Hi,
I'm using haproxy 1.8
This is my global and frontend configuration, which includes user auth:

global
  log /var/lib/haproxy/dev/log local0 info
  stats socket /run/haproxy.sock mode 660 level admin
  stats timeout 30s
  daemon
  pidfile /var/run/haproxy.pid
  maxconn 200000
  nbproc 1
  tune.maxrewrite 16384
  tune.bufsize 32768
  max-spread-checks 5s
  spread-checks 25
  lua-load /etc/haproxy/md5_converter.lua

defaults
  mode http
  option dontlognull
  option abortonclose
  timeout check 8s
  timeout connect 10s
  timeout client  300s
  timeout server  300s
  timeout queue 50s
  retries 3
  maxconn 200000
  option redispatch
  option http-use-proxy-header

frontend general
  log /var/lib/haproxy/dev/log local0 info
  bind *:8000
  option httplog

  acl BASIC_AUTH hdr_beg(Proxy-Authorization) "Basic "
  http-request set-var(req.username_string) hdr(Proxy-Authorization),regsub(^Basic\ ,),b64dec,field(1,":") if BASIC_AUTH
  http-request set-var(req.password_string) hdr(Proxy-Authorization),regsub(^Basic\ ,),b64dec,field(2,":") if BASIC_AUTH
  http-request set-header MD5UP %[var(req.password_string),lua.md5]
  http-request set-header MD5UP "%[var(req.username_string)]%[hdr(MD5UP)]"

  acl network_allowed src,map_ip_int(/etc/haproxy/allowed_ips.lst,0) -m int eq 1
  acl users_allowed hdr(MD5UP),map(/etc/haproxy/allowed_users.lst) -m found
  http-request auth realm Bis if network_allowed BASIC_AUTH !users_allowed
  http-request auth realm Bis if !users_allowed !network_allowed
  http-request reject unless network_allowed || users_allowed 


Thanks,
Yossi

-----Original Message-----
From: Lukas Tribus <[email protected]> 
Sent: Thursday, December 3, 2020 5:05 PM
To: Yossi Nachum <[email protected]>
Cc: [email protected]
Subject: Re: end all sessions for specific user

Hello,

On Thu, 3 Dec 2020 at 15:32, Yossi Nachum <[email protected]> wrote:
>
> Hi,
>
>
>
> I have a haproxy configuration that is based on a file with username and password.
>
> When I disable a user his new sessions are blocked with 407 but his 
> old/current sessions are still processed

Please share your configuration and haproxy release.

I think you may be in tunnel mode, where haproxy does not have visibility to 
subsequent transactions.


Lukas
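
Added example, not part of the original thread: a Python model of how the frontend in the first message derives the MD5UP lookup key, useful for generating or auditing allowed_users.lst entries. It assumes the custom lua.md5 converter returns a lowercase hex MD5 digest (the Lua file is not shown); the helper names and the sample map are constructed. Note that field(2,":") keeps only the text between the first and second colon, so a password containing ":" is checked on its first segment only.

```python
import base64
import hashlib

def md5up_key(proxy_authorization):
    """Model the MD5UP value built when the BASIC_AUTH acl matches, else None."""
    prefix = "Basic "
    if not proxy_authorization.startswith(prefix):  # acl BASIC_AUTH hdr_beg(...)
        return None
    try:
        raw = base64.b64decode(proxy_authorization[len(prefix):], validate=True)
        decoded = raw.decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8; treated here as "no key"
        return None
    fields = decoded.split(":")
    username = fields[0]                              # field(1,":")
    password = fields[1] if len(fields) > 1 else ""   # field(2,":"): one field only
    # Assumption: lua.md5 returns the lowercase hex MD5 of its input.
    return username + hashlib.md5(password.encode("utf-8")).hexdigest()

def load_map_keys(map_text):
    """Return the keys (first column) of HAProxy map text, skipping comments."""
    keys = set()
    for line in map_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split()[0])
    return keys

def users_allowed(proxy_authorization, keys):
    """Equivalent of: acl users_allowed hdr(MD5UP),map(...) -m found"""
    key = md5up_key(proxy_authorization)
    return key is not None and key in keys

def basic(user, password):
    """Build a Proxy-Authorization value for the constructed samples below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample map; not the real /etc/haproxy/allowed_users.lst.
SAMPLE_MAP = "# user+md5 1\n" + md5up_key(basic("alice", "s3cret")) + " 1\n"

if __name__ == "__main__":
    keys = load_map_keys(SAMPLE_MAP)
    print(users_allowed(basic("alice", "s3cret"), keys))    # listed user
    print(users_allowed(basic("alice", "wrong"), keys))     # wrong password
    # A password containing ":" is cut at the first colon by field(2,":").
    print(md5up_key(basic("bob", "pa:ss")) == md5up_key(basic("bob", "pa:other")))
```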
