Web Proxy Filtering and Caching / Enforce Client Certificate Verification with haproxy to internal sites
« on: August 27, 2018, 01:37:00 pm »
Hi All,
I'll be posting this question here at the OPNsense Forum, because I think it belongs here rather than in the haproxy forum, due to the OPNsense frontend configuration for haproxy.... (hope I'm right...)
I'm using the latest OPNsense version 18.7.1, and for reverse proxying I'm using HAProxy plugin version (2.7_2).
On internal servers I'm running different applications with web access, which I'm publishing through the haproxy plugin to the world. LetsEncrypt SSL termination at OPNsense works fine, and I reach the internal app through my path rules.
e.g.: URL: https://FQDNS/App1 with server backend: "Server1" using rule (with condition: path starts with): "/App1" and URL https://FQDNS/App2 with server backend: "Server2" using rule (with condition: path starts with): "/App2"
Now I want to limit access to only clients which present a valid client certificate.
I set up an internal CA, issued a client certificate to a user, and installed the client certificate in my browser.
I understand that haproxy does that via the config switch "verify required" in the SSL CA settings. If I'm globally switching that on through the Global Parameters settings under the Settings tab. But I want to limit it only to certain apps...
If I'm configuring a condition under the "Rules&Checks" tab, "SSL Client certificate is valid", what rule do I have to configure to use that condition?
I simply can't get OPNsense HAProxy to ask for the client certificate before redirecting to one of the backend apps...
Any suggestions?
Thanks
HBau
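
For reference, the setup described in the post above written as a plain haproxy.cfg: client certificates are requested for the whole listener but enforced for one app only. This is an added example, not part of the original post and not configuration generated by the OPNsense plugin; all file paths, section names and server addresses are placeholders.

```haproxy
# Added example: hand-written haproxy.cfg, not OPNsense plugin output.
# File paths, section names and addresses are placeholders.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # "verify optional" requests a client certificate during the TLS
    # handshake but still accepts clients that send none, so public
    # apps on the same listener keep working. A certificate that IS
    # sent must chain to ca-file, otherwise the handshake fails.
    # ("verify required" here would demand one for every app.)
    bind :443 ssl crt /path/to/server.pem ca-file /path/to/internal-ca.pem verify optional

    acl is_app1 path_beg /App1
    acl is_app2 path_beg /App2

    use_backend app1_protected if is_app1
    use_backend app2_public    if is_app2

backend app1_protected
    # Enforce in the backend so that every routing rule leading here
    # is covered, not only the path rule in the frontend.
    #   ssl_c_used   : client presented a certificate
    #                  (also true on resumed TLS sessions)
    #   ssl_c_verify : verification result, 0 means no error
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }
    server Server1 192.0.2.10:8080

backend app2_public
    # No certificate check: reachable by any client.
    server Server2 192.0.2.20:8080
```

A file like this can be syntax-checked with `haproxy -c -f <file>` before it is loaded.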