I had a similar challenge. What I elected to do was to terminate SSL on
the HAProxy, which then passes it to an Apache. From there I have an AJP
port to a Tomcat. So I LB the Apache, not the Tomcat. Tomcat only listens
on AJP.
HTH
On 04/12/2015 13:16, Milos Zupancic wrote:
Hi,
I am looking for a solution on how to setup HaProxy and Tomcat with
SSL termination + passing client certificate to the backend tomcat.
At the moment we use Apache for SSL termination and proxy balancer to
point to tomcat AJP port.
Application on tomcat needs the client certificate in order to allow
logging in.
I have been trying various setups but nothing seems to work.
At the moment I have something like this:
frontend https-c-in
    mode http
    bind 192.168.0.10:443 name https ssl crt /etc/ssl/ljvfep.pem ca-file /etc/ssl/CA.pem verify required
    ###########################################################################################
    http-request set-header X-SSL %[ssl_fc]
    http-request add-header Client-Cert %[ssl_c_der,base64]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
    ###########################################################################################
    default_backend c-https

backend c-https
    mode http
    balance roundrobin
    cookie SERVERID insert nocache
    server ljvfep4 192.168.0.10:20443 check inter 2000 rise 2 fall 2
    server ljvfep3 192.168.0.11:20443 check inter 2000 rise 2 fall 2
This would give me a 502 Bad Gateway error. If I access the Tomcat
directly, all works as expected.
Any suggestions?
Kr,
Milos
--
Kobus Bensch
Senior Systems Administrator
Address: 22 & 24 | Frederick Sanger Road | Guildford | Surrey | GU2 7YD
DDI: 0207 871 3958
Tel: 0207 871 3890
Email: [email protected]
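An added example, not the poster's config and not anything from the HAProxy project, of a complete configuration for the layout this thread discusses: HAProxy terminates TLS, requires a client certificate issued by the configured CA, and forwards the certificate and its fields to the backend as request headers. Two defender-side points are folded in. First, every identity header is deleted before the proxy sets its own value, so a client can never smuggle in its own X-SSL-* or Client-Cert header. Second, Client-Cert is set with set-header rather than the add-header used in the posted config, because add-header appends and would leave a client-injected copy in front of the proxy's value if the delete were ever missed. The backend port 20080, the server cookie values, the internal CA path and the extra deny rule are assumptions of this example, not from the thread. One further assumption about the 502 in the posted config: its server lines point at port 20443 without the ssl keyword, so if 20443 is Tomcat's HTTPS connector, HAProxy is sending plaintext HTTP to a TLS port; option B below shows the re-encrypting form if that is the case.

```haproxy
# Added example: HAProxy TLS termination with client-certificate forwarding.
# Addresses, paths, ports and cookie values are placeholders.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https-c-in
    # Server cert + key in ljvfep.pem; client certs must chain to CA.pem.
    bind 192.168.0.10:443 name https ssl crt /etc/ssl/ljvfep.pem ca-file /etc/ssl/CA.pem verify required

    # Strip any identity headers the client itself sent. The backend must only
    # ever trust values that originate from this proxy.
    http-request del-header X-SSL
    http-request del-header Client-Cert
    http-request del-header X-SSL-Client-Verify
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Issuer
    http-request del-header X-SSL-Client-NotBefore
    http-request del-header X-SSL-Client-NotAfter

    # 'verify required' already rejects handshakes without a valid client cert;
    # this assumed rule additionally refuses any request whose cert was not
    # presented or did not verify (verify result 0 = OK).
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }

    # Forward the certificate (base64 DER) and its parsed fields.
    http-request set-header X-SSL %[ssl_fc]
    http-request set-header Client-Cert %[ssl_c_der,base64]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
    default_backend c-https

backend c-https
    balance roundrobin
    cookie SERVERID insert nocache
    # Option A (assumed): Tomcat's plain HTTP connector on port 20080. Only
    # acceptable when this hop stays on a private network.
    server ljvfep4 192.168.0.10:20080 cookie ljvfep4 check inter 2000 rise 2 fall 2
    server ljvfep3 192.168.0.11:20080 cookie ljvfep3 check inter 2000 rise 2 fall 2
    # Option B (assumed): re-encrypt to Tomcat's HTTPS connector on 20443 and
    # verify Tomcat's server certificate against the internal CA.
    # server ljvfep4 192.168.0.10:20443 ssl verify required ca-file /etc/ssl/internal-CA.pem cookie ljvfep4 check inter 2000 rise 2 fall 2
    # server ljvfep3 192.168.0.11:20443 ssl verify required ca-file /etc/ssl/internal-CA.pem cookie ljvfep3 check inter 2000 rise 2 fall 2
```

Whichever backend option is used, the application on Tomcat has to be reachable only through this proxy (firewall or bind address), otherwise the headers are trivially forgeable by connecting to Tomcat directly. Run `haproxy -c -f /path/to/haproxy.cfg` to syntax-check the file before reloading.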