@Senanito wrote:
Hi, all
I have a task to restrict access to some part of the site with a certificate.
I have written something after reading posts by @AaronWest and @lukastribus,
however, I have to admit that I didn't fully understand it.
Let's say the URL for all users is: https://tapprod.com
Restricted part: https://tapprod.com/tier2/rest/
My backend server, let's call it tapprodsrv-02, with IP 172.20.20.20.
Here is my config:
```haproxy
defaults
    mode http

frontend HTTPS-IN
    # mode tcp: req_ssl_hello_type / req_ssl_sni inspect the raw ClientHello,
    # so this frontend must pass TLS through untouched
    mode tcp
    bind 172.20.10.10:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # req_ssl_sni is the server name from the TLS ClientHello;
    # backend names must match the backend sections below
    use_backend TAPPROD-HTTP-OUT-CERT if { req_ssl_sni -i /tier2/rest/ }
    default_backend TAPPROD-HTTP-OUT-NOCERT

backend TAPPROD-HTTP-OUT-CERT
    mode tcp
    server loopback-for-tls abns@haproxy-clientcert send-proxy-v2

backend TAPPROD-HTTP-OUT-NOCERT
    mode tcp
    server loopback-for-tls abns@haproxy-default send-proxy-v2

frontend fe-ssl-clientcert
    mode http
    bind abns@haproxy-clientcert accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify required
    use_backend APPSR01

frontend fe-ssl-default
    mode http
    bind abns@haproxy-default accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem
    use_backend APPSR01

backend APPSR01
    server tapprodsrv-02 172.20.20.20:443 check ssl verify none
```
I came to this point after reading and trying to understand this discussion:
As I understand it, it creates one more loop using the loopback interface to segregate two different kinds of traffic.
I guess "abns@haproxy-clientcert" and "abns@haproxy-default" mark the different traffic.
And then the load balancer listens to the traffic coming to the loopback interface to redirect it.
But the original posts never point to actual backend servers, so I modified it. Not sure if it's correct.
Please help me understand it and make it work.
Thank you
Posts: 3
Participants: 2
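The SNI-split design above can only decide per hostname: the TLS ClientHello carries the server name, never the URL path, so `req_ssl_sni -i /tier2/rest/` will never match and `/tier2/rest/` cannot be routed to the client-cert frontend before the handshake. If the restricted part shares the hostname tapprod.com, the usual HAProxy approach is to terminate TLS once with `verify optional` and enforce the client certificate per path with `http-request` rules. The following is an added example, not code from the original post or from the other posters; it reuses the poster's addresses, certificate paths and backend, while the timeouts, the `X-Client-Cert-DN` header name and the 403 status are assumptions.

```haproxy
# Added example: single TLS termination, client certificate enforced per path.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend HTTPS-IN
    mode http
    # verify optional: a client certificate is requested; if none is offered the
    # handshake still completes, and if one is offered it must chain to tap-ca.crt
    # (a certificate that fails verification aborts the handshake unless
    # crt-ignore-err / ca-ignore-err are set).
    bind 172.20.10.10:443 ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify optional

    acl restricted_path   path_beg -i /tier2/rest/
    acl client_cert_sent  ssl_c_used
    acl client_cert_valid ssl_c_verify 0

    # Everything under /tier2/rest/ requires a presented and verified client cert.
    http-request deny deny_status 403 if restricted_path !client_cert_sent
    http-request deny deny_status 403 if restricted_path !client_cert_valid

    # Pass the authenticated subject DN to the application in an assumed header;
    # drop any client-supplied copy first so it cannot be spoofed.
    http-request del-header X-Client-Cert-DN
    http-request set-header X-Client-Cert-DN %{+Q}[ssl_c_s_dn] if client_cert_sent client_cert_valid

    default_backend APPSR01

backend APPSR01
    # "verify none" skips validation of the backend's certificate; once the
    # backend CA is available prefer "ssl verify required ca-file <backend-ca>".
    server tapprodsrv-02 172.20.20.20:443 check ssl verify none
```

Check it with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then `curl -s -o /dev/null -w '%{http_code}\n' --cacert <server-ca> https://tapprod.com/tier2/rest/` should print 403 without a certificate, while adding `--cert client.pem --key client.key` (a client certificate issued by tap-ca.crt) should return the backend's own response; requests outside `/tier2/rest/` must succeed either way. One caveat: with `verify optional` every TLS connection to this bind requests a client certificate, so browsers that have a certificate installed may prompt users even on the public part of the site. If that is unacceptable, put the restricted API on its own hostname (for example an assumed tier2.tapprod.com) and keep the loopback design from the thread, matching `req_ssl_sni -i tier2.tapprod.com` instead of a path.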