Setting up HAProxy in front of EJBCA

OCSP URL rewriting

Scenario: rewrite requests for "http://ocsp.website.com" to "http://1.2.3.4:80/ejbca/publicweb/status/ocsp"

[...]
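frontend ocsp_front
        bind *:80
        # Statistics page is served on the same public listener as OCSP;
        # protect it with "stats auth" or move it to an internal bind
        stats uri /haproxy?stats
        default_backend ocsp_back

backend ocsp_back
        mode http
        # Add X-Forwarded-For so the client address reaches EJBCA
        option forwardfor
        option http-server-close
        # reqrep/reqirep exist only in HAProxy 2.0 and earlier (removed in 2.1)
        # Prefix the request path with /ejbca/publicweb/status/ocsp
        reqrep ^([^\ :]*)\ [/]?(.*) \1\ /ejbca/publicweb/status/ocsp\2
        # Replace the public Host header with the backend address
        reqirep ^Host:\ ocsp.website.com Host:\ 1.2.3.4
        server ejbca 1.2.3.4:80 check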
[...] 
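
The following is an added example, not part of the original EJBCA documentation: it replays the two rewrite rules above on constructed requests to show what reaches EJBCA for a POST to "/" and for a GET that carries the encoded OCSP request in the path (the RFC 6960 GET form). It assumes Python's re module behaves like HAProxy's regex engine for these patterns; BASE64REQ and the helper names are made up for the illustration.

```python
import re

# The two rewrite rules from the ocsp_back backend. HAProxy's "\ " config
# escape is written as a plain space, and Python's re module stands in for
# HAProxy's regex engine (assumptions of this sketch).
REQREP = (re.compile(r"^([^ :]*) [/]?(.*)"),
          r"\1 /ejbca/publicweb/status/ocsp\2")
REQIREP = (re.compile(r"^Host: ocsp.website.com", re.IGNORECASE),
           "Host: 1.2.3.4")

# Constructed sample requests; BASE64REQ is a placeholder for the encoded
# OCSP request that the GET form carries in the path.
POST_REQ = ("POST / HTTP/1.1\r\n"
            "Host: ocsp.website.com\r\n"
            "Content-Type: application/ocsp-request\r\n\r\n")
GET_REQ = ("GET /BASE64REQ HTTP/1.1\r\n"
           "Host: OCSP.website.com\r\n\r\n")


def rewrite(request_head: str) -> str:
    """Try both rules against the request line and every header line."""
    lines = []
    for line in request_head.split("\r\n"):
        for pattern, replacement in (REQREP, REQIREP):
            line = pattern.sub(replacement, line, count=1)
        lines.append(line)
    return "\r\n".join(lines)


def request_line(request_head: str) -> str:
    return request_head.split("\r\n", 1)[0]


def host_header(request_head: str) -> str:
    return next(l for l in request_head.split("\r\n")
                if l.lower().startswith("host:"))


if __name__ == "__main__":
    for name, req in (("POST", POST_REQ), ("GET", GET_REQ)):
        out = rewrite(req)
        print(f"{name}: {request_line(req)!r} -> {request_line(out)!r}")
        print(f"      {host_header(req)!r} -> {host_header(out)!r}")
```

For the GET form the optional [/]? consumes the slash that separates the responder URL from the encoded request, so the request lands directly after "ocsp"; check GET-based clients against the proxy before relying on this rule.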

TLS Pass-through

Scenario: Place a proxy in front of the Admin UI/WebService but pass the TLS traffic through untouched, so that the TLS session still terminates at EJBCA and mutual authentication is preserved (client certificate authentication keeps working in EJBCA). To do this you must use tcp mode. The nodes 192.168.10.32 and 192.168.10.33 are hidden behind the proxy.

[...]
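frontend ejbca_front
    bind *:443
    option tcplog
    # tcp mode: HAProxy forwards the TLS bytes without terminating the session
    mode tcp
    default_backend ca_nodes

backend ca_nodes
    mode tcp
    balance roundrobin
    # Health check: send an SSLv3 client hello and look for a server hello
    option ssl-hello-chk
    server web01 192.168.10.32:8443 check
    server web02 192.168.10.33:8443 check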
[...]