Protecting site, basic auth + session cookie

I’m looking for a simple way to protect a few services from public access.
Some of them already have their own authentication mechanisms, but we still want to reject early at the proxy, without even exposing their login pages.

The first idea was to use basic auth, but it caused lots of issues due to basic auth interfering with the service’s own authentication:

  • the service itself sometimes responds with HTTP 401, which instructs web browsers to drop the basic auth data
  • the service’s authorization page also uses the auth request header, replacing the basic auth needed by the proxy

The idea is to use a session cookie, as it seems to overcome both problems:

  • the user hits the proxy and receives a basic auth challenge in response
  • the request with basic auth data is processed, and the proxy adds “set-cookie” to the response
  • the following requests are authenticated with the session identified by the cookie

For now I have just implemented a basic scenario, without actual session binding (just the cookie presence is checked), something like:

frontend default
    acl auth_ok http_auth(AuthUsers)
    acl has_cookie hdr_sub(cookie) X-ProxyCookie
    # challenge only when the request has neither the cookie nor valid credentials
    http-request auth if !has_cookie !auth_ok
    http-request set-var(txn.hascookie) str(true) if has_cookie
    use_backend my_backend

backend my_backend
    acl cookie_found var(txn.hascookie) -i -m beg true
    http-response set-header Set-Cookie X-ProxyCookie=session-valid;path=/ if !cookie_found
    http-request del-header authorization
    server my_server ssl verify none

Can the scenario described above be implemented with stick tables?
Or, if the whole idea is wrong, is there another way to protect a whole website at the proxy?
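
The flow from the post with the session actually bound to a stick table, as an added example that is not part of the original post: the cookie carries a random id that must exist in the table, so sending any cookie named X-ProxyCookie is no longer enough. The names st_sessions, txn.sid and txn.newsid, the realm, the 8h expiry and the server address are assumptions.

```haproxy
# Added example: session table, keyed by the issued session id.
backend st_sessions
    stick-table type string len 64 size 100k expire 8h

frontend default
    # bind line omitted; TLS on the frontend is assumed (the cookie is marked Secure)
    acl auth_ok http_auth(AuthUsers)          # userlist AuthUsers as in the post

    # Look up the presented cookie value in the table; a made-up value is not found.
    http-request set-var(txn.sid) req.cook(X-ProxyCookie)
    acl has_session var(txn.sid),in_table(st_sessions)

    # Challenge only when there is neither a known session nor valid credentials.
    http-request auth realm Restricted unless has_session || auth_ok

    # Valid credentials without a session: mint an id and create its table entry.
    # uuid needs HAProxy 2.1+; check that its randomness source suits your threat model.
    http-request set-var(txn.newsid) uuid if !has_session auth_ok
    http-request track-sc0 var(txn.newsid) table st_sessions if { var(txn.newsid) -m found }

    # Known session: tracking refreshes the entry, so "expire" acts as an idle timeout.
    http-request track-sc0 var(txn.sid) table st_sessions if has_session

    # Strip Authorization only when it holds the proxy's own credentials, so the
    # service's own Authorization header still passes through.
    http-request del-header Authorization if auth_ok

    # add-header (not set-header) keeps any Set-Cookie the service sends itself.
    http-response add-header Set-Cookie "X-ProxyCookie=%[var(txn.newsid)]; Path=/; Secure; HttpOnly; SameSite=Lax" if { var(txn.newsid) -m found }

    default_backend my_backend

backend my_backend
    # 192.0.2.10:443 is a placeholder address; "verify none" is kept from the post
    # and disables certificate checks towards the service.
    server my_server 192.0.2.10:443 ssl verify none
```

The table is local to one HAProxy instance; with several instances it would need a `peers` section so that a session issued by one is known to the others.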