Client SSL Certs for Remote Systems Administration Part 2

Recently I changed my nginx configuration to support Client Certificates to login in to services through the Web from outside my internal network. This will be broken down in to mutable parts so that it is easier to read.

If you have not created you Client Certificate see Part 1.

  • Creating Client Certificates
  • Configuring Haproxy to accept them
  • Configuring Haproxy to reverse proxy to your web applications
  • Adding your Client Certificate to your browser

Configuring Haproxy to Accept Client Certificates

This part is actually pretty easy assuming that you have ssl enabled on the connection you only need to add 3 lines.

frontend external-https
    bind *:443 ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/certs/client.crt verify optional crt-ignore-err all

Thats it.

Configuring Haproxy to reverse proxy to your web applications

Now we can configure the Reverse Proxy to validate certificates before going to the internal services.

	acl cert-acl url_beg /cerrt AND if { ssl_fc_has_crt }
	use_backend cert if cert-acl

You can also make it so that you can have another site when ssl_client is not verified like this

backend cert
    server cert-server check

Continue to the next Part 3

Show Comments