Inserting SSL/TLS Certificate Information into HTTP Headers

How to insert Client SSL/TLS Certificate information into HTTP headers using HAProxy

HAProxy can insert a good deal of the client-certificate information it learns during the TLS handshake into the request headers it forwards to the real server. The `ssl_c_*` fetches below are only populated when the `bind` line terminates TLS (`ssl crt ...`) and actually asks the client for a certificate (`ca-file ... verify optional` or `verify required`); with the default `verify none` no certificate is requested and the headers are empty. A frontend that forwards the details looks like this:

frontend name_here
    bind ...
    # reqadd only appended a literal string and was removed in HAProxy 2.1;
    # http-request set-header takes a log-format string, so the %[...] fetches expand.
    http-request set-header X-SSL                   %[ssl_fc]
    http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]
    # ssl_c_sha1 returns raw bytes; the hex converter makes it a header-safe string
    http-request set-header X-SSL-Client-SHA1       %[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-DN         %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN         %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer            %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]
    default_backend ...

Note: The {+Q} flag does not convert binary data; it quotes the value, i.e. wraps it in double quotes so that a Distinguished Name containing spaces, commas or slashes arrives at the backend as one unambiguous token. The only fetch here that returns raw bytes is ssl_c_sha1, and for that the hex converter (or base64) is what makes the value a legal HTTP header; the DN and date fetches are already strings.

A second point matters more for security: anything a client sends in its own X-SSL-* request headers must never reach the backend. set-header first deletes any existing header of that name and then sets it, so a client-supplied X-SSL-Client-CN: admin is overwritten; add-header (and the old reqadd) would simply append, leaving the spoofed header in front of the genuine one. Even with set-header the backend can only trust these headers if it is reachable exclusively through HAProxy (firewall it off, or bind it to a loopback or private address), because a client that can reach the backend directly can set any header it likes.

Here's what each header, and the sample fetch used to populate its value, contains:

  • ssl_fc/X-SSL : whether the frontend connection arrived over SSL/TLS (1) or in the clear (0)

  • ssl_c_verify/X-SSL-Client-Verify : the verification result for the client certificate. 0 means the certificate chained to the configured ca-file without error; any other value is the OpenSSL X509 verify error code (for example an unknown issuer or an expired certificate). Be aware that it is also 0 when the client presented no certificate at all, so pair it with ssl_c_used or a non-empty fingerprint before trusting it. With verify required a failing certificate is rejected during the handshake, so non-zero values only reach the backend when verify optional (or crt-ignore-err / ca-ignore-err) is in use.

  • ssl_c_sha1/X-SSL-Client-SHA1 : the SHA-1 fingerprint of the client certificate's DER encoding, as raw bytes (hence the hex converter)

  • ssl_c_s_dn/X-SSL-Client-DN : the full subject Distinguished Name of the client certificate, rendered as /C=.../O=.../CN=...

  • ssl_c_s_dn(cn)/X-SSL-Client-CN : only the Common Name (CN) attribute of the subject DN

  • ssl_c_i_dn/X-SSL-Issuer : the full Distinguished Name of the certificate's issuer

  • ssl_c_notbefore/X-SSL-Client-Not-Before : the date from which the client certificate is valid, in the certificate's UTCTime format YYMMDDhhmmss[Z] (UTC)

  • ssl_c_notafter/X-SSL-Client-Not-After : the date after which the certificate is no longer valid, in the same YYMMDDhhmmss[Z] format
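To show what a backend should do with these headers once they arrive, here is an added example (not code from the original page and not part of HAProxy): it takes the X-SSL-* headers from a request, checks them in the order the bullets above suggest, and parses the YYMMDDhhmmss[Z] validity dates. It assumes the frontend configuration above (set-header, fingerprint passed through the hex converter, DN in HAProxy's default /K=V layout), that the backend is reachable only via HAProxy, and a hypothetical fingerprint allow-list; the header values are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample of the headers HAProxy forwards (not a real capture):
# 40 hex digits for the SHA-1, HAProxy's default "/K=V/K=V" DN layout,
# UTCTime validity dates.
SAMPLE_HEADERS = {
    "X-SSL": "1",
    "X-SSL-Client-Verify": "0",
    "X-SSL-Client-SHA1": "3B0D6C3C1D6A7F0E4B2F9C8A1E5D7B6A9F0C2E4D",
    "X-SSL-Client-DN": "/C=US/O=Example Corp/CN=alice",
    "X-SSL-Client-CN": "alice",
    "X-SSL-Issuer": "/C=US/O=Example Corp/CN=Example Client CA",
    "X-SSL-Client-Not-Before": "240101000000Z",
    "X-SSL-Client-Not-After": "260101000000Z",
}

# Hypothetical allow-list of accepted client certificate fingerprints
# (lower-case hex); in practice this would come from your user store.
ALLOWED_FINGERPRINTS = {"3b0d6c3c1d6a7f0e4b2f9c8a1e5d7b6a9f0c2e4d"}


def parse_cert_time(value):
    """Parse the validity string HAProxy copies out of the certificate.

    UTCTime is YYMMDDhhmmssZ (the format the page documents); certificates
    dated 2050 or later use GeneralizedTime, YYYYMMDDhhmmssZ. Both are UTC.
    """
    digits = value.rstrip("Z")
    fmt = "%y%m%d%H%M%S" if len(digits) == 12 else "%Y%m%d%H%M%S"
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def unquote(value):
    """Strip the surrounding double quotes that the %{+Q} flag adds."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def authenticate(headers, now=None, allowed=ALLOWED_FINGERPRINTS):
    """Return (ok, detail).

    ok is True only if the request came in over TLS, HAProxy verified the
    client certificate, the certificate is on the allow-list and is inside
    its validity window. detail is the CN on success or the rejection reason.
    """
    now = now or datetime.now(timezone.utc)
    if headers.get("X-SSL") != "1":
        return False, "request did not arrive over TLS"
    # ssl_c_verify is 0 both for a verified certificate and for no
    # certificate at all; the fingerprint check below is what proves
    # that a certificate was actually presented.
    verify = headers.get("X-SSL-Client-Verify")
    if verify != "0":
        return False, "client certificate failed verification (code %s)" % verify
    fingerprint = headers.get("X-SSL-Client-SHA1", "").lower()
    if len(fingerprint) != 40 or fingerprint not in allowed:
        return False, "no client certificate or fingerprint not allow-listed"
    try:
        not_before = parse_cert_time(unquote(headers["X-SSL-Client-Not-Before"]))
        not_after = parse_cert_time(unquote(headers["X-SSL-Client-Not-After"]))
    except (KeyError, ValueError):
        return False, "missing or malformed validity dates"
    if not not_before <= now <= not_after:
        return False, "certificate outside its validity period"
    return True, unquote(headers.get("X-SSL-Client-CN", ""))


if __name__ == "__main__":
    print(authenticate(SAMPLE_HEADERS))
```

The fingerprint, not the CN, is what the allow-list is keyed on: a CN is whatever the issuing CA put in the certificate, while the fingerprint pins one specific certificate. The validity check is belt and braces (HAProxy's own verification already rejects expired certificates), but it costs nothing and catches a frontend that was misconfigured with crt-ignore-err.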