How to do basic auth with HAProxy while doing other ACL?

Question

I am running HAProxy in front of apache servers and I want to implement basic authentication for some domains.

The manual states that this should do the trick:

userlist admins
user myusername insecure-password mypassword

frontend restricted_cluster
   acl auth_tintoretto http_auth(admins)
   http-request auth realm ShareaholicRestricted

However, I have some other ACL and under one frontend there are several domains:

 frontend http-in

    # Define hosts
    acl stag_static hdr(host) -i staging.static.domain.com
    acl prod_static hdr(host) -i prod2.static.domain.com

    ## figure out which one to use
    use_backend apache-node1 if stag_static
    use_backend nginx-cluster if prod_static

How do I combine those commands in order to only restrict access to stag_static?

score 1 · Answer 1 · answered Sep 29 '15 at 21:15

1

I haven't tested, but try putting the http-request auth realm blah line in your backend configuration. It should work.

answered Sep 29 '15 at 21:15

Jim G.

2,657
1
19
19

score 0 · Answer 2 · answered Mar 02 '16 at 03:30

Predicate the http-request auth on the ACL matching the site that you want to auth:

frontend http-in
  acl stag_static hdr(host) -i staging.static.example.com
  acl prod_static hdr(host) -i prod2.static.examplecom

  http-request auth realm "The No Homers Club" if stag_static

  use_backend apache-node1 if stag_static
  use_backend nginx-cluster if prod_static

How to do basic auth with HAProxy while doing other ACL?

2 Answers2