snippets:haproxy

https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html

# Variant 1: client certificate optional. Clients with a valid certificate go to the
# wiki, clients without one to the helpdesk, clients whose certificate failed
# verification to an error backend that tells them why.
frontend intranet
    mode http
    bind 10.20.30.40:443 ssl crt /etc/haproxy/pem/server.pem ca-file /etc/haproxy/pem/client-chain.pem verify optional crt-ignore-err all crl-file /etc/haproxy/crl/haproxy.pem
    # ssl_c_verify is the OpenSSL verify result; 0 = OK (also when no certificate was sent, because of 'verify optional')
    use_backend ssl-error unless { ssl_c_verify 0 }
    use_backend wiki if { ssl_fc_has_crt }
    default_backend helpdesk

backend wiki
    mode http
    server wiki1 10.20.10.10:80 check
    server wiki2 10.20.10.20:80 check

# Default for clients that presented no certificate at all.
backend helpdesk
    mode http
    server helpdesk1 10.20.20.10:80 check
    server helpdesk2 10.20.20.20:80 check

# Clients whose certificate failed verification. The redirect target depends on the
# OpenSSL error code (10 = certificate expired, 23 = certificate revoked); everything
# else lands on a generic error page. The error pages themselves are excluded from
# each rule so the redirects cannot loop.
backend ssl-error
    mode http
    option http-server-close
    redirect location /certificate-expired.html if { ssl_c_verify 10 } ! { path /certificate-expired.html }
    redirect location /certificate-revoked.html if { ssl_c_verify 23 } ! { path /certificate-revoked.html }
    redirect location /other-certificate-error.html if ! { ssl_c_verify 0 } ! { path /certificate-expired.html /certificate-revoked.html /other-certificate-error.html }
    server helpdesk3 10.20.20.30:80 check

# Variant 2: client certificate required; the certificate details are forwarded to the
# backend as request headers. set-header overwrites any value a client may have sent,
# so the backend can trust these headers as long as it is reachable only via HAProxy.
frontend intranet
    mode http
    bind 10.20.30.40:443 ssl crt /etc/haproxy/pem/server.pem ca-file /etc/haproxy/pem/client-chain.pem verify required
    http-request set-header X-SSL                       %[ssl_fc]
    http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
    # %{+Q} wraps the value in double quotes (inner quotes are escaped)
    http-request set-header X-SSL-Client-SHA1           %{+Q}[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer                %{+Q}[ssl_c_i_dn]
    # notBefore/notAfter are ASN.1 UTCTime strings: YYMMDDhhmmssZ
    http-request set-header X-SSL-Client-Not-Before     %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After      %{+Q}[ssl_c_notafter]
    # example_backend is a placeholder; define it like the wiki backend above
    default_backend example_backend
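The backend behind the second frontend has to interpret those X-SSL-* headers itself. The following is an added example, not part of the wiki snippet and not HAProxy code: a small WSGI application that strips the double quotes the `%{+Q}` formatter adds, maps the `ssl_c_verify` result codes the redirect rules in the first snippet key on (OpenSSL's X509 verify error numbers, 10 = expired, 23 = revoked) to a human-readable reason, parses the `YYMMDDhhmmssZ` notAfter date, and checks the client CN against an allow-list. It assumes the backend is reachable only through HAProxy (otherwise a client could set the headers itself) and uses a constructed, hypothetical allow-list `ALLOWED_CN`.

```python
"""Consume the X-SSL-* headers set by the HAProxy frontend above.

Added example, not part of the wiki snippet. Assumptions: the backend is
reachable only through HAProxy (so clients cannot forge the headers), and
ALLOWED_CN is a hypothetical allow-list of client certificate CNs.
"""
from datetime import datetime, timezone
from wsgiref.simple_server import make_server

# OpenSSL X509 verify result codes as exposed by ssl_c_verify. Subset of
# X509_V_ERR_*; 10 and 23 are the codes the redirect rules above key on.
VERIFY_REASONS = {
    0: "ok",
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    23: "certificate revoked",
}

ALLOWED_CN = {"alice", "wiki-bot"}  # constructed allow-list, hypothetical


def unquote(value):
    """%{+Q}[...] wraps the sample in double quotes and escapes inner quotes."""
    if value is None:
        return None
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].replace('\\"', '"')
    return value


def parse_asn1_utctime(value):
    """ssl_c_notafter / ssl_c_notbefore are ASN.1 UTCTime: YYMMDDhhmmssZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def authorize(headers, now=None):
    """Return (allowed, reason, cn) for one request's headers (names case-insensitive)."""
    now = now or datetime.now(timezone.utc)
    h = {k.upper().replace("_", "-"): v for k, v in headers.items()}
    if h.get("X-SSL") != "1":
        return False, "not a TLS connection", None
    try:
        code = int(h.get("X-SSL-CLIENT-VERIFY", ""))
    except ValueError:
        return False, "missing verify result", None
    if code != 0:
        # With 'verify required' HAProxy never forwards these; kept for the
        # 'verify optional' layout and as defence in depth.
        return False, VERIFY_REASONS.get(code, "verify error %d" % code), None
    cn = unquote(h.get("X-SSL-CLIENT-CN"))
    if not cn:
        # 'verify optional' plus no certificate also yields ssl_c_verify 0
        return False, "no client certificate", None
    not_after = unquote(h.get("X-SSL-CLIENT-NOT-AFTER"))
    if not_after:
        try:
            if parse_asn1_utctime(not_after) < now:
                return False, "certificate has expired", cn
        except ValueError:
            return False, "unparseable notAfter", cn
    if cn not in ALLOWED_CN:
        return False, "subject not on allow-list", cn
    return True, "ok", cn


def app(environ, start_response):
    """Minimal WSGI app: WSGI turns X-SSL-Client-CN into HTTP_X_SSL_CLIENT_CN."""
    headers = {k[5:]: v for k, v in environ.items() if k.startswith("HTTP_")}
    allowed, reason, cn = authorize(headers)
    status = "200 OK" if allowed else "403 Forbidden"
    body = (("hello %s\n" % cn) if allowed else ("denied: %s\n" % reason)).encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Try: curl -H 'X-SSL: 1' -H 'X-SSL-Client-Verify: 0' \
    #           -H 'X-SSL-Client-CN: "alice"' http://127.0.0.1:8080/
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The date check is deliberately redundant with HAProxy's own verification; it matters when the backend is also fed by a `verify optional` frontend, or when an expired certificate was let through with `crt-ignore-err all` and the backend still wants to refuse it. The allow-list step is what turns "has a certificate from our CA" into "is a user this application accepts".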
snippets/haproxy.txt · Last modified: by allspark_cp