Client Certificates on a Frontend

Snapt Balancer supports client certificate authentication. You can also enable “mutual authentication”, or SSL re-encryption, by enabling SSL on the servers in a backend.

Uploading and using a CA

To sign client certificates you must create (or have) a CA, which must be uploaded under the SSL certificates section of the Balancer as a .crt file. This will then be available in the CA dropdown on frontends.

Your client certificates must have been signed by this CA, which is used to identify them.

On the frontend, select the CA certificate uploaded earlier, then choose either Optional or Required in the Client Certificates dropdown. Required forces every client to provide a certificate; Optional allows clients to provide one but does not force them to.

Headers and identification

You will often need to see information from the certificate on your backend webservers, especially if Optional is set, so that you can determine the security of the connection.

For this, you can set the Frontend to insert several headers which will pass the SSL connection information to your servers. To do this, you can use the HTTP Request Rules section under Header Modification on your frontend.

These are the available headers you can add:

  1. X-SSL %[ssl_fc]
  2. X-SSL-Client-Verify %[ssl_c_verify]
  3. X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
  4. X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
  5. X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
  6. X-SSL-Issuer %{+Q}[ssl_c_i_dn]
  7. X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
  8. X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]

In Optional mode you may also want to delete the headers listed above with the Request Delete options, to prevent a client from spoofing them. In Required mode this is not necessary.
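
As an added illustration (not Snapt's own code), this is one way a backend application could interpret the headers above when the frontend is in Optional mode. It assumes the server is reachable only through the balancer; the function names and sample values are constructed for the example, and a request counts as certificate-authenticated only when a subject DN is present and the verify code is 0.

```python
# Added example: backend-side interpretation of the X-SSL-* headers.
# Assumption: requests reach this server only through the balancer,
# which sets these headers itself. Sample values are constructed.

def unquote(value):
    """Strip the double quotes that the %{+Q} flag puts around a value."""
    value = (value or "").strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value


def classify_client(headers):
    """Return (level, common_name); level is one of
    'plaintext', 'tls-anonymous', 'tls-client-cert' or 'reject'."""
    h = {name.lower(): value for name, value in headers.items()}
    if h.get("x-ssl", "").strip() != "1":
        return ("plaintext", None)           # frontend connection was not SSL
    verify = h.get("x-ssl-client-verify", "").strip()
    dn = unquote(h.get("x-ssl-client-dn"))
    cn = unquote(h.get("x-ssl-client-cn"))
    if not dn:
        # No subject DN: treat as "no certificate presented", whatever
        # the verify code says. A verify value alone proves nothing here.
        return ("tls-anonymous", None)
    if verify != "0":
        return ("reject", None)              # certificate present but not verified
    return ("tls-client-cert", cn or None)


# Constructed sample requests, as the backend would see them.
SAMPLES = {
    "with_cert": {"X-SSL": "1", "X-SSL-Client-Verify": "0",
                  "X-SSL-Client-DN": '"/C=US/O=Example/CN=alice"',
                  "X-SSL-Client-CN": '"alice"'},
    "no_cert": {"X-SSL": "1", "X-SSL-Client-Verify": "0",
                "X-SSL-Client-DN": '""', "X-SSL-Client-CN": '""'},
    "bad_verify": {"X-SSL": "1", "X-SSL-Client-Verify": "10",
                   "X-SSL-Client-DN": '"/CN=mallory"',
                   "X-SSL-Client-CN": '"mallory"'},
    "plain_http": {"X-SSL": "0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, classify_client(hdrs))
```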
