Hi Chriss,

That seams possible already.?.
If you have the configuration for SSL offloading configured already all you need to add is the "ssl" option to your backend servers.

---------------------- http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2 ----------------------
*ssl <http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5-ssl>*

This option enables SSL ciphering on outgoing connections to the server. At
the moment, server certificates are not checked, so this is prone to man in
the middle attacks. The real intended use is to permit SSL communication
with software which cannot work in other modes over networks that would
otherwise be considered safe enough for clear text communications. When this
option is used, health checks are automatically sent in SSL too unless there
is a "port  <http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#port>" or 
an"addr  <http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#addr>" directive 
indicating the check should be sent to a
different location. See the "check-ssl  
<http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#check-ssl>" optino to 
force SSL health checks.


Op 30-4-2013 14:47, Chris Sarginson schreef:

Are there any plans to allow HAProxy to take the traffic that it can now SSL offload, perform header analysis, and then use an SSL encrypted connection to the backend server?

I have a situation where I need to be able to use ACLs against SSL encrypted traffic, but then continue passing the traffic to the backend over an encrypted connection. This is specifically a security concern, rather than an issue with poor code.


Reply via email to