Hello,

On Thu, 3 Dec 2020 at 16:17, Yossi Nachum <[email protected]> wrote:
>
> Hi,
> I'm using haproxy 1.8
> This is my global and frontend configuration which include user auth:
> [...]
>   acl network_allowed src,map_ip_int(/etc/haproxy/allowed_ips.lst,0) -m int eq 1
>   acl users_allowed hdr(MD5UP),map(/etc/haproxy/allowed_users.lst) -m found
>   http-request auth realm Bis if network_allowed BASIC_AUTH !users_allowed
>   http-request auth realm Bis if !users_allowed !network_allowed
>   http-request reject unless network_allowed || users_allowed

I assume you are reloading haproxy to apply this change. This means
that an older haproxy process will keep running with the old data.

Some ideas:

- restart instead of reloading, dropping all sessions immediately (but
also killing in-flight transactions)
- configure hard-stop-after to an acceptable value for you, to limit
the amount of time haproxy runs with old configurations
- apply the changes to the map file via admin socket, instead of
requiring a new haproxy process to spawn

Haproxy can't know whether a session has an old password or not. This
is handled at transaction level, not at session level. The only thing
you can do is kill all sessions with an IP address that is not in
network_allowed, manually.



cheers,
lukas
