OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of s0mbra »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - s0mbra

Pages: [1]
1
General Discussion / Re: HAProxy Client Certificate Authentication for specific backends
« on: September 28, 2021, 01:49:13 pm »
Hey His.Dudeness,

The problem I was trying to solve was to use client certificates for authentication for SOME of the back-ends. For instance, i have a public website backend that obviously doesn't require a client cert. But other, more secure services do.

So, the client-certificate requirement is configured on the 'Public Service' as 'Optional'. This way you don't need a client-cert for the public website. For the secure services, I add the mentioned 'check' if a client-cert is used, otherwise deny access.

The description 'Check if a Client Certificate is Used' does exactly what it promises, you can configure your CA, CRL on the Public Service to make sure the cert is validated, so that happens before the check anyway.

2
General Discussion / HAProxy Client Certificate Authentication for specific backends
« on: March 27, 2021, 04:30:25 pm »
Hi y'all,

I worked my way through some of the walkthroughs and ended up with a nice SSL-offloading configuration with Let's Encrypt for all my backends, pretty sweet.

Now I have a few web-services I want to expose to the internet. On some of them I want to use Client Certificate Authentication.

I have been trying to figure this out for a few days and couldn't really find a quick and dirty solution provided by the GUI:

Checks on Condition's I tried, but don't work as expected:
  • SSL Client Certificate is valid
  • SSL Client Certificate verify error result

After digging through the HAProxy documentation: there's a quick way to check if a Client Certificate is used in the communication, I thought adding it here can save some people a day of (re)search :)

Add a 'Condition' through the GUI:

Name: client_cert_used
Description: Check if a Client Certificate is used
Condition type: Custom condition (option-pass-through)
Option pass-through: ssl_c_used  1

After that, add the condition to the rule that selects which backend to use.

Hope it helps someone!

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2