I’m looking for a simple way to protect a few services from public access.
Some of them already have their own authentication mechanisms, but we still want to reject early at the proxy, without even exposing their login pages.
The first idea was to use basic auth, but it caused lots of issues due to basic auth interfering with the service’s own authentication:
- the service itself sometimes responds with HTTP 401, which instructs web browsers to drop basic auth data
- service’s authorization page also uses auth request header, replacing basic auth needed by proxy
The idea is to use a session cookie, as it seems to overcome both problems:
- user hits the proxy, receives a basic auth challenge in response
- request with basic auth data is processed, proxy adds “set-cookie” to the response
- following requests are authenticated with session identified by cookie
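For now I just implemented a basic scenario, without actual session binding (just the cookie presence is checked), something like:

```haproxy
frontend default
    acl auth_ok http_auth(AuthUsers)
    acl has_cookie hdr_sub(cookie) X-ProxyCookie
    # Challenge only when there is neither a cookie nor valid Basic credentials;
    # without the auth_ok test every cookie-less request gets a 401 again.
    http-request auth if !has_cookie !auth_ok
    http-request set-var(txn.hascookie) str(true) if has_cookie
    use_backend my_backend

backend my_backend
    acl cookie_found var(txn.hascookie) -i -m beg true
    # add-header keeps any Set-Cookie the service itself sends
    http-response add-header Set-Cookie X-ProxyCookie=session-valid;path=/ if !cookie_found
    # Strip only the proxy's Basic credentials; once the cookie is present
    # the Authorization header belongs to the service and must pass through
    http-request del-header authorization if !cookie_found
    server my_server 192.168.93.62:445 ssl verify none
```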
Can the scenario described above be implemented with stick tables?
Or, if the whole idea is wrong, is there another way to protect the whole website at the proxy?
m.
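
One way to bind the cookie to a real session with a stick table, as asked at the end of the post. This is an added example, not the poster's configuration: it assumes HAProxy 2.1 or later for the `uuid` fetch and a TLS frontend for the `Secure` cookie attribute, and `proxy_sessions` and `txn.sid` are hypothetical names.

```haproxy
# Added example; proxy_sessions and txn.sid are hypothetical names.
backend proxy_sessions
    # One entry per issued session id, dropped 30 minutes after it was last tracked.
    stick-table type string len 64 size 100k expire 30m store gpc0

frontend default
    # bind line and the AuthUsers userlist are omitted here, as in the post
    acl auth_ok     http_auth(AuthUsers)
    # True only when the cookie value is an id this proxy issued earlier,
    # so a made-up X-ProxyCookie value no longer passes.
    acl has_session req.cook(X-ProxyCookie),in_table(proxy_sessions) -m bool

    # Challenge unless a known session or valid proxy credentials are present.
    http-request auth realm Restricted unless has_session or auth_ok

    # First authenticated request: mint a random id and record it in the table.
    http-request set-var(txn.sid) uuid if !has_session
    http-request track-sc0 var(txn.sid) table proxy_sessions if !has_session
    # The proxy's Basic credentials stop here; Authorization headers sent
    # together with the cookie belong to the service and pass through.
    http-request del-header Authorization if !has_session

    # Refresh live sessions. Track only ids already in the table: tracking an
    # arbitrary cookie value would create the entry and admit it next time.
    http-request track-sc0 req.cook(X-ProxyCookie) table proxy_sessions if has_session

    # add-header leaves the service's own Set-Cookie headers in place.
    http-response add-header Set-Cookie "X-ProxyCookie=%[var(txn.sid)]; Path=/; HttpOnly; Secure" if { var(txn.sid) -m found }

    use_backend my_backend
```

The table lives in the proxy's memory, so sessions are lost on restart unless the table is synchronised through a `peers` section.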