Hi, I have Vault open-source configured with 3 nodes in HA, using the integrated storage backend (raft). I am using HAproxy to load balance the nodes, and it works fine for normal API calls, CLI, and web UI.
However, it does not seem capable of handling the necessary TCP proxying for the cert login method. When attempting to use HAProxy and passing certs via the cert login API call, it reports “client certificate must be supplied” - if I pass the API directly to the active node and bypass HAproxy, everything works fine and I’m able to log in with the cert method.
I have a workaround, which is to use Nginx TCP stream to proxy a special port (i.e. 8300) which I can use for the cert login calls, and that works OK, but Nginx open source doesn’t have the httpchk capability that HAproxy does for everything else. So now I’m using two different proxying applications, which is messy. Does anyone have any suggestion for a way to run HAproxy so that it correctly streams the TCP connection to allow cert login to pass through to the application?
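One way to get this from HAProxy alone, as an added example that is not part of the original post and not a configuration from the Vault or HAProxy projects: a separate `mode tcp` frontend on the dedicated port (8300, as in the post) that passes the TLS session through untouched, so the client certificate presented in the handshake reaches Vault's listener rather than being consumed by the proxy. Vault's cert auth method reads the certificate from the TLS connection it terminates itself, which is why a proxy that terminates TLS on the client's behalf leaves Vault with no client certificate. Health checking does not depend on the proxy mode, so `option httpchk` against `/v1/sys/health` still works in a TCP backend; Vault answers 200 only on the active, unsealed node (429 on a standby, 503 when sealed), so expecting 200 keeps only the active node UP. The node addresses, the Vault listener port 8200 and the timeouts are assumptions for illustration.

```haproxy
# Added example (not from the original post). Node IPs, port 8200 and
# the timeout values are assumptions; adjust to the real cluster.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Dedicated TCP-passthrough entry point for cert-auth logins.
# HAProxy never terminates TLS here, so the client certificate
# in the handshake arrives at Vault unchanged.
frontend vault_cert_passthrough
    bind *:8300
    mode tcp
    option tcplog
    default_backend vault_active_tcp

backend vault_active_tcp
    mode tcp
    balance roundrobin
    # HTTP health check over TLS even though client traffic is raw TCP.
    # /v1/sys/health: 200 = active and unsealed, 429 = standby, 503 = sealed,
    # so only the active node is marked UP and receives connections.
    option httpchk GET /v1/sys/health
    http-check expect status 200
    # check-ssl: the health check itself must speak TLS to Vault's listener.
    # verify none is shown for brevity; point ca-file at the cluster CA instead
    # if the check should also validate Vault's server certificate.
    default-server check check-ssl verify none inter 2s fall 2 rise 2
    server vault1 10.0.0.11:8200
    server vault2 10.0.0.12:8200
    server vault3 10.0.0.13:8200
```

With this in place the existing HTTP-mode frontend can keep serving the UI, CLI and ordinary API calls, while cert logins are sent to port 8300; because the TCP backend is unaware of HTTP, per-request routing and header manipulation are unavailable there, which is exactly what allows the client certificate to pass through. Confirm the result with `vault login -method=cert -address=https://<haproxy>:8300` (or the equivalent API call with `-client-cert`/`-client-key`) and by watching the backend status on the HAProxy stats page, where only the active node should show UP.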