A few links on our blogs related to Willy's mail and your problem:

- SSLID persistence: http://blog.exceliance.fr/2011/07/04/maintain-affinity-based-on-ssl-session-id/
- Content switching based on SNI in HAProxy: http://blog.exceliance.fr/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
- Proxy protocol and application: http://blog.exceliance.fr/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
- SSL offloading in HAProxy: http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
- Scaling out SSL with Stud: http://blog.exceliance.fr/2011/11/07/scaling-out-ssl/ (but might be the same in HAProxy once applied to it)

You mix a bit of these articles and you can build the architecture Willy described.

Cheers