Hi Jarno,

Some information is available here: http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/ and here: http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/
Concerning nbproc, you should make all your SSL processes point to a single HAProxy process in clear text where you do your stick-table stuff. Each frontend and backend must be in the same process, so you must pass information through the loopback interface between your SSL frontends and your HTTP backends with stick-tables.

Baptiste

On Tue, Apr 1, 2014 at 1:58 PM, Jarno Huuskonen <jarno.huusko...@uef.fi> wrote:
> Hello,
>
> I have a couple of haproxy (1.5dev22 snapshot) SSL related questions:
>
> Is it possible to use mod_ssl compatible "optional_no_ca" client
> cert verify with haproxy:
> - is it possible to use "ca-ignore-err" for this?
> (I think apache 2.2.7 (mod_ssl) ignores these errors w/ optional_no_ca:
> #define ssl_verify_error_is_optional(errnum) \
>     ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
>      || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
>      || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
>      || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
>      || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
> )
> - so ca-ignore-err 18,19,20,27,21 should be the same as "optional_no_ca"?
> - or is the correct keyword crt-ignore-err (or both :) ?
>
> Is it possible to send the client certificate to the backend server in a header
> (similar to mod_ssl +ExportCertData / nginx $ssl_client_cert):
> - I think something like:
> http-request set-header X-SSL-Client-Cert %{+Q}[ssl_c_cert]
> - AFAIK currently there's no keyword / code for this? But would it be
> possible to add a new smp_fetch_ssl_c_* function for this?
> (I might try to code it myself if this sounds reasonable?)
>
> - ssl offloading and nbproc:
> - is nbproc > 1 the recommended way to handle ssl offloading if one core
> is not able to handle the load?
> - is it possible to use stick tables with nbproc > 1:
> - for example bind-process 1-3 to ssl enabled frontends and
> bind-process 4 for backends -> is it possible to use stick tables
> on backends?
> - stick table peers with nbproc > 1?
>
> Thanks,
> -Jarno
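The process split Baptiste describes, written out as a configuration. This is an added illustration, not a configuration from this thread or from the HAProxy project: it assumes HAProxy 1.5-dev syntax, and the section names, certificate paths, port numbers, server addresses and the request-rate threshold are all hypothetical. Three processes terminate TLS and hand the clear-text request over loopback to a fourth process, which is the only one that owns the stick table. The PROXY protocol (send-proxy / accept-proxy) carries the real client address across that hop so the table keys on the client rather than on 127.0.0.1, and the client-certificate headers are set in the SSL frontend because the ssl_c_* fetches only have data where the TLS session actually terminates.

```haproxy
global
    nbproc 4
    # Assumed HAProxy 1.5-dev syntax; all names, paths, ports and
    # addresses below are hypothetical.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- TLS termination, processes 1-3 --------------------------------------
# Each of the three processes runs this frontend and its backend, so the
# frontend/backend pair stays inside one process.
frontend ft_ssl
    bind-process 1-3
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/clientca.pem verify optional
    # Export client-certificate state here, where the TLS session ends.
    # set-header replaces any same-named header the client sent, so a
    # client cannot smuggle its own X-SSL-Client-* values through.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]
    default_backend bk_to_clear

backend bk_to_clear
    bind-process 1-3
    # PROXY protocol carries the original client address across loopback.
    server clear 127.0.0.1:8080 send-proxy

# --- clear-text HTTP and stick tables, process 4 only -------------------
frontend ft_clear
    bind-process 4
    # Loopback only: anything that can reach this socket can forge both the
    # PROXY header (client address) and the X-SSL-* headers.
    bind 127.0.0.1:8080 accept-proxy
    # src is the real client address thanks to accept-proxy.
    tcp-request content track-sc1 src table bk_app
    # Hypothetical abuse threshold: more than 100 requests per 10 s.
    http-request deny if { sc1_http_req_rate gt 100 }
    default_backend bk_app

backend bk_app
    bind-process 4
    # One process owns this table, so its counters and persistence entries
    # are consistent without any peers section.
    stick-table type ip size 200k expire 30m store http_req_rate(10s)
    stick on src
    server app1 10.0.0.11:80 check
    server app2 10.0.0.12:80 check
```

Two checks worth making after deploying something like this: confirm with `ss -lnp` (or `netstat`) that port 8080 is listening on 127.0.0.1 only, since a PROXY-protocol listener reachable from elsewhere lets any peer claim any client address, and look at `show table bk_app` on the stats socket to verify that the keys are client addresses rather than 127.0.0.1, which is what you will see if send-proxy or accept-proxy is missing on either side. Jarno's peers question is not covered here; with the table confined to a single process there is nothing to synchronise within one host.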