Is it possible to use HAProxy for transparent mTLS in tcp mode?

Hi folks,

I’m trying to solve the following problem: I have a third party distributed database application that doesn’t support encrypted traffic and I would like to set up a transparent proxy so that traffic can be routed through it on both ends and handle mTLS (both sides present and validate certificates) for both client-server and server-server communication.

I’ve been trying to use iptables and HaProxy to do this and my idea was to route incoming traffic to the original database port to HaProxy for server side mTLS (present server certificate, validate client certificate), while preserving the original caller IP for tracking and route outgoing traffic to the original database (remote) port locally to HaProxy as well, to perform client side mTLS (present client certificate, validate server certificate).

Is it possible to do this with HAProxy? Most tutorials I’ve seen online are about doing transparent proxying for remote clients and servers, so I’d appreciate any help or pointers.

You can only preserve the remote IP if your backend servers actually support the PROXY protocol. Otherwise you will see the IP of the last haproxy instance.

Regarding mTLS sure, haproxy is flexible.

The first haproxy layer would roughly look like this:

frontend dbclients
    mode tcp
    bind :1234
    default_backend backend_sslify

backend backend_sslify
    mode tcp
    # present the client certificate, require and verify the server certificate
    server haproxy-second-layer 192.168.50.123:41234 ssl verify required ca-file /path/to/cafile crt /path/to/client-certificate

The second haproxy layer would probably look like this:

frontend desslify
    mode tcp
    # present the server certificate, refuse peers without a certificate signed by the CA
    bind 192.168.50.123:41234 ssl crt /path/to/server.crt verify required ca-file /path/to/ca-file
    default_backend backend_db

backend backend_db
    mode tcp
    server actualdb 127.0.0.1:1234

If your db server supports the proxy protocol, add send-proxy to retain the source IP.

My backend didn’t support the proxy protocol, but I was actually able to preserve the source IP using TPROXY.
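An added example, not from this thread, that pulls the two layers together in tcp mode with mTLS in both directions and adds HAProxy's transparent binding (`source 0.0.0.0 usesrc clientip`) on the database side, which is the assumed mechanism behind the TPROXY remark in the follow-up. Addresses, ports and certificate paths are the answer's, except the database host 192.168.50.10, which is constructed; the kernel routing in the comments is the standard HAProxy transparent-proxy recipe and assumes the database host routes its replies to clients back through the second HAProxy box.

```haproxy
# Added example (not from the thread): both layers shown in one file for readability;
# in practice layer 1 runs beside the database client and layer 2 beside the server.

defaults
    mode tcp                   # the database protocol is opaque: never http mode
    timeout connect 5s
    timeout client  1h         # database sessions are long-lived
    timeout server  1h

# ---- Layer 1 (client host): plaintext in, mTLS out ----
frontend dbclients
    bind :1234
    default_backend backend_sslify

backend backend_sslify
    # present the client certificate, require a server certificate signed by the CA
    server haproxy-second-layer 192.168.50.123:41234 ssl ssl-min-ver TLSv1.2 verify required ca-file /path/to/cafile crt /path/to/client-certificate

# ---- Layer 2 (server host): mTLS in, plaintext out with the original client IP ----
frontend desslify
    # present server.crt, refuse any peer without a certificate signed by the CA
    bind 192.168.50.123:41234 ssl ssl-min-ver TLSv1.2 crt /path/to/server.crt verify required ca-file /path/to/ca-file
    default_backend backend_db

backend backend_db
    # Connect to the database using the original client's IP as the source address,
    # so the database records the real caller without PROXY protocol support.
    # Requires an HAProxy build with TPROXY support and CAP_NET_ADMIN (or root).
    # Assumed kernel side (standard HAProxy transparent-proxy recipe), so that the
    # database's replies to that client address come back through this box:
    #   ip rule add fwmark 1 lookup 100
    #   ip route add local 0.0.0.0/0 dev lo table 100
    #   iptables -t mangle -N DIVERT
    #   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    #   iptables -t mangle -A DIVERT -j MARK --set-mark 1
    #   iptables -t mangle -A DIVERT -j ACCEPT
    # The database host (constructed address below) must route to the clients
    # via this HAProxy box, otherwise its replies bypass the proxy and the
    # connection never completes.
    source 0.0.0.0 usesrc clientip
    server actualdb 192.168.50.10:1234
```

Check the chain by connecting to 192.168.50.123:41234 without a client certificate: the handshake must fail, and the database's connection log must show the client's address rather than the proxy's.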