HAProxy TCP Reverse Proxy Setup Guide (SSL/TLS Passthrough Proxy)

HAProxy is an incredibly versatile reverse proxy that’s capable of acting both as an HTTP(S) proxy, like above, and as a straight TCP proxy, which allows you to proxy SSL connections as-is without decrypting and re-encrypting them (terminating). It doesn’t require a wildcard (or any certificate, since the cert and private key live exclusively on the backend), but you lose the ability to inspect traffic and rewrite headers. (You will most certainly lose your original source IP with this configuration, because the backends see every connection as coming from the proxy.) A wildcard still makes sense though, since you can put it on each of your backend servers to simplify management and reduce cost.

Don’t be deceived by the shorter configuration: only use an SSL/TLS Passthrough Proxy if you know exactly why you’re doing it this way! This configuration is most useful for load balancing, and HAProxy includes built-in support for health checks, dynamically balancing only between hosts that are detected as up.

HAProxy has us define two configurations: a “frontend” configuration and a “backend” configuration. The frontend is the client-facing proxy, and the backend, intuitively, is the set of servers you’re proxying to.

frontend localhost
    # Only bind on 80 if you also want to listen for connections on 80;
    # in this configuration they are forwarded as-is to port 443 on the backends
    bind *:80
    bind *:443
    option tcplog
    mode tcp
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    # Add an entry for each of your backend servers (IP address or resolvable hostname);
    # each server name must be unique within the backend
    server webserver1 10.0.0.7:443 check
    server webserver2 10.0.0.8:443 check
    server webserver3 10.0.0.9:443 check
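
A variant of the configuration above that addresses the lost source IP and forwards only TLS traffic, added here as an example and not part of the original guide. It assumes every backend is configured to accept PROXY protocol v2 on port 443 (a backend that is not will fail the handshake); the frontend name tls_in is hypothetical.

```haproxy
# Added example: TLS passthrough that keeps the client address and
# refuses connections that do not start with a TLS ClientHello.
frontend tls_in
    # Port 80 is deliberately not bound: plain HTTP cannot be passed
    # through to a TLS listener on 443.
    bind *:443
    mode tcp
    option tcplog

    # Buffer the first bytes for up to 5 seconds, accept the connection
    # only if they are a TLS ClientHello, and reject everything else.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content reject

    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk

    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the
    # client's real address and port to every connection. Because no
    # separate check port or address is set, health checks send the
    # header too, so the backend listener sees one consistent format.
    # ASSUMPTION: each backend accepts PROXY protocol v2 on 443.
    server webserver1 10.0.0.7:443 check send-proxy-v2
    server webserver2 10.0.0.8:443 check send-proxy-v2
    server webserver3 10.0.0.9:443 check send-proxy-v2
```

Backends that accept the PROXY protocol should do so only from the proxy's address, since any client that reaches such a listener directly can claim an arbitrary source IP in the header.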

If you need an SSL Certificate trusted by your frontend users / visitors, we highly recommend a GeoTrust SSL Certificate. Their root certificates are trusted in over 99% of all major browsers and devices. GeoTrust also has some very popular wildcard certificates available.

Written by
Paul Baka