SSL – Can HAProxy perform SSL termination for forwarding to (Squid) proxy servers?

Tags: haproxy, https, proxy, squid, ssl

I understand that HAProxy can perform SSL termination for load balancing web servers, but is it possible to perform SSL termination when load balancing Squid proxy servers?

My scenario is that I have several geographically distributed Squid servers and I wish to forward proxy requests to a Squid server depending on the domain name requested by the end user.

For example, if a user who has our HAProxy load balancer set in his proxy settings requests https://www.google.fr, HAProxy decrypts the SSL CONNECT request, sees that the user has requested google.fr and then forwards their request to our France-based Squid server (fr1.squidproxy.com for example).

Best Answer

> For example, if a user who has our HAProxy load balancer set in his proxy settings requests https://www.google.fr, HAProxy decrypts the SSL CONNECT request, sees that the user has requested google.fr and then forwards their request to our France-based Squid server (fr1.squidproxy.com for example).

If your client is configured to use the HAProxy explicitly then it does not need to decrypt anything to know what peer to use. The server name and port are available in cleartext in the CONNECT message. Otherwise the proxy receiving a CONNECT would not know where to connect to.

Any HTTP proxy should be perfectly capable of relaying a CONNECT message on to another HTTP proxy. So your HAProxy should be able to pass the relevant Squid that CONNECT message and let Squid decrypt if you even still want it to at that point.

If you need the connections between the proxies to be secured, that is an entirely different situation with no relevance to HTTPS or anything beyond those three proxies.
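The routing the answer describes, as an added HAProxy configuration example (not part of the original answer): HAProxy listens as the explicit forward proxy, reads the target host from the cleartext CONNECT request (the Host header carries the same "host:port" as the request line), and hands the CONNECT on to a Squid backend chosen by domain suffix. No TLS is terminated, so no certificates are needed. fr1.squidproxy.com is from the question; de1.squidproxy.com, default.squidproxy.com, port 3128 and the timeouts are assumptions.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  1h
    timeout server  1h
    # Tunnel timeout governs the CONNECT tunnel once Squid replies 200.
    timeout tunnel  1h

frontend forward_proxy
    # Clients point their browser proxy settings at this address (assumed port).
    bind *:3128

    # For "CONNECT www.google.fr:443 HTTP/1.1" the target is cleartext;
    # word(1,:) strips the ":443" so only the hostname is matched.
    acl is_connect method CONNECT
    acl host_fr  req.hdr(host),lower,word(1,:) -m end .fr
    acl host_de  req.hdr(host),lower,word(1,:) -m end .de

    # Route by requested domain; the CONNECT itself is passed through unchanged.
    use_backend squid_fr if is_connect host_fr
    use_backend squid_de if is_connect host_de
    default_backend squid_default

backend squid_fr
    # Squid answers 200 to the CONNECT and HAProxy switches to tunnel mode.
    server fr1 fr1.squidproxy.com:3128 check

backend squid_de
    server de1 de1.squidproxy.com:3128 check

backend squid_default
    server def1 default.squidproxy.com:3128 check
```

Plain http:// requests reach the same frontend and are routed the same way; to send them elsewhere, add a rule on `!is_connect`.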