I’m trying to set up mutual TLS for an HAProxy instance and have SSL termination, but I don’t think it’s actually set up properly to do so.
This is my frontend:
    log 127.0.0.1 local0 info
    # localhost binds loopback only; ca-file is the CA that signs client certs,
    # verify optional lets clients in whether or not they present one
    bind localhost:443 ssl crt /etc/ssl/private/server.pem ca-file /etc/ssl/private/ca.crt verify optional
    # reqadd was deprecated in HAProxy 2.1 and removed in 2.2 (use http-request set-header)
    reqadd X-Forwarded-Proto:\ https
    acl PATH-tls-test path_beg /test
    use_backend SERVER-tls-test if PATH-tls-test
    default_backend no-server
Can you elaborate on what you expect from HAProxy exactly? “Mutual TLS” is not exactly a precise description.
If you want to authenticate each client, change verify optional to verify required.
The end goal is to constrain frontend traffic to only certified clients and route them based on the request to various backend servers. This way the servers don’t need to worry about authentication, as reaching the server is only possible as a certified client through the frontend. I had changed it to verify optional for testing purposes, but if I switch it back to verify required, then the client will have to handshake with the frontend in order to reach the backend?
Correct, verify required will reject the handshake if the client does not authenticate.