Nginx – WSS Load Balancing with SSL Termination at layer 4

If you want to terminate the SSL at the load balancer then you have no choice but to use something like Stunnel, Pound or Nginx. HA-Proxy doesn't support terminating the SSL itself.

Alternatively you can terminate the SSL at your web servers. In which case just setup HA-Proxy to pass-thru the TCP (HTTPS/443) connections to your web servers. Although remember in this mode you will not be able to do any L7 inspection or rules which is sort of what makes HA-Proxy so powerful.

Firstly this adds unneccesary complexity to your webservers.

Secondly terminating the SSL connection at the LB means you can use keepalive on the client side for the connection reducing the complex part of establishing the connection. Also the most efficient use of resources is to group like workloads. Many people seperate static and dynamic content, SSL at the LB means that both can come from different servers through the same connection.

Thirdly SSL generally scales at a different rate than required by your web app. I think the lack of examples is due to the fact that a single LB pair or Round robin dns is enough for most people. It seems to me that you may be overestimating the SSL workload.

Also I am not sure about your reasoning regarding security. In addition to the fact that the webserver is already running far more services with possible exploits, if there are any vulnerabilities in the LB then you have just introduced them onto your webservers too!