Configure client authentication on the load balancer (HAProxy) for EJBCA nodes

[bsjaramillo]

I'm trying to implement this high availability architecture:

Using EJBCA last release, HAProxy.

I having problems with the load balancer configuration. As we know EJBCA requests certificates to authenticate with the system administration but I am not being able to authenticate to the system from the load balancer. In the following points I describe what I have been trying.

• Configure HAProxy to request the authentication certificate
  To do this, I set the haproxy.cfg like this.

# PKI FE Configuration
frontend pki_balancer_fe
        bind *:443 ssl crt haproxy_load_balancer.pem verify required ca-file CA_CERT.pem
        bind *:80
        mode http
        option tcplog
        default_backend pki_balancer_be

# PKI BE Configuration
backend pki_balancer_be
        mode http
        option tcpka
        balance leastconn
        server pki-01 10.9.9.142:443 check weight 1
        server pki-02 10.9.9.143:443 check weight 1
        server pki-03 10.9.9.144:443 check weight 1
        server pki-04 10.9.9.142:80 check weight 1

This configuration request the client certificate in the load balancer frontend but does not forward to the backend or the EJBCA system. So the response that I get is "not auth provided" or sometimes I get "502 bad gateway" and I can't access to the system administration from load balancer server.

• Configure HAProxy not to request the authentication certificate
  In my business rules, I set up public access rules to access the request form for a digital certificate (/ejbca/ra/enrollmakenewrequest.xhtml). For this you do not need to authenticate to the system with any certificate. To do this, I set the haproxy.cfg like this.

# PKI FE Configuration
frontend pki_balancer_fe
        bind *:443 ssl crt haproxy_load_balancer.pem
        bind *:80
        mode http
        option tcplog
        default_backend pki_balancer_be

# PKI BE Configuration
backend pki_balancer_be
        mode http
        option tcpka
        balance leastconn
        server pki-01 10.9.9.142:443 check weight 1 ssl verify none
        server pki-02 10.9.9.143:443 check weight 1 ssl verify none
        server pki-03 10.9.9.144:443 check weight 1 ssl verify none
        server pki-04 10.9.9.142:80 check weight 1

With that way, I can access to the request form for a digital certificate (/ejbca/ra/enrollmakenewrequest.xhtml) from load balancer server. This works right but sometimes I get "session has time out".

[bsjaramillo]

This is the answer.
https://doc.primekey.com/ejbca/ejbca-integration/integrating-with-third-party-applications/setting-up-a-ha-proxy-in-front-of-ejbca#SettingupaHAProxyinfrontofEJBCA-TLSPass-through

# Stats FE Configuration
frontend stats
        mode http
        bind *:8404
        stats enable
        stats uri /stats
        stats refresh 10s
        stats admin if LOCALHOST

# PKI FE Configuration
frontend pki_balancer_fe
        bind *:443
        option tcplog
        mode tcp
        default_backend pki_balancer_be

# PKI BE Configuration
backend pki_balancer_be
        mode tcp
        option ssl-hello-chk
        balance leastconn
        server pki-01 10.9.9.142:443 check
        server pki-02 10.9.9.143:443 check
        server pki-03 10.9.9.144:443 check