Created
April 15, 2021 08:36
-
-
Save elico/405f0608e60910fc9ea119e22e1ffd07 to your computer and use it in GitHub Desktop.
Example of backend selection by username and password
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
global | |
log /dev/log local0 | |
log /dev/log local1 notice | |
chroot /var/lib/haproxy | |
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
stats timeout 30s | |
user haproxy | |
group haproxy | |
daemon | |
# Default SSL material locations | |
ca-base /etc/ssl/certs | |
crt-base /etc/ssl/private | |
# Default ciphers to use on SSL-enabled listening sockets. | |
# For more information, see ciphers(1SSL). This list is from: | |
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
# An alternative list with additional directives can be obtained from | |
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | |
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS | |
ssl-default-bind-options no-sslv3 | |
defaults | |
log global | |
mode http | |
option httplog | |
option dontlognull | |
timeout connect 5000 | |
timeout client 50000 | |
timeout server 50000 | |
errorfile 400 /etc/haproxy/errors/400.http | |
errorfile 403 /etc/haproxy/errors/403.http | |
errorfile 408 /etc/haproxy/errors/408.http | |
errorfile 500 /etc/haproxy/errors/500.http | |
errorfile 502 /etc/haproxy/errors/502.http | |
errorfile 503 /etc/haproxy/errors/503.http | |
errorfile 504 /etc/haproxy/errors/504.http | |
userlist basic-auth-list | |
group is-regular-user | |
group is-admin | |
group is-user1 | |
group is-user2 | |
user username1 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFiV89xhW524abcdfg groups is-user1 | |
user Username2 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFefghxhW524abcdfg groups is-user2 | |
user admin password ASYRtiLFCipT6 groups is-admin | |
user michal password $5$gZZsvtRWI$9JIU8pfHLG8BtYW5tceAKD1oNAjjfL5e4LwUfAW1sqA groups is-regular-user | |
user milosz password $1$R29iAdV/$1QUKx8eo6e5pcMIEgaZwt0 groups is-regular-user | |
user guest insecure-password guestpassword | |
frontend frontproxy | |
bind 0.0.0.0:10000 | |
use_backend api_servers if { path_beg /api/ } | |
default_backend web_servers | |
# acl authorized_user1 http_auth(atuhuser1) | |
# acl authorized_user2 http_auth(atuhuser1) | |
# acl authorized http_auth(AuthUsers) | |
# http-request auth realm Example1 if host_example1 !authorized | |
# http-request auth realm Example2 if host_example2 !authorized | |
acl is-basic-auth-user-with-group-user1 http_auth_group(basic-auth-list) is-user1 | |
acl is-basic-auth-user-with-group-user2 http_auth_group(basic-auth-list) is-user2 | |
use_backend example1 if is-basic-auth-user-with-group-user1 | |
use_backend example2 if is-basic-auth-user-with-group-user2 | |
# use_backend web-guest-production | |
backend web_servers | |
balance roundrobin | |
cookie SERVERUSED insert indirect nocache | |
option httpchk HEAD / | |
default-server check maxconn 20 | |
server server1 10.0.1.3:80 cookie server1 | |
server server2 10.0.1.4:80 cookie server2 | |
backend api_servers | |
balance roundrobin | |
cookie SERVERUSED insert indirect nocache | |
option httpchk HEAD / | |
default-server check maxconn 20 | |
server apiserver1 10.0.1.3:80 cookie server1 | |
server apiserver2 10.0.1.4:80 cookie server2 | |
backend example1 | |
http-request set-header X-Client-IP %[src] | |
server px1 10.0.0.1:3001 check | |
http-request del-header Authorization | |
backend example2 | |
http-request set-header X-Client-IP %[src] | |
server px2 10.0.0.1:3002 check | |
http-request del-header Authorization |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment