How to configure HAProxy for certificate authentication

Good Evening,

I want to have certificate-based authentication configured only on one backend,

test5_ssl

in such a way that the configuration would not impact other nodes (test_1_ssl, test_2_ssl, test_3_ssl, test_4_ssl). My question is how to do it?

P.S.

My HAProxy version is 1.5.18.

I have the following configuration:

frontend primordial_ssl
log 127.0.0.1:514 local0 notice
mode http
# --->>> LINE OF INTEREST
bind *:443 ssl crt /etc/ssl/server.pem ca-file /etc/haproxy/ca.crt verify required
http-request set-header X-SSL-Client %{+Q}[ssl_c_der,base64]
acl test_1 hdr_dom(host) -i -f /etc/haproxy/test1
acl test_2 hdr_dom(host) -i -f /etc/haproxy/test2
acl test_3 hdr_dom(host) -i -f /etc/haproxy/test3
use_backend test_1_ssl if test_1
use_backend test_2_ssl if test_2
use_backend test3_ssl if test_3
default_backend test4_ssl

backend test_1_ssl
mode http
balance roundrobin
option forwardfor
cookie testcookie prefix nocache
option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test1_s test.com:18443 cookie 01 id 1011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http

backend test_2_ssl
mode http
balance roundrobin
option forwardfor
cookie test2cookie prefix nocache
option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test2_s test.com:18443 cookie 01 id 11011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/test2.http

backend test3_ssl
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
cookie test3cookie insert indirect nocache
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test3_s test.com:8443 cookie 01 id 4011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http

backend test4_ssl
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
cookie test4cookie insert indirect nocache
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test4_s test.com:8443 cookie 01 id 4011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http

# --->> HOW to configure this node to accept only certificate-based connections
# --->> without any impact on other nodes?
backend test5_ssl
mode http
#bind *:443 ssl crt /etc/ssl/server.pem ca-file /etc/haproxy/ca.crt
balance roundrobin
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto http
option forwardfor except 127.0.0.0/8
cookie test5cookie
server test5 test.com:19090 cookie 01 id 1001 check inter 2000 rise 2 fall 5
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http

have a look at

I think it is not possible to have client auth at backend level (this is the communication between HAProxy and the backend server). You can set up auth so that HAProxy will be required to authenticate against the backend, but you can't pass client auth info to the backend.

So you can configure your frontend (listener) to do client auth. You can't pass the client certificate to the backend server (I believe), but you can send info as ENV vars, so you can send username, mail etc. as ENV vars and use them (as trusted vars) on your backend.

I wanted to use it on my stats/admin page. I have a client auth setup for direct access to my backend server. It would work on the HAProxy admin page, but the problem is that I access it via IP address and not domain name, and so the client SSL auth will fail (as no matching domain is found).

markus
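As an added example (it is neither the original poster's configuration nor markus's), the frontend below shows the one approach available in HAProxy 1.5 to put both points together: `verify` is a `bind` option, so it lives on the frontend as markus says, but switching it from `required` to `optional` and enforcing the certificate with ACLs lets only the requests routed to test5_ssl demand a client certificate while test_1_ssl through test4_ssl keep working unchanged. It also passes the verified identity to the backend in headers that HAProxy strips from the client first, so the backend can trust them. Assumptions not in the original post: a host-pattern file /etc/haproxy/test5 for the test5 hostnames (same format as the existing test1..test3 files), and that /etc/haproxy/ca.crt holds the CA that signs the client certificates. Only the frontend is shown; the backends stay as posted.

```haproxy
# Added example, HAProxy 1.5: client certificate required only for test5_ssl.
frontend primordial_ssl
    log 127.0.0.1:514 local0 notice
    mode http
    # "verify optional": every client is asked for a certificate, but the handshake
    # still succeeds when none is presented. A certificate that IS presented and
    # fails to validate against ca-file aborts the handshake (no ca-ignore-err here).
    bind *:443 ssl crt /etc/ssl/server.pem ca-file /etc/haproxy/ca.crt verify optional

    # Host-based routing as in the original config; test5 host list is assumed.
    acl test_1 hdr_dom(host) -i -f /etc/haproxy/test1
    acl test_2 hdr_dom(host) -i -f /etc/haproxy/test2
    acl test_3 hdr_dom(host) -i -f /etc/haproxy/test3
    acl test_5 hdr_dom(host) -i -f /etc/haproxy/test5

    # A usable client certificate means one was presented (ssl_c_used) AND it
    # verified (error code 0). ssl_c_verify alone is not enough: it also returns 0
    # when the client sent no certificate at all.
    acl client_cert_present ssl_c_used
    acl client_cert_valid   ssl_c_verify 0

    # Enforce client auth only for test5 hosts (HTTP 403); other hosts are untouched.
    http-request deny if test_5 !client_cert_present
    http-request deny if test_5 !client_cert_valid

    # Identity headers must never come from the client: remove anything the client
    # sent, then set them only when HAProxy itself validated a certificate.
    http-request del-header X-SSL-Client
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client    %{+Q}[ssl_c_der,base64] if client_cert_present
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]   if client_cert_present

    use_backend test_1_ssl if test_1
    use_backend test_2_ssl if test_2
    use_backend test3_ssl  if test_3
    use_backend test5_ssl  if test_5
    default_backend test4_ssl
```

Two caveats before deploying this. First, the check happens at the HTTP layer, so a client without a certificate completes the TLS handshake and then receives a 403 for test5 hosts; that is the price of sharing one listener, because a single `bind` line has exactly one `verify` setting. Second, with `verify optional` the server sends a CertificateRequest in every handshake, so browsers that have client certificates installed may prompt users of test1..test4 to pick one. If that prompt is unacceptable, the clean alternative is a second frontend bound to a different IP address or port with `verify required` and `default_backend test5_ssl`, which isolates the requirement completely from the other nodes.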