Reverse SSL offloading configuration


Was wondering if it’s possible to use Haproxy in the following configuration.

Client  --------------------> Haproxy -----------------------> Server (not controlled by me)
          Internal Network              Internet
          TLS 1.0 Only                  TLS 1.2

In other words, I have a computer that needs to make outgoing connections using TLS 1.2, but it is only capable of TLS 1.0. I want to use haproxy to intercept and re-encrypt using TLS 1.2.

Any thoughts? Thanks!


Yes, you can, just specify the ssl keyword on both sides. If you want to verify the server certificate, make sure you set the ca-file.


Hi Lukas,

Thank you for your response. I presume you are suggesting I specify the remote server as the backend in Haproxy terms? I can do this, and it does work, but there are some problems. Ideally I’d like the client (my computer) to be able to initiate a a connection to any TLS 1.2 server not just the backend. I don’t see a way to do this because I am limited to the remote that I set as backend. Also, Haproxy seems to create a persistant connection to the backend regardless of whether I set it to force-close mode or not. Because I don’t control the remote computer, I’d prefer to only connect to it when I’m using it.

Thanks again.


Something can be done with option http_proxy, but really haproxy is not made for this use case:

I suggest you look elsewhere for this functionality.

On the mailing list, exaproxy was mentioned once (I didn’t use it myself though):


Thanks again! I’ll look in to it.