Haproxy ingress tls verify client certificate


Vishal Kumbhar

Dec 9, 2020, 5:25:50 AM
to haproxy-ingress
Hi,

When we enable the below annotations on the ingress object, mTLS is enabled for the host. I need it only for a specific route path of that host.

Joao Morais

Dec 9, 2020, 5:51:20 AM
to haproxy...@googlegroups.com
Do you mean you need to verify client certs only in some paths and you
want some other paths without that validation? This cannot be done in
the right way because TLS auth happens during the TLS handshake and
the target path is inside the encrypted data, visible only after the
handshake completes. This would be possible by forcing a TLS
renegotiation, but 1) haproxy doesn't support it and 2) as far as I
know this isn't supported at all in TLS 1.3.

In short, TLS auth should be configured for a whole domain and there
isn't a possible workaround for it.

~jm

Vishal Kumbhar

Dec 9, 2020, 5:55:27 AM
to haproxy-ingress
Thanks for the update.