- In haproxy config, there is no limit to the number of http-request statements per instance so we can add the rules to request basic login to the site but whitelist specials IPs
π Setup HAProxy config which contains basic login to access the dashboard and allow access for special resource IP
- Generate haproxy encrypted password
printf "thepassword" | mkpasswd --stdin --method=sha-256 - Modify haproxy.cfg which allow access for requests from source
18.69.61.21but requires login for others
userlist AuthUsers user haproxyreport password $5$3VeorK1XxvgRseQ$VBkOPCY2enWZsas.C6X9Iif0FPHDknXXXXXXXXX frontend fe-verify bind *:443 ssl crt /etc/certs acl haproxy_report hdr(host) haproxy-report.cloudopz.co http-request set-header X-Forwarded-Proto https if { ssl_fc } use_backend haproxy-report-backend if haproxy_report # haproxy-report-backend backend haproxy-report-backend acl authorized http_auth(AuthUsers) acl nagios src 18.69.61.21 http-request allow if nagios http-request auth realm haproxyreport if !authorized server haproxy-report 127.0.0.1:1800 More about haproxy
- How To Set HTTP-Request Header In Haproxy
- How To Block IP Addresses In HAProxy
- HAProxy With Resolvers In Case Of AWS Application LoadBalancer
- Use GoAccess To Analyze HAProxy Logs
Top comments (1)
I don't get why everyone seems to suggest echoing your password and piping it to
mkpassword. To my mind this only makes sense in a programmatic use-case where one wants to avoid the script from showing a prompt.But when generating your password manually using
mkpasswdinteractively has one security advantage: you don't leave your clear-text password in your history!So instead of
echo "the password" | mkpasswd --stdinone would better just usemkpassword β¦IMHO.