HAProxy Trust only specific client certs for mutual
I am using HAProxy to perform Mutual TLS termination for my API.
HAProxy has Mutual TLS enabled with "verify required" and a cert-auth file to restrict access to the Apache service that proxies to my API.
I only want to allow two specific clients access through HAProxy. Both of these clients used common Root/Int CAs to sign their certs.
I know HAProxy doesn't allow enforcing a specific depth check (of 3), so I can't simply add each client's whole chain to my cert-auth file, as HAProxy would still verify any cert signed by one of the CAs.
I believe I have three (main) options:
- Use a cert-auth file that has only the two specific leaf certs inside, and rely on HAProxy to reject everything else. This means my trusted root is the leaf itself, and I am ignoring the actual int/root authorities.
or
- Use some form of ACL in HAProxy to verify the presented cert's Name or Serial matches the name/serial of either of the two certs I trust, in combination with the root/int certs in cert-auth file.
or
- Strip the serial/cn/sha1 of the presented cert and add it as a header when forwarding to Apache, then perform similar verification as in option 2 within the upstream Apache service.
I would like to use option 1, although I'm not confident that it's as secure as the other two. My understanding is that so long as I trust the clients to provide me their correct leaf certs, then using only those leafs (sic) directly in my HAproxy cert-auth file should be no less secure than trusting the root CA and checking the Cert CN either in an ACL or in Apache. The initial TLS handshake will prove the presented cert is owned by the client, so there should be no risk of a third party presenting the correct cert getting to the HAProxy verify step.
The main reason I'm confused is because I have seen similar questions asked elsewhere, and the answer always tends to be some variant of "use an ACL", or "pass the CN as a header and verify it within the app".
TL;DR: Am I introducing any security risk by whitelisting specific certs within HAProxy's ca file, as opposed to the signing CAs themselves?
The reason I would prefer to use the ca file instead of an ACL rule, is this makes long term support easier (simply need to replace cert-auth file instead of updating haproxy config each year).
