Is this possible - HAProxy 2 Way SSL - Cert Auth Reverse Proxy


#1

We have a backend system that communicates over SSL and clients must present a Client Certificate.
We are using HAProxy as a Reverse Proxy to these servers.

Our configuration looks like this -

global
# Logging to the local syslog socket
log /dev/log local0
log /dev/log local2 error
user haproxy
group haproxy
daemon

defaults
log global
option dontlognull
# Values without a unit are milliseconds
timeout connect 5000
timeout client 5000
timeout server 5000

listen stats
bind *:8081
mode http
stats enable
stats uri /
# The realm is a single argument; spaces must be escaped
stats realm HAProxy\ Statistics
stats auth xxxxx:xxxxx

frontend www-https-in
mode tcp
# "ssl crt ..." terminates TLS here; "verify required" makes HAProxy
# demand a client certificate signed by cacert.pem
bind *:443 transparent ssl crt /etc/cert/site.pem ca-file /etc/cert/cacert.pem verify required
default_backend app_backend

backend app_backend
mode tcp
# Pin each client IP to the same server for 30 minutes
stick-table type ip size 200k expire 30m
stick on src
# HAProxy opens its own new TLS session to the app server and presents
# site.pem as its own client certificate; "verify none" skips checking
# the app server's certificate
server appserv1 10.10.10.12:8000 ssl crt /etc/cert/site.pem verify none


The reverse proxy works and the client certificate check functions at the front, but the backend is attempting to validate an SSL certificate and not the client's certificate.

How do I get the client certificate to pass through to the app server?


#2

Don't terminate SSL at HAProxy. Your specific requirement is to have the SSL client cert presented to the backend server, so instead of re-encrypting everything and hiding the client cert, let it pass through.
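
The passthrough setup described in the answer above, written out as an added example (not a configuration from the original thread or from the HAProxy project). It reuses the backend address 10.10.10.12:8000 from the first post; the stick-table sizes, timeouts and the SNI capture are assumptions for illustration:

```haproxy
global
    log /dev/log local0
    user haproxy
    group haproxy
    daemon

defaults
    log global
    # TCP mode on both sides: HAProxy only forwards bytes and never
    # sees inside the TLS session.
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Frontend: no "ssl crt ..." on the bind line, so HAProxy does not
# terminate TLS. The client's certificate therefore travels untouched
# to the app server as part of the end-to-end handshake.
frontend www-https-in
    bind *:443
    # Wait up to 5s for the TLS ClientHello and accept only real TLS
    # handshakes (hello type 1), so non-TLS junk is dropped here.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # The SNI name is readable in the cleartext ClientHello even though
    # the rest of the session is opaque; capture it for the log line.
    tcp-request content capture req.ssl_sni len 64
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts sni=%[capture.req.hdr(0)]"
    default_backend app_backend

# Backend: no "ssl ... crt ..." on the server line either, so HAProxy
# does not open its own TLS session (and does not present its own
# certificate) to the app server.
backend app_backend
    stick-table type ip size 200k expire 30m
    stick on src
    # Assumed address; the app server itself must now require and
    # verify the client certificate against the CA, because HAProxy
    # no longer enforces "verify required" for it.
    server appserv1 10.10.10.12:8000 check
```

With this layout the only place that can reject a missing or untrusted client certificate is the app server, so its TLS listener must be configured to demand one (the equivalent of the `ca-file ... verify required` that used to sit on the HAProxy bind line). Keeping `stick on src` is useful in passthrough mode because TLS session resumption state lives on the individual app server; a client that bounces between servers would renegotiate full handshakes more often.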


#3

Hi Mac

I have the same issue here. Did you solve your issue? If yes, kindly share it here. Thank you.

Best regards, Fahad