HAProxy - basic authentication for backend server

Question

I use the following configuration to access internet from local 127.0.0.1:2000 proxy to the internet.:

global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 4096
    #chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout  5000
    clitimeout  50000
    srvtimeout  50000

listen appname 0.0.0.0:2000
    mode http
    stats enable
    acl white_list src 127.0.0.1 
    tcp-request content accept if white_list
    tcp-request content reject
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth special_admin:special_username
    balance roundrobin
    option httpclose
    option forwardfor
    server lamp1 23.123.1.110:3128 check

Unfortunately I need to authenticate to my external proxy 23.123.1.110 via http basic authentication "special_admin:special_username". My question is, is there any way to use basic authentication like :

server lamp1 http://special_admin:[email protected]:3128 check

Thanks

Answer 1

In your example you only need to add the necessary Authorization header with the authorization method and the username:password encoded as base64 like this:

reqadd Authorization:\ Basic\ c3BlY2lhbF9hZG1pbjpzcGVjaWFsX3VzZXJuYW1l

I created the base64 encoded string like this:

echo -n "special_admin:special_username" | base64

For more details about HTTP Basic authorization see https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side

Answer 2

Below listed steps have worked for me.

# haproxy conf
global
  log 127.0.0.1   local1
  maxconn 4096

defaults
  mode http
  maxconn 2048

userlist AuthUsers
        user admin password $6$SydPP/et7BGN$C5VIhcn6OxuIaLPhCDCmzJyqDYQF8skik3J6sApkXPa6YPSVGutcgQPpdX/VEycGNi3sw7NxLSflEb53gzJtA1

frontend nginx-frontend
  bind *:5000
  mode http
  timeout connect 5s
  timeout client 5s
  timeout server 5s
  default_backend nginx-backend

  
  # For Path based basic authentication  use this commented example
  #acl PATH_cart  path_beg -i /testing 
  #acl authusers_acl http_auth(AuthUsers)
  #http-request auth realm nginx-backend  if PATH_cart  !authusers_acl

  acl authusers_acl http_auth(AuthUsers)      
  http-request auth realm nginx-backend if !authusers_acl

backend nginx-backend
  server nginx nginx:80  check inter 5s rise 2 fall 3

Install below package to generate hash password

sudo apt-get install whois

mkpasswd -m sha-512 'your_password'

mkpasswd -m sha-512 admin@456

expected output

$6$gnGNapo/XeXYg39A$T/7TDfMrZXUDPbv5UPYemrdxdh5xEwqBrzSbpJYs9rfxLbQtgQzxyzkSGWIVOEGze8KrsA0urh3/dG.1xOx3M0

Copy the generated password and paste in haproxy.cfg file

#Deploy the containers to test configuration

sudo docker run -d --name nginx nginx
sudo docker run -d -p 5000:5000 --name haproxy --link nginx:nginx -v /home/users/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg haproxy

Check in the browser, username and password will be prompted.