I am working on an HAProxy server configuration for a proof of concept. We want to forward any incoming connections which either
- Have a successful 2-way TLS handshake or
- Are coming from an IP address in a whitelist
I was looking at the documentation on ACLs, and thought maybe I could configure one to check for certs and one to check the whitelist, but I’m not sure if I’m barking up the right tree here. Currently, I have a server accepting valid certs by binding a port with an SSL certificate like so: `bind *:2000 ssl crt cert.pem ca-file myCA.pem verify required`
Another idea I’ve had is redirecting to a second port in case of failure on the first one. So, for instance, if the handshake fails, we redirect to another port checking a whitelist, or vice versa.
Which of these seems like a better approach? Is either of them impossible to implement in HAProxy? Thank you for any assistance.
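An added example of the ACL approach on a single listener, not taken from the original post or from HAProxy's own documentation; it assumes the `cert.pem` and `myCA.pem` files from the question, plus a constructed whitelist path and backend address:

```haproxy
# Added example (not from the original post): one listener accepting a client
# that EITHER presents a valid client cert OR comes from an allow-listed address.
frontend mtls_or_allowlist
    mode tcp
    # 'verify optional' requests a client cert but lets the handshake succeed
    # without one. A cert that IS presented must still chain to myCA.pem; an
    # invalid cert aborts the handshake before any ACL below is evaluated
    # (add ca-ignore-err/crt-ignore-err on the bind line if the ACLs should
    # decide instead; the ssl_c_verify check below then does the real gating).
    bind *:2000 ssl crt cert.pem ca-file myCA.pem verify optional

    # Layer-5 fetches: a client cert was used and verified cleanly (code 0).
    acl has_client_cert ssl_c_used
    acl cert_verified   ssl_c_verify 0
    # Layer-4 fetch: source address in the allow list (one IP or CIDR per line).
    # Assumed path; constructed for this example.
    acl from_allowlist  src -f /etc/haproxy/whitelist.lst

    # ACL names listed on one line are ANDed; '||' ORs the two groups.
    # Everything that matches neither path is dropped here, after the handshake.
    tcp-request content reject unless has_client_cert cert_verified || from_allowlist
    default_backend app_servers

backend app_servers
    mode tcp
    # Constructed placeholder address for the real service.
    server app1 10.0.0.10:8080 check
```

Because the rejection happens in `tcp-request content`, the handshake has already completed, so `ssl_c_used` and `ssl_c_verify` are populated; a `tcp-request connection` rule would run too early to see them.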