Hi Martin,

> Hi, 
> 
> I'm trying to configure HAProxy so that on one specific domain users
> authenticate with an SSL Client certificate.
> 
> The Load Balancer has one public IP address and has a frontend
> configured which is bound to port 443:
> bind *:443 ssl crt ./haproxy/
> 
> I selected the correct backend as follows:
> use_backend secure_servers if { ssl_fc_sni secure.domain.tld ssl_fc_has_crt }
> 
> default_backend default_servers 
> 
> When changing bind to verify the ssl certificate all other ssl traffic is
> no longer allowed:
> bind *:443 ssl crt ./haproxy/ ca-file ./ca.pem verify required
> 
> A solution would be to create another frontend with an additional
> public IP address but I want to prevent this if possible.
> 
> How can I only require an SSL Client certificate on the secure.domain.tld?

You cannot, this is not currently supported.
The only workaround here is to put another proxying layer in tcp mode in
front of your current deployment, enabling you to switch to a different
backend --> second layer frontend combination according to the SNI value
(req.ssl_sni [1] in this case, since you are not using SSL termination on the
first proxy tier).

(and you could use the recently implemented abstract namespaces for 1st tier
backend -> 2nd tier frontend connection).

Regards,

Lukas
[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.5-req.ssl_sni
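The two-tier layout described in the reply, written out as an added example configuration that is not from the thread or the HAProxy project; the abns@ socket names, the inspect delay and the backend server addresses are assumptions, and the crt/ca-file paths are the ones from the question.

```haproxy
# Tier 1: TCP-mode frontend on the single public IP. It does not terminate
# TLS; it only reads the SNI from the ClientHello (req.ssl_sni) and hands the
# raw connection to the matching tier-2 frontend over an abstract namespace
# socket (abns@), so no extra IP or port is needed.
frontend tls_router
    bind *:443
    mode tcp
    # Hold the connection until the ClientHello has arrived so that
    # req.ssl_sni is populated before the routing decision is made.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # SNI is plaintext chosen by the client: it selects the tier, it does
    # not grant access. Only the verify on secure_fe enforces the client cert.
    use_backend to_secure_tier if { req.ssl_sni -i secure.domain.tld }
    default_backend to_default_tier

backend to_secure_tier
    mode tcp
    # send-proxy carries the real client address into tier 2.
    server secure_fe abns@secure_fe send-proxy

backend to_default_tier
    mode tcp
    server default_fe abns@default_fe send-proxy

# Tier 2a: the only frontend that requires a client certificate. A client
# presenting no (or an untrusted) certificate fails the handshake here
# without affecting the other domains.
frontend secure_fe
    bind abns@secure_fe accept-proxy ssl crt ./haproxy/ ca-file ./ca.pem verify required
    mode http
    default_backend secure_servers

# Tier 2b: normal TLS termination for every other SNI (and for clients that
# send no SNI at all), identical to the original single bind line.
frontend default_fe
    bind abns@default_fe accept-proxy ssl crt ./haproxy/
    mode http
    default_backend default_servers

backend secure_servers
    mode http
    server app1 10.0.0.10:8080 check   # assumed address

backend default_servers
    mode http
    server app2 10.0.0.20:8080 check   # assumed address
```

Because tier 1 routes on the client-supplied SNI, the `verify required` on secure_fe remains the only control that actually authenticates the client; a request for secure.domain.tld that reaches default_fe (for example without SNI) is served as an ordinary domain, not as the protected one, so secure_servers should only ever be reachable through secure_fe.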