HAProxy: Client Certificates

Started by Webxorcist, November 21, 2017, 09:57:38 PM

I configured 3 Apache servers with several virtual hosts. HAProxy makes it all possible, with SSL offloading.

Now I want a couple of management sites to be protected with a client certificate. How do I do this? I have no idea where to start. I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Can anyone help?

Is it even possible? Or am I looking in the wrong direction?

I don't think this is possible with a reverse proxy.

Can you just publish the management sites with normal port forwarding on a separate port?

Quote from: ChrisH on November 23, 2017, 11:37:29 AM
I don't think this is possible with a reverse proxy.

Can you just publish the management sites with normal port forwarding on a separate port?

Why should that not work? The question is if HAProxy can do that and if yes, is it possible via the GUI.
The way to go is injecting an HTTP header which includes the client certificate.

Quote from: Webxorcist on November 21, 2017, 09:57:38 PM
I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).


Regards
- Frank
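
The header-injection approach mentioned above, written as plain haproxy.cfg. This is an added example, not from any poster in this thread and not the OPNsense plugin's GUI or its generated config. Hostnames, addresses, file paths, header names and backend names are placeholders.

```haproxy
# Added example: every name, path and address below is a placeholder.
frontend https_in
    mode http
    # "verify optional" requests a client certificate during the TLS handshake
    # but still accepts clients that send none, so the public sites keep working.
    # A certificate that is sent but does not chain to ca-file fails the handshake.
    bind :443 ssl crt /usr/local/etc/haproxy/site.pem ca-file /usr/local/etc/haproxy/client-ca.pem verify optional

    # Requests for the management site (placeholder hostname).
    acl is_mgmt hdr(host) -i mgmt.example.test

    # Remove any copy of these headers sent by the client, so the backend
    # only ever sees values that HAProxy itself set.
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Client-Cert

    # Management site: refuse requests on connections without a client certificate.
    http-request deny if is_mgmt !{ ssl_c_used }

    # Pass the verified certificate to the application: the subject CN and
    # the full certificate (DER, base64-encoded).
    http-request set-header X-SSL-Client-CN   %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }
    http-request set-header X-SSL-Client-Cert %[ssl_c_der,base64]   if { ssl_c_used }

    use_backend mgmt_servers if is_mgmt
    default_backend web_servers

backend mgmt_servers
    mode http
    server apache1 192.0.2.10:80 check

backend web_servers
    mode http
    server apache2 192.0.2.11:80 check
```

The Apache backends should accept these headers only on connections coming from the HAProxy address, since anything that can reach them directly could set the same headers.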

Thanks for the answers. A tutorial would be great. I have never done this.

Quote from: fraenki on November 24, 2017, 09:26:44 PM
Quote from: Webxorcist on November 21, 2017, 09:57:38 PM
I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).


Regards
- Frank

https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/

http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

Quote from: Webxorcist on December 08, 2017, 08:54:19 AM
https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

Thanks. I've opened a feature request:
https://github.com/opnsense/plugins/issues/426

I have to admit that it's not a high priority for me, but I'll try to implement it after OPNsense 18.1 is released. That being said, patches and pull-requests are welcome :)


Regards
- Frank

\o/ Thank you.

I wish I could code :-(

Unless I missed it: Not yet right? ;-)