Use tcp backend based on map and ssl_c_s_dn

Hi all!

Is it possible to use a backend based on the ssl client certificate DN?

I tried it like this:

use_backend     %[ssl_c_s_dn,map(/etc/haproxy/backends.map)]

but it seems that this lookup just doesn’t work.
The SSL Config seems to be ok, the DN is logged into the logfile.

Can someone point me in the right direction?

thx
Chris

Share the rest of the configuration as well as the output of the logs please.

Here’s the relevant config:

global
    maxconn         10000
    stats socket    /var/run/haproxy.stat mode 600 level admin
    log             127.0.0.1:514 local0 debug
    chroot          /var/empty
    pidfile         /var/run/haproxy.pid
    user            haproxy
    group           haproxy
    daemon

defaults
    option  log-health-checks
    log         global
    option  httplog

frontend app
    bind            *:7002 ssl crt /etc/haproxy/haproxy.pem ca-file /etc/pki/ca-app/intermediate/app_clients/certs/ca-chain.cert.pem verify required crl-file /etc/pki/ca-app/crl-chain.pem
    mode            tcp
    log             global
    maxconn         8000
    timeout client  30s
    log-format '%ci:%cp [%t] %ft {%[ssl_c_verify],%{+Q}[ssl_c_s_dn(cn)],%{+Q}[ssl_c_i_dn]}'

    use_backend     %[ssl_c_s_dn,map(/etc/haproxy/app.map)]_app

backend demo1_app
    mode            tcp
    balance         roundrobin
    retries         2
    option redispatch
    timeout connect 5s
    timeout server  30s
    timeout queue   30s
    option  tcp-check
    server          prod 192.168.37.210:7000 check

app.map:

"/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com" demo1
/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com demo1

Logfile:

[WARNING] 297/222740 (15582) : Health check for server demo1_app/prod succeeded, reason: Layer4 check passed, check duration: 1ms, status: 3/3 UP.
 xxx:60034 [24/Oct/2020:22:21:00.302] xxx~ {0,"/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com","/C=AT/ST=Vienna/O=xxx/OU=xxx/CN=xxx"}

I had to remove company specific details, but the entry in the map file and the ssl_c_s_dn in the logfile do match.

I don’t think this is a supported configuration. Use complete and actual backend names in your map file.
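As an added example (not part of the thread), here is the map file and frontend rewritten the way the reply suggests: the map value is the complete backend name, so nothing is appended after the %[...] expression, and a client DN that is missing from the map is rejected instead of falling through to an unintended backend. The DN keys are the placeholder values from the thread; the `reject` rule and the `-m found` test are my addition, not something the participants wrote.

```haproxy
# --- /etc/haproxy/app.map (constructed example; the DN is a placeholder) ---
# Key:   the client certificate subject DN exactly as ssl_c_s_dn renders it.
# Value: the complete backend name. The lookup result is used as-is, so the
#        "_app" suffix belongs in the map, not after the %[...] expression.
/C=AT/ST=Vienna/O=xxx/CN=xxx/emailAddress=xxx.com demo1_app

# --- frontend excerpt (bind line and backend taken from the thread) ---
frontend app
    bind            *:7002 ssl crt /etc/haproxy/haproxy.pem ca-file /etc/pki/ca-app/intermediate/app_clients/certs/ca-chain.cert.pem verify required crl-file /etc/pki/ca-app/crl-chain.pem
    mode            tcp
    log             global
    maxconn         8000
    timeout client  30s
    log-format '%ci:%cp [%t] %ft {%[ssl_c_verify],%{+Q}[ssl_c_s_dn(cn)],%{+Q}[ssl_c_i_dn]}'

    # Fail closed: a certificate whose DN has no map entry is dropped here,
    # so an unknown (but CA-valid) client never reaches any backend.
    # The bind's "verify required" already rejects untrusted certificates;
    # this rule covers trusted certificates that are simply not enrolled.
    tcp-request content reject unless { ssl_c_s_dn,map(/etc/haproxy/app.map) -m found }

    # Same lookup as before, minus the literal suffix: the map now yields
    # "demo1_app" directly, which is an existing backend name.
    use_backend     %[ssl_c_s_dn,map(/etc/haproxy/app.map)]

backend demo1_app
    mode            tcp
    balance         roundrobin
    retries         2
    option redispatch
    timeout connect 5s
    timeout server  30s
    timeout queue   30s
    option  tcp-check
    server          prod 192.168.37.210:7000 check
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing; it reports a map or use_backend target that does not resolve to a defined backend before the config goes live.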