
Author Topic: haproxy and HTTP basic auth via gui  (Read 1457 times)


Offline paulsnoop

haproxy and HTTP basic auth via gui
« on: May 16, 2016, 11:15:51 am »
Can anyone tell me if it is possible to do this via the GUI? I'm using haproxy (non-dev) to wrap https traffic to a http server and need a password prompt (don't ask ;)). At the moment I'm doing it in a config file and restarting haproxy on the command line to prevent the GUI overwriting my manual changes. It is working perfectly, but it is not a very pretty solution.

Code:
userlist UsersFor_AcmeCorp
  user joebloggs insecure-password letmein

Code:
backend HttpServers
  # .. normal backend stuff goes here as usual ..
  acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
  http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp

I've basically just copied the config from this post
https://nbevans.wordpress.com/2011/03/03/cultural-learnings-of-ha-proxy-for-make-benefit/

Any advice, I'm sure I'm missing something obvious? Thanks.

Offline PiBa

Re: haproxy and HTTP basic auth via gui
« Reply #1 on: May 16, 2016, 05:04:26 pm »
Hi Paul,

It's currently not completely possible by clicking a few buttons/checkboxes in the gui.

You should however be able to put the user list in the advanced option on the settings tab.

As for the acl and http-request auth..
It is possible to define a 'custom acl' and use the action 'http-request auth' with that acl.
But you might want to just put it in the 'advanced' textbox on a backend edit page; it depends a bit on what you like better.
That should be effectively included into the generated configuration parts.

Regards,
PiBa-NL

Offline paulsnoop

Re: haproxy and HTTP basic auth via gui
« Reply #2 on: May 17, 2016, 03:46:49 am »
Many thanks for the guidance PiBa, I'll have a go at doing it this way and let you know how it ends up.

Offline paulsnoop

Re: haproxy and HTTP basic auth via gui
« Reply #3 on: May 17, 2016, 07:28:31 am »
That seems to have done the job nicely, thanks very much for the advice.

Offline vexter0944

Re: haproxy and HTTP basic auth via gui
« Reply #4 on: February 01, 2018, 09:44:40 am »
Am newer to pfsense and brand new to haproxy, but am highly interested in setting up basic auth for some things I'm running at my house behind haproxy. I have Let's Encrypt up and running, working fine. I understand what is being done here to a point, but when I tried pasting in something as a test, pfsense haproxy basically crashed out when I restarted it to save changes... can anyone point me in the right direction to get this going? I need to know where to put what in the pfsense config more or less. Thanks for any help ahead of time.

Offline Lockzi

Re: haproxy and HTTP basic auth via gui
« Reply #5 on: February 06, 2018, 02:23:07 pm »
Dear PiBa-NL

Would you mind elaborating on the other option?

I have a working solution and have been running one for a long time just like explained above using the passthrough text boxes. I have now reached a situation where I would like to exclude some backends from Basic HTTP Auth. How would I choose through ACL/Actions which ones would require Basic HTTP Auth?
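
An added example, not posted by anyone in this thread: a plain haproxy.cfg sketch of the userlist/ACL approach discussed above, with the `http-request auth` rule placed in only one of two backends so that only that backend prompts for credentials. The frontend, the second backend, the hostnames, the certificate path, the server addresses and the hash value are constructed placeholders, and the use of `password` with a crypt(3) hash in place of `insecure-password` is a substitution made here.

```haproxy
# Constructed example: names, addresses, paths and the hash are placeholders.

userlist UsersFor_AcmeCorp
  # 'password' expects a crypt(3) hash, so no cleartext password sits in the
  # config (unlike 'insecure-password'). A hash can be generated with, for
  # example, `mkpasswd -m sha-512` on a Linux host; which algorithms are
  # accepted depends on the crypt(3) of the system running haproxy.
  user joebloggs password REPLACE_WITH_CRYPT_HASH

frontend https_in
  mode http
  bind :443 ssl crt /path/to/cert.pem
  # Route by Host header; only private.example.com goes to the protected backend.
  acl host_private hdr(host) -i private.example.com
  use_backend HttpServers_Private if host_private
  default_backend HttpServers_Public

# Protected: the auth rule lives in this backend only.
backend HttpServers_Private
  mode http
  acl AuthOkay_AcmeCorp http_auth(UsersFor_AcmeCorp)
  # Send a 401 with the realm until valid credentials are presented.
  http-request auth realm AcmeCorp if !AuthOkay_AcmeCorp
  server app1 192.0.2.10:80

# Unprotected: no auth rule here, so requests pass without a prompt.
backend HttpServers_Public
  mode http
  server app2 192.0.2.20:80
```

Basic auth credentials are only base64-encoded in the request, so the prompt should stay behind the TLS-terminating bind as it is here.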