That seems possible already?
If you have the configuration for SSL offloading configured already, all
you need to add is the "ssl" option to your backend servers.
This option enables SSL ciphering on outgoing connections to the server. At
the moment, server certificates are not checked, so this is prone to man in
the middle attacks. The real intended use is to permit SSL communication
with software which cannot work in other modes over networks that would
otherwise be considered safe enough for clear text communications. When this
option is used, health checks are automatically sent in SSL too unless there
is a "port" <http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#port> or
an "addr" <http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#addr> directive
indicating the check should be sent to a different location. See the
"check-ssl" <http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#check-ssl>
option to force SSL health checks.
On 30-4-2013 14:47, Chris Sarginson wrote:
Are there any plans to allow HAProxy to take the traffic that it can
now SSL offload, perform header analysis, and then use an SSL
encrypted connection to the backend server?
I have a situation where I need to be able to use ACLs against SSL
encrypted traffic, but then continue passing the traffic to the
backend over an encrypted connection. This is specifically a security
concern, rather than an issue with poor code.
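
A configuration sketch for the setup discussed in this thread, added here as an example and not taken from either poster or from the HAProxy documentation. All names, addresses and file paths are constructed, and the "verify" and "ca-file" server keywords assume a HAProxy release that supports them.

```haproxy
# Added example: every name, address and path below is constructed.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # TLS is terminated here, so HAProxy sees the decrypted HTTP request.
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # ACLs can now match on the headers and path of the decrypted request.
    acl is_admin   path_beg /admin
    acl admin_host hdr(host) -i admin.example.com
    use_backend admin_servers if is_admin admin_host
    default_backend app_servers

backend app_servers
    # "ssl" re-encrypts the connection to the server. Without verification
    # the server certificate is not checked, so anyone on the path between
    # HAProxy and the server can impersonate the backend.
    # Health checks ("check") are sent over SSL as well.
    server app1 192.0.2.10:443 ssl verify none check

backend admin_servers
    # Assumes a release with the "verify" and "ca-file" server keywords:
    # the backend certificate must chain to a CA that you control,
    # otherwise the connection is refused.
    server admin1 192.0.2.20:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem check
```

Validate the file with `haproxy -c -f <file>` before reloading; the two backends differ only in whether the server certificate is authenticated.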