> On 2 Dec 2017, at 08:47, Aleksandar Lazic <al-hapr...@none.at> wrote:
> 
> From: "Joao Morais" <l...@joaomorais.com.br> sent: 02.12.2017 00:53:33
> 
>> Hi, I have some apps that need to mimic an Apache httpd behavior on client 
>> certificate verification: require certificate only on some paths.
>> 
>> Apache does this implementing SSL renegotiation as briefly explained here[1].
>> 
>> Of course I can `mode tcp` proxy to an Apache instance to do that for me but 
>> my topology would be simplified if I could implement SSL renegotiation on 
>> HAProxy as soon as I can fetch the path sample.
>> 
>> Is there a way to accomplish this without using Apache httpd?
> You can use the following line to fulfil your request, untested.
> 
>  bind :443 ssl ca-file "${PATH_TO_CAFILE}" crl-file "${PATH_TO_CRLFILE}" 
> verify "${VERIFY_MODE}"
> 
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-ca-file
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crl-file
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-verify
> 
> You can add the following header to see if the client was successfully verified.
> 
> http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
> 
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-http-request
> 
> When you start haproxy with the environment variables PATH_TO_CAFILE and 
> PATH_TO_CRLFILE set to your paths and VERIFY_MODE=optional, you can test 
> whether the verification works.
> 
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#2.3

Thanks for the detailed explanation.

This is actually very close to my current setup and I'm looking for a way to 
avoid asking the user for the certificate in a browser if he doesn't request the 
/path that requires the certificate. HAProxy has a lot of L5/6 fetch samples, 
and with some keyword (unknown to me), perhaps I could implement an SSL 
renegotiation (or something like that) just like Apache httpd already implements.

Just to name an example: HAProxy doesn't have native support for configuring 
an HTTP response which explains to the user that he needs to provide a certificate 
(on one page) - and one signed by a known CA (on another page), but I got it 
working using verify optional and fetching the right L5 samples. The actual 
configuration however is far beyond my knowledge, in such a way that I simply 
cannot say whether this is even possible.

> I strongly suggest going through the manual several times, because it's 
> worth it and you learn a lot about haproxy ;-)

Sure, the link to the doc is already in my favourites =)

~jm
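The per-path setup discussed in this thread (verify optional on the bind line, then the ssl_c_used / ssl_c_verify samples to decide what to do), written out as an added example that is not from either poster; the certificate paths, the /secure prefix and the two explanatory pages are assumed placeholders:

```haproxy
frontend https-in
    # verify optional: a client without a certificate is still accepted at the
    # TLS layer, so public paths work; policy is applied per request below.
    # (paths are placeholders)
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/client-ca.pem verify optional

    # Requests under /secure (assumed prefix) must carry a verified client cert
    acl needs_cert     path_beg /secure
    # ssl_c_used is true only when the client actually sent a certificate
    acl cert_presented ssl_c_used
    # ssl_c_verify 0 means the chain validated against ca-file (X509_V_OK);
    # it must be tested after ssl_c_used, since a missing cert also yields 0
    acl cert_valid     ssl_c_verify 0

    # Protected path, no certificate at all: send the "you need a certificate" page
    http-request redirect location /no-cert.html if needs_cert !cert_presented
    # Protected path, certificate sent but not issued by a known CA: second page
    http-request redirect location /bad-cert.html if needs_cert cert_presented !cert_valid

    # Expose the verification result and subject to the backend for logging
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %[ssl_c_s_dn] if cert_presented

    default_backend app
```

This enforces the requirement per path, but because the CertificateRequest is still sent in every handshake it does not by itself stop a browser that holds a matching certificate from prompting the user; deferring that prompt until the path is known is what renegotiation gives Apache.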