Add ACL for certificate CommonName
-
What is the purpose of the "Add ACL for certificate CommonName" setting in an HAProxy frontend?
-
@coreybrett
As the hint there ("host header matches the "CN" of the certificate") tells you, if this is checked it adds an ACL to limit access to the host name according to the common name in the SSL certificate. Note: if you have a SAN certificate, you also need to check "Add ACL for certificate Subject Alternative Names" if the above is enabled to pass all covered domains.
These ACLs are also applied to non-SSL traffic, if the frontend allows this as well.
-
So checking those boxes adds these lines to the generated config:

    acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^edge\.117pd\.xxx\.us(:([0-9]){1,5})?$
    acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^bbc-911\.xxx\.us(:([0-9]){1,5})?$
    acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^bbc-revere\.xxx\.us(:([0-9]){1,5})?$
    acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^flasktestapp\.xxx\.us(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend flasktestapp_ipvANY if aclcrt_https-edge
This line

    use_backend flasktestapp_ipvANY if aclcrt_https-edge

is only added if a default backend is selected.
If I have a backend for each of these hostnames, it seems that I still need to create an ACL for each to use for backend selection.
So I guess I still don't see the point of checking those boxes and creating the aclcrt_https-edge ACL.
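The following is an added example, not code from the thread or from the pfSense HAProxy package. It reproduces, in Python, what the four `aclcrt_https-edge` lines quoted above actually test: HAProxy ORs ACL lines that share a name, `-m reg` is a regex search, and `-i` makes it case-insensitive, so the `^`/`$` anchors in the generated patterns are what stop a Host header such as `edge.117pd.xxx.us.evil.example` from matching while still allowing an optional `:port` suffix. The second selection function, with its `PER_HOST_BACKENDS` table and the `edge_ipvANY`/`bbc911_ipvANY`/`bbcrevere_ipvANY` backend names, is hypothetical and illustrates the point raised in the last post: the shared certificate ACL only answers "is this host covered by the cert", so routing to one backend per hostname still needs a per-host ACL. The sample Host headers are constructed for the example.

```python
import re

# Patterns copied from the generated config quoted in the thread. HAProxy
# evaluates them against txn.txnhost (set from the Host header) with
# `-m reg -i`: an unanchored, case-insensitive regex search, so the
# leading ^ and trailing $ in each pattern are what make the match exact.
ACLCRT_HTTPS_EDGE = [
    r"^edge\.117pd\.xxx\.us(:([0-9]){1,5})?$",
    r"^bbc-911\.xxx\.us(:([0-9]){1,5})?$",
    r"^bbc-revere\.xxx\.us(:([0-9]){1,5})?$",
    r"^flasktestapp\.xxx\.us(:([0-9]){1,5})?$",
]


def aclcrt_matches(host, patterns=ACLCRT_HTTPS_EDGE):
    """True if any pattern matches: HAProxy ORs ACL lines sharing one name."""
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def select_backend_as_generated(host):
    """Selection exactly as the quoted config does it: every hostname the
    certificate covers goes to the single (default) backend."""
    if aclcrt_matches(host):
        return "flasktestapp_ipvANY"
    # No use_backend rule matched; HAProxy would fall through to
    # default_backend if one is configured, otherwise the request gets no backend.
    return None


# Hypothetical per-hostname mapping (not from the page). It stands in for a
# separate `acl host_x hdr(host) -i x` plus `use_backend x_backend if host_x`
# pair per backend, which the shared aclcrt ACL cannot replace.
PER_HOST_BACKENDS = {
    "edge.117pd.xxx.us": "edge_ipvANY",
    "bbc-911.xxx.us": "bbc911_ipvANY",
    "bbc-revere.xxx.us": "bbcrevere_ipvANY",
    "flasktestapp.xxx.us": "flasktestapp_ipvANY",
}


def select_backend_per_host(host):
    """Per-host routing gated on the certificate ACL first, so a Host header
    the certificate does not cover never reaches any backend."""
    if not aclcrt_matches(host):
        return None
    bare = host.split(":", 1)[0].lower()  # strip the optional :port, normalise case
    return PER_HOST_BACKENDS.get(bare)


# Constructed sample Host headers (not from the page) covering the edge cases.
SAMPLE_HOSTS = [
    "edge.117pd.xxx.us",               # exact match
    "EDGE.117PD.XXX.US:8443",          # -i makes it case-insensitive; port allowed
    "edge.117pd.xxx.us.evil.example",  # appended suffix: the $ anchor rejects it
    "sub.edge.117pd.xxx.us",           # prefixed label: the ^ anchor rejects it
    "edge.117pd.xxx.us:123456",        # six-digit port exceeds {1,5}
    "bbc-911.xxx.us",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:34} aclcrt={aclcrt_matches(h)!s:5} "
              f"generated={select_backend_as_generated(h)} "
              f"per_host={select_backend_per_host(h)}")
```

Running it shows the two routing functions agree on which hosts are admitted at all (that is the job of the checkbox-generated ACL) and differ only in which backend they pick, which is exactly the gap the last post describes: with several backends, the per-host ACLs are still needed, and the certificate ACL is best used as an extra condition on each `use_backend` line rather than as the only one.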