HAProxy and I t'> Skip to content

User Authentication with HAProxy on pfSense

I’m a big fan of HAProxy and I try to use it whenever possible. It’s reliable and flexible Open Source Load Balancer for TCP and HTTP. The only thing you might miss: A nice Web GUI! I also like the Open Source Firewall pfSense a lot! Best of all: There is a HAProxy package for pfSense that provide a nice Web UI.

A friend asked me: “I want to protect a backend Server with basic authentication, and this is not working with the pfSense package of HAProxy.
He was wrong: It is possible, but the process is not directly implemented within the UI.

Based on the HAProxy documentation, create a UserList. You can use DES, MD5, SHA-256, and SHA-512 encrypted passwords. If you really know what you are doing: You can use plain text passwords here as well, but they are stored as plain text within the config files and can not recommend to do so!

Sample of a userlist with the name UserGroup

userlist UserGroup
user User1 password SECRET
user User2 password SECRET

Same as above with plain text passwords:

userlist UserGroup
user User1 insecure-password YourInsecurePasswordStringHere
user User2 insecure-password YourInsecurePasswordStringHere

Again: I highly recommend to use encrypted passwords! My example will use SHA-512 encrypted passwords.

Paste the snippet above to the custom options on the HAProxy settings:

custom options on the HAProxy settings
custom options on the HAProxy settings

Please note the following: Always put the userlist to the end of you custom options!

Reminder: Put this to the end!
Reminder: Put this to the end!

Now modify your Access control lists and actions. You can do this for a Frontend and/or Backend:
In my Example I use a “Access Control list” as “Custom acl” with the name “BackendAccess” and the Value “http_auth(UserGroup)
We create a “Action” as “http-request auth” with the “realm:” vale of “realm UserGroup unless BackendAccess“. Please leave the “Condition acl names” empty.

Access control lists and actions
Access control lists and actions

You might ask yourself: how should I create the encrypted passwords?
I use Python to do this:

python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'
Use Python to create encrypted password
Use Python to create encrypted password

A more automated way to do it:

python -c 'import crypt; print(crypt.crypt("TheSuperSecretPasswordHere", crypt.mksalt(crypt.METHOD_SHA512)))'
Use Python to create encrypted password
Use Python to create encrypted password

On Debian you can use the mkpasswd command (This is, why-ever, part of the whois package):

printf "TheSuperSecretPasswordHere" | mkpasswd --stdin --method=sha-512

On the Mac you can use HomeBrew to install Python 3:

/usr/local/bin/python3 -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'
Use Python on macOS to create encrypted password
Use Python on macOS to create encrypted password

You might need a more complex solution, with different access levels or access based on groups. You can do this with HAProxy!!!

Just edit your UserList like this:

userlist UserGroup
group is-user
group is-admin
user User1 password SECRET groups is-user
user User2 password SECRET groups is-admin

All users can access the backend protected with the example above! If you want another Backend, lets say just for admins, use the following rule:
Create a “Custom acl” in “Access Control list” with the name “AdminAccess” and the Value “http_auth_group(basic-auth-list) is-admin
Now create a “Action” as “http-request auth” with the “realm:” vale of “realm Admin unless AdminAccess“.

Another Example
Another Example
Published inHowTo

2 Comments

  1. T S T S

    Can you use HAProxy with FreeRadius or Active Directory authentication?

    • Hi,

      not as far as I know. I think in the commercial version is an option to use LDAP (And this could be you Active Directory).
      And to be honest: I would use an reverse Proxy (Apache or NGINX) behind the HAProxy to do such an authentication. But this is just my personal opinion.
      The documentation points to basic auth as described, not more. Maybe you can extend it by yourself (e.g. with LUA scripts), but I never tried to do that.

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2018 by Joerg Hochwald. All rights reserved. ● Site is powered by Author