@elico
Created April 15, 2021 08:36
Example of backend selection by username and password
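global
    log /dev/log local0
    log /dev/log local1 notice
    # Drop privileges after start-up: run as haproxy:haproxy inside a chroot.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    # Admin-level runtime API on a local socket; mode 660 limits it to the
    # haproxy user/group. "expose-fd listeners" lets a reloaded process take
    # over the listening sockets (per the HAProxy documentation).
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Only disabling SSLv3 leaves TLS 1.0 and 1.1 negotiable on any
    # "bind ... ssl" line that relies on these defaults; both are deprecated
    # (RFC 8996), so refuse them too. No bind in this file uses ssl today,
    # so this only takes effect for listeners added later.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11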
defaults
    log     global
    mode    http
    # Per-request HTTP log lines; connections that carried no data are not logged.
    option  httplog
    option  dontlognull
    # Unit-less timeout values are milliseconds: 5 s to establish a server
    # connection, 50 s of client-side / server-side inactivity.
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    # Static error pages that HAProxy serves itself for these status codes.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
# Credential store consulted by the http_auth_group() ACLs in the frontend below.
# "password" holds a crypt(3)-style hash; "insecure-password" holds cleartext.
userlist basic-auth-list
group is-regular-user
group is-admin
group is-user1
group is-user2
# $6$ = SHA-512 crypt, the strongest form used in this list. These two values
# look like illustrative placeholders rather than real crypt output — confirm
# before reusing.
user username1 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFiV89xhW524abcdfg groups is-user1
user Username2 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFefghxhW524abcdfg groups is-user2
# NOTE(review): a 13-character hash with no "$id$" prefix is the legacy DES
# crypt form (8-character password limit, cheap to brute-force). Rehash with
# $6$, especially for an admin account.
user admin password ASYRtiLFCipT6 groups is-admin
# $5$ = SHA-256 crypt.
user michal password $5$gZZsvtRWI$9JIU8pfHLG8BtYW5tceAKD1oNAjjfL5e4LwUfAW1sqA groups is-regular-user
# NOTE(review): $1$ = MD5 crypt, fast to brute-force; prefer $6$.
user milosz password $1$R29iAdV/$1QUKx8eo6e5pcMIEgaZwt0 groups is-regular-user
# NOTE(review): cleartext password in the config file — anyone who can read
# this file holds the credential. "guest" is also in no group, so the
# frontend's http_auth_group ACLs (is-user1 / is-user2) never match it.
user guest insecure-password guestpassword
frontend frontproxy
    # Plain HTTP listener: Basic credentials arrive base64-encoded, not encrypted.
    bind 0.0.0.0:10000

    # Group-membership checks against the userlist; each ACL is true only when
    # the request carries valid Basic credentials for a member of that group.
    acl is-basic-auth-user-with-group-user1 http_auth_group(basic-auth-list) is-user1
    acl is-basic-auth-user-with-group-user2 http_auth_group(basic-auth-list) is-user2

    # use_backend rules are evaluated top to bottom, first match wins, so
    # /api/ paths are routed before any credential-based selection.
    use_backend api_servers if { path_beg /api/ }
    use_backend example1    if is-basic-auth-user-with-group-user1
    use_backend example2    if is-basic-auth-user-with-group-user2
    # Anything that matched no rule — including requests without credentials;
    # no "http-request auth" challenge is issued here — goes to web_servers.
    default_backend web_servers

    # Kept from the original for reference; not active.
    # acl authorized_user1 http_auth(atuhuser1)
    # acl authorized_user2 http_auth(atuhuser1)
    # acl authorized http_auth(AuthUsers)
    # http-request auth realm Example1 if host_example1 !authorized
    # http-request auth realm Example2 if host_example2 !authorized
    # use_backend web-guest-production
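backend web_servers
    balance roundrobin
    # Stickiness cookie inserted by HAProxy: "indirect" keeps it from being
    # forwarded to the servers, "nocache" marks the response non-cacheable when
    # the cookie is set. "httponly" keeps the persistence cookie out of reach of
    # page scripts; it is not marked "secure" because the only frontend in this
    # file listens on plain HTTP, where a secure cookie would never be returned.
    cookie SERVERUSED insert indirect nocache httponly
    option httpchk HEAD /
    default-server check maxconn 20
    # Note: unlike example1/example2, this backend forwards any Authorization
    # header the client sent unchanged.
    server server1 10.0.1.3:80 cookie server1
    server server2 10.0.1.4:80 cookie server2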
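backend api_servers
    balance roundrobin
    # Stickiness cookie inserted by HAProxy: "indirect" keeps it from being
    # forwarded to the servers, "nocache" marks the response non-cacheable when
    # the cookie is set. "httponly" keeps the persistence cookie out of reach of
    # page scripts; it is not marked "secure" because the only frontend in this
    # file listens on plain HTTP, where a secure cookie would never be returned.
    cookie SERVERUSED insert indirect nocache httponly
    option httpchk HEAD /
    default-server check maxconn 20
    # Same hosts as web_servers; any Authorization header the client sent is
    # forwarded unchanged (only example1/example2 strip it).
    server apiserver1 10.0.1.3:80 cookie server1
    server apiserver2 10.0.1.4:80 cookie server2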
backend example1
    # Pass the real client address upstream; set-header replaces any
    # X-Client-IP value the client supplied itself.
    http-request set-header X-Client-IP %[src]
    # The credentials were only needed to select this backend — do not
    # forward them to the server.
    http-request del-header Authorization
    server px1 10.0.0.1:3001 check
backend example2
    # Pass the real client address upstream; set-header replaces any
    # X-Client-IP value the client supplied itself.
    http-request set-header X-Client-IP %[src]
    # The credentials were only needed to select this backend — do not
    # forward them to the server.
    http-request del-header Authorization
    server px2 10.0.0.1:3002 check