How to configure HAProxy for certificate authentication

Good Evening,

I want to have certificate-based authentication configured only on the backend test5_ssl, in such a way that the configuration would not impact other nodes (test_1_ssl, test_2_ssl, test_3_ssl, test_4_ssl). My question is how to do it?

P.S. My HAProxy version is 1.5.18.

I have the following configuration:

frontend primordial_ssl
log 127.0.0.1:514 local0 notice
mode http
# -->>> LINE of INTEREST
bind *:443 ssl crt /etc/ssl/server.pem ca-file /etc/haproxy/ca.crt verify required
http-request set-header X-SSL-Client %{+Q}[ssl_c_der,base64]
acl test_1 hdr_dom(host) -i -f /etc/haproxy/test1
acl test_2 hdr_dom(host) -i -f /etc/haproxy/test2
acl test_3 hdr_dom(host) -i -f /etc/haproxy/test3
use_backend test_1_ssl if test_1
use_backend test_2_ssl if test_2
# Backend names must match the "backend" sections below (test3_ssl, test4_ssl)
use_backend test3_ssl if test_3
default_backend test4_ssl

backend test_1_ssl
mode http
balance roundrobin
option forwardfor
cookie testcookie prefix nocache
option httpchk HEAD / HTTP/1.1.\r\nHost:localhost
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test1_s test.com:18443 cookie 01 id 1011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http

backend test_2_ssl
mode http
balance roundrobin
option forwardfor
cookie test2cookie prefix nocache
option httpchk HEAD / HTTP/1.1.\r\nHost:localhost
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test2_s test.com:18443 cookie 01 id 11011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/test2.http

backend test3_ssl
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1.\r\nHost:localhost
cookie test3cookie insert indirect nocache
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test3_s test.com:8443 cookie 01 id 4011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http

backend test4_ssl
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1.\r\nHost:localhost
cookie test4cookie insert indirect nocache
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
server test4_s test.com:8443 cookie 01 id 4011 ssl verify none
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http

#-->> HOW to configure this node to accept only certificate based connections
#-->> without any impact on other nodes?
backend test5_ssl
mode http
#bind *:443 ssl crt /etc/ssl/server.pem ca-file /etc/haproxy/ca.crt
balance roundrobin
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto http
option forwardfor except 127.0.0.0/8
cookie test5cookie
server test5 test.com:19090 cookie 01 id 1001 check inter 2000 rise 2 fall 5
errorfile 503 /etc/haproxy/maintenance_pages/testmaintenance1.http
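
One way to get the behaviour the post asks for, shown as an added example that is not part of the original post or the poster's configuration: keep a single TLS listener, make the client certificate optional at the handshake, and enforce it with an `http-request deny` rule in `test5_ssl` only. The ACL name `test_5` and the host list `/etc/haproxy/test5` are hypothetical, following the `test1`..`test3` pattern in the post; the keywords used (`verify optional`, `ssl_c_used`, `ssl_c_verify`, `http-request deny`) are available in HAProxy 1.5.

```haproxy
# Added example; assumes HAProxy 1.5 or later.
# test_5 and /etc/haproxy/test5 are hypothetical names, not from the post.

frontend primordial_ssl
    mode http

    # Before: "verify required" applies to the whole listener, so every host
    # served on :443 fails the TLS handshake without a client certificate.
    #   bind *:443 ssl crt /etc/ssl/server.pem ca-file /etc/haproxy/ca.crt verify required

    # After: ask for a certificate but let the handshake finish without one.
    # A certificate that IS presented and does not validate against ca.crt
    # still aborts the handshake, because neither crt-ignore-err nor
    # ca-ignore-err is set.
    bind *:443 ssl crt /etc/ssl/server.pem ca-file /etc/haproxy/ca.crt verify optional

    # Route the protected host names to the protected backend.
    acl test_5 hdr_dom(host) -i -f /etc/haproxy/test5
    use_backend test5_ssl if test_5

    # Existing test_1..test_3 acl/use_backend rules and default_backend
    # stay as they are and are no longer affected by client-cert checks.

backend test5_ssl
    mode http

    # Enforcement happens here only. ssl_c_used is true when the TLS session
    # carries a client certificate (including resumed sessions).
    # ssl_c_verify is 0 when verification succeeded, but it is also 0 when
    # no certificate was sent, so it must be combined with ssl_c_used.
    # Both anonymous ACLs are ANDed; "unless" negates the whole condition,
    # so any request without a verified client certificate gets a 403.
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }

    # Remaining test5_ssl directives from the post (balance, set-header,
    # cookie, server, errorfile) follow unchanged.
```

Because the check is an HTTP-level rule, clients without a certificate reach `test5_ssl` routing and receive a 403 rather than a handshake failure; validate the edited file with `haproxy -c -f <config file>` before reloading.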
