HAProxy Enterprise Documentation 2.1r1
Basic Authentication
When your traffic is HTTP, you can use Basic authentication to display a login prompt to users. Configuring it is easy, but it does have one drawback: credentials are trasnmitted in the clear over HTTP. You can mitigate this exposure by enabling TLS to encrypt the traffic. In our examples, we will do just that.
Enable Basic authentication
Follow these steps to set up Basic authentication.
-
Usernames and their associated passwords are stored in HAProxy Enterprise's running memory. To define them, create a userlist
section. Each entry in this section has a user
field to indicate the username and an insecure-password
field to indicate the password.
userlist mycredentials
user joe insecure-password joespassword
user alice insecure-password alicespassword
user mark insecure-password markspassword
-
In your frontend
section, enable TLS on your bind
line so that credentials will be encrypted when transmitted between the client and load balancer. In this example, we also redirect HTTP requests to HTTPS. We use the http-request auth
line to display the Basic authentication login prompt to users. If a user has already logged in, then they will not see the prompt again.
frontend www
bind :80
bind :443 ssl crt /etc/hapee-2.1/certs/ssl.pem
http-request redirect scheme https unless { ssl_fc }
http-request auth unless { http_auth(mycredentials) }
default_backend webservers
Hash passwords in the userlist
You can store a hashed value for a password in the userlist
section instead of storing it as cleartext.
-
Install the whois
package, which provides the mkpasswd
tool:
-
Call mkpasswd
with the SHA-256 algorithm to hash your password:
$ mkpasswd -m sha-256 joespassword
-
Store the hashed password by using the password
parameter:
userlist mycredentials
user joe password <hashed password>
Next up
Bot Management