Setting up HAProxy in front of EJBCA

OCSP URL rewriting

Scenario: redirect "" -> ""

    frontend ocsp_front
        bind *:80
        stats uri /haproxy?stats
        default_backend ocsp_back

    backend ocsp_back
        mode http
        option forwardfor
        option http-server-close
        reqrep ^([^\ :]*)\ [/]?(.*) \1\ /ejbca/publicweb/status/ocsp\2
        reqirep ^Host:\ Host:\
        server ejbca check
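
To see what the reqrep rule above does to incoming requests, the following added example (not part of the original page) replays the same regular expression in Python against constructed request lines. The function names and sample lines are assumptions made for illustration.

```python
import re

# The page's rule, with HAProxy's "\ " (escaped space) written as a plain space:
#   reqrep ^([^\ :]*)\ [/]?(.*)   \1\ /ejbca/publicweb/status/ocsp\2
REQREP = re.compile(r"^([^ :]*) [/]?(.*)")
OCSP_PATH = "/ejbca/publicweb/status/ocsp"


def rewrite_line(line: str) -> str:
    """Apply the rule to one line of the request head (request line or header)."""
    return REQREP.sub(lambda m: f"{m.group(1)} {OCSP_PATH}{m.group(2)}", line, count=1)


def rewritten_target(request_line: str) -> str:
    """Request target (path and query) the backend sees after the rewrite."""
    return rewrite_line(request_line).split(" ")[1]


def lands_on_ocsp(request_line: str) -> bool:
    """True if the rewritten target is the OCSP path itself or a sub-path of it."""
    target = rewritten_target(request_line)
    return target == OCSP_PATH or target.startswith((OCSP_PATH + "/", OCSP_PATH + "?"))


# Constructed sample input, not captured traffic.
SAMPLES = [
    "POST / HTTP/1.1",                  # OCSP over POST to the proxy root
    "GET /MFEwTzBNMEswSTAJ HTTP/1.1",   # OCSP over GET: encoded request in the path
    "Host: ocsp.example.test",          # header line: "[^ :]*" stops at the colon
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:40} -> {rewrite_line(line)!r}")
    print("GET lands on OCSP path:", lands_on_ocsp(SAMPLES[1]))
```

The second sample shows that anything after the leading slash is appended to the OCSP path with no separator, so confirm which request forms your clients send before relying on the rule.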

TLS Pass-through

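Scenario: put a proxy in front of the Admin UI/WebService but pass the TLS traffic through untouched, so that mutual authentication is preserved (client certificate authentication keeps working in EJBCA) while the EJBCA nodes stay hidden behind the proxy. To do this you must use tcp mode: HAProxy then forwards the TLS bytes without terminating the session, so the handshake, including the client certificate, is completed by EJBCA itself.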

    frontend ejbca_front
        bind *:443
        option tcplog
        mode tcp
        default_backend ca_nodes

    backend ca_nodes
        mode tcp
        balance roundrobin
        option ssl-hello-chk
        server web01 check
        server web02 check