All, I got it working, more or less: I can bypass HTTP basic auth in case there is an existing session of the user via the primary backend application. What's missing is the cleanup part of the dynamic ACLs after session timeout, where I need some help.
This is the working configuration:
---------------------------
# Monitor application response headers for keywords and update user ACL
acl has_disallowAPPUser res.hdr(X-APP-DisallowUser) -m found
acl has_allowAPPUser res.hdr(X-APP-AllowUser) -m found
http-response del-acl(/var/lib/haproxy/app_user_sessions.acl) %[res.hdr(X-APP-DisallowUser)] if has_disallowAPPUser
http-response add-acl(/var/lib/haproxy/app_user_sessions.acl) %[res.hdr(X-APP-AllowUser)] if has_allowAPPUser

# Monitor application response headers for keywords and update admin ACL
acl has_disallowAPPAdmin res.hdr(X-APP-DisallowAdmin) -m found
acl has_allowAPPAdmin res.hdr(X-APP-AllowAdmin) -m found
http-response del-acl(/var/lib/haproxy/app_admin_sessions.acl) %[res.hdr(X-APP-DisallowAdmin)] if has_disallowAPPAdmin
http-response add-acl(/var/lib/haproxy/app_admin_sessions.acl) %[res.hdr(X-APP-AllowAdmin)] if has_allowAPPAdmin

# Check session cookie
acl is_appuser_session req.cook(HOANOHOSESSID) -f /var/lib/haproxy/app_user_sessions.acl
acl is_appadmin_session req.cook(HOANOHOSESSID) -f /var/lib/haproxy/app_admin_sessions.acl

# Monitor last session activity
http-request del-map(/var/lib/haproxy/app_user_sessions.map) %[req.cook(HOANOHOSESSID)] if is_appuser_session
http-request set-map(/var/lib/haproxy/app_user_sessions.map) %[req.cook(HOANOHOSESSID)] %[date()] if is_appuser_session
http-request del-map(/var/lib/haproxy/app_admin_sessions.map) %[req.cook(HOANOHOSESSID)] if is_appadmin_session
http-request set-map(/var/lib/haproxy/app_admin_sessions.map) %[req.cook(HOANOHOSESSID)] %[date()] if is_appadmin_session

# Do not show X-APP headers to the frontend user
rspidel ^X-APP-DisallowUser:.* if has_disallowAPPUser
rspidel ^X-APP-AllowUser:.* if has_allowAPPUser
rspidel ^X-APP-DisallowAdmin:.* if has_disallowAPPAdmin
rspidel ^X-APP-AllowAdmin:.* if has_allowAPPAdmin
---------------------------
My HAProxy is reloading its configuration via cron every 5 minutes anyway (to re-create the userlists for basic auth).
This also cleans the dynamic ACLs, which is basically good, but of course it breaks running connections for active sessions until they reload any site of the primary backend to have the ACL re-created. My idea is to track active sessions in a map (session and activity timestamp). I would then get the current map before reloading the HAProxy daemon and write the sessions to be kept to /var/lib/haproxy/app_*_sessions.acl, so the daemon can read them from the file after the reload. That's what the map definitions should be for, but it seems they are not working as expected, as "show map" does not offer their content. Would somebody mind helping me with the map definition? Many thanks, Julian
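One way to do the pre-reload cleanup sketched above, as an added example that is not from the original post: a shell function that takes the `show map` output of the stats socket (one `<ptr> <key> <value>` line per entry) plus an idle timeout, keeps only the session cookies whose last-activity timestamp is recent enough, and rewrites the `-f` ACL file atomically before the cron reload. The idle timeout, the reference time, the stats socket path `/var/run/haproxy.sock` and the use of `socat` are all assumptions; the map values are taken to be the epoch seconds that `%[date()]` writes.

```sh
#!/bin/sh
# Added example (not from the post): filter a "show map" dump down to the
# sessions still considered active.
#   $1 = idle timeout in seconds, $2 = reference time as epoch seconds
#   stdin = "show map <file>" output, one "<ptr> <key> <value>" per line
# Prints one session key per line, i.e. the format an "-f" ACL file expects.
active_sessions() {
    timeout="$1"; now="$2"
    awk -v t="$timeout" -v now="$now" '
        # skip malformed lines and values that are not an epoch timestamp
        NF >= 3 && $3 ~ /^[0-9]+$/ && (now - $3) <= t { print $2 }'
}

# Rewrite the ACL file via a temp file + rename, so a reload that races with
# this script never reads a half-written file and lets nobody through by accident.
#   $1 = idle timeout, $2 = reference time, $3 = target ACL file (stdin as above)
refresh_acl_from_map() {
    tmp="$3.tmp.$$"
    active_sessions "$1" "$2" > "$tmp" && mv "$tmp" "$3"
}

# Glue for a real pre-reload run (assumed socket path and 30 minute idle timeout):
# echo "show map /var/lib/haproxy/app_user_sessions.map" \
#   | socat stdio /var/run/haproxy.sock \
#   | refresh_acl_from_map 1800 "$(date +%s)" /var/lib/haproxy/app_user_sessions.acl
```

Run the same pipeline once per map (user and admin) right before the cron job reloads the daemon; sessions that are past the timeout simply drop out of the ACL file and fall back to basic auth.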

