HAProxy community

Protect internal PHP by proxy

[Automatically translated]
Hello.

I am participating in a new project and I chose HAProxy as a solution, but I am new to the subject and I need your help.
I need to allow external access to an internal application, and for that I am using HAProxy in a DMZ controlling access via firewall. In addition I needed to create an authentication in the application (PHP) and this is where the problems started.
I am trying to block the user’s access directly on HAProxy if he has not yet authenticated himself on the system. I thought about using a custom header but I can’t access that header in haproxy.

Is this the ideal way for what I need to do?
My code looks like this:

[PHP]
...
if (!empty($_SESSION['uTokenAuth'])) {
	header("uTokenAuth:".$_SESSION['uTokenAuth']);
}
...

[HAPROXY]
...
frontend http_in
	bind *:80
	#bind *:443 ssl crt /etc/ssl/certs/mysite.pem
	http-request capture req.hdr(uTokenAuth) len 16
	log-format %ci\:%cp\ frontend=%ft\ backend_ip=%bi\ backend_pool=%b\ server_name=%s\ AuthHeader=%[capture.req.hdr(0)]\ %hr\ %hrl\ %hs\ %hsl\ http_log="[%tr] %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
	#http-request redirect scheme https unless { ssl_fc }
	default_backend WEB
	
backend WEB
	option forwardfor
	option http-server-close
	balance roundrobin
	server WEBSERVER ip:80 no-ssl check port 80
	acl withtoken req.hdr(uTokenAuth) -m found
	acl loginpage path_beg /login
	http-request set-header X-Client-ip %[src]
	http-request set-header X-Forwarded-Proto http
	http-request set-header X-Frame-Options DENY
	http-request redirect location /login if !withtoken !loginpage

Thanks

Don’t do that.

Decide whether you want to authenticate the user in the backend (PHP) or with haproxy. Do not mix those two, you are overcomplicating your setup for no reason.

Also you clearly misunderstood how PHP sessions work, there will be no uTokenAuth HTTP header coming from the browser. Please research PHP sessions.

I’m sorry. I reread the text and realized that it was necessary to pass one important information: the internal application is old and not all pages have “includes()” properly configured, so we will need to identify and adapt each page.
I’m trying to understand a way to authenticate directly in haproxy so that I don’t have to make the changes above, so I tried to use an information pass through the header as a device.

But on second thought, you’re right. What I’m trying to do doesn’t make a lot of sense.
I remember reading something about using LUA but I didn’t understand it very well. I will resume reading.

Thank you.