HAProxy TLS interception

Hello guys,

I’m currently working on a research project. Therefore, I need to intercept the HTTPS traffic between client and server. I’m trying several things out, but I’m not sure if HAProxy is the right choice for this.

So, for example, when someone browses to example.com, I want the proxy (HAProxy?) to establish a connection with the server example.com and a connection with the client. Based on the server certificate, it needs to sign a new certificate for the client with my own Root CA. So that way, the proxy can decrypt all traffic going back and forward. The clients need to be able to do their internet browsing as they are used to, so requests need to be forwarded to the original destination.

So the proxy server decrypts the traffic where the traffic comes in and lets the other end re-encrypt it before going out to the original destination.

Below my current config. I can’t seem to find out if it’s possible with HAProxy and how.


This is what I see in my logs:

Please reply if you can help me out (or perhaps tell me it’s impossible). I can give more information on request.

Thanks in advance.

server secure needs ssl verify none

Hi Lukas, thanks for replying. If I’m understanding correctly; ssl verify none is needed because of my custom made root CA?

I’m still not sure about how to achieve the following (I changed my initial post with some extra clarifying info about what I’d like to achieve): HTTPS traffic enters the proxy, the proxy needs to decrypt it (from both server and client side). The other end of the proxy, where the traffic will be sent to its destination, needs to re-encrypt the traffic before doing so.
This is achieved by the proxy who has a secure connection with the client (and his own signed certificate) on one side, and on the other side a secure connection with the server that the client would normally have.

Hope it’s clear enough to understand, sorry if I’m asking too much.

No, it is needed because the traffic from haproxy to the destination servers needs to be SSL encrypted. The ssl keyword does this. You need verify none, because haproxy won’t be able to verify the server certificate with the correct hostname, because the hostname haproxy is looking at would be I believe. Also you’re probably not using a ca-file with all the root certificates needed on the Internet, so there’s that too.

You probably also need to set the SNI value for many websites. sni req.hdr(host) on the server line would do this.

No, I’m not using a ca-file with all the root certificates on the internet. Is it possible for haproxy to get the certificate from the domain I’m visiting? HAProxy should be able to generate its self-signed certificate for the client “on the fly”, based on the server certificate it gets, right (in order to get my plan working)?

I’ve edited my config to this:

I added a ca-file with all root certificates from mozilla.

Right now I’m able to curl and get a valid 200 http response back (also seen in the haproxy log). The curl command I’m doing:
curl --insecure --connect-to www.facebook.com:443:[proxyip]:[proxyport] https://www.facebook.com

But when I try via the firefox browser with the proxy settings enabled:

That doesn’t make sense. You may as well use “verify none” at this point. If you want verification, point the ca-file to your root-ca-file that you have on the filesystem anyway (for browser, etc). But haproxy doesn’t know the hostname

That’s what generate-certificates does.

There is no point in doing so, verify none is needed anyway.

That’s wrong. Haproxy is not a forwarding HTTP or SOCKS proxy. Haproxy is a reverse proxy.

If you want to use Firefox, you need to disable DoH in Firefox and point www.facebook.com to haproxy in your hosts file.


Thank you very much again for your answers, I really appreciate it. I’m feeling kinda stupid since I’m new to HAproxy, sorry for asking so much (and perhaps silly) stuff.

That sounds like the thing I need! Do you have an example of how that would look in my haproxy.cfg file, in order to serve my client a certificate that is signed by my own CA? I see that it’s a bind or server option but I’m not sure how to exactly write it down, combined with the ca-sign-file I will need.

I need to have a proxy setup that doesn’t need any client-sided configuration (transparent). Is it possible to forward traffic from my clients via a PfSense firewall to the proxy and vice versa?

You need to combine it with ca-sign-file, which needs to point to your CA + key.

Yes, that’s the point: a forward HTTP or SOCKS proxy is NOT what you want, and it is also not what Haproxy is. You can divert via DNS or Layer4 redirection, sure.


Thanks for the help so far, Lukas. I got it working so far with the haproxy config. Thank you very much.
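A minimal haproxy.cfg of the kind this thread converges on (generate-certificates plus ca-sign-file on the bind line, re-encryption with sni on the server line), added here as an example and not the poster's or Lukas's own config. The certificate paths under /etc/haproxy/certs/, the resolver address and the section names are assumptions; it also goes a step beyond the thread's fixed-destination setup by resolving the origin from the Host header with do-resolve, which only works in a DNS-diverted lab if that resolver returns the real address rather than the proxy's.

```haproxy
# Added example (not from the thread). Assumed files:
#   /etc/haproxy/certs/default.pem  - fallback cert + key for the bind line
#   /etc/haproxy/certs/lab-ca.pem   - lab Root CA cert + key (must stay off client machines)
#   /etc/ssl/certs/ca-certificates.crt - public root bundle for verifying origins
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Must answer with the origin's real address, not the lab entry pointing at the proxy,
# otherwise the proxy forwards to itself. 10.0.0.53 is a placeholder.
resolvers labdns
    nameserver dns1 10.0.0.53:53
    accepted_payload_size 8192

frontend intercept
    # generate-certificates: mint a per-hostname certificate from the client's SNI,
    # signed by the CA in ca-sign-file; default.pem is used when no SNI is sent.
    bind :443 ssl crt /etc/haproxy/certs/default.pem ca-sign-file /etc/haproxy/certs/lab-ca.pem generate-certificates
    # Capture the Host header so the log shows which origin each request went to.
    http-request capture req.hdr(host) len 64
    default_backend origin

backend origin
    # Resolve the original destination from the Host header and send the
    # connection there, so no fixed server entry per site is needed.
    http-request do-resolve(txn.dst_ip,labdns,ipv4) req.hdr(host),lower
    http-request set-dst var(txn.dst_ip)
    # Re-encrypt towards the origin. With sni set, HAProxy checks the origin's
    # certificate against that name, so verification can stay on; "verify none"
    # (as discussed in the thread) would accept any certificate from the origin.
    server upstream 0.0.0.0:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni req.hdr(host)
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before starting; the do-resolve action needs HAProxy 2.0 or later.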