HAProxy community

Is this possible - HAProxy 2 Way SSL - Cert Auth Reverse Proxy


#1

We have a backend system that communicates over SSL and clients must present a Client Certificate.
We are using HAProxy as a Reverse Proxy to these servers.

Our configuration looks like this -

global
log /dev/log local0
log /dev/log local2 error
user haproxy
group haproxy
daemon

defaults
log global
option dontlognull
timeout connect 5000
timeout client 5000
timeout server 5000

listen stats
bind *:8081
mode http
stats enable
stats uri /
stats realm Haproxy\ HAProxy Statistics
stats auth xxxxx:xxxxx

frontend www-https-in
mode tcp
bind *:443 transparent ssl crt /etc/cert/site.pem ca-file /etc/cert/cacert.pem verify required
default_backend app_backend

backend app_backend
mode tcp
stick-table type ip size 200k expire 30m
stick on src
server appserv1 10.10.10.12:8000 ssl crt /etc/cert/site.pem verify none


The Reverse Proxy works and the Client Certificate functions at the Front - but the backend is attempting to validate a SSL Certificate and not the Clients Certificate.

How do I get the Client Certificate to pass through to the appserver?


#2

Don’t terminate SSL at haproxy. Your specific requirement is to have the SSL client cert presented to the backend server, so instead re-encrypting everything and hiding the client cert, let it pass through.


#3

Hi Mac

I have same issue here, did you solve your issue if yes, kindly share it here. thank you

best regards, Fahad


#4

Hi Fahad,

As Lukas said, don’t terminate SSL on HAProxy in such a situation. If you do, HAProxy would need both the certificate and the private key from every user for it to be able to sign in with them. This does not make sense at all and would comrpomise / expose clients’ private keys.

So just don’t terminate SSL on HAProxy and forward it straight to the backend where the server itself will receive and certificate and will handshake the session with the clients.