HAProxy client certificate validation per app

  • Hi,

    I have HAProxy setup successfully with client certificate validation and everything is working well. Only my devices with a valid cert can view my applications behind the proxy. Great!

    I now have one particular app that I want to expose without needing a client cert.

    There seem to be a few different ways to achieve this, and several people have walked through the configuration for HAProxy online, but unfortunately the pfSense GUI is completely different to everything the guides say and I can't for the life of me figure it out. Even this official guide from HAProxy themselves makes no sense:


    Can anyone please help with how this would be set up? I know how to find the "optional" setting for client certs, but this on its own obviously just allows connections to everything. I've tried playing with ACLs but I can't get a combination to work that achieves the desired effect.

    Thank you to anyone who gives this a shot!

  • @2fst4u
    Are you using the haproxy-devel package? It exposes a few extra settings for shared frontends regarding their certificates.

    Adding an ACL that checks whether the client certificate was validated could help as well, rejecting the connection if it wasn't for specific backends.
    What config do you have at the moment, and what part of it doesn't yet fully work as intended?

  • Thanks for the reply!

    No I'm not using development, I'm just using the regular package. What extra settings does the development package provide?

    Weirdly though I managed to get this to work. I found someone else online who did this by making a convoluted loop of frontend to backend to frontend and back to another backend.

    1. My first backend terminates the SSL connection and specifies the client certificate to be used, but is set to "optional". (Actually my first backend is on port 80 redirecting to 443 but I'll ignore that one).

    2. My second frontend, a shared frontend, determines if an app is "private" or "public" based on the address. If it's public it goes to a localhost backend, if it's private it goes to a different localhost backend. To go to a private app the ACL also requires client certificate to be valid.

    3. The private and public localhost backends just go straight to a localhost frontend each.

    4. The localhost frontends just have ACLs for the same apps as step 2, which direct to the actual correct backend.

    Now, weirdly, I was thinking that I could get rid of the loop and just use the ACL for checking for a client certificate to go straight to the proper backend, but this didn't work. It just made any request for a private app go to the first one on the list. I think it was using an OR operation and going "if the app is APP1 OR valid cert, go to APP1. If the app is APP2 OR valid cert, go to APP2", which meant any time it had a client cert it went to APP1 because it met the OR operation for a valid cert regardless of where I wanted to go. I don't understand why, because as far as I can tell it's the same ACL as I'm using in the convoluted version.

    In the end the convoluted loop works so I'm going to leave it untouched. The only downside is mobile browsers ask for a client cert even if the user doesn't have one, so they have to click "cancel" to continue. This isn't production though so I'm not worried, it's just friends and family.
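    As an added illustration (not the poster's pfSense configuration), here is how the same public/private split looks in raw HAProxy syntax without the frontend-to-backend loop. The hostnames, certificate paths, ports and backend names are assumptions; the point is that ACL names listed on one `use_backend` line are ANDed, so the host check and the client-certificate check are evaluated together, and that `ssl_c_verify` alone is not enough because it also reads 0 when no certificate was presented at all.

    ```haproxy
    # Added example, not from the original thread. Assumed names throughout.
    frontend fe_https
        mode http
        # verify optional: ask every client for a cert, but do not abort the
        # handshake when none is offered (the public app must still work).
        bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.crt verify optional

        acl host_public   req.hdr(host) -i public.example.com
        acl host_private  req.hdr(host) -i private.example.com

        # Two separate ACLs, checked together. ssl_c_verify returns 0 both when
        # verification succeeded AND when no cert was sent, so ssl_c_used is required.
        acl cert_present  ssl_c_used
        acl cert_verified ssl_c_verify 0

        # Explicitly refuse private hosts without a valid client cert, so a
        # missing cert can never fall through to another backend.
        http-request deny if host_private !cert_present
        http-request deny if host_private !cert_verified

        # Space-separated ACLs on one line are ANDed (OR would be "||" or a
        # repeated ACL name), so this only matches private host + valid cert.
        use_backend bk_private if host_private cert_present cert_verified
        use_backend bk_public  if host_public

        # Unknown Host header: never route to whichever backend happens to be first.
        default_backend bk_denied

    backend bk_private
        mode http
        server app_private 127.0.0.1:8081 check

    backend bk_public
        mode http
        server app_public 127.0.0.1:8080 check

    backend bk_denied
        mode http
        http-request deny
    ```

    Because `verify optional` applies to the whole `bind` line, browsers are still prompted for a certificate on the public host; per-SNI certificate settings (the crt-list approach mentioned in the next reply) are what removes that prompt.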

  • @2fst4u said in HAProxy client certificate validation per app:

    What extra settings does the development package provide?

    The development package allows specifying client certificate options per shared frontend by using the crt-list option of haproxy 1.8 with a specific sslbindconf for each SNI, whereas 1.7 does not support that and thus hides those options in the webgui.

    BTW, that the package is called -devel does not mean the software isn't stable. The current development version of haproxy is '2.0-dev', and 1.9 is also marked stable, though it still has some rough edges. 1.8 is really stable for everything it supports.
