- In an HAProxy config there is no limit on the number of http-request statements per instance, so we can add rules that require basic login to the site but whitelist specific IPs
🚀 Set up an HAProxy config that requires basic login to access the dashboard and allows access for a special source IP
- Generate the HAProxy encrypted password

```bash
printf "thepassword" | mkpasswd --stdin --method=sha-256
```
- Modify haproxy.cfg to allow requests from source `18.69.61.21` but require login for all others

```
userlist AuthUsers
    user haproxyreport password $5$3VeorK1XxvgRseQ$VBkOPCY2enWZsas.C6X9Iif0FPHDknXXXXXXXXX

frontend fe-verify
    bind *:443 ssl crt /etc/certs
    acl haproxy_report hdr(host) haproxy-report.cloudopz.co
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    use_backend haproxy-report-backend if haproxy_report

# haproxy-report-backend
backend haproxy-report-backend
    acl authorized http_auth(AuthUsers)
    acl nagios src 18.69.61.21
    # Requests from the allow-listed source IP skip authentication
    http-request allow if nagios
    # Everyone else must present valid Basic credentials from AuthUsers
    http-request auth realm haproxyreport if !authorized
    server haproxy-report 127.0.0.1:1800
```
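
The order of the two `http-request` rules in the backend matters, because `allow` and `auth` both end rule evaluation at the first match. The Python model below is an added example, not HAProxy code or code from the original post; the rule tuples, function names and the `203.0.113.7` client address are constructed for illustration.

```python
import ipaddress

# Backend rules from the config above, in order: (action, condition).
# "!authorized" is true when the request carries no valid Basic credentials.
PAGE_RULES = [("allow", "nagios"), ("auth", "!authorized")]
# Same rules with the order swapped, to show why the order matters.
SWAPPED_RULES = [("auth", "!authorized"), ("allow", "nagios")]

ALLOWLIST = [ipaddress.ip_network("18.69.61.21/32")]  # acl nagios src ...


def acl_true(cond, src_ip, authenticated):
    """Evaluate one ACL name from the config, honouring a leading '!'."""
    negate = cond.startswith("!")
    name = cond.lstrip("!")
    if name == "nagios":
        value = any(ipaddress.ip_address(src_ip) in net for net in ALLOWLIST)
    elif name == "authorized":
        value = authenticated
    else:
        raise ValueError(f"unknown ACL: {name}")
    return value != negate


def evaluate(rules, src_ip, authenticated=False):
    """Return 'forward' or '401' using first-final-match semantics.

    'allow' stops http-request processing and lets the request through;
    'auth' stops processing and answers 401 with a WWW-Authenticate header.
    If no rule matches, the request is forwarded to the server.
    """
    for action, cond in rules:
        if not acl_true(cond, src_ip, authenticated):
            continue
        if action == "allow":
            return "forward"
        if action == "auth":
            return "401"
    return "forward"


if __name__ == "__main__":
    # Constructed sample requests: (source IP, has valid credentials)
    for ip, authed in [("18.69.61.21", False), ("203.0.113.7", False),
                       ("203.0.113.7", True)]:
        print(ip, authed, evaluate(PAGE_RULES, ip, authed),
              evaluate(SWAPPED_RULES, ip, authed))
```

With the rules swapped, the allow-listed address is challenged with a 401 like any other client, so the `allow` rule has to stay above the `auth` rule.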
Top comments (1)
I don't get why everyone seems to suggest echoing your password and piping it to `mkpasswd`. To my mind this only makes sense in a programmatic use-case where one wants to avoid the script from showing a prompt. But when generating your password manually, using `mkpasswd` interactively has one security advantage: you don't leave your clear-text password in your history! So instead of `echo "the password" | mkpasswd --stdin` one would better just use `mkpasswd …` IMHO.