HAProxy SSL termination with re-encryption on self-signed cert?

After 10 hours of debugging I am lost and hope someone can clarify this for me. I have probably read the right answer several times already, or was close to “it works”…

My setup is simple:
I have two web servers with self-signed certs and they're running fine internally.



To make them reachable over WAN I wanted to utilize HAProxy (v1.8) with Let's Encrypt certificates for public web access.


The following domain certs are created via Let's Encrypt and stored in the ssl folder.

And from then on it wasn't working even once:
I can't reach a site through the HAProxy address; I run either into 503 or connection refused errors. I started to strip and change a lot in my HAProxy config file. This is how it looks now:

```
frontend main
  bind :80
  bind :443 ssl crt /path/to/ssl.pem
  redirect scheme https if !{ ssl_fc }
  # hdr(host) ACLs require HTTP mode ("mode http" here or in a defaults section)
  acl isapp1 hdr(host) -i app1.public.net
  acl isapp2 hdr(host) -i app2.public.net
  use_backend bapp1 if isapp1
  use_backend bapp2 if isapp2

backend bapp1
  description my shiny app server is so shiny
  # note: backend port is 433, not 443; "check-ssl" without "check" does not enable health checks;
  # "verify none" disables validation of the backend's certificate
  server app1 XXX.XXX.XXX.XXX:433 check-ssl ssl verify none
  option http-no-delay
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend bapp2
  description a second shiny tower somewhere between bits and bytes
  # same port (433) and "verify none" as above
  server app2 XXX.XXX.XXX.XXX:433 check-ssl ssl verify none
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

listen haproxy-stats
  bind :8080
  mode http
  option forwardfor
  option httpclose
  stats enable
  stats show-legends
  stats refresh 10s
  stats uri /stats
  stats realm Haproxy\ Statistics
  stats auth someuser:somepassphrase
  stats admin if TRUE
```

I would love to get some help here on what I am missing, I don't want to spend another night on it :smiley:

There is also more to consider: why do I terminate SSL 2x?
I usually encrypt most of my internal traffic with SSL, but does this re-encryption bring some drawbacks apart from the performance impact of SSL?

Is there any advantage in how SSL termination is done on nginx or HAProxy?
Something to consider security-wise?

I love the idea of managing just a single machine with all certs on it, but since I deploy SSL certs with Ansible I don't care that much.

Is it maybe better to generate the Let's Encrypt certs on the backends and let HAProxy run in TCP reverse-proxy mode?

A lot of questions for a first post, and a happy hello to all the proxy nerds :wink:

Thanks in advance
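For reference, the two deployment models asked about in the post, written out as an added example (this is not the poster's config and not taken from the HAProxy project): model A terminates TLS on HAProxy with the Let's Encrypt cert and re-encrypts to the backends while actually verifying their self-signed certs, and model B leaves TLS on the backends and routes raw TLS by SNI in TCP mode. Assumptions: HAProxy 1.8, the backends listen on 443, the internal hostnames `app1.internal`/`app2.internal` and the trust store `/etc/haproxy/internal-ca.pem` (a PEM bundle containing the backends' self-signed certificates, which act as their own trust anchors) are placeholders, and `XXX.XXX.XXX.XXX` stands for the backend addresses as in the post.

```haproxy
global
  # refuse legacy protocol versions on both the public and the backend side
  ssl-default-bind-options ssl-min-ver TLSv1.2
  ssl-default-server-options ssl-min-ver TLSv1.2

defaults
  mode http                      # hdr(host) routing below needs HTTP mode
  option forwardfor              # pass the client IP to the backends
  timeout connect 5s
  timeout client 30s
  timeout server 30s

# ---- Model A: terminate with the Let's Encrypt cert, re-encrypt to backends ----
frontend main
  bind :80
  bind :443 ssl crt /path/to/ssl.pem
  http-request redirect scheme https unless { ssl_fc }
  acl isapp1 hdr(host) -i app1.public.net
  acl isapp2 hdr(host) -i app2.public.net
  use_backend bapp1 if isapp1
  use_backend bapp2 if isapp2
  default_backend bapp1

backend bapp1
  # headers the app needs to build correct absolute URLs behind the proxy
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Forwarded-Port %[dst_port]
  # "verify required" + ca-file: HAProxy rejects a backend presenting any other cert,
  # so a spoofed internal host cannot silently receive decrypted traffic.
  # ca-file path and hostname are assumptions for this example.
  server app1 XXX.XXX.XXX.XXX:443 ssl verify required \
      ca-file /etc/haproxy/internal-ca.pem verifyhost app1.internal \
      sni str(app1.internal) check check-ssl

backend bapp2
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Forwarded-Port %[dst_port]
  server app2 XXX.XXX.XXX.XXX:443 ssl verify required \
      ca-file /etc/haproxy/internal-ca.pem verifyhost app2.internal \
      sni str(app2.internal) check check-ssl

# ---- Model B: TLS stays on the backends, HAProxy routes by SNI in TCP mode ----
# (use a different bind port or a separate HAProxy instance; :443 is taken above)
frontend tls-passthrough
  mode tcp
  bind :8443
  # wait for the ClientHello so req_ssl_sni is populated before routing
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend tapp1 if { req_ssl_sni -i app1.public.net }
  use_backend tapp2 if { req_ssl_sni -i app2.public.net }

backend tapp1
  mode tcp
  server app1 XXX.XXX.XXX.XXX:443 check

backend tapp2
  mode tcp
  server app2 XXX.XXX.XXX.XXX:443 check
```

The security difference between the two models is where the plaintext exists: in model A the proxy sees every request, which is what makes host-header routing, header injection and the stats page possible, so the hop to the backend must be authenticated (`verify required`, not `verify none`) or the second TLS layer adds cost without adding trust. In model B HAProxy never holds a private key for the public names and cannot inspect or rewrite HTTP, so `X-Forwarded-*` headers and `hdr(host)` ACLs are unavailable and the Let's Encrypt certs have to be issued and renewed on each backend instead.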