Try this, with at least this version (own build):
root@server5:~# haproxy -vv
HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau <w@1wt.eu>
Build options :
TARGET = linux2628
CPU = native
CC = gcc
CFLAGS = -O2 -march=native -g -fno-strict-aliasing
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Then try a configuration of this kind in haproxy:
listen ssl_relay 192.168.128.101:443
    # this only works with 1.5 haproxy: it accepts multiple SSL sites and sends
    # each off to the correct backend, which does the SSL termination.
    mode tcp
    balance roundrobin
    option tcplog
    option socket-stats
    # option ssl-hello-chk -> This is not needed anymore; in fact,
    # it needs to be off
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m
    # make sure we cover type 1 (fallback), although chances are it will
    # not route correctly, it will terminate on ssl
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded in 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    # intercept incoming TLS requests based on the SNI field
    use-server xtp2_83 if { req_ssl_sni -i proudsslsite.com }
    use-server xtp2_83 if { req_ssl_sni -i www.proudsslsite.com }
    use-server xtp2_84 if { req_ssl_sni -i myothersecuremasterpiece.net }
    use-server xtp2_84 if { req_ssl_sni -i www.myothersecuremasterpiece.net }
    server xtp2_83 192.168.128.1:483 weight 0
    server xtp2_84 192.168.128.2:484 weight 0
    # all the rest is forwarded to this server
    server xtp_default 192.168.128.3:443 check inter 10000 rise 2 fall 2
You just need to terminate the SSL on your webservers inside. So encrypt traffic all the way. This works for me.
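The answer above works because HAProxy in TCP mode only looks at the first bytes of the unencrypted ClientHello: the session ID length at record offset 43 (what `payload_lv(43,1)` reads) and the host name in the SNI extension (what `req_ssl_sni` reads). The following is an added example, my own code and not the answerer's or HAProxy's, that walks the same record layout. It builds a constructed ClientHello, extracts the session ID and SNI, and picks a server with a route table that mirrors the `use-server` rules above; the `build_client_hello`, `parse_client_hello` and `choose_server` names are mine, and the server names come from the posted config.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)


def build_client_hello(sni, session_id=b"", cipher_suites=(0xC02F, 0x002F)):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    random = bytes(range(32))  # deterministic 'random' so the example is reproducible
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    host = sni.encode("ascii")
    # SNI extension body: list length (2), name_type 0 = host_name (1), name length (2), name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03" + random                                  # client_version + random
        + bytes([len(session_id)]) + session_id               # session_id<0..32>
        + struct.pack("!H", len(suites)) + suites             # cipher_suites
        + b"\x01\x00"                                         # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions     # extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (session_id, sni) from a raw TLS record, or None if it is not a usable ClientHello."""
    try:
        if len(data) < 44 or data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
            return None
        record_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + record_len:
            return None  # incomplete record: haproxy keeps waiting, up to inspect-delay
        # offset 43 = 5 (record hdr) + 4 (handshake hdr) + 2 (version) + 32 (random)
        sid_len = data[43]
        if sid_len > 32:
            return None  # RFC 5246 caps session_id at 32 bytes; the stick-table uses len 32
        pos = 44
        session_id = data[pos:pos + sid_len]
        pos += sid_len
        suites_len = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2 + suites_len
        comp_len = data[pos]
        pos += 1 + comp_len
        sni = None
        if pos + 2 <= 5 + record_len:  # extensions are optional
            ext_total = struct.unpack("!H", data[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_total
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
                pos += 4
                if ext_type == EXT_SERVER_NAME and ext_len >= 5:
                    # skip list length (2) and name_type (1); read name length (2), then the name
                    name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                    sni = data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                pos += ext_len
        return session_id, sni
    except (IndexError, struct.error):
        return None  # truncated or malformed: treat like haproxy's "no match"


def choose_server(sni, routes, default="xtp_default"):
    """Mimic the use-server rules: case-insensitive (-i) exact SNI match, else the default server."""
    if sni is None:
        return default
    return routes.get(sni.lower(), default)


# Route table mirroring the use-server lines of the posted config.
ROUTES = {
    "proudsslsite.com": "xtp2_83",
    "www.proudsslsite.com": "xtp2_83",
    "myothersecuremasterpiece.net": "xtp2_84",
    "www.myothersecuremasterpiece.net": "xtp2_84",
}

if __name__ == "__main__":
    hello = build_client_hello("WWW.ProudSSLsite.com", session_id=bytes(16))
    sid, sni = parse_client_hello(hello)
    print(sid.hex(), sni, choose_server(sni, ROUTES))
```

Two things the parser makes visible that matter for this setup: a ClientHello without a session ID yields an empty key, so nothing is learned into the stick-table and the SNI rules alone decide the server; and a client that sends no SNI extension (old clients, or a raw IP connection) is indistinguishable from an unknown host and lands on `xtp_default`, which is why that server should carry a certificate that is acceptable as a fallback.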