Details

    • Story Points: 3

      Description

      Problem

      In the current implementation it is impossible to use client certificates with validation, because we have a single entry point for HTTPS that serves every domain. We can change the config to something like:

       bind *:443 ssl crt /etc/ssl/cert.pem crt /etc/ssl/cert0.pem crt /etc/ssl/cert1.pem
      

      Unfortunately, if we add "verify optional" or "verify required" to that bind line, it applies to every domain served on it, not just the one that needs client certificates.

      What is the suggestion?

      E.g. we have the domains test.com and test2.com, and only one of them (test.com) requires a client certificate.

      1. Generate a frontend and backend pair, joined over a loopback (abstract namespace) socket, for each domain. The backends must be in TCP mode, because the :443 entry point in step 2 hands them the raw TLS stream; the per-domain frontend terminates TLS and, only where that domain needs it, verifies the client certificate (the stray "crt" keyword and the space in the ca-file path of the original sketch are corrected here):

      backend test
          mode tcp
          server loopback-for-tls abns@test send-proxy-v2
      backend test2
          mode tcp
          server loopback-for-tls abns@test2 send-proxy-v2
      
      frontend test
          mode http
          bind abns@test accept-proxy ssl crt /etc/ssl/certsforhaproxy/test1.pem ca-file /etc/ssl/certsforhaproxy/ca.pem verify required
      frontend test2
          mode http
          bind abns@test2 accept-proxy ssl crt /etc/ssl/certsforhaproxy/test2.pem
      

      2. Change the HTTPS entry point into a TCP-mode frontend that routes on the SNI of the ClientHello (the inspect-delay is needed so the hello can be read before a routing decision is made, and test2.com must of course route to backend test2, not test):

      frontend port443
          mode tcp
          bind :443
          tcp-request inspect-delay 5s
          tcp-request content accept if { req_ssl_hello_type 1 }
          use_backend test if { req_ssl_sni -i test.com }
          use_backend test2 if { req_ssl_sni -i test2.com }
          # and maybe a default_backend for unmatched SNI (answering 404)
      

      3. Add the ACL path logic to the frontend that was generated in step 1 (keeping its bind options, including the client certificate verification for test.com):

      frontend test
          mode http
          bind abns@test accept-proxy ssl crt /etc/ssl/certsforhaproxy/test1.pem ca-file /etc/ssl/certsforhaproxy/ca.pem verify required
          acl path_something_port path_beg /any_path
          use_backend any_child_backend if path_something_port

      People

      • Assignee: dkerrigan Drew Kerrigan (Inactive)
      • Reporter: gurinderu gurinderu
      • Team: Networking Team
      • Watchers: Deepak Goel, gurinderu, Judith Malnick (Inactive)