@filviu
Last active April 29, 2022 18:31
Basic auth with pfSense and haproxy

To add basic auth to HAProxy (on pfSense):

haproxy general settings

Global Advanced pass thru

userlist AuthRealmName
  user username password ENCRYPTED_PASSWORD_HERE

Putting the password in clear text works but is a bad idea for obvious reasons.

userlist AuthRealmName
  user USERNAME insecure-password PASSWORD

Frontend

Access Control lists

Name: acl-name
Expression: Custom acl
Not: Checked
Value: http_auth(AuthRealmName)

Actions

Action: http-request auth
Condition acl names: acl-name
realm: realm realmname # might be optional

Optional:

Action: Use Backend
Condition acl names: acl-name condition2 fqdn_condition

Password

Based on the HAProxy documentation, create a UserList. You can use DES, MD5, SHA-256, and SHA-512 encrypted passwords. If you really know what you are doing, you can use plain text passwords here as well, but they are stored as plain text within the config files, and I cannot recommend doing so!

python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'

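Automated way to do it (the password is passed on the command line, so it ends up in shell history and is visible in the process list while the command runs):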

python -c 'import crypt; print(crypt.crypt("TheSuperSecretPasswordHere", crypt.mksalt(crypt.METHOD_SHA512)))'

mkpasswd should also work, and is the option to use on Python 3.13 and later, where the crypt module has been removed:

printf '%s' "TheSuperSecretPasswordHere" | mkpasswd --stdin --method=sha-512

Password generation snippets are from here: https://hochwald.net/user-authentication-with-haproxy-on-pfsense/
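
An added example, not part of the original gist or the linked article: a check that reads an HAProxy config and reports, for each userlist user, whether the entry uses insecure-password or which crypt scheme its hash prefix indicates. The sample config, the user names and the policy of accepting only SHA-256 and SHA-512 are assumptions of this example.

```python
import re

# Crypt prefixes for the hash schemes named above; a value with no known
# "$id$" prefix is reported as DES/unknown (traditional DES has no prefix).
SCHEMES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
# Policy chosen for this example (an assumption, not an HAProxy rule).
ACCEPTED = {"SHA-256", "SHA-512"}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
USER_RE = re.compile(r"^user\s+(\S+)\s+(password|insecure-password)\s+(\S+)")

# Constructed sample config; the hash strings are placeholders, not real digests.
SAMPLE = """\
global
  maxconn 1000

userlist AuthRealmName
  user alice password $6$CONSTRUCTEDsalt$CONSTRUCTEDplaceholderdigest
  user bob insecure-password PASSWORD
  user carol password $1$CONSTRUCTED$CONSTRUCTEDplaceholder
  user dave password abCONSTRUCTED1

frontend www
  bind :80
"""


def audit_userlists(config_text):
    """Return (userlist, user, scheme, accepted) for each user entry."""
    findings, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (unescaped '#')
        if not line:
            continue
        words = line.split()
        if words[0] == "userlist" and len(words) > 1:
            current = words[1]
        elif words[0] in SECTIONS:
            current = None  # another section ends the userlist
        elif current and (m := USER_RE.match(line)):
            user, keyword, secret = m.groups()
            if keyword == "insecure-password":
                scheme = "cleartext"
            else:
                scheme = next((name for prefix, name in SCHEMES.items()
                               if secret.startswith(prefix)), "DES/unknown")
            findings.append((current, user, scheme, scheme in ACCEPTED))
    return findings


if __name__ == "__main__":
    for userlist, user, scheme, ok in audit_userlists(SAMPLE):
        print(f"{userlist}/{user}: {scheme} -> {'ok' if ok else 'REPLACE'}")
```

On pfSense the text to audit is the generated HAProxy configuration, which includes whatever was entered in the Global Advanced pass thru box.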
