HAProxy: omitting authentication for a URI does not work

Time: 2018-09-20 14:54:02

Tags: haproxy

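I need to be able to omit authentication for a specific URI using haproxy, but I cannot get it to work with the following configuration file. When accessing whatever.server/app/my-app, I am still asked for login credentials.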

global
    maxconn 4096
    daemon

userlist myUsers
    user someUser insecure-password somePass

defaults
    mode http
    log 127.0.0.1 local1 debug
    option httplog

frontend all
    bind  0.0.0.0:80
    timeout client 86400000
    default_backend www_backend
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_webapp path_beg /app
    acl is_my_app path_beg /app/my-app
    acl auth_ok http_auth(myUsers)
    http-request auth unless auth_ok or is_websocket or is_my_app
    use_backend webapp_backend if is_webapp

backend www_backend
    balance roundrobin
    option forwardfor # This sets X-Forwarded-For
    option httpclose
    timeout server 1800000
    timeout connect 4000
    server server1 localhost:81 weight 1 maxconn 1024 check

backend webapp_backend
    balance roundrobin
    option forwardfor # This sets X-Forwarded-For
    option httpclose
    timeout server 1800000
    timeout connect 4000
    server server1 localhost:8800 weight 1 maxconn 1024 check

I am using haproxy v1.4

Edit

Also tried

http-request allow if is_my_app
http-request auth unless auth_ok or is_websocket

but it allows all URLs without authentication

1 answer:

Answer 0: (score: 0)

ACLs can be negated, as shown here: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.2
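# isOptions is referenced below but not defined in the answer;
# assumed here to match HTTP OPTIONS requests
acl isOptions method OPTIONS
acl url_static path_beg /app/my-app
acl AuthOkay_Web http_auth(myUsers)
http-request auth realm AuthYourself if !isOptions !url_static !AuthOkay_Web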

This is also explained at https://serverfault.com/a/874742/297275
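The negated form from the answer, applied to the question's frontend, as an added example that is not part of the original question or answer. It reuses the question's names (myUsers, is_my_app, the two backends) and the answer's realm; the split of is_my_app into an exact match plus a prefix with a trailing slash is an addition made here to keep the unauthenticated exemption from covering sibling paths.

```haproxy
userlist myUsers
    # insecure-password stores the password in clear text, as in the question
    user someUser insecure-password somePass

defaults
    mode http
    timeout connect 4000
    timeout client 86400000
    timeout server 1800000

frontend all
    bind 0.0.0.0:80
    default_backend www_backend

    # Upgrade is a client-supplied header; kept as in the question's config
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_webapp    path_beg /app

    # Exempt only /app/my-app itself and paths below /app/my-app/.
    # A bare "path_beg /app/my-app" would also match /app/my-app-admin
    # or /app/my-apparatus, which would then skip authentication too.
    # Two acl lines with the same name are ORed together.
    acl is_my_app path     /app/my-app
    acl is_my_app path_beg /app/my-app/

    acl auth_ok http_auth(myUsers)

    # Challenge only when no exemption applies and the credentials
    # did not validate (conditions listed on one line are ANDed).
    http-request auth realm AuthYourself if !is_my_app !is_websocket !auth_ok

    use_backend webapp_backend if is_webapp

backend www_backend
    server server1 localhost:81 check

backend webapp_backend
    server server1 localhost:8800 check
```

The file can be syntax-checked with `haproxy -c -f <file>` before reloading.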