Acl to allow users from cn field client certificate



I have setup working with client certificate authentication.
I would like to make setup to block particular user based on CN field in client certificate from accessing URL with regular expression.

I can block url with regular expression with acl:

acl restricted_page url_reg TEST
http-request deny if restricted_page

which works and prevents me to access URL with keyword TEST.

I tried to filter users with http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
but can’t make it working :frowning:

Basically I would like to achieve something like this:

if client certificate CN=user1 then block URLs with keyword TEST1
if client certificate CN=user2 then block URLs with keyword TEST2

Thank you in advance for any suggestions


Put both conditions into the ACL (after confirming they work individually).


ok I managed to make it working, I have problem with space in username.
CN=Firstname SecondName

It works with:
acl allow_user req.fhdr(X-SSL-Client-CN) -i -m str FirstName\ Lastname

but doesn;t work with:
acl allow_user req.fhdr(X-SSL-Client-CN) -i -m str -f /etc/haproxy/users

It seems “space” in CN is problem here as it works for CNs without space included.

Any suggestion?

Thank you


I assume you tried but escaping with the backslash and verbatim in the file?


yes, i’ve tried many combinations


Ok, lets back up for a moment.

Instead of setting a http header, and then matching it, why don’t you match the variable directly in the ACL?

acl restricted_page url_reg TEST
acl allow_user %{+Q}[ssl_c_s_dn(cn)] -i -m str FirstName\ Lastname
http-request deny if restricted_page allow_user


unfortunately doesn’t work this way

acl allow_user %{+Q}[ssl_c_s_dn(cn)] -i -m str FirstName\ Lastname

" unknown fetch method ‘%{…_s_dn(cn,2)]’"


This topic came up in my blog recently, we used this with an external file containing who was allowed.

http-request deny if !{ ssl_c_s_dn(cn) -f /etc/haproxy/allowed_cn.txt }

Check out the comments section at the bottom:

http-request deny if !{ ssl_c_s_dn(cn) -f /etc/haproxy/allowed_cn.txt }

work but second acl doesn’t work in this line e.g.

http-request deny if !{ ssl_c_s_dn(cn) -f /etc/haproxy/allowed_cn.txt }  second_acl


Finally made it working:

acl allow_users ssl_c_s_dn(cn,2) -i -f /etc/haproxy/users
acl restricted_page url_reg -f /etc/haproxy/keywords
http-request deny unless !restricted_page allow_users

It doesn’t work for some reason with:
http-request deny if restricted_page !allow_users