HAProxy community

Basic auth vs kerberos

Hello,

looking for a solution in my case, thanks for help.

I have a haproxy in front of some Windows Server Backends. The WinServer Backends peform a Kerberos Authentication through haproxy and provide application. This is working already.

My problem is to control access to the proxy. I cant used a IP based control, because some of my testusers have daily switching IPs.
So i tried a basic auth in haproxy. I created a userlist and appropriate acl in frontend:
acl authorized http_auth(basic-auth-list)
http-request auth realm protected if !authorized
This works too, but breaks Kerberos Auth, because Authorization Header in Request is changing and Win-Backends deny access.
Iam looking for a way to combine these auths, so basic auth in the frontends and reuse original Authorisation header to the backends.

Thanks,
Hajo

I don’t think what you are looking for is easily achievable…

So if the application re-uses the Authorization header, and given that there can’t be more than one such header per request, HTTP basic authentication is out of the question. That leaves you with a couple of choices that could be easily implemented (from easiest to most complex):

  • use TLS client certificates for your clients, and authenticate in HAProxy against the client certificate fingerprint; (this is a sort of “poor-man-VPN” but it works, and I’ve used it successfully in the past; it is well supported in the major browsers;)
  • use a special URL that is not forwarded to the actual backends, but to one that always returns 200; do HTTP basic authentication on that one, and then add the source IP to a dynamic ACL whitelist; (this basically whitelists that IP;) the main issue is that now the users have to first access this URL before doing anything else;
  • like in the example above, use a custom backend that sets a cookie (or you could set that from HAProxy perhaps), which acts like a cryptographic token that you can verify from HAProxy via the sha1 converter; (for example you could generate a random token, append it with a secret, hash it, and return both the token and hash in the cookie; then you can use to verify that by recomputing the same steps and comparing;) (this is a “poor-man-authentication” that can be achieved in HAProxy alone;)
  • use a custom Lua service that perhaps could use the same Kerberos authentication header to validate the user;

Or you could use a VPN and be done with all these…