Hi Lukas,

Thank you for making this clear. I ended up adding another public IP just for SSL client certificate authentication.

Groeten,
Martin

On Tue, Jul 1, 2014 at 3:17 PM, Lukas Tribus <[email protected]> wrote:
> Hi Martin,
>
> > Hi,
> >
> > I'm trying to configure HAProxy so that on one specific domain users
> > authenticate with an SSL client certificate.
> >
> > The load balancer has one public IP address and has a frontend
> > configured which is bound to port 443:
> > bind *:443 ssl crt ./haproxy/
> >
> > I selected the correct backend as follows:
> > use_backend secure_servers if { ssl_fc_sni secure.domain.tld ssl_fc_has_crt }
> >
> > default_backend default_servers
> >
> > When changing bind to verify the SSL certificate, all other SSL traffic is
> > no longer allowed:
> > bind *:443 ssl crt ./haproxy/ ca-file ./ca.pem verify required
> >
> > A solution would be to create another frontend with an additional
> > public IP address, but I want to prevent this if possible.
> >
> > How can I only require an SSL client certificate on secure.domain.tld?
>
> You cannot, this is not currently supported.
>
> The only workaround here is to put another proxying layer in tcp mode in
> front of your current deployment, enabling you to switch to a different
> backend --> second layer frontend combination according to the SNI value
> (req.ssl_sni [1] in this case, since you are not using SSL termination on the
> first proxy tier).
>
> (and you could use the recently implemented abstract namespaces for 1st tier
> backend -> 2nd tier frontend connection).
>
>
> Regards,
> Lukas
>
> [1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.5-req.ssl_sni
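The two-tier layout Lukas describes, written out as an added HAProxy 1.5 configuration example (this is not from the thread or the HAProxy project); the abns@ socket names and the backend server addresses are assumed placeholders, and the abstract-namespace sockets require Linux.

```haproxy
# Tier 1: plain TCP, no SSL termination; only peeks at the ClientHello SNI.
frontend tls_router
    bind *:443
    mode tcp
    # Buffer the ClientHello (up to 5s) so req.ssl_sni can be evaluated.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend to_client_cert_tier if { req.ssl_sni -i secure.domain.tld }
    default_backend to_default_tier

# Tier 1 -> tier 2 hops over abstract-namespace Unix sockets (assumed names),
# so no extra public IP or port is needed. send-proxy/accept-proxy carry the
# real client address across the hop for logging and ACLs.
backend to_client_cert_tier
    mode tcp
    server clientcert abns@haproxy-clientcert send-proxy

backend to_default_tier
    mode tcp
    server default abns@haproxy-default send-proxy

# Tier 2a: terminates SSL and requires a client certificate signed by ca.pem.
frontend clientcert_https
    bind abns@haproxy-clientcert accept-proxy ssl crt ./haproxy/ ca-file ./ca.pem verify required
    mode http
    default_backend secure_servers

# Tier 2b: terminates SSL for every other name, no client certificate requested.
frontend default_https
    bind abns@haproxy-default accept-proxy ssl crt ./haproxy/
    mode http
    default_backend default_servers

backend secure_servers
    mode http
    server s1 10.0.0.11:8080 check   # placeholder address

backend default_servers
    mode http
    server d1 10.0.0.21:8080 check   # placeholder address
```

Because tier 1 never decrypts, a client that omits SNI lands on the default tier; the tcp-request inspect-delay also means a connection that sends no ClientHello within 5s is closed rather than routed.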

