Bug #13022

open

HAProxy - Sub Frontends ignore Client verification CA certificates

Added by M W 3 months ago. Updated 3 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
% Done: 0%
Affected Architecture: amd64

Description

I noticed that when I create sub frontends in HAProxy and enable the "Client verification CA certificates" in them (enter a certificate), the whole thing is just ignored. On the other hand, in the main frontends the whole thing works without problems.


Files

Main Frontent 1.PNG (78.8 KB), M W, 04/04/2022 12:08 PM
Main Frontent 2.PNG (70.3 KB), M W, 04/04/2022 12:08 PM
Main Frontent 3.PNG (92.7 KB), M W, 04/04/2022 12:08 PM
Sub Frontent 2.PNG (96.8 KB), M W, 04/04/2022 12:08 PM
Sub Frontent 3.PNG (30.7 KB), M W, 04/04/2022 12:08 PM
Sub Frontent 1.PNG (84 KB), M W, 04/04/2022 12:08 PM
Actions #1

Updated by Viktor Gurov 3 months ago

  • Status changed from New to Feedback

Unable to reproduce with pfSense-pkg-haproxy-devel 0.62_9

Could you provide detailed step-by-step instructions to reproduce?

Actions #2

Updated by Jim Pingle 3 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Services to haproxy
  • Release Notes deleted (Default)
  • Affected Version deleted (2.6.x)
Actions #3

Updated by M W 3 months ago

I have taken screenshots of my settings. In principle, the Main Frontend is almost empty, since all settings are covered by the Sub Frontends. For test purposes I have only one Sub Frontend.

In the picture "Sub Frontent 1":
Yellow: ACL1
Red: ACL2
Green: ACL3
Blue: 2x an IP/domain that is authorized, 1x the domain that should be reacted to.

In the image "Sub Frontent 3":
Any certificate can be chosen, it only has to be checked if the access is extended.

I hope the description is sufficient; if something is still unclear, simply report.

Translated with www.DeepL.com/Translator (free version)

Actions #4

Updated by Viktor Gurov 3 months ago

Shared frontend certificates are saved to /var/etc/haproxy/<frontend>.crt_list,
for example:

# cat /var/etc/haproxy/frontend.crt_list
/var/etc/haproxy/frontend.pem [ ca-file /var/etc/haproxy/clientca_frontend.pem verify required] 
/var/etc/haproxy/frontend/frontend2_61c5a80ab5e85.pem [ ca-file /var/etc/haproxy/clientca_frontend2.pem verify required]

Please check.

Actions #5

Updated by M W 3 months ago

Hi, I have entered the line and received the following answer:

[2.6.0-RELEASE][____@pfsense]/var/etc/haproxy: cat <frontend>.crt_list
/var/etc/haproxy/<frontend>.pem []
/var/etc/haproxy/<frontend>/<subfrontent>_61a1646f20925.pem [ ca-file /var/etc/haproxy/clientca_<subfrontent>.pem verify required]
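
A small check for the crt_list output discussed in this thread, as an added example that is not part of the original posts or of the pfSense package: it parses crt-list lines and lists the entries that do not carry `verify required` themselves. The sample paths, suffixes and SNI name are constructed placeholders.

```python
import re

# Constructed sample mirroring the crt-list layouts quoted in this thread;
# paths, suffixes and the SNI name are placeholders, not from a real system.
SAMPLE_CRT_LIST = """\
/var/etc/haproxy/main.pem []
/var/etc/haproxy/main/sub1_0000000000000.pem [ ca-file /var/etc/haproxy/clientca_sub1.pem verify required]
/var/etc/haproxy/main/sub2_0000000000000.pem [ ca-file /var/etc/haproxy/clientca_sub2.pem verify optional] sub2.example.test
"""

# crt-list line: <crtfile> [ "[" <ssl bind options> "]" ] [ <sni filters> ]
LINE_RE = re.compile(r"^(?P<crt>\S+)(?:\s+\[(?P<opts>[^\]]*)\])?(?P<sni>.*)$")


def parse_crt_list(text):
    """Return one dict per entry: certificate path, ca-file, verify mode, SNI filters."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = LINE_RE.match(line)
        tokens = (m.group("opts") or "").split()
        opts = {}
        # Only the two options relevant to client-certificate checks are kept.
        for key, value in zip(tokens, tokens[1:]):
            if key in ("ca-file", "verify"):
                opts[key] = value
        entries.append({
            "crt": m.group("crt"),
            "ca_file": opts.get("ca-file"),
            "verify": opts.get("verify"),
            "sni": m.group("sni").split(),
        })
    return entries


def not_required(entries):
    """List (certificate, verify mode) for entries without 'verify required'.

    'unset' means the entry carries no verify option of its own, so the
    bind line's setting applies to it.
    """
    return [(e["crt"], e["verify"] or "unset")
            for e in entries if e["verify"] != "required"]


if __name__ == "__main__":
    for crt, mode in not_required(parse_crt_list(SAMPLE_CRT_LIST)):
        print(f"verify={mode:8} {crt}")
```

To run it against a real file, pass the file's contents to `parse_crt_list` in place of the constructed sample.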