Hi,

> I want to enable client side ssl for a specific URL only. My web app
> admin lives at https://example.org/admin and I want only the /admin part
> to require a client certificate. In Apache I would do it with a <Location
> /admin> block. In haproxy I am able to require a certificate for the
> entire frontend, but not for part of the frontend. (For example, "acl
> req_cert path_beg /admin" and maybe something like client-cert if
> req_cert).
>
> On IRC I was told this is not possible currently: "[16:30:12] meineerde:
> Raymii: this isn't possible right now as the ssl handling is fully done
> before any higher-layer stuff (i.e. http) is handled".
>
> If it's possible, I'd like to do a feature request?
I don't see how this is possible at all. If the server (or frontend proxy) requires a client SSL cert, then it needs to know about this at the beginning of the SSL handshake, before any URI is known. So you cannot do this at SSL level, not in Haproxy and not in Apache.

What Apache probably does (and perhaps you want it like this), is to:

- use an optional client SSL cert
- fail the SSL handshake if the client certificate can't be verified
- complete the SSL handshake if the client certificate was validated OR
- complete the SSL handshake when the client did not provide a certificate
- when someone tries to access the admin portal without a client cert then you give him a "403 Forbidden" (so at HTTP level).

To do this in haproxy you simply: configure the bind line with "verify optional" [1] and use the ssl_c_used [2] variable to deny access to your admin area when the client did not use a certificate at HTTP level (403 Forbidden).

Regards,
Lukas

[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-verify
[2] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.3
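An added configuration example illustrating the approach described in the reply above (not part of the original mail, and not Lukas's config). It assumes a haproxy 1.5 frontend, a server certificate at /etc/haproxy/site.pem and a client CA bundle at /etc/haproxy/client-ca.pem; both paths and the backend name are placeholders. The handshake is completed whether or not the client presents a certificate (a presented but unverifiable certificate still aborts the handshake under "verify optional"), and the /admin check is done afterwards at HTTP level.

```haproxy
frontend https_in
    # Server cert plus the CA used to verify client certs. "verify optional"
    # completes the handshake without a client cert, but rejects a cert that
    # does not chain to client-ca.pem (placeholder path, assumed).
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/client-ca.pem verify optional

    mode http

    # Request-level conditions evaluated once the URI is known.
    acl is_admin   path_beg /admin
    acl has_cert   ssl_c_used

    # No client certificate on an /admin request: answer 403 Forbidden
    # (the default status of http-request deny) instead of failing the TLS handshake.
    http-request deny if is_admin !has_cert

    # Optional: pass the verified client subject CN to the application for audit logging.
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] if has_cert

    default_backend app_servers

backend app_servers
    mode http
    server app1 127.0.0.1:8080   # placeholder backend, assumed
```

Because ssl_c_used only reflects that a certificate was presented, the "verify optional" keyword is what makes the combination safe: it guarantees that any connection reaching the http-request rule with ssl_c_used set carries a certificate that already passed CA verification during the handshake. Requests outside /admin are served to anonymous clients unchanged.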

