3.4. Userlists

It is possible to control access to frontend/backend/listen sections or to
http stats by allowing only authenticated and authorized users. To do this,
it is required to create at least one userlist and to define users.

userlist <listname>

  Creates new userlist with name <listname>. Many independent userlists can be
  used to store authentication & authorization data for independent customers.

group <groupname> [users <user>,<user>,(...)]

  Adds group <groupname> to the current userlist. It is also possible to
  attach users to this group by using a comma separated list of names
  preceded by the "users" keyword.

user <username> [password|insecure-password <password>] [groups <group>,<group>,(...)]

  Adds user <username> to the current userlist. Both secure (encrypted) and
  insecure (unencrypted) passwords can be used. Encrypted passwords are
  evaluated using the crypt(3) function, so depending on the system's
  capabilities, different algorithms are supported. For example, modern Glibc
  based Linux systems support MD5, SHA-256, SHA-512, and, of course, the
  classic DES-based method of encrypting passwords.

  Attention: Be aware that using encrypted passwords might cause significantly
  increased CPU usage, depending on the number of requests, and the algorithm
  used. For any of the hashed variants, the password for each request must
  be processed through the chosen algorithm, before it can be compared to the
  value specified in the config file. Most current algorithms are deliberately
  designed to be expensive to compute to achieve resistance against brute
  force attacks. They do not simply salt/hash the clear text password once,
  but thousands of times. This can quickly become a major factor in haproxy's
  overall CPU consumption!

Example:

    userlist L1
      group G1 users tiger,scott
      group G2 users xdb,scott
      user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
      user scott insecure-password elgato
      user xdb insecure-password hello

    userlist L2
      group G1
      group G2
      user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
      user scott insecure-password elgato groups G1,G2
      user xdb insecure-password hello groups G2

  Please note that both lists are functionally identical.
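
The two declaration styles and the password kinds described above can be audited mechanically. The following Python sketch is an added example, not part of the HAProxy documentation or code base: it parses userlist sections, resolves group membership from both styles, and reports which users have a cleartext password in the config. It assumes the input contains only userlist sections with whitespace-separated tokens; the function names are hypothetical and the sample hash is a placeholder for the truncated one in the example.

```python
import re

# Constructed sample: the page's two lists; the truncated hash is a placeholder.
SAMPLE = """\
userlist L1
  group G1 users tiger,scott
  group G2 users xdb,scott
  user tiger password $6$SALT$PLACEHOLDER
  user scott insecure-password elgato
  user xdb insecure-password hello
userlist L2
  group G1
  group G2
  user tiger password $6$SALT$PLACEHOLDER groups G1
  user scott insecure-password elgato groups G1,G2
  user xdb insecure-password hello groups G2
"""

SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # crypt(3) ids named on the page

def scheme_of(hashed):  # classify by $id$ prefix; no prefix means classic DES
    m = re.match(r"\$([^$]+)\$", hashed)
    return SCHEMES.get(m.group(1), "other") if m else "DES"

def parse_userlists(text):
    """Return {list: {"members": {group: set(users)}, "creds": {user: kind}}}."""
    lists, cur = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "userlist" and len(tok) > 1:
            cur = lists.setdefault(tok[1], {"members": {}, "creds": {}})
        elif cur is not None and tok[0] == "group" and len(tok) > 1:
            users = tok[3].split(",") if tok[2:3] == ["users"] and len(tok) > 3 else []
            cur["members"].setdefault(tok[1], set()).update(users)
        elif cur is not None and tok[0] == "user" and len(tok) > 1:
            opts = dict(zip(tok[2::2], tok[3::2]))  # keyword/value pairs
            if "insecure-password" in opts:
                cur["creds"][tok[1]] = "cleartext"
            elif "password" in opts:
                cur["creds"][tok[1]] = scheme_of(opts["password"])
            for g in filter(None, opts.get("groups", "").split(",")):
                cur["members"].setdefault(g, set()).add(tok[1])
    return lists

def cleartext_users(lists):  # (userlist, user) pairs stored unhashed in the config
    return sorted((n, u) for n, l in lists.items()
                  for u, k in l["creds"].items() if k == "cleartext")
```

Comparing `parse_userlists(SAMPLE)["L1"]` with `["L2"]` confirms the note that both lists are functionally identical, and `cleartext_users` returns scott and xdb for each list.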