I have an application that authenticates its peers using pre-registered self-signed certificates. When we deploy this application behind a nginx or apache reverse proxy, we use TLS client authentication with “optional_no_ca” and transfer the hash of the certificate to the application using a custom header.
Now I’d like to deploy this application behind HAproxy. Using “verify optional” in combination with “crt-ignore-err all” seems to be the right choice, but it seems HAproxy provides an empty value for %[ssl_c_sha1] upon authentication. This might make sense when you actually require certificate validation, but in this case ANY certificate is valid for the reverse proxy.
There are examples of how to do certificate validation in the application, but I’ve seen none that uses self-signed certificates.
Is there any way to configure HAproxy to not only accept the self-signed certificate and also make data extracted from the client certificate available? Adding an “optional_no_ca” mode with the same semantics as nginx and apache make sense, but perhaps there are other options. Please advise.