ACL based on Basic Auth User

Hi, I have what would appear to be a bit of an unusual requirement from HAProxy, just wondering if anyone has any ideas if / how it can be implemented.

In short, I’m migrating from one platform to another, both are authenticated by basic authentication. With the number of users I’m looking at, I won’t be able to do the migration in one hit so would like to be able to control which backend the users get to based on their basic authentication username but without HAProxy actually providing the authentication.

HAProxy can see the credentials, which I can prove by logging the Authorization header.

I was hoping I could control it with a list file of migrated users, e.g.:
use_backend migrated_backend_application if <basicauth user> -f /var/tmp/migrated_users.lst

Any pointers would be greatly appreciated!

James

Yes, you actually can with a little bit of HAProxy magic.

What is required is that both backends return a 401 Unauthorized and that both require Basic authentication. I know that is the case for you, I’m just reiterating it for others that may copy/paste this solution.

Also, you need at least HAProxy 1.8.

Now to get to the username, HAProxy has to look at the Authorization header, remove the Basic part, base64 decode the value, and then trim the :<password> from the result, and you can do that with:

req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)

So it would look like this:

acl acl_migrated_users req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) -f /var/tmp/migrated_users.lst
use_backend migrated_backend_application if acl_migrated_users
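
An added example, not part of the original answer: a Python approximation of the converter chain above, useful for checking which usernames a given list will route before deploying it. The `legacy_backend_application` name, the sample headers and the list contents are constructed, and treating a failed base64 decode as "no match" is an assumption about how the ACL behaves. It also shows two edge cases: an empty password leaves the trailing colon in place (`:.+` needs at least one character after it), and the list comparison is case-sensitive.

```python
import base64
import binascii
import re

MIGRATED_BACKEND = "migrated_backend_application"  # name used in the post
LEGACY_BACKEND = "legacy_backend_application"      # hypothetical fallthrough backend

def extract_user(authorization):
    # regsub(^Basic\s+,,i): drop the scheme, case-insensitive, first match only
    token = re.sub(r"^Basic\s+", "", authorization, count=1, flags=re.IGNORECASE)
    try:
        # b64dec
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None  # assumption: a failed decode yields no sample, so no match
    # regsub(:.+,): drop the first ':' and everything after it
    return re.sub(r":.+", "", decoded, count=1)

def load_patterns(text):
    # One username per line; blank lines and '#' comment lines are skipped.
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def route(authorization, migrated):
    # Exact, case-sensitive string comparison against the list entries.
    user = extract_user(authorization)
    return MIGRATED_BACKEND if user in migrated else LEGACY_BACKEND

def basic(userpass, scheme="Basic "):
    # Build a constructed Authorization header value for the samples below.
    return scheme + base64.b64encode(userpass.encode()).decode()

# Constructed stand-in for the contents of /var/tmp/migrated_users.lst
MIGRATED = load_patterns("# migrated so far\nalice\nbob\ncarol\n")

if __name__ == "__main__":
    samples = [
        basic("alice:s3cret"),             # listed user
        basic("bob:pa:ss", "basic   "),    # lower-case scheme, colons in password
        basic("carol:"),                   # empty password: colon is not trimmed
        basic("Alice:s3cret"),             # different case: not in the list
        basic("dave:pw"),                  # not migrated yet
        "Bearer abc.def",                  # not Basic: decode fails
    ]
    for header in samples:
        print(f"{header!r:45} user={extract_user(header)!r:10} -> {route(header, MIGRATED)}")
```

The username is read from the header before either backend has verified the password, so the list only decides where a request is sent; the backends' own 401 handling still does the authentication.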

Thank you! I thought it would be possible with regex, but couldn’t quite figure it out.

Will give this a try.

Thanks again

Works a treat - thanks again