Channel: Serverphorums.com - HAProxy

HAProxy setup (2 replies)

Hi,

I am looking for a solution on how to set up HAProxy and Tomcat with SSL
termination + passing the client certificate to the backend Tomcat.

At the moment we use Apache for SSL termination and proxy balancer to point
to the Tomcat AJP port.
The application on Tomcat needs the client certificate in order to allow
logging in.

I have been trying various setups but nothing seems to work.
At the moment I have something like this:
frontend https-c-in
    mode http
    bind 192.168.0.10:443 name https ssl crt /etc/ssl/ljvfep.pem ca-file /etc/ssl/CA.pem verify required

    ###########################################################################################
    http-request set-header X-SSL %[ssl_fc]
    http-request add-header Client-Cert %[ssl_c_der,base64]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]

    ###########################################################################################
    default_backend c-https

backend c-https
    mode http
    balance roundrobin
    cookie SERVERID insert nocache
    server ljvfep4 192.168.0.10:20443 check inter 2000 rise 2 fall 2
    server ljvfep3 192.168.0.11:20443 check inter 2000 rise 2 fall 2


This would give me a 502 bad gateway error. If I access the Tomcat directly
all works as expected.
Any suggestions?


Kr,
Milos
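
An added example, not part of the original post and not HAProxy's own tooling: a small Python check over the frontend above that flags TLS-derived request headers written with add-header (which leaves in place any copy the client sent, where set-header removes it first) and a bind line without verify required. The function name audit_frontend and the abridged sample text are assumptions made for this example.

```python
import re

# Frontend from the post, abridged, with its mail-wrapped lines rejoined.
SAMPLE = """\
frontend https-c-in
    mode http
    bind 192.168.0.10:443 name https ssl crt /etc/ssl/ljvfep.pem ca-file /etc/ssl/CA.pem verify required
    http-request set-header X-SSL %[ssl_fc]
    http-request add-header Client-Cert %[ssl_c_der,base64]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    default_backend c-https
"""

HEADER_RULE = re.compile(r"^http-request\s+(set-header|add-header)\s+(\S+)\s+(.+)$")
TLS_FETCH = re.compile(r"\bssl_f?c\w*")   # ssl_fc, ssl_c_der, ssl_c_s_dn, ...
VERIFY = re.compile(r"\bverify\s+(\w+)")


def audit_frontend(config_text):
    """Return (line_no, message) findings for TLS-derived header forwarding."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        words = line.split()
        if words[:1] == ["bind"] and "ssl" in words:
            m = VERIFY.search(line)
            mode = m.group(1) if m else "not set"
            if mode != "required":
                findings.append((no, f"bind: verify is {mode}, so a handshake "
                                     "without a client certificate is accepted"))
            continue
        m = HEADER_RULE.match(line)
        if m and TLS_FETCH.search(m.group(3)) and m.group(1) == "add-header":
            # add-header appends; set-header first removes any copy the client sent.
            findings.append((no, f"{m.group(2)}: add-header keeps a client-sent "
                                 f"{m.group(2)} header; use set-header"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_frontend(SAMPLE):
        print(f"line {no}: {msg}")
```

On the sample it reports only the Client-Cert line; the other headers already use set-header.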
