Hello,
On 24.02.2017 at 09:04, mlist wrote:
> Hi,
> We configured haproxy for client certificates:
>
> bind <IP>:443 ssl crt <path> ca-file <path> verify optional
>
> Configured this way (at the bind stage), however, haproxy always asks
> for the client certificate if present in the certificate store - for
> all domains, for all backends.
> Is there a solution so haproxy asks for/manages client certificates
> only for a specific domain or other request matching?
> So it is possible to share a bind on <IP>:443 port for mixed backends,
> accepting/requesting client certificates and others not using client
> certificates.

It is possible, with a not-so-nice but possible workaround:
Put your frontend in tcp mode and content switch based on SNI to a different
SSL terminating second layer frontend.
That way, with a single public IP you can cover all cases.
Lukas
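
A sketch of the two-layer setup described in the reply above, as an added example that is not part of the original thread. All addresses, loopback ports, certificate paths, hostnames and section names are placeholders; the `Host` checks and the identity header are assumptions added to keep the SNI-based split from being sidestepped.

```haproxy
# Added example: every address, port, path and hostname is a placeholder.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Layer 1: public listener in TCP mode. No TLS is terminated here; the
# ClientHello is inspected only to read the SNI.
frontend fe_public_443
    mode tcp
    bind 192.0.2.10:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend bk_loop_clientcert if { req.ssl_sni -i secure.example.com }
    default_backend bk_loop_plain

backend bk_loop_clientcert
    mode tcp
    server l2_clientcert 127.0.0.1:8443 send-proxy-v2

backend bk_loop_plain
    mode tcp
    server l2_plain 127.0.0.1:8444 send-proxy-v2

# Layer 2a: terminates TLS and is the only bind that requests a client cert.
frontend fe_tls_clientcert
    bind 127.0.0.1:8443 accept-proxy ssl crt /etc/haproxy/certs/secure.pem ca-file /etc/haproxy/ca/clients.pem verify optional
    # SNI chose this frontend, but Host is sent separately: reject mismatches.
    http-request deny unless { hdr(host) -i secure.example.com secure.example.com:443 }
    # Never trust a client-supplied copy of the identity header.
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }
    default_backend bk_app_secure

# Layer 2b: terminates TLS without ca-file/verify, so no certificate prompt.
frontend fe_tls_plain
    bind 127.0.0.1:8444 accept-proxy ssl crt /etc/haproxy/certs/public.pem
    # Keep the protected site unreachable through the no-client-cert path.
    http-request deny if { hdr(host) -i secure.example.com secure.example.com:443 }
    default_backend bk_app_public

backend bk_app_secure
    server app_secure 10.0.0.11:8080

backend bk_app_public
    server app_public 10.0.0.12:8080
```

The file can be syntax-checked with `haproxy -c -f <file>` once the placeholder certificate and CA files exist.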