I use haproxy in an SSL termination config, where depending on the URL the traffic is directed to different backends.
I auto-generate an SSL certificate using Let’s Encrypt. Clients are just Web browsers and I currently authenticate using usernames and passwords for each backend. I can either enable or disable the authentication. I cannot modify the backends to accept client certificates.
I would like to use client certificates for authentication on the front end and therefore remove the need for usernames and passwords on the backend. According to this https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/ for nginx some additional lines need to be added to enable client authentication, and once authenticated, the rest of the traffic is encrypted.
How can I achieve the same thing with haproxy?
I’m aware that in some instances certificates can be combined (e.g. TLS with Client Authentication) but I’m not sure if this is required for haproxy nor how to do it.
On the front end I have the following line related to SSL:
`bind 126.96.36.199:443 ssl crt /etc/haproxy/certs/hostname-dh.pem`
What config changes do I need to make to add client authentication?
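
An added configuration sketch, not part of the original post, showing the bind line from the question extended with haproxy's `ca-file` and `verify required` options so the TLS handshake fails unless the browser presents a certificate signed by the given CA. The CA file path, header name, ACL, and backend names and addresses are assumptions; the server certificate in `crt` stays as it is and is not combined with the client CA.

```haproxy
frontend https_in
    mode http

    # Bind line from the question, plus client-certificate verification.
    # ca-file: PEM bundle of the private CA that signs the client certificates
    #          (path is an assumption; this is separate from the Let's Encrypt
    #          server certificate given to crt).
    # verify required: reject the handshake when no valid client certificate
    #          is presented.
    bind 126.96.36.199:443 ssl crt /etc/haproxy/certs/hostname-dh.pem ca-file /etc/haproxy/certs/client-ca.pem verify required

    # Remove any identity header sent by the client, then set it from the
    # verified certificate so the backends can log who connected.
    # Header name is an assumption.
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]

    # URL-based routing as described in the question
    # (ACL and backend names are assumptions).
    acl is_app1 path_beg /app1
    use_backend app1 if is_app1
    default_backend app_default

backend app1
    mode http
    server app1 127.0.0.1:8081

backend app_default
    mode http
    server app_default 127.0.0.1:8080
```

With backend passwords disabled, the client certificate check in haproxy becomes the only authentication, so the backends should accept connections only from the proxy (loopback addresses in this sketch). Revoking an individual client certificate additionally needs the `crl-file` bind option pointing at the CA's revocation list.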