Hi guys, I'm developing a device server and wish to use HAProxy to authenticate the client over TLS and to route clients to their appropriate cloud agent (which sits on server N with M agents running on it).
I was considering the flow below as it doesn't require any customisation of HAProxy behaviour, but it assumes that I can trust the client to identify its agent and provide routing information as long as the TLS authentication is successful. However, in the world of low-end IoT devices it is presumptuous to believe that the private key is truly protected, which could lead to spoofing.

Flow:
-> Client connects to HAProxy, which authenticates it and routes it to the Welcome Server.
-> Welcome Server provides the server address of the agent to the client.
-> Client reconnects, using the TLS ALPN field to provide the server address/name.
-> HAProxy authenticates and routes to the agent server.
-> Client sends the specific agent ID to attach the connection to the specific agent.

I need a mechanism that allows HAProxy to read the client's ID/serial from its TLS certificate (well understood from the website documentation), as it's one thing to steal a certificate but another to forge one, then append it as the first piece of data that is sent to the agent server when the connection is first opened and, critically, I then wish to return to high-performance layer 4 routing, as no packet inspection is required beyond establishment of the session.

I've read the Lua documentation but have no idea where to begin for this and am hoping someone may be able to help outline what needs to be done. Any support is greatly appreciated.

Many thanks,
Alistair
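One way to do what the post asks, as an added example that is not part of the original post and not HAProxy's own documentation code: a Lua action registered for `tcp-request content` that reads the serial (plus subject and issuer CN) from the verified client certificate, inserts a single identity line at the front of the request channel before HAProxy starts forwarding, and then gets out of the way so the rest of the connection is ordinary TCP-mode forwarding. The haproxy.cfg fragment that loads and calls it is in the leading comment. Everything named here is an assumption for illustration: the file paths, the backend names, the `HAP-CLIENT` line format, and HAProxy 2.6 or newer for `Channel.insert()` (older releases have `Channel.prepend()`). The config routes on SNI (`ssl_fc_sni`) rather than the ALPN field mentioned in the post, because HAProxy only negotiates ALPN values that are listed on the bind line's `alpn` option, so ALPN is a poor carrier for an arbitrary server name.

```lua
--[[
haproxy.cfg fragment that uses this action (paths and names are assumed):

  global
      lua-load /etc/haproxy/client_id_prefix.lua

  frontend devices
      mode tcp
      bind :8443 ssl crt /etc/haproxy/edge.pem ca-file /etc/haproxy/device-ca.pem verify required
      # One-off work at session start: prepend the verified identity.
      # After "accept" the stream is plain layer-4 forwarding.
      tcp-request content lua.prepend_client_id
      tcp-request content accept
      # Route on SNI via a map of name -> backend; unknown names go to
      # the welcome backend.
      use_backend %[ssl_fc_sni,lower,map(/etc/haproxy/agents.map,welcome)]

  backend welcome
      mode tcp
      server welcome1 10.0.0.10:9000

  backend agents_n1
      mode tcp
      server n1 10.0.1.1:9000
]]

-- Identity line the agent server must read and strip before the device
-- protocol starts. The format is this example's own choice (assumption).
local PREFIX = "HAP-CLIENT"

local function sanitize(s)
    -- The identity line is newline-delimited, so a CN containing a
    -- newline or other control character must not reach the wire as-is.
    return (s:gsub("[%c%s]", "_"))
end

local function build_id_line(serial_hex, subject_cn, issuer_cn)
    -- A serial is only unique within one issuing CA, so the issuer CN is
    -- carried alongside it.
    return string.format("%s serial=%s cn=%s issuer=%s\n",
        PREFIX, serial_hex, sanitize(subject_cn), sanitize(issuer_cn))
end

local function prepend_client_id(txn)
    -- Belt and braces: "verify required" on the bind line already rejects
    -- unverified clients, but if someone later relaxes that setting the
    -- agent must never receive an identity line for an unverified cert.
    if not txn.f:ssl_c_used() or txn.f:ssl_c_verify() ~= 0 then
        txn:Alert("prepend_client_id: no verified client certificate, closing")
        txn:done()
        return
    end

    -- ssl_c_serial is the raw serial bytes; hex() renders them as text.
    local serial_hex = txn.c:hex(txn.f:ssl_c_serial())
    local subject_cn = txn.f:ssl_c_s_dn("CN") or ""
    local issuer_cn  = txn.f:ssl_c_i_dn("CN") or ""

    local line = build_id_line(serial_hex, subject_cn, issuer_cn)

    -- Insert at offset 0 of the request channel: the line reaches the
    -- agent before any byte the device sent. A device that sends its own
    -- "HAP-CLIENT ..." line therefore only produces a second line, which
    -- the agent must treat as ordinary device data.
    -- Channel.insert() is HAProxy 2.6+; on 2.5 and older use
    -- txn.req:prepend(line) instead.
    if txn.req:insert(line, 0) < 0 then
        txn:Alert("prepend_client_id: could not insert identity line, closing")
        txn:done()
    end
end

-- "tcp-req" makes the action available as "tcp-request content lua.prepend_client_id".
core.register_action("prepend_client_id", { "tcp-req" }, prepend_client_id)
```

Two checks matter on the agent side for this to be spoof-resistant. The agent must read exactly one line, verify it starts with the agreed prefix, and treat every byte after that newline as device data; and the agent port must only be reachable from the HAProxy hosts (firewall rule or a separate mTLS leg), since anyone who can open a TCP connection to the agent directly can write a fabricated identity line. With those in place the device cannot claim a serial other than the one in the certificate HAProxy actually verified, which is the property the post is after.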

