Most of the documentation I've read regarding HAProxy and SSL seems to suggest that SSL must be handled before it reaches HAProxy. Most solutions focus on using stunnel, and a few suggest Apache + mod_ssl in front of HAProxy.
Our problem, though, is that we use Apache as a reverse proxy to a number of other sites which use their own certificates. Ideally, what we'd like is for HAProxy to pass all SSL traffic to Apache, and let Apache handle either the SSL or reverse proxying.
Our current setup:
Apache Reverse Proxy -> Apache + mod_ssl -> Application
What I'd like to do:
HAProxy -> Apache Reverse Proxy -> Apache + mod_ssl -> Application
Is it possible to do this? Is HAProxy capable of forwarding SSL traffic to be handled by a server BEHIND it?
HAProxy can work in both TCP and HTTP modes. In TCP mode, it doesn't look at the content of the TCP packets, but simply load balances the connection at layer 4.
So, you can use HAProxy on SSL traffic. It will work just fine. But you will not benefit from the HTTP features it includes.
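A minimal haproxy.cfg for the TCP-mode passthrough described in this answer, added here as an example and not taken from either poster. The section names, server names and 192.0.2.x addresses are constructed placeholders.

```haproxy
# Example only: layer-4 passthrough of TLS to Apache servers that hold the
# certificates. HAProxy never decrypts the traffic in this setup.

defaults
    mode    tcp                 # forward bytes; no HTTP parsing
    option  tcplog              # log connection-level details only
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend https_in
    bind *:443                  # no "ssl crt ..." here: TLS is not terminated
    default_backend apache_tls

backend apache_tls
    # Source-IP affinity keeps a client on one Apache server. Cookie-based
    # persistence is an HTTP-mode feature and cannot be used on encrypted
    # traffic.
    balance source

    # "check" is a plain TCP connect test; it confirms the port is open,
    # not that Apache is serving a valid certificate or page.
    server web1 192.0.2.11:443 check    # placeholder address
    server web2 192.0.2.12:443 check    # placeholder address

# What this mode gives up, because the payload stays encrypted:
#   - routing on Host header or URL path
#   - adding or rewriting headers such as X-Forwarded-For
#   - HTTP-level health checks and per-request logging
# Apache access logs will show HAProxy's address as the client, so
# IP-based access rules and rate limits on the backend need reviewing.
```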
Since I was previously using Apache to do SSL independently of reverse proxying or application work, I configured Apache to accept the SSL traffic, then forward it to HAProxy, which would then forward to one of the Apache servers in the web farm, even if that is the original server that did the SSL.
An attempt of using stunnel failed miserably, until I realised that Apache could be a frontend and backend to HAProxy.
I could also have used Julien's advice, but I really did want the HTTP benefits rather than just the TCP options.