Most of the documentation I've read regarding HAProxy and SSL seems to suggest that SSL must be handled before it reaches HAProxy. Most solutions focus on using stunnel, and a few suggest Apache + mod_ssl infront of HAProxy.
Our problem though, is that we use Apache as a reverse proxy to a number of other sites which use their own certificates. Ideally what we'd like, is for HAProxy to pass all SSL traffic to Apache, and let Apache handle either the SSL or reverse proxying.
Our current setup:
Apache Reverse Proxy -> Apache + mod_ssl -> Application
What I'd like to do:
HAProxy -> Apache Reverse Proxy -> Apache + mod_ssl -> Application
Is it possible to do this? Is HAProxy capable of forwarding SSL traffic to be handled by a server BEHIND it?
Best Answer
HAproxy can work in both TCP and HTTP modes. In TCP mode, it doesn't look at the content of the TCP packets, but simply load balances the connection at the layer 4.
So, you can use HAproxy on SSL traffic. I will work just fine. But you will not benefits from the HTTP features it includes.