Using SSL client certificates in HAproxy



  • Hi,

    I'm using PFsense 2.2.5 and have the haproxy-devel installed.
    I have 2 frontends and 1 backend. First backend sends all port 80 traffic to port 443.
    2nd backend is listening on port 443.

    I want to be able, when a request with a client SSL certificate is made, to have some of the values from this certificate sent as HTTP headers to the backend.

    I found this piece of information about how to do this:

    
    http-request set-header X-Forwarded-Proto      https
    http-request set-header X-SSL                       %[ssl_fc]
    http-request set-header X-SSL-Client-Used           %[ssl_c_used]
    http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1           %[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN             %[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN             %[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-O              %[ssl_c_s_dn(o)]
    http-request set-header X-SSL-Issuer                %[ssl_c_i_dn]
    http-request set-header X-SSL-Issuer-O              %[ssl_c_i_dn(o)]
    http-request set-header X-SSL-Client-Not-Before     %[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After      %[ssl_c_notafter]
    
    

    This works in my Apache: %{HTTP:X-Forwarded-Proto}
    I get: https, https

    But this: %{HTTP:X-SSL-Issuer-O}
    won't return anything. If I manually set it to some hardcoded value, it works. The same is true for the other X-SSL- headers.



  • This should work. Have you tried inspecting (tcpdump/wireshark) the traffic between haproxy and the backend? And haproxy itself does perform SSL offloading, right?


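For reference, here is a complete frontend/backend pair in which the ssl_c_* fetches used above are actually populated. This is an added example and not configuration from either poster: the ssl_c_* samples only carry data when HAProxy itself terminates TLS on the bind line and is told to request a client certificate (ca-file plus verify), which is the point of the reply's SSL-offloading question. The certificate paths, frontend/backend names and the 192.0.2.10 server address are placeholders.

```haproxy
# Added example, not from the original thread. Paths, names and the
# backend address are placeholders to be replaced with real values.

frontend https_in
    mode http
    # HAProxy terminates TLS here. Without ca-file and verify, no client
    # certificate is requested and every ssl_c_* fetch stays empty.
    # "verify optional" lets requests without a certificate through;
    # use "verify required" to reject them at the TLS layer instead.
    bind :443 ssl crt /usr/local/etc/ssl/server.pem ca-file /usr/local/etc/ssl/client-ca.pem verify optional

    # Remove any copies of these headers that arrived from the client, so
    # the backend only ever sees values HAProxy derived from the TLS
    # session. This matters because the set-header lines below are
    # conditional: when no certificate was presented, a client-supplied
    # header would otherwise pass through untouched.
    http-request del-header X-SSL-Client-Used
    http-request del-header X-SSL-Client-Verify
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Issuer-O
    http-request del-header X-SSL-Client-SHA1

    http-request set-header X-Forwarded-Proto https
    http-request set-header X-SSL-Client-Used %[ssl_c_used]

    # Only fill in certificate details when a certificate was actually
    # presented; ssl_c_verify is 0 on success, otherwise the OpenSSL
    # verification error code, so the backend can still check it.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]   if { ssl_c_used }
    http-request set-header X-SSL-Client-CN     %[ssl_c_s_dn(cn)] if { ssl_c_used }
    http-request set-header X-SSL-Client-DN     %[ssl_c_s_dn]     if { ssl_c_used }
    http-request set-header X-SSL-Issuer-O      %[ssl_c_i_dn(o)]  if { ssl_c_used }
    http-request set-header X-SSL-Client-SHA1   %[ssl_c_sha1]     if { ssl_c_used }

    default_backend web_servers

backend web_servers
    mode http
    # Plain HTTP to the backend; the headers above carry the TLS facts.
    server app1 192.0.2.10:80 check
```

With this in place, a tcpdump or wireshark capture between HAProxy and the backend (as the reply suggests) should show the X-SSL-* headers on requests that carried a client certificate, and the backend should treat X-SSL-Client-Verify equal to 0 as the only trusted state.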