Jeff, I disagree, load balancing does not imply redundancy, it's quite the opposite in fact. The more servers you have, the more likely you'll have a failure at a given instant. That's why redundancy IS mandatory when doing load balancing, but unfortunately there are a lot of solutions which only provide load balancing without performing any health check, resulting in a less reliable service.
DNS roundrobin is excellent to increase capacity, by distributing the load across multiple points (potentially geographically distributed). But it does not provide fail-over. You must first describe what type of failure you are trying to cover. A server failure must be covered locally using a standard IP address takeover mechanism (VRRP, CARP, ...). A switch failure is covered by resilient links on the server to two switches. A WAN link failure can be covered by a multi-link setup between you and your provider, using either a routing protocol or a layer2 solution (eg: multi-link PPP). A site failure should be covered by BGP : your IP addresses are replicated over multiple sites and you announce them to the net only where they are available.
From your question, it seems that you only need to provide a server fail-over solution, which is the easiest solution since it does not involve any hardware nor contract with any ISP. You just have to setup the appropriate software on your server for that, and it's by far the cheapest and most reliable solution.
You asked "what if an haproxy machine fails ?". It's the same. All people I know who use haproxy for load balancing and high availability have two machines and run either ucarp, keepalived or heartbeat on them to ensure that one of them is always available.
Hoping this helps!
The easiest way of doing this if you currently have a load balancer in place is to decrypt the data on the load balancer and look at a cookie. At that point you can either send the request to the backend server un-ecnrypted or you can re-encrypt it and send it on.
Most setups I know of consider the network connection between the load balancer and the backend server secure and don't bother to re-encrypt the traffic for multiple reasons. One reason is that hardware based load balancers also act as SSL accelerators and this is another reason the HTTPS traffic ends at their door. Another is that it allows the traffic to be inspected for attacks.
Best Answer
Use the Upstream Consistent Hash module:
http://wiki.nginx.org/HttpUpstreamConsistentHash
or Upstream Request Hash Module:
http://wiki.nginx.org/NginxHttpUpstreamRequestHashModule