HAProxy not passing through user certificate


#1

I’m using HAProxy to load balance between four servers, which require a user to present a certificate in order to log in. When the user hits the webpage they are asked to present their certificate, but the certificate never gets through to the server to authenticate with. I’ve tested logging in without HAProxy in front of it and everything works correctly. I have pasted what my configuration setup looks like.

    global
        uid 0
        gid 0
        log /dev/log local0
        log /dev/log local1 notice
        maxconn 45000
        daemon

    defaults
        log global
        mode http
        option tcplog
        option dontlognull
        timeout server 86400000
        timeout connect 86400000
        timeout client 86400000
        timeout queue 1000s

    frontend 443_oam
        bind 192.168.0.208:443
        mode tcp
        option tcplog
        default_backend oam_443

    backend oam_443
        mode tcp
        option ssl-hello-chk
        balance roundrobin
        server oam01 :443 check
        server oam02 :443 check
        server oam03 :443 check
        server oam04 :443 check


#2

You are only forwarding TCP payload in this configuration, and it will forward everything, including everything related to SSL.

I assume the issue is somewhere else, like your backend not requesting the client certificate if it comes from a trusted IP address (which the haproxy box may be), or only some of the servers request the SSL certificate from the client, so depending on the load-balancing you may hit a server that doesn’t request the certificate from the client.
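One way to test that theory is to look at the TLS handshake itself rather than at the browser prompt: a server that wants a client certificate sends a CertificateRequest message, which `openssl s_client -msg` prints as it arrives. The script below is an added example (not from this thread or from the HAProxy project) that runs the same probe against the HAProxy VIP and against each backend directly, so a backend that is not asking for the certificate stands out; the host/port pairs are assumptions.

```shell
#!/bin/sh
# Added example: does a TLS endpoint ask the client for a certificate?
# With -msg, openssl s_client prints each handshake message it sees, e.g.
#   <<< TLS 1.3, Handshake [length 0028], CertificateRequest
# "<<<" marks messages received from the server, ">>>" those we sent.
# (In TLS 1.3 the message is encrypted on the wire; s_client decrypts it.)

# handshake_requests_cert TRANSCRIPT: exit 0 if the server sent a
# CertificateRequest during the handshake, 1 otherwise.
handshake_requests_cert() {
    printf '%s\n' "$1" | grep -q '^<<<.*CertificateRequest'
}

# probe HOST PORT: run one handshake and report what the server asked for.
# </dev/null makes s_client exit after the handshake instead of reading stdin.
probe() {
    host=$1; port=$2
    log=$(openssl s_client -connect "$host:$port" -servername "$host" -msg \
          </dev/null 2>&1)
    if handshake_requests_cert "$log"; then
        echo "$host:$port requests a client certificate"
    else
        echo "$host:$port does NOT request a client certificate"
    fi
}

# Constructed transcripts (not real captures) for an offline self-check.
SAMPLE_MTLS='<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 0006], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0028], CertificateRequest
<<< TLS 1.3, Handshake [length 08ba], Certificate'
SAMPLE_PLAIN='<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 0006], EncryptedExtensions
<<< TLS 1.3, Handshake [length 08ba], Certificate'

# Usage (hosts are assumptions): ./check_cr.sh 192.168.0.208 443 oam01 443 oam02 443
# Give the VIP first, then every backend; through a TCP-mode proxy the VIP
# should report exactly what the backend it happened to pick reports.
while [ "$#" -ge 2 ]; do
    probe "$1" "$2"
    shift 2
done
```

Run it several times against the VIP so roundrobin cycles through all four backends. A backend that only asks for the certificate on renegotiation for a specific URL will not show a CertificateRequest in this initial handshake, so check the backend's per-location settings too in that case.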