HAProxy community

Haproxy stats page - user lockout


#1

Does anyone know if there is a way to have the users defined to access the stats page have a lockout period?
So if someone tries to access the site with the wrong password, it will lock out for a set period?


#2

Any idea or workaround to lock access after so many attempts for a set period?


#3

You can use ACLs for protecting the stats page like with any other page.

Therefore if you come up with an ACL (perhaps based on stick-tables) that rate-limits, or “locks out” a particular IP for a certain amount of time, then you can use that with your status page. (I’ve never done that, so I can’t provide the actual ACL.)

However I don’t think the status page is so critical, especially if you don’t enable stats admin, because the worst that can happen is for an attacker to get a layout of your infrastructure and get a “statistic” of its usage.

I usually put the stats page at a randomly generated path (like a UUID), and use authentication for it. Now only those that know your config file can also know where the stats page is.


#4

Does anyone know if it's possible to only allow users to have admin login from a certain network range?
We currently have the stats page set up with 2 accounts, an admin and a standard user; they only get non-read-only access if they use the admin user and password.


#5

You can use stats admin if <acl> where <acl> is the name of an ACL that checks if the source IP is from a certain range.
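
Added example, not part of the original thread and not taken from anyone's production config: one way to combine the stick-table lockout idea from post #3 with the `stats admin if <acl>` restriction from post #5. The userlist name, port, path, network range, passwords and thresholds are all assumptions to adapt.

```haproxy
# Added example; every name, port, range and threshold here is an assumption.
userlist stats_users
    group admins users admin
    # Placeholder credentials; prefer hashed "password" entries in practice.
    user admin  insecure-password CHANGE_ME_ADMIN
    user viewer insecure-password CHANGE_ME_VIEWER

listen stats
    bind :8404
    mode http

    # One entry per client IP; gpc0 counts failed logins. "expire 10m" drops
    # the entry 10 minutes after it was last refreshed or matched, which is
    # what ends the lockout.
    stick-table type ip size 100k expire 10m store gpc0
    http-request track-sc0 src

    acl auth_ok   http_auth(stats_users)
    acl has_creds req.hdr(Authorization) -m found
    # True once more than 5 failures are recorded for this source IP.
    acl locked    sc_get_gpc0(0) gt 5

    # Refuse locked-out clients before their credentials are evaluated.
    http-request deny deny_status 429 if locked
    # Count only requests that presented credentials and failed; the first
    # unauthenticated request of a browser session is not a failure.
    http-request sc-inc-gpc0(0) if has_creds !auth_ok
    http-request auth realm haproxy-stats unless auth_ok

    stats enable
    # Placeholder path; post #3 suggests a randomly generated one.
    stats uri /stats

    # Admin actions require both the admin group and a trusted source range;
    # everyone else who authenticates gets the read-only page.
    acl admin_net  src 10.0.0.0/8
    acl admin_user http_auth_group(stats_users) admins
    stats admin if admin_net admin_user
```

The lockout is keyed on source IP, so users behind a shared NAT address share one counter. Check the file with `haproxy -c -f <file>` before reloading.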


#6

You can use your firewall and only accept your IP range for the stats port if you are running stats on another port. It’s working well for me.