Netgate Discussion Forum

Client Authentication on path with HAProxy

Cache/Proxy
  • C
    ciconet
    last edited by Aug 5, 2021, 5:33 AM

    Hello guys,

    I'm trying to figure out how to perform a client authentication only on a specific path.
    Basically I have https://www.mysite.it and an SSL certificate for everyone. OK
    I would like anyone who points to https://www.miosito.it/paginasicura to have a certificate on board (client certificate) to identify themselves.
    How can I insert this directive for HAProxy in pfSense?
    I tried to go to the backend and create an ACL: ClientAuth_Path with Expression: Path contains: and value: secure page
    But then I get lost in the Actions ... I guess I have to set http-request auth but I don't know where to specify the previously loaded Certification Authority (the one that "trusts" the client that arrives on a secure page) ...
    In the realm section, do I have to put a custom command?
    Or maybe I'm completely off track?!?
    😣
    Thanks in advance for your help !!!

    • S
      stephenw10 Netgate Administrator
      last edited by Aug 5, 2021, 12:24 PM

      Maybe: https://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

      • C
        ciconet @stephenw10
        last edited by Aug 5, 2021, 2:05 PM

        @stephenw10 Hi and thanks for your reply,

        I saw this, but I don't know how I can apply it to HAProxy on pfSense...
        I attach an image where you can see the problem...

        715e352d-daab-417c-b8c4-5df8bcca8766-image.png

        How can I specify the CA to trust for client certificates?
        Is this setting correct?

        • S
          stephenw10 Netgate Administrator
          last edited by stephenw10 Aug 5, 2021, 4:38 PM Aug 5, 2021, 4:37 PM

          I don't believe you can do that since the front end needs to bind with 'verify required' for everything. See the discussion linked from that article:
          https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3

          It may not be something you can do using only the GUI options in the pfSense package. You might have to use the custom pass-through fields. It's not something I've ever seen done.

          But if you're using different front ends I would expect to use the 'SSL Client issued by CA common name:' option.

          Steve

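For reference, an added example that is not from either poster or from the pfSense package: a raw haproxy.cfg sketch in which the single bind still governs client-certificate handling for the whole frontend, but uses `verify optional` instead of `verify required`, and the requirement for `/paginasicura` is enforced at the HTTP layer. The file paths, backend name and address, and the `X-SSL-Client-CN` header name are assumptions.

```haproxy
frontend https_in
    mode http
    # verify optional: a client certificate is requested on every handshake,
    # but clients without one can still connect. A certificate that is
    # presented must chain to ca-file, otherwise the handshake fails.
    # (paths below are assumed locations)
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # The protected path from the question
    acl secure_path     path_beg /paginasicura
    # True when this TLS session (including a resumed one) used a client cert
    acl has_client_cert ssl_c_used
    # 0 means the presented certificate verified without error
    acl client_cert_ok  ssl_c_verify 0

    # Refuse the protected path unless a verified client certificate was used
    http-request deny deny_status 403 if secure_path !has_client_cert
    http-request deny deny_status 403 if secure_path !client_cert_ok

    # Never trust an identity header sent by the client; set it only from
    # the verified certificate (header name is an assumption)
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] if has_client_cert

    default_backend web

backend web
    mode http
    # assumed backend address (documentation range)
    server web1 192.0.2.10:80
```

Because the certificate request is made during the handshake, browsers that hold a matching certificate may prompt for it on every path, not only on `/paginasicura`.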
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.