I would just like to know if it is possible to define an ACL by the CN of the backend server. So if a client connects to my proxy, everything is fine and the connection will go to the backend. But there I want to check if the CN of the server's cert is in a list. `ssl_c_i_dn(CN)` - this fetch method is the right thing I need, but unfortunately for the cert of the client…

I hope you can help me!

Rivest
  • Yes, it is: https://stackoverflow.com/questions/43478293/haproxy-acl-to-compare-values-in-the-headers – Koubas Mar 05 '18 at 10:37
  • Thanks for your fast reply! I think I am a bit confused. In this post he also checks the client's CN, or? Otherwise I am asking myself what CN a client should have? – Rivest Mar 05 '18 at 11:28
  • Sorry, I was reading too quickly, I missed you wanted to validate >backend< cert (no reputation to comment) – Koubas Mar 05 '18 at 11:58
  • You're trying to authenticate the back-end server, correct? That is the `verify required` option, and you need the server's cert (not the key) or an appropriate upstream cert in a `ca-file`. Checking the CN isn't sufficient. Please confirm what you're trying to accomplish. – Michael - sqlbot Mar 05 '18 at 15:56
  • Finally, I just want to check where the client wants to connect via HTTPS. My further aim is to create a whitelist or blacklist of domains (including wildcards). – Rivest Mar 05 '18 at 16:10

0 Answers