HTTPS ReverseProxy + Basic authentication

Hello there.
I’ve been using HAProxy as a reverse proxy with HTTPS for a few months now.
Here is my conf:


global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
option forwardfor except 127.0.0.0/8
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

############################################
frontend port80-redirect
mode http
bind 192.168.10.5:80
redirect scheme https
############################################
frontend port443-relay
bind 192.168.10.5:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend backendgogs if { req_ssl_sni -i mydomain1 }
use_backend backendmulticraft if { req_ssl_sni -i mydomain2 }
use_backend backendwigo if { req_ssl_sni -i mydomain3 }
default_backend backendgogs
############################################
backend backendgogs
mode tcp
server vm-git ip1:443 maxconn 32

backend backendmulticraft
mode tcp
server vm-multicraft ip2:443 maxconn 32

backend backendwigo
mode tcp
server vm-wigo ip3:443 maxconn 32


Here is my question:
One of my web interfaces (mydomain3, the last backend) does not have an authentication system.
As far as I know it is possible to have basic authentication with HAProxy, but I’m not sure how it works.
I tried to add a userlist:

userlist Admins
group AdminGroup users admin
user admin password 1d4cdafaac5871387085b898f4ff81be

And then added this to the backend:

acl AuthOkay_UsersAuth http_auth(Admins)
http-request auth realm Admins if !AuthOkay_Admins

But HAProxy fails to start, so I guess something is wrong.

If someone could enlighten me, I would be grateful.

When haproxy fails to start it returns an error message with the exact reason why it cannot start. I strongly suggest you read those.

It will probably tell you that the ACL AuthOkay_Admins doesn’t exist:

acl AuthOkay_UsersAuth http_auth(Admins)
http-request auth realm Admins if !AuthOkay_Admins

The ACL you define is called AuthOkay_UsersAuth, not AuthOkay_Admins.

Also, quick tip: instead of using if with negation (if !), just use unless:

acl AuthOkay_UsersAuth http_auth(Admins)
http-request auth realm Admins unless AuthOkay_UsersAuth

Eh! I have to say that I went lazy on that one.

Indeed, after editing it to

acl AuthOkay_UsersAuth http_auth(Admins)
http-request auth realm Admins unless AuthOkay_UsersAuth

HAProxy restarts fine.

But I still don’t have any basic authentication showing up; am I missing something?

I can see what’s wrong. You’re just using haproxy as a TCP proxy, and passing encrypted TLS traffic transparently to the backend.

So there is no way for haproxy to even see the http transactions, let alone protect the backend with HTTP Authentication.

You either terminate SSL and HTTP on haproxy, or you have to configure this on your backend.
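To illustrate the first option from the reply above (terminating TLS on HAProxy so it can see the HTTP layer and challenge for credentials), here is an added example configuration; it is not from the thread or the HAProxy project. It assumes a certificate+key PEM for each name in /etc/haproxy/certs/ (HAProxy selects one by SNI), an internal CA file at /etc/haproxy/certs/internal-ca.crt for re-encrypting to the backends, and a crypt(3)-style password hash, all of which are placeholders.

```haproxy
# Added example: HTTP-mode front end with TLS termination, so http_auth() can work.
# Replaces the mode-tcp frontend/backends from the original config for mydomain3.

userlist Admins
    # `password` expects a crypt(3) hash (e.g. output of `mkpasswd -m sha-512`),
    # not a raw MD5 hex digest; the value below is a placeholder.
    user admin password $6$REPLACE_SALT$REPLACE_WITH_HASH

frontend port443-https
    bind 192.168.10.5:443 ssl crt /etc/haproxy/certs/
    mode http
    # With TLS terminated here we route on the decrypted Host header, not on SNI.
    http-request set-header X-Forwarded-Proto https
    use_backend backendgogs       if { req.hdr(host) -i mydomain1 }
    use_backend backendmulticraft if { req.hdr(host) -i mydomain2 }
    use_backend backendwigo       if { req.hdr(host) -i mydomain3 }
    default_backend backendgogs

backend backendgogs
    mode http
    server vm-git ip1:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.crt maxconn 32

backend backendmulticraft
    mode http
    server vm-multicraft ip2:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.crt maxconn 32

backend backendwigo
    mode http
    # Only this backend is protected: return a 401 challenge for realm "Admins"
    # unless the request already carries credentials that match the userlist.
    acl AuthOkay_UsersAuth http_auth(Admins)
    http-request auth realm Admins unless AuthOkay_UsersAuth
    server vm-wigo ip3:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.crt maxconn 32
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; because the backends stay HTTPS, the internal CA file must actually sign their certificates or the health of every backend connection will fail closed.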

Yes, that’s what I thought.

I won’t set up SSL on the haproxy machine.
When you say configure it on your backend, are you talking about something like installing haproxy on the backend?

No, I mean the actual application, like Apache or nginx.

Of course you can insert another layer of haproxy as well, but you still have to terminate SSL on that haproxy instance then.

Ok, I got it. Thanks for your explanations.