Ah sorry, I misread your email.

I would do it like this:
Add the directive "verify optional" on the bind line, then an ACL:
http-request deny if { path_beg /admin } ! { ssl_fc_has_crt }

Interesting reading here:
http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/

Baptiste

On Wed, Jan 8, 2014 at 12:22 PM, Remy van Elst <[email protected]> wrote:
> Baptiste wrote on 08/01/14 11:49:
>
>> Hi Remy,
>>
>> you can enable both HTTP and HTTPs in the frontend and then use ACLs
>> to force traffic to move to HTTP or HTTPs based on the client side
>> connection type and URL:
>>
>> http-request redirect scheme https if !{ ssl_fc } { path_beg -i /admin }
>> http-request redirect scheme http if { ssl_fc } !{ path_beg -i /admin }
>>
>> Baptiste
>>
>> On Wed, Jan 8, 2014 at 9:02 AM, Remy van Elst <[email protected]> wrote:
>>>
>>> Howdy,
>>>
>>> I've not yet received a response on my earlier email, sending it again.
>>>
>>>
>>> -------- Original message --------
>>> Subject:      client side ssl certificates for specific location
>>> Date:  Wed, 18 Dec 2013 20:09:32 +0100
>>> From:    Remy van Elst <[email protected]>
>>> To:    [email protected]
>>>
>>>
>>>
>>> Hello,
>>>
>>> I want to enable client side ssl for a specific URL only. My web app
>>> admin lives at https://example.org/admin and I want only the /admin part
>>> to require a client certificate. In Apache I would do it with a <Location
>>> /admin> block. In haproxy I am able to require a certificate for the
>>> entire frontend, but not for part of the frontend. (For example, acl
>>> req_cert path_beg /admin - and maybe something like client-cert if
>>> req_cert).
>>>
>>> On IRC I was told this is not possible currently: "[16:30:12] meineerde:
>>> Raymii: this isn't possible right now as the ssl handling is fully done
>>> before any higher-layer stuff (i.e. http) is handled".
>>>
>>> If it's possible, I'd like to do a feature request?
>>>
>>> Sincerely,
>>> Remy van Elst
>>> https://raymii.org
>>>
>>>
>>>
>>>
> Hello Baptiste,
>
> The traffic is https only, I don't want to redirect from http to https. It
> is specific for a client side ssl certificate. The website now asks for a
> certificate for the entire site, it should only ask the user for a
> certificate when they visit the /admin url.
>
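
The suggestion at the top of this message, written out as a complete frontend and backend. This is an added example, not part of the original thread; the certificate paths, section names and backend address are placeholders, and the X-SSL-Client-DN header name is an assumption.

```haproxy
# Added example: client certificate enforced for /admin only.
frontend fe_https
    mode http
    # "verify optional" requests a client certificate during the TLS handshake
    # but lets the handshake complete when the client sends none.
    # A certificate that IS sent must still validate against ca-file;
    # otherwise the handshake is aborted (unless crt-ignore-err / ca-ignore-err
    # is configured, which this example deliberately does not do).
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Enforcement happens at the HTTP layer, after the handshake:
    # /admin is refused when no client certificate was presented.
    # On resumed TLS sessions the certificate is not part of the current
    # connection; the ssl_c_used fetch covers that case if resumption is enabled.
    http-request deny if { path_beg /admin } !{ ssl_fc_has_crt }

    default_backend be_app

backend be_app
    mode http
    # Drop any client-supplied copy of the header before setting our own,
    # so the application can only ever see a value written by the proxy.
    http-request del-header X-SSL-Client-DN
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] if { ssl_fc_has_crt }
    server app1 127.0.0.1:8080
```

Because the certificate is requested on every handshake, browsers may still show a certificate prompt on non-admin pages; only the enforcement is limited to /admin.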
