Opserver
How to enable HAProxy admin access for Opserver so we can use the options such as DRAIN, MAINT?
Opserver is really the awesome-est monitoring tool I have come across! Been using it to monitor our SQL, Elasticsearch & now HAProxy.
Not able to figure out how to configure Opserver "adminUser" for HAProxy. Would be great to be able to manage frontend and backends.
To enable this, you'll need to configure an admin username and password in HAProxy, and then set "adminUser" and "adminPassword" on your config. Any user in the admin group for either HAProxy or globally will then see actions enabled :)
Hi all, I have a user for stats and it is working on OPServer for fetching logs.
But how can I define an adminuser for use in OPServer?
This is my config file. Where should I create the adminuser, and how can I do it?
```
#---------------------------------------------------------------------
#- Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local2 info
    chroot /var/opt/rh/rh-haproxy18/lib/haproxy
    pidfile /var/run/rh-haproxy18-haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/opt/rh/rh-haproxy18/lib/haproxy/stats
    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
#---------------------------------------------------------------------
#- common defaults that all the 'listen' and 'backend' sections will
#- use if not designated in their block
#---------------------------------------------------------------------
userlist admins
    group admin users admin
    user admin insecure-password admin
defaults
    mode http
    log global
    option httplog
    #option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
#---------------------------------------------------------------------
#- main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:7081
    stats enable
    stats auth statuser:statpassword
    stats hide-version
    stats show-node
    stats refresh 60s
    stats uri /haproxy?stats
    default_backend app
#---------------------------------------------------------------------
#- static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance roundrobin
    server static 127.0.0.1:4331 check
#---------------------------------------------------------------------
#- round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    balance roundrobin
    server app1 95.80.184.86:80 check
    server app2 95.80.184.92:80 check
```
Thank you.
This is how my backend (with modifications) looks for the stats, with working admin-tools to `DRAIN`, `MAINT` and `READY` backends and servers.
```
backend app
    ... snip snip ...
    acl AUTH http_auth(stats_user)
    acl AUTH_ADMIN http_auth_group(stats_user) admin
    ... snip snip ...
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats uri /haproxy?stats
    stats admin if AUTH_ADMIN
    stats http-request auth unless AUTH
    ... snip snip ...
```
.. and then the `userlist`, in my config, this is at the very top of the file.
```
userlist stats_user
    group admin users admin
    user admin password <some long password hash>
```
So, for your config to work, you need the `stats admin`, preferably with an ACL like I have above.
And you can have multiple users in a userlist, so if you want, you can also have one with view access (normal), and then an admin account for access to the admin methods.
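A small check for the stats settings discussed in this thread, added here as an example (it is not code from any participant or from the Opserver project). The function name `audit_stats_admin` and both sample configs are constructed for illustration; the check is a heuristic that only looks at `userlist`, `acl`, `stats enable` and `stats admin` lines.

```python
SECTIONS = {"global", "defaults", "userlist", "frontend", "backend", "listen"}

def audit_stats_admin(config_text):
    """Heuristic audit of HAProxy stats settings; returns (section, finding) tuples."""
    findings, section = [], "global"
    acls, admin_rules, stats_sections = {}, [], []
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif section.startswith("userlist") and words[0] == "user" and "insecure-password" in words:
            findings.append((section, f"user '{words[1]}' stores a cleartext password"))
        elif words[0] == "acl" and len(words) >= 3:
            acls.setdefault(section, {}).setdefault(words[1], []).append(words[2])
        elif words[:2] == ["stats", "admin"]:
            admin_rules.append((section, words[2:]))
        elif words[:2] == ["stats", "enable"]:
            stats_sections.append(section)
    for section, cond in admin_rules:
        # Admin actions should depend on an ACL built from http_auth_group(<userlist>).
        named = {w.lstrip("!") for w in cond[1:]}
        group_acls = {n for n, defs in acls.get(section, {}).items()
                      if any(d.startswith("http_auth_group(") for d in defs)}
        if cond[:1] != ["if"] or not named & group_acls:
            findings.append((section, "stats admin is not gated by an http_auth_group ACL"))
    for section in stats_sections:
        if all(section != s for s, _ in admin_rules):
            findings.append((section, "stats enabled but no 'stats admin' rule (read-only page)"))
    return findings

# Constructed samples shaped like the question's and the answer's configs (placeholder credentials).
QUESTION_STYLE = """
userlist admins
    user admin insecure-password example-only
frontend main
    stats enable
    stats auth statuser:statpassword
"""
ANSWER_STYLE = """
userlist stats_user
    group admin users admin
    user admin password <constructed-hash>
backend app
    acl AUTH_ADMIN http_auth_group(stats_user) admin
    stats enable
    stats admin if AUTH_ADMIN
"""
print(audit_stats_admin(QUESTION_STYLE), audit_stats_admin(ANSWER_STYLE))
```

The question-style sample yields two findings (cleartext password, no `stats admin` rule), and the answer-style sample yields none.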