Last active
December 9, 2017 18:26
-
-
Save meineerde/2a388fd52d0aa447215a to your computer and use it in GitHub Desktop.
Example HAProxy config which selectively requires client certificates based on SNI "vhost"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| listen tls | |
| bind *:443 | |
| mode tcp | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| # deny clients not sending an SNI header in 5 seconds | |
| tcp-request content reject | |
| acl require_client_certificate req.ssl_sni -i auth.example.com supersecure.example.com | |
| use_server tls_client_certificate if require_client_certificate | |
| # Fallback, here we send other hosts | |
| use_server tls_no_client_certificate | |
| server tls_client_certificate 127.0.0.1:4431 send-proxy | |
| server tls_no_client_certificate 127.0.0.1:4432 send-proxy | |
| # The frontend which requires the use of client certificates | |
| frontend tls_client_certificate | |
| bind 127.0.0.1:4431 accept-proxy ssl crt /etc/haproxy/ssl/example.com.pem ca-file /etc/haproxy/ssl/client_ca.pem verify required | |
| mode http | |
| # Do whatever here with the http requests | |
| # [...] | |
| # The frontend which does NOT request client certificates at all | |
| frontend tls_no_client_certificate | |
| bind 127.0.0.1:4432 accept-proxy ssl crt /etc/haproxy/ssl/example.com.pem | |
| mode http | |
| # Do whatever here with the http requests | |
| # [...] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend tls | |
| bind *:443 | |
| mode tcp | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| # deny clients not sending an SNI header in 5 seconds | |
| tcp-request content reject | |
| acl require_client_certificate req.ssl_sni -i auth.example.com supersecure.example.com | |
| use_backend tls_client_certificate if require_client_certificate | |
| # Fallback, here we send other hosts | |
| default_backend tls_no_client_certificate | |
| backend tls_client_certificate | |
| mode tcp | |
| server tls_client_certificate 127.0.0.1:4431 send-proxy | |
| backend tls_no_client_certificate | |
| mode tcp | |
| server tls_no_client_certificate 127.0.0.1:4432 send-proxy | |
| # The frontend which requires the use of client certificates | |
| frontend tls_client_certificate | |
| bind 127.0.0.1:4431 accept-proxy ssl crt /etc/haproxy/ssl/example.com.pem ca-file /etc/haproxy/ssl/client_ca.pem verify required | |
| mode http | |
| # Do whatever here with the http requests | |
| # [...] | |
| # The frontend which does NOT request client certificates at all | |
| frontend tls_no_client_certificate | |
| bind 127.0.0.1:4432 accept-proxy ssl crt /etc/haproxy/ssl/example.com.pem | |
| mode http | |
| # Do whatever here with the http requests | |
| # [...] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment