Capture and forward extended PKI cert attributes (e.g. UPN) using haproxy

haproxyopensslpkireverse-proxy

I'm trying to pull an attribute from a client certificate in a mutual authentication scenario and set it as a HTTP header in the request to backend. See fig 1 below. 

fig1
  [user with correct certificate]
                 |
                 | 1. presents cert with normal v1 attributes
                 | has additional "extension" attributes
                 | incl. "Subject Alt Name" which contains
                 | "User Principal Name" ( UPN looks like an email addr) 
                 |
     [example.com:443 haproxy] --app1 / app2 CNAMEd to example.com 
                 |
                 | 2. read Subject Alternative Name
                 | 3. regex or parse out UPN
                 | 4. set REMOTE_USER header to be UPN
                 | 5. pass to backend(s)
                 |
       ┌------------------┬
       |                  |   
       |                  |   
       |                  |   
       |                  |   
       V                  V                 
 [app1svr:80]       [app2svr:80]

Normally, it's easy, you would just pull the attribute you want using the built in functionality like so:

frontend https
 bind *:443 name https ssl crt ./server.pem ca-file ./ca.crt verify required

 http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
 http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
 http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
 http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
 http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]

 default_backend app1svr

backend app1svr
 server app1 app1svr.example.com:80

backend app2svr
 server app2 app2svr.example.com:80

List of attributes here: https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.4

Unfortunately, missing from the list of attributes are any of the COMMON extension attributes such as:

  • Subject alternative name
    • RFC822 Name
    • Other Name
      • Principal Name
  • CRL Distribution Points

I can't seem to figure out the right way to access these attributes. Looking at the code (below line 5815) https://github.com/haproxy/haproxy/blob/master/src/ssl_sock.c it doesn't seem to be just a documentation issue.

Any thoughts here?
(possibly related issue): https://stackoverflow.com/questions/22966461/reading-an-othername-value-from-a-subjectaltname-certificate-extension

Best Answer

As HAProxy version 1.5.14 (see http://www.haproxy.org/news.html) HAProxy send the whole certificate in the ssl_c_der attribute.

So, if you put the following lines in haproxy configuration file

http-request set-header X-SSL-ClientCert-Base64          %{+Q}[ssl_c_der,base64]

then you could read the whole client certificate by reading the X-SSL-ClientCert-Base64 header.

Related Topic