Can't protect certain path only with client certificate
-
Hi,
I have a pfSense firewall with HAProxy running in my home lab.
Some of my domains are publicly accessible and some are hidden behind a client certificate request. This separation on a pure domain basis works fine.
But now I want to protect a certain path of an otherwise publicly accessible domain behind a client certificate request and I can't get that to work.
My general setup
- acl that matches the host (domain)
- action that uses backend based on the acl
What I have done to protect the path:
- Defined an acl that matches the path I want to protect (on a "not"-basis)
- Added that acl to the action
-- The domain remains publicly accessible, except for that specific path. This is what I expect to happen --
- Set up a new frontend
- Defined an acl that matches the host (domain) -- I have also tried without this step
- Defined an acl that matches the path I want to protect
- Defined an action that uses the backend based on the acls
- Require a certain client certificate
-- The expected outcome is that in order to access the specific path, a client certificate is required. Surprisingly, however, the path becomes publicly accessible again without the client certificate --
I don't understand why this doesn't work. The setup is basically the same as for my other accessible and protected domains with the only difference that in this case only a certain path should be protected.
Why isn't this working? What am I missing?
-
@sensewolf said in Can't protect certain path only with client certificate:
-- The expected outcome is that in order to access the specific path, a client certificate is required. Surprisingly, however, the path becomes publicly accessible again without the client certificate --
I don't understand why this doesn't work. The setup is basically the same as for my other accessible and protected domains with the only difference that in this case only a certain path should be protected.
Did you put this rule at the top, so that it is probed and executed before the other one?
For testing the ACLs, just use a simple rule which gives a clear result, like "http-request deny".
Why isn't this working? What am I missing?
Maybe someone will see it if you post the whole configuration.
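For reference, here is what the path-only client certificate requirement described in the question looks like in raw HAProxy configuration, using the "http-request deny" style of rule suggested in the reply. This is an added example, not configuration from either poster or from the pfSense package. The reason the second-frontend approach does not restrict the path is that client certificate verification (`verify required`) is a property of the TLS listener (the `bind` line), so it applies to every request that arrives on that port and cannot be switched on per path; the path is only known after the handshake. The way to get a per-path requirement is to ask for the certificate at the TLS layer without requiring it (`verify optional`) and then enforce it per request with ACLs on `ssl_c_used` and `ssl_c_verify`. Hostnames, paths and certificate file locations below are assumptions for illustration; in the pfSense GUI the same pieces are the frontend's client certificate verification setting plus its ACL and action lists.

```haproxy
# Added example (not from the thread). One frontend terminates TLS for the
# public domain, requests a client certificate but does not require it for
# the handshake, and then denies the protected path unless a valid client
# certificate was presented. File paths, hostname and path prefix are assumed.
frontend fe_https
    # verify optional: certificate is requested; handshake proceeds without one.
    # A certificate that is presented but fails CA verification aborts the
    # handshake by default (unless crt-ignore-err is set).
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem ca-file /etc/haproxy/certs/clients-ca.pem verify optional

    # The otherwise public domain (matched on the Host header after TLS termination)
    acl host_public     hdr(host) -i www.example.com

    # The path that must sit behind a client certificate
    acl path_private    path_beg -i /private

    # Two separate ACLs so both conditions are AND-ed in the rule below
    # (repeating one ACL name would OR the conditions instead).
    acl has_client_cert ssl_c_used
    acl cert_verified   ssl_c_verify 0

    # Deny the protected path when no client certificate was presented or
    # when it did not verify against clients-ca.pem. http-request rules are
    # evaluated before use_backend, in the order written.
    http-request deny if host_public path_private !has_client_cert
    http-request deny if host_public path_private !cert_verified

    # Optional: tell the backend who authenticated on the protected path
    http-request set-header X-Client-Cert-DN %{+Q}[ssl_c_s_dn] if host_public path_private

    # Routing: the whole domain, protected path included, goes to one backend
    use_backend be_public if host_public
    default_backend be_public

backend be_public
    server web1 192.0.2.10:8080 check
```

To check the rules from a shell: `curl -k https://www.example.com/private/` should return 403 while `curl -k https://www.example.com/` returns the page, and `curl -k --cert client.pem --key client.key https://www.example.com/private/` with a certificate issued by `clients-ca.pem` should return the page again. If the protected path is still reachable without a certificate, confirm with `haproxy -c -f /var/etc/haproxy/haproxy.cfg` (or the path your pfSense package writes) that the generated configuration really contains `verify optional` on the bind and the deny rules above the `use_backend` lines, since the deny must be on the frontend that actually owns the `:443` bind.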