HAProxy community

SSL Offloading & SSL Passthrough on same port with SNI

Hi everyone,

I’m desperately looking to solve the following problem, but was not able to find the solution on the internet. I was told by someone it should be possible to resolve, but no further hints have been given. That’s where you HAProxy Pros (hopefully) come into play :wink:

In case you can help me or point me to the right direction, please also let me know which HAProxy version I need to have in place to make it work.


  • I only have one public IP address
  • Got multiple backend servers
  • All backend services shall be made publicly available on Port 443
  • Based on the backend’s capabilities, I’m forced to SSL offload or passthrough


  • With the help of SNI, I want to define when an incoming traffic/request is SSL offloaded or SSL passthrough.


  • A.website.com Port 443 --> SSL offloading / termination to backend Server A on Port 80
  • B.website.com Port 443 --> SSL offloading / termination to backend Server B on Port 80
  • C.website.com Port 443 --> SSL passthrough to backend Server C on Port 443
  • D.website.com Port 443 --> SSL passthrough to backend Server D on Port 443

If you could provide me a simple HAProxy config with some details, which is able to achieve the outlined desired scenario, I would be greatly thankful.

Thanks in advance for your support,


Hi Sascha,
This is exactly what I do. Here is a guide I wrote a while back.

The haproxy.cfg should help you out.

A note that if any of the backend servers are using TLS you will need to change the config for the final backend config.
server server01 check
would become
server server01 check ssl verify none