Passing SSL and Client Cert Authentication Data to Tomcat through HTTP Headers
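global
    log stdout format raw daemon
    maxconn 2000
    daemon

defaults
    mode http
    option dontlognull
    retries 3
    timeout connect 5000
    timeout client 50000
    timeout server 50000

# Public TLS entry point. Client certificates are requested but not
# mandatory ("verify optional"); a presented certificate is checked against
# the client-intermediate CA, with the root supplied via ca-verify-file so
# it is used for chain verification only and not advertised to clients.
frontend http-in
    bind *:443 ssl crt /ssl-cert/server-combined.pem ca-file /ssl-cert/ca/client-intermediate/certs/client-intermediate.crt ca-verify-file /ssl-cert/ca/root/certs/root.crt verify optional ssl-min-ver TLSv1.2 no-tls-tickets
    # Plain HTTP goes to the same backend. Requests arriving here have no TLS
    # context, so the conditional ssl_* / X-Forwarded-Proto rules in the
    # backend never fire for them and those headers reach Tomcat absent.
    bind *:80
    default_backend webservers
    mode http
    option httplog
    log stderr format raw daemon

# Stats/monitoring listener. NOTE(review): this binds on every interface over
# plain HTTP; restrict it to a management address (or front it with an ACL)
# before exposing the host.
frontend monitoring-in
    bind *:8080
    default_backend monitoring
    mode http
    option httplog
    log stderr format raw daemon

backend monitoring
    stats enable
    # The stats page exposes backend topology and health; do not ship default
    # credentials. Replace the placeholder before deployment.
    stats auth admin:<REPLACE_WITH_STRONG_PASSWORD>
    stats uri /haproxy?stats

# Tomcat backend. The ssl_* header names below are the ones Tomcat's SSLValve
# reads by default, so they must be populated only from the TLS connection
# HAProxy itself terminated, never from the client's request.
backend webservers
    balance roundrobin
    # Adds the peer address to X-Forwarded-For; a client-supplied
    # X-Forwarded-For is not removed, so the upstream must trust only the
    # hop appended by this proxy.
    option forwardfor
    # Strip every header SSLValve trusts before (re)populating it, so a client
    # cannot inject its own certificate, cipher or session values. Because the
    # set-header rules are conditional on a TLS connection, requests on the
    # plain-HTTP bind end up with these headers removed and never re-added.
    http-request del-header ssl_client_cert
    http-request del-header ssl_cipher
    http-request del-header ssl_session_id
    http-request del-header ssl_cipher_usekeysize
    # X-Forwarded-Proto is equally client-controllable on the plain-HTTP bind;
    # reset it before the conditional set so a request over :80 cannot claim
    # to be https to the upstream.
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Client certificate as a single-line PEM (spaces escaped for the config
    # parser), set only when the client actually presented one.
    http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
    # Negotiated cipher, TLS session id (hex) and symmetric key size of the
    # front connection, set only when this request arrived over TLS.
    http-request set-header ssl_cipher %[ssl_fc_cipher] if { ssl_fc }
    http-request set-header ssl_session_id %[ssl_fc_session_id,hex] if { ssl_fc }
    http-request set-header ssl_cipher_usekeysize %[ssl_fc_alg_keysize] if { ssl_fc }
    option http-server-close
    option tcp-check
    server srv1 tomcat:8080 check port 8080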
On the Tomcat side, the following should be enabled:
SSLValve
at engine levelweb.xml
server.xml
AuthenticatedUserRealm
is the simplest one. You may use other realms if you need to load user roles from a database or LDAP. To customize the user name (e.g. use the CN only instead of the full Subject DN from the certificate), you may implement your own
org.apache.catalina.realm.X509UsernameRetriever
and set the class name through x509UsernameRetrieverClassName
in the realm setting.