When proxying traffic to backend servers where you lack administrative access, adding security layers becomes tricky. Traditional HTTP basic auth requires backend configuration, but HAProxy offers a solution at the proxy layer itself.
Here's the minimal configuration to implement Basic Auth for all requests:
    frontend http-in
        bind *:80
        # Challenge any request that lacks valid credentials from the userlist
        acl auth_ok http_auth(haproxy_users)
        http-request auth realm HAProxy\ Authentication if !auth_ok
        default_backend servers

    backend servers
        server backend1 192.168.1.100:80 check

    userlist haproxy_users
        user lars password $6$WjZ6/5vC$.D3QOPSI0hH1dJ7qU6pJY91XpNzF8jL9SDF8k6r3vYV5sW4wL1B2
The configuration uses several key elements:
- userlist: Defines authorized users with hashed passwords (SHA-512 shown)
- http_auth: ACL that checks credentials against the userlist
- http-request auth: Challenges unauthenticated requests
Create secure hashed passwords using these methods:
Using OpenSSL (the -1 option produces MD5-crypt):
    openssl passwd -1 "yourpassword"
Using mkpasswd (SHA-512 recommended):
    mkpasswd -m sha-512
For more control, you might want to:
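    frontend http-in
        bind *:80
        # Only requests under /admin are challenged
        acl restricted_path path_beg /admin
        # haproxy_admin_users must be defined as a userlist section
        acl auth_ok http_auth(haproxy_admin_users)
        http-request auth realm Admin\ Area if restricted_path !auth_ok
        default_backend servers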
Verify the configuration works with curl:
    curl -v http://yourhaproxy:80/ -u username:password
Look for HTTP/1.1 200 OK in successful cases or HTTP/1.1 401 Unauthorized when authentication fails.
Remember these critical points:
- Basic Auth transmits credentials in base64 (easily decoded)
- Always use HTTPS in production to encrypt the transmission
- Regularly rotate passwords and audit user access
- Consider combining with IP whitelisting for sensitive areas
When working with backend servers you don't have administrative access to, adding security layers can be tricky. HTTP Basic Authentication is one of the simplest ways to add a gatekeeper to your services, and HAProxy provides an elegant solution for implementing this at the proxy level.
Here's the fundamental HAProxy configuration to implement Basic Auth:
    frontend http-in
        bind *:80
        # The name passed to http_auth() must match the userlist section below
        acl authenticated http_auth(AuthUsers)
        http-request auth realm "Restricted Area" unless authenticated
        use_backend backend_servers if authenticated
        # maintenance_page must be defined as its own backend section
        default_backend maintenance_page

    backend backend_servers
        server server1 192.168.1.100:80 check

    userlist AuthUsers
        user admin password $6$VZyGz8Lm$J6Qz8YwXZz8YwXZz8YwXZz8YwXZz8YwXZz8YwXZz8YwXZz8YwXZz8YwXZ
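For password security, we recommend using hashed passwords. Here are three ways to generate them:
    # Using openssl (for MD5; -1 gives the MD5-crypt format, since crypt(3),
    # which HAProxy uses to verify hashes, does not accept Apache's $apr1$ variant)
    openssl passwd -1
    # Using mkpasswd (for SHA-256/512)
    mkpasswd -m sha-256
    # Python one-liner (the crypt module was removed in Python 3.13; use 3.12 or earlier)
    python3 -c 'import crypt; print(crypt.crypt("yourpassword", crypt.mksalt(crypt.METHOD_SHA512)))'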
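An added example, not part of the original article or of HAProxy itself: a small Python audit of the two things the configurations above depend on, that every http_auth() ACL names a userlist that is actually defined, and that user entries carry a SHA-256/512 crypt hash rather than insecure-password or an older scheme. The sample config, its placeholder hashes, the finding names and the rule that anything other than $5$/$6$ counts as weak are assumptions of this example.

```python
import re

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen",
                    "userlist", "resolvers", "peers", "mailers", "cache"}
STRONG_PREFIXES = ("$6$", "$5$")  # sha512-crypt and sha256-crypt

# Constructed sample config; the hash strings are placeholders, not real digests.
SAMPLE_CFG = """\
userlist AuthUsers
    user admin password $6$constructedsalt$constructedplaceholderhash
    user legacy password $1$constructedsalt$constructedplaceholderhash
    user temp insecure-password changeme

frontend http-in
    bind *:80
    acl authenticated http_auth(haproxy-auth)
    http-request auth realm "Restricted Area" unless authenticated
"""

def audit(cfg_text):
    """Return (finding, subject) tuples for auth problems in a HAProxy config."""
    defined, referenced, findings = set(), [], []
    current_userlist = None
    for raw in cfg_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] in SECTION_KEYWORDS:  # a new section starts here
            is_userlist = tokens[0] == "userlist" and len(tokens) > 1
            current_userlist = tokens[1] if is_userlist else None
            if is_userlist:
                defined.add(current_userlist)
            continue
        referenced += re.findall(r"http_auth\(([^)\s]+)\)", raw)
        if current_userlist and tokens[0] == "user" and len(tokens) >= 4:
            subject = f"{current_userlist}/{tokens[1]}"
            if tokens[2] == "insecure-password":
                findings.append(("cleartext-password", subject))
            elif tokens[2] == "password" and not tokens[3].startswith(STRONG_PREFIXES):
                findings.append(("weak-hash", subject))
    # Userlists may be declared after the ACL that uses them, so check at the end.
    for name in dict.fromkeys(referenced):
        if name not in defined:
            findings.append(("undefined-userlist", name))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CFG):
        print(f"{finding:20} {subject}")
```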
For production environments, consider these enhancements:
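    frontend https-in
        # Terminate TLS at the proxy so credentials are never sent in the clear
        bind *:443 ssl crt /etc/ssl/private/example.com.pem
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        # AuthUsers is the userlist from the basic configuration
        acl auth_ok http_auth(AuthUsers)
        http-request auth realm "Secure Area" unless auth_ok
        http-request deny if !auth_ok
        use_backend secure_servers if auth_ok

    backend secure_servers
        # "verify none" encrypts the backend hop but does not validate the server certificate
        server secure1 10.0.0.42:443 ssl verify none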
Key monitoring commands for your HAProxy Basic Auth setup:
    # Check authentication stats
    echo "show stat" | socat /var/run/haproxy.sock stdio | grep FRONTEND
    # Test authentication
    curl -v -u username:password http://yourhaproxy.example.com
    # Debug mode
    haproxy -d -f /etc/haproxy/haproxy.cfg