Setting up the HAProxy
Set up the required Access Control Lists (ACLs)
Browse to Services > HAProxy > Frontend.
Click edit on the frontend you wish to add client certificate authentication to, then navigate to the section: Default backend, access control lists and actions > Access Control lists.
We will need four ACL entries to make this work:

- Is<APPNAME> - Is this the webapp you wish to protect?
- LocalIP - Are you accessing this from an internal IP address?
- ClientCertUsed - Did the device offer an SSL Client Certificate?
- ValidCert - Was the certificate valid when checked against the configured CA and CRL?
Using the ACL names above, create your four ACL entries:

- ValidCert - SSL Client certificate valid - PFSense has a default option to return whether an offered certificate was valid. (Note: this may return true if no cert was offered, which is why it is always combined with ClientCertUsed in the actions below.)
- LocalIP - Source IP matches IP or Alias - Enter your internal IP range here.
- Is<APPNAME> - Host starts with - This is how I identify my apps, via the subdomain. In this case, my app is called Grocy.
- ClientCertUsed - Custom acl - PFSense doesn't have a prebuilt option for this, so we're going to use `ssl_c_used`, which checks whether an SSL Client Cert was offered by the device.
Configure actions
Scroll further down to the Actions section.
We are going to use three actions here:

| Action | Conditional/s | Parameters | Explanation | End Result |
|---|---|---|---|---|
| http-request-deny | IsGrocy ClientCertUsed !ValidCert | 403 | The app is Grocy. A cert was offered by the device. The cert was invalid/revoked. | Device is shown an Error 403 page. |
| http-request-deny | IsGrocy !ClientCertUsed !LocalIP | 403 | The app is Grocy. No cert was offered by the device. The device is not on the internal IP range. | Device is shown an Error 403 page. |
| Use Backend | IsGrocy | backend: backend_Grocy | The app is Grocy. HAProxy should forward the request to the backend called backend_Grocy. | Device can access the Grocy app. |
Because HAProxy evaluates actions in this order, it first checks whether the requesting device needs to be rejected for any reason, and only then allows access.
Configure client certificate checking
Scroll all the way down to the section SSL Offloading - client certificates.
By entering options into Client verification CA certificates and Client verification CRL, you will tell PFSense to start verifying client certificates.
Important
If you do not tick the Without client cert option, certificate checking will occur on all backends served by this frontend. Ticking this option works alongside your ACLs and Actions to limit this authorisation requirement to the Apps/Sites you want to protect.
All you need to do now is save this frontend, then restart HAProxy!
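For reference, here is a hand-written haproxy.cfg frontend that expresses the same ACLs, actions and client-verification settings as the GUI steps above. This is an added example, not the exact configuration pfSense generates; the bind address, certificate paths and the 192.168.1.0/24 internal range are assumed placeholders.

```haproxy
# Assumed: a shared HTTPS frontend; replace paths and addresses with your own.
frontend shared_https
    # "Without client cert" ticked == verify optional: a client may connect with
    # no certificate, and the ACLs/actions below decide whether that is allowed.
    bind 0.0.0.0:443 ssl crt /var/etc/haproxy/server.pem ca-file /var/etc/haproxy/clientca.pem crl-file /var/etc/haproxy/clientca.crl verify optional

    # ACLs (same names and meanings as the four entries configured in the GUI)
    acl IsGrocy        req.hdr(host) -m beg grocy      # Host starts with "grocy"
    acl LocalIP        src 192.168.1.0/24               # internal range (assumed)
    acl ClientCertUsed ssl_c_used                       # client offered a certificate
    acl ValidCert      ssl_c_verify 0                   # verify result 0 == no error
    # Caveat from the text: ssl_c_verify is also 0 when NO cert was offered,
    # so ValidCert alone is not proof of a certificate; pair it with ClientCertUsed.

    # Actions, evaluated top to bottom: deny rules first, then route.
    http-request deny deny_status 403 if IsGrocy ClientCertUsed !ValidCert
    http-request deny deny_status 403 if IsGrocy !ClientCertUsed !LocalIP
    use_backend backend_Grocy if IsGrocy

backend backend_Grocy
    server grocy 192.168.1.50:9283 check   # assumed internal address/port
```

You can compare this against the generated file with `haproxy -c -f /var/etc/haproxy/haproxy.cfg` (path assumed) to confirm the ACL names and rule order match what you configured.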
This screenshot was taken from a device without a certificate, off the internal network:
Success! Testing from an internal device, or from one loaded with the certificate you generated in the second entry in this series, will allow you access to your app!
You did it! 