Netgate Discussion Forum

Using SSL client certificates in HAproxy

Cache/Proxy
  • wdijkerman
    last edited by Feb 5, 2016, 9:56 AM

    Hi,

    I'm using pfSense 2.2.5 and have haproxy-devel installed.
    I have 2 frontends and 1 backend. The first backend sends all port 80 traffic to port 443.
    The 2nd backend is listening on port 443.

    When a request is made with a client SSL certificate, I want some of the values from this certificate to be sent as HTTP headers to the backend.

    I found this piece of information about how to do this:

    http-request set-header X-Forwarded-Proto           https
    http-request set-header X-SSL                       %[ssl_fc]
    http-request set-header X-SSL-Client-Used           %[ssl_c_used]
    http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1           %[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN             %[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN             %[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-O              %[ssl_c_s_dn(o)]
    http-request set-header X-SSL-Issuer                %[ssl_c_i_dn]
    http-request set-header X-SSL-Issuer-O              %[ssl_c_i_dn(o)]
    http-request set-header X-SSL-Client-Not-Before     %[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After      %[ssl_c_notafter]

    This works in my Apache: %{HTTP:X-Forwarded-Proto}
    I get: https, https

    But this: %{HTTP:X-SSL-Issuer-O}
    won't return anything. If I manually set it to some hardcoded value, it works. The same goes for the other X-SSL- headers.

    • PiBa
      last edited by Feb 12, 2016, 10:51 PM

      This should work. Have you tried inspecting (tcpdump/Wireshark) the traffic between HAProxy and the backend? And HAProxy itself does perform SSL offloading, right?

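One way to act on the suggestion to inspect the traffic between HAProxy and the backend, as an added example that is not part of either post: the script below parses one captured request and classifies each X-SSL header from the snippet as missing, empty, duplicate or ok. The capture, the host name and the function names are constructed for illustration, and it assumes HAProxy renders the boolean fetches `ssl_fc` and `ssl_c_used` as `1` or `0`.

```python
# Added example: constructed capture and hypothetical helper names.
from collections import defaultdict

# Header names taken from the set-header lines in the first post.
CERT_HEADERS = [
    "X-SSL", "X-SSL-Client-Used", "X-SSL-Client-Verify", "X-SSL-Client-SHA1",
    "X-SSL-Client-DN", "X-SSL-Client-CN", "X-SSL-Client-O", "X-SSL-Issuer",
    "X-SSL-Issuer-O", "X-SSL-Client-Not-Before", "X-SSL-Client-Not-After",
]

def parse_headers(raw: bytes) -> dict:
    """Return {lower-case name: [values]} from the head of one HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def diagnose(raw: bytes) -> dict:
    """Classify each certificate header as missing, empty, duplicate or ok."""
    headers = parse_headers(raw)
    status = {}
    for name in CERT_HEADERS:
        values = headers.get(name.lower(), [])
        if not values:
            status[name] = "missing"
        elif len(values) > 1:
            status[name] = "duplicate"
        elif values[0] == "":
            status[name] = "empty"
        else:
            status[name] = "ok"
    notes = []
    # Assumption: boolean fetches appear in the header as "1" or "0".
    if headers.get("x-ssl") == ["0"]:
        notes.append("ssl_fc is false: this request did not arrive over TLS on the frontend")
    if headers.get("x-ssl-client-used") == ["0"]:
        notes.append("ssl_c_used is false: no client certificate in this TLS session")
    return {"status": status, "notes": notes}

# Constructed sample of what a capture between HAProxy and the backend might show.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: app.example.test\r\n"
          b"X-Forwarded-Proto: https\r\nX-SSL: 1\r\nX-SSL-Client-Used: 0\r\n"
          b"X-SSL-Client-Verify: 0\r\nX-SSL-Client-SHA1: \r\nX-SSL-Issuer-O: \r\n\r\n")

if __name__ == "__main__":
    report = diagnose(SAMPLE)
    for name, state in report["status"].items():
        print(f"{name:26} {state}")
    print(*report["notes"], sep="\n")
```
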
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.