Hi,
On Fri, Dec 04, Milos Zupancic wrote:
> Hi,
>
> I am looking for a solution on how to set up HaProxy and Tomcat with SSL
> termination + passing the client certificate to the backend tomcat.
>
> At the moment we use Apache for SSL termination and proxy balancer to point
> to tomcat AJP port.
> Application on tomcat needs the client certificate in order to allow
> logging in.
>
> I have been trying various setups but nothing seems to work.
> At the moment I have something like this:
> frontend https-c-in
> mode http
> bind 192.168.0.10:443 name https ssl crt /etc/ssl/ljvfep.pem
> ca-file /etc/ssl/CA.pem verify required
>
> ###########################################################################################
> http-request set-header X-SSL %[ssl_fc]
> http-request add-header Client-Cert %[ssl_c_der,base64]
> http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
> http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
> http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
> http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
> http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
> http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
>
> ###########################################################################################
> default_backend c-https
>
> backend c-https
> mode http
> balance roundrobin
> cookie SERVERID insert nocache
> server ljvfep4 192.168.0.10:20443 check inter 2000 rise 2 fall 2
> server ljvfep3 192.168.0.11:20443 check inter 2000 rise 2 fall 2
>
> This would give me a 502 bad gateway error. If I access the tomcat directly
> all works as expected.
Is tomcat configured for ssl on port 20443?
> Any suggestions?
If you want to terminate SSL on haproxy (connection between
haproxy<->tomcat is http), then you can try to configure SSLValve on
tomcat (tomcat expects the client certificate in the SSL_CLIENT_CERT header)
and send the client cert with:
http-request add-header SSL_CLIENT_CERT -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last space
(http://marc.info/?l=haproxy&m=141460786510796&w=2)
-Jarno
--
Jarno Huuskonen
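An added illustration of the header format that add-header line produces and of why the trailing space matters (example code written for this page, not code from the thread or from Tomcat). The decoder mirrors what Tomcat's SSLValve does with SSL_CLIENT_CERT as an assumption about that valve (spaces turned back into newlines, fixed-length marker lines cut off); the DER bytes are a constructed stand-in, not a real certificate.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for DER certificate bytes; not a real certificate.
SAMPLE_DER = b"\x30\x82" + bytes(range(200))


def haproxy_header_value(der: bytes, trailing_space: bool = True) -> str:
    """Value the suggested add-header line puts in SSL_CLIENT_CERT: markers and
    base64 DER separated by spaces, since a header cannot carry newlines.
    trailing_space=False reproduces the mistake the reply warns about."""
    b64 = base64.b64encode(der).decode("ascii")
    value = f"{BEGIN} {b64} {END}"
    return value + " " if trailing_space else value


def sslvalve_decode(header: str) -> str:
    """Mirror of what Tomcat's SSLValve does with the header (assumption about
    that valve's behaviour): spaces become newlines, then the fixed-length
    BEGIN line (28 chars incl. newline) and END line (26 chars) are cut off
    and canonical markers are put back. Without the trailing space the END
    line is one char short, so the END marker ends up glued to the base64."""
    pem_like = header.replace(" ", "\n")
    body = pem_like[28:len(pem_like) - 26]
    return f"{BEGIN}\n{body}{END}\n"


def parse_pem_der(pem: str) -> bytes:
    """Strict PEM reader: markers must sit on their own lines."""
    lines = pem.strip("\n").split("\n")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("malformed PEM: markers not on their own lines")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def roundtrip_ok(der: bytes, trailing_space: bool) -> bool:
    """True when the backend recovers exactly the DER haproxy saw."""
    try:
        pem = sslvalve_decode(haproxy_header_value(der, trailing_space))
        return parse_pem_der(pem) == der
    except ValueError:
        return False


if __name__ == "__main__":
    print("with trailing space:   ", roundtrip_ok(SAMPLE_DER, True))   # True
    print("without trailing space:", roundtrip_ok(SAMPLE_DER, False))  # False
```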