Client certificate authentication only for certain backends
-
Hi,
I have my pfSense set up with HAProxy guarding the access to a number of backends in my home lab. HAProxy is offloading SSL.
Now I want to secure the access to some of the backends.
In the frontend section, there seems to be what I need (SSL offloading - client certificate section) but if I use this, it is going to apply to all my backends, I believe. But I only want to apply this to certain backends.
In the backend section I don't find something similar.
I had the idea to create a separate frontend that will only connect to those backends I want the client certificate checked for. But if I create another frontend, haproxy complains that I now have multiple frontends and that I should use shared frontends.
If I add the new frontend as a shared frontend, the SSL offloading section vanishes. And anyway, there is an explanation that shared frontends will be merged into one setting (which would seem to bring me back to the issue that I want the client certificate checked only for certain backends but not for all...).
So how can I achieve what I want?
Any ideas?
Thanks!
-
Okay, so I found a way to circumvent the problem: I made the new frontend listen on a different port.
The downside is that I now always need to add the port after the address itself.
So I am still looking for a way to do this on the "standard" port of 443...
-
Hmm, so I found this:
https://www.reddit.com/r/PFSENSE/comments/ptfvgy/pfsense_haproxy_client_certificate_authentication/
But I have an issue at step 6:
"Now it's time to create your server specific frontend. Goto Services / HAProxy / Frontend again and start a new definition. Name is 'app.yourwildcarddomain.com' and use 'Shared Frontend' (check it), and Primary Frontend is 'shared-frontend - http' (from step 3). Under Access Control lists add a new rule Name 'ACL1', Expression 'Host matches:', cs no, not no, value 'app.yourwildcarddomain.com'. (ACL1 is for your first server, make it ACL2, and ACL3 for future servers). In the next section 'Actions' create a new rule 'Action' Use Backend, Condition acl names, ACL1. Press the '+' and define the backend match we defined in step 5 'app.yourwildcarddomain.com'. This was the tricky part. You need to define your rules for SSL Offloading as this is what forces the client side cert. Under SSL Offloading use an SNI filter of 'app.yourwildcarddomain.com' and the CA of your legit wildcard cert. Use Add ACL for certificate Subject Alternative Names. Under additional certificates check "Add ACL for certificate CommonName" and "Add ACL for certificate Subject Alternative Names". Under the SSL Offloading - client certificate section, Client verification CA certificate choose the self-signed CA you created in step 1. (home_ca). If you want to use a revocation list you can define one and define it in Client verification CRL, but it is not required. Save it all."
This sounds exactly like my original approach. But as before, when I get to "Under SSL Offloading use an SNI filter of 'app.yourwildcarddomain.com' and the CA of your legit wildcard cert.", there is no SSL Offloading segment (as that disappears once I check "shared frontend").
Am I missing something? Am I doing anything wrong?
-
Anybody got this working?
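As an added example that is not from this thread, from the pfSense HAProxy package, or from the linked Reddit guide: the raw haproxy.cfg below shows the two HAProxy mechanisms that let a single port-443 listener demand a client certificate for some backends only, which is what both the original question and the SNI-filter approach in the quoted guide are reaching for. Every hostname, file path, backend name and address is an assumption chosen for illustration; how the pfSense GUI maps its "SNI filter" and "Client verification CA certificate" fields onto these directives is also an assumption and should be checked against the generated config (Services / HAProxy / Settings shows it).

```haproxy
# Added example, not generated by pfSense. All names/paths are assumptions.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Option A: one listener, "verify optional", enforcement per host -----
# The listener *requests* a client certificate from everyone but does not
# abort the handshake when none is presented. Whether a certificate is
# required is then decided per backend with ACLs, so www.example.com stays
# open while app.example.com is closed to clients without a valid cert.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/wildcard.pem ca-file /etc/haproxy/home_ca.crt verify optional

    # Same matching the GUI "Host matches" ACL produces (assumed names)
    acl host_app    req.hdr(host) -i app.example.com
    acl host_public req.hdr(host) -i www.example.com

    # ssl_c_used   -> the client presented a certificate in the handshake
    # ssl_c_verify -> 0 means the chain validated against ca-file
    acl client_cert_present ssl_c_used
    acl client_cert_valid   ssl_c_verify 0

    # Both checks are needed: a request with no certificate at all has
    # ssl_c_used false, so a rule on ssl_c_verify alone would let it through.
    http-request deny deny_status 403 if host_app !client_cert_present
    http-request deny deny_status 403 if host_app !client_cert_valid

    use_backend be_app    if host_app
    use_backend be_public if host_public
    default_backend be_public

# --- Option B: per-SNI settings in a crt-list (what an "SNI filter" is) --
# Instead of "crt ... verify optional", bind with a crt-list file. Each line
# can carry its own TLS options and an SNI filter, so verification becomes
# "required" only for the name(s) listed on that line. The same wildcard
# certificate may appear twice with different options. Contents of the
# assumed /etc/haproxy/certs.list:
#
#   /etc/haproxy/wildcard.pem [verify required ca-file /etc/haproxy/home_ca.crt] app.example.com
#   /etc/haproxy/wildcard.pem www.example.com
#
# and the listener would read:
#
#   bind :443 ssl crt-list /etc/haproxy/certs.list
#
# Caveat: the filter keys on the TLS SNI, not the Host header. A client that
# sends no SNI lands on the first entry, so keep the host-based deny rules
# from Option A as well rather than relying on the crt-list alone.

backend be_app
    server app1 192.0.2.10:8080 check

backend be_public
    server web1 192.0.2.20:8080 check
```

Option A is the one to reach for when the GUI hides the SSL Offloading section on a shared frontend: put "verify optional" plus the CA on the single primary frontend, and do the per-backend enforcement with the ACL and Action rows that the shared frontends still expose. Validate the result with `haproxy -c -f /path/to/generated.cfg` and test with curl once without `--cert` (expect 403 on the protected host, 200 on the public one) and once with a certificate issued by the home CA.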