1. Home
  2. Balancer
  3. Client Certificates on a Frontend

Client Certificates on a Frontend

The main reason for using client-side certificates is to increase the level of authentication and security for your users.

Snapt Balancer supports client certificate authentication. You will also be able to enable “mutual authentication”, or SSL re-encryption, by enabling SSL on the servers in a backend.

Uploading and using a CA

To sign client certificates you must create (or have) a CA, which must be uploaded under the SSL certificates section of the Balancer as a .crt file. This will then be available in the CA dropdown on frontends.

Your client’s certificates must have been signed by this CA, and it is used for identifying them.

You must select the CA certificate uploaded earlier, and then either Optional or Required for the Client Certificates drop-down. Required will force all clients to provide a certificate and optional will support them providing one.

Headers and identification

You will often need to see information from the certificate on your backend web servers, especially if Optional is set so you can determine the security of the connection.

For this, you can set the Frontend to insert several headers which will pass the SSL connection information to your servers. To do this, you can use the HTTP Request Rules section under Header Modification on your Frontend.

These are the available headers that you can add:

  1. X-SSL %[ssl_fc]
  2. X-SSL-Client-Verify %[ssl_c_verify]
  3. X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
  4. X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
  5. X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
  6. X-SSL-Issuer %{+Q}[ssl_c_i_dn]
  7. X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
  8. X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]

You may also want (in Optional mode) to delete those headers above with the Request Delete options, to prevent a client spoofing them.

In the required mode this is not necessary.

Updated on January 10, 2019


Was this article helpful?

Related Articles