I have a web API fronted by an HA Proxy load balancer. The web API uses client authentication certificates for identity authentication and authorization. I'd like the HA Proxy appliance to terminate the TLS connection and use normal HTTP on the backend to talk to the web API, but I need the client authentication certificate passed through over the HTTP connection. How does the HA Proxy need to be set up to keep the authentication certificate on the request out to the backend, but using HTTP only?

Matt Hamsmith

1 Answer

You can set various HTTP headers to be sent to the backend regarding the TLS client certificate that was presented. For example:

frontend intranet
    # Terminate TLS here; "verify required" rejects the handshake unless the
    # client presents a certificate chaining to client-chain.pem.
    bind 10.20.30.40:443 ssl crt /etc/haproxy/pem/server.pem ca-file /etc/haproxy/pem/client-chain.pem verify required
    # Expose facts about the TLS session and the client certificate as headers.
    # set-header overwrites any copy of these headers sent by the client.
    http-request set-header X-SSL                       %[ssl_fc]
    http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
    # ssl_c_sha1 is binary; the hex converter makes it header-safe.
    http-request set-header X-SSL-Client-SHA1           %{+Q}[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer                %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before     %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After      %{+Q}[ssl_c_notafter]
    default_backend your_backend

Your application must then examine the headers and take appropriate action.

This example was taken from raymii.org where you may find some additional useful information about using client certificates with HAProxy, such as validating the client certificate and rejecting invalid certificates.

Michael Hampton
  • I think I misunderstand this answer. I don't want to forward a TLS certificate from the client. TLS terminates at the HA proxy appliance. Within the HTTPS connection to HA proxy is a different client certificate for authentication that needs to be forwarded over HTTP. That certificate has nothing to do with TLS. – Matt Hamsmith Jul 06 '19 at 13:14
  • @MattHamsmith You can either terminate TLS at HAProxy, or at your backend server. If you terminate it at HAProxy, then HAProxy must handle the client certificate, including validation. You can't "forward" the client certificate, but you can forward its metadata. If your backends must actually do the certificate validation, then you cannot terminate TLS with HAProxy. You must pass it through. – Michael Hampton Jul 06 '19 at 15:01
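The answer says the application must examine the forwarded headers; here is an added example of what that check looks like on the backend (not code from the answer or from raymii.org). It assumes the header names from the frontend config above, that the backend accepts these headers only from the HAProxy address (a constructed value here), and that `%{+Q}` wraps each value in double quotes.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed assumption: the only host allowed to assert X-SSL-* headers.
# set-header overwrites client-supplied copies at HAProxy, but the backend must
# still refuse the headers from anything that is not the proxy.
TRUSTED_PROXIES = {"10.20.30.40"}


@dataclass(frozen=True)
class ClientIdentity:
    common_name: str
    subject_dn: str
    issuer_dn: str
    fingerprint_sha1: str  # hex, lower-cased


class Rejected(Exception):
    """Raised when the request carries no trustworthy client certificate."""


def _unquote(value: str) -> str:
    # %{+Q} emits the value inside double quotes; strip them.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def identity_from_headers(peer_ip: str, headers: Mapping[str, str]) -> ClientIdentity:
    """Return the identity asserted by HAProxy, or raise Rejected."""
    if peer_ip not in TRUSTED_PROXIES:
        raise Rejected("request did not arrive through the TLS-terminating proxy")
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-ssl") != "1":
        raise Rejected("front connection was not TLS")
    # ssl_c_verify is 0 when the chain validated against ca-file; with
    # "verify optional" any other value is an OpenSSL verify error code.
    if h.get("x-ssl-client-verify") != "0":
        raise Rejected("client certificate absent or failed verification")
    cn = _unquote(h.get("x-ssl-client-cn", ""))
    if not cn:
        raise Rejected("client certificate has no CN to authorize against")
    return ClientIdentity(
        common_name=cn,
        subject_dn=_unquote(h.get("x-ssl-client-dn", "")),
        issuer_dn=_unquote(h.get("x-ssl-issuer", "")),
        fingerprint_sha1=_unquote(h.get("x-ssl-client-sha1", "")).lower(),
    )


def authenticate(peer_ip: str, headers: Mapping[str, str]) -> Optional[ClientIdentity]:
    """Non-raising wrapper: None means deny the request."""
    try:
        return identity_from_headers(peer_ip, headers)
    except Rejected:
        return None
```

Authorization decisions (which CN or fingerprint may call what) then key off the returned `ClientIdentity` rather than off raw header strings.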