Issue with HAProxy and Exchange 2016 with certificate based authentication


I have an Exchange 2016 server as a backend that requires client certificates for accessing OWA, and HAProxy as a reverse proxy. When I try to open OWA from Exchange directly, everything is fine: I get a certificate prompt and can choose the one that I want. But when I do the same through HAProxy, I only get a certificate prompt for HAProxy and then the browser redirects me to the Exchange authentication page.
Part of my config is below.

frontend fe_exch_443
    bind    x.x.x.x:443 ssl crt /etc/ssl/certs/cert.pem ca-file /etc/ssl/certs/cert.crt verify optional crt-ignore-err all
    acl ssl_connection ssl_fc
    acl path_owa path_beg -i /owa/
    http-request deny if path_check
    http-request redirect scheme https code 301 if !{ ssl_fc }
    use_backend bk_exchange_https_owa if path_owa
    default_backend be_exch_443
backend bk_exchange_https_owa
    option httpchk GET /owa/HealthCheck.htm
    http-check expect string 200\ OK
    server  exch        x.x.x.x:443  check ssl verify none maxconn 1000 weight 10 check

Could you please help me.
Thank you.

Best Answer

It seems OK if you bypass HAProxy, so I think there may be some misconfiguration on HAProxy.

I notice you use “verify optional”. Do you want the client certificate to be mandatory? Review your configuration based on this blog: https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
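
The difference between the posted `verify optional crt-ignore-err all` and an enforced client certificate, as an added example that is not part of the original question or answer. The address, the file paths and the `X-SSL-Client-CN` header name are placeholders or assumptions; the fragment shows only what HAProxy itself enforces and makes no claim about how Exchange treats the proxied connection.

```haproxy
# Added example; x.x.x.x, the file paths and the X-SSL-Client-CN header name
# are placeholders or assumptions, not values from the post.
#
# As posted, the bind line ended with:
#   ... ca-file /etc/ssl/certs/cert.crt verify optional crt-ignore-err all
# "verify optional" lets the handshake finish with no client certificate, and
# "crt-ignore-err all" lets it finish with one that failed validation, so the
# bind line alone authenticates nobody.

frontend fe_exch_443
    mode http
    # Simplest strict form: reject the handshake unless the client presents a
    # certificate that chains to ca-file.
    #   bind x.x.x.x:443 ssl crt /etc/ssl/certs/cert.pem ca-file /etc/ssl/certs/client-ca.pem verify required
    #
    # Per-path form: keep the certificate optional at the TLS layer and
    # enforce it in HTTP rules, only for /owa/.
    bind x.x.x.x:443 ssl crt /etc/ssl/certs/cert.pem ca-file /etc/ssl/certs/client-ca.pem verify optional crt-ignore-err all

    acl path_owa path_beg -i /owa/
    # True when a client certificate was presented on this TLS session.
    acl cert_sent ssl_c_used
    # True when validation against ca-file returned no error (error id 0).
    acl cert_valid ssl_c_verify 0

    http-request deny if path_owa !cert_sent
    http-request deny if path_owa !cert_valid

    # Never trust a client-supplied copy of the identity header.
    http-request del-header X-SSL-Client-CN
    # Pass the verified subject CN on, for a backend written to read it.
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] if cert_sent cert_valid

    use_backend bk_exchange_https_owa if path_owa

backend bk_exchange_https_owa
    mode http
    # HAProxy to the server is a second, separate TLS session. "verify none"
    # (as posted) skips checking the server certificate; this line checks it
    # against a CA file (placeholder path).
    server exch x.x.x.x:443 check ssl verify required ca-file /etc/ssl/certs/backend-ca.pem maxconn 1000 weight 10
```

Because the `bind ... ssl` line terminates TLS at HAProxy, the client certificate is presented to HAProxy, which matches the single prompt described in the question.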