Add basic auth to HAProxy

Started by mimugmail, December 09, 2017, 06:56:32 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 09, 2017, 06:56:32 AM
This show guide only works with HAProxy 2.0 or 2.1.

I have a Webapplication which have to be exposed to the outside and doesn't allow authentication.
So HAProxy with basic auth would be just fine to get a mininum of security.

- Go to "Rules & Conditions" - "Condictions" and Add a new one called "userauth".
- Set "Condition type" to "Custom" and option pass-through to "http_auth(admins)".
- Save and add a rule called "rule1". "Test type" UNLESS, and select your condition. Logical op is "none" and "Execute function" to "http-request auth", then save.
- Go to your frontend and add the ACL to it.
- Then to "Settings" and "Global Parameters", tick display advanced mode, and add to "Custom options"
userlist admins
user test1 insecure-password pw1
user test2 insecure-password pw2


February 06, 2018, 03:43:18 PM #1
Thank you, this works fine for me.
However, I placed the ACL in the appropriate backend pool instead. I use redirect to multiple backend pools but only one of them needs basic auth.
November 11, 2018, 06:34:44 PM #2
For future reference: os-haproxy 2.10 (available in the upcoming OPNsense 18.7.8 ) finally adds support for HTTP Basic Auth.
See https://github.com/opnsense/plugins/pull/970#issuecomment-437688137
December 27, 2018, 12:22:06 AM #3
Quote from: fraenki on November 11, 2018, 06:34:44 PM
For future reference: os-haproxy 2.10 (available in the upcoming OPNsense 18.7.8 ) finally adds support for HTTP Basic Auth.
See https://github.com/opnsense/plugins/pull/970#issuecomment-437688137

This is great, thank you, however after updating, the basic auth is not passing through to backend servers as before the update, pretty sure is related?

for example, before there was no basic auth option on backend or frontend and haproxy passed the header to backend, meaning the backend webserver would serve the basic auth normally, now is not doing it with same backend server, any way to tell haproxy not to use frontend basic auth and use backend webserver instead ?

Thank you
January 05, 2019, 12:20:27 PM #4
+1 for put the auth in the gui!

but i have the same problem as akron.
After i fill the auth forms correct i just get an
Code Select
{"message":"Basic auth failed"}

Did you find a solution akron?

Cheers Chris
January 06, 2019, 10:42:59 PM #5 Last Edit: January 06, 2019, 10:47:14 PM by akron
Quote from: SpawnY on January 05, 2019, 12:20:27 PM
+1 for put the auth in the gui!

but i have the same problem as akron.
After i fill the auth forms correct i just get an
Code Select
{"message":"Basic auth failed"}

Did you find a solution akron?

Cheers Chris

Hello, yes I've got a solution,

the way this works is you configure the basic auth on backend if you dont have basic auth at the webserver level.

if you want HAPROXY to pass the basic auth to the webserver, disable it on the backend object and your webserver will serve the basic auth.

didnt work for me first time because haproxy process for some reason was messed up, restarted and is working as expected.
Print
Go Up Pages1
User actions