Recently I changed my nginx configuration to support Client Certificates, so that I can log in to services over the Web from outside my internal network. This will be broken down into multiple parts so that it is easier to read.
If you have not created your Client Certificate yet, see Part 1.
- Creating Client Certificates
- Configuring Haproxy to accept them
- Configuring Haproxy to reverse proxy to your web applications
- Adding your Client Certificate to your browser
Configuring Haproxy to Accept Client Certificates
This part is actually pretty easy. Assuming that you already have SSL enabled on the frontend, you only need to add the 3 options (ca-file, verify, crt-ignore-err) shown on the bind line:
frontend external-https
    bind *:443 ssl crt /etc/haproxy/certs/generalzero.org.pem ca-file /etc/haproxy/certs/client.crt verify optional crt-ignore-err all
That's it.
Configuring Haproxy to reverse proxy to your web applications
Now we can configure the reverse proxy to check for a client certificate before sending the request on to the internal service. HAProxy does not accept "AND" or a second "if" inside an acl line; the certificate condition goes on the use_backend line (here as an anonymous ACL in braces) and both conditions are combined with a space, which means logical AND:
    acl cert-acl url_beg /cerrt
    use_backend cert if cert-acl { ssl_fc_has_crt }
You can also set it up so that a different site is served when the client certificate is not verified. The backend that the certificate-protected requests are sent to looks like this:
backend cert
    server cert-server 127.0.0.1:8181 check
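The following is a complete frontend/backend configuration that I have put together as an added example; it is not the configuration from the post. It combines the bind line above with the routing rules, and it also shows the "different site when the certificate is not verified" case described above by sending unverified clients to a separate public backend. One point worth understanding: because the bind line uses "crt-ignore-err all", a client certificate that fails validation against the CA in client.crt still completes the TLS handshake, so "ssl_fc_has_crt" only tells you that some certificate was presented. The example therefore also checks "ssl_c_verify 0", which is true only when the certificate actually chained to the configured CA. The path check uses path_beg rather than the older url_beg alias, the public backend on port 8080 and the X-SSL-Client-* header names are my own choices, and the certificate paths are the ones from the post.

```haproxy
frontend external-https
    # Bind line from the post: accept an optional client certificate signed by
    # the CA in client.crt, and keep the handshake going even on verify errors.
    bind *:443 ssl crt /etc/haproxy/certs/generalzero.org.pem ca-file /etc/haproxy/certs/client.crt verify optional crt-ignore-err all

    # Request path that should require a client certificate (path from the post)
    acl cert-path   path_beg /cerrt
    # A certificate was presented during the handshake (valid or not)
    acl has-cert    ssl_fc_has_crt
    # The presented certificate verified against the CA given in ca-file
    acl cert-valid  ssl_c_verify 0

    # Hand the verification result and subject DN to the backend for auditing
    # (header names are an assumption for this example)
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %[ssl_c_s_dn]

    # Only a presented AND verified certificate reaches the protected backend;
    # conditions separated by spaces are ANDed
    use_backend cert if cert-path has-cert cert-valid

    # Everyone else (no certificate, or one that failed verification) gets the
    # public site instead of the protected service
    default_backend public

backend cert
    server cert-server 127.0.0.1:8181 check

backend public
    # Assumed port for the public site in this example
    server public-server 127.0.0.1:8080 check
```

Check the file with "haproxy -c -f /etc/haproxy/haproxy.cfg" before reloading, then test from outside with "curl --cert client.crt --key client.key https://generalzero.org/cerrt" and again without the --cert/--key options; the first request should reach the cert backend and the second should land on the public backend.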
Continue to Part 3.