Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HaProxy and Client Certeficate To ACL

    Scheduled Pinned Locked Moved
    Cache/Proxy
    2
    6
    805
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • SoloamS
      Soloam
      last edited by

      Hello, I'm using HaProxy plugin in pfsense. I have a problem that I can't find a solution.

      I have several DNS mapped in my wan port, all of them work under the same FrontEnd, and I make SSL Offloading to allow a secure connection. The problem is that I what to ask for a Client Certeficate, but only to one of them, and If I activate the option to request Client Certeficates it asks to all of them. I have a ACL "SSL Client certificate valid" to only validate in the one that I what, and only that one gives a error if no certeficate is provided, that is ok, but when I enter the other websites I'm allways asked for a certificate, and I don't what that to those.

      Can I do this under the same FrontEnd? Or I need to make a separate one? The problem is that with a different FrontEnd I can't use the same port (443) correct?

      Thank You
      Best Regards

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @Soloam
        last edited by

        @soloam
        You should be able to use a 'shared frontend' , and then on the second frontend configure the need for client certificates.

        1 Reply Last reply Reply Quote 0
        • SoloamS
          Soloam
          last edited by

          The problem is that the option to client certificate definition does not appear in the second frontend "SSL Offloading - client certificates", and if I define a "SSL Offloading - client certificates" all of them ask for the certificate, even if not required "Allows clients without a certificate to connect" and without the acl to validate the certificate "SSL Client certificate valid"

          P 1 Reply Last reply Reply Quote 0
          • P
            PiBa @Soloam
            last edited by PiBa

            @Soloam
            Do have the haproxy 1.8 package installed? The 1.7 one does not support different certificate options for different domains / sni's by using crt-list with different binding configurations. And though the package is called 'haproxy-devel' the 1.8 version of haproxy is actually a 'stable' version..

            1 Reply Last reply Reply Quote 0
            • SoloamS
              Soloam
              last edited by

              Yes I have the none dev one!

              Question, can I remove the package and install the dev? will I lose all my configs?

              Thank You

              P 1 Reply Last reply Reply Quote 0
              • P
                PiBa @Soloam
                last edited by

                @Soloam
                You can simply uninstall the old and then install the new and the config will remain in place. Also if for some reason you want to go back that is the way. Though some 'extra' settings would then be 'lost'. Anyway always good to have a config backup :).

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post