OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: Webxorcist on November 21, 2017, 09:57:38 pm
-
I configured 3 apache servers with several virtual hosts. HAProxy makes it all possible, with SSL offloading.
Now I want a couple of management sites to be protected with a client certificate. How do I do this? I have no idea where to start. I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.
Can anyone help?
-
Is it even possible? Or am I looking in the wrong direction?
-
I don't think this is possible with a reverse proxy.
Can you just publish the management sites with normal port forwarding on a separate port?
-
> I don't think this is possible with a reverse proxy.
> Can you just publish the management sites with normal port forwarding on a separate port?
Why should that not work? The question is if HAProxy can do that and if yes, is it possible via the GUI.
The way to go is injecting an HTTP header which includes the client certificate.
-
> I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.
Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).
Regards
- Frank
-
Thanks for the answers. A tutorial would be great. I have never done this.
-
> I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.
> Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).
> Regards
> - Frank
https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
-
> https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
> http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
Thanks. I've opened a feature request:
https://github.com/opnsense/plugins/issues/426
I have to admit that it's not a high priority for me, but I'll try to implement it after OPNsense 18.1 is released. That being said, patches and pull requests are welcome :)
Regards
- Frank
-
\o/ Thank you.
I wish I could code :-(
-
Unless I missed it: Not yet, right? ;-)
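-
Added example, not part of the thread and not OPNsense plugin output: the approach discussed above (require a client certificate for the management sites at HAProxy, then pass the certificate details to the backend in an HTTP header), written in plain HAProxy configuration syntax. The host name, file paths, header names, backend names and addresses are placeholders chosen for illustration.

```haproxy
# Constructed example: every path, name and address below is a placeholder.
frontend https_in
    mode http
    # "verify optional" lets the TLS handshake succeed without a client
    # certificate, so the public virtual hosts on the same port keep working.
    # ca-file is the CA that issues the management client certificates.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Management virtual host that must present a client certificate.
    acl is_mgmt hdr(host) -i mgmt.example.com

    # Refuse management requests that arrive without a client certificate.
    http-request deny if is_mgmt !{ ssl_c_used }

    # Remove any copies sent by the client first, so the backend never sees
    # header values that HAProxy did not set itself.
    http-request del-header X-SSL-Client-Verify
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Client-DN

    # Inject the verification result and certificate subject for the backend.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify] if { ssl_c_used }
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }

    use_backend mgmt_servers if is_mgmt
    default_backend web_servers

backend mgmt_servers
    mode http
    server apache_mgmt 192.0.2.10:80 check

backend web_servers
    mode http
    server apache_web 192.0.2.11:80 check
```

The injected headers are only trustworthy if the Apache servers accept connections solely from HAProxy; if a backend is reachable directly, anyone can send the same headers.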