Hi,
I’m trying to proxy traffic to our CRM-Server as I want to prevent accessing the server without a valid client certificate.
This is my configuration:
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log 127.0.0.1 local0 debug
chroot /var/lib/haproxy
stats socket /var/lib/haproxy/stats mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets. For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# Defaults section
#---------------------------------------------------------------------
# Regarding timeout client and timeout server:
# https://discourse.haproxy.org/t/high-number-of-connection-resets-during-transfers-exchange-2013/1158/4
defaults
log global
mode http
option dontlognull
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
balance leastconn
default-server inter 3s rise 2 fall 3
timeout client 600s
timeout http-request 10s
timeout connect 4s
timeout server 60s
#-------------------------------------------------------
# Stats section
#-------------------------------------------------------
listen stats
bind *:444 ssl crt /etc/ssl/crm.DOMAIN.com/crm.DOMAIN.com.pem
stats enable
stats refresh 30s
stats show-node
stats auth admin:1234
stats uri /
stats admin if TRUE # Administration allowed
stats show-legends
#---------------------------------------------------------------------
# Main Front-Ends that proxy to the Back-Ends
#---------------------------------------------------------------------
frontend fe_default
bind *:80 name http
bind *:443 name https ssl crt /etc/ssl/crm.DOMAIN.com/crm.DOMAIN.com.pem ca-file /etc/ssl/DOMAIN_CRM_Device_CA.crt verify required crt-ignore-err all
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Serial %{+Q}[ssl_c_serial,hex]
http-request set-header X-SSL-Client-Version %{+Q}[ssl_c_version]
capture request header Host len 32
capture request header User-Agent len 64
capture response header Content-Length len 10
maxconn 50000
acl ssl_connection ssl_fc
acl letsencrypt path_beg /.well-known/acme-challenge/
acl is_web_path path_beg -i /updateCRM_web
acl is_pad_path path_beg -i /updateCRM_pad
acl path_check path_end -i HealthCheck.htm
http-request redirect scheme https code 302 unless ssl_connection
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request deny if path_check
use_backend be_crm if is_web_path
use_backend be_crm if is_pad_path
default_backend be_nomatch
#---------------------------------------------------------------------
# Back-Ends
#---------------------------------------------------------------------
backend be_letsencrypt
server letsencrypt 127.0.0.1:8888
backend be_nomatch
errorfile 503 /etc/haproxy/errors/400.http
backend be_crm
server crmprod 10.32.0.170:443 ssl verify none maxconn 20000 weight 10 check
HAProxy starts up fine, without errors but unfortunately is unable to verfy my certificate. As you can see I have added crt-ignore-err all to line 64, but the result is the same as before.
My Browser prompts to select a certificate:
but after selecting it just shows an error:
I tried to create the certificates as mentioned here: Client Certificate Authentication with HAProxy
Any ideas as to why HAProxy cannot validate the certifcates?
Also, /var/log/haproxy.log shows nothing helpful.