HAProxy TCP Reverse Proxy Setup Guide (SSL/TLS Passthrough Proxy)

Published on 18 December 2018

HAProxy is an incredibly versatile reverse proxy that’s capable of acting as both an HTTP(S) proxy like above, and a straight TCP proxy which allows you to proxy SSL connections as-is without decrypting and re-encrypting them (terminating). It doesn’t require a wild card (or any certificate, since the cert and private key live exclusively on the backend), but you lose the ability to inspect traffic and rewrite headers. (You will most certainly lose your original source IP with this configuration). A Wildcard still makes sense though, since you can put it on each of your backend servers to simplify management and reduce cost.

Don’t be deceived by the shorter configuration, only use an SSL/TLS Passthrough Proxy if you know exactly why you’re doing it this way! This configuration is most useful for load balancing, and HAProxy includes built in support for health checks, dynamically balancing only between hosts that are detected as up.

HAProxy has us define two configurations – a “Frontend” configuration and a “backend” configuration. The Frontend is the client-facing proxy, and the backend, intuitively are the servers you’re proxying to.

text

frontend localhost
    # Only bind on 80 if you also want to listen for connections on 80
    bind *:80
    bind *:443
    option tcplog
    mode tcp
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    # Add an entry for each of your backend servers and their resolvable hostnames
    server webserver1 10.0.0.7:443 check
    server webserver2 10.0.0.8:443 check
    server webserver1 10.0.0.9:443 check

If your needing to use an SSL Certificate trusted by your frontend users / visitors we highly recommend a GeoTrust SSL Certificate. They have their root certificates trusted in over 99% of all major browsers and devices. GeoTrust also have available some very popular wildcard certificates.