LDom

Reputation: 5

HaProxy tls checking CN

I need to configure HAProxy to act as a reverse TLS proxy. I would like to check the CN received in the server certificate. I have several problems. First, if I write this kind of configuration, it does not work (assuming the CN is equal to the server hostname):

global
    tune.ssl.default-dh-param 4096
    log /dev/log local0 debug
    ssl-default-bind-options ssl-min-ver TLSv1.1

frontend test_ft
    mode tcp
    log global
    option tcplog
    bind 127.0.0.1:9001
    use_backend test_bk

backend test_bk
    mode tcp
    log global
    option tcplog
    acl check_cn ssl_c_s_dn(CN) -m str remote
    tcp-request content reject unless check_cn
    server remote remote:9000 check ssl crt /etc/ssl/certs/local.pem ca-file /etc/ssl/certs/rootCA.pem verify required

Requests are always blocked, even if the server certificate contains the correct CN. I have also tried:

    acl check_cn ssl_c_s_dn(CN) -m str remote
    use-server remote if check_cn
    server remote remote:9000 check ssl crt /etc/ssl/certs/local.pem ca-file /etc/ssl/certs/rootCA.pem verify required

In this case, it is the opposite: even if the server CN is not equal to "remote", the TLS connection is always OK.

Thank you for your help

Upvotes: 0

Views: 1053

Answers (1)

Aleksandar

Reputation: 2652

As far as I understand your question, you want to check the backend (bc) common name (CN) in HAProxy.

There is no fetch method for that, as you can see in the documentation under Fetching samples at Layer 5.

Maybe the fetch method ssl_f_s_dn will help you solve your problem.

Upvotes: 1
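Editor's note with an added example (this configuration is not from the question or the answer above). Two things explain the behaviour the question describes. `ssl_c_s_dn` reads the subject DN of the certificate presented by the *client* on the frontend connection, not the backend's; the `bind 127.0.0.1:9001` line has no `ssl`, so that fetch is always empty, the ACL never matches, `tcp-request content reject unless check_cn` rejects everything, and `use-server remote if check_cn` simply falls back to normal load balancing onto the only server, so the second variant always connects. The check the question wants is performed by the TLS layer itself with the `verifyhost` server option (available since HAProxy 1.5, and only effective together with `verify required`): the backend certificate must chain to `ca-file` and its CN or subjectAltName must match the given name, otherwise the handshake is aborted. Since HAProxy 2.2 there are also `ssl_s_*` fetches (for example `ssl_s_s_dn`) for the server certificate, but verifying identity in an ACL after the handshake is weaker than letting the TLS layer refuse the connection. Hostnames, ports and certificate paths below are the question's own and are assumed to be correct for the deployment; the TLS 1.2 floor is an assumed policy.

```haproxy
# Added example: reverse TLS proxy where HAProxy verifies the backend certificate
# chain and the backend's identity (CN / SAN) with "verifyhost".
global
    log /dev/log local0 debug
    tune.ssl.default-dh-param 4096
    # Applies to outgoing ("server ... ssl") connections; the original
    # ssl-default-bind-options line only affects "bind ... ssl" lines, and the
    # frontend here terminates no TLS at all. Floor is an assumed policy.
    ssl-default-server-options ssl-min-ver TLSv1.2

frontend test_ft
    mode tcp
    log global
    option tcplog
    bind 127.0.0.1:9001
    use_backend test_bk

backend test_bk
    mode tcp
    log global
    option tcplog
    # verify required  -> chain must validate against ca-file
    # verifyhost remote -> certificate CN or subjectAltName must match "remote";
    #                      a mismatch aborts the handshake, and with "check"
    #                      the server is marked DOWN (reason visible in the log)
    # sni str(remote)   -> send SNI so a virtual-hosted backend returns the
    #                      certificate for "remote" (optional)
    # crt local.pem     -> client certificate HAProxy presents to the backend
    server remote remote:9000 check ssl crt /etc/ssl/certs/local.pem ca-file /etc/ssl/certs/rootCA.pem verify required verifyhost remote sni str(remote)
```

To confirm what the backend actually presents before blaming HAProxy, the same check can be reproduced from the proxy host with OpenSSL (1.1.0 or later): `openssl s_client -connect remote:9000 -CAfile /etc/ssl/certs/rootCA.pem -verify_hostname remote -servername remote`, which reports `Verify return code: 0 (ok)` only when both the chain and the hostname match. No ACL is needed in the backend for this; the `ssl_c_s_dn`-based ACLs from the question should be removed, since they can only ever inspect a client certificate on an `ssl`-enabled `bind`.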
