I am running haproxy in an Alpine Docker container. It is doing SSL termination for https and injecting the client DN into the X-ForwardedFor HTTP Header. But the format it uses for the client DN is not one that my application supports.
Can I change the format somehow, perhaps using openssl.cnf? People apparently change encryption algorithm settings that way. Can I change my DN format also?
This is the format that I need my certificate DN to look like in the X-ForwardedFor header. It is rather LDAP-ey.
CN=Jane Smith,OU=org1,OU=org2,O=myorg,C=AU
But haproxy is injecting a rather ASN.1 looking format
/C=AU/O=myorg/OU=org2/OU=org1/CN=Jane Smith
These are the versions of the software. They can be changed, as I am compiling haproxy from source. I can also set any flags at compilation time:
- Haproxy 2.0
- Alpine 3.10
- openssl 1.1.1
Here is what I think is the relevant part of the haproxy.cfg file.
```
frontend fe
    mode http
    # bind option is spelled no-tlsv10 (HAProxy rejects no-tls10 as an unknown keyword)
    bind *:443 ssl no-sslv3 no-tlsv10 no-tlsv11 crt /certs/mycert ca-file /certs/myca
    option forwardfor
    # overwrite any client-supplied value with the subject DN of the verified client cert
    http-request set-header X-ForwardedFor %{+Q+E}[ssl_c_s_dn]
    default_backend be

backend be
    balance source
    mode http
    server server1 IP:PORT ca-file /certs/myca crt /certs/mycert ssl verify none
```
Is there something I can do to change the format? I have tried using the documented structure like this: %{+Q+E}[ssl_c_s_dn(CN)] but the format of my certificate DNs is very disorganized. There is no way to predict how many OU, C, O, etc. there might be, and sometimes they are missing. So I don't think that is a viable solution.
I have also looked at how this question, "haproxy tls hash algorithm", customizes haproxy behavior with openssl settings. Can I do that to get the DN into a different format? If so, how? I am not sure what steps to follow. Do I need to modify openssl.cnf at compile time, or have it changed at runtime on the server? What sections and values?
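The transformation the question asks for is a pure string rewrite: OpenSSL's "oneline" DN (what `ssl_c_s_dn` emits here) lists RDNs from root to leaf separated by `/`, while the LDAP / RFC 2253 form lists them leaf to root separated by `,` and backslash-escapes the characters that are special in that syntax. The following is an added example, not code from the question or from HAProxy, showing that conversion for DNs with any number of OU, C or O entries, including missing ones and values that contain a comma or slash. The function names `parse_oneline_dn`, `escape_rfc2253_value` and `oneline_to_rfc2253` and the sample DNs are mine; the only inputs taken from the question are the two Jane Smith strings.

```python
"""Convert an OpenSSL 'oneline' DN into RFC 2253 (LDAP-style) form.

Added example (not part of the original question). The 'oneline'
format, e.g. '/C=AU/O=myorg/OU=org2/OU=org1/CN=Jane Smith', is what
HAProxy's ssl_c_s_dn sample fetch produced for the asker.
"""

# RFC 2253 section 2.4: these must be backslash-escaped inside a value.
_RFC2253_SPECIALS = ',+"\\<>;'


def parse_oneline_dn(dn):
    """Split a oneline DN into an ordered list of (type, value) pairs.

    The oneline format does not escape '/' inside values, so a segment
    without '=' is ambiguous; we treat it as the continuation of the
    previous value rather than silently dropping it.
    """
    if not dn.startswith('/'):
        raise ValueError("expected a oneline DN beginning with '/'")
    rdns = []
    for segment in dn[1:].split('/'):
        if '=' in segment:
            attr_type, _, value = segment.partition('=')
            rdns.append((attr_type, value))
        elif rdns:
            # a '/' that was part of the previous value: glue it back on
            attr_type, value = rdns[-1]
            rdns[-1] = (attr_type, value + '/' + segment)
        else:
            raise ValueError("malformed DN segment: %r" % segment)
    return rdns


def escape_rfc2253_value(value):
    """Escape a single attribute value per RFC 2253 section 2.4."""
    out = ''.join('\\' + c if c in _RFC2253_SPECIALS else c for c in value)
    # a leading space or '#' and a trailing space must also be escaped
    if value.startswith((' ', '#')):
        out = '\\' + out
    if value.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def oneline_to_rfc2253(dn):
    """'/C=AU/O=myorg/.../CN=Jane Smith' -> 'CN=Jane Smith,...,O=myorg,C=AU'.

    RFC 2253 orders RDNs most-specific first, so the list is reversed;
    every RDN present in the input is kept, however many there are.
    """
    rdns = parse_oneline_dn(dn)
    return ','.join('%s=%s' % (t, escape_rfc2253_value(v))
                    for t, v in reversed(rdns))


if __name__ == '__main__':
    # constructed sample inputs: the asker's DN, plus edge cases
    samples = [
        '/C=AU/O=myorg/OU=org2/OU=org1/CN=Jane Smith',
        '/O=Acme, Inc./CN=web',   # comma inside a value
        '/CN=a/b',                # slash inside a value
        '/CN=service',            # no C, O or OU at all
    ]
    for s in samples:
        print('%-48s -> %s' % (s, oneline_to_rfc2253(s)))
```

In HAProxy 2.0 the natural home for this logic is a Lua converter registered with `core.register_converters` and applied as `[ssl_c_s_dn,my_converter]` in the `set-header` line; that keeps the header built from the verified certificate only, and the `set-header` action still overwrites anything a client sent in `X-ForwardedFor`. Later HAProxy releases (2.2 onward, according to HAProxy's own documentation rather than the question) accept a third `rfc2253` format argument, `ssl_c_s_dn(,,rfc2253)`, which removes the need for a converter entirely. Whichever route is taken, the comma-escaping matters: without it an O value such as `Acme, Inc.` would be parsed by the application as two RDNs.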