HAProxy Client Certificate Authentication for specific backends

[s0mbra]

Hi y'all,

I worked my way through some of the walkthroughs and ended up with a nice SSL-offloading configuration with Let's Encrypt for all my backends, pretty sweet.

Now I have a few web-services I want to expose to the internet. On some of them I want to use Client Certificate Authentication.

I have been trying to figure this out for a few days and couldn't really find a quick and dirty solution provided by the GUI:

Checks on Condition's I tried, but don't work as expected:

• SSL Client Certificate is valid
• SSL Client Certificate verify error result

After digging through the HAProxy documentation: there's a quick way to check if a Client Certificate is used in the communication, I thought adding it here can save some people a day of (re)search

Add a 'Condition' through the GUI:

Name: client_cert_used
Description: Check if a Client Certificate is used
Condition type: Custom condition (option-pass-through)
Option pass-through: ssl_c_used  1

After that, add the condition to the rule that selects which backend to use.

Hope it helps someone!

[His.Dudeness]

Hi,

first of all: Thanks a lot for sharing your findings! 
I was just  just googeling cert based auth can be done with OPNsense+HAProxy.

I am wondering: Does "Check if a Client Certificate is used" really mean that the certificate is valid?
Where in the configuration do I specify the CA cert against which the client cert is checked?

cheers
Michael

[s0mbra]

Hey His.Dudeness,

The problem I was trying to solve was to use client certificates for authentication for SOME of the back-ends. For instance, i have a public website backend that obviously doesn't require a client cert. But other, more secure services do.

So, the client-certificate requirement is configured on the 'Public Service' as 'Optional'. This way you don't need a client-cert for the public website. For the secure services, I add the mentioned 'check' if a client-cert is used, otherwise deny access.

The description 'Check if a Client Certificate is Used' does exactly what it promises, you can configure your CA, CRL on the Public Service to make sure the cert is validated, so that happens before the check anyway.

[La Binouze]

Hi all,

I'm trying to figure out the configuration provided to do the trick with "standard" published service without CERT client verification and "securized" service with CERT client verification.

It's working with CERT verification with condition match to custom  ssl_c_used  1 and also with client CERT SSL CA verfication with Comon Name like " xxxx".

The fact is in both case, I'm not able to have :
 - the standard published service working AND
- the securized service not working
When I put the Revokation list check in place in the public service backend, with the client CERT tag as revoked (compromised reason for instance)

When I test both of them (services) are broken with "ERR_BAD_SSL_CLIENT_AUTH_CERT" in the client browser and with "HTTPS-WAN-frontend/192.168.x.x:443: SSL client certificate not trusted" message in the haproxy logs.

Do you have an idea, how to manage this use case by securizing specific services and none of the standard service, and keeping the possibility to revoke a compromised client CERT used in specific service.

Thank you for your help.

[Tubs]

So, the client-certificate requirement is configured on the 'Public Service' as 'Optional'. This way you don't need a client-cert for the public website. For the secure services, I add the mentioned 'check' if a client-cert is used, otherwise deny access.

I try to achieve something similar and found your post.

What will happen if the client presents a cert that is not valid and you only check if the cert was presented?
Would it be the right way to combine 'ssl_c_used' with 'ssl_c_verify' in your check?

[HatalaTitla48]

This is a little bit older post, but for those who searching for possible solution for this, I can offer main:
I just roll up separate public service with 444 port and dedicated it to specific backends which I want to connect with client cert. I dont need those backends on 443, as these arent ment for public. This is simple and fast solution....