HAProxy Enterprise Documentation 2.3r1

Basic Authentication

When your traffic is HTTP, you can use Basic authentication to display a login prompt to users. Configuring it is easy, but it does have one drawback: credentials are transmitted in the clear over HTTP. You can mitigate this exposure by enabling TLS to encrypt the traffic. In our examples, we will do just that.

Enable Basic authentication

Follow these steps to set up Basic authentication.

  1. Usernames and their associated passwords are stored in HAProxy Enterprise's running memory.

To define them, create a userlist section. Each entry in this section has a user field to indicate the username and an insecure-password field to indicate the password.

userlist mycredentials
   user joe  insecure-password joespassword
   user alice  insecure-password alicespassword
   user mark  insecure-password markspassword
  1. In your frontend section, enable TLS on your bind line so that credentials will be encrypted when transmitted between the client and load balancer.

    In this example, we also redirect HTTP requests to HTTPS. We use the http-request auth line to display the Basic authentication login prompt to users. If a user has already logged in, then they will not see the prompt again.

    frontend www
       bind :80
       bind :443 ssl crt /etc/hapee-2.3/certs/site.pem
       http-request redirect scheme https unless { ssl_fc }
       http-request auth unless { http_auth(mycredentials) }
       default_backend webservers

Hash passwords in the userlist

You can store a hashed value for a password in the userlist section instead of storing it as cleartext.

  1. Install the whois package, which provides the mkpasswd tool:

    $ sudo apt install whois
  2. Call mkpasswd with the SHA-256 algorithm to hash your password:

    $ mkpasswd -m sha-256 joespassword
  3. Store the hashed password by using the password parameter:

    userlist mycredentials
       user joe password <hashed password>

Next up

Client Certificate Authentication