Using SSL client certificates in HAproxy

wdijkerman

Hi,

I'm using PFsense 2.2.5 and have the haproxy-devel installed.
I have 2 frontends and 1 backend. First backend sends all port 80 traffic to port 443.
2nd backend is listening on port 443.

I want to be able when an request with client ssl certificate is made, some of the values from this certificate needs to be sent as http header to the backend.

I found this piece of information about how to do this:

http-request set-header X-Forwarded-Proto      https
http-request set-header X-SSL                       %[ssl_fc]
http-request set-header X-SSL-Client-Used           %[ssl_c_used]
http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1           %[ssl_c_sha1]
http-request set-header X-SSL-Client-DN             %[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN             %[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Client-O              %[ssl_c_s_dn(o)]
http-request set-header X-SSL-Issuer                %[ssl_c_i_dn]
http-request set-header X-SSL-Issuer-O              %[ssl_c_i_dn(o)]
http-request set-header X-SSL-Client-Not-Before     %[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After      %[ssl_c_notafter]

This works in my Apache: %{HTTP:X-Forwarded-Proto}
I get: https, https

But this: %{HTTP:X-SSL-Issuer-O}
won't return anything. If I manually set to to some hardcoded value, it works. The same is for the other X-SSL- headers.

PiBa

This should work.. Have you tried inspecting (tcpdump/wireshark) the traffic between haproxy and backend? And haproxy itself does perform ssl offloading right?