On Fri, Feb 17, 2017 at 07:20:14PM -0500, Sam Crowell wrote:
> Thanks for the response Daniel.  What is the best way to handle SSL traffic
> through a load balancer to maintain original client certificates?  Just use
> mode TCP and passthrough?  Is there a way to do that without turning off
> hostname verifier at the client level?

If you want to transfer client certificates to the server, you have to
pass them in HTTP headers or using the proxy protocol for non-HTTP
services. This means that you'll rely on haproxy to validate these
client certs using the CA and possibly CRL though.

There's a good example here:

   https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html

Hoping this helps,
Willy
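
The header approach described in the reply above, as an added example that is not part of the original message or the linked tutorial: haproxy terminates TLS, validates the client certificate against a CA and CRL, and forwards the result to the backend in HTTP headers. File paths, header names, section names and the backend address are assumptions chosen for illustration.

```haproxy
# Added example; all paths, names and addresses below are placeholders.
frontend fe_tls
    mode http
    # haproxy terminates TLS and validates the client certificate itself:
    # ca-file is the issuing CA, crl-file the revocation list, and
    # "verify required" rejects handshakes without a valid client cert.
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/client-ca.pem crl-file /etc/haproxy/client-crl.pem verify required

    # set-header replaces any header of the same name sent by the client,
    # so the backend only ever sees values derived from the verified cert.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN     %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-SHA1   %[ssl_c_sha1,hex]

    default_backend be_app

backend be_app
    mode http
    # The backend trusts these headers, so it must accept connections
    # only from haproxy (firewall rule or bind to a private interface).
    server app1 192.0.2.10:8080
```

Because the backend no longer sees the TLS handshake, its trust in the client identity rests entirely on these headers and on haproxy being the only path to it.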
