Hi all,
I have a task to restrict access to some part of the site with a certificate.
I have written something after reading posts of @AaronWest and @lukastribus
however, I have to admit that I didn’t fully understand it.
Let’s say the URL for all users is https://tapprod.com
Restricted part: https://tapprod.com/tier2/rest/
Let’s call my backend server tapprodsrv-02, with IP 172.20.20.20.
Here is my config:
```
defaults
    mode http
    # Without these HAProxy warns at startup and idle connections never time out.
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# First hop: TLS is not terminated here. SNI inspection only works in mode tcp,
# and the backends that receive the raw TLS bytes must be mode tcp as well.
frontend HTTPS-IN
    mode tcp
    bind 172.20.10.10:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # NOTE: req_ssl_sni is the hostname from the ClientHello. The request path
    # (/tier2/rest/) is inside the encrypted stream and cannot be seen before TLS
    # termination, so this ACL never matches and everything falls through to the
    # default backend.
    use_backend TAPPROD-HTTP-OUT-CERT if { req_ssl_sni -i /tier2/rest/ }
    default_backend TAPPROD-HTTP-OUT-NOCERT

backend TAPPROD-HTTP-OUT-CERT
    mode tcp
    server loopback-for-tls abns@haproxy-clientcert send-proxy-v2

backend TAPPROD-HTTP-OUT-NOCERT
    mode tcp
    server loopback-for-tls abns@haproxy-default send-proxy-v2

# Second hop: TLS is terminated on the abstract sockets, once with and once
# without a mandatory client certificate.
frontend fe-ssl-clientcert
    mode http
    bind abns@haproxy-clientcert accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify required
    default_backend APPSR01

frontend fe-ssl-default
    mode http
    bind abns@haproxy-default accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem
    default_backend APPSR01

backend APPSR01
    # verify none: the backend's own TLS certificate is not validated on re-encryption.
    server tapprodsrv-02 172.20.20.20:443 check ssl verify none
```
I came to this point after reading and trying to understand this discussion:
As I understand it, it creates one more loop over the loopback interface to segregate two different kinds of traffic.
I guess “abns@haproxy-clientcert” and “abns@haproxy-default” are marking the different traffic.
And then the load balancer listens to the traffic coming in on the loopback interface to redirect it.
But the original posts never point to actual backend servers, so I modified it. Not sure if it’s correct.
Please help me to understand it and make it work.
Thank you
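A working configuration for the restriction described in the post, added here as an example; it is not the poster's config and not part of the original thread. It reuses the addresses, paths and certificate files from the post (172.20.10.10, 172.20.20.20, tapprod.pem, tap-ca.crt, /tier2/rest/) as assumptions. The point it shows: HAProxy decides about the client certificate during the TLS handshake, before it can see the request path, so the path-based check has to be made after TLS termination in a single frontend with `verify optional`, rather than by routing on SNI:

```haproxy
# Added example, not the poster's configuration. Assumes the same addresses,
# paths and certificate files as in the post.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend HTTPS-IN
    # Terminate TLS here. 'verify optional' asks every client for a certificate
    # but completes the handshake without one; whether a certificate was
    # presented is exposed to the HTTP rules through ssl_c_used. A certificate
    # that does not chain to tap-ca.crt still aborts the handshake, so only
    # "no certificate" and "valid certificate" connections reach the rules below.
    bind 172.20.10.10:443 ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify optional

    # The path is only readable after TLS termination, so the decision is made
    # here instead of on the SNI of the ClientHello.
    acl restricted path_beg /tier2/rest/
    acl has_cert   ssl_c_used
    acl cert_ok    ssl_c_verify 0

    # Anything under /tier2/rest/ without a verified client certificate is refused.
    http-request deny deny_status 403 if restricted !has_cert
    http-request deny deny_status 403 if restricted !cert_ok

    # Pass the client identity to the application. Delete any client-supplied
    # copy first so it cannot be spoofed from the public part of the site.
    http-request del-header X-SSL-Client-DN
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] if has_cert

    default_backend APPSR01

backend APPSR01
    # 'verify none' skips validation of the backend's certificate; acceptable
    # only if 172.20.20.20 is reached over a network you trust.
    server tapprodsrv-02 172.20.20.20:443 check ssl verify none
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then request https://tapprod.com/tier2/rest/ once with a client certificate issued by tap-ca.crt (for example `curl --cert client.pem --key client.key ...`, file names assumed) and once without; the second request should get a 403 while the rest of the site stays reachable either way. One side effect to be aware of: `verify optional` applies to the whole bind line, so browsers may show a certificate prompt to every visitor of tapprod.com, not only to users of the restricted part. If that is not acceptable, the usual alternative is to serve the restricted API under its own hostname and use a `crt-list` with a per-SNI `verify required` entry, since then the decision really can be made on the SNI.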