OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Webxorcist on November 21, 2017, 09:57:38 pm

Title: HAProxy: Client Certificates
Post by: Webxorcist on November 21, 2017, 09:57:38 pm
I configured 3 apache servers with several virtual hosts. HAProxy makes it all possible, with SSL offloading.

Now I want a couple of management sites to be protected with a client certificate. How do I do this? I have no idea where to start. I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Can anyone help?
Title: Re: HAProxy: Client Certificates
Post by: Webxorcist on November 23, 2017, 08:53:03 am
Is it even possible? Or am I looking in the wrong direction?
Title: Re: HAProxy: Client Certificates
Post by: ChrisH on November 23, 2017, 11:37:29 am
I don't think this is possible with a reverse proxy.

Can you just publish the management sites with normal port forwarding on a separate port?
Title: Re: HAProxy: Client Certificates
Post by: fabian on November 23, 2017, 05:07:21 pm
> I don't think this is possible with a reverse proxy.
>
> Can you just publish the management sites with normal port forwarding on a separate port?

Why should that not work? The question is if HAProxy can do that and if yes, is it possible via the GUI.
The way to go is injecting an HTTP header which includes the client certificate.
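
Added example, not part of the thread and not output of the OPNsense plugin: a raw `haproxy.cfg` sketch of the approach described in the post above, where HAProxy terminates TLS, requires a valid client certificate only for the management host, and passes the certificate identity to Apache in request headers. File paths, host names, header names, backend names and addresses are assumptions.

```haproxy
# Added example; every path, host name, header name and address is a placeholder.
frontend https_in
    mode http
    # "verify optional" asks for a client certificate during the TLS handshake
    # but still admits clients without one, so the public vhosts keep working.
    # ca-file is the CA that issued the client certificates.
    bind :443 ssl crt /usr/local/etc/haproxy/site.pem ca-file /usr/local/etc/haproxy/client-ca.pem verify optional

    # Host header without an optional ":port" suffix, compared case-insensitively.
    acl is_mgmt req.hdr(host),field(1,:) -i mgmt.example.org
    # ssl_c_used: the TLS session carries a client certificate.
    acl cert_presented ssl_c_used
    # ssl_c_verify: 0 means the certificate chain verified against ca-file.
    acl cert_ok ssl_c_verify 0

    # Management site: refuse anything without a verified client certificate.
    http-request deny if is_mgmt !cert_presented
    http-request deny if is_mgmt !cert_ok

    # set-header replaces any value the client sent under the same name,
    # so a browser cannot forge these identity headers.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]

    use_backend mgmt_servers if is_mgmt
    default_backend public_servers

backend mgmt_servers
    mode http
    server apache_mgmt 192.0.2.10:80 check

backend public_servers
    mode http
    server apache_pub 192.0.2.11:80 check
```

The headers are only trustworthy if the Apache servers accept connections from HAProxy alone; a client that can reach a backend directly can send any header value it likes.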
Title: Re: HAProxy: Client Certificates
Post by: fraenki on November 24, 2017, 09:26:44 pm
> I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).


Regards
- Frank
Title: Re: HAProxy: Client Certificates
Post by: Webxorcist on November 25, 2017, 12:42:52 am
Thanks for the answers. A tutorial would be great. I have never done this.
Title: Re: HAProxy: Client Certificates
Post by: Webxorcist on December 08, 2017, 08:54:19 am
> > I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.
>
> Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).
>
> Regards
> - Frank

https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/

http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
Title: Re: HAProxy: Client Certificates
Post by: fraenki on December 13, 2017, 12:26:36 pm
> https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
> http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

Thanks. I've opened a feature request:
https://github.com/opnsense/plugins/issues/426

I have to admit that it's not a high priority for me, but I'll try to implement it after OPNsense 18.1 is released. That being said, patches and pull requests are welcome :)


Regards
- Frank
Title: Re: HAProxy: Client Certificates
Post by: Webxorcist on December 18, 2017, 10:04:04 am
\o/ Thank you.

I wish I could code :-(
Title: Re: HAProxy: Client Certificates
Post by: Webxorcist on February 06, 2018, 02:30:54 pm
Unless I missed it: Not yet right? ;-)