I have got Flash talking to CouchDB. I think anyone with such setup will hit the issue with <policy-file-request/> being sent by Flash >9 to port 843, and then retrying on the port it's trying to connect to (for heavily fire-walled environments the only options are ports 80 and 443 really).
I had some luck with following haproxy config (replace <myip>): global log 127.0.0.1 local0 log 127.0.0.1 local1 notice #log loghost local0 info maxconn 4096 #chroot /usr/share/haproxy user haproxy group haproxy daemon #debug #quiet defaults log global mode tcp option tcplog option dontlognull retries 3 option redispatch maxconn 2000 contimeout 5000 clitimeout 50000 srvtimeout 50000 frontend couchdb-in bind <myip>:80 tcp-request inspect-delay 5s acl traffic_is_http req_proto_http tcp-request content accept if traffic_is_http use_backend flash-socket-policy if !traffic_is_http default_backend couchdb backend couchdb server couchdb5984 127.0.0.1:5984 maxconn 32 frontend couchdb-ssl-in bind <myip>:443 tcp-request inspect-delay 5s acl traffic_is_ssl req_ssl_ver gt 0 tcp-request content accept if traffic_is_ssl use_backend flash-socket-policy if !traffic_is_ssl default_backend couchdb-ssl backend couchdb-ssl mode tcp server couchdb6984 127.0.0.1:6984 maxconn 32 backend flash-socket-policy mode tcp server policy843 127.0.0.1:843 maxconn 32