Channel: HAProxy community - Latest topics

Client Certificate Authentication - No Encryption!


This is an unusual requirement which is far from the correct way to do this; however, this is a system which I’ve just taken on and we need to get this working in this way until we can do it better next year.

There’s an API endpoint, secured with TLS, but also secured by the presentation of a client certificate. The unusual part here is the certificate must have a given string for the organisation name and common name. There is no other purpose for this certificate; not for encryption or any other purpose.

The frontend bind line has verify none as we don’t (apparently) care where the cert has come from.

bind    *:443  ssl crt-list /etc/haproxy/certs/certlist.txt ca-file /etc/haproxy/certs/internal/RootAuthority.pem verify none

Just trying to log either the Common Name or Organisation Name doesn’t work using this line in the frontend: (Edit: it just logs “”)

log-format "%ci %{+Q}[ssl_c_s_dn(c)]"

I’ve looked at Lua to try and get this information, but I’ve no experience with Lua and feel this should be possible through the existing configuration language.

If anyone can get both of these certificate fields into variables that would really help.
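An added example, not part of the original post and not the project's own configuration: one way to capture both subject fields in variables and enforce the expected strings. It assumes the empty log value comes from `verify none`, under which HAProxy does not request a client certificate at all; the frontend and backend names, the backend address and the `EXPECTED-*` strings are placeholders.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend api_in    # hypothetical name
    # "verify optional" makes HAProxy request a client certificate.
    # ca-ignore-err / crt-ignore-err keep the handshake alive when the
    # chain does not validate against ca-file, matching the stated
    # "we don't care where the cert has come from" requirement.
    bind *:443 ssl crt-list /etc/haproxy/certs/certlist.txt ca-file /etc/haproxy/certs/internal/RootAuthority.pem verify optional ca-ignore-err all crt-ignore-err all

    # Copy the subject Common Name and Organisation into transaction variables.
    http-request set-var(txn.client_cn) ssl_c_s_dn(cn)
    http-request set-var(txn.client_o)  ssl_c_s_dn(o)

    # ssl_c_verify is 0 only when the chain validated; logging it shows
    # which callers already present a certificate issued by the internal
    # root, which helps when verification is tightened later.
    log-format "%ci cn=%{+Q}[var(txn.client_cn)] o=%{+Q}[var(txn.client_o)] verify=%[ssl_c_verify]"

    # With verification errors ignored, these fields are whatever the
    # client put in its certificate, so this is a string match only.
    acl cert_sent ssl_c_used
    acl cn_ok     var(txn.client_cn) -m str "EXPECTED-CN"     # placeholder
    acl o_ok      var(txn.client_o)  -m str "EXPECTED-ORG"    # placeholder
    http-request deny deny_status 403 unless cert_sent cn_ok o_ok

    default_backend api_servers

backend api_servers    # hypothetical name
    server api1 127.0.0.1:8080    # constructed address
```

In `ssl_c_s_dn`, the entry `c` selects the country attribute; the common name is `cn` and the organisation is `o`.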
