Haproxy as a login portal / SSL-Login


#1

Hi,

I’d like to use haproxy as a login portal, has anyone done a configuration like
that?

I’ve got some users connecting from dynamic IPs to access a 3rd party content
management system which I don’t want to expose globally and would like to
authenticate them not by IP, but by session/actual user before they actually can
try to login to the real system.

My idea is that haproxy is forwarding all unauthenticated requests to a portal
server, and after successfully logging in, that system sets a specific cookie
which I can match in haproxy and forward authenticated users to the real
server. It’s not possible to access stick-tables from an external source, e.g.
via admin socket for this, correct? Maybe I could code the login portal in Lua
and write to a data structure?

This is just a quick idea, I didn’t look deeply into this yet, and was wondering
if anyone had done it before or has some ideas.

Best regards,

craig


#2

Hi craig -

You can definitely access stick-table values from the stats socket. Docs are here: http://www.haproxy.org/download/1.6/doc/management.txt


set table <table> key <key> [data.<data_type> <value>]*
  Create or update a stick-table entry in the table. If the key is not present,
  an entry is inserted. See stick-table in section 4.2 to find all possible
  values for <data_type>. The most likely use consists in dynamically entering
  entries for source IP addresses, with a flag in gpc0 to dynamically block an
  IP address or affect its quality of service. It is possible to pass multiple
  data_types in a single call.

You could definitely have a portal set a cookie, then have HAProxy direct to another server based on that cookie. Maybe something like:

acl cookie_set hdr_sub(cookie) SEEN=1
use_backend approved if cookie_set
default_backend not_approved

Hope that helps!

  • Andrew
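Putting the two pieces of the reply together (a `set table` from the stats socket plus cookie-based backend selection), here is an added example configuration that is not from the thread or from HAProxy's own docs. Instead of matching a fixed cookie value, which any client could set itself, the portal issues a random per-session token, registers it in a string-keyed stick-table over the admin socket, and HAProxy only routes to the CMS when the presented token is found with gpc0 set. The cookie name `PORTAL_SESSION`, the table/frontend name `portal_gate`, the socket path, certificate path and backend addresses are all assumptions.

```haproxy
global
    # Admin-level socket; only the portal application should be able to write to it.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend portal_gate
    bind :443 ssl crt /etc/haproxy/site.pem   # placeholder certificate path

    # Approved session tokens, keyed by the cookie value the portal issued.
    # gpc0 > 0 marks a token as approved; an entry is dropped 30 minutes
    # after it was last written, so the portal must re-register to extend it.
    stick-table type string len 64 size 100k expire 30m store gpc0

    acl has_token  req.cook(PORTAL_SESSION) -m found
    acl token_ok   req.cook(PORTAL_SESSION),table_gpc0(portal_gate) gt 0

    # Only a known, approved token reaches the CMS; everything else lands on the portal.
    use_backend cms_approved if has_token token_ok
    default_backend login_portal

backend cms_approved
    server cms 10.0.0.10:8080 check          # assumed internal CMS address

backend login_portal
    server portal 127.0.0.1:8000 check       # assumed portal application address

# After a successful login the portal generates a random token (e.g. 32 bytes
# from a CSPRNG, hex-encoded), sets it as
#   Set-Cookie: PORTAL_SESSION=<token>; Secure; HttpOnly; SameSite=Strict
# and registers it in the table through the socket (assumed invocation):
#   echo "set table portal_gate key <token> data.gpc0 1" | socat stdio unix-connect:/var/run/haproxy.sock
# On logout the portal can revoke it with:
#   echo "clear table portal_gate key <token>" | socat stdio unix-connect:/var/run/haproxy.sock
```

Because the table is checked on every request, a forged or expired cookie simply falls through to `default_backend`, and `show table portal_gate` on the same socket lists which tokens are currently approved.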