Using SSL client certificates in HAproxy
-
Hi,
I'm using PFsense 2.2.5 and have the haproxy-devel installed.
I have 2 frontends and 1 backend. First backend sends all port 80 traffic to port 443.
2nd backend is listening on port 443.I want to be able when an request with client ssl certificate is made, some of the values from this certificate needs to be sent as http header to the backend.
I found this piece of information about how to do this:
http-request set-header X-Forwarded-Proto https http-request set-header X-SSL %[ssl_fc] http-request set-header X-SSL-Client-Used %[ssl_c_used] http-request set-header X-SSL-Client-Verify %[ssl_c_verify] http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1] http-request set-header X-SSL-Client-DN %[ssl_c_s_dn] http-request set-header X-SSL-Client-CN %[ssl_c_s_dn(cn)] http-request set-header X-SSL-Client-O %[ssl_c_s_dn(o)] http-request set-header X-SSL-Issuer %[ssl_c_i_dn] http-request set-header X-SSL-Issuer-O %[ssl_c_i_dn(o)] http-request set-header X-SSL-Client-Not-Before %[ssl_c_notbefore] http-request set-header X-SSL-Client-Not-After %[ssl_c_notafter]This works in my Apache: %{HTTP:X-Forwarded-Proto}
I get: https, httpsBut this: %{HTTP:X-SSL-Issuer-O}
won't return anything. If I manually set to to some hardcoded value, it works. The same is for the other X-SSL- headers.
-
This should work.. Have you tried inspecting (tcpdump/wireshark) the traffic between haproxy and backend? And haproxy itself does perform ssl offloading right?