Hi.
------ Original Message ------
From: "Joao Morais" <[email protected]>
To: "HAproxy Mailing Lists" <[email protected]>
Sent: 02.12.2017 00:53:33
Subject: Client cert verification on some paths
Hi, I have some apps that need to mimic an Apache httpd behavior on
client certificate verification: require certificate only on some
paths.
Apache does this by implementing SSL renegotiation, as briefly explained
here[1].
Of course I can `mode tcp` proxy to an Apache instance to do that for me,
but my topology would be simplified if I could implement SSL
renegotiation on HAProxy as soon as I can fetch the path sample.
Is there a way to accomplish this without using Apache httpd?
You can use the following line to fulfil your request (untested):
bind :443 ssl ca-file "${PATH_TO_CAFILE}" crl-file "${PATH_TO_CRLFILE}" verify "${VERIFY_MODE}"
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-ca-file
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crl-file
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-verify
You can add the following header to see if the client was successfully
verified.
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-http-request
When you start haproxy with the environment variables PATH_TO_CAFILE
and PATH_TO_CRLFILE set to your paths and VERIFY_MODE=optional, you can
test whether the verification works.
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#2.3
I strongly suggest going through the manual several times; it's worth
it and you learn a lot about haproxy ;-)
~jm
[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient
Hth
Aleks
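An added example (not from either message in this thread) showing how the `verify optional` approach above can be turned into the per-path requirement Joao asked for: the handshake always requests a client certificate, and a path ACL then rejects requests under `/secure/` that arrived without one. The frontend name, certificate and CA file paths and the `/secure/` prefix are assumptions.

```haproxy
# Added example, not from the thread. Requires a verified client
# certificate only for paths under /secure/. File paths are assumed.
frontend https_in
    # verify optional: the certificate is requested on every handshake;
    # if one is presented it must validate against ca-file/crl-file,
    # but a client may also connect without one.
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/clients-ca.pem crl-file /etc/haproxy/clients.crl verify optional

    # Expose the verification result and subject to the backend for
    # logging and auditing (0 means the certificate verified cleanly).
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]

    # Paths that must not be served without a verified client certificate.
    acl cert_required path_beg /secure/
    # True when the client presented a certificate during the handshake.
    acl has_cert ssl_c_used
    # True when the presented certificate verified with no error.
    acl cert_verified ssl_c_verify 0

    # Reject certificate-less or failed-verification requests on the
    # protected prefix; everything else is served normally.
    http-request deny if cert_required !has_cert
    http-request deny if cert_required !cert_verified

    default_backend app
```

Unlike Apache's renegotiation, this requests the certificate on every TLS handshake, so browsers may prompt for one even on unprotected paths; the `cert_verified` check only matters if `ca-ignore-err`/`crt-ignore-err` are used, since otherwise a failing certificate aborts the handshake before any request is seen.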