HAProxy community

ACL based on Client CN in TCP mode - version - 1.7.10


#1

I am running HAProxy in TCP mode with TLS (client certificate based authentication). My configuration is pasted below. My goal is to redirect the SSH connection to the correct server based on the client certificate that is being presented. This example talks about SSH, but in the future I have various services that I may have to securely expose in this manner. Any help is appreciated.

Note that in HTTPS mode you can extract the client CN using something like the line below and use the variable in a header against an ACL. However, as I am in TCP mode, I am unsure how to do something similar.

  http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]

However, I am not sure how to do something similar when running in TCP mode.

frontend Frontend_server
  mode tcp
  option tcplog
  log global
  bind X.X.X.X:8000 ssl crt /etc/certs/server.pem ca-file /etc/certs/ca.crt verify required
  acl ACL_SRV1 ??????? -m str -f /etc/SRV1/cn.list
  acl ACL_SRV2 ??????? -m str -f /etc/SRV2/cn.list
  acl ACL_SRV3 ??????? -m str -f /etc/SRV3/cn.list
  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %ST\ %B\ %tsc\ %ac/%fc/%bc/%sc\ %sq/%bq\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}

  use_backend SRV1 if ACL_SRV1
  use_backend SRV2 if ACL_SRV2
  use_backend SRV3 if ACL_SRV3

backend SRV1
  mode tcp
  option tcplog
  option tcp-check
  server MY_SRV1 X.X.X.X:22 check  inter 1000 port 22 maxconn 1000
backend SRV2
  mode tcp
  option tcplog
  option tcp-check
  server MY_SRV2 X.X.X.X:22 check  inter 1000 port 22 maxconn 1000
backend SRV3
  mode tcp
  option tcplog
  option tcp-check
  server MY_SRV3 X.X.X.X:22 check  inter 1000 port 22 maxconn 1000

#2

You should be able to use ssl_c_s_dn(cn) within the ACL directly just fine, did you try that?
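The frontend from the question with the ACLs filled in as the reply suggests, as an added example that is not part of either post; the addresses, certificate paths, list files and backend names are the poster's placeholders, and the CN list files are assumed to hold one CN per line.

```haproxy
# Added example, not the original poster's configuration.
frontend Frontend_server
  mode tcp
  option tcplog
  log global
  # "verify required" makes the TLS handshake fail unless the client presents a
  # certificate chaining to ca.crt, so any CN the ACLs below see has already
  # been validated against the CA; a missing or untrusted cert never reaches
  # the routing rules.
  bind X.X.X.X:8000 ssl crt /etc/certs/server.pem ca-file /etc/certs/ca.crt verify required

  # ssl_c_s_dn(cn) is the CN attribute of the client certificate's subject DN.
  # -f loads one CN per line from the file (assumed format); -m str means an
  # exact, case-sensitive match, so "alice" and "Alice" are different clients.
  acl ACL_SRV1 ssl_c_s_dn(cn) -m str -f /etc/SRV1/cn.list
  acl ACL_SRV2 ssl_c_s_dn(cn) -m str -f /etc/SRV2/cn.list
  acl ACL_SRV3 ssl_c_s_dn(cn) -m str -f /etc/SRV3/cn.list

  # Log the verify result and the client subject/issuer DN so that a routing
  # decision can be traced back to the presented certificate.
  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %ST\ %B\ %tsc\ %ac/%fc/%bc/%sc\ %sq/%bq\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}

  # First matching rule wins, so a CN listed in more than one file goes to the
  # earliest backend; keep the lists disjoint.
  use_backend SRV1 if ACL_SRV1
  use_backend SRV2 if ACL_SRV2
  use_backend SRV3 if ACL_SRV3
  # Deliberately no default_backend: a verified client whose CN is in none of
  # the lists gets no backend and the connection is closed, instead of being
  # silently routed to one of the servers.

backend SRV1
  mode tcp
  option tcp-check
  server MY_SRV1 X.X.X.X:22 check inter 1000 port 22 maxconn 1000
```

Check the chosen backend against the logged subject DN while testing each list: `haproxy -c -f <config>` only validates the syntax, not whether a given CN lands where you expect.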