Check Certificate in Backend possible


#1

Hi everyone,

As I already mentioned in another post, I am using just one frontend and several backends.
As a certificate check is necessary for one specific location, I would like to do the check in that specific backend and for that specific site.
The Apache configuration for this section looks like this:

```
<Location /api>
    Allow from all
    Satisfy any
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "Company name" \
        and %{SSL_CLIENT_S_DN_OU} eq "department" \
        and %{SSL_CLIENT_S_DN_C} eq "US" \
        and %{SSL_CLIENT_S_DN_CN} in { "User_1", "host01" } \
    )
    ProxyPass 1.1.1.1:8090/api nocanon
    ProxyPassReverse 1.1.1.1:8090/api
</Location>
```

Any idea how I can rewrite this from Apache to HAProxy?

Thanks and cheers,


#2

If I understand correctly you are talking about client certificate verification, and you would like to do that in one specific URI.

That’s not possible with haproxy.


#3

Yes @lukastribus, I'm talking about client certificate verification, and yes, I would like to do it for www.example.com/api, but www.example.com should be available to all.

Thanks,


#4

Like I said this is not possible with Haproxy. Apache is pretty much the only product that can do this.

The recommended way is to use a different (SNI-) hostname and certificate for this, and negotiate client certificates in the beginning.
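
The layout recommended above (a separate SNI hostname that negotiates the client certificate during the handshake), sketched as an added example that is not part of the thread or any poster's own configuration. The hostname `api.example.com`, all file paths and the section names are assumptions; the DN values and the backend address come from post #1.

```haproxy
# Added example. Assumed: api.example.com, every file path, section names.
#
# /etc/haproxy/crt-list.txt (assumed path), one certificate per line:
#   /etc/haproxy/certs/api.example.com.pem [ca-file /etc/haproxy/ca/clients.pem verify required] api.example.com
#   /etc/haproxy/certs/www.example.com.pem [verify none] www.example.com
#
# The SNI name selects the certificate and the verify mode at handshake time,
# so only connections opened for api.example.com must present a client cert.

frontend fe_https
    mode http
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt

    acl host_api hdr(host) -i api.example.com
    use_backend be_api if host_api
    # Anything else, including an unexpected Host value, goes to the open site.
    default_backend be_www

backend be_api
    mode http

    # The Host header is chosen per request, the SNI per connection. Reject a
    # request for the API that arrives on a connection negotiated for another
    # name, because that connection was never asked for a client certificate.
    http-request deny unless { ssl_fc_sni -i api.example.com }
    http-request deny unless { ssl_c_used }

    # Counterpart of the Apache SSLRequire expression from post #1.
    acl dn_o  ssl_c_s_dn(O)  -m str "Company name"
    acl dn_ou ssl_c_s_dn(OU) -m str "department"
    acl dn_c  ssl_c_s_dn(C)  -m str "US"
    acl dn_cn ssl_c_s_dn(CN) -m str "User_1" "host01"
    # ACLs listed side by side are ANDed; a missing DN field fails closed.
    http-request deny unless dn_o dn_ou dn_c dn_cn

    server api1 1.1.1.1:8090

backend be_www
    mode http
    # Placeholder address for the public site, not taken from the thread.
    server www1 192.0.2.10:8080
```

The request path is passed through unchanged, so the application behind `1.1.1.1:8090` still receives `/api/...` requests when clients call `https://api.example.com/api/...`.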


#5

Thank you very much for your help.

Cheers,
silviu