Hi,

On Fri, Dec 04, Milos Zupancic wrote:
> Hi,
> 
> I am looking for a solution on how to setup HaProxy and Tomcat with SSL
> termination + passing client certificate to the backend tomcat.
> 
> At the moment we use Apache for SSL termination and proxy balancer to point
> to tomcat AJP port.
> Application on tomcat needs the client certificate in order to allow
> logging in.
> 
> I have been trying various setups but nothing seems to work.
> At the moment i have something like this:
> frontend https-c-in
>         mode http
>         bind 192.168.0.10:443 name https ssl crt /etc/ssl/ljvfep.pem ca-file /etc/ssl/CA.pem verify required
> 
> ###########################################################################################
>         http-request set-header X-SSL                  %[ssl_fc]
>         http-request add-header Client-Cert            %[ssl_c_der,base64]
>         http-request set-header X-SSL-Client-Verify    %[ssl_c_verify]
>         http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
>         http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
>         http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
>         http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
>         http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
> 
> ###########################################################################################
>         default_backend c-https
> 
> backend c-https
>         mode http
>         balance roundrobin
>         cookie SERVERID insert nocache
>         server ljvfep4 192.168.0.10:20443 check inter 2000 rise 2 fall 2
>         server ljvfep3 192.168.0.11:20443 check inter 2000 rise 2 fall 2
> 
> 
> This would give me a 502 bad gateway error. If I access the tomcat directly
> all works as expected.

Is tomcat configured for ssl on port 20443?

> Any suggestions?

If you want to terminate SSL on haproxy (connection between
haproxy<->tomcat is http), then you can try to configure SSLValve on
tomcat (tomcat expects client certificate on SSL_CLIENT_CERT header)
and send the client cert with:
http-request add-header SSL_CLIENT_CERT -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last space
(http://marc.info/?l=haproxy&m=141460786510796&w=2)

-Jarno

-- 
Jarno Huuskonen
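A worked check of the header format described in the reply, added here as an example (it is not code from the thread, from HAProxy or from Tomcat): it builds the SSL_CLIENT_CERT value the suggested add-header rule emits, rebuilds the PEM from it the way Tomcat's SSLValve does (trim, strip the 27/25-character markers, turn the spaces back into newlines; the exact valve logic is my assumption), and shows that the bare base64 the original Client-Cert header carried is rejected. SAMPLE_DER is constructed filler, not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"   # 27 characters
END = "-----END CERTIFICATE-----"       # 25 characters

# Constructed stand-in for the DER bytes HAProxy exposes as ssl_c_der.
# It is NOT a real certificate, only bytes to check that the encoding round-trips.
SAMPLE_DER = bytes(range(0x30, 0x30 + 45))


def haproxy_header_value(der: bytes) -> str:
    """Value emitted by the add-header rule from the reply: the BEGIN marker, the
    single-line output of %[ssl_c_der,base64] and the END marker, joined by the
    escaped spaces, with the escaped trailing space last."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"{BEGIN} {b64} {END} "


def raw_base64_header_value(der: bytes) -> str:
    """What the original Client-Cert header carried: %[ssl_c_der,base64], no markers."""
    return base64.b64encode(der).decode("ascii")


def sslvalve_extract_pem(header_value: str):
    """Rebuild a PEM the way Tomcat's SSLValve does (assumption about its logic:
    trim, strip the 27-char BEGIN and 25-char END markers, turn the spaces that
    replaced the PEM line breaks back into newlines). None if the markers are absent."""
    value = header_value.strip()
    if not (value.startswith(BEGIN) and value.endswith(END)):
        return None
    body = value[len(BEGIN):len(value) - len(END)]
    body = body.replace(" ", "\n").replace("\t", "\n").strip()
    return f"{BEGIN}\n{body}\n{END}\n"


def pem_to_der(pem: str):
    """Decode the base64 body between the markers; None if the body is corrupt."""
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    try:
        return base64.b64decode("".join(lines), validate=True)
    except binascii.Error:
        return None


def forwarded_cert_der(header_value: str):
    """DER bytes the Tomcat application ends up with, or None if the valve drops it."""
    pem = sslvalve_extract_pem(header_value)
    return pem_to_der(pem) if pem is not None else None
```

Because Tomcat trusts this header outright, the proxy has to be its only source: overwrite it on HAProxy with set-header (or del-header it first) rather than appending with add-header, and expose the Tomcat port only to the proxy.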
