Hi,
I’ve configured HAProxy such that client verification is required for HTTP requests to all paths except /ping. Here’s my (boiled down) configuration, somewhat derived from this post:
```haproxy
global

defaults
    mode http
    timeout client 2m
    timeout connect 2m
    timeout server 2m

frontend the_frontend
    bind :443 ssl crt server-combined.pem ca-file ca.pem verify optional
    acl ping_page path /ping
    http-request deny if !{ ssl_fc_has_crt } !ping_page
    default_backend the_backend

backend the_backend
    server origin unix@origin.sock
```
Unfortunately, it seems that because of `verify optional`, clients that could authenticate sometimes establish an SSL session without authenticating, and this session is subsequently reused, causing the client to receive 403 responses for every path except /ping.
Turning off SSL caching with `tune.ssl.cachesize 0` seems to fix the problem, but at the cost of a large amount of SSL negotiation.
I’d be very grateful for any advice on a better solution. I’m actually only permitting unverified clients because I need to accommodate health checks from a piece of upstream infrastructure that’s incapable of supplying a client certificate; I require all ‘genuine’ clients to be verified. I’m aware that choosing whether to require a certificate in the manner described here isn’t possible on the basis of path because the path isn’t available until after the SSL negotiation is complete, but I wonder if there might be an approach whereby the infrastructure health checks can be distinguished from regular traffic in some other way… a SNI kludge maybe?
If it’s relevant, `haproxy -v` returns:
```text
HA-Proxy version 2.2.8-7bf78d7 2021/01/13 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.8.html
Running on: Linux 5.4.0-65-generic #73~18.04.1-Ubuntu SMP Tue Jan 19 09:02:24 UTC 2021 x86_64
```
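As an added illustration (not part of the original post), the configuration below shows the same setup with the client-certificate decision moved out of the HTTP layer: the listener for genuine clients uses `verify required`, so a TLS session can only ever be established (and later resumed) by a client that presented a valid certificate, while health checks get their own listener that never requests a certificate and only exposes /ping. It assumes the health checker can be pointed at a dedicated port (`:8443` here is a placeholder); the file and socket names are the ones from the post.

```haproxy
defaults
    mode http
    timeout client 2m
    timeout connect 2m
    timeout server 2m

# Genuine clients: the certificate is mandatory at the TLS layer, so no
# handshake, and therefore no cacheable session, can exist without a
# certificate that chains to ca.pem. The path-based deny is no longer needed.
frontend clients
    bind :443 ssl crt server-combined.pem ca-file ca.pem verify required
    default_backend the_backend

# Health checks only (assumption: the checker can target :8443).
# No client certificate is requested, and only /ping is reachable;
# any other path is refused before it reaches the origin.
frontend healthcheck
    bind :8443 ssl crt server-combined.pem verify none
    acl ping_page path /ping
    http-request deny if !ping_page
    default_backend the_backend

backend the_backend
    server origin unix@origin.sock
```

Because the two listeners have different `verify` settings, a session cached from the health-check listener cannot be used to reach the application paths, and the SSL session cache can stay enabled.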