You may have seen this guide for adding basic-auth password protection for a backend site within haproxy with non-hashed passwords. Obviously this is not ideal so, if you have slightly more time available you should ideally hash these passwords.
Before starting, you should ensure you are able to use the mkpasswd tool by installing the whois package (For this guide I am using Ubuntu so will install via apt).
apt-get install whois
Run the below command to generate a AES-256 bit hashed password for your new user:
echo [password] | mkpasswd --stdin --method=sha-256
Copy the output of the above, this will be the secure password for your user.
You can now complete the same as in the guide for insecure passwords, replacing “insecure-password” with “password” from the top section of your haproxy config. Examples below:
userlist trusted_users user [username] password [password]
Finally, add the below two lines to update your backend to enforce the password protection for the required backend:
acl AuthOkay_[siteName] http_auth(trusted_users) http-request auth if !AuthOkay_[siteName]
Restart Haproxy to apply and browse to your site to confirm you are prompted for authentication.