Hi there,
we're in the process of migrating from Citrix NetScaler to HAProxy and
facing a configuration problem. In this scenario all requests have to
use an SSL client cert, but for some URLs and user-agents no cert is
needed.
I get a 403 "go away", but am not asked to show my client cert ...
Here's what I did:
haproxy.conf
global
uid 99
gid 99
daemon
chroot /usr/share/haproxy
spread-checks 5
stats socket /var/run/haproxy/admin.sock mode 0600 level admin
log 127.0.0.1 local2 warning
log loghost local4 warning
log-send-hostname lb-haproxy
maxconn 20000
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ... line too long :-/
defaults
log global
maxconn 20000
timeout connect 20s
timeout server 120s
timeout client 120s
timeout check 10s
retries 3
mode http
option log-separate-errors
option log-health-checks
frontend host-with-clientcert
mode http
option forwardfor
option http-server-close
bind 195.30.x.y:80
bind 195.30.x.y:443 ssl crt /home/conf/ssl/cert.pem no-sslv3 \
ca-file /home/conf/ssl/myca.crt verify optional
reqidel ^X-Forwarded-For:.*
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
# "http-request" rules are evaluated before plain "redirect" rules, so the
# redirect has to be an http-request rule placed before the deny; otherwise
# every plain-HTTP request on :80 is denied before it can be redirected
http-request redirect scheme https if !{ ssl_fc }
rspadd Strict-Transport-Security:\ max-age=31536000;
# "or" is not valid inside one acl line; acl lines sharing a name are ORed
acl nocert path /servlets
acl nocert hdr_sub(User-Agent) java
# ssl_c_verify is the OpenSSL verify result of the client cert: 0 means it
# chains to ca-file. A cert that fails verification already aborts the
# handshake under "verify optional" unless ca-ignore-err/crt-ignore-err is set.
acl has_cert ssl_fc_has_crt
acl cert_ok ssl_c_verify 0
# a space between ACL names means AND, "or" means OR:
# allow if (nocert) or (has_cert and cert_ok)
http-request deny unless nocert or has_cert cert_ok
use_backend cms-prod
backend cms-prod
balance roundrobin
option httpchk
server cms ...:443 rise 1 fall 1 inter 3s check ssl verify none
--8<---
haproxy -vv
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>
Build options :
TARGET = linux26
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=yes USE_REGPARM=1 USE_OPENSSL=1
USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Any ideas how to configure such a scenario?
Cheers,
Basti Schubert
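As an added example that is not part of the original post: a small shell script that builds a throwaway CA plus two client certificates, one issued by that CA and one by an unrelated CA, and checks them the way HAProxy's "ca-file" check does (OpenSSL chain verification, success being the case in which ssl_c_verify yields 0). With a hostname as first argument it also probes the frontend with curl, with and without a client cert. The hostname, the CA and certificate names, the probed paths and the expected status codes are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: openssl and curl are
# installed, $1 (if given) is the HAProxy frontend host, /servlets is a path
# that the "nocert" ACL matches. CA/cert names are made up.
set -eu

# make_ca DIR NAME: self-signed CA cert + key in DIR (stand-in for myca.crt)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_client DIR CA CN: key + CSR for CN, signed by CA -> DIR/CN.crt, DIR/CN.pem
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" >/dev/null 2>&1
  # curl --cert wants key and cert in one PEM file
  cat "$1/$3.key" "$1/$3.crt" > "$1/$3.pem"
}

# chain_ok CA_CRT CERT: succeeds only if CERT chains to CA_CRT. "openssl verify"
# prints "<file>: OK" in that case; its exit status is not reliable on older
# OpenSSL releases, hence the grep on the output.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# probe HOST PATH [CLIENT_PEM]: HTTP status the frontend returns for PATH,
# presenting CLIENT_PEM when given (-k: the server cert is not under test here)
probe() {
  if [ -n "${3:-}" ]; then
    curl -sk -o /dev/null -w '%{http_code}' --cert "$3" "https://$1$2"
  else
    curl -sk -o /dev/null -w '%{http_code}' "https://$1$2"
  fi
}

main() {
  dir=$(mktemp -d)
  make_ca "$dir" myca
  make_ca "$dir" otherca
  make_client "$dir" myca alice      # issued by the CA HAProxy trusts
  make_client "$dir" otherca mallory # issued by a CA HAProxy does not know
  chain_ok "$dir/myca.crt" "$dir/alice.crt"   && echo "alice.crt: chains to myca"
  chain_ok "$dir/myca.crt" "$dir/mallory.crt" || echo "mallory.crt: does not chain to myca"
  if [ $# -ge 1 ]; then
    host=$1
    echo "/servlets, no cert: $(probe "$host" /servlets)"
    echo "/, no cert:         $(probe "$host" /)"
    echo "/, alice.pem:       $(probe "$host" / "$dir/alice.pem")"
    echo "/, mallory.pem:     $(probe "$host" / "$dir/mallory.pem")"
  fi
  rm -rf "$dir"
}

main "$@"
```

With the frontend configured so that /servlets is exempt and everything else needs a cert issued by myca.crt, the probes should give 200 for /servlets without a cert, 403 for / without a cert and 200 for / with alice.pem. The mallory.pem probe gets no HTTP status at all (curl prints 000): under "verify optional" HAProxy aborts the handshake when the presented certificate fails verification, unless ca-ignore-err or crt-ignore-err is set, so a cert from an unknown CA never reaches the ACLs.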