HAProxy community

Mutual TLS with SSL Termination


I’m trying to setup mutual tls for an haproxy instance and have ssl termination but I don’t think its actually setup properly to do so.

This is my front end

   log local0 info

   bind localhost:443 ssl crt /etc/ssl/private/server.pem ca-file /etc/ssl/private/ca.crt verify optional

   reqadd X-Forwarded-Proto:\ https

   acl PATH-tls-test path_beg /test

   use_backend SERVER-tls-test if PATH-tls-test

   default_backend no-server


Can you elaborate what you expect from haproxy exactly? “Mutual TLS” is not exactly a precise description.

If you want to authenticate each client, change verify optional to verify required



The end goal is to constrain front-end traffic to only certified clients and route them based on the request to various backend servers. This way the servers don’t need to worry about authentication as reaching the server is only possible as a certified client through the front end. I had changed it to verify optional for testing purposes but if I switch it back to verify required then the client will have to handshake with the front end in order to reach the backend?



Correct, verify required will reject the handshake if the client does not authenticate.