Protecting Haproxy with Hashed password protection for backend sites

You may have seen this guide for adding basic-auth password protection for a backend site within haproxy using non-hashed passwords. Storing passwords in clear text in the config is obviously not ideal, so if you have slightly more time available you should hash them instead.

Before starting, you should ensure you are able to use the mkpasswd tool by installing the whois package (For this guide I am using Ubuntu so will install via apt).

apt-get install whois

Run the command below to generate a SHA-256 crypt hash of the password for your new user (a salted, iterated hash in the crypt(3) format, which is what the "password" keyword in haproxy expects). Note that piping the password through echo leaves it in your shell history; running mkpasswd --method=sha-256 without --stdin prompts for the password instead.

echo [password] | mkpasswd --stdin --method=sha-256

Copy the output of the command; this hash is what goes into the config in place of the plain-text password.

You can now follow the same steps as in the guide for insecure passwords, except that in the userlist at the top of your haproxy config you use "password" instead of "insecure-password" and paste the hash in place of the plain-text password. Example:

userlist trusted_users
user [username] password [hashed-password]

Finally, add the two lines below to the backend you want to protect. The acl matches requests that carry valid credentials for a user in trusted_users, and the http-request line challenges any request that does not:

acl AuthOkay_[siteName] http_auth(trusted_users)
http-request auth if !AuthOkay_[siteName]

Validate the config with haproxy -c -f /etc/haproxy/haproxy.cfg, then restart (or reload) HAProxy to apply it and browse to your site to confirm you are prompted for credentials.
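If you want to generate or check these hashes on a machine without the whois package, here is an added example in standard-library Python (not part of the original post): it implements the SHA-256 crypt ($5$) scheme that mkpasswd --method=sha-256 uses, verifies a password against a hash copied from a userlist line, and renders the "user ... password" line with a fresh random salt. The function names sha256_crypt, verify and userlist_entry are my own.

```python
import hashlib
import hmac
import secrets

# Base64 alphabet and output-byte permutation from the SHA-crypt specification.
_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_PERM = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]

def _b64(v: int, n: int) -> str:  # n chars, least-significant 6 bits first
    return "".join(_ALPHABET[(v >> (6 * i)) & 0x3F] for i in range(n))

def sha256_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return the $5$ crypt string that `mkpasswd --method=sha-256` produces."""
    pw, sl = password.encode(), salt[:16].encode()  # salt is capped at 16 chars
    b = hashlib.sha256(pw + sl + pw).digest()
    a = hashlib.sha256(pw + sl)
    a.update(b * (len(pw) // 32) + b[: len(pw) % 32])
    for bit in bin(len(pw))[:1:-1]:  # bits of len(pw), least significant first
        a.update(b if bit == "1" else pw)
    a = a.digest()
    dp = hashlib.sha256(pw * len(pw)).digest()
    p = (dp * (len(pw) // 32 + 1))[: len(pw)]  # P: len(pw) bytes cycled from DP
    ds = hashlib.sha256(sl * (16 + a[0])).digest()
    s = (ds * (len(sl) // 32 + 1))[: len(sl)]  # S: len(salt) bytes cycled from DS
    for r in range(rounds):  # key-stretching loop; mixing order is from the spec
        c = hashlib.sha256(p if r & 1 else a)
        if r % 3: c.update(s)
        if r % 7: c.update(p)
        c.update(a if r & 1 else p)
        a = c.digest()
    out = "".join(_b64((a[x] << 16) | (a[y] << 8) | a[z], 4) for x, y, z in _PERM)
    out += _b64((a[31] << 8) | a[30], 3)
    prefix = "$5$" if rounds == 5000 else f"$5$rounds={rounds}$"
    return f"{prefix}{sl.decode()}${out}"

def verify(password: str, crypt_string: str) -> bool:
    """Check a password against the hash on a `user ... password` line."""
    parts = crypt_string.split("$")  # ['', '5', ['rounds=N',] salt, hash]
    rounds = 5000
    if len(parts) == 5 and parts[2].startswith("rounds="):
        rounds, parts = int(parts[2][7:]), parts[:2] + parts[3:]
    if len(parts) != 4 or parts[1] != "5":
        return False
    expected = sha256_crypt(password, parts[2], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(expected, parts[3])

def userlist_entry(username: str, password: str) -> str:
    salt = "".join(secrets.choice(_ALPHABET) for _ in range(16))  # fresh random salt
    return f"user {username} password {sha256_crypt(password, salt)}"
```

The output of sha256_crypt for a given password and salt matches what mkpasswd prints, so you can paste it straight into the userlist or use verify to confirm a hash already in the config before reloading.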

Any comments or questions? Get in touch here or Email me at [email protected]