HAProxy - Sub Frontends ignore Client verification CA certificates
I noticed that when I create sub frontends in HAProxy and enable the "Client verification CA certificates" in them (enter a certificate), the whole thing is just ignored. On the other hand, in the main frontends the whole thing works without problems.
- File Main Frontent 1.PNG added
- File Main Frontent 2.PNG added
- File Main Frontent 3.PNG added
- File Sub Frontent 1.PNG added
- File Sub Frontent 2.PNG added
- File Sub Frontent 3.PNG added
I have taken screenshots of my settings. In principle, the main frontend is almost empty, since all settings are covered by the sub frontends. For test purposes I have only one sub frontend.
In the picture "Sub Frontent 1":
Blue: 2x an IP/domain that is authorized, 1x the domain that should be reacted to.
In the image "Sub Frontent 3":
Any certificate can be chosen, it only has to be checked if the access is extended.
I hope the description is sufficient; if something is still unclear, simply report it.
Updated by Viktor Gurov 3 months ago
Shared frontends certificates are saved to the
# cat /var/etc/haproxy/frontend.crt_list
/var/etc/haproxy/frontend.pem [ ca-file /var/etc/haproxy/clientca_frontend.pem verify required]
/var/etc/haproxy/frontend/frontend2_61c5a80ab5e85.pem [ ca-file /var/etc/haproxy/clientca_frontend2.pem verify required]
Hi, I have entered the line and received the following answer:
[2.6.0-RELEASE][____@pfsense]/var/etc/haproxy: cat <frontend>.crt_list
/var/etc/haproxy/<frontend>.pem
/var/etc/haproxy/<frontend>/<subfrontent>_61a1646f20925.pem [ ca-file /var/etc/haproxy/clientca_<subfrontent>.pem verify required]
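The two listings above are compared by eye; the same check can be scripted. This is an added example, not part of the ticket or of the pfSense HAProxy package: it reads a crt-list and reports, per certificate entry, the `verify` mode and `ca-file` found in the bracketed options. The function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a HAProxy crt-list for per-certificate client verification.
# Entry layout as shown in the ticket: <crtfile> [ <ssl bind options> ]

audit_crt_list() {
    # $1: path to a crt-list. Prints "<crtfile> <verify-mode> <ca-file>" per entry.
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        crt = $1; verify = "none"; ca = "-"
        s = index($0, "["); e = index($0, "]")
        if (s > 0 && e > s) {
            # Tokenise only the text between the brackets
            n = split(substr($0, s + 1, e - s - 1), opt, " ")
            for (i = 1; i < n; i++) {
                if (opt[i] == "verify")  verify = opt[i + 1]
                if (opt[i] == "ca-file") ca = opt[i + 1]
            }
        }
        print crt, verify, ca
    }' "$1"
}

unverified_entries() {
    # Certificates for which a client certificate is not mandatory
    audit_crt_list "$1" | awk '$2 != "required" { print $1 }'
}

write_sample() {
    # Constructed sample: one entry without options, one with client verification
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real system
/var/etc/haproxy/main.pem
/var/etc/haproxy/main/sub_example.pem [ ca-file /var/etc/haproxy/clientca_sub.pem verify required]
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_crt_list "$tmp"
echo "entries without mandatory client certificate:"
unverified_entries "$tmp"
rm -f "$tmp"
```

Run against the generated file, for example `audit_crt_list /var/etc/haproxy/<frontend>.crt_list`, any entry reported as `none` accepts connections without a client certificate.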