2015-09-29 21:36 GMT+02:00 Douglas Harmon <[email protected]>:
> Hello group. I'm new to haproxy. I have read the documentation but
> still require some assistance. I'm trying to configure haproxy to:
>
> 1. accept https connection with client certs required.
> 2. pass the client cert to a backend https server based on https url path
>
> First, can I accomplish this with haproxy? If so, could someone share
> a sample haproxy 1.5 configuration? I have the item 1 above working in
> tcp mode. But I believe I need to be in http mode to get item 2 to
> work.

This is not possible. This is not a haproxy limitation, this is impossible to do with SSL as you effectively are trying to perform a man-in-the-middle attack and SSL is designed to prevent exactly that.

You can either:
1. require client SSL cert on haproxy and decrypt traffic to see URL, but you cannot "forward" client certificate to the backend
2. configure haproxy in TCP mode and forward encrypted traffic to the backend, but you cannot see the URL

You cannot have both, SSL protocol does not allow such operation.

What you can do, which is usually what people want is to implement 1 and set custom HTTP header with client certificate details (search haproxy documentation for X-SSL-Client-CN for example). Your backend will not see client certificate in a SSL handshake, but can access the header for certificate information.

-- 
Janusz Dziemidowicz
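
A sketch of the setup described in the reply above (terminate TLS on haproxy, require a client certificate, route on URL path, pass certificate details in headers), added here as an example and not part of the original thread. File paths, backend names, URL prefixes and the 192.0.2.x addresses are placeholders; the header names other than X-SSL-Client-CN are assumptions in the same style.

```haproxy
# Added example, not from the thread. Paths, names and addresses are placeholders.
global
    maxconn 2000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # Option 1 from the reply: haproxy terminates TLS and requires a client
    # certificate signed by the CA in ca-file (the handshake fails otherwise).
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify required

    # set-header removes any same-named header sent by the client before
    # writing the value, so the backend only sees what haproxy verified.
    http-request set-header X-SSL-Client-CN     %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

    # Routing on the URL path is possible because traffic is decrypted here.
    acl path_app1 path_beg /app1
    acl path_app2 path_beg /app2
    use_backend be_app1 if path_app1
    use_backend be_app2 if path_app2
    default_backend be_app1

backend be_app1
    # New TLS session from haproxy to the backend. The client's certificate
    # is not part of this handshake; only the headers above carry its details.
    server app1 192.0.2.10:8443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem

backend be_app2
    server app2 192.0.2.20:8443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem
```

The backend should trust these headers only on connections that come from haproxy, since any client able to reach the backend directly could set them itself.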

