Netgate Discussion Forum

Can't protect certain path only with client certificate

Category: Cache/Proxy
sensewolf (Apr 30, 2025, 7:55 PM):

    Hi,

    I have a pfSense firewall with HAProxy running in my home lab.

    Some of my domains are publicly accessible and some are hidden behind a client certificate request. This separation on a pure domain basis works fine.

    But now I want to protect a certain path of an otherwise publicly accessible domain behind a client certificate request and I can't get that to work.

    My general setup

    • acl that matches the host (domain)
    • action that uses backend based on the acl

    What I have done to protect the path:

    • Defined an acl that matches the path I want to protect (on a "not"-basis)
    • Added that acl to the action

    -- The domain remains publicly accessible, except for that specific path. This is what I expect to happen --

    • Set up a new frontend
    • Defined an acl that matches the host (domain) -- I have also tried without this step
    • Defined an acl that matches the path I want to protect
    • Defined an action that uses the backend based on the acls
    • Require a certain client certificate

    -- The expected outcome is that in order to access the specific path, a client certificate is required. Surprisingly, however, the path becomes publicly accessible again without the client certificate --

    I don't understand why this doesn't work. The setup is basically the same as for my other accessible and protected domains with the only difference that in this case only a certain path should be protected.

    Why isn't this working? What am I missing?

viragomann @sensewolf (May 1, 2025, 6:28 PM):

      @sensewolf said in Can't protect certain path only with client certificate:

      -- The expected outcome is that in order to access the specific path, a client certificate is required. Surprisingly, however, the path becomes publicly accessible again without the client certificate --

      I don't understand why this doesn't work. The setup is basically the same as for my other accessible and protected domains with the only difference that in this case only a certain path should be protected.

      Did you put this rule at the top, so that it is probed and executed before the other one?

      For testing the ACLs just use a simple rule which gives a clear result, like "http-request deny".

      Why isn't this working? What am I missing?

      Maybe someone will see it if you post the whole configuration.
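The point in the reply about rule order is the key to the problem in the first post, and it is worth seeing in raw HAProxy syntax (the pfSense package writes a haproxy.cfg from the GUI settings; the directives below are what the generated file contains). In HAProxy the client certificate requirement is a property of the `bind` line, i.e. of the TLS listener, so a second frontend cannot make it conditional on a path: the socket, not the host or path ACL, decides which frontend handles a connection. The way to protect only one path is to request the certificate optionally on the bind line and then deny, per request, before any `use_backend` rule. The following configuration is an added example and is not the poster's configuration; the hostname, the /admin path, the backend name and the certificate file locations are assumptions.

```haproxy
# Added example, not the poster's configuration. Hostnames, paths and file
# locations below are assumptions.
#
# Goal: example.com stays public, but /admin requires a valid client
# certificate issued by the CA in client-ca.pem.
frontend https_in
    mode http
    # "verify optional": the handshake asks the client for a certificate but
    # does not fail when none is sent. The per-request decision is made below.
    # (HAProxy still aborts the handshake if a certificate IS sent but fails
    # verification, unless crt-ignore-err/ca-ignore-err are set.)
    bind :443 ssl crt /etc/haproxy/certs/example.com.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Host and path ACLs, as in the first post.
    acl host_example   hdr(host) -i example.com
    acl path_protected path_beg -i /admin

    # Client certificate state of the current TLS session:
    #   ssl_c_used     - a client certificate was presented
    #   ssl_c_verify 0 - it validated against ca-file (0 = no verify error);
    #                    a defensive second check on top of the handshake rule above
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0

    # http-request rules run in order, before use_backend. These two deny
    # lines must come first; if they were placed after a use_backend or
    # in a different frontend on another socket they would never be reached
    # for this request, which is the symptom described in the first post.
    http-request deny if host_example path_protected !cert_presented
    http-request deny if host_example path_protected !cert_valid

    # Everything else on example.com, including /admin with a valid client
    # certificate, is routed normally.
    use_backend bk_example if host_example
    default_backend bk_public

backend bk_example
    mode http
    server web1 192.0.2.10:8080 check

backend bk_public
    mode http
    server web2 192.0.2.11:8080 check
```

For testing, follow the reply's advice and keep the rule as a bare deny: `curl -k https://example.com/admin/` should return 403 with no certificate, while `curl -k --cert client.pem --key client.key https://example.com/admin/` should reach the backend. If the path is still reachable without a certificate, check the generated haproxy.cfg on the pfSense box for the order of the `http-request` and `use_backend` lines.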

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.