Client cert authentication pass through


Quite new to haproxy. I have a setup where haproxy is in http mode, and I need a setup where clients do client certificate authentication to an application behind haproxy, but that seems to fail since haproxy is terminating the session. Is there any way to accomplish this, like forwarding the certificate to the backend server, or do I have to change from http to TCP?
Thanks in advance


That’s what TCP mode is for.

You can’t impersonate the SSL client without having access to its private key.

Thanks Lukas,
So there is no way to forward the certificate in PEM format in an HTTP header? That is suggested in the application’s documentation, but that was related to the Apache rewrite module?
The reason I’m asking is that there are quite a few back ends configured using the same front end configuration, and on most of them SSL termination is needed.
I have inherited the configuration, and both front end and back end have mode settings; is it possible to have the mode setting on the backend only?
Besides not being able to terminate SSL, are there any specific drawbacks to using tcp instead of http?
Lots of newbie questions, sorry for that.


That’s a different question.

Are you saying you can modify the backend server to look at some HTTP headers instead of the SSL client certificate? You can put data from SSL client certs in HTTP headers, yes.

Check the documentation for the ssl_c_ variables. Common variables passed in HTTP headers are CN, DNs or serial numbers.

You can access the entire certificate in binary format and so, theoretically, transform it to base64. However, I’m unsure if it’s a good idea and reliable to put so much data into an HTTP header, as you may hit per-line limits in different stacks.

TCP mode means that you connect 2 TCP connections with each other; you can make routing decisions based on SNI (in the client_hello of the SSL handshake), but really everything else is encrypted so you cannot modify or read other data.

You need to set up a HAProxy passthrough where the HAProxy simply forwards the packets to the host and the host does the authentication. It is ftp. Try this:
# Old-style "listen <name> <addr:port>" form; the proxy name and port are the poster's own
listen valen:7357 # PrivetEditorDevTest
mode tcp                  # raw TCP passthrough, TLS is not terminated here
balance roundrobin
# backend hosts as posted; server addresses were left out by the poster
server host1 check
server host2 check

You need to make sure the IP address is on the proxy server but the client has the certs; we used a * key on both MS IIS servers with host header addresses.

Thanks for your reply. The problem with tcp mode is that backend servers don’t get the client IP. So one problem is solved that way but another problem is created.

You can use the proxy protocol to send the IP address information to the backend server, however your backend server needs to support it and enable it (as well as haproxy). However for common webservers like apache and nginx this is not a problem.

There are alternatives in transport mode by making haproxy become the default-gateway, but this is quite complicated and I suggest you avoid that.
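Putting the two approaches discussed above side by side (cert fields forwarded as HTTP headers in http mode, and tcp passthrough with the PROXY protocol for the client IP), as an added example config that is not from any poster in this thread; the certificate paths, backend addresses and header names are assumptions.

```haproxy
# Added example, not from this thread. Assumed placeholders:
# /etc/haproxy/certs/site.pem, /etc/haproxy/certs/client-ca.pem,
# backends 10.0.0.11:8080 and 10.0.0.21:443.

defaults
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Option 1: HAProxy terminates TLS, verifies the client cert against the CA,
# and forwards selected certificate fields to the backend as HTTP headers.
frontend fe_https_terminate
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify required
    # Belt and braces: "verify required" already fails the handshake on a bad
    # cert unless crt-ignore-err is used; ssl_c_verify is 0 only on success.
    http-request deny deny_status 403 unless { ssl_c_used } { ssl_c_verify 0 }
    # Strip any client-supplied copies so the backend only trusts values set here.
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-Serial
    http-request del-header X-SSL-Client-Cert
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-Serial %[ssl_c_serial,hex]
    # Whole DER certificate, base64-encoded: large, and may exceed header-size
    # limits on the backend stack, as noted above.
    http-request set-header X-SSL-Client-Cert %[ssl_c_der,base64]
    default_backend be_app_http

backend be_app_http
    mode http
    server app1 10.0.0.11:8080 check

# Option 2: TCP passthrough, the backend does the mTLS itself. PROXY protocol v2
# carries the original client IP, so the backend must be configured to accept it.
frontend fe_https_passthrough
    mode tcp
    bind :8443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    default_backend be_app_tls

backend be_app_tls
    mode tcp
    server app2 10.0.0.21:443 check send-proxy-v2
```

Only Option 2 leaves the client certificate verifiable by the backend; with Option 1 the backend must trust the headers because it only ever sees HAProxy's connection.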

Hi Lukas
Thanks for your reply; unfortunately the backend doesn’t support the Proxy Protocol yet.
I won’t change the default gateway. I could skip HAProxy and go directly to the backend server, since right now there is only one host that has to do mTLS, but that is not a long-term solution either.

Yes, you are out of options if the backend can’t do any of this.