Enforce Clint Certificat Verification with haproxy to internal sites

[hbau]

Hi All,

I´ll be posting this question here at OPNSense Forum, because i think it belongs rather here and not in the haproxy forum, due to the OPNsense frontend configuration for haproxy.... (hope i`m right...)

I`m using the latest OPNSens Version 18.7.1 an for reverseproxying i`m using HAProxy Plugin Version (2.7_2).
On internal Severs i`m running different Applicatiopns with WebAcces wich i`m pubilishing throug haproxy plugin to the world. LetsEncrypt ssl termination at opnsens works fine, and i reach the internal App trough my path rules.

e.g.: Url: https://FQDNS/App1  with Serverbackand: "Server1" using Rule (with condition path starts with) : "/App1"   and URL https://FQDNS/App2 with Serverbackand: "Serevr2" using Rule (with condition: path starts with) : "/App2"

Now i want to limit access only to clients wich present a valid client certificate.
I set up an internal CA. Issued a client certificate th a user, installed the client certificate in my browser.

I understand that haproxy dose that via the config switch "verify required" in the ssl ca settings. If i`m globaly switching that on trough the Global Parameters settings under the Settings tab. But i want to limit it only to certain apps...
If i`m configurating a condition under the "Rules&Checks" Tab " "SSL Client certificate is valid" what rule do i have to configure to use that condition?
I simply cant get OPNSense HAProxy to aks for the client certificate befor redirekting to one of the backend apps...

Anny suggestions?

Thanx
HBau