I have a web API fronted by an HAProxy load balancer. The web API uses client authentication certificates for identity authentication and authorization. I'd like the HAProxy appliance to terminate the TLS connection and use normal HTTP on the backend to talk to the web API, but I need the client authentication certificate passed through over the HTTP connection. How does HAProxy need to be set up to keep the authentication certificate on the request out the backend, but using HTTP only?
Forward Client Authentication Certificate Through HAProxy
certificate, client-certificate, haproxy
Best Answer
You can set various HTTP headers to be sent to the backend regarding the TLS client certificate that was presented. For example:
Your application must then examine the headers and take appropriate action.
This example was taken from raymii.org, where you may find some additional useful information about using client certificates with HAProxy, such as validating the client certificate and rejecting invalid certificates.
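
One way to configure what the answer describes, added here as an example and not taken from the answer or from raymii.org: HAProxy terminates TLS, requires a client certificate, and forwards its details to a plain-HTTP backend as request headers. The certificate paths, the backend address and the `X-SSL-Client-*` header names are assumptions.

```haproxy
# Added example: paths, addresses and X-SSL-Client-* header names are assumptions.
frontend api_https
    mode http
    # Terminate TLS here and require a client certificate issued by the given CA.
    bind :443 ssl crt /etc/haproxy/certs/api.pem ca-file /etc/haproxy/certs/client-ca.pem verify required

    # set-header first removes any header of the same name sent by the client,
    # so a caller cannot supply its own X-SSL-Client-* values.
    # ssl_c_verify is 0 when certificate verification succeeded.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN     %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-Issuer %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-SHA1   %[ssl_c_sha1,hex]
    # Full certificate (DER, then base64) for applications that parse it themselves.
    http-request set-header X-SSL-Client-Cert   %[ssl_c_der,base64]

    default_backend api_http

backend api_http
    mode http
    # Plain HTTP to the web API. The API trusts these headers for identity,
    # so it should accept connections only from HAProxy.
    server api1 192.0.2.10:8080 check
```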