Does Haproxy supports backend on https for reverse proxy

October 1, 2015 9.6k views

Hi ,

I have configured Haproxy servere on linux at 80 port and trying to do reverse proxy with backend on https protocol (443). Is it possible in haparoxy ?

Client -->httptraffic -->Haproxy server-->https traffic-->backend server

Is there any other solution for this scenario?

If I use proxy pass through functionality provided on tcp mode. It did work but client can see the backend server(this is not real reverse proxy)

Thanks !!

1 Answer

HAProxy 1.4 does not support ssl backends. Unfortunately, this is the default version in Ubuntu 14.04 and a number of other widely used distros releases. There is a PPA that provides more recent versions for Ubuntu. If you have it installed already, you can upgrade it to 1.5 by running:

  • sudo add-apt-repository ppa:vbernat/haproxy-1.5
  • sudo apt-get update
  • sudo apt-get upgrade

Then, in your HAProxy config (/etc/haproxy/haproxy.cfg), you'd have something like this:

frontend www-http
        bind haproxy.public.ip.addr:80
        reqadd X-Forwarded-Proto:\ http
        default_backend www-backend

backend www-backend
        balance roundrobin
        server web-01 web01.priv.ip.addr:443 check ssl verify none
        server web-02 web01.priv.ip.addr:443 check ssl verify none
  • Thanks for reply..
    I am using haproxy 1.5 version
    I have followed same configurtaion as per the suggestions.
    when I try to hit this server from browser I get following error
    Url :

    Error on browser :

     An error occurred during a connection to SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) 

    My config file is :

        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option http-server-close
        option forwardfor       except
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000
    frontend www-http
            reqadd X-Forwarded-Proto:\ http
            default_backend default-backend
    backend default-backend
        balance roundrobin
        server adm-test-platform check ssl verify none

    Really appreciate help here

    edited by asb
    • The Error code: ssl_error_rx_record_too_long error is likely coming from Apache on "adm-test-platform" So it seems like HAProxy is likely working correctly, but that Apache on the backend is not configured for serving SSL over 443 right.

  • Asb , Your response to above question was very useful for me, Just a extension to original question .

    Does HA proxy also support 2 way ssl in a haproxy to backend setup.Basically if backend server only support Mutual authentication . How do i configure HAproxy to send in the client certificate to backend server.

    Client -->httptraffic -->(Haproxy server-->https traffic-->backend server)

    Is this some thing achievable .

    Reason why i want to do this is , I do not want to configure client certificates in each one of the client . but HA proxy acts a proxy client for backend so that i configure the client certificate in HA proxy only.

Have another answer? Share your knowledge.