Re: Using HAproxy for https passthrough!

Hi Flemming,

My answers inline.

> I'm gonna use it with Novell Filr, which is a web frontend providing access to personal and shared files (à la Dropbox on steroids)!
>
> Due to the nature of the application, it needs to be a passthrough session - hereby I mean that it will hold the session to one backend server, and not jump around!

Your configuration looks good on this point.

> Need to grab both http and https and forward to backend servers at port 8443

Can your application use both HTTP and HTTPS on port 8443 only??? If yes, simply update your bind line:

    bind *:80,*:443

> Access to the status page shown on http://demo.1wt.eu/ is needed

Look for "stats uri" in the HAProxy configuration file; there are many configuration examples.

> Could be nice: bind to specific IPs so different types of load balancing are possible

Replace the star * in the bind line by the IP address. You can specify multiple IP/port couples separated by commas.

Regards, Flemming.

Baptiste
Re: using haproxy for https

On Tue, Apr 12, 2011 at 12:15 AM, Joseph Hardeman <jwharde...@gmail.com> wrote:
> Hi,
>
> Considering these are for a customer and they have already purchased their certs, I don't want to go through the hassle of converting them and causing them any issues.

I don't see how this would inconvenience anybody, it is a pretty straightforward operation. It is done server-side and won't impact the customer or CA etc.

https://support.servertastic.com/entries/323869-moving-ssl-certificate-from-iis-to-apache

You are simply exporting the cert/key from IIS, which will insist on encrypting them. Then you are decrypting them using openssl to a PEM format file so it can be used by software other than IIS.

> Now we can stick with the examples on the haproxy site using mode tcp, but I was wondering is there a way via ACLs or something to do something along the lines of reading the requested domain name and sending that traffic to a specific server or set of servers?

Of course not, if you are doing TCP mode with SSL traffic, how are you going to inspect the traffic at the proxy? Remember, it is encrypted.
Re: using haproxy for https

Hi,

Considering these are for a customer and they have already purchased their certs, I don't want to go through the hassle of converting them and causing them any issues.

Now we can stick with the examples on the haproxy site using mode tcp, but I was wondering is there a way via ACLs or something to do something along the lines of reading the requested domain name and sending that traffic to a specific server or set of servers? For example:

    listen cust1_443
        mode tcp
        bind 0.0.0.0:443
        option ssl-hello-chk
        balance roundrobin
        timeout client 70s
        timeout server 70s
        timeout connect 30s
        # some sort of check here for specific domain name
        server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
        server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300
        # some sort of check here for specific domain name
        server IIS1-443 192.168.0.208:443 check inter 5000 fall 3 rise 1 maxconn 300
        server IIS2-443 192.168.0.209:443 check inter 5000 fall 3 rise 1 maxconn 300

Just thinking that if I could do that, then it would save wasting IPs from applying a different one to the haproxy system and then again another couple to the IIS servers.

Anyway, would appreciate some insight and advice on if this can be accomplished in this sort of fashion.

Thanks

Joe

On Sun, Apr 10, 2011 at 5:14 PM, Brian Carpio <bcar...@broadhop.com> wrote:
> Of course you can export the cert and private keys from IIS and use them in stunnel. You will need to use OpenSSL to convert the certificate but it will work.
>
> Sent from my iPhone
Re: using haproxy for https

BTW, will this patch ever go upstream? Why does stunnel not have this already?

On Sat, Apr 9, 2011 at 11:43 PM, Vivek Malik <vivek.ma...@gmail.com> wrote:
> Joe,
>
> You need to run as many stunnel instances as the number of SSL certificates. If the sites share an SSL certificate, then one stunnel instance will do.
>
> I run stunnel 4.32 with the patch from http://haproxy.1wt.eu/download/patches/ on port 443 and forward it to port 81 on the same machine which is bound to haproxy.
> [...]
--
Germán Gutiérrez
OLX Operation Center
OLX Inc.
Buenos Aires - Argentina
Phone: 54.11.4775.6696
Mobile: 54.911.5669.6175
Skype: errare_est
Email: germ...@olx.com

Delivering common sense since 1969 Epoch Fail!
The Nature is not amiable; It treats impartially to all the things. The wise person is not amiable; He treats all people impartially.
It does not affect the site, it does not need QA.
Re: using haproxy for https

You probably need to ask that question on the stunnel mailing list.

Sent from my iPhone

On Apr 10, 2011, at 8:20 AM, German Gutierrez <germ...@olx.com> wrote:
> BTW, will this patch ever go upstream? Why does stunnel not have this already?
> [...]
Re: using haproxy for https

Haproxy can't do ssl ... SSL is encrypted from client to server, so haproxy can't analyze the requests and add headers or look at headers. You should be able to run haproxy in tcp mode and balance based on source, but you can't load balance based on cookie or header info unless ssl decryption happens before the traffic reaches haproxy.

Vivek

-----Original Message-----
From: Joseph Hardeman <jwharde...@gmail.com>
Date: Sun, 10 Apr 2011 13:57:24
To: haproxy@formilux.org
Subject: Re: using haproxy for https

Hi Guys

The problem is that this is for a customer who is running IIS and already has all their certs built for IIS, I don't know if the IIS cert would work with stunnel.

I tried the following configuration which I had found and they said it was working for them, but I am getting "SSL too long" errors:

    #listen cust1_443
    #    maxconn 32000
    #    bind 0.0.0.0:443
    #    mode http
    #    cookie SERVERID insert indirect nocache
    ##   cookie SERVERID rewrite nocache
    #    timeout client 70s
    #    timeout server 70s
    #    timeout connect 30s
    #    balance source
    #    reqadd X-Forwarded-Proto:\ https
    #    reqadd SSL-TERMINATION:\ ON
    #    server IIS1-443 192.168.0.206:443 cookie iis1ssl check inter 5000 fall 3 rise 1 maxconn 30
    ##   server IIS2-443 192.168.0.207:443 cookie iis2ssl check inter 5000 fall 3 rise 1 maxconn 30
    #    option abortonclose
    #    option httpclose
    #    option forwardfor
    #    retries 3
    #    option redispatch
    #    log global
    #    option httplog
    #    option ssl-hello-chk
    #    option dontlognull

With the second IIS server commented out, they are able to serve one of their largest customers with their SSL site, but I want to be able to load balance the requests and at least pin each visitor to the IIS server they are sent to.

    listen cust1_443
        mode tcp
        bind 0.0.0.0:443
        option ssl-hello-chk
        balance roundrobin
        server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
        # server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300
        timeout client 70s
        timeout server 70s
        timeout connect 30s

Any ideas or thoughts on this?

Thanks

Joe

On Sun, Apr 10, 2011 at 10:26 AM, Brian Carpio <bcar...@broadhop.com> wrote:
> You probably need to ask that question on the stunnel mailing list.
> [...]
Re: using haproxy for https

Of course you can export the cert and private keys from IIS and use them in stunnel. You will need to use OpenSSL to convert the certificate but it will work.

Sent from my iPhone

On Apr 10, 2011, at 11:59 AM, Joseph Hardeman <jwharde...@gmail.com> wrote:
> Hi Guys
>
> The problem is that this is for a customer who is running IIS and already has all their certs built for IIS, I don't know if the IIS cert would work with stunnel.
> [...]
Re: using haproxy for https

On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <jwharde...@gmail.com> wrote:
> Hi Guys,
>
> I was wondering if someone has a good example I could use for proxying https traffic. We are trying to proxy multiple sites that use https and I was hoping for a way to see how to proxy that traffic between multiple IIS servers without having to set up many different backend sections. The way the sites are set up they use a couple of cookies but mostly session variables to track the user as they do their thing. Either I need to be able to pin the user to a single server using the mode tcp function when they come in or be able to use some form of mode http that doesn't break the SSL function.
>
> This morning around 5am, I got one site running with only 1 backend using tcp but I really need to be able to load balance it between multiple servers.

Joe, haproxy itself does not do SSL. That said, you can set up an SSL server in front of it. Myself, I use stunnel. Stunnel strips the SSL and forwards the traffic to haproxy. I have many instances of stunnel (one per cert/ip) which all feed a single haproxy http listener.

http://www.stunnel.org/

You could also use another server like nginx, apache etc. to strip the SSL. However, I find stunnel well suited as all it does is SSL and it is fast and efficient at it (similar to how haproxy does proxying very well).
Re: using haproxy for https

Joe,

You need to run as many stunnel instances as the number of SSL certificates. If the sites share an SSL certificate, then one stunnel instance will do.

I run stunnel 4.32 with the patch from http://haproxy.1wt.eu/download/patches/ on port 443 and forward it to port 81 on the same machine which is bound to haproxy.

My stunnel config looks like

    cert = /etc/stunnel.pem
    sslVersion = all
    chroot = /var/lib/stunnel/
    setuid = stunnel
    setgid = stunnel
    pid = /stunnel.pid
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1

    [https]
    accept = 443
    connect = 127.0.0.1:81
    TIMEOUTclose = 0
    xforwardedfor = yes

Note that the xforwardedfor option only works after the patch is installed.

My haproxy config looks like

    frontend http
        bind 0.0.0.0:80
        reqidel ^X-Forwarded-Proto:.*
        reqadd X-Forwarded-Proto:\ HTTP
        option forwardfor

    frontend https
        bind 127.0.0.1:81
        reqidel ^X-Forwarded-Proto:.*
        reqadd X-Forwarded-Proto:\ HTTPS

Note that I am passing X-Forwarded-Proto to the underlying application so that it can apply logic specific to https calls.

Vivek

On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby <bti...@gmail.com> wrote:
> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <jwharde...@gmail.com> wrote:
> > Hi Guys,
> >
> > I was wondering if someone has a good example I could use for proxying https traffic.
> > [...]
>
> Joe, haproxy itself does not do SSL. That said, you can set up an SSL server in front of it. Myself, I use stunnel.
> [...]
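Vivek's two frontends delete any incoming X-Forwarded-Proto with reqidel before adding their own with reqadd, and the application behind haproxy decides "did this arrive over HTTPS?" from that header alone. The order matters: a client can send an X-Forwarded-Proto header of its own, and if the frontend only appended, a request on the plain port 80 listener could reach the application claiming to be HTTPS. The Python below is an added example written for this page, not HAProxy's code. It models the frontend's rules in the spirit of reqidel (a case-insensitive regex match against the whole header line) and reqadd, plus the X-Forwarded-For that option forwardfor appends, applies them to a constructed request, and shows the backend's conclusion with the hardened rule set and with a weakened one that lacks the delete. The rule tables, the request and the function names apply_rules, backend_is_https and demo are my own.

```python
import re

# Header rules in the spirit of HAProxy's reqidel / reqadd (constructed example,
# not HAProxy's implementation). Each rule is ("del", regex) or ("add", line).
FRONTEND_RULES = {
    "http":  [("del", r"^X-Forwarded-Proto:.*"), ("add", "X-Forwarded-Proto: HTTP")],
    "https": [("del", r"^X-Forwarded-Proto:.*"), ("add", "X-Forwarded-Proto: HTTPS")],
}

# The same frontends without the delete rule, kept only to show what goes wrong.
WEAK_RULES = {
    "http":  [("add", "X-Forwarded-Proto: HTTP")],
    "https": [("add", "X-Forwarded-Proto: HTTPS")],
}


def apply_rules(header_lines, frontend, client_ip=None, rules=FRONTEND_RULES):
    """Run the frontend's rules over the request header lines, in order.

    reqidel matches its regex case-insensitively against the whole header
    line, so "x-forwarded-proto: https" from the client is removed as well.
    client_ip models 'option forwardfor', which appends X-Forwarded-For.
    """
    lines = list(header_lines)
    for action, arg in rules[frontend]:
        if action == "del":
            pattern = re.compile(arg, re.IGNORECASE)
            lines = [line for line in lines if not pattern.match(line)]
        elif action == "add":
            lines.append(arg)
    if client_ip is not None:
        lines.append("X-Forwarded-For: " + client_ip)
    return lines


def backend_is_https(header_lines):
    """What the application behind the proxy concludes from the headers.

    Like most frameworks it honours the first X-Forwarded-Proto it finds,
    which is why the proxy must make sure only its own copy survives.
    """
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-proto":
            return value.strip().lower() == "https"
    return False


# Constructed request: a client on the plain port 80 frontend that sends its
# own X-Forwarded-Proto header (address is from the documentation range).
SPOOFED_REQUEST = [
    "Host: cust1.example.com",
    "x-forwarded-proto: https",
    "User-Agent: constructed-sample/1.0",
]


def demo():
    """Return (hardened_view, weak_view): the backend's HTTPS verdict for the
    spoofed request on the http frontend with and without the reqidel."""
    hardened = apply_rules(SPOOFED_REQUEST, "http", client_ip="203.0.113.10")
    weak = apply_rules(SPOOFED_REQUEST, "http", client_ip="203.0.113.10", rules=WEAK_RULES)
    return backend_is_https(hardened), backend_is_https(weak)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The same reasoning applies to the X-Forwarded-For that stunnel's patched xforwardedfor option and haproxy's option forwardfor add: the application should trust those headers only because a proxy it controls is the last hop that set them, and the backend must not be reachable except through that proxy.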