UI webserver authentication issues

Hi team,

I am using the YugabyteDB Open Source version and we found it very hard to have authentication set on the 15433 UI page!

Secondly, when I tried to use the flags
webserver_password_file and webserver_authentication_domain for tserver and master, it fails on creation with the error
Webserver: Invalid option: global_passwords_file
and I think this is because of a bug in the code where:

| YugabyteDB webserver.cc passes | Squeasel expects |
|---|---|
| "global_passwords_file" | "global_auth_file" |

The option name doesn’t match, so get_option_index() returns -1, Squeasel logs "Invalid option: global_passwords_file", calls free_context(ctx), returns NULL, and then YugabyteDB sees context_ == nullptr.

We would love to have this solved, please, and to have the general UI on 15433 get an authentication layer.

We would love to know how we can hide the UI (on 9000, 7000 and 15433) behind an auth page or something. Do you have any suggestions, please?

Thank you

Hi @maxernstscr

How did you use them exactly?

Please pass exact commands and exact errors.

What is Squeasel?

Note that 7000(yb-master), 9000(yb-tserver), and 15433(yugabyte-ui) are all different processes.

Can you check "yb-tserver configuration reference | YugabyteDB Docs"? Same for yb-master: "All YB-Master flags | YugabyteDB Docs".


Note that the best way is to put a reverse http proxy in front of them.

yugabyted.conf

{
"master_flags": "hide_dead_node_threshold_mins=1,webserver_password_file=/home/yugabyte/zone4/.htpasswd,webserver_authentication_domain=mydomain.com",
"tserver_flags": "webserver_password_file=/home/yugabyte/zone4/.htpasswd,webserver_authentication_domain=mydomain.com"
}

Errors from logs:

Log file created at: 2026/02/20 15:07:07
Current UTC time: 2026/02/20 15:07:07
Running on machine:${myhostipaddress}.com
Application fingerprint: version 2025.2.0.0 build 131 revision 73eac3c9f1b96c84a8284af85ea3579b75832d9a build_type RELEASE built at 04 Dec 2025 18:21:29 UTC
Running duration (h:mm:ss): 0:00:00
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
F0220 15:07:07.495572 21 master_main.cc:143] Network error (yb/server/webserver.cc:464): Webserver: Could not start on address : ${myhostipaddress}.com:7000

I0220 15:07:07.482846 21 webserver.cc:368] Document root: /home/yugabyte/www

I0220 15:07:07.482857 21 webserver.cc:423] Webserver: Password file is /home/yugabyte/zone4/.htpasswd

I0220 15:07:07.483160 21 webserver.cc:354] Webserver listen spec is ${myhostipaddress}:7000

I0220 15:07:07.483174 21 webserver.cc:579] Webserver: Invalid option: global_passwords_file

W0220 15:07:07.483183 21 net_util.cc:543] Failed to bind to 0.0.0.0:7000. Trying to use lsof to find any processes listening on the same port:

I0220 15:07:07.483194 21 net_util.cc:502] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:7000' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:7000' -sTCP:LISTEN | cut -f 2 -dp) ; do while [ $pid -gt 1 ] ; do ps h -fp $pid ; pid=$(sed 's/.* (.) [^ ] ([0-9]).*/\1/g' /proc/$pid/stat); done ; done

I0220 15:07:07.495558 21 net_util.cc:510]

F0220 15:07:07.495572 21 master_main.cc:143] Network error (yb/server/webserver.cc:464): Webserver: Could not start on address ${myhostipaddress}:7000

When I remove these 2 flags everything runs without issues.

And for the second question:

I was just looking at your repo, yugabyte-db/src/yb/server/webserver.cc at a2df0514f33051c77ae8cae8c29344be18e89903 · yugabyte/yugabyte-db · GitHub,

finding where this “global_passwords_file” variable is coming from or used!

Also, how can I please put a reverse proxy behind them if I deploy this on Linux hosts and want to create a distributed cluster connecting different machines? They need to join each other using the advertise_address, no? How can I achieve the same if I deploy it on the host and restrict it to only 127.0.0.1?

See Default ports reference | YugabyteDB Docs

They contact each other on ports 7100 & 9100.

7000/9000 are read-only UI. You put a reverse proxy only on 7000/9000.
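
Added example, not part of the thread and not YugabyteDB's own configuration: one way to set up the reverse proxy suggested above, using nginx with TLS and HTTP basic auth in front of the 7000 and 9000 UIs while the 7100/9100 RPC ports stay untouched. The external ports, hostname, certificate paths and htpasswd path are placeholders, and it assumes direct client access to 7000/9000 is blocked separately (for example by a host firewall).

```nginx
# Constructed example for one node; place inside the http {} context
# (for instance as a file under conf.d/). All names and paths are placeholders.

# yb-master UI (upstream port 7000)
server {
    listen 8443 ssl;                               # hypothetical external port
    server_name yb-node1.example.internal;         # placeholder hostname

    ssl_certificate     /etc/nginx/tls/yb-ui.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/yb-ui.key;

    # Authentication is enforced here, so the webserver_password_file flag
    # that fails in the thread is not needed on yb-master.
    auth_basic           "YugabyteDB master UI";
    auth_basic_user_file /etc/nginx/yb-ui.htpasswd;

    location / {
        # Use the node's own address instead of loopback if the UI
        # is not listening on 127.0.0.1.
        proxy_pass http://127.0.0.1:7000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Authorization "";         # keep credentials at the proxy
    }
}

# yb-tserver UI (upstream port 9000)
server {
    listen 9443 ssl;                               # hypothetical external port
    server_name yb-node1.example.internal;

    ssl_certificate     /etc/nginx/tls/yb-ui.crt;
    ssl_certificate_key /etc/nginx/tls/yb-ui.key;

    auth_basic           "YugabyteDB tserver UI";
    auth_basic_user_file /etc/nginx/yb-ui.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Authorization "";
    }
}
```

The proxy only protects the UIs if 7000 and 9000 cannot be reached around it, so check from a client machine that the direct ports are refused and that the proxied ports return 401 without credentials.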