Hi Francis
I solved this problem maybe not elegantly but it works.
1) Client certificate authentication is set on the nginx side and not on haproxy
ssl_client_certificate /etc/pki/tls/certs/CA_COPE_SZAFIR_TEST.cer;
2) Authentication is optional and not required
ssl_verify_client optional;
3 ) In locations that require a certificate (/ polishapi and / identityserver), it is verified if the authentication was successful client's certificate, if not, error 403 is returned - access denied
if ($ssl_client_verify != SUCCESS) {
return 403;
}
I tested on IE 11, FF 65 and Chrome 72 the behavior was correct.
Good luck,
M.W.