hi,
i use haproxy 1.5dev24 with ssl-frontend, haproxy connects via ssl to backends.
what i want to achieve is a secure access to certain internal or admin pages.
best would be a three step check:
1) all clients with certain ip-addresses are allowed
2) if from an unknown ip-address then the client ssl certificate is checked
3) as a last fallback access via one time password (mod_auth_otp) is possible.
i have figured out how to route access based on ip-address to backends.
frontend https
    bind xx.xx.xx.xx:443 ssl crt /opt/haproxy/haproxy.ssl.crt ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    capture request header Host len 32
    reqadd X-Forwarded-Proto:\ https
    acl is_admi path_beg /internal
    acl ip_allowed src 123.45.66.77 123.45.77.88
    use_backend int_ip if is_admi ip_allowed
    use_backend int_cert if is_admi !ip_allowed
    default_backend lbhttps
    monitor-uri /ok
i could combine 2+3) in apache config. also mod_auth_otp would work in apache.
the question is, h
in apache the client certificate check can be restricted to a location, only then my browser asks which ssl certificate should be used. when i use verify optional in the bind-config option of haproxy then it will be checked all the time when i connect to the ssl-site, also when the client certificate is only important for access to /internal...
maybe i miss something, maybe there are better ways to achieve a "secure access". maybe i work with subdomains or a frontend on other ports...
i also could bypass haproxy for those accesses... that's also an option...
markus
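As an added example (not part of the original post and not a reply from the list), the following frontend shows one way to express the three-step check in haproxy 1.5 configuration. It reuses the poster's backend names and ACLs; the `ca-file` path and the `int_otp` backend are assumptions. Two things about how this behaves: a client certificate is requested at the TLS handshake, before haproxy knows the request path, so with `verify optional` the browser prompt cannot be limited to `/internal` the way an apache `<Location>` block does (apache achieves that with a renegotiation, which haproxy 1.5 does not perform); and `verify optional` on its own aborts the handshake when a presented certificate fails validation, so `crt-ignore-err all` is needed if an invalid certificate is supposed to fall through to the OTP step instead of being rejected at the TLS layer. If the prompt on every connection is unacceptable, a separate hostname or port for the admin pages, as the post already considers, is the usual way out.

```haproxy
# Added example, not from the original post. Values marked "assumed" are
# placeholders chosen for illustration.
frontend https
    # ca-file (assumed path) is the CA that issued the client certificates.
    # verify optional: ask every client for a certificate but do not require one.
    # crt-ignore-err all: keep the handshake alive on a missing/invalid cert so
    # the request can still reach the OTP fallback; validity is checked below.
    bind xx.xx.xx.xx:443 ssl crt /opt/haproxy/haproxy.ssl.crt ca-file /opt/haproxy/clients-ca.pem verify optional crt-ignore-err all ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    capture request header Host len 32
    reqadd X-Forwarded-Proto:\ https

    acl is_admi    path_beg /internal
    acl ip_allowed src 123.45.66.77 123.45.77.88

    # step 2: the client sent a certificate AND it chained to ca-file
    # (ssl_c_verify is the OpenSSL verify result; 0 means no error, and it is
    # also 0 when no certificate was sent, hence the ssl_c_used check)
    acl has_cert   ssl_c_used
    acl cert_valid ssl_c_verify 0

    # let the backend know who the certificate belongs to
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] if has_cert

    # step 1: trusted source addresses
    use_backend int_ip   if is_admi ip_allowed
    # step 2: unknown address but a valid client certificate
    use_backend int_cert if is_admi !ip_allowed has_cert cert_valid
    # step 3: everything else for /internal goes to an apache backend that
    # enforces mod_auth_otp (backend name int_otp is assumed)
    use_backend int_otp  if is_admi

    default_backend lbhttps
    monitor-uri /ok
```

Because `use_backend` rules are evaluated in order, the three lines for `is_admi` implement the precedence the post asks for: address first, certificate second, OTP last. Requests outside `/internal` never match `is_admi` and fall through to `lbhttps` regardless of whether a certificate was presented.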