Author Topic: HAProxy: Client Certificates (Read 7971 times)

Webxorcist · « **on:** November 21, 2017, 09:57:38 pm »

I configured 3 apache servers with several virtual hosts. HAProxy makes it all possible, with SSL offloading.

Now I want a couple of management sites to be protected with a client certificate. How do I this? I have no idea where to start. I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Can anyone help?

Webxorcist · « **Reply #1 on:** November 23, 2017, 08:53:03 am »

Is it even possible? Or am I looking in the wrong direction?

ChrisH · « **Reply #2 on:** November 23, 2017, 11:37:29 am »

I don't think this is possible with a reverse proxy.

Can you just publish the management sites with normal port forwarding on a separate port?

fabian · « **Reply #3 on:** November 23, 2017, 05:07:21 pm »

Quote from: ChrisH on November 23, 2017, 11:37:29 am

I don't think this is possible with a reverse proxy.

Can you just publish the management sites with normal port forwarding on a separate port?

Why should that not work? The question is if HAProxy can do that and if yes, is it possible via the GUI.
The way to go is injecting an HTTP header which includes the client certificate.

fraenki · « **Reply #4 on:** November 24, 2017, 09:26:44 pm »

Quote from: Webxorcist on November 21, 2017, 09:57:38 pm

I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).

Regards
- Frank

Webxorcist · « **Reply #5 on:** November 25, 2017, 12:42:52 am »

Thanks for the answers. A tutorial would be great. I have never done this.

Webxorcist · « **Reply #6 on:** December 08, 2017, 08:54:19 am »

Quote from: fraenki on November 24, 2017, 09:26:44 pm

Quote from: Webxorcist on November 21, 2017, 09:57:38 pm
I found some tuts for HAProxy, but what I read there doesn't match the HAProxy plugin in OPNsense.

Please post the links to these tutorials. This will help me to guide you (or to add this feature, if it's currently missing in the HAProxy plugin).

Regards
- Frank

https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/

http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

fraenki · « **Reply #7 on:** December 13, 2017, 12:26:36 pm »

Quote from: Webxorcist on December 08, 2017, 08:54:19 am

https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

Thanks. I've opened a feature request:
https://github.com/opnsense/plugins/issues/426

I have to admit that it's not a high priority for me, but I'll try to implement it after OPNsense 18.1 was released. That being said, patches and pull-requests are welcome

Regards
- Frank

Webxorcist · « **Reply #8 on:** December 18, 2017, 10:04:04 am »

\o/ Thank you.

I wish I could code :-(

Webxorcist · « **Reply #9 on:** February 06, 2018, 02:30:54 pm »

Unless I missed it: Not yet right? ;-)

Author Topic: HAProxy: Client Certificates (Read 7971 times)

Webxorcist

HAProxy: Client Certificates

Webxorcist

Re: HAProxy: Client Certificates

ChrisH

Re: HAProxy: Client Certificates

fabian

Re: HAProxy: Client Certificates

fraenki

Re: HAProxy: Client Certificates

Webxorcist

Re: HAProxy: Client Certificates

Webxorcist

Re: HAProxy: Client Certificates

fraenki

Re: HAProxy: Client Certificates

Webxorcist

Re: HAProxy: Client Certificates

Webxorcist

Re: HAProxy: Client Certificates