Restrict access to some part of the site with certificate


Hi, all

I have a task to restrict access to some part of the site with a certificate.
I have written something after reading posts of @AaronWest and @lukastribus
however, have to admit that didn’t understand it solely.

Let’s say url for all users:
Restricted part:
my backend server lets call: tapprodsrv-02 with ip

Here is my config:

            mode http

frontend HTTPS-IN
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	use_backend HTTP-OUT-CERT if { req_ssl_sni -i /tier2/rest/ }
	default_backend HTTP-OUT-NOCERT

      server loopback-for-tls abns@haproxy-clientcert send-proxy-v2
      server loopback-for-tls abns@haproxy-default send-proxy-v2

frontend fe-ssl-clientcert
	mode http
	bind abns@haproxy-clientcert accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify required 
	use_backend     APPSR01

frontend fe-ssl-default
	mode http
	bind abns@haproxy-default accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem
	use_backend    APPSR01

backend APPSR01
	server tapprodsrv-02 check ssl verify none

Came to this point after reading and trying to understand this discussion:

As I understand it creates one more loop using loopback interface to segregate two different traffic.
I guess “abns@haproxy-clientcert” and “abns@haproxy-default” is marking different traffic.
And then loadbalancer listens to traffic coming to loopback interface to redirect it.
But original posts never point to actual backend servers, so I modified it. Not sure if its correct.

Please help to understand and make it work.
Thank you


Just for the reference if someone needs it.
Seems like have solved it this way so far:

mode http
bind ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/ca-chain.crt verify optional
acl restricted_path path_beg /tier2/rest/
http-request deny if restricted_path !{ ssl_c_used 1 } || restricted_path !{ ssl_c_verify 0 }
use_backend TAPPROD-HTTP-OUT


Hi Senanito,

Sorry I didn’t get back to you in time, however, your solution looks good to me.