I’m a CE user who currently uses HAProxy as an HTTPS router.
HAProxy is in front and re-routes TLS requests based on the SNI field.
In this situation the TLS stream is end to end between the client and the final server, which is what we wanted initially: end-to-end TLS encryption for all services.
I’ve read that HAProxy Enterprise is also able to do SAML authentication and so redirect incoming requests to the end server only when authentication is OK.
Which is a great improvement over our current situation.
But if I understand well, this works only if HAProxy is able to decrypt incoming TLS.
Which means our proxy creates a decryption gap at the edge of the network, and adds configuration complexity (with two TLS certs needed for the same hostname, one at the proxy and one at the internal services).
I’m not really comfortable with that idea. This looks like a SPOF where all incoming traffic could be eavesdropped.
So I have two questions:
- what is your security posture on using HAProxy as the TLS endpoint, and why do you think it’s OK versus end-to-end encryption?
- are there (with CE or Enterprise) capabilities that allow us to keep TLS E2E but still have some initial kind of authentication / access control? (any kind can be handled: Kerberos, certificate based, SAML, OIDC, whatever allows us to limit access)
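The two setups discussed above side by side, as an added HAProxy configuration example (not the poster's own config): SNI passthrough, where the proxy never holds a key and can only decide on the SNI it sees in the ClientHello, and termination with re-encryption to a verified backend, which is what request-level authentication needs. Hostnames, addresses, file paths and the ports are placeholders chosen so both frontends can coexist in one file.

```haproxy
# Variant A: SNI-based TCP passthrough (the setup described in the post).
# HAProxy never holds a private key; the TLS session is end to end.
# Consequence: no HTTP visibility, so no SAML/OIDC decision can be made here.
frontend tls_passthrough
    mode tcp
    bind :443
    # Wait (up to 5s) for the ClientHello so req.ssl_sni is populated.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Access control that is still possible at this layer: drop connections
    # whose SNI is not on the allow-list instead of forwarding them.
    tcp-request content reject unless { req.ssl_sni -i -f /etc/haproxy/allowed_sni.lst }
    use_backend be_app1 if { req.ssl_sni -i app1.example.com }
    use_backend be_app2 if { req.ssl_sni -i app2.example.com }

backend be_app1
    mode tcp
    server app1 10.0.10.11:443 check

backend be_app2
    mode tcp
    server app2 10.0.10.12:443 check

# Variant B: TLS termination at the proxy (what request-level auth needs).
# The proxy holds the certificate and sees plaintext HTTP, so it can make
# per-request decisions. The second hop is re-encrypted and the backend
# certificate is verified against an internal CA, so the plaintext exists
# only inside the proxy process, not on the wire.
frontend tls_terminate
    mode http
    bind :8443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    use_backend be_app1_reencrypt if { req.hdr(host) -i app1.example.com }

backend be_app1_reencrypt
    mode http
    # sni passes the client's Host header to the backend TLS handshake so the
    # backend presents (and HAProxy verifies) the matching certificate.
    server app1 10.0.10.11:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem sni req.hdr(host) check
```

In variant A the only inputs HAProxy can act on are the SNI and the client address, so any authentication must happen at the application itself; in variant B the proxy becomes a point where plaintext is present and must be hardened and audited accordingly.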