you ask in the HAProxy community platform, whatever they use. I guess there's a forum.

Sorry, I'm a regular here and have done a hell of a lot of support, but I have absolutely no idea. Keep in mind that OPNsense integrates dozens of independent open source products, most of which have their own communities and support platforms.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)