Netgate Discussion Forum
HAProxy w/Client Certificates Authentication

Category: Cache/Proxy. 2 posts, 1 poster, 1.5k views.
  • Cheaha, Jun 2, 2021, 4:38 PM (last edited Jun 2, 2021, 4:40 PM)

    I'm exhausted because I've been researching this topic for days and can't seem to figure it out. I have a working setup with HAProxy using a shared frontend, with multiple frontends and backends. What I am trying to do is have one or two of those frontends forward traffic to the backend only if the client presents a proper client-side certificate. I can see in pfSense where this is part of the GUI, but for the life of me I can't figure out how to use it. In the frontend definition there is a section dedicated to Client Certificates.


    Yes, I know VPN is a solution, but using a client-side certificate has many advantages for both deployment and configuration. Again, HAProxy is working great; I can reach all the sites. I am just wanting to set up a client-side certificate check on one or two of them. Here is a great article talking about how this is possible with HAProxy. The challenge is how to do this with pfSense.

    Client Certificate Authentication with HAProxy by Aaron West

    There doesn't seem to be anything on the internet explaining how to do this with pfSense, yet it seems like it was considered when creating the package. Any thoughts? Thanks, everybody!

    • Cheaha, Jun 3, 2021, 4:41 AM (last edited Jun 3, 2021, 4:44 AM)

      I finally cracked it. In order for the settings for the frontend to work, a matching SNI filter was needed so that the crt-list would kick in. Settings for the sub-frontend for client-side certs were ignored without the SNI match.

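The mechanism behind the reply above, shown as plain HAProxy configuration rather than the pfSense GUI. This is an added illustration, not text from the poster and not the configuration the pfSense HAProxy package actually generates; the hostnames, file paths, backend addresses and header names are assumptions. The point it demonstrates: with `crt-list`, the bracketed per-certificate options (here `ca-file` and `verify required`) are only applied to the TLS session whose ClientHello SNI matches the filter at the end of that line, so a crt-list line without an SNI filter never triggers the client-certificate prompt, which is exactly the behaviour the reply describes.

```haproxy
# --- /var/etc/haproxy/crtlist.txt (assumed path) -----------------------------
# Format of each line:  <server-cert.pem> [per-cert ssl options] <SNI filter...>
# The bracketed options are applied only when the SNI presented by the client
# matches the filter on that line.  A line with no filter is the default cert.
#
#   /var/etc/haproxy/default.pem
#   /var/etc/haproxy/secure.example.com.pem [ca-file /var/etc/haproxy/client-ca.crt verify required] secure.example.com
#
# Drop the trailing "secure.example.com" filter and the bracketed options are
# never selected, so clients are never asked for a certificate at all.

# --- haproxy.cfg, relevant parts only ----------------------------------------
frontend shared_https
    bind :443 ssl crt-list /var/etc/haproxy/crtlist.txt
    mode http

    # TLS is terminated here, so route on the terminated SNI (ssl_fc_sni),
    # not on the raw ClientHello (req.ssl_sni) used in TCP passthrough setups.
    acl sni_secure ssl_fc_sni -i secure.example.com
    acl sni_public ssl_fc_sni -i www.example.com

    # "verify required" already aborts the handshake when no valid client
    # certificate is presented.  This second check is defence in depth: refuse
    # to proxy the request unless a peer certificate was used and it verified
    # (ssl_c_verify 0) against client-ca.crt.  It also keeps the policy visible
    # in the config if someone later relaxes the crt-list line to "verify optional".
    http-request deny deny_status 403 if sni_secure !{ ssl_c_used } || sni_secure !{ ssl_c_verify 0 }

    # Pass the verified identity to the application.  The backend must trust
    # only this proxy for these headers, since anyone who can reach it directly
    # could forge them.
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]   if sni_secure
    http-request set-header X-SSL-Client-Serial %[ssl_c_serial,hex] if sni_secure

    use_backend be_secure if sni_secure
    use_backend be_public if sni_public
    default_backend be_public

backend be_secure
    # assumed internal address of the application that requires client certs
    server app1 10.0.10.5:8080 check

backend be_public
    # assumed internal address of the site that stays open
    server web1 10.0.10.6:80 check
```

Two checks worth running after applying this. First, `haproxy -c -f haproxy.cfg` will reject a crt-list line that says `verify required` without a `ca-file`, so a configuration that loads is already some evidence that the bracketed options were parsed. Second, connect with and without a client certificate using `openssl s_client -connect <pfsense-ip>:443 -servername secure.example.com -cert client.pem -key client.key`: the handshake should complete with the certificate and fail without it, while the same command against `-servername www.example.com` should complete either way. If both names behave identically, the SNI filter in the crt-list does not match what the client is sending, which is the symptom the reply above describes.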
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.