haproxy

Send request with self-signed certificates to backend

The Haproxy documentation (http://cbonte.github.io/haproxy-dconv/1.7/intro.html#3.3.2) lists as a basic feature:

authentication with the backend server lets the backend server know it's really the expected haproxy node that is connecting to it

I have been attempting to do just that and have been unable to. So here's the question:

How do I send a request off to a backend with self-signed certificates for authentication? The front-end request that uses this backend is just http.

Here's my haproxy.cfg file:

global
    maxconn 4096
    daemon
    log 127.0.0.1 local0

defaults
    log     global
    option  dontlognull
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5s
    timeout client  15min
    timeout server  15min

frontend public
    bind *:8213
    use_backend api if { path_beg /api/ }
    default_backend web

backend web
    mode http
    server blogweb1 127.0.0.1:4000

backend api
    mode tcp
    acl clienthello req.ssl_hello_type 1

    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    server blogapi  127.0.0.1:8780

Solution

  • I eventually got this to start working. I believe what was throwing me off was the fact that after doing a haproxy -f <configFile> -st it didn't actually close the process like I thought it would, so none of my changes/updates took. I ran kill -9 on the tens of haproxy processes and reran the command (haproxy -f ) and now it's working.

    Now, this is a hypothesis, albeit one I am very confident in. I will still present my final configuration just in case someone will glean something from here. I used https://www.haproxy.com/doc/aloha/7.0/deployment_guides/tls_layouts.html. That link answers the question I had of "how do you authenticate to the backend using ssl", like the docs say you can.

    global
        maxconn 4096
        daemon
        log 127.0.0.1 local0
    
    defaults
        log     global
        option  dontlognull
        retries 3
        option redispatch
        maxconn 2000
        timeout connect 5s
        timeout client  15min
        timeout server  15min
    
    frontend public
        bind *:443
        mode http
        use_backend api if { path_beg /api/ }
    
    backend api
        mode http
        option httplog
        server blogapi  127.0.0.1:4430 ssl ca-file <caFile.Pem> crt <clientCert.pem> verify required
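The answer above leaves the three PEM files as placeholders. As an added example (not part of the original question or answer, and not HAProxy project code), the script below builds a throwaway CA, a server certificate for the backend and a client certificate for the HAProxy node, concatenates the client certificate and key into the single PEM file that HAProxy's crt option expects, and writes an haproxy.cfg using verify required plus verifyhost. The directory, hostname and port are assumptions. It also shows the two checks worth running before a reload: that both leaf certificates actually chain to ca.pem, and that haproxy -c accepts the config.

```shell
#!/bin/sh
# Added example: private CA + backend server cert + HAProxy client cert, and a
# haproxy.cfg that authenticates to the backend with that client cert.
# All names, paths and ports here are assumptions for the demo, not from the post.
set -eu

WORKDIR="${WORKDIR:-$PWD/pki-demo}"      # assumed output directory
BACKEND_HOST="api.internal.example"      # assumed backend hostname, must match the SAN

make_pki() {
    mkdir -p "$WORKDIR"
    # 1. A private CA; both HAProxy and the backend will trust only this CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" -subj "/CN=demo-ca" 2>/dev/null
    # 2. Backend server certificate. The SAN is what HAProxy's verifyhost compares against;
    #    without verifyhost any certificate issued by the CA would be accepted.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/server.key" \
        -out "$WORKDIR/server.csr" -subj "/CN=$BACKEND_HOST" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$BACKEND_HOST" > "$WORKDIR/server.ext"
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.pem" 2>/dev/null
    # 3. Client certificate that the HAProxy node presents to the backend.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/haproxy-client.key" \
        -out "$WORKDIR/haproxy-client.csr" -subj "/CN=haproxy-node-1" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/haproxy-client.csr" -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -days 30 -out "$WORKDIR/haproxy-client.crt" 2>/dev/null
    # HAProxy's "crt" option wants certificate AND private key in one PEM file.
    cat "$WORKDIR/haproxy-client.crt" "$WORKDIR/haproxy-client.key" > "$WORKDIR/haproxy-client.pem"
    chmod 600 "$WORKDIR/haproxy-client.pem" "$WORKDIR"/*.key
}

write_config() {
    cat > "$WORKDIR/haproxy.cfg" <<EOF
global
    daemon
    log 127.0.0.1 local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  15m
    timeout server  15m

frontend public
    bind *:8213
    use_backend api if { path_beg /api/ }

backend api
    # verify required : refuse the connection if the backend cert does not chain to ca-file
    # verifyhost      : also require the cert to be for this name, not just any cert from the CA
    # crt             : client cert + key presented to the backend so it can authenticate HAProxy
    server blogapi 127.0.0.1:4430 ssl ca-file $WORKDIR/ca.pem crt $WORKDIR/haproxy-client.pem verify required verifyhost $BACKEND_HOST
EOF
}

check_chain() {
    # What the TLS handshake will enforce on each side: both leaves must chain to the CA.
    openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server.pem" >/dev/null &&
    openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/haproxy-client.crt" >/dev/null
}

check_bundle() {
    # A crt file with only the certificate (no key) is the classic mistake; catch it here.
    grep -q 'BEGIN CERTIFICATE' "$WORKDIR/haproxy-client.pem" &&
    grep -q 'PRIVATE KEY' "$WORKDIR/haproxy-client.pem"
}

check_config() {
    # -c only parses and validates; it starts nothing. Run it before every reload.
    # Note for reloads: -sf and -st take the OLD process PIDs as arguments; a bare -st stops nothing.
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$WORKDIR/haproxy.cfg" >/dev/null
    else
        echo "haproxy not installed; skipping haproxy -c" >&2
    fi
}

main() {
    make_pki
    write_config
    check_bundle
    check_chain
    check_config
    echo "PKI and haproxy.cfg written to $WORKDIR"
}

main
```

The config above only covers HAProxy's side of the mutual authentication. For the backend on 127.0.0.1:4430 to actually authenticate the proxy, it must be configured to serve server.pem/server.key and to require a client certificate chaining to ca.pem; how that is done depends on the backend software and is not shown on this page.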