Netgate Discussion Forum
    Using SSL client certificates in HAproxy

    wdijkerman

      Hi,

      I'm using pfSense 2.2.5 and have haproxy-devel installed.
      I have 2 frontends and 1 backend. The first backend sends all port 80 traffic to port 443.
      The 2nd backend is listening on port 443.

      I want, when a request with a client SSL certificate is made, some of the values from this certificate to be sent as HTTP headers to the backend.

      I found this piece of information about how to do this:

      
      http-request set-header X-Forwarded-Proto      https
      http-request set-header X-SSL                       %[ssl_fc]
      http-request set-header X-SSL-Client-Used           %[ssl_c_used]
      http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
      # ssl_c_sha1 is a binary sample; hex-encode it so it fits in a header value
      http-request set-header X-SSL-Client-SHA1           %[ssl_c_sha1,hex]
      http-request set-header X-SSL-Client-DN             %[ssl_c_s_dn]
      http-request set-header X-SSL-Client-CN             %[ssl_c_s_dn(cn)]
      http-request set-header X-SSL-Client-O              %[ssl_c_s_dn(o)]
      http-request set-header X-SSL-Issuer                %[ssl_c_i_dn]
      http-request set-header X-SSL-Issuer-O              %[ssl_c_i_dn(o)]
      http-request set-header X-SSL-Client-Not-Before     %[ssl_c_notbefore]
      http-request set-header X-SSL-Client-Not-After      %[ssl_c_notafter]

      This works in my Apache: %{HTTP:X-Forwarded-Proto}
      I get: https, https

      But this: %{HTTP:X-SSL-Issuer-O}
      won't return anything. If I manually set it to some hardcoded value, it works. The same goes for the other X-SSL- headers.

      PiBa

        This should work. Have you tried inspecting (tcpdump/wireshark) the traffic between haproxy and the backend? And haproxy itself does perform SSL offloading, right?

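The point behind PiBa's question is that the ssl_c_* fetches used in the snippet in the first post only carry values when HAProxy itself terminates the TLS connection and asks the client for a certificate; if the frontend passes TLS through to Apache untouched, every X-SSL-* header is set from an empty or zero sample. The configuration below is an added example written for this thread, not the poster's pfSense-generated config and not code from the HAProxy project. The certificate paths, the frontend and backend names and the backend address are assumptions; the header lines mirror the ones quoted in the first post.

```haproxy
# Added example: a frontend that terminates TLS, requires a client
# certificate, and forwards certificate attributes to the backend.
# Paths, section names and the backend address are assumptions.

frontend http-in
    bind :80
    mode http
    # Plain HTTP is sent to HTTPS, as the poster's first frontend does
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    # 'ssl' makes HAProxy terminate TLS (SSL offloading); 'ca-file' plus
    # 'verify required' makes it request and validate a client certificate.
    # Without both, ssl_c_used is 0 and the ssl_c_s_dn/ssl_c_i_dn fetches
    # return empty strings, which is what the empty headers look like.
    # With 'verify required' the handshake is refused when the client sends
    # no certificate or one not issued by the CA in client-ca.pem.
    bind :443 ssl crt /var/etc/haproxy/server.pem ca-file /var/etc/haproxy/client-ca.pem verify required
    mode http

    # ssl_c_verify is 0 on success (non-zero values are OpenSSL verify
    # error codes). The deny is redundant with 'verify required' but is the
    # check to keep when switching to 'verify optional'.
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }

    # set-header replaces any same-named header the client sent, so the
    # backend only ever sees values HAProxy derived from the handshake.
    http-request set-header X-Forwarded-Proto        https
    http-request set-header X-SSL                    %[ssl_fc]
    http-request set-header X-SSL-Client-Used        %[ssl_c_used]
    http-request set-header X-SSL-Client-Verify      %[ssl_c_verify]
    # ssl_c_sha1 is binary; the hex converter makes it header-safe
    http-request set-header X-SSL-Client-SHA1        %[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-DN          %[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN          %[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-O           %[ssl_c_s_dn(o)]
    http-request set-header X-SSL-Issuer             %[ssl_c_i_dn]
    http-request set-header X-SSL-Issuer-O           %[ssl_c_i_dn(o)]
    http-request set-header X-SSL-Client-Not-Before  %[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After   %[ssl_c_notafter]

    default_backend apache

backend apache
    mode http
    # Assumed address of the Apache server the headers are forwarded to
    server web1 192.0.2.10:80
```

Following PiBa's suggestion, a capture of the HAProxy-to-backend leg with this configuration in place should show every X-SSL-* header populated; if X-SSL-Client-Used arrives as 0 while X-Forwarded-Proto is present, the request reached HAProxy without a client certificate being negotiated, which points at the bind line rather than at Apache.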
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.