HAProxy community

How to configure TLS client certificate authentication only for specific paths?


#1

The following blog post describes how to configure TLS client certificate authentication with HA Proxy: https://loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

This question describes how to enable it based on domain name: How to set ssl verify client for specific domain name

However, I would like to enable it based on url path.
Example:
Required for:
https://my-domain.com/path1
But disabled for:
https://my-domain.com/path2

Note: I am terminating the TLS connection at HA Proxy. So the information should be accessible to HA Proxy.
Before I started using HA Proxy I could do this easily in Apache, by putting the SSLVerifyClient inside a Location block.

Is this possible with HA Proxy? If so, how can it be done?


#2

No, this is not possible with haproxy.

I know that it is possible with Apache; it's achieved by triggering a TLS renegotiation. With TLSv1.3 this changes completely, as renegotiation is no longer supported. Instead, TLSv1.3 uses CertificateRequest messages to request the client certificate after the handshake.

Neither is supported in haproxy, and I doubt Apache supports it in TLSv1.3.
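
The closest HAProxy can get today, as an added configuration example that is not part of the original thread or of the HAProxy project, is to always *offer* client authentication at the TLS layer with `verify optional` and then enforce it per path at the HTTP layer with ACLs. The certificate paths and the `/path1` prefix are assumptions for illustration:

```haproxy
# Added example (not from the thread). Assumed file paths:
#   /etc/haproxy/certs/site.pem        server certificate + private key
#   /etc/haproxy/certs/client-ca.pem   CA that issues the client certificates
frontend https_in
    # 'verify optional' sends a CertificateRequest on every handshake but lets
    # clients without a certificate connect. A certificate that is presented
    # and fails to verify still aborts the handshake (unless ca-ignore-err /
    # crt-ignore-err are set), so unauthenticated users can reach /path2.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Which paths require a client certificate.
    acl needs_client_cert     path_beg /path1

    # Was a certificate presented, and did verification against ca-file succeed?
    # ssl_c_verify returns 0 only when the chain verified cleanly.
    acl client_cert_presented ssl_c_used
    acl client_cert_verified  ssl_c_verify 0

    # Enforce only on the protected prefix; everything else is left alone.
    http-request deny deny_status 403 if needs_client_cert !client_cert_presented
    http-request deny deny_status 403 if needs_client_cert !client_cert_verified

    # Never trust an identity header sent by the client; strip it first, then
    # set it from the verified certificate so the backend can use it.
    http-request del-header X-Client-DN
    http-request set-header X-Client-DN %[ssl_c_s_dn] if client_cert_verified

    default_backend app_servers

backend app_servers
    server app1 127.0.0.1:8080
```

Two caveats a practitioner should weigh: because the request for a certificate happens in the handshake rather than per path, browsers may still prompt users for a certificate when they only visit `/path2`, which is the behaviour the Apache `Location` approach avoids; and the `del-header` / `set-header` pair matters, since without the delete a client could forge `X-Client-DN` on an unauthenticated path.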


#3

Do you know whether adding support for the new TLSv1.3 way for doing this is planned?


#4

I don’t think so, no.

You may want to ask on the mailing list, but I doubt it.


#5

Do you have any idea of how hard it would be to add it?
Depending on how much work it is, we might consider implementing it ourselves, and adding a pull request for it.


#6

I’m not sure. I guess it could be quite complex, given how the connection, mux and transaction layer have been separated now, especially with HTTP/2.

Definitely discuss this on the mailing list before investing any actual development time on your end. The developers on the mailing list will have a better idea of how feasible it is.


#7

Ok, will contact the mailing list if we decide we want to pursue this further.
Thanks for your help and quick responses!