Hi,
I have a setup working with client certificate authentication.
I would like to make the setup block a particular user, based on the CN field in the client certificate, from accessing URLs matching a regular expression.
I can block a URL with a regular expression with an ACL:
acl restricted_page url_reg TEST
http-request deny if restricted_page
which works and prevents me from accessing URLs with the keyword TEST.
I tried to filter users with http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
but I can’t make it work.
Basically I would like to achieve something like this:
if client certificate CN=user1 then block URLs with keyword TEST1
if client certificate CN=user2 then block URLs with keyword TEST2
Thank you in advance for any suggestions
Put both conditions into the ACL (after confirming they work individually).
OK, I managed to make it work, but I have a problem with a space in the username.
CN=Firstname SecondName
It works with:
acl allow_user req.fhdr(X-SSL-Client-CN) -i -m str FirstName\ Lastname
but doesn’t work with:
acl allow_user req.fhdr(X-SSL-Client-CN) -i -m str -f /etc/haproxy/users
It seems the “space” in the CN is the problem here, as it works for CNs without a space.
Any suggestion?
Thank you
I assume you tried both escaping with the backslash and verbatim in the file?
Yes, I’ve tried many combinations.
OK, let’s back up for a moment.
Instead of setting an HTTP header and then matching it, why don’t you match the variable directly in the ACL?
acl restricted_page url_reg TEST
acl allow_user %{+Q}[ssl_c_s_dn(cn)] -i -m str FirstName\ Lastname
http-request deny if restricted_page allow_user
Unfortunately it doesn’t work this way:
acl allow_user %{+Q}[ssl_c_s_dn(cn)] -i -m str FirstName\ Lastname
" unknown fetch method ‘%{…_s_dn(cn,2)]’"
This topic came up in my blog recently, we used this with an external file containing who was allowed.
http-request deny if !{ ssl_c_s_dn(cn) -f /etc/haproxy/allowed_cn.txt }
Check out the comments section at the bottom: http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
http-request deny if !{ ssl_c_s_dn(cn) -f /etc/haproxy/allowed_cn.txt }
works, but a second ACL doesn’t work in this line, e.g.
http-request deny if !{ ssl_c_s_dn(cn) -f /etc/haproxy/allowed_cn.txt } second_acl
Finally made it work:
acl allow_users ssl_c_s_dn(cn,2) -i -f /etc/haproxy/users
acl restricted_page url_reg -f /etc/haproxy/keywords
http-request deny unless !restricted_page allow_users
It doesn’t work for some reason with:
http-request deny if restricted_page !allow_users
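An added Python model of how HAProxy combines the two final rule forms (example code, not from the thread or from HAProxy itself; the CN and keyword lists are constructed). It evaluates both rules over the same requests to show which request set each one denies, including the -i case-insensitive match on a CN that contains a space.

```python
import re

# Constructed sample files (not from the thread): one CN per line and one
# regular expression per line, mirroring /etc/haproxy/users and /etc/haproxy/keywords.
USERS_FILE = "Firstname SecondName\nuser2\n"
KEYWORDS_FILE = "TEST1\nTEST2\n"


def load_lines(text):
    """Read a pattern file the way -f does: one entry per line, blanks ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def allow_users(cn, users):
    """acl allow_users ssl_c_s_dn(cn,2) -i -f users: case-insensitive exact match."""
    return cn.lower() in {u.lower() for u in users}


def restricted_page(url, keywords):
    """acl restricted_page url_reg -f keywords: any regex matches somewhere in the URL."""
    return any(re.search(pattern, url) for pattern in keywords)


def deny_unless_form(cn, url, users, keywords):
    """http-request deny unless !restricted_page allow_users
    Denied whenever the AND-ed condition fails: restricted URL OR unknown CN."""
    return not (not restricted_page(url, keywords) and allow_users(cn, users))


def deny_if_form(cn, url, users, keywords):
    """http-request deny if restricted_page !allow_users
    Denied only when both hold: restricted URL AND unknown CN."""
    return restricted_page(url, keywords) and not allow_users(cn, users)


def decision_table(users_text=USERS_FILE, keywords_text=KEYWORDS_FILE):
    """Evaluate both rule forms over a few constructed (CN, URL) requests."""
    users, keywords = load_lines(users_text), load_lines(keywords_text)
    requests = [("Firstname SecondName", "/app/TEST1"),
                ("user2", "/app/index"),
                ("stranger", "/app/index"),
                ("stranger", "/app/TEST2")]
    return {(cn, url): (deny_unless_form(cn, url, users, keywords),
                        deny_if_form(cn, url, users, keywords))
            for cn, url in requests}


if __name__ == "__main__":
    for (cn, url), (unless_denied, if_denied) in decision_table().items():
        print(f"{cn:22} {url:12} unless-form denied={unless_denied!s:5} if-form denied={if_denied}")
```

The table makes the difference visible: the "unless" form denies an allowed user on a restricted URL and an unknown user on any URL, while the "if" form denies only the combination of unknown user and restricted URL.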