Hi all,

I have a haproxy 1.8.27 instance in HTTP mode that uses TLS mutual
authentication and adds the client certificate in base64 format as an
X-ClientCert header in the backend section using:
   http-request set-header X-ClientCert %{+Q}[ssl_c_der,base64]
I am logging the client certificate DN using
{%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%[ssl_fc_is_resumed]} and I can confirm
that the request is using client authentication. However, for some
requests, the header X-ClientCert appears to be missing on the application
(backend) side which logs all received headers for such situations. I do
see the X-ForwardedFor header added by haproxy, but not X-ClientCert. The
situation is puzzling because I have other requests with the same
certificate for the same URL that work correctly. I would like to add
debugging information either by logging a few bytes of the X-ClientCert
header added by haproxy or at least log the total request in bytes as
received on the frontend as well as the size before the request is sent to
the backend server (i.e. after the headers are added, as the certificate
size is significant, around 2.2KB).
Do you have any ideas what might cause the problem and how to debug it? I
would have expected an error if the header length that can be processed by
haproxy or backend application is exceeded.

Best regards,
Radu
