Hi all!
Is it possible to use a backend based on the ssl client certificate DN?
I tried it like this:
use_backend %[ssl_c_s_dn,map(/etc/haproxy/backends.map)]
but it seems that this lookup just doesn’t work.
The SSL Config seems to be ok, the DN is logged into the logfile.
Can someone point me in the right direction?
thx
Chris
Share the rest of the configuration as well as the output of the logs please.
Here’s the relevant config:
global
    maxconn 10000
    stats socket /var/run/haproxy.stat mode 600 level admin
    log 127.0.0.1:514 local0 debug
    chroot /var/empty
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon

defaults
    option log-health-checks
    log global
    option httplog

frontend app
    bind *:7002 ssl crt /etc/haproxy/haproxy.pem ca-file /etc/pki/ca-app/intermediate/app_clients/certs/ca-chain.cert.pem verify required crl-file /etc/pki/ca-app/crl-chain.pem
    mode tcp
    log global
    maxconn 8000
    timeout client 30s
    log-format '%ci:%cp [%t] %ft {%[ssl_c_verify],%{+Q}[ssl_c_s_dn(cn)],%{+Q}[ssl_c_i_dn]}'
    use_backend %[ssl_c_s_dn,map(/etc/haproxy/app.map)]_app

backend demo1_app
    mode tcp
    balance roundrobin
    retries 2
    option redispatch
    timeout connect 5s
    timeout server 30s
    timeout queue 30s
    option tcp-check
    server prod 192.168.37.210:7000 check
app.map:
"/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com" demo1
/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com demo1
Logfile:
[WARNING] 297/222740 (15582) : Health check for server demo1_app/prod succeeded, reason: Layer4 check passed, check duration: 1ms, status: 3/3 UP.
xxx:60034 [24/Oct/2020:22:21:00.302] xxx~ {0,"/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com","/C=AT/ST=Vienna/O=xxx/OU=xxx/CN=xxx"}
I had to remove company specific details, but the entry in the map file and the ssl_c_s_dn in the logfile do match.
I don’t think this is a supported configuration. Use complete and actual backend names in your map file.
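Applying that last reply, here is an added example (not from anyone in this thread) of what the map and the frontend look like when the map values are complete backend names and no literal suffix is appended in use_backend; it also adds a default_backend so a client whose DN is absent from the map is not routed to a backend name that does not exist. The paths, the DN key and the backend names are taken from the posted config; the backend reject_app is an assumed name.

```haproxy
# /etc/haproxy/app.map  (added example)
# Key: the client certificate subject DN exactly as ssl_c_s_dn returns it, unquoted.
# Value: the complete backend name, so use_backend needs no "_app" suffix.
/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com demo1_app

# haproxy.cfg excerpt (added example; bind line as in the posted config)
frontend app
    bind *:7002 ssl crt /etc/haproxy/haproxy.pem ca-file /etc/pki/ca-app/intermediate/app_clients/certs/ca-chain.cert.pem verify required crl-file /etc/pki/ca-app/crl-chain.pem
    mode tcp
    timeout client 30s
    # "verify required" means only clients that presented a certificate
    # chaining to ca-chain.cert.pem (and not on the CRL) get this far.
    # Map the verified subject DN directly to a backend name.
    use_backend %[ssl_c_s_dn,map(/etc/haproxy/app.map)]
    # Any DN missing from the map falls through to this backend instead of
    # to a non-existent name. reject_app (assumed name) has no servers, so
    # the connection is closed rather than handed to some default server.
    default_backend reject_app

backend demo1_app
    mode tcp
    server prod 192.168.37.210:7000 check

backend reject_app
    mode tcp
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing to confirm the file parses, then test once with a certificate that is in the map and once with one that is not, checking in the log which backend each connection reached.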