Setting up a HA Proxy in front of EJBCA
OCSP URL rewriting
Scenario: redirect "http://ocsp.website.com" -> "http://1.2.3.4:80/ejbca/publicweb/status/ocsp"
[...]
frontend ocsp_front
bind *:80
stats uri /haproxy?stats
default_backend ocsp_back
backend ocsp_back
mode http
option forwardfor
option http-server-close
reqrep ^([^\ :]*)\ [/]?(.*) \1\ /ejbca/publicweb/status/ocsp\2
reqirep ^Host:\ ocsp.website.com Host:\ 1.2.3.4
server ejbca 1.2.3.4:80 check
[...]
TLS Pass-through
Scenario: Have a proxy in front of Admin UI/WebService but just pass-through the TLS traffic in order to keep mutual authentication (allowing client certificate authentication to work in EJBCA). To do this you must use tcp mode. Hide 192.168.10.32/33 behind proxy.
[...]
frontend ejbca_front
bind *:443
option tcplog
mode tcp
default_backend ca_nodes
backend ca_nodes
mode tcp
balance roundrobin
option ssl-hello-chk
server web01 192.168.10.32:8443 check
server web02 192.168.10.33:8443 check
[...]