
HAProxy - Forwarding Client Certificate to backend HashiCorp Vault servers

I've been trying for about a week to set up a HashiCorp Vault environment, but have gotten stuck on the last part: HAProxy, as I am unable to forward my Client Certificate to my backend.

My current setup on the HAProxy is this:

frontend vaultfrontend
        mode http
        bind *:8200 ssl crt /home/administrator/tls.crt verify none
        redirect scheme https code 301 if !{ ssl_fc }
        default_backend vaultbackend
backend vaultbackend
        mode http
        timeout check 5s

        option httpchk
        http-check connect ssl
        http-check send meth GET uri /v1/sys/health
        http-check expect status 200

        server a.vault a.vault.test.local:8200 ssl verify none check
        server b.vault b.vault.test.local:8200 ssl verify none check
        server c.vault c.vault.test.local:8200 ssl verify none check

My backend Vault servers are running SSL with Windows CA-signed certificates, and work just fine through their respective URLs. The HAProxy has a signed certificate allowing people to connect to it via this URL: https://vault.test.local:8200, which works as expected.

The issue arises when I try to access the Vaults via HashiCorp Vault's Cert Auth authentication method. Whenever I try to authenticate via https://vault.test.local:8200, which is the HAProxy, I get an error message saying there's a lack of Client Certificate in the request: {"errors":["client certificate must be supplied"]}

It however works perfectly fine if I directly target my Vault servers instead.

I've tried to edit the config to include this: http-request set-header X-Client-Cert %{+Q}[ssl_c_der,base64] with different variations, but it changes nothing. It really seems to me like HAProxy, for whatever reason, will not take my X-Client-Certificate being sent from my VaultSharp application (C#) and forward it.

Does anyone have a setup like this that works, or at least have any idea what the issue might be?


  • I finally got it solved. The issue is that performing SSL termination with HAProxy will always cause a Client Certificate to get lost (at least from all the things I ended up trying...).

    The solution is to do SSL passthrough instead, and the Client Certificate will be read by the Vault environment correctly.

    It would look something like this:

    frontend vaultfrontend
            mode tcp
            # No "ssl crt" on the bind: the TLS session is not terminated here, so the
            # client's certificate stays inside the handshake that reaches Vault.
            # A "redirect scheme https" rule is an HTTP-mode directive and has no
            # effect in mode tcp, so it is left out.
            bind *:8200
            default_backend vaultbackend
    backend vaultbackend
            mode tcp
            timeout check 5s
            # Health checks open their own connections and may still speak HTTPS to Vault.
            option httpchk
            http-check connect ssl
            http-check send meth GET uri /v1/sys/health
            http-check expect status 200
            # No "ssl verify none" on the server lines: with "ssl" set, HAProxy would open
            # a second TLS session to Vault and tunnel the client's TLS handshake inside it,
            # which Vault cannot parse. Passthrough means relaying the client's bytes as-is.
            server a.vault a.vault.test.local:8200 check
            server b.vault b.vault.test.local:8200 check
            server c.vault c.vault.test.local:8200 check
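Why passthrough keeps the client certificate while termination loses it can be shown with a small loopback model. The Go program below is an added example, not code from this thread, from HAProxy or from Vault: it starts a TLS "backend" that requests a client certificate and answers each connection with the CommonName it actually received, then connects to it through a plain TCP relay (the mode tcp passthrough above) and through a terminating relay (the bind ... ssl crt ... verify none plus server ... ssl shape of the question). The certificates, the names vault.test.local and vault-client, the loopback addresses and the InsecureSkipVerify setting are constructed for the demo only; a real deployment uses CA-issued certificates and validates them.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned mints a throwaway self-signed certificate for cn (constructed test material only).
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve runs an accept loop, one goroutine per connection, and returns the listen address.
func serve(ln net.Listener, handle func(net.Conn)) string {
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go handle(c)
		}
	}()
	return ln.Addr().String()
}

// startBackend plays the Vault listener: it asks for a client certificate and answers with the CN it received.
func startBackend(cert tls.Certificate) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequestClientCert})
	check(err)
	return serve(ln, func(c net.Conn) {
		defer c.Close()
		tc, cn := c.(*tls.Conn), "" // empty line back means: no client certificate on this TLS session
		if tc.Handshake() == nil && len(tc.ConnectionState().PeerCertificates) > 0 {
			cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		tc.Write([]byte(cn + "\n"))
	})
}

// proxy relays client connections to backend. With terminateWith == nil it models HAProxy "mode tcp"
// with plain server lines: the client's TLS handshake, certificate included, reaches the backend intact.
// With a certificate it models "bind ... ssl crt ... verify none" (ClientAuth stays NoClientCert) plus
// "server ... ssl": the client's session ends here and a new one, with no client key, goes to the backend.
func proxy(backend string, terminateWith *tls.Certificate) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	dial := func() (net.Conn, error) { return net.Dial("tcp", backend) }
	if terminateWith != nil {
		ln = tls.NewListener(ln, &tls.Config{Certificates: []tls.Certificate{*terminateWith}})
		dial = func() (net.Conn, error) { return tls.Dial("tcp", backend, &tls.Config{InsecureSkipVerify: true}) }
	}
	return serve(ln, func(c net.Conn) {
		defer c.Close()
		if b, err := dial(); err == nil {
			defer b.Close()
			go io.Copy(b, c)
			io.Copy(c, b) // bytes both ways until one side closes: all that "mode tcp" does
		}
	})
}

// cnSeenVia connects to addr presenting clientCert and returns the CN the backend reported.
func cnSeenVia(addr string, clientCert tls.Certificate) string {
	c, err := tls.Dial("tcp", addr, &tls.Config{Certificates: []tls.Certificate{clientCert}, InsecureSkipVerify: true})
	check(err) // InsecureSkipVerify is for this loopback demo only, never for production
	defer c.Close()
	line, err := bufio.NewReader(c).ReadString('\n')
	check(err)
	return line[:len(line)-1]
}

// Demo sends the same client certificate through both proxies and returns what the backend saw.
func Demo() (viaPassthrough, viaTermination string) {
	server, client := selfSigned("vault.test.local"), selfSigned("vault-client")
	backend := startBackend(server)
	return cnSeenVia(proxy(backend, nil), client), cnSeenVia(proxy(backend, &server), client)
}
```

Calling Demo() (from a main or a test) returns "vault-client" for the passthrough path and an empty string for the terminating path, even though the client presented the same certificate both times. The result would be the same with verify required on the bind line: HAProxy can validate the client's certificate, but it does not hold the client's private key, so it cannot present that certificate on its own TLS session to Vault, and a base64 copy of the DER in an X-Client-Cert header is not a TLS client certificate either. What you give up with mode tcp is everything HTTP-level (header rewriting, path-based routing, X-Forwarded-For); the client certificate can only be authenticated by the endpoint that terminates the TLS session.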