HaProxy and Client Certificate To ACL

  • Hello, I'm using the HaProxy plugin in pfsense. I have a problem that I can't find a solution to.

    I have several DNS names mapped to my WAN port, all of them work under the same FrontEnd, and I do SSL Offloading to allow a secure connection. The problem is that I want to ask for a Client Certificate, but only for one of them, and if I activate the option to request Client Certificates it asks all of them. I have an ACL "SSL Client certificate valid" to only validate on the one that I want, and only that one gives an error if no certificate is provided, which is ok, but when I enter the other websites I'm always asked for a certificate, and I don't want that for those.

    Can I do this under the same FrontEnd? Or do I need to make a separate one? The problem is that with a different FrontEnd I can't use the same port (443), correct?

    Thank You
    Best Regards

  • @soloam
    You should be able to use a 'shared frontend', and then on the second frontend configure the need for client certificates.

  • The problem is that the client certificate option ("SSL Offloading - client certificates") does not appear in the second frontend, and if I define "SSL Offloading - client certificates" on the first one, all of them ask for the certificate, even if it is not required ("Allows clients without a certificate to connect") and without the ACL to validate the certificate ("SSL Client certificate valid").

  • @Soloam
    Do you have the haproxy 1.8 package installed? The 1.7 one does not support different certificate options for different domains / SNIs by using crt-list with different binding configurations. And though the package is called 'haproxy-devel', the 1.8 version of haproxy is actually a 'stable' version.
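    To illustrate the crt-list approach mentioned in the reply above, here is an added example (not from this thread or the pfSense package) of the HAProxy 1.8 configuration it generates, with the client-certificate requirement attached to one SNI only; hostnames, file paths and the ACL names are placeholders.

```haproxy
# /etc/haproxy/shared.crtlist (constructed example).
# The bracketed options apply per certificate, so only the SNI that
# matches the second line will receive a TLS CertificateRequest.
# The first line is also the default certificate for clients without SNI.
/etc/haproxy/certs/public.example.com.pem [verify none] public.example.com www.example.com
/etc/haproxy/certs/secure.example.com.pem [verify required ca-file /etc/haproxy/certs/client-ca.pem] secure.example.com

# haproxy.cfg: one shared frontend on port 443.
# NOTE: putting "verify" on the bind line itself would apply it to every
# hostname, which is the behaviour described in the question.
frontend shared_https
    mode http
    bind :443 ssl crt-list /etc/haproxy/shared.crtlist

    # Belt-and-braces check at the HTTP layer for the protected hostname:
    # a valid client certificate must have been presented and verified.
    acl host_secure     ssl_fc_sni -i secure.example.com
    acl client_cert_ok  ssl_c_used
    acl client_cert_bad ssl_c_verify -m int gt 0
    http-request deny if host_secure !client_cert_ok
    http-request deny if host_secure client_cert_bad

    use_backend be_secure if host_secure
    default_backend be_public

backend be_public
    mode http
    server web1 127.0.0.1:8080

backend be_secure
    mode http
    server app1 127.0.0.1:8443
```

    In the pfSense GUI the equivalent is to set the client-certificate options on the certificate entry (crt-list) for the secondary/shared frontend rather than on the primary frontend's bind, which is why the 1.8 package is needed.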

  • Yes, I have the non-dev one!

    Question: can I remove the package and install the dev one? Will I lose all my configs?

    Thank You

  • @Soloam
    You can simply uninstall the old and then install the new and the config will remain in place. Also if for some reason you want to go back that is the way. Though some 'extra' settings would then be 'lost'. Anyway always good to have a config backup :).
