Netgate Discussion Forum

HaProxy and Client Certificate To ACL

Cache/Proxy
6 Posts 2 Posters 997 Views
    Soloam
    last edited by Mar 15, 2019, 4:03 PM

    Hello, I'm using the HaProxy plugin in pfSense. I have a problem that I can't find a solution for.

    I have several DNS mapped in my WAN port, all of them work under the same FrontEnd, and I do SSL Offloading to allow a secure connection. The problem is that I want to ask for a client certificate, but only for one of them, and if I activate the option to request client certificates it asks for all of them. I have an ACL "SSL Client certificate valid" to only validate in the one that I want, and only that one gives an error if no certificate is provided, that is OK, but when I enter the other websites I'm always asked for a certificate, and I don't want that for those.

    Can I do this under the same FrontEnd? Or do I need to make a separate one? The problem is that with a different FrontEnd I can't use the same port (443), correct?

    Thank You
    Best Regards

      PiBa @Soloam
      last edited by Mar 15, 2019, 8:34 PM

      @soloam
      You should be able to use a 'shared frontend', and then on the second frontend configure the need for client certificates.

        Soloam
        last edited by Mar 17, 2019, 2:10 PM

        The problem is that the option for client certificate definition does not appear in the second frontend ("SSL Offloading - client certificates"), and if I define an "SSL Offloading - client certificates" all of them ask for the certificate, even if not required ("Allows clients without a certificate to connect") and without the ACL to validate the certificate ("SSL Client certificate valid").

          PiBa @Soloam
          last edited by PiBa Mar 17, 2019, 6:04 PM Mar 17, 2019, 6:03 PM

          @Soloam
          Do you have the haproxy 1.8 package installed? The 1.7 one does not support different certificate options for different domains / SNIs by using crt-list with different binding configurations. And though the package is called 'haproxy-devel', the 1.8 version of haproxy is actually a 'stable' version.

            Soloam
            last edited by Mar 19, 2019, 4:04 PM

            Yes, I have the non-dev one!

            Question: can I remove the package and install the dev? Will I lose all my configs?

            Thank You

              PiBa @Soloam
              last edited by Mar 19, 2019, 6:32 PM

              @Soloam
              You can simply uninstall the old and then install the new, and the config will remain in place. Also, if for some reason you want to go back, that is the way. Though some 'extra' settings would then be 'lost'. Anyway, always good to have a config backup :).

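The per-SNI crt-list approach PiBa refers to, written out as raw HAProxy 1.8+ configuration. This is an added example, not taken from the thread or from the config the pfSense package generates; the hostnames, file paths and backend addresses are constructed placeholders.

```haproxy
# ---- crt-list file: /etc/haproxy/crt-list.txt (constructed path) ----
# Line format: <crtfile> [<ssl bind options>] <sni filter>
# Only a handshake with SNI secure.example.com requests a client certificate;
# the other hostname is served without any certificate prompt.
/etc/haproxy/certs/secure.example.com.pem [verify optional ca-file /etc/haproxy/ca/clients-ca.pem] secure.example.com
/etc/haproxy/certs/www.example.com.pem www.example.com

# ---- haproxy.cfg: frontend/backend part ----
frontend https-in
    mode http
    # One bind on 443 for all hostnames; per-SNI TLS options come from the crt-list.
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt

    # The Host header may carry the port, so match both forms.
    acl host_secure    hdr(host) -i secure.example.com secure.example.com:443
    # True when the TLS session used a client certificate (also on resumption).
    acl has_client_crt ssl_c_used
    # 0 means the certificate chain verified against ca-file without error.
    acl crt_verified   ssl_c_verify 0

    # Enforce at the HTTP layer. The crt-list only decides whether the
    # certificate is requested for a given SNI; a client can send a different
    # SNI than Host header, so the protected host must be denied whenever the
    # session carries no verified client certificate.
    http-request deny if host_secure !has_client_crt
    http-request deny if host_secure !crt_verified

    use_backend bk_secure if host_secure
    default_backend bk_www

backend bk_secure
    mode http
    server app1 192.0.2.10:8080   # constructed address

backend bk_www
    mode http
    server web1 192.0.2.20:8080   # constructed address
```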