HAProxy community

Can http_auth_group() be executed only when an acl is true


#1

Here is my relevant configuration to authenticate/authorize service requests -

global

userlist myusers
group u_svc1 users a,b
group u_svc2 users c
user a password hashedpwda
user b password hashedpwdb
user c password hashedpwdc

listen http-in
mode http
acl svc1flag hdr_sub(service) “svc1”
acl svc1auth http_auth_group(myusers) u_svc1 if svc1flag
use_backend …

acl svc2flag hdr_sub(service) “svc2”
acl svc2auth http_auth_group(myusers) u_svc2 if svc2flag
use_backend …

when i start, i get following errors -

invalid group if
invalid group svc1flag
invalid group if
invalid group svc2flag

If i remove (if svc1flag/if svc2flag/…) from http_auth_group lines like below, everything works fine -

acl svc1auth http_auth_group(myusers) u_svc1
acl svc2auth http_auth_group(myusers) u_svc2

But i want to keep (if svc1flag) this condition otherwise i will be running http_auth_group() acl for every service configuration until i find the matching service.

Any way to address it?

Thanks


#2

Any plans to support acl check with http_auth_group() method calls conditional?
Ideally if should be treated as keyword instead of treating it as just another user group.