Hi Peter,

Some more information about HAProxy features and client certificates:
http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/
http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/

Baptiste

On Tue, Jul 2, 2013 at 10:39 AM, Hudec Peter <phu...@cnc.sk> wrote:
> Thanks Lukas,
>
> I will try 1.5 version.
>
> But for Debian this version is in experimental now ;( I will look if some
> already done for Wheezy.
>
> Best regards
> Peter Hudec
>
> -----Original Message-----
> From: Lukas Tribus <luky...@hotmail.com>
> Date: Tuesday, July 2, 2013 10:24 AM
> To: Hudec Peter <phu...@cnc.sk>, "haproxy@formilux.org"
> <haproxy@formilux.org>
> Subject: RE: ssl sni and client certificate verification
>
>>Hi Peter!
>>
>>> 1) SSL SNI with SSL offload
>>> As I read the docs, this is supported only in version 1.5, which is
>>> still not stable. Is there any way how to do this on 1.4 without nginx
>>> as frontend?
>>
>>SSL offload does work only in 1.5. In 1.4 you need to do this with stunnel
>>or stud, but that's a lot more complex and error prone than to simply use
>>1.5.
>>I'm not sure client verification is supported with stunnel or stud.
>>
>>I suggest you give haproxy 1.5-dev19 a try. It's already in use by a lot
>>of people in production despite it not being declared stable.
>>
>>> 2) SSL client verification
>>> I did not find how to enforce the client verification on the haproxy
>>
>>On the bind line, add "verify required":
>>http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-verify
>>
>>You will also need to configure the CA file for verification (keyword:
>>ca-file).
>>
>>Regards,
>>
>>Lukas
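
The settings named in the quoted reply (`verify required` plus `ca-file` on the `bind` line), shown in an HAProxy 1.5 frontend that also picks the server certificate by SNI. This is an added example, not configuration posted by anyone in the thread; the file paths, hostnames, addresses, header names and backend names are assumptions.

```haproxy
# Added example for HAProxy 1.5 syntax. All paths, names and addresses
# below are placeholders chosen for illustration.
global
    maxconn 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # crt points at a directory: every PEM file in it is loaded and the
    # certificate presented is the one matching the SNI name the client sent.
    # ca-file + verify required: the TLS handshake fails unless the client
    # presents a certificate that chains to a CA listed in ca-file.
    bind :443 ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/client-ca.pem verify required

    # Pass the verified identity to the application. set-header replaces any
    # header of the same name sent by the client, so the values cannot be
    # supplied from outside.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]

    # Route on the SNI name negotiated during the handshake.
    use_backend bk_app1 if { ssl_fc_sni -i app1.example.com }
    default_backend bk_default

backend bk_app1
    server app1 192.0.2.10:8080 check

backend bk_default
    server web1 192.0.2.20:8080 check
```

The backends should accept connections only from HAProxy; otherwise a client that reaches them directly can set the `X-SSL-Client-*` headers itself.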