Protect internal PHP by proxy

rafaelweb · January 23, 2020, 4:12pm

[Automatically translated]
Hello.

I am participating in a new project and I chose HAProxy as a solution, but I am new to the subject and I need your help.
I need to allow external access to an internal application, and for that I am using HAProxy in a DMZ controlling access via firewall. In addition I needed to create an authentication in the application (PHP) and this is where the problems started.
I am trying to block the user’s access directly on HAProxy if he has not yet authenticated himself on the system. I thought about using a custom header but I can’t access that header in haproxy.

Is this the ideal way for what I need to do?
My code looks like this:

[PHP]
...
if (!empty($_SESSION['uTokenAuth'])) {
	header("uTokenAuth:".$_SESSION['uTokenAuth']);
}
...

[HAPROXY]
...
frontend http_in
	bind *:80
	#bind *:443 ssl crt /etc/ssl/certs/mysite.pem
	http-request capture req.hdr(uTokenAuth) len 16
	log-format %ci\:%cp\ frontend=%ft\ backend_ip=%bi\ backend_pool=%b\ server_name=%s\ AuthHeader=%[capture.req.hdr(0)]\ %hr\ %hrl\ %hs\ %hsl\ http_log="[%tr] %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
	#http-request redirect scheme https unless { ssl_fc }
	default_backend WEB
	
backend WEB
	option forwardfor
	option http-server-close
	balance roundrobin
	server WEBSERVER ip:80 no-ssl check port 80
	acl withtoken req.hdr(uTokenAuth) -m found
	acl loginpage path_beg /login
	http-request set-header X-Client-ip %[src]
	http-request set-header X-Forwarded-Proto http
	http-request set-header X-Frame-Options DENY
	http-request redirect location /login if !withtoken !loginpage

Thanks

lukastribus · January 23, 2020, 4:39pm

Don’t do that.

Decide whether you want to authenticate the user in the backend (PHP) or with haproxy. Do not mix those two, you are overcomplicating your setup for no reason.

Also you clearly misunderstood how PHP sessions work, there will be no uTokenAuth HTTP header coming from the browser. Please research PHP sessions.

rafaelweb · January 23, 2020, 5:28pm

I’m sorry. I reread the text and realized that it was necessary to pass one important information: the internal application is old and not all pages have “includes()” properly configured, so we will need to identify and adapt each page.
I’m trying to understand a way to authenticate directly in haproxy so that I don’t have to make the changes above, so I tried to use an information pass through the header as a device.

But on second thought, you’re right. What I’m trying to do doesn’t make a lot of sense.
I remember reading something about using LUA but I didn’t understand it very well. I will resume reading.

Thank you.

Topic		Replies	Views
Help needed: I am trying to use HAProxy to deny access from internet to a specific URL Help!	0	434	October 9, 2023
How to restrict access for a back-end just to the internal network Help!	1	983	November 14, 2018
Configuring haproxy to access a protected url Help!	4	369	September 11, 2023
Getting BADREQ 408 only externally Help!	1	870	March 26, 2019
How to set/provide X-Forwarded-* headers Help!	1	11969	October 1, 2021

Protect internal PHP by proxy

Related Topics