> On 2 Dec 2017, at 08:47, Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> From: "Joao Morais" <l...@joaomorais.com.br>, sent: 02.12.2017 00:53:33
>
>> Hi, I have some apps that need to mimic an Apache httpd behavior on client
>> certificate verification: require a certificate only on some paths.
>>
>> Apache does this by implementing SSL renegotiation, as briefly explained here[1].
>>
>> Of course I can `mode tcp` proxy to an Apache instance to do that for me, but
>> my topology would be simplified if I could implement SSL renegotiation on
>> HAProxy as soon as I can fetch the path sample.
>>
>> Is there a way to accomplish this without using Apache httpd?
>
> You can use the following line to fulfil your request, untested.
>
> bind :443 ssl ca-file "${PATH_TO_CAFILE}" crl-file "${PATH_TO_CRLFILE}" verify "${VERIFY_MODE}"
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-ca-file
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crl-file
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-verify
>
> You can add the following header to see if the client was successfully verified.
>
> http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-http-request
>
> When you start haproxy with the environment variables PATH_TO_CAFILE and
> PATH_TO_CRLFILE set to your paths and VERIFY_MODE=optional, you can test whether
> the verification works.
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#2.3
Thanks for the detailed explanation. This is actually very close to my current setup, and I'm looking for a way to avoid asking the user for the certificate in a browser if he doesn't request the /path that requires the certificate. HAProxy has a lot of L5/6 sample fetches, and with some keyword unknown to me, perhaps I could implement an SSL renegotiation (or something like that) just like Apache httpd already implements.

Just to name an example: HAProxy doesn't have native support for configuring an HTTP response which explains to the user that he needs to provide a certificate (on one page), and one signed by a known CA (on another page), but I got it working using verify optional and fetching the right L5 samples. The actual configuration, however, is far beyond my knowledge, in such a way that I simply cannot say whether this is even possible.

> I strongly suggest going through the manual several times, because it's worth
> it and you learn a lot about haproxy ;-)

Sure, the link to the doc is already in my favourites =)

~jm
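For readers who want to see what "verify optional plus the right L5 samples" looks like in practice, here is a configuration in the style of the HAProxy 1.7 documentation linked above. It is an added example, not configuration posted by anyone in this thread; the paths, certificate file names, backend names and error-page file names are assumptions.

```haproxy
# Added example (not from the thread): require a verified client certificate on
# some paths only, and serve a dedicated explanatory page for each failure mode.
# File names, paths and backend names are assumptions.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # 'verify optional' requests a client certificate from every client but does
    # not close the connection when none is sent. 'ca-ignore-err all' and
    # 'crt-ignore-err all' keep the handshake alive even when a presented
    # certificate fails verification, so the failure can be inspected and
    # explained at the HTTP layer instead of surfacing as a bare TLS alert.
    # Consequence: the TLS layer enforces nothing any more; the ACLs below are
    # the only check, so every protected path must pass through them.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/clients-ca.pem crl-file /etc/haproxy/certs/clients-ca.crl verify optional ca-ignore-err all crt-ignore-err all

    # Paths that need a client certificate (assumed prefix).
    acl need_cert  path_beg /secure/

    # L5 samples. ssl_c_used is true when the session carries a client
    # certificate (also across session resumption). ssl_c_verify is 0 on
    # success and the OpenSSL X509_V_ERR_* code otherwise; note it is ALSO 0
    # when no certificate was presented at all, so it must never be tested
    # without ssl_c_used.
    acl has_cert   ssl_c_used
    acl cert_ok    ssl_c_verify 0

    # Hand the result to the application (the header from the thread), plus the
    # subject DN. set-header overwrites any copy a client may have injected.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]

    # Two distinct explanations, only on the protected paths:
    #   1. no certificate presented at all
    #   2. a certificate was presented but is not signed by the known CA
    #      (or is revoked / expired; the exact reason is in ssl_c_verify)
    use_backend be_need_cert    if need_cert !has_cert
    use_backend be_untrusted_ca if need_cert has_cert !cert_ok
    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check

# Backends with no servers answer every request with the 503 error page, and
# 'errorfile' replaces that page with our explanation. The files must be
# complete raw HTTP responses (status line, headers, blank line, body).
backend be_need_cert
    errorfile 503 /etc/haproxy/errors/need-client-cert.http

backend be_untrusted_ca
    errorfile 503 /etc/haproxy/errors/untrusted-client-cert.http
```

Two caveats. First, this does not solve the problem the reply above is actually asking about: the certificate request is part of the TLS handshake, which completes before HAProxy can see the path, so a browser will still prompt for a certificate on every path of this listener. Second, because the handshake no longer rejects anything, a request to a protected path that bypasses the `need_cert` ACL (a new path prefix added later, for example) would reach the application with an unverified or missing certificate; the `X-SSL-Client-Verify` header gives the backend a way to double-check, but only if it is trusted solely from this proxy.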