HAProxy (v2.1) authorization header direct to different backend

Hi Guys,

I am trying to convert the following Nginx code into HAProxy but seem to be having trouble figuring it out and wonder if someone could point me in the right direction.

The code below is taken from Nginx; all it does is look for the Authorization header and, if the regex matches, direct you to the matched backend.

server {
    listen       80;
    location / {
        proxy_set_header Host $http_host;
        if ($http_authorization ~* "^AWS4-HMAC-SHA256 Credential=ROML2P775VPAT7RLPOWU") {
            # proxy the request to Minio-1
            proxy_pass http://localhost:9001;
        }
        if ($http_authorization ~* "^AWS4-HMAC-SHA256 Credential=ENT3GYJCKCD1Q79XLP4C") {
            # proxy the request to Minio-2
            proxy_pass http://localhost:9002;
        }
        if ($http_authorization ~* "^AWS4-HMAC-SHA256 Credential=C988WQ23D98207ELOLPW") {
            # proxy the request to Minio-3
            proxy_pass http://localhost:9003;
        }
    }
}

This code was originally taken from https://github.com/krishnasrinivas/wikinotes/wiki/Minio-Multi-tenancy as I am trying to do multi tenancy with MinIO but using HAProxy to do the proxying.

If anyone has an idea or where to start, I would love to hear from you.

Kind Regards,

Majestic

This is just about matching an HTTP header, which can be easily done in HAProxy:

use_backend localhost9001 if { hdr(Authorization) "AWS4-HMAC-SHA256 Credential=ROML2P775VPAT7RLPOWU" }
use_backend localhost9002 if { hdr(Authorization) "AWS4-HMAC-SHA256 Credential=ENT3GYJCKCD1Q79XLP4C" }
use_backend localhost9003 if { hdr(Authorization) "AWS4-HMAC-SHA256 Credential=C988WQ23D98207ELOLPW" }

Of course, you need to create those backends (localhost900[1-3]).

Thanks very much @lukastribus. You are a superstar!


Fixed.

The complete solution in case anyone wants to do the same is:

  # matches if the host is s3.example.com & matches header
  acl req_minio-core-app_docker_host hdr(host) -i s3.example.com
  use_backend minio-core-app_docker if { hdr_sub(Authorization) "AWS4-HMAC-SHA256 Credential=4e2c3017-*******" }
  use_backend minio-bob-app_docker if { hdr_sub(Authorization) "AWS4-HMAC-SHA256 Credential=4ea559bc-********" }
  use_backend minio-fred-app_docker if { hdr_sub(Authorization) "AWS4-HMAC-SHA256 Credential=f9c54547-********" }
  use_backend minio-core-app_docker if req_minio-core-app_docker_host

backend minio-core-app_docker
  option forwardfor header X-Real-IP                          # Sets X-Real-IP header (required)
  http-request set-header X-Forwarded-For %[src]              # Sets X-Forwarded-For header (required)

  http-response set-header X-Frame-Options SAMEORIGIN         # X-Frame-Options
  http-response set-header X-XSS-Protection "1; mode=block"   # X-XSS-Protection (for Chrome, Safari, IE)

  cookie SERVERID insert nocache
  server docker03 minio-core-app:9000 weight 1 maxconn 10000 check

backend minio-bob-app_docker
  option forwardfor header X-Real-IP                          # Sets X-Real-IP header (required)
  http-request set-header X-Forwarded-For %[src]              # Sets X-Forwarded-For header (required)

  http-response set-header X-Frame-Options SAMEORIGIN         # X-Frame-Options
  http-response set-header X-XSS-Protection "1; mode=block"   # X-XSS-Protection (for Chrome, Safari, IE)

  cookie SERVERID insert nocache
  server docker03 minio-bob-app:9000 weight 1 maxconn 10000 check

backend minio-fred-app_docker
  option forwardfor header X-Real-IP                          # Sets X-Real-IP header (required)
  http-request set-header X-Forwarded-For %[src]              # Sets X-Forwarded-For header (required)

  http-response set-header X-Frame-Options SAMEORIGIN         # X-Frame-Options
  http-response set-header X-XSS-Protection "1; mode=block"   # X-XSS-Protection (for Chrome, Safari, IE)

  cookie SERVERID insert nocache
  server docker03 minio-fred-app:9000 weight 1 maxconn 10000 check

Just replace the **** with the whole ACCESS-KEY for that MinIO instance.

Thanks again @lukastribus for your help.

Kind Regards,

Majestic

Correct, hdr_sub (substring match) or hdr_beg (substring only at the beginning) would work.

Hi guys,

Thanks for the instructions.
I was able to make it work with an S3 client, but it won't work with the Web UI. Any suggestion on how to fix the problem?

Thanks

I was able to create a static ACL with:

acl url_paramf hdr_sub(Authorization) JMYQ6

I would like to create a mapping for the same, but I don't know why it's not working for me. Here is my mapping ACL:

use_backend %[hdr(Authorization),map_sub(/etc/haproxy/PUT_Header.map)]

map file

# AccessKeyID		backend storage location/name
JMYQ6                            put_sg2
P2BHP                            put_sg2
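
Added example (not part of any post in this thread, and not HAProxy code): a small Python model of the prefix matching (hdr_beg) and substring matching (hdr_sub, map_sub) discussed above, run against constructed SigV4 headers, next to an exact lookup on the extracted access key. The tenant keys `tenantA`/`tenantA2`, the backends `backend_a`/`backend_a2` and every header value are constructed; only the fragments `JMYQ6`/`P2BHP` and `put_sg2` come from the map file above.

```python
import re

# SigV4 header layout: "AWS4-HMAC-SHA256 Credential=<access-key>/<date>/<region>/<service>/aws4_request, SignedHeaders=..., Signature=..."
CRED_RE = re.compile(r"^AWS4-HMAC-SHA256 Credential=([^/,\s]+)/")

def access_key(auth):
    """Return the access key ID from a SigV4 Authorization header, or None."""
    m = CRED_RE.match(auth or "")
    return m.group(1) if m else None

def route_exact(auth, table):
    """Route on the full access key only (what an exact-match lookup does)."""
    return table.get(access_key(auth))

def route_beg(auth, rules):
    """Model of ordered prefix rules: the first pattern that prefixes the header wins."""
    return next((b for p, b in rules if (auth or "").startswith(p)), None)

def route_sub(auth, fragments):
    """Model of a substring lookup: an entry matches if its key occurs anywhere in the header."""
    return next((b for k, b in fragments.items() if k in (auth or "")), None)

def sigv4(key):
    """Build a constructed header; date, region and signature are dummy values."""
    return (f"AWS4-HMAC-SHA256 Credential={key}/20200101/us-east-1/s3/aws4_request, "
            "SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=" + "0" * 64)

# Constructed tenants: "tenantA" is a prefix of "tenantA2" (hypothetical names).
EXACT = {"tenantA": "backend_a", "tenantA2": "backend_a2"}
BEG_RULES = [("AWS4-HMAC-SHA256 Credential=tenantA", "backend_a"),
             ("AWS4-HMAC-SHA256 Credential=tenantA2", "backend_a2")]
# Same rules, with the "/" that terminates the key in the header included.
BEG_RULES_ANCHORED = [(p + "/", b) for p, b in BEG_RULES]
# Short fragments as in the map file above (keys and backend name from the post).
FRAGMENTS = {"JMYQ6": "put_sg2", "P2BHP": "put_sg2"}

if __name__ == "__main__":
    # Columns: key, prefix rules, prefix rules with "/", substring map, exact lookup
    for key in ("tenantA", "tenantA2", "XXJMYQ6XX"):
        h = sigv4(key)
        print(key, route_beg(h, BEG_RULES), route_beg(h, BEG_RULES_ANCHORED),
              route_sub(h, FRAGMENTS), route_exact(h, EXACT))
```

In this model `tenantA2` lands on `backend_a` unless the pattern ends with the `/` that closes the key, and a key that merely contains `JMYQ6` is routed to `put_sg2`; a request with no SigV4 Authorization header matches nothing in any of the variants.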