Restrict access to some part of the site with certificate


#1

Hi, all

I have a task to restrict access to some part of the site with a certificate.
I have written something after reading posts of @AaronWest and @lukastribus,
however, I have to admit that I didn't fully understand it.

Let's say the URL for all users is: https://tapprod.com
Restricted part: https://tapprod.com/tier2/rest/
My backend server, let's call it tapprodsrv-02, has the IP 172.20.20.20.

Here is my config:

defaults
    mode http

frontend HTTPS-IN
    bind 172.20.10.10:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend HTTP-OUT-CERT if { req_ssl_sni -i /tier2/rest/ }
    default_backend HTTP-OUT-NOCERT

backend TAPPROD-HTTP-OUT-CERT
    server loopback-for-tls abns@haproxy-clientcert send-proxy-v2
backend TAPPROD-HTTP-OUT-NOCERT
    server loopback-for-tls abns@haproxy-default send-proxy-v2

frontend fe-ssl-clientcert
    mode http
    bind abns@haproxy-clientcert accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify required
    use_backend APPSR01

frontend fe-ssl-default
    mode http
    bind abns@haproxy-default accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem
    use_backend APPSR01

backend APPSR01
    server tapprodsrv-02 172.20.20.20:443 check ssl verify none

Came to this point after reading and trying to understand this discussion:

As I understand it, it creates one more loop using the loopback interface to segregate two different kinds of traffic.
I guess "abns@haproxy-clientcert" and "abns@haproxy-default" are marking the different traffic.
And then the load balancer listens to the traffic coming to the loopback interface to redirect it.
But the original posts never point to actual backend servers, so I modified it. Not sure if it's correct.

Please help to understand and make it work.
Thank you


#2

Just for reference if someone needs it.
Seems like I have solved it this way so far:

frontend TAPPROD-HTTPS-IN
    mode http
    bind 172.20.20.20:443 ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/ca-chain.crt verify optional
    acl restricted_path path_beg /tier2/rest/
    http-request deny if restricted_path !{ ssl_c_used 1 } || restricted_path !{ ssl_c_verify 0 }
    use_backend TAPPROD-HTTP-OUT
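A fuller version of the approach in the post above, added here as an example and not taken from the thread: the frontend binds on the load balancer address from the first post (172.20.10.10) so it does not loop back onto the backend server, the deny returns an explicit 403, the verify result is captured into the access log so rejected requests can be seen, and the client certificate subject is passed to the backend in a header that is first stripped so a client cannot supply it themselves. The header name X-Client-Cert-DN and the backend name are assumptions.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend TAPPROD-HTTPS-IN
    # 'verify optional' lets clients without a certificate connect at all;
    # the ACLs below decide per path whether a verified certificate is required.
    bind 172.20.10.10:443 ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/ca-chain.crt verify optional

    acl restricted_path path_beg /tier2/rest/
    # ssl_c_used: the client presented a certificate
    # ssl_c_verify 0: that certificate chained to ca-chain.crt without error
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0

    # Reject restricted paths with an explicit 403 when no valid client certificate was used
    http-request deny deny_status 403 if restricted_path !cert_presented
    http-request deny deny_status 403 if restricted_path !cert_valid

    # Record certificate presence and the verify result code in the access log
    http-request capture ssl_c_used len 1
    http-request capture ssl_c_verify len 2

    # Never trust a client-supplied identity header; set it only from the TLS layer
    # (X-Client-Cert-DN is an assumed header name)
    http-request del-header X-Client-Cert-DN
    http-request set-header X-Client-Cert-DN %{+Q}[ssl_c_s_dn] if cert_presented cert_valid

    use_backend TAPPROD-HTTP-OUT

backend TAPPROD-HTTP-OUT
    # 'verify none' is carried over from the thread; it does not validate the backend's certificate
    server tapprodsrv-02 172.20.20.20:443 check ssl verify none
```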


#3

Hi Senanito,

Sorry I didn’t get back to you in time, however, your solution looks good to me.