Access Proxy, Authentication, Encryption, Questions…

Hello,

I’m a CE user who currently uses HAProxy as an HTTPS router.

HAProxy is in front and re-routes TLS requests based on the SNI field.

In this situation the TLS stream is end to end between the client and the final server, which is what we wanted initially: end-to-end TLS encryption for all services.

I’ve read that HAProxy Enterprise is also able to do SAML authentication and so redirect incoming requests to the end server only when authentication is OK.

That is a great improvement over our current situation.

But if I understand well, this works only if HAProxy is able to decrypt the incoming TLS.

This means our proxy creates a decryption gap at the edge of the network, and adds configuration complexity (two TLS certificates are needed for the same hostname, one at the proxy and one at the internal service).

I’m not really comfortable with that idea. This looks like a SPOF where all incoming traffic could be eavesdropped.

So I have two questions:

  • Is your security posture to use HAProxy as the TLS endpoint, and why do you think it’s OK versus end-to-end encryption?
  • Are there (with CE or Enterprise) capabilities that allow us to keep TLS E2E but still have some initial kind of authentication / access control? (Any kind would do: Kerberos, certificate-based, SAML, OIDC, whatever allows us to limit access.)

Cheers

Different goals can be achieved with different methods. We can’t evaluate the pros and cons for you, we don’t even know your threat model.

No, you can re-encrypt on the other side, if that’s what you want.

There is no way to maintain end-to-end encryption but at the same time accessing and modifying layer 7.

Either you trust haproxy to do layer 7 stuff or you do not. But you can’t have your cake and eat it too. And you can re-encrypt your backend traffic just as you can encrypt the frontend traffic, so you only open “decryption gaps” in your network if that is what you actually want.
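As an added illustration of the trade-off described in this thread (example configuration, not from either poster), here are the two HAProxy modes side by side: SNI passthrough in TCP mode, which keeps TLS end to end but allows no layer-7 access control, and TLS termination with a layer-7 gate followed by re-encryption to the backend. Hostnames, ports, addresses and certificate paths are placeholders.

```haproxy
# (a) TCP-mode SNI passthrough: the TLS stream stays end to end; HAProxy
#     reads only the ClientHello and can neither see nor authenticate at L7.
# (b) HTTP-mode termination plus re-encryption to the backend, so plaintext
#     exists only inside the proxy process, never on the wire.
# Hostnames, addresses and certificate paths are placeholders.

global
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# (a) Passthrough: route on SNI, never decrypt
frontend tls_passthrough
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_app_passthrough if { req.ssl_sni -i app.example.com }
    default_backend be_reject

backend be_app_passthrough
    mode tcp
    server app1 10.0.0.10:443

backend be_reject
    mode tcp
    tcp-request content reject

# (b) Terminate, enforce access control at layer 7, then re-encrypt
frontend tls_terminate
    mode http
    bind :8443 ssl crt /etc/haproxy/certs/app.example.com.pem ca-file /etc/haproxy/client-ca.pem verify optional
    # Layer-7 gate: only requests carrying a client cert that verified
    # against client-ca.pem pass; other auth methods would sit here too.
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }
    default_backend be_app_reencrypt

backend be_app_reencrypt
    mode http
    # ssl + verify required: HAProxy checks the backend certificate against
    # the internal CA, so the proxy-to-app hop is encrypted and authenticated
    server app1 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem sni str(app.example.com)
```

In (a) the proxy can route but not inspect or authenticate; in (b) the only place the traffic exists in clear is the HAProxy process memory, and the backend hop is authenticated by certificate verification rather than merely encrypted.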