How to set ssl verify client for specific domain name

There is no simple way to do this, unfortunately.

Use a TCP frontend without SSL termination, route by SNI to different backends that recirculate the traffic to dedicated SSL frontends with different configurations.

Something like:

frontend port443
    mode tcp
    bind :443
    # Wait up to 5s for the TLS ClientHello, then route on the SNI it carries
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend recir_clientcertenabled if { req_ssl_sni -i test1.demo.com }
    default_backend recir_default

# Recirculate the raw TLS stream over abstract sockets to the matching SSL frontend
backend recir_clientcertenabled
    mode tcp
    server loopback-for-tls abns@haproxy-clientcert send-proxy-v2
backend recir_default
    mode tcp
    server loopback-for-tls abns@haproxy-default send-proxy-v2

# Terminates TLS and requires a client certificate issued by ca.pem
frontend fe-ssl-clientcert
    mode http
    bind abns@haproxy-clientcert accept-proxy ssl crt /etc/ssl/certsforhaproxy/test1.pem ca-file /etc/ssl/certsforhaproxy/ca.pem verify required
    # add the use_backend / default_backend for the application here

# Terminates TLS without requesting a client certificate
frontend fe-ssl-default
    mode http
    bind abns@haproxy-default accept-proxy ssl crt /etc/ssl/certsforhaproxy/test2.pem
    # add the use_backend / default_backend for the application here