I use HAProxy as the SSL termination point to identify the client-side certificate. I want to check whether the CN value in the client certificate matches a header value sent by the client. Is there a way to set an ACL if the CN value in the certificate does not match the value in the header?
Something like:
```
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
acl id_not_match hdr(client-id) -m hdr(X-SSL-Client-CN)
```
ACL files are updated when HAProxy is reloaded to read the new configuration, but it is also possible to update its contents during runtime. HAProxy Enterprise will now update the ACL contents every 60 seconds by requesting the specified URL.
ssl_fc_sni : string. This extracts the Server Name Indication TLS extension (SNI) field from an incoming connection made via an SSL/TLS transport layer and locally deciphered by haproxy. The result (when present) typically is a string matching the HTTPS host name (253 chars or less).
A sample configuration to check the CN and allow authentication based on a list:
```
frontend www-https
    ....
    # set-header overwrites any X-SSL-Client-CN the client supplied; %{+Q} wraps the CN in double quotes
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    use_backend www-backend

backend www-backend
    # entries in the list file must match the header value exactly, including the quotes added by +Q
    acl allow_users req.fhdr(X-SSL-Client-CN) -m str -f /etc/haproxy/ssl/userslist
    http-request deny if !allow_users
    ....
    server www-1 <ip>:<port> check
    server www-2 <ip>:<port> check
```
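One way to do the header-to-CN comparison the question asks for, as an added example that is not part of the original post or answer: it assumes an HAProxy version that ships the `strcmp` converter and uses placeholder certificate paths and header names.

```haproxy
frontend www-https
    # Placeholder paths. 'verify required' rejects connections without a valid client
    # certificate, so ssl_c_s_dn(cn) is never empty once a request reaches the rules below.
    bind :443 ssl crt /etc/haproxy/ssl/server.pem ca-file /etc/haproxy/ssl/ca.pem verify required

    # Keep the CN from the verified certificate in a transaction variable for the comparison
    http-request set-var(txn.client_cn) ssl_c_s_dn(cn)

    # A missing header makes the strcmp ACL evaluate to false, so test presence separately
    acl id_present   req.hdr(client-id) -m found
    # strcmp returns 0 only when the header value equals the stored CN
    acl id_not_match req.hdr(client-id),strcmp(txn.client_cn) -m int ne 0

    # Reject when the header is absent or disagrees with the certificate
    http-request deny deny_status 403 if !id_present || id_not_match

    # set-header replaces any X-SSL-Client-CN value the client sent, so the backend
    # only ever sees the CN taken from the certificate
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    default_backend www-backend
```

The separate presence check matters: an ACL whose sample fetch finds no header is simply false, so a rule written only as `if id_not_match` would let requests without a client-id header through.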