DEV Community

Cover image for HAProxy Basic Login Authentication
馃殌  Vu Dao 馃殌
馃殌 Vu Dao 馃殌

Posted on

HAProxy Basic Login Authentication

- In haproxy config, there is no limit to the number of http-request statements per instance so we can add the rules to request basic login to the site but whitelist specials IPs


馃殌 Setup HAProxy config which contains basic login to access the dashboard and allow access for special resource IP

  • Generate haproxy encrypted password
printf "thepassword" | mkpasswd --stdin --method=sha-256
Enter fullscreen mode Exit fullscreen mode
  • Modify haproxy.cfg which allow access for requests from source 18.69.61.21 but requires login for others
userlist AuthUsers
        user haproxyreport password $5$3VeorK1XxvgRseQ$VBkOPCY2enWZsas.C6X9Iif0FPHDknXXXXXXXXX

frontend fe-verify
        bind *:443 ssl crt /etc/certs

        acl haproxy_report hdr(host) haproxy-report.cloudopz.co

        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        use_backend haproxy-report-backend if haproxy_report

# haproxy-report-backend
backend haproxy-report-backend
        acl authorized http_auth(AuthUsers)
        acl nagios src 18.69.61.21
        http-request allow if nagios
        http-request auth realm haproxyreport if !authorized
        server haproxy-report 127.0.0.1:1800
Enter fullscreen mode Exit fullscreen mode

More about haproxy

Reference

馃尃 Blog Github Web Linkedin Group Page Twitter 馃尃

Discussion (1)

Collapse
gruentee profile image
Constantin

I don't get why everyone seems to suggest echoing your password and piping it to mkpassword. To my mind this only makes sense in a programmatic use-case where one wants to avoid the script from showing a prompt.
But when generating your password manually using mkpasswd interactively has one security advantage: you don't leave your clear-text password in your history!

So instead of echo "the password" | mkpasswd --stdin one would better just use mkpassword 鈥 IMHO.