Basic authentication - Shopware 6

In this article you will learn how to protect your Shopware 6 instance with HTTP basic authentication if you are using HAProxy as a load balancer.


Prerequisites

  • Managed or unmanaged HAProxy server
  • Access to the creoline configuration file module (Managed) or SSH root access (Unmanaged)
  • Shopware 6 installation (configured as the backend)


General configuration

To protect the sales channel or the administration, a userlist section containing the permitted users must first be added to the HAProxy configuration.

# Userlist
userlist shopware
    # insecure-password stores the password in clear text in the configuration file;
    # HAProxy's "password" keyword accepts a crypt(3) hash instead (e.g. generated with mkpasswd)
    user creoline insecure-password "unencrypted-password"


Sales Channel & Administration

In the next step, the basic authentication is added to the HAProxy frontend. Please note that the Shopware administration sends its JWT in the Authorization header of its API requests, the same header basic authentication uses, so the API routes cannot additionally be protected with basic authentication.

# Frontend
frontend http_frontend

    # [...]

    # Disable basic auth on API routes for the JWT token exchange inside the Authorization header
    acl uri_shopware_api path_beg /api /store-api /product-api

    # Apply basic auth
    acl authenticated http_auth(shopware)
    acl ip_whitelist src 1.2.3.4 2.3.4.5 3.4.5.6

    http-request auth if !uri_shopware_api !authenticated !ip_whitelist

In this example, the basic-authentication challenge is returned if all of the following apply:

  • the ACL uri_shopware_api does not match, here: the path does not begin with /api, /store-api or /product-api
  • the ACL authenticated does not match, here: no valid login from userlist shopware was supplied
  • the ACL ip_whitelist does not match, here: the source IP is not 1.2.3.4, 2.3.4.5 or 3.4.5.6


Administration

In addition to protecting the whole Shopware instance, it is also possible to protect only the Shopware administration with basic authentication. Please note that the Shopware administration sends its JWT in the Authorization header of its API requests, the same header basic authentication uses, so the API routes cannot additionally be protected with basic authentication.

# Frontend
frontend http_frontend

    # [...]

    # Protected URIs
    acl uri_shopware_admin path_beg /admin

    # Disable basic auth on API routes for the JWT token exchange inside the Authorization header
    acl uri_shopware_api path_beg /api /store-api /product-api

    # Apply basic auth
    acl authenticated http_auth(shopware)
    acl ip_whitelist src 1.2.3.4 2.3.4.5 3.4.5.6

    http-request auth if uri_shopware_admin !uri_shopware_api !authenticated !ip_whitelist

In this example, the basic-authentication challenge is returned if all of the following apply:

  • the ACL uri_shopware_admin matches, here: the path begins with /admin
  • the ACL uri_shopware_api does not match, here: the path does not begin with /api, /store-api or /product-api
  • the ACL authenticated does not match, here: no valid login from userlist shopware was supplied
  • the ACL ip_whitelist does not match, here: the source IP is not 1.2.3.4, 2.3.4.5 or 3.4.5.6


Use of Cloudflare

If you protect Shopware via HAProxy behind Cloudflare (reverse proxy), the ACL ip_whitelist needs an additional adjustment, because HTTP requests now reach HAProxy from Cloudflare's edge servers and no longer from the actual client. Cloudflare transmits the client's real IP address in the HTTP header Cf-Connecting-Ip.

The ACL ip_whitelist must therefore be changed as follows in this case:

    acl ip_whitelist hdr(Cf-Connecting-Ip) 1.2.3.4 2.3.4.5 3.4.5.6

Please make sure that the Authenticated Origin Pull setting is enabled so that HAProxy only accepts connections from Cloudflare; otherwise a request sent directly to the HAProxy instance with a forged Cf-Connecting-Ip header would satisfy the ip_whitelist ACL and bypass basic authentication.


More information: https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/
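To check which requests the rules above would challenge before touching the live configuration, here is an added Python model of the three ACL variants (whole instance, Administration only, and the Cloudflare whitelist). It is example code written for this article, not part of HAProxy or creoline's configuration; the 203.0.113.x addresses and the header values are constructed sample input.

```python
import base64

# Values from the article's HAProxy snippets (sample credential, constructed)
USERLIST_SHOPWARE = {"creoline": "unencrypted-password"}
API_PREFIXES = ("/api", "/store-api", "/product-api")   # acl uri_shopware_api path_beg ...
ADMIN_PREFIXES = ("/admin",)                           # acl uri_shopware_admin path_beg ...
IP_WHITELIST = {"1.2.3.4", "2.3.4.5", "3.4.5.6"}       # acl ip_whitelist src / hdr(...)


def path_beg(path, prefixes):
    """HAProxy 'path_beg': true when the request path starts with any of the prefixes."""
    return any(path.startswith(p) for p in prefixes)


def basic_header(user, password):
    """Build the Authorization header a browser sends after the Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_auth(headers, userlist):
    """HAProxy 'http_auth(<userlist>)': Basic credentials valid for that userlist."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False  # missing header, or a Bearer JWT as sent by the Shopware admin
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return userlist.get(user) == pw


def client_ip(src_ip, headers, behind_cloudflare):
    """'src' when HAProxy is reached directly; 'hdr(Cf-Connecting-Ip)' behind Cloudflare.
    Behind Cloudflare the ACL trusts the header alone, which is why the article requires
    Authenticated Origin Pull: only Cloudflare may then reach HAProxy and set that header."""
    return headers.get("Cf-Connecting-Ip", "") if behind_cloudflare else src_ip


def challenge_required(path, src_ip, headers, admin_only=False, behind_cloudflare=False):
    """Mirror the 'http-request auth if ...' rule: True means HAProxy answers 401."""
    uri_shopware_api = path_beg(path, API_PREFIXES)
    authenticated = http_auth(headers, USERLIST_SHOPWARE)
    ip_whitelist = client_ip(src_ip, headers, behind_cloudflare) in IP_WHITELIST
    if admin_only and not path_beg(path, ADMIN_PREFIXES):
        return False  # the Administration variant only challenges paths under /admin
    return not uri_shopware_api and not authenticated and not ip_whitelist
```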