I understand that there's some prototypical functionality for analogies to nginx $ssl_client_s_dn et al. I'd be quite happy to get my hands on this, as I've been having issues with way too many components of my stack re: properly extracting certificate info, supporting newer cipher suites, or even exposing the certificate info in their TLS bindings/implementations. For better or worse, nginx is also not a solution, as its current proxy_pass method fully buffers the request, killing websocket. The other solution is that I write a very small streaming proxy to unwrap the TLS and inject the relevant headers, but haproxy already does 99% of this, and that level of code duplication seems like madness. Code beauty is not a major concern to me at this point, and I'd be happy to contribute back any changes I make--could we get a feature branch for this on GitHub?
k

