HAProxy Enterprise Documentation 2.4r1

Userlist

The userlist section allows you to configure authentication and restrict access to proxied services only for the defined users. Currently, only http Basic authentication is supported.

Each userlist keyword is followed by a label, such as valid_users, to differentiate it from others. The label can be used by ACLs and other HAProxy Enterprise keywords.

userlist valid_users
   # Your configuration directives

In our examples we will not be using ACLs because they are talked about and explained in depth at a later topic, but, it is always good practice to use ACLs.

Userlist section examples

In the following configuration sample, we define the www frontend and use the http-request auth keyword which stops the evaluation of further rules and immediately asks for a user name and a password.

We have also defined a userlist section labeled basic_auth_logins and added two users with a basic text password for each. The http_auth fetch returns a Boolean result indicating whether the username and the password that were received matches the ones defined in the basic_auth_logins userlist.

frontend www
  bind :80
  bind :443 ssl crt /etc/hapee-2.4/certs/site.pem
  http-request redirect scheme https unless { ssl_fc }
  http-request auth unless { http_auth(basic_auth_logins) }

userlist basic_auth_logins
  user joe insecure-password mypassword123
  user jane insecure-password myotherpassword123

Each user line specifies a username, the type of password that will be used, and the password that HAProxy Enterprise will accept.

Using encrypted passwords

Changing insecure-password to password allows you to use encrypted passwords.

frontend www
  bind :80
  bind :443 ssl crt /etc/hapee-2.4/certs/site.pem
  http-request redirect scheme https unless { ssl_fc }
  http-request auth unless { http_auth(basic_auth_logins) }

userlist basic_auth_logins
  user joe password $5$s6Subz0X7FSX2zON$r94OtF6gOfWlGmySwvn3pDFIAHbIpe6mWneueqtBOm/
  user jane password ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

Splitting users into groups

Users can also be added in groups. Building on our example we have used the group keyword to define two groups, labeled admins and devops. We also changed http_auth to http_auth_group. The http_auth_group fetch will return a Boolean if the username and the password are found in the userlist for groups admins and devops.

frontend www
  bind :80
  bind :443 ssl crt /etc/hapee-2.4/certs/site.pem
  http-request redirect scheme https unless { ssl_fc }
  http-request auth unless { http_auth_group(basic_auth_logins) admins devops }

userlist basic_auth_logins
  group admins  users joe,jane
  group devops  users joe

  user joe password $5$s6Subz0X7FSX2zON$r94OtF6gOfWlGmySwvn3pDFIAHbIpe6mWneueqtBOm/
  user jane password ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

See also

Basic Authentication

Next up

Cache