HAProxy community

Need some guidance on how to set up HAProxy with SSL port 6443 and serving as a browser proxy

I am new to HAProxy and using a docker image from


My requirement is that HAProxy is to function as a browser’s proxy, such that I will set HAProxy’s IP and port 6443 as an HTTP/HTTPS proxy in the manual proxy settings in the Firefox browser.

Now in the browser I want to put a URL - https://123-10.1.2.3:8443/index.html
such that the request first lands on the HAProxy IP and port 6443,
and then I want to navigate to my servers based on the Host requests received:
say Host is 123-10.1.2.3:8443, navigate to backend server 11.1.2.3:8443
say Host is 456-10.4.5.6:8443, navigate to backend server 11.4.5.6:8443

Note: All IPs are just examples.

I have my config as below, but I keep getting SSL handshake errors as soon as I type anything in the browser (after setting the manual proxy). Any help is appreciated.

global
    maxconn 50000
    log /dev/log local0
    log /dev/log local1 notice
    user haproxy
    group haproxy
    ssl-default-bind-ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+RC4+SHA:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256:DHE+aRSA+AES128+SHA:RC4+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-server-verify none
    stats socket /run/haproxy/admin.sock user haproxy group haproxy mode 660 level admin

defaults
    timeout connect 60s
    timeout client 120s
    timeout server 120s
    timeout tunnel 1h
    timeout http-keep-alive 5s
    timeout http-request 15s
    timeout queue 15s
    timeout tarpit 15s
    default-server inter 3s rise 2 fall 3
    log global
    mode http
    option httplog

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if LOCALHOST

frontend ssl
    # This is a Let’s Encrypt certificate which contains cert + key together in one file
    bind *:6443 ssl crt /usr/local/etc/haproxy/cert.pem
    mode http
    use_backend backend_123 if { hdr(host) -i 123-10.1.2.3:8443 }
    use_backend backend_456 if { hdr(host) -i 456-10.4.5.6:8443 }

backend backend_123
    mode http
    server srvr_123 11.1.2.3:8443 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend_456
    mode http
    server srvr_456 11.4.5.6:8443 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

That’s not what HAProxy does. HAProxy is a reverse proxy, not a forward proxy.

You need to use Squid or tinyproxy instead.
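
Added example, not part of the original thread and not HAProxy code: a browser pointed at a manual HTTP/HTTPS proxy opens the connection in plaintext and sends `CONNECT host:port` for an https URL, while a `bind ... ssl` listener expects a TLS ClientHello as the first bytes, which is where the handshake errors come from. The sample byte strings and the function names below are constructed for illustration.

```python
# Added example (not from the thread): classify the first bytes a client
# sends on a new TCP connection, to show why a TLS listener rejects a
# browser that has been pointed at it as a manual HTTP/HTTPS proxy.

# Constructed sample: what a browser sends to a manually configured proxy
# when the user opens https://123-10.1.2.3:8443/index.html
PROXY_CONNECT = (b"CONNECT 123-10.1.2.3:8443 HTTP/1.1\r\n"
                 b"Host: 123-10.1.2.3:8443\r\n\r\n")
# Constructed sample: start of a TLS record carrying a ClientHello
# (record type 0x16, version 0x0301, length, handshake type 0x01).
TLS_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
# Constructed sample: an ordinary request as a reverse proxy sees it after TLS.
ORIGIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 123-10.1.2.3:8443\r\n\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol that opened the connection."""
    # TLS handshake record: content type 0x16, major version 0x03,
    # and the first handshake message is ClientHello (0x01).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    request_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "unknown"
    method, target, _version = parts
    if method == "CONNECT":
        return "forward-proxy-connect"       # authority-form target host:port
    if target.startswith(("http://", "https://")):
        return "forward-proxy-absolute-uri"  # absolute-form, sent only to proxies
    return "origin-form-http"                # path only, what a server expects


def tls_bind_accepts(data: bytes) -> bool:
    """A listener declared with 'ssl' can only proceed on a ClientHello."""
    return classify_first_bytes(data) == "tls-client-hello"


if __name__ == "__main__":
    for name, sample in [("browser via manual proxy", PROXY_CONNECT),
                         ("direct TLS client", TLS_CLIENT_HELLO),
                         ("plain HTTP request", ORIGIN_REQUEST)]:
        print(f"{name:26} {classify_first_bytes(sample):28} "
              f"tls_bind_accepts={tls_bind_accepts(sample)}")
```

The same classification can be applied to the first bytes seen in a packet capture on port 6443 to confirm which kind of client is connecting.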