https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html

```
frontend intranet
    mode http
    # verify optional + crt-ignore-err all: the handshake completes even when the
    # client certificate fails verification, so the rules below can route on it
    bind 10.20.30.40:443 ssl crt /etc/haproxy/pem/server.pem ca-file /etc/haproxy/pem/client-chain.pem verify optional crt-ignore-err all crl-file /etc/haproxy/crl/haproxy.pem
    # ssl_c_verify holds the verification result; 0 means no error
    use_backend ssl-error unless { ssl_c_verify 0 }
    use_backend wiki if { ssl_fc_has_crt }
    # backend helpdesk is not shown in this snippet
    default_backend helpdesk

backend wiki
    mode http
    server wiki1 10.20.10.10:80 check
    server wiki2 10.20.10.20:80 check

backend ssl-error
    mode http
    server helpdesk1 10.20.20.10:80 check
    server helpdesk2 10.20.20.20:80 check

backend expired
    mode http
    option http-server-close
    # 10 = certificate has expired, 23 = certificate revoked (OpenSSL verify error codes)
    redirect location /certificate-expired.html if { ssl_c_verify 10 } ! { path /certificate-expired.html }
    redirect location /certificate-revoked.html if { ssl_c_verify 23 } ! { path /certificate-revoked.html }
    # "unless" negates the whole condition, path test included, so "if !" is used here
    # to avoid redirecting the error page to itself
    redirect location /other-certificate-error.html if ! { ssl_c_verify 0 } ! { path /other-certificate-error.html }
    server helpdesk3 10.20.20.30:80 check
```

```
frontend intranet
    bind 10.20.30.40:443 ssl crt /etc/haproxy/pem/server.pem ca-file /etc/haproxy/pem/client-chain.pem verify required
    # Pass the TLS and client certificate details to the backend as request headers
    http-request set-header X-SSL                   %[ssl_fc]
    http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]
    # ssl_c_sha1 is binary; encode it as hex before placing it in a header
    http-request set-header X-SSL-Client-SHA1       %{+Q}[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-DN         %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN         %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer            %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]
    default_backend example_backend
```
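A backend-side check of the `X-SSL-*` headers set by the second frontend, as an added example that is not from the original page. It assumes the fingerprint is sent hex-encoded (`ssl_c_sha1,hex`), that HAProxy reaches the backend from the address in the hypothetical `TRUSTED_PROXIES` set, and that headers arrive as a plain dict; `client_identity` and `SAMPLE_HEADERS` are names made up for the example.

```python
import re
from datetime import datetime, timezone

# Assumption: the source address HAProxy uses toward the backend.
TRUSTED_PROXIES = {"10.20.30.40"}

# Constructed sample of what the backend would receive (not captured traffic).
SAMPLE_HEADERS = {
    "X-SSL": "1",
    "X-SSL-Client-Verify": "0",
    "X-SSL-Client-SHA1": '"' + "AB" * 20 + '"',
    "X-SSL-Client-CN": '"alice"',
    "X-SSL-Client-Not-Before": '"240101000000Z"',
    "X-SSL-Client-Not-After": '"250101000000Z"',
}

def _unquote(value):
    """%{+Q} wraps the value in double quotes; strip exactly one pair."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value

def _cert_time(value):
    """Parse the YYMMDDhhmmss[Z] form of ssl_c_notbefore/notafter as UTC."""
    stamp = _unquote(value).rstrip("Z")
    return datetime.strptime(stamp, "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def client_identity(peer_ip, headers, now):
    """Return {'cn', 'sha1'} for a verified client, else raise ValueError."""
    # The headers are only trustworthy when the proxy itself sent the request.
    if peer_ip not in TRUSTED_PROXIES:
        raise ValueError("request did not come from the TLS-terminating proxy")
    if headers.get("X-SSL") != "1" or headers.get("X-SSL-Client-Verify") != "0":
        raise ValueError("no verified client certificate")
    sha1 = _unquote(headers.get("X-SSL-Client-SHA1", "")).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", sha1):
        raise ValueError("fingerprint is not 40 hex digits")
    not_before = _cert_time(headers.get("X-SSL-Client-Not-Before", ""))
    not_after = _cert_time(headers.get("X-SSL-Client-Not-After", ""))
    if not (not_before <= now <= not_after):
        raise ValueError("certificate outside its validity window")
    cn = _unquote(headers.get("X-SSL-Client-CN", ""))
    if not cn:
        raise ValueError("certificate subject has no CN")
    return {"cn": cn, "sha1": sha1}
```

The peer-address check matters because any host that can reach the backend directly could otherwise send its own `X-SSL-*` headers.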