I have an AWS NLB setup with a TLS listener and Proxy protocol v2 enabled on the target group. I have our wildcard certificate from AWS ACM set on the NLB… e.g.
The traffic is forwarded from the NLB to HAProxy. The HAProxy frontend is set up with a self-signed certificate to keep TLS end-to-end.
What I am trying to do is validate a client TLS certificate on HAProxy, and I assumed that the Proxy Protocol headers would contain the authority and common name. However, I haven’t been able to see a way to get that information.
Is this possible?
What I suspect would work is if I set up the NLB to have a TCP listener instead of TLS, skip the Proxy Protocol, and inspect/validate the client certificate details on HAProxy. However, that would require the proxy to have a trusted CA certificate, and I’d prefer to avoid creating and managing a new server certificate (e.g. someserver.foo.com).
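For reference, the TCP-passthrough variant described in the last paragraph (NLB forwards raw TCP, HAProxy terminates TLS and verifies the client certificate) looks like this in HAProxy configuration. This is an added example, not from the original post; the file paths, the expected CN `client.example.com` and the backend address are placeholders.

```haproxy
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_mtls
    # server.pem: HAProxy's own server cert + key (placeholder path)
    # client-ca.pem: CA that issues the client certs (placeholder path)
    # verify required: handshake fails unless the client presents a cert chaining to that CA
    # If Proxy Protocol v2 stays enabled on the TCP target group, append "accept-proxy"
    # to this bind line so the src sample reflects the real client, not the NLB.
    bind :443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/client-ca.pem verify required

    # Chain validity alone is not authorisation: pin the subject CN we expect
    acl allowed_cn ssl_c_s_dn(CN) -m str client.example.com
    http-request deny deny_status 403 unless allowed_cn

    # Strip any client-supplied identity headers, then set them from the verified cert
    http-request del-header X-Client-CN
    http-request del-header X-Client-Issuer
    http-request del-header X-Client-Cert-Serial
    http-request set-header X-Client-CN %[ssl_c_s_dn(CN)]
    http-request set-header X-Client-Issuer %[ssl_c_i_dn]
    http-request set-header X-Client-Cert-Serial %[ssl_c_serial,hex]

    # Log who connected so rejected handshakes and CN mismatches are traceable
    log-format "%ci:%cp [%tr] %ft %b/%s %ST cn=%[ssl_c_s_dn(CN)] verify=%[ssl_c_verify] %r"
    default_backend be_app

backend be_app
    server app1 10.0.1.10:8080 check
```

Validate with `haproxy -c -f haproxy.cfg` before reloading; a client presenting a cert from the right CA but a different CN gets a 403 rather than a handshake failure, which keeps the denial visible in the access log.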