HAProxy Enterprise Documentation 2.1r1

Client Certificate Authentication

Client certificate authentication means that the client sends a certificate when it connects over TLS, and the load balancer establishes the client's identity from that certificate. Typically, client certificates are signed by your organization's CA. When a client presents one, the load balancer checks that it was indeed signed by your CA and rejects the connection if it was not. Because a valid signature only proves that the CA issued the certificate, you would issue a unique certificate to each client you want to grant access to, so that the certificate's subject (or serial number) identifies which client is connecting and can be used for access decisions and for revocation.

Enable verification of client certificates by setting verify to required on a bind line. The ca-file parameter specifies the CA certificate (or bundle) used to verify the chain of the certificate the client presents. A client that presents no certificate, or one that is not signed by that CA, is rejected during the TLS handshake, before any HTTP request is processed:

frontend www
   bind :443 ssl crt /etc/hapee-2.1/certs/ssl.pem verify required ca-file /etc/hapee-2.1/certs/ca.crt

HAProxy Enterprise can also present its own client certificate to backend servers, which are then responsible for verifying it. On a server line, the crt parameter points to the client certificate (with its private key) that the load balancer sends, while verify required and ca-file control the other direction of the exchange: they make the load balancer verify the backend server's certificate against the given CA. Together the two give you mutual TLS between the load balancer and the server:

backend webservers
  server web1 ssl verify required ca-file /etc/hapee-2.1/myca.pem crt /etc/hapee-2.1/client.pem
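The following configuration is an added example (not from the HAProxy Enterprise documentation) that puts both halves of the page together: it verifies client certificates on the frontend, restricts access to the specific clients you issued certificates to rather than to anything the CA ever signed, forwards the client identity to the backend, and uses mutual TLS toward the backend server. All file paths, the allow-list file, the IP address and the hostname web1.internal are assumed placeholders; the crl-file, verifyhost and sni parameters and the ssl_c_* fetches are standard HAProxy directives.

```haproxy
# Added example, not part of the HAProxy Enterprise documentation.
# Paths, addresses, hostnames and the allow-list file are assumed placeholders.

frontend www
    # verify required: the handshake fails unless the client presents a
    # certificate signed by ca-file. crl-file additionally rejects certificates
    # you have revoked, which a signature check alone does not catch.
    bind :443 ssl crt /etc/hapee-2.1/certs/ssl.pem verify required ca-file /etc/hapee-2.1/certs/ca.crt crl-file /etc/hapee-2.1/certs/ca.crl

    # A valid chain only proves your CA issued the certificate. Authorize the
    # specific client: the subject CN must appear in the allow-list file
    # (one CN per line, assumed to exist at this path).
    acl allowed_client ssl_c_s_dn(CN) -m str -f /etc/hapee-2.1/allowed-clients.lst
    http-request deny deny_status 403 unless allowed_client

    # Pass the verified identity to the backend. set-header overwrites any
    # value the client may have sent in these headers, so the backend can trust
    # them as long as it is only reachable through the load balancer.
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(CN)]
    http-request set-header X-SSL-Client-Serial %[ssl_c_serial,hex]

    default_backend webservers

frontend www_optional
    # Weak form: with "verify optional" a client that presents no certificate
    # still completes the handshake. Without an explicit check, every request
    # is let through. Deny at the HTTP layer unless a certificate was used and
    # verified, which also returns a 403 instead of a bare TLS alert.
    bind :8443 ssl crt /etc/hapee-2.1/certs/ssl.pem verify optional ca-file /etc/hapee-2.1/certs/ca.crt
    http-request deny deny_status 403 unless { ssl_c_used } { ssl_c_verify 0 }
    default_backend webservers

backend webservers
    # ca-file and verify required here verify the *server's* certificate;
    # verifyhost pins the expected name and sni sends it in the handshake.
    # crt is the client certificate (plus key) the load balancer presents,
    # which the server verifies on its side.
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/hapee-2.1/myca.pem verifyhost web1.internal sni str(web1.internal) crt /etc/hapee-2.1/client.pem
```

To test the frontend from a client machine, connect with a certificate issued by the CA, for example openssl s_client -connect host:443 -cert client.pem -key client.key -CAfile ca.crt, and confirm that omitting -cert, using a certificate from another CA, or using a revoked one is refused, and that a valid certificate whose CN is not in the allow list receives a 403.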
