HAPROXY : client certificate validation
Today at the office, the security team asked me to secure our reverse proxy by adding client certificate validation, so that only the expected client host CN is trusted.
So here is my method to verify that the client certificate CN matches the expected one:
    frontend frontend_foo
        mode tcp
        # Terminate TLS and require a client certificate issued by our CA and not on the CRL.
        # Do not add "ca-ignore-err all" / "crt-ignore-err all" here: they make HAProxy accept
        # a client certificate that fails chain or CRL validation, so any self-signed
        # certificate carrying an expected CN would get through.
        bind *:443 ssl crt /etc/ssl/certs/haproxy_reverse.proxy.company.com.pem ca-file /etc/ssl/certs/autorite_chain_haproxy.pem crl-file /etc/ssl/certs/crl-bundle_haproxy.pem verify required
        # Then only accept the expected client host names. The check runs in the frontend,
        # right after the handshake, so an unexpected client is dropped before any of its
        # bytes are forwarded to the backend (a tcp-response rule in the backend would only
        # reject once the server had already answered).
        acl cert_from_trusted_client ssl_c_s_dn(CN) -m reg ^trusted\.client\.(site1|site2)\.company\.(com|fr)$
        tcp-request inspect-delay 5s
        tcp-request content reject unless cert_from_trusted_client
        default_backend backend_foo

    backend backend_foo
        mode tcp
        option httpchk
        # The backend certificate is checked against the CA; add "verifyhost backend.company.com"
        # (or "sni") if its hostname should be checked as well.
        server srv_load01 backend.company.com:443 check ssl crt /etc/ssl/certs/haproxy_reverse.proxy.company.com.pem ca-file /etc/ssl/certs/autorite_chain_haproxy.pem verify required
With this configuration, only hosts presenting a certificate whose CN is "trusted.client.site1.company.fr", "trusted.client.site2.company.fr", "trusted.client.site1.company.com" or "trusted.client.site2.company.com" can connect to the reverse proxy.
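To check the ACL regex before rolling it out, here is an added example (not part of the original post) that mirrors the `cert_from_trusted_client` pattern in Python and runs it over a few constructed subject DNs. It assumes the slash-separated DN format (`/C=FR/O=Company/CN=host`) that `ssl_c_s_dn` returns without an argument; the `cn_from_dn`, `is_trusted_client` and `audit` helpers are mine. It also shows, with an unanchored variant, why the `^` and `$` anchors and the escaped dots matter: HAProxy's `-m reg` is a search, not a whole-string match, and is case-sensitive unless the ACL carries `-i`.

```python
import re
from typing import Optional

# The same pattern as the "cert_from_trusted_client" acl in the HAProxy config.
TRUSTED_CN = re.compile(r"^trusted\.client\.(site1|site2)\.company\.(com|fr)$")

# Unanchored variant, kept only to show what it would wrongly accept.
UNANCHORED_CN = re.compile(r"trusted\.client\.(site1|site2)\.company\.(com|fr)")


def cn_from_dn(dn: str) -> Optional[str]:
    """Return the CN attribute of a slash-separated DN, or None if absent.

    Hypothetical helper: the '/C=FR/O=Company/CN=host' form is what HAProxy's
    ssl_c_s_dn fetch returns without an argument; the acl itself uses
    ssl_c_s_dn(CN), which yields the CN value directly.
    """
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None


def is_trusted_client(dn: str, pattern: re.Pattern = TRUSTED_CN) -> bool:
    """Mirror the acl: accept only if a CN is present and the regex matches it.

    re.search is used on purpose, because HAProxy '-m reg' is a search too;
    the anchors in TRUSTED_CN are what make it a whole-CN match.
    """
    cn = cn_from_dn(dn)
    return cn is not None and pattern.search(cn) is not None


# Constructed sample subjects, not taken from any real deployment.
SAMPLE_SUBJECTS = [
    "/C=FR/O=Company/CN=trusted.client.site1.company.fr",              # expected host
    "/C=FR/O=Company/CN=trusted.client.site2.company.com",             # expected host
    "/C=FR/O=Company/CN=trusted.client.site3.company.fr",              # site not in the list
    "/C=FR/O=Company/CN=Trusted.Client.Site1.Company.FR",              # case differs; -m reg is case-sensitive without -i
    "/C=FR/O=Company/CN=other.trusted.client.site1.company.fr",        # extra prefix; only the ^ anchor rejects it
    "/C=FR/O=Company/CN=trusted.client.site1.company.fr.example.net",  # extra suffix; only the $ anchor rejects it
    "/C=FR/O=Company/CN=trustedXclientXsite1XcompanyXfr",              # would match if the dots were not escaped
    "/C=FR/O=Company",                                                  # no CN at all
]


def audit(subjects=SAMPLE_SUBJECTS):
    """Return (subject, anchored verdict, unanchored verdict) for each subject."""
    return [(s, is_trusted_client(s), is_trusted_client(s, UNANCHORED_CN)) for s in subjects]


if __name__ == "__main__":
    for subject, anchored, unanchored in audit():
        print(f"{subject:66} anchored={anchored!s:5} unanchored={unanchored}")
```

Only the first two subjects pass the anchored pattern; the prefix and suffix variants are accepted by the unanchored one, which is the mistake the anchors in the ACL prevent.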
Hope this will help someone 😛