This topic has 2 replies, 2 voices, and was last updated 6 years, 2 months ago by bertalanvoros.


    Hello All,

    I have the following configuration.

    There is a HAProxy server fronting OpenIG, SSL is terminated on HAProxy.
    Clients hitting 80 are also redirected on the frontend HAProxy to use 443.

    HAProxy then talks to OpenIG unencrypted.

    All is well with this configuration if the Application behind OpenIG is not using SSL.

    Unfortunately there is an application that uses SSL redirection at the application level which results in a redirection loop when accessing it via the current config.

    What would be the best way of dealing with this?

    +----------------+            +-----------------+              +-----------------+
    | HAProxy        |            |OpenIG no SSL    |              |Legacy App       |
    | SSL Redirection+----------->+                 +------------->+SSL redirection  |
    |                |            |                 |              |                 |
    +----------------+            +-----------------+              +-----------------+


    • Can you share your config?
    • Do you expect IG/HAProxy to somehow forward the client certificate (verified in HAProxy) to the legacy app?

    I may have figured this out.

    Changed my config so OpenIG now listens on 8443 (using our wildcard cert) and also configured a keystore and a keymanager with the relevant certificate. So the whole chain is now SSL all the way.

    For the applications that do not do SSL I use a baseUriDecorator so OpenIG talks to them on the correct port.

    This seems to achieve the best of both worlds: HAProxy redirects all traffic to use SSL, and each route can also use the relevant ClientHandler depending on whether SSL is required by the application or not.
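As an added illustration of the end-to-end TLS arrangement described in the last post (this is example configuration written for this thread, not the poster's actual config), the route below gives OpenIG its own KeyStore, KeyManager and TrustManager and a dedicated ClientHandler that presents the certificate when talking to the legacy application over HTTPS. The keystore path, the passwords, the hostname `legacy-app.example.com`, the heap object names and the `^/legacy` path condition are all assumed placeholders; JSON has no comment syntax, so those assumptions are marked by their placeholder values. The property names follow the OpenIG route format (`heap`, `KeyStore`, `KeyManager`, `TrustManager`, `ClientHandler`, route-level `baseURI`); check them against the reference for the OpenIG version in use, since the exact syntax varies between releases.

```json
{
  "heap": [
    {
      "name": "IgKeyStore",
      "type": "KeyStore",
      "config": {
        "url": "file:///PATH/TO/ig-keystore.jks",
        "password": "KEYSTORE_PASSWORD_PLACEHOLDER"
      }
    },
    {
      "name": "IgKeyManager",
      "type": "KeyManager",
      "config": {
        "keystore": "IgKeyStore",
        "password": "KEY_PASSWORD_PLACEHOLDER"
      }
    },
    {
      "name": "IgTrustManager",
      "type": "TrustManager",
      "config": {
        "keystore": "IgKeyStore"
      }
    },
    {
      "name": "TlsClientHandler",
      "type": "ClientHandler",
      "config": {
        "keyManager": [ "IgKeyManager" ],
        "trustManager": [ "IgTrustManager" ]
      }
    }
  ],
  "condition": "${matches(request.uri.path, '^/legacy')}",
  "baseURI": "https://legacy-app.example.com:443",
  "handler": "TlsClientHandler"
}
```

Because the application now receives a genuine HTTPS connection, its own SSL redirection no longer fires and the loop disappears. A route for an application that does not use TLS keeps the same shape but sets `baseURI` to an `http://` address on the application's port and uses the default ClientHandler, which is what the poster's baseUriDecorator achieves. Two points worth checking in a setup like this: the trust store should contain only the CA that issued the legacy application's certificate rather than a broad bundle, and the keystore passwords belong in a protected file with restricted permissions, not in a route file that is shared or checked into version control.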
