For now, I'm authenticating users through a web form (this is still the POC phase).
I want to be able to authenticate users through the Authentication header too.
And why not the situation you're describing, if it makes sense for third parties.

For now, any unauthenticated user is redirected to my daemon until
authenticated.
Once authenticated, HAProxy's map is updated on the fly and HAProxy
knows how to use the MAP to let the user pass to the server and inject
credentials (and later a token like a cookie).

My very first need is to present a web form for authentication, then
make HAProxy able to authenticate the user using BASIC onto the
server.
For example, I can access the HAProxy stats page authenticated in Basic
just by filling a web form. Credentials are validated in an LDAP, group
membership as well.

Radius will be just a "module" which could be used instead of or in
conjunction with LDAP and any other backend such as *SQL servers or
maybe third party webservices.

Your authentication through HTTP headers is simply the way my daemon
could collect credentials before validating them.

But there are still many things to do and to decide, mainly on session
expiration, etc...

So just keep on reporting to me the features you would like in such a daemon
and who knows, you may have some surprise...

Baptiste



On Tue, Mar 18, 2014 at 4:16 PM, Patrick Hemmer <patr...@stormcloud9.net> wrote:
> I'm assuming it'll be generic authentication. What information will be made
> available to the auth daemon? Just the Authorization header?
>
> I would love a feature that allowed any/multiple headers to be passed
> through. We use haproxy on an API service, which all incoming requests must
> pass in a key and signature. The signature is a hash of a secret token, the
> URI and several headers. Currently each backend application that receives
> the request has to perform the authentication, but it would be awesome if we
> could leverage this auth daemon to perform the authentication before passing
> the request through.
>
> -Patrick
>
> ________________________________
> From: Baptiste <bed...@gmail.com>
> Sent: 2014-03-18 11:03:56 E
> To: Roel Cuppen <r...@cuppie.com>
> CC: HAProxy <haproxy@formilux.org>
> Subject: Re: Radius authentication
>
> Well, I'm currently writing a piece of code which stands behind
> HAProxy and whose purpose is to authenticate a user.
> Once authenticated, it updates HAProxy who, in turn, lets the user
> browse the application and sets authentication requirement on the fly.
>
> I think OTP will be possible :)
>
> Still a lot of work to do on this project and HAProxy needs some
> patches as well, so I can't say more for now.
> Just stay tuned, I'll update the ML once done :)
>
> That said, if you have some requirements, this is the moment :)
>
> Baptiste
>
>
> On Tue, Mar 18, 2014 at 2:04 PM, Roel Cuppen <r...@cuppie.com> wrote:
>
> Hi Baptiste,
>
> Many thanks for your explanation.
> What kind of daemon is it ?
>
>
> OTP = One Time Password.
>
> Kind regards,
>
> Roel
>
>
> 2014-03-18 11:03 GMT+01:00 Baptiste <bed...@gmail.com>:
>
> Hi Roel,
>
> Let's say there are currently some developments in that way.
> It won't be part of HAProxy, but rather a third party daemon
> interacting deeply with HAProxy.
>
> What do you mean by OTP?
>
> Baptiste
>
>
>
> On Mon, Mar 17, 2014 at 9:43 PM, Roel Cuppen <r...@cuppie.com> wrote:
>
> Hi,
>
> I would like to know if it is possible to add radius authentication, so that
> the http authentication users can exist in a radius database.
>
> Whenever a radius authentication feature is active, it's possible to add
> OTP authentication.
>
> Kind regards,
>
> Cuppie
>
>
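
The per-request check Patrick describes (a key plus a signature computed from a secret token, the URI and several headers), written as an added Python example that is not code from this thread or from HAProxy. The header names, the list of signed headers, the sample key store and the use of HMAC-SHA256 in place of the unspecified hash are assumptions.

```python
import hashlib
import hmac

# Assumed names: the thread does not name the headers or the hash function.
KEY_HEADER = "x-api-key"
SIG_HEADER = "x-signature"
SIGNED_HEADERS = ("host", "date", "content-type")  # hypothetical signed set

# Constructed sample key store: API key -> secret token.
SECRETS = {"demo-key": b"constructed-secret-token"}


def canonical_string(uri, headers):
    """Build the bytes that get signed: the URI, then each signed header.

    Raises KeyError when a signed header is absent, so a client cannot
    drop a header to keep it out of the signature, and ValueError on line
    breaks, which would make the field boundaries ambiguous.
    """
    parts = [uri] + [f"{name}:{headers[name].strip()}" for name in SIGNED_HEADERS]
    if any("\n" in p or "\r" in p for p in parts):
        raise ValueError("line break in signed field")
    return "\n".join(parts).encode("utf-8")


def sign(secret, uri, headers):
    """Hex HMAC-SHA256 of the canonical string, keyed with the secret token."""
    return hmac.new(secret, canonical_string(uri, headers), hashlib.sha256).hexdigest()


def verify_request(uri, raw_headers):
    """Return True only if the request carries a known key and a valid signature."""
    headers = {k.lower(): v for k, v in raw_headers.items()}  # names are case-insensitive
    secret = SECRETS.get(headers.get(KEY_HEADER, ""))
    presented = headers.get(SIG_HEADER, "")
    if secret is None or not presented:
        return False
    try:
        expected = sign(secret, uri, headers)
    except (KeyError, ValueError):
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), presented.lower().encode("utf-8", "replace"))
```
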
