I am running haproxy in an Alpine Docker container. It is doing SSL
termination for https and injecting the client DN into the X-ForwardedFor
HTTP Header. But the format it uses for the client DN is not one that my
application supports.

Can I change the format somehow, perhaps using openssl.cnf? People
apparently change encryption algorithm settings that way. Can I change my
DN format also?

This is the format that I need my certificate DN to look like in the
X-ForwardedFor header. It is rather LDAP-ey.

CN=Jane Smith,OU=org1,OU=org2,O=myorg,C=AU

But haproxy is injecting a rather ASN.1 looking format

/C=AU/O=myorg/OU=org2/OU=org1/CN=Jane Smith

These are the versions of the software. They can be changed, as I am
compiling haproxy from source. I can also set any flags at compilation time:

   1. Haproxy 2.0
   2. Alpine 3.10
   3. openssl 1.1.1

Here are what I think are the relevant parts of the haproxy.cfg file.

frontend fe
    mode http
    bind *:443 ssl no-sslv3 no-tls10 no-tlsv11 crt /certs/mycert ca-file /certs/myca
    option forwardfor
    http-request set-header X-ForwardedFor %{+Q+E}[ssl_c_s_dn]
    default_backend be

backend be
    balance source
    mode http
    server server1 IP:PORT ca-file /certs/myca crt /certs/mycert ssl verify none

Is there something I can do to change the format? I have tried using the
documented structure like this: %{+Q+E}[ssl_c_s_dn(CN)] but the format of
my certificate DNs is very disorganized. There is no way to predict how
many OU, C, O, etc there might be, and sometimes they are missing. So I
don't think that is a viable solution.

I have also looked at this question: "haproxy tls hash algorithm
haproxy behavior with openssl settings". Can I do that to get the DN into a
different format? If so, how? I am not sure what steps to follow. Do I need
to modify openssl.cnf at compile time, or have it changed at runtime on the
server? What sections and values?

Thank you!
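The two strings in the question are the same subject in two serialisations: OpenSSL's "oneline" form ("/C=AU/O=myorg/...", most-significant RDN first, joined by "/") and the RFC 2253 / RFC 4514 string form ("CN=Jane Smith,OU=org1,...", least-significant RDN first, joined by ","). openssl.cnf does not control this; it is a choice made by whoever formats the X509_NAME, so the practical fix is to convert at the point where the header is consumed (or in the proxy itself). The converter below is an added example written for this page, not code from HAProxy, OpenSSL or the original poster. It assumes the backend receives the raw oneline string in the header; the strip_haproxy_quotes helper assumes the header was produced with exactly the %{+Q+E} flags shown in the posted config, and the sample DNs are constructed for the demonstration. It handles any number of OU/O/C components, missing components, "/" inside a value, and the RFC 4514 escaping of commas and other specials that the oneline form leaves unescaped.

```python
"""Convert OpenSSL "oneline" subject DNs (what HAProxy's ssl_c_s_dn emits)
into the RFC 2253 / RFC 4514 string form used by LDAP-style consumers.

Added illustrative code, not part of HAProxy or OpenSSL.
"""
import re
from typing import List, Tuple

# OpenSSL's oneline format joins RDNs with "/" and does NOT escape "/" inside
# values, so split only on a "/" that begins a new "TYPE=" pair.
# Known limitation: a value such as "a/B=c" would still be split at "/B=".
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

# Characters RFC 4514 section 2.4 requires escaping anywhere in a value.
_RFC4514_SPECIAL = set(',+"\\<>;')


def parse_openssl_oneline(dn: str) -> List[Tuple[str, str]]:
    """'/C=AU/O=myorg/CN=Jane' -> [('C', 'AU'), ('O', 'myorg'), ('CN', 'Jane')]."""
    dn = dn.strip()
    if not dn:
        return []                      # no client certificate / empty subject
    if not dn.startswith("/"):
        raise ValueError("not an OpenSSL oneline DN: %r" % dn)
    rdns = []
    for part in _RDN_SPLIT.split(dn[1:]):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        attr, value = part.split("=", 1)
        rdns.append((attr, value))
    return rdns


def escape_rfc4514_value(value: str) -> str:
    """Escape one attribute value as RFC 4514 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC4514_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:             # leading '#' would read as hex
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading/trailing space
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def openssl_oneline_to_rfc2253(dn: str) -> str:
    """Reverse the RDN order and join with commas: the LDAP-style form."""
    rdns = parse_openssl_oneline(dn)
    return ",".join("%s=%s" % (attr, escape_rfc4514_value(value))
                    for attr, value in reversed(rdns))


def strip_haproxy_quotes(header_value: str) -> str:
    """Undo HAProxy's %{+Q+E} quoting (assumption: exactly those flags).

    +Q wraps the value in double quotes; +E prefixes '"' and '\\' with '\\'.
    """
    v = header_value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):    # drop the escape, keep the char
            out.append(v[i + 1])
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: the DN from the question, as HAProxy would send it
    # with %{+Q+E}, followed by a value with a comma and one with a slash.
    for raw in ('"/C=AU/O=myorg/OU=org2/OU=org1/CN=Jane Smith"',
                '"/C=AU/O=Acme, Inc./CN=billing"',
                '"/C=AU/OU=dev/ops/CN=Bob"'):
        print(raw, "->", openssl_oneline_to_rfc2253(strip_haproxy_quotes(raw)))
```

If the conversion has to happen in the proxy rather than the application, HAProxy 2.0 can load Lua with `lua-load`, and the same reversal-and-escaping logic can be registered as a converter with `core.register_converters` and applied as `%[ssl_c_s_dn,lua.<name>]`; the Python above is the logic to port. Newer HAProxy releases also document a format argument for `ssl_c_s_dn` (check the configuration manual of the release in use before relying on it).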
