ACLs with TLS and URL paths

Mac · March 15, 2022, 2:19pm

Hello Everyone,

I have an application that requires client certificate authentication. These applications run on different ports and are accessed by path. https://host.domain.com:9443/application1, https://host.domain.com:9444/application2.

I would like to ‘hide’ those ports or redirect to the backend for each of those separate application.

Do I terminate the TLS at the HAProxy, use an ACL to determine the correct backend server - than pass the client certificate as a header?

Is that the correct approach?

Mac · March 20, 2022, 8:17pm

Further follow-up to my question. Attached is my config.
So I do certificate authentication to HAProxy and terminate so that I can examine the URL Path.
If it is just a host.domain than pass that through a a Web Site.

If the host.domain includes a path than redirect to that specific application port.

frontend web-in
bind *:443 ssl verify required crt /etc/haproxy/cert/cert.pem ca-file /etc/haproxy/cert/cacert.pem
mode http

http-request set-header SSL_CLIENT_CERT &[ssl_c_der.base64]
http-request set-header X-Real-IP %[src]

acl user_app1 path -i -m beg /Application/

use_backend web if { req.hdr(host) -i host.domain.com }
use_backend app1 if user_app1

default_backend web

backend web
server web1 192.1.1.121:443 ssl verify none

backend app1
server app_srv1 192.1.2.121:9443 ssl verify none

Topic		Replies	Views
Help me with ACL for TCP Help!	1	331	July 25, 2020
ACL filters when using mode tcp? Help!	3	3482	August 27, 2021
Http frontend to https Backend on selected paths Help!	9	980	December 10, 2021
ACL based on Client CN in TCP mode - version - 1.7.10 Help!	3	1642	December 11, 2018
How do I setup acls to split a server by directory Help!	2	1236	June 13, 2018

ACLs with TLS and URL paths

Related Topics