@dinosauriecito wrote:
Hi there,
I am looking forward to some help on how to implement ACL rules based on the backend server's login username, so I can share the same IP and port with several backends depending on the authentication username of each backend server. I am implementing SSL termination on HAProxy. I found what seems to be almost exactly the same case (link here), but the difference is that they have a user list, whereas I just want to provide the usernames in the ACL rule.
I had three failed attempts:
In the following attempts I have, as in the figure above, 2 backend servers; the login username for server 1 is “server1” and its counterpart for backend server 2 is “server2”:
1st attempt
frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1'
    acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2'
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50
2nd attempt
frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    default_backend server_seleccion_backend

backend server_seleccion_backend
    mode tcp
    option tcp-smart-connect
    acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1'
    acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2'
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50
3rd attempt
userlist server-auth
    group is-server1 users server_username1
    user server1
    group is-server2 users server_username2
    user server2

frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    default_backend server_seleccion_backend

backend server_seleccion_backend
    mode tcp
    option tcp-smart-connect
    acl rule1 http_auth_group(server-auth) is-server2
    acl rule2 http_auth_group(server-auth) is-server1
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50
Any pointers would be greatly appreciated!
Hernán
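Added example (not part of Hernán's post and not HAProxy code): a small Python model of what the ACL chain `req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)` in the 1st and 2nd attempts actually computes, so the matching behaviour can be checked offline before touching the proxy. It goes slightly beyond the post in two ways: `haproxy_chain` reproduces the converter chain literally and shows the edge case where an empty password (`user:`) leaves the trailing colon in place, because `:.+` needs at least one character after the colon; and `username_from_basic_auth` / `select_backend` are a stricter version that only routes when the scheme really is Basic and the decoded credential contains the RFC 7617 `user-id:password` separator. The routing table `ROUTES`, the function names and `basic_header` (a helper that only builds test inputs) are assumptions made for this example. Two practical points worth keeping in mind: the `req.fhdr` fetch only has data once the request has been parsed as HTTP, which a `mode tcp` frontend does not do by itself; and the username in an Authorization header is client-supplied, so routing on it selects a backend but never authenticates anyone, which is why each backend must still verify the password.

```python
import base64
import re
from typing import Dict, Optional

# Constructed routing table for the two backends in the post: username -> backend name.
ROUTES: Dict[str, str] = {"server1": "server1", "server2": "server2"}

# Same pattern and flag as the HAProxy converter regsub(^Basic\s+,,i).
BASIC_PREFIX = re.compile(r"^Basic\s+", re.IGNORECASE)


def basic_header(username: str, password: str) -> str:
    """Build a Basic Authorization header value; used here only to construct sample input."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def haproxy_chain(header: Optional[str]) -> Optional[str]:
    r"""Literal model of regsub(^Basic\s+,,i),b64dec,regsub(:.+,) applied to the header.

    Returns None where HAProxy would have no sample to compare (missing header,
    undecodable base64); otherwise the string the ACL compares with 'server1'/'server2'.
    """
    if header is None:
        return None
    stripped = BASIC_PREFIX.sub("", header, count=1)
    try:
        decoded = base64.b64decode(stripped, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError
        return None
    # regsub(:.+,) needs at least one character after the colon, so "user:" keeps its colon.
    return re.sub(r":.+", "", decoded, count=1)


def username_from_basic_auth(header: Optional[str]) -> Optional[str]:
    """Stricter extraction: require the Basic scheme and the RFC 7617 'user-id:password' form."""
    if header is None or not BASIC_PREFIX.match(header):
        return None  # no header, or another scheme such as Bearer: nothing to route on
    stripped = BASIC_PREFIX.sub("", header, count=1)
    try:
        decoded = base64.b64decode(stripped, validate=True).decode("utf-8")
    except ValueError:
        return None
    # user-id cannot contain ':', so everything after the first colon is the password.
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def select_backend(header: Optional[str], routes: Dict[str, str] = ROUTES) -> Optional[str]:
    """Choose a backend from the username alone; the chosen backend still checks the password."""
    user = username_from_basic_auth(header)
    return routes.get(user) if user is not None else None


if __name__ == "__main__":
    for hdr in (basic_header("server1", "secret"), basic_header("server2", "p:w"),
                basic_header("server1", ""), "Bearer abc", None):
        print(repr(hdr), "->", haproxy_chain(hdr), "/", select_backend(hdr))
```

Unknown usernames, a non-Basic scheme, a missing header or invalid base64 all yield `None`, which is the case a `default_backend` or an explicit deny must cover so that an unrouted request does not silently land on whichever backend is listed first.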