Edge Lb DocumentationEdge-LB uses templates to configure load balancing settings. This tutorial demonstrates how you can create a custom haproxy template for Edge-LB to support Basic authentication.
In this tutorial, you use settings in the custom haproxy template to create at a simple userlist that defines the authenticated and authorized users who are allowed access using frontend and backend configuration settings.
Before you begin
You must have:
- An active and properly-configured DC/OS Enterprise cluster.
- Edge-LB installed as described in the Edge-LB installation instructions.
- The
edgelbcommand-line interface (CLI) installed.
Create a custom template
To create a custom template for basic authentication:
-
Install Edge-LB as described Installing Edge-LB.
-
Create an Edge-LB pool as described in Expose and load balance a service.
-
Fetch the template for the Edge-LB pool you created in the previous step and save it to a file named
haproxy.tmpl:dcos edgelb template show <pool-name> > haproxy.tmplFor example, if you created the
ping-lbpool, use the command:dcos edgelb template show ping-lb > haproxy.tmpl -
Open the
haproxy.tmpltemplate you created in the previous step in a text editor. -
Modify the
haproxy.tmplfile to create abasic-authuser list with user names and passwords for a set of regular and administrative users:userlist basic-auth group regular-users group admin-users user admin password ASYRtiLFCipT6 groups admin-users user drew password n5se4LwUfAW1sqA groups regular-users user luz password x18R29iAdV/$1QU groups regular-users user guest insecure-password guestpassword -
Create an access control list (ACL) rule inside the
backendsection for the users and groups you defined in theuserlistwho are allowed to access the load balanced service:acl example-auth http_auth(basic-auth) http-request auth realm example unless example-auth -
Create an access control list (ACL) rule inside the
backendsection to grant different access rights to users who belong to theadmin-usersgroup that you defined in theuserlist:acl itadmin-auth http_auth_group(basic-auth) admin-users http-request auth realm itadmin unless itadmin-auth -
Create additional access control list (ACL) rules inside the
frontendsection to grant limited access to the users who do not belong to theadmin-usersorregular-usersgroups that you defined in theuserlist:acl guest-users hdr_dom(host) -i guest.example.org acl basic-auth-user http_auth(basic-auth) acl basic-auth-user-with-group http_auth_group(basic-auth) admin-users regular-users http-request auth realm guest if guest-users !basic-auth-user OR guest-users basic-auth-user-with-group use_backend web-guest-production if guest-users -
Verify your user list and the access control rules you have set for the
frontendandbackendsections:userlist basic-auth group regular-users group admin-users user admin password ASYRtiLFCipT6 groups admin-users user drew password n5se4LwUfAW1sqA groups regular-users user luz password x18R29iAdV/$1QU groups regular-users user guest insecure-password guestpassword frontend web bind :80 #bind :443 ssl crt /etc/ssl/cert/ option httplog log /dev/log local0 debug option forwardfor except 127.0.0.1 option forwardfor header X-Real-IP #redirect scheme https code 301 if !{ ssl_fc } # ACL rule for general access for users defined in backend acl example hdr_dom(host) -i example.org use_backend web-example-production if example # ACL rule for admin-users group member defined in the backend acl itadmin hdr_dom(host) -i itadmin.example.org use_backend web-example-production if itadmin # ACL rules for guests who are not admin-users or regular-users acl guest-users hdr_dom(host) -i guest.example.org acl basic-auth-user http_auth(basic-auth) acl basic-auth-user-with-group http_auth_group(basic-auth) admin-users regular-users http-request auth realm guest if guest-users !basic-auth-user OR guest-users basic-auth-user-with-group use_backend web-guest-production if guest-users backend web-example-production acl example-auth http_auth(basic-auth) http-request auth realm example unless example-auth mode http server example 10.0.10.15:80 backend web-itadmin-production acl itadmin-auth http_auth_group(basic-auth) admin-users http-request auth realm itadmin unless itadmin-auth mode http server itadmin 10.0.10.16:80 backend web-guest-production mode http server guest 10.0.10.17:80 -
Update the Edge-LB pool to use the custom template:
dcos edgelb template update <pool-name> haproxy.tmplFor example, if the pool is
ping-lb, use the command:dcos edgelb template update ping-lb haproxy.tmpl