I do not have a HAProxy configuration but porting the nginx configuration to HAProxy should be straightforward.
The following nginx configuration uses mTLS with a mapping to allow clients based on the fingerprint of their certificate.
In this example teddycloud runs on port 443 and nginx on 8443. In my setup both services are containerized, running in one pod, and I ingress traffic on the host IP from port 443 to the nginx container on port 8443.
This allows specified toniebox clients to connect to teddycloud through nginx.
catchall.tld.conf (nginx)
    map $ssl_client_fingerprint $reject {
        # $ssl_client_fingerprint is the SHA-1 of the client certificate's DER
        # encoding as lowercase hex without colons; keys must use that exact form.
        # No certificate at all gives an empty string, which falls through to default.
        default 1;
        "b571ef0c5841a7c23bfce63f1a20286fcfcfcfcf" 0;
    }

    server {
        listen 8443 ssl;
        listen [::]:8443 ssl;
        server_name _;

        ssl_certificate /etc/ssl/certs/server/ttt-fullchain.pem;
        ssl_certificate_key /etc/ssl/certs/server/ttt.pem;

        # Request a client certificate but do not require it to chain to ca.pem.
        # The handshake still proves possession of the matching private key, so
        # the fingerprint map above is what actually authorizes a box.
        ssl_client_certificate /etc/ssl/certs/client/ca.pem;
        ssl_verify_client optional_no_ca;

        root /usr/share/nginx/html/server;

        location / {
            # Reject anything whose fingerprint is not on the allow list.
            if ($reject) {
                return 403;
            }
            # Forward to teddycloud; a variable in proxy_pass is evaluated per
            # request, which is fine here because the upstream is a literal IP.
            set $upstream 127.0.0.1:443;
            proxy_pass https://$upstream$request_uri;
            # Allow legacy TLS renegotiation toward the upstream
            # (proxy_ssl_conf_command needs nginx 1.19.4+ built with OpenSSL 1.0.2+).
            proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
        }
    }
For access via web browsers you can expose the same teddycloud instance based on the SNI hostname using a separate nginx configuration file for the corresponding DNS name.
Best
Christian
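An added example, not part of Christian's post or the teddycloud project: the map above only works if the fingerprint is written exactly as nginx exposes it in $ssl_client_fingerprint (SHA-1 over the DER certificate, lowercase hex, no colons), which differs from the colon-separated uppercase form that openssl prints. The POSIX shell script below computes the fingerprint in nginx's form and generates a complete map block from one or more client certificate files. It assumes the openssl CLI is installed; the function names (nginx_fingerprint, gen_reject_map, make_demo_cert) are the example's own, and the self-signed certificate it creates is a constructed stand-in for a real Toniebox client certificate.

```shell
#!/bin/sh
# Compute certificate fingerprints in the exact form nginx exposes as
# $ssl_client_fingerprint and turn them into an nginx map block.
set -eu

# Print the SHA-1 fingerprint of a PEM certificate as lowercase hex without
# colons. openssl prints "SHA1 Fingerprint=AA:BB:..." (or "sha1 Fingerprint=..."
# on OpenSSL 3), so strip the label, the colons and the upper case.
nginx_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Emit a complete "map $ssl_client_fingerprint $<var>" block that rejects
# everything by default and allows only the given certificates.
# $1: map variable name (e.g. "reject"), remaining args: PEM certificate files.
gen_reject_map() {
    var="$1"; shift
    printf 'map $ssl_client_fingerprint $%s {\n' "$var"
    printf '    default 1;\n'
    for cert in "$@"; do
        fp=$(nginx_fingerprint "$cert")
        subj=$(openssl x509 -in "$cert" -noout -subject)
        # Trailing "# ..." is an nginx comment recording which box the entry is for.
        printf '    "%s" 0; # %s\n' "$fp" "$subj"
    done
    printf '}\n'
}

# Constructed throwaway self-signed certificate standing in for a Toniebox
# client certificate; writes client.key / client.pem into $1 and prints the PEM path.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=toniebox-demo" \
        -keyout "$1/client.key" -out "$1/client.pem" >/dev/null 2>&1
    echo "$1/client.pem"
}

# Demo: generate a certificate and print the map block that would allow it.
demo_dir=$(mktemp -d)
demo_cert=$(make_demo_cert "$demo_dir")
gen_reject_map reject "$demo_cert"
```

For a real deployment, point gen_reject_map at the exported certificates of the boxes you want to allow and paste the output in place of the hand-written map; the fingerprint of a real box can be read the same way with nginx_fingerprint on its certificate file.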