Checking client certificate using acl/map/host/cn


#1

Hello,

I would like to check the client certificate CN using a map file.
This map file contains for each targeted hostname, the authorized CN list.

Test steps:
a) 1st step, find the list of CN for the requested host, in the map file
b) 2nd step, check the client CN in the list retrieved at a)

An example of authorized CN lists map file :
$ cat /tmp/listCERT.checkcert
#host CNs List (separated by /)
server1.xxx.com client0.zzz/client1.zzz/
server2.xxx.com client0.zzz/client2.zzz/

An extract of haproxy configuration file :

acl validcert hdr(host),map_str(/tmp/listCERT.checkcert,nocerts) -m %[sub ssl_c_s_dn(cn)]
http-request deny if !validcert

But this acl configuration does not work :frowning:

Do you have any idea?

thanks in advance :wink:

regards,
Sharlee33.
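The two-step decision the post describes (look the Host up in the map file, then check the client CN against that host's list), written out as an added Python model so the intended semantics can be tested offline. This is not HAProxy code and not from the original post; the function and variable names are my own, and the map content is a constructed copy of the format shown above. It also contrasts an exact-token check with the substring semantics implied by `-m sub`, because a substring match would accept a CN such as `zzz` that is merely contained in the list.

```python
"""Model of the check from the post: (a) find the CN list for the requested
host in the map file, (b) check the client certificate CN against that list.
Hypothetical helper code, not HAProxy configuration."""
import io

# Constructed sample in the same format as /tmp/listCERT.checkcert above.
MAP_FILE_CONTENT = """\
#host CNs List (separated by /)
server1.xxx.com client0.zzz/client1.zzz/
server2.xxx.com client0.zzz/client2.zzz/
"""


def parse_cn_map(text):
    """Return {hostname: set_of_CNs} from the map file format."""
    table = {}
    for raw in io.StringIO(text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore it rather than grant anything
        host, cn_field = parts
        # Split on "/" and drop the empty token left by the trailing slash.
        table[host.lower()] = {cn for cn in cn_field.split("/") if cn}
    return table


def normalize_host(host_header):
    """Lower-case the Host header and strip an explicit port."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:443
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def cert_allowed(table, host_header, client_cn):
    """Step a) look up the host; step b) exact-match the CN.
    Unknown hosts and an absent CN are denied (default deny)."""
    if not client_cn:
        return False
    allowed = table.get(normalize_host(host_header))
    if allowed is None:
        return False
    return client_cn in allowed


def substring_check(table, host_header, client_cn):
    """The substring semantics of a `-m sub` style test, for contrast only:
    any CN that is a substring of the list text would pass."""
    if not client_cn:
        return False
    allowed = table.get(normalize_host(host_header))
    if allowed is None:
        return False
    return client_cn in "/".join(sorted(allowed)) + "/"


if __name__ == "__main__":
    cn_table = parse_cn_map(MAP_FILE_CONTENT)
    for host, cn in [("server1.xxx.com", "client1.zzz"),
                     ("server1.xxx.com", "client2.zzz"),
                     ("server1.xxx.com", "zzz")]:
        print(host, cn, "exact:", cert_allowed(cn_table, host, cn),
              "substring:", substring_check(cn_table, host, cn))
```

The map lookup and the membership test are kept as separate functions so each step's failure mode is explicit: a host absent from the map yields a deny, and an empty CN (no client certificate presented) yields a deny before any lookup happens.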