HAProxy SSL Offloading for non-HTTPS services (IMAP, SSH, etc.)



  • Howdy, I'm looking to use pfSense with the ACME cert package to manage my domain's Let's Encrypt certificate and be the public face of my domain so I don't have to worry about the short renewal period of the cert.

    I've configured HAProxy to do SSL offloading for the HTTPS service (and proxy to the server's HTTPS port), and that's working exactly as I would expect. Just configuring a transparent SSL proxy to the TCP services is also working. The problem occurs when I configure those frontends to use SSL offloading. At that point, there are SSL handshake errors when attempting to connect to those services.

    From the documentation it seems like this kind of setup should work given that the frontend offload certificate is valid, the backend is configured as 'ssl on' and the frontend type is set to 'ssl/https (tcp)'.

    Any ideas on something I'm missing? It doesn't feel like a problem with HAProxy running into issues offloading onto another SSL connection to the backend (it works for HTTPS).

    Any suggestions are much appreciated!
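
    For reference, here is a hand-written haproxy.cfg sketch of the two setups the post contrasts, applied to an IMAPS service: plain TCP pass-through versus TLS offload on the frontend with re-encryption to the backend. This is an added example, not the poster's configuration and not the file the pfSense HAProxy package generates from its GUI; the certificate path, backend address, backend hostname and port numbers are assumptions.

```haproxy
# Added example, not from the original post or the pfSense HAProxy package.
# Assumed: HAProxy 2.x; the ACME client has written key + full chain to
# /etc/haproxy/certs/mail.example.com.pem; the mail server listens for
# implicit-TLS IMAPS on 10.0.0.5:993 with a certificate for mail.internal.example.

global
    # Sane minimums for the client-facing (terminated) side
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode    tcp                 # IMAP is not HTTP; no HTTP parsing anywhere
    option  tcplog
    timeout connect 5s
    timeout client  10m         # IMAP IDLE keeps sessions open for minutes
    timeout server  10m

# --- Case 1: transparent pass-through (the setup the post says already works) ---
# HAProxy forwards the raw TLS stream. The backend presents its own certificate
# to the client, so the Let's Encrypt certificate on the proxy plays no role here.
frontend imaps_passthrough
    bind :994                   # arbitrary example port for the pass-through variant
    default_backend imaps_passthrough_be

backend imaps_passthrough_be
    server imap01 10.0.0.5:993 check

# --- Case 2: TLS offload on the frontend, re-encrypt towards the backend ---
# Clients complete their TLS handshake with HAProxy and see the Let's Encrypt
# certificate; HAProxy then opens a second, independent TLS session to the backend.
frontend imaps_offload
    bind :993 ssl crt /etc/haproxy/certs/mail.example.com.pem
    default_backend imaps_offload_be

backend imaps_offload_be
    # "ssl"             : speak TLS to the server (the GUI's "SSL" / 'ssl on' setting)
    # "verify required" : actually validate the backend certificate against ca-file,
    #                     so the proxy-to-server hop is not a silent MITM point
    # "sni str(...)"    : send a server name the backend certificate matches
    # "check check-ssl" : health checks use TLS as well, not a plaintext probe
    server imap01 10.0.0.5:993 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(mail.internal.example) check check-ssl
```

    Two caveats worth checking against this sketch. First, `ssl` on the `server` line starts a TLS handshake the moment the backend connection opens, so the backend port must speak implicit TLS (993 for IMAPS, 995 for POP3S); a port that expects plaintext followed by STARTTLS (143, 110, 25) will not complete that handshake. Second, SSH is not TLS-based at all, so a TLS-terminating frontend cannot be put in front of sshd; only the pass-through form (case 1) applies to it. `haproxy -c -f /path/to/haproxy.cfg` validates the file, and `openssl s_client -connect <proxy>:993 -servername mail.example.com` shows which certificate the client is actually being handed.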