
Replacing Amazon LoadBalancers with HAProxy servers, forwarding secure HTTPS to non-secure HTTP


Right now, I have deployed some Amazon Elastic Load Balancers just because I'm using the free AWS SSL certificate for the domain *.mycompany.cxx. So, when a user opens https://service.mycompany.cxx, a load balancer forwards the request over a non-secure HTTP connection to a back-end server's port 80.

I would like to replace those Amazon load balancers with one EC2 instance running HAProxy. Don't worry about performance because it's for a development environment.

This is the idea:

  • Buy a new SSL certificate for my domain *.mycompany.cxx
  • Configure HAProxy in the same way: it should receive HTTPS requests on port 443 and forward them to port 80 of different back-end servers. The users will always be connected with HTTPS. Behind the HAProxy server, the connections will be HTTP.

I know how to configure everything except forwarding from HTTPS to HTTP. I don't even know if that's possible, and that is my question. Is it possible to do that?

EDIT: the name of this kind of proxy is SSL Termination Proxy (Wikipedia, DigitalOcean). Thanks @MarkB


Solution

  • Yes, it's possible.

    To make HAProxy accept HTTPS clients and forward their requests to a local non-HTTPS server listening on port 8080, you may have something like this:

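    frontend https
        mode http
        maxconn 1000
        # TLS terminates here; HAProxy needs the private key alongside this certificate chain
        bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/fullchain.pem
        # Pass the client IP to the back end in X-Forwarded-For
        option forwardfor
        # reqadd was removed in HAProxy 2.1; set-header also overwrites any client-sent value
        http-request set-header X-Forwarded-Proto https
    
        use_backend app
    
    backend app
        mode http
        # Plain HTTP to the local application
        server srv-app 127.0.0.1:8080 check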
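
An added example, not part of the original question or answer: the same TLS termination extended to the question's layout, with one wildcard certificate and several back-end servers on port 80 selected by host name. The host name `other.mycompany.cxx`, the `10.0.1.x` addresses, the back-end names and the certificate file name are placeholders.

```haproxy
# Added example; host names, addresses and file names are placeholders.
global
    # Refuse TLS versions older than 1.2 on every bind line
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind :80
    # Never serve users over clear text; send every request to HTTPS
    http-request redirect scheme https code 301

frontend https_in
    # One PEM file holding the wildcard certificate, its chain and the private key
    bind :443 ssl crt /etc/haproxy/certs/wildcard.mycompany.cxx.pem
    # Pass the client IP to the back end in X-Forwarded-For
    option forwardfor
    # set-header replaces whatever the client sent, so back ends can rely on it
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000"

    # Pick the back end from the Host header
    use_backend be_service if { hdr(host) -i service.mycompany.cxx }
    use_backend be_other   if { hdr(host) -i other.mycompany.cxx }
    # Requests for any other host match no rule and get a 503

backend be_service
    # Plain HTTP from the proxy to the back-end server
    server service1 10.0.1.10:80 check

backend be_other
    server other1 10.0.1.20:80 check
```

Because the hop behind the proxy is unencrypted, the back-end instances' security group should accept port 80 only from the HAProxy instance; a client that reaches a back end directly bypasses TLS and can send its own `X-Forwarded-Proto` header.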