Remove PublicAccessAuthenticationToken in Proxy mode when Cert Auth is Configured

[hsamaurai]

Hi,

I am running EJBCA CE 9.3.7 behind HAProxy with TLS_SETUP_ENABLED=later
where HAProxy handles SSL termination and forwards the SuperAdmin client certificate
via the SSL_CLIENT_CERT header to EJBCA.

Current HAProxy setup:

• SSL terminated at HAProxy
• Client cert extracted via verify optional against ManagementCA
• Client cert forwarded to EJBCA via SSL_CLIENT_CERT header

The adminweb correctly denies access when no client cert is presented,
however because "PublicAccessAuthenticationToken: Any transport (HTTP or
HTTPS)" is still active, direct navigation to /ejbca/ra allows access
without any restriction.

Questions:

1. Is it possible to fully remove/disable PublicAccessAuthenticationToken
   when running in TLS later/proxy mode with client cert auth configured?

2. What is the recommended way to restrict RA web access to authenticated
   users only when running behind a reverse proxy?

Also, good to mention that im serving different fqdn's for the admin and ra web:
i.e
adminweb - admin.example.com
raweb - certificates.example.com

Any guidance appreciated.

[primetomas]

In "Roles and Access Rules" you can remove public access, it's just another role member.

[hsamaurai]

I started as TLS_SETUP_ENABLED=later

Are you saying with TLS_SETUP_ENABLED=simple it should work and allow placing behind a proxy

[primetomas]

Here are two old thread that I found. I think there is some more as well, but it didn't show up in my first search.
#909
#745

[primetomas]

Here is a long one:
#925

[hsamaurai]

Thanks for the guides..Resolved following #745.

    ssl_client_certificate /data/certs/ManagementCA.pem;
    ssl_trusted_certificate /data/certs/ManagementCA.pem;
    ssl_verify_client optional_no_ca;
    ssl_verify_depth 1;
    
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://$server:$port;
    }