HaProxy Settings for different Auth's for different Backendpools in opnsense

Hey there
I am struggling with the settings in HaProxyplugin in opnsense, where I am trying to assign different authentications to different backend pools in the rules. For example, one backend pool should only be accessible with user authentication, while another should not.

As soon as I add user authentication as a rule to a pool, I only get a 503 error. If I enable user authentication in the “public services” section, it works. The order of conditions in the if-statement also seems to have no effect.

Has anyone had experience with this? Thanks and best regards.
-pakka

Config:

Automatically generated configuration.

Do not edit this file manually.

global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 1
hard-stop-after 60s
no strict-limits
httpclient.resolvers.prefer ipv4
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc

autogenerated entries for ACLs

userlist acl_6640a3e1899386.61784721
# Origin: Benutzeridentifizierung
# NOTE: UserlistAddUsers called with empty user data
user Bob insecure-password 123
user Charly insecure-password 123

userlists generated from groups

userlist Users
user Bob insecure-password 123
user Charly insecure-password 123
# NOTE: UserlistAddUsers called with empty group data

autogenerated entries for config in backends/frontends

autogenerated entries for stats

Frontend: service_https (Server auf Port 443 der alle externen Anfragen entgegenimmt)

frontend service_https
http-response set-header Strict-Transport-Security “max-age=15768000; includeSubDomains”
bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 no-alpn crt-list /tmp/haproxy/ssl/65803493585199.04920512.certlist
mode http
option http-keep-alive

# logging options
# ACL: Benutzeridentifizierung
acl acl_6640a3e1899386.61784721 http_auth(acl_6640a3e1899386.61784721)
# ACL: Host_nextcloud
acl acl_65ba4fd0051130.80702381 hdr(host) -i nextcloud.mydomain.de
# ACL: Host_homematic
acl acl_65bb4e01ce9c78.05950354 hdr(host) -i homematic.mydomain.de
# ACL: UserCertificate
acl acl_658f30533aa281.37619945 ssl_c_i_dn(CN) internal-ca

# ACTION: Nextcloud host rule
use_backend pool_nextcloud if acl_6640a3e1899386.61784721 acl_65ba4fd0051130.80702381
# ACTION: homematic host rule
use_backend pool_homematic if acl_65bb4e01ce9c78.05950354

Backend: pool_homematic ()

backend pool_homematic
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server server_homematic 192.168.0.19:80

Backend: pool_nextcloud ()

backend pool_nextcloud
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server server_nextcloud 192.168.0.9:80

statistics are DISABLED