Client Authentication on path with HAProxy
-
Hello guys,
I'm trying to figure out how to perform a client authentication only on a specific path.
Basically I have https://www.mysite.it and an SSL certificate for everyone. OK
I would like anyone who points to https://www.miosito.it/paginasicura to have a certificate on board (client certificate) to identify themselves.
How can I insert this directive in HAProxy on pfSense?
I tried to go to the backend and create ACL: ClientAuth_Path with Expression: Path contains: and value: secure page
But then I get lost in the Actions ... I guess I have to set http-request auth but I don't know where to specify the previously loaded Certification Authority (the one that "trusts" the client that arrives on a secure page) ...
In the realm section, do I have to put a custom command?
Or maybe I'm completely off track?!?
Thanks in advance for your help !!! -
-
@stephenw10 hi and thanks for your reply,
I saw this, but I don't know how I can apply it on HAProxy on pfSense...
I attach an image where you can see the problem... How can I specify the CA to trust client certificates?
Is this setting correct?
-
I don't believe you can do that since the front end needs to bind with 'verify required' for everything. See the discussion linked from that article:
https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3
It may not be something you can do using only the GUI options in the pfSense package. You might have to use the custom pass through fields. It's not something I've ever seen done.
But if you're using different front ends I would expect to use the 'SSL Client issued by CA common name:' option.
Steve
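
For reference, an added example that is not part of the thread: in plain HAProxy configuration syntax, per-path enforcement can be written by requesting the client certificate with `verify optional` on the bind line and then denying requests to the protected path when no certificate was presented. The certificate file paths, backend name and server address are placeholders, the path is the one from the question, and how these directives map onto the pfSense package GUI is not shown.

```haproxy
# Added example. File paths, names and addresses below are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # verify optional: ask every client for a certificate during the TLS
    # handshake, but still accept clients that send none. A certificate that
    # IS sent must chain to ca-file, otherwise the handshake fails.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Protected path from the question. path_beg also matches anything that
    # merely starts with this string, so tighten it if other paths share it.
    acl secure_path path_beg /paginasicura

    # True when the TLS session carries a client certificate
    # (also true for resumed sessions).
    acl has_client_cert ssl_c_used

    # Everyone reaches the rest of the site; the protected path needs a cert.
    http-request deny deny_status 403 if secure_path !has_client_cert

    # Drop any client-supplied copy of the identity header before setting it,
    # so the backend can trust the value it receives.
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] if has_client_cert

    default_backend be_site

backend be_site
    server web1 192.0.2.10:80
```

Because the certificate request happens at the handshake, before any path is known, browsers with a matching certificate installed may prompt the user on every page of the site, not only on the protected path.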