Baptiste wrote on 08/01/14 17:23:
> Ah sorry, I misread your email.
> I would do like this: Add the directive "verify optional" on the bind line, then an ACL:
>
>     http-request deny if { path_beg /admin } ! { ssl_fc_has_crt }
>
> Interesting reading here: http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/
>
> Baptiste
>
> On Wed, Jan 8, 2014 at 12:22 PM, Remy van Elst <[email protected]> wrote:
>> Baptiste wrote on 08/01/14 11:49:
>>> Hi Remy, you can enable both HTTP and HTTPs in the frontend and then use ACLs to force traffic to move to HTTP or HTTPs based on the client side connection type and URL:
>>>
>>>     http-request redirect scheme https if !{ ssl_fc } { path_beg -i /admin }
>>>     http-request redirect scheme http if { ssl_fc } !{ path_beg -i /admin }
>>>
>>> Baptiste
>>>
>>> On Wed, Jan 8, 2014 at 9:02 AM, Remy van Elst <[email protected]> wrote:
>>>> Howdy, I've not yet received a response on my earlier email, sending it again.
>>>>
>>>> -------- Original Message --------
>>>> Subject: client side ssl certificates for specific location
>>>> Date: Wed, 18 Dec 2013 20:09:32 +0100
>>>> From: Remy van Elst <[email protected]>
>>>> To: [email protected]
>>>>
>>>> Hello, I want to enable client side ssl for a specific URL only. My web app admin lives at https://example.org/admin and I want only the /admin part to require a client certificate. In Apache I would do it with a <Location /admin> block. In haproxy I am able to require a certificate for the entire frontend, but not for part of the frontend. (For example, acl req_cert path_beg /admin and maybe something like client-cert if req_cert.) On IRC I was told this is not possible currently: "[16:30:12] meineerde: Raymii: this isn't possible right now as the ssl handling is fully done before any higher-layer stuff (i.e. http) is handled". If it's possible, I'd like to do a feature request?
>>>>
>>>> Sincerely,
>>>> Remy van Elst
>>>> https://raymii.org
>>
>> Hello Baptiste,
>> The traffic is https only, I don't want to redirect from http to https. It is specific for a client side ssl certificate. The website now asks for a certificate for the entire site; it should only ask the user for a certificate when they visit the /admin url.

Thank you. I've read the blog post. However, with the verify optional bind line, if the client has a certificate in their browser, they will get asked every time they visit the website. I only want them to be asked for a certificate on a specific path. Possibly something like:
    if { path_beg /admin }
        ca-file ./ca.crt verify required
Now when someone with a client certificate loaded in their browser visits
example.org, the browser (Firefox, Chrome and Safari) asks if they want to use that
certificate. This is a working apache2 config for example:
<VirtualHost 10.0.20.30>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.org.cert.pem
    SSLCertificateKeyFile /etc/ssl/certs/example.org.key.pem
    SSLCertificateChainFile /etc/ssl/certs/example.org.chain.bundle.pem
    SSLOptions StrictRequire
    SSLProtocol all -SSLv2
    ServerName example.org
    ServerAdmin [email protected]
    LogLevel warn
    CustomLog /var/log/apache2/apache.access.log combined
    ErrorLog /var/log/apache2/apache.error.log
    DocumentRoot /var/www/example.org/www

    # Whole site: TLS required, no client certificate requested
    <Location />
        SSLRequireSSL
        Order Deny,Allow
        Allow from All
        Options -MultiViews
    </Location>

    # Only below /admin/ is a client certificate requested and verified
    <Location /admin/>
        SSLOptions +ExportCertData +FakeBasicAuth +StrictRequire +StdEnvVars
        SSLCACertificateFile /etc/ssl/certs/example.org.client.cacert.pem
        SSLVerifyClient require
        SSLVerifyDepth 4
    </Location>
</VirtualHost>
(Working as in the client only gets asked for their certificate if the /admin
url is requested).
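An added example (not from the thread, and not the HAProxy project's own configuration) that puts Baptiste's "verify optional" plus ACL suggestion into a complete frontend. The listener address, certificate paths, header name and backend are assumed; the second deny rule, which also rejects a presented certificate that failed verification, and the header handling go beyond what Baptiste posted.

```haproxy
# Added example: assumed paths, addresses, header name and backend.
global
    log 127.0.0.1 local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    # verify optional: the certificate is requested during the TLS handshake,
    # so every visitor whose browser holds a matching certificate is prompted
    # on any path. The handshake completes before the URL is known, which is
    # why the prompt itself cannot be limited to /admin (the IRC answer above).
    bind 10.0.20.30:443 ssl crt /etc/haproxy/certs/example.org.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    acl is_admin   path_beg -i /admin
    acl has_crt    ssl_fc_has_crt
    acl crt_valid  ssl_c_verify 0

    # Baptiste's rule: /admin without a presented client certificate is refused.
    http-request deny if is_admin !has_crt
    # Added: also refuse when a certificate was presented but did not verify
    # (only reachable if ca-ignore-err / crt-ignore-err relaxes the handshake).
    http-request deny if is_admin !crt_valid

    # Never trust a client-supplied copy of the identity header; strip it first,
    # then set it only from a verified certificate so the backend can log/authorize.
    http-request del-header X-SSL-Client-DN
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] if has_crt crt_valid

    default_backend app

backend app
    server web1 127.0.0.1:8080
```

Public paths still work for browsers without a certificate because the bind line only requests one; the deny rules are what enforce it for /admin.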