HAProxy community

Stats Page Asking for Password Each time it refreshes

Every time my stats page refreshes, my browser signs me out. I’m not really sure why that is happening. I remember very clearly that it didn’t use to happen like that earlier. Below is a snippet from my configuration with some sensitive information chalked out:

Would appreciate your help in this regard.

Much thanks,

Sounds like a browser issue. Is just one specific browser installation affected? If yes, try disabling addons or start with a fresh profile.

Yes indeed. According to my testing, it is happening with Chromium-based browsers such as Google Chrome and the latest Microsoft Edge as well. The behavior is the same whether I do it in a regular window with addons/extensions or in incognito without any. And it works perfectly fine in, let’s say, Mozilla Firefox.

Would you happen to have any suggestions on this?

Please advise,
Thanks,

Capture the traffic and look at it in wireshark.

I am not much aware of what to make of the packets that I’ve captured now. Would you be able to help? My URL resolves (A record) to an ip.addr == 139.162.49.55 (Wireshark filter), which is attached below:

Would you please be able to help?

Regards,

Only encrypted port 443 traffic is in there. But we need to take a look at the unencrypted stats page traffic on port 8404, correct?

Oh. I was able to do that via tcpdump. I could not make much of it, though.

The request, in the same connection, stops sending authentication data (the first request has it, the second request 12 seconds later in the same connection does not). The problem is with the request arriving at haproxy; there is nothing that can be done with haproxy if the authentication data is not there.

You have an additional proxy between the browser and haproxy. Try connecting without the proxy, maybe it’s the proxy stripping data.

Also your admin credentials are now exposed in cleartext on the Internet, I suggest you change them immediately.

Another Proxy? I am not aware of one.

Thanks for the suggestion, I had done this 🙂

Yes, because there is an X-Forwarded-For header in the request arriving at haproxy. I don’t think your browser inserts that, right?
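The check described in the replies above (does each request on one connection still carry `Authorization`, and does it carry `X-Forwarded-For`) can be run over a reassembled capture without printing the credentials. This is an added example, not part of the original thread; the sample stream, host name, address and token are constructed, and the function names are hypothetical.

```python
# Constructed sample: two body-less GET requests reassembled from one TCP
# connection to the stats listener. Host, address and token are placeholders.
SAMPLE_STREAM = (
    b"GET /monitor HTTP/1.1\r\n"
    b"Host: stats.example.test\r\n"
    b"Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n"
    b"X-Forwarded-For: 203.0.113.10\r\n"
    b"\r\n"
    b"GET /monitor HTTP/1.1\r\n"
    b"Host: stats.example.test\r\n"
    b"X-Forwarded-For: 203.0.113.10\r\n"
    b"\r\n"
)

def summarize_requests(stream: bytes) -> list:
    """Split a client-to-server stream into requests (assumes no request
    bodies) and report header presence without echoing the credentials."""
    out = []
    for block in stream.split(b"\r\n\r\n"):
        if not block.strip():
            continue
        lines = block.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        auth = headers.get("authorization")
        out.append({
            "request": lines[0],
            # Keep only the scheme ("Basic"), never the encoded credentials.
            "auth_scheme": auth.split(" ", 1)[0] if auth else None,
            "via_proxy": "x-forwarded-for" in headers,
        })
    return out

def auth_dropped_at(summary: list) -> list:
    """Indexes of requests lacking Authorization after an earlier one had it."""
    seen, dropped = False, []
    for i, req in enumerate(summary):
        if req["auth_scheme"]:
            seen = True
        elif seen:
            dropped.append(i)
    return dropped

if __name__ == "__main__":
    summary = summarize_requests(SAMPLE_STREAM)
    print(summary, "auth dropped at:", auth_dropped_at(summary))
```

Because the summary keeps only the authentication scheme, its output can be pasted into a public thread without exposing the password.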

Ohh. Could that be because of the:

option forwardfor except 127.0.0.0/8

in my defaults section?

Basically what I’ve done is that I’ve set up a frontend on the default HTTPS port along with an ACL to do a path match to “/monitor” and sending that request to a backend server at 127.0.0.1:8404 (which is where the stats server is listening).

Could this be a cause for anything?

Show the ENTIRE configuration please, in text-form, not as a screenshot.