Hi there,
I am looking for some help on how to implement ACL rules based on the backend server's login username, so I can share the same IP and port between several backends depending on the authentication username of each backend server. I am implementing SSL termination on HAProxy. I found what seems to be almost exactly the same case (link here), but the difference is that they have a userlist, whereas I just want to provide the usernames in the ACL rule.
I had three failed attempts:
In the following attempts I have, as in the figure above, two backend servers; the login username of server 1 is "server1" and its counterpart on backend server 2 is "server2":
1st attempt

```
frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1'
    acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2'
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50
```
2nd attempt

```
frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    default_backend server_seleccion_backend

backend server_seleccion_backend
    mode tcp
    option tcp-smart-connect
    acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1'
    acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2'
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50
```
3rd attempt

```
userlist server-auth
    group is-server1 users server_username1
    user server1
    group is-server2 users server_username2
    user server2

frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    default_backend server_seleccion_backend

backend server_seleccion_backend
    mode tcp
    option tcp-smart-connect
    acl rule1 http_auth_group(server-auth) is-server2
    acl rule2 http_auth_group(server-auth) is-server1
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50
```
Any pointers would be greatly appreciated!
Hernán
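A working shape for what the post is trying to do, added here as an example; it is not part of the original post and not an official HAProxy answer. The three attempts share the same root causes: `req.fhdr()` and `http_auth_group()` are HTTP-layer fetches, so the frontend that evaluates them has to be in `mode http` (a TCP frontend evaluates them on a connection that has not been parsed as HTTP); `use_backend` is only valid in `frontend` and `listen` sections, not inside a `backend`; `eq` is an integer comparison operator, so for a string fetch the pattern should be given with the default exact match (`-m str`); and `http_auth_group()` only matches after a real password check against the userlist, so a userlist whose groups reference users that do not exist and whose users carry no password cannot match. The config below assumes HAProxy 2.x, that both backends speak HTTP (the Authorization header is an HTTP header, so a non-HTTP backend cannot be selected by it), and reuses the certificate directory, addresses and ports from the post; the `tfo` and `process` bind options from the post are omitted because they do not affect routing.

```haproxy
# Added example, not the poster's config: one TLS-terminating listener,
# two backends chosen by the username in the client's HTTP Basic header.

frontend one_ip_and_port_to_two_backends
    # TLS is terminated here, so HAProxy sees plaintext HTTP and can read headers.
    bind :8055 ssl crt /etc/ssl/certs_self curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy ssl crt /etc/ssl/certs_self curves X25519:P-256:secp384r1
    mode http                     # req.hdr()/http_auth_*() only work in HTTP mode
    option httplog

    # Username from "Authorization: Basic base64(user:password)".
    # [[:space:]] is used instead of \s so no backslash escaping is needed
    # in the config parser. Default string matching (-m str) is an exact match;
    # "eq" would be an integer operator.
    acl has_basic  req.hdr(Authorization) -m beg -i "Basic "
    acl is_server1 req.hdr(Authorization),regsub(^Basic[[:space:]]+,,i),b64dec,regsub(:.*,) -m str server1
    acl is_server2 req.hdr(Authorization),regsub(^Basic[[:space:]]+,,i),b64dec,regsub(:.*,) -m str server2

    # Security note: any client can *claim* a username, so the route choice is
    # not authentication. Each backend must still verify the password itself.
    # http-request rules run before use_backend rules regardless of file order,
    # so the deny must be conditional or it would block every request.
    http-request auth realm backends if !has_basic
    http-request deny deny_status 403 unless is_server1 or is_server2
    use_backend server1 if is_server1
    use_backend server2 if is_server2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode http                     # assumption: port 88 on this host speaks HTTP
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50
```

Check it with `haproxy -c -f /path/to/haproxy.cfg` before reloading. If the proxy itself should verify the password rather than only read the username (the 3rd attempt's intent), the userlist has to be consistent: `group is-server1 users server1` together with `user server1 password <hash>` (or `insecure-password` for testing), and then `acl is_server1 http_auth_group(server-auth) is-server1` replaces the header-parsing ACL; with that variant a wrong password simply never matches, so the conditional deny above still handles the fall-through.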