Project

General

Profile

Actions
Copy link

Bug #13022

open

HAProxy - Sub Frontends ignore Client verification CA certificates

Added by M W 12 months ago. Updated 12 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
haproxy
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
amd64

Description

I noticed that when I create sub frontends in HAProxa and enable the "Client verification CA certificates" in them (enter a certificate), the whole thing is just ignored. On the other hand, in the main frontends the whole thing works without problems.

Files

Download all files
Main Frontent 1.PNG (78.8 KB) Main Frontent 1.PNG M W, 04/04/2022 12:08 PM
Main Frontent 2.PNG (70.3 KB) Main Frontent 2.PNG M W, 04/04/2022 12:08 PM
Main Frontent 3.PNG (92.7 KB) Main Frontent 3.PNG M W, 04/04/2022 12:08 PM
Sub Frontent 2.PNG (96.8 KB) Sub Frontent 2.PNG M W, 04/04/2022 12:08 PM
Sub Frontent 3.PNG (30.7 KB) Sub Frontent 3.PNG M W, 04/04/2022 12:08 PM
Sub Frontent 1.PNG (84 KB) Sub Frontent 1.PNG M W, 04/04/2022 12:08 PM
Actions
Copy link
 #1

Updated by Viktor Gurov 12 months ago

  • Status changed from New to Feedback

Unable to reproduce with pfSense-pkg-haproxy-devel 0.62_9

Could you provide detailed step-by-step instructions to reproduce?

Actions
Copy link
 #2

Updated by Jim Pingle 12 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Services to haproxy
  • Release Notes deleted (Default)
  • Affected Version deleted (2.6.x)
Actions
Copy link
 #3

Updated by M W 12 months ago

I have taken screenshots of my settings. In principle, the Main Frontent is almost empty, since all settings are covered by the Sub Frontents. For test purposes I have only one Sub Frontent.

In the picture "Sub Frontent 1":
Yellow: ACL1
Red: ACL2
Green: ACL3
Blue: 2x an IP/domain that is authorized, 1x the domain that should be reacted to.

In the image "Sub Frontent 3":
Any certificate can be chosen, it only has to be checked if the access is extended.

I hope the description is sufficient, if something is still unclear simply report.

Translated with www.DeepL.com/Translator (free version)

Actions
Copy link
 #4

Updated by Viktor Gurov 12 months ago

Shared frontends certificates are saved to the /var/etc/haproxy/<frontend>.crt_list
for example:

# cat /var/etc/haproxy/frontend.crt_list
/var/etc/haproxy/frontend.pem [ ca-file /var/etc/haproxy/clientca_frontend.pem verify required] 
/var/etc/haproxy/frontend/frontend2_61c5a80ab5e85.pem [ ca-file /var/etc/haproxy/clientca_frontend2.pem verify required]

please check

Actions
Copy link
 #5

Updated by M W 12 months ago

Hi, I have entered the line and received the following antowrt:

[2.6.0-RELEASE][____@pfsense]/var/etc/haproxy: cat <frontend>.crt_list
/var/etc/haproxy/<frontend>.pem []
/var/etc/haproxy/<frontend>/<subfrontent>_61a1646f20925.pem [ ca-file /var/etc/haproxy/clientca_<subfrontent>.pem verify required]
Actions
Copy link

Also available in: Atom PDF