@nidalee, 2021-12-29 17:53:19
User identification

HAProxy allows users by IP, but not by password?

I have been struggling with HAProxy on Ubuntu for a while:

HAProxy version 2.5.0-1ppa1~focal 2021/11/26 - https://haproxy.org/
Running on: Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64

I'm trying to set up a proxy that distributes users across a list of proxies on the backend. The backend proxies authorize the front HAProxy server by IP, and it, in turn, must admit users either by IP or by a login:password pair.
I create a user:
userlist L1
    # HAProxy's userlist syntax is "user <name> password <crypt-hash>" or
    # "user <name> insecure-password <cleartext>"; the keyword and password
    # below are as posted (presumably redacted)
    user user secure-password password

The current variation of the authorization check (I have already tried a bunch of different options from Google):
frontend FRONTEND
    bind *:48151
    http-request set-header X-Forwarded-Proto http
    # true when the credentials in the request match userlist L1
    acl auth_ok http_auth(L1)
    # IP redacted in the post
    acl ipwhitelist src IP
    # "allow" stops evaluation of the remaining http-request rules
    http-request allow if ipwhitelist
    http-request allow if auth_ok
    # challenge everyone else for credentials
    http-request auth if !ipwhitelist !auth_ok
    default_backend PROXIES

As a result, curl from a PC on the IP whitelist goes through:
curl -x http://IP:PORT -O https://yastatic.net/s3/home/notifications/bground... --trace dump
CURL DUMP
== Info:   Trying IP:PORT...
== Info: Connected to IP port PORT(#0)
== Info: allocate connect buffer!
== Info: Establish HTTP proxy tunnel to yastatic.net:443
=> Send header, 116 bytes (0x74)
0000: 43 4f 4e 4e 45 43 54 20 79 61 73 74 61 74 69 63 CONNECT yastatic
0010: 2e 6e 65 74 3a 34 34 33 20 48 54 54 50 2f 31 2e .net:443 HTTP/1.
0020: 31 0d 0a 48 6f 73 74 3a 20 79 61 73 74 61 74 69 1..Host: yastati
0030: 63 2e 6e 65 74 3a 34 34 33 0d 0a 55 73 65 72 2d c.net:443..User-
0040: 41 67 65 6e 74 3a 20 63 75 72 6c 2f 37 2e 37 34 Agent: curl/7.74
0050: 2e 30 0d 0a 50 72 6f 78 79 2d 43 6f 6e 6e 65 63 .0..Proxy-Connec
0060: 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 tion: Keep-Alive
0070: 0d 0a 0d 0a                                     ....
<= Recv header, 37 bytes (0x25)
0000: 48 54 54 50 2f 31 2e 30 20 32 30 30 20 43 6f 6e HTTP/1.0 200 Con
0010: 6e 65 63 74 69 6f 6e 20 65 73 74 61 62 6c 69 73 nection establis
0020: 68 65 64 0d 0a                                  hed..
<= Recv header, 2 bytes (0x2)
0000: 0d 0a                                           ..
== Info: Proxy replied 200 to CONNECT request
== Info: CONNECT phase completed!
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info:  CAfile: /etc/ssl/certs/ca-certificates.crt
== Info:  CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 02 00                                  .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: 01 00 01 fc 03 03 55 cc 15 88 de 07 b8 3c 61 3c ......U......<a<
0010: ed 64 f1 3c ab 0a 4f e3 91 36 fa 41 46 e4 12 89 .d.<..O..6.AF...
0020: 9d c2 b8 c7 24 6a 20 ce 7c 38 a0 4e 9a 59 ac 72 ....$j .|8.N.Y.r
0030: e9 87 09 6e 26 46 8d 02 44 07 63 2b 42 d5 48 93 ...n&F..D.c+B.H.
0040: d3 57 ec c0 c6 b7 f3 00 3e 13 02 13 03 13 01 c0 .W......>.......
0050: 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 ,.0.........+./.
0060: 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 ..$.(.k.#.'.g...
0070: 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 ..9.....3.....=.
0080: 3c 00 35 00 2f 00 ff 01 00 01 75 00 00 00 11 00 <.5./.....u.....
0090: 0f 00 00 0c 79 61 73 74 61 74 69 63 2e 6e 65 74 ....yastatic.net
00a0: 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d ................
00b0: 00 17 00 1e 00 19 00 18 33 74 00 00 00 10 00 0e ........3t......
00c0: 00 0c 02 68 32 08 68 74 74 70 2f 31 2e 31 00 16 ...h2.http/1.1..
00d0: 00 00 00 17 00 00 00 31 00 00 00 0d 00 2a 00 28 .......1.....*.(
00e0: 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b ................
00f0: 08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 ................
0100: 03 02 04 02 05 02 06 02 00 2b 00 05 04 03 04 03 .........+......
0110: 03 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 ..-.....3.&.$...
0120: 20 18 00 d0 97 e6 b2 a5 8f 4f d9 d7 3b ef 83 a0  ........O..;...
0130: 20 d9 09 1d 0c f6 80 17 53 e6 16 ce 17 61 00 88  .......S....a..
0140: 7d 00 15 00 bb 00 00 00 00 00 00 00 00 00 00 00 }...............
0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
== Info: CONNECT phase completed!
== Info: CONNECT phase completed!
...


curl from a PC that is not on the whitelist, but with a login and password, does not:
curl -x 'http://USER:PASSWORD@IP:PORT' -v -O https://yastatic.net/s3/home/notifications/bground... --trace dump
CURL DUMP
== Info:   Trying IP:PORT...
== Info: Connected to IP port PORT (#0)
== Info: allocate connect buffer!
== Info: Establish HTTP proxy tunnel to yastatic.net:443
== Info: Proxy auth using Basic with user 'USER'
=> Send header, 169 bytes (0xa9)
0000: 43 4f 4e 4e 45 43 54 20 79 61 73 74 61 74 69 63 CONNECT yastatic
0010: 2e 6e 65 74 3a 34 34 33 20 48 54 54 50 2f 31 2e .net:443 HTTP/1.
0020: 31 0d 0a 48 6f 73 74 3a 20 79 61 73 74 61 74 69 1..Host: yastati
0030: 63 2e 6e 65 74 3a 34 34 33 0d 0a 50 72 6f 78 79 c.net:443..Proxy
0040: 2d 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 -Authorization: 
0050: *** Basic ***
0060: *** ***..
0070: 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c User-Agent: curl
0080: 2f 37 2e 37 34 2e 30 0d 0a 50 72 6f 78 79 2d 43 /7.74.0..Proxy-C
0090: 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d onnection: Keep-
00a0: 41 6c 69 76 65 0d 0a 0d 0a                      Alive....
<= Recv header, 27 bytes (0x1b)
0000: 48 54 54 50 2f 31 2e 31 20 34 30 31 20 55 6e 61 HTTP/1.1 401 Una
0010: 75 74 68 6f 72 69 7a 65 64 0d 0a                uthorized..
<= Recv header, 21 bytes (0x15)
0000: 63 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 content-length: 
0010: 31 31 32 0d 0a                                  112..
<= Recv header, 25 bytes (0x19)
0000: 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 3a 20 6e cache-control: n
0010: 6f 2d 63 61 63 68 65 0d 0a                      o-cache..
<= Recv header, 25 bytes (0x19)
0000: 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 content-type: te
0010: 78 74 2f 68 74 6d 6c 0d 0a                      xt/html..
<= Recv header, 52 bytes (0x34)
0000: 77 77 77 2d 61 75 74 68 65 6e 74 69 63 61 74 65 www-authenticate
0010: 3a 20 42 61 73 69 63 20 72 65 61 6c 6d 3d 22 72 : Basic realm="r
0020: *** ***
0030: 6b 22 0d 0a                                     k"..
== Info: Authentication problem. Ignoring this.
<= Recv header, 2 bytes (0x2)
0000: 0d 0a                                           ..
== Info: Received HTTP code 401 from proxy after CONNECT
== Info: CONNECT phase completed!
== Info: Closing connection 0
I also tried passing the username and password to curl via -u; no change.

Log of HAProxy itself:
Dec 29 17:29:59 en haproxy[80530]: IP1 [29/Dec/2021:17:29:59.163] ADDRESS PROXIES/PROXY-1 0/0/43/44/381 200 32357 - - ---- 1/1/0/0/0 0/0 "CONNECT yastatic.net:443 HTTP/1.1"
Dec 29 17:33:10 en haproxy[80530]: IP2 [29/Dec/2021:17:33:10.954] ADDRESS ADDRESS/ 0/-1/-1/-1/0 401 263 - - LR-- 1/1/0/0/0 0/0 "CONNECT yastatic.net:443 HTTP/1.1"


What am I doing wrong? Why does HAProxy allow access by IP, but not by user and password?
Some of the configurations Google turned up got HAProxy to respond with a 403 error instead of a 401, which did not really change the situation.
I tried to solve it by moving the authorization to nginx, but the Lua haproxy-auth-request script failed with the error "too many C levels (limit is 200) in function", so I abandoned that idea.
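Editor's note, an added configuration example that is not the poster's config and not an answer posted on this page. The two curl dumps above already point at the cause: curl sends its credentials in Proxy-Authorization (the proxy-side header), while HAProxy answers "401 Unauthorized" with www-authenticate, which is the challenge a web server sends, not a proxy. HAProxy's http_auth fetch and "http-request auth" action work in that server mode by default; the documented way to switch them to proxy semantics is "option http-use-proxy-header", whose documentation states that with this option set, a request which requires authentication automatically switches to the proxy authentication headers if it is itself a proxied request (one that carries a Proxy-Connection header, which both curl dumps show). The port, userlist and backend names below are taken from the post; the IP range, realm and password are placeholders.

```haproxy
# Added example (not the poster's config). Port, userlist and backend names
# are taken from the post; the IP range, realm and password are placeholders.
userlist L1
    # "insecure-password" keeps the secret in cleartext in the config file;
    # prefer "password <hash>" with a crypt(3) hash (e.g. from
    # "mkpasswd -m sha-256") so the config does not carry the secret.
    user user insecure-password CHANGE_ME

frontend FRONTEND
    bind *:48151
    mode http
    # Without this option, http_auth reads the Authorization header and
    # "http-request auth" answers 401 + WWW-Authenticate, which is what
    # the second curl dump shows. With it, a proxied request (one carrying
    # Proxy-Connection, which curl sends on its CONNECT) is checked against
    # Proxy-Authorization and challenged with 407 + Proxy-Authenticate.
    option http-use-proxy-header

    acl ipwhitelist src 203.0.113.0/24      # placeholder range (RFC 5737)
    acl auth_ok      http_auth(L1)

    http-request allow if ipwhitelist
    http-request allow if auth_ok
    http-request auth realm proxy if !ipwhitelist !auth_ok
    default_backend PROXIES
```

To check it, use curl's proxy credential option rather than -u (which is for the origin server): curl -U user:CHANGE_ME -x http://IP:48151 -o /dev/null -w '%{http_code}\n' https://example.com/ should now tunnel the CONNECT, and the same command without -U should receive a 407 instead of the 401 seen in the post. Two caveats a practitioner would want: the option only treats a request as proxied when it carries Proxy-Connection, so a client that omits that header (the RFC says it should) is still handled as a plain server request; and Basic credentials sent to a plain http:// proxy are base64 only, so unless the proxy listens over TLS (bind ... ssl crt ...) or is reachable only from trusted networks, anyone on the path can read the login:password pair.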
