Bug #5601

haproxy can only authenticate via plaintext

Added by Kim Steglin over 1 year ago. Updated over 1 year ago.



I have set up HAProxy to be able to stream any content from anywhere, without complicating the setup with VPN clients and such.
I do have a VPN, but all the clients do not support it or it is a hassle to set up, so keep that option not an option.
On travels I use Android TV with Kodi and tvheadend PVR (HTSP).
In my home I have set up passwordless access, and from anywhere else I have password access.
To benefit from this I'm using the option "PROXY protocol & X-Forwarded-For:" along with HAProxy's option forwardfor to get the client IP.

If I don't use X-Client-IP, the source will be my internal HAProxy, seeing it as local network, and the user will not need to authenticate, i.e. the headend server is wide open...
Therefore I'm using the client IP to determine the access control.
This is not a critical issue as I have SSL termination on the proxy, but it is disturbing.
As I'm unaware how the HTSP protocol works and it is set to plaintext auth, I feel insecure... Is this a critical issue or not?

The bug:
In this setup, I can only have plaintext authentication; digest authentication just sends 401 back to the client without an HTTP auth request.

Tvheadend settings,
user * allowed networks no password
user user1 allowed networks with password
user user2 allowed networks with password

Working with ONLY plaintext authentication set (digest and plain does not work)

HAProxy settings,
mode http
option forwardfor except

frontend http
bind *:80
redirect scheme https code 301 if !{ ssl_fc }

frontend https
bind *:443 ssl crt /valid/certificate.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https code 301 if !{ ssl_fc }

backend tv_ssl
server tv check
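
The client-IP decision described in the report above, as an added example that is not part of the original post and is not tvheadend's or HAProxy's own code. The addresses, network ranges and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values, not taken from the report.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]   # HAProxy host
PASSWORDLESS_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # home LAN


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, xff_headers):
    """Address to evaluate access control against, or None if unknown.

    peer_ip     -- source address of the TCP connection seen by the backend
    xff_headers -- all X-Forwarded-For header lines, in the order received
    """
    peer = ipaddress.ip_address(peer_ip)
    # Headers on a direct connection are client-controlled: ignore them.
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer
    # "option forwardfor" adds HAProxy's header after any header the client
    # supplied, so only the last value was written by the proxy.
    values = [v.strip() for line in xff_headers for v in line.split(",")]
    try:
        return ipaddress.ip_address(values[-1])
    except (IndexError, ValueError):
        # Proxied request without a usable header: never fall back to the
        # proxy's own LAN address, which would grant passwordless access.
        return None


def requires_password(peer_ip, xff_headers):
    client = effective_client_ip(peer_ip, xff_headers)
    return client is None or not _in_any(client, PASSWORDLESS_NETS)


if __name__ == "__main__":
    proxy = "192.168.1.10"
    for peer, headers in [
        (proxy, ["203.0.113.7"]),                  # remote client via proxy
        (proxy, ["192.168.1.50", "203.0.113.7"]),  # forged first header
        (proxy, []),                               # header missing
        ("192.168.1.50", []),                      # direct from home LAN
    ]:
        print(peer, headers, "password required:", requires_password(peer, headers))
```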



Updated by Kim Steglin over 1 year ago

VLC 3.0.7


Updated by Jaroslav Kysela over 1 year ago

Show the TCP communication (HTTP protocol) between your proxy and tvheadend for the digest authentication. You may use wireshark - TCP decode.


Updated by Flole Systems over 1 year ago

As far as I know, VLC (at least 3) doesn't support digest auth. If it works with a web browser, that's most likely the issue.


Updated by Kim Steglin over 1 year ago

If that is an issue with VLC, then this is a non-issue.

I thought it might be VLC spooking as well.
Then I have to rethink the setup to make it as secure as I feel comfortable.

I'm fine with the resolution.
Thanks for the time.


Updated by Flole Systems over 1 year ago

This just came to my mind and might help you: I noticed a while ago that when allowing digest and plain auth you can specify the data in the URL like https://user:[email protected]/mystream to get around this issue.


Updated by Kim Steglin over 1 year ago


You are correct.
And this is a VLC issue, not a tvheadend one.

Thanks once again.
