Hello everyone! I am trying to configure the HAProxy Ingress Controller to perform TCP TLS termination on the Ingress and forward MQTT data to VerneMQ. For this use case, in order to correctly authenticate clients, I need to use Proxy Protocol V2 and pass the Common Name (CN) information.
On the client i get:
ERROR astarte_device_sdk::transport::mqtt::connection: error received from mqtt connection error=Connection refused, return code: NotAuthorized
and on the VerneMQ i see the following logs:
│ stdvmq-vernemq-0 2025-10-31T10:06:45.341194+00:00 [warning] <0.731.0> vmq_mqtt_fsm:check_user/2:737: can't authenticate client {[],<<"realm02/bJMmyr9iRLKCK │
I have already added the following configuration to VerneMQ, based on the resources listed below, but I'm still getting the same problem.
# Enable PROXY protocol on the plain TCP listener and, per the option name, use the
# certificate CN carried in that header as the MQTT username.
# NOTE(review): with both options on, the broker takes the client identity from the
# PROXY header sent by whichever peer connects to this listener, so the listener
# should only be reachable from the HAProxy pods (for example via a NetworkPolicy).
listener.tcp.proxy_protocol = on
listener.tcp.proxy_protocol_use_cn_as_username = on
From the logs, my guess is that the CN is still not used as username and connections cannot be authenticated. It looks like TLS termination and data forwarding is working since VerneMQ logs the device id (see logs above).
I’m sharing our current HAProxy and VerneMQ configuration here, hoping to start a discussion on the best way to achieve a working setup and identify any misconfigurations. If you can spot any problems and solutions, we’d be incredibly grateful.
TCP CR
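# TCP custom resource: HAProxy terminates TLS on port 8883 and forwards the
# stream to port 1883 of the astarte-vernemq Service.
# (Nesting restored; the listing as posted had lost its indentation.)
kind: TCP
metadata:
  annotations:
    ingress.class: haproxy
    haproxy.org/send-proxy-protocol: proxy-v2-ssl-cn
  name: mqtt-broker-ssl
  namespace: astarte
spec:
  - frontend:
      binds:
        # NOTE(review): this bind only sets `ssl` and `ssl_certificate` (the
        # server certificate). The rendered haproxy.cfg bind line accordingly has
        # no `ca-file` / `verify`, and HAProxy does not request a client
        # certificate unless `verify` is set on the bind. Without a verified
        # client certificate there is no CN for proxy-v2-ssl-cn to forward.
        # Confirm how the controller exposes client-certificate verification
        # (CA file + verify mode) for TCP CR binds.
        - port: 8883
          ssl: true
          ssl_certificate: astarte-tls-cert
      mode: tcp
      name: mqtt-tls-termination-8883
      tcplog: true
    name: mqtt-tls-termination
    service:
      name: astarte-vernemq
      port: 1883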
VerneMQ Service
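# VerneMQ Service targeted by the TCP CR.
# (Nesting restored; the listing as posted had lost its indentation.)
apiVersion: v1
kind: Service
metadata:
  annotations:
    # Asks the HAProxy controller to add a PROXY v2 header (with SSL info and
    # CN) on connections to this Service; the rendered backend shows this as
    # `send-proxy-v2-ssl-cn`.
    haproxy.org/send-proxy-protocol: proxy-v2-ssl-cn
  name: astarte-vernemq
  namespace: astarte
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    # NOTE(review): 1883 is the listener that receives the PROXY header. The
    # Service is ClusterIP, so it is not published externally, but any in-cluster
    # workload that can reach this port can still connect to it directly;
    # restrict ingress to the HAProxy controller pods if the CN in the header is
    # to be trusted for authentication.
    - name: mqtt
      port: 1883
      protocol: TCP
      targetPort: mqtt
    - name: mqtt-reverse
      port: 1885
      protocol: TCP
      targetPort: mqtt-reverse
    - name: webadmin
      port: 8888
      protocol: TCP
      targetPort: webadmin
  selector:
    app: astarte-vernemq
  type: ClusterIP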
HAProxy Ingress LoadBalancer service
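# LoadBalancer Service in front of the HAProxy ingress controller pods.
# (Nesting restored; the listing as posted had lost its indentation.)
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/neg: '{"ingress":true}'
    meta.helm.sh/release-name: haproxy-kubernetes-ingress
  labels:
    app.kubernetes.io/instance: haproxy-kubernetes-ingress
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubernetes-ingress
    app.kubernetes.io/version: 3.1.13
    helm.sh/chart: kubernetes-ingress-1.45.1
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 34.118.238.211
  clusterIPs:
    - 34.118.238.211
  externalTrafficPolicy: Local
  healthCheckNodePort: 31008
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - appProtocol: http
      name: http
      nodePort: 30560
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      nodePort: 31113
      port: 443
      protocol: TCP
      targetPort: https
    # NOTE(review): `stat` (1024) and `admin` (6060) are published on the same
    # external LoadBalancer as the application ports. The rendered stats
    # frontend shows no authentication directive, so consider dropping these
    # two ports from the public Service or limiting who can reach them (for
    # example with loadBalancerSourceRanges).
    - name: stat
      nodePort: 31447
      port: 1024
      protocol: TCP
      targetPort: stat
    - name: admin
      nodePort: 31228
      port: 6060
      protocol: TCP
      targetPort: admin
    # MQTT over TLS, terminated by the TCP CR frontend on 8883.
    - name: mqtts
      nodePort: 32169
      port: 8883
      protocol: TCP
      targetPort: 8883
  selector:
    app.kubernetes.io/instance: haproxy-kubernetes-ingress
    app.kubernetes.io/name: kubernetes-ingress
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
      # Quoted: an unquoted value starting with `*` is read as a YAML alias.
      - ip: "***.***.***.***"  # Redacted
        ipMode: VIP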
The resulting HAProxy configuration is:
kubectl exec -n haproxy-controller haproxy-kubernetes-ingress-7d55484c76-m85kx -- cat /etc/haproxy/haproxy.cfg
# _version=7
# HAProxy Technologies
# https://www.haproxy.com/
# this file is not meant to be changed directly
# it is under haproxy ingress controller management
# Process-wide settings written by the ingress controller (the file header says it is
# managed and not meant to be edited directly).
global
daemon
default-path config
master-worker
pidfile /var/run/haproxy.pid
# Runtime API socket opened at `level admin`.
stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
stats timeout 36000
limited-quic
tune.ssl.default-dh-param 2048
# Disables SSLv3, TLS 1.0 and TLS session tickets on every bind. No `ssl-min-ver` is set
# here, so any further minimum-version limit comes from HAProxy's own defaults.
ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
# NOTE(review): this default cipher list still admits CBC/SHA-1 suites (e.g. AES128-SHA),
# static-RSA key exchange (e.g. AES256-GCM-SHA384) and the broad `AES` / `CAMELLIA`
# groups. If the device fleet allows it, narrowing the list to ECDHE + AEAD suites via the
# controller's configuration would tighten the 8883 listener as well.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES
hard-stop-after 1800000
log 127.0.0.1 local0 notice
defaults haproxytech
log global
log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
option dontlognull
option http-keep-alive
timeout http-request 5000
timeout connect 5000
timeout client 50000
timeout queue 5000
timeout server 50000
timeout tunnel 3600000
timeout http-keep-alive 60000
peers localinstance
peer haproxy-kubernetes-ingress-7d55484c76-m85kx 10.68.1.30:10000
frontend healthz
mode http
bind 0.0.0.0:1042 name v4
bind :::1042 name v6 v4v6
monitor-uri /healthz
option dontlog-normal
frontend http
mode http
bind [::]:8080 name v6
bind 0.0.0.0:8080 name v4
http-request set-var(txn.base) base
http-request set-var(txn.path) path
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-prefix-exact.map) if !{ var(txn.path_match) -m found }
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
http-request set-var(txn.cors_origin) req.hdr(origin) if { var(txn.path_match) -m dom a7793470751a615ed6395e6cce8220f2 }
http-request redirect location https://%[hdr(host),field(1,:)]:8443%[capture.req.uri] code 302 if { var(txn.path_match) -m dom 92afcf7456e1a884dd198b1f8bfb6f63 }
http-request replace-path /appengine/(.*) /\1 if { var(txn.path_match) -m dom 0ce5c6e3b45dfe86e9db57bdce87713b }
http-request replace-path /pairing/(.*) /\1 if { var(txn.path_match) -m dom b105a282dce24924baf4b544407e8804 }
http-request replace-path /housekeeping/(.*) /\1 if { var(txn.path_match) -m dom c3bfe53aba32430ca68fb2df59c7eb6f }
http-request replace-path /realmmanagement/(.*) /\1 if { var(txn.path_match) -m dom 1a4d5ae4b835a9900575007937ec979c }
use_backend %[var(txn.path_match),field(1,.)]
default_backend haproxy-controller_svc_default-local-service_http
http-response set-header X-Frame-Options "SAMEORIGIN" if { var(txn.path_match) -m dom 756eb8748c13680d45a2f5f45efb968c }
http-response set-header X-XSS-Protection "1; mode=block" if { var(txn.path_match) -m dom d3364bde8f570e654d7ae0ef21279d63 }
http-response set-header X-Content-Type-Options "nosniff" if { var(txn.path_match) -m dom 7a1ad2e15e0426cdc3c7ab3007de99d2 }
http-response set-header Referrer-Policy "no-referrer-when-downgrade" if { var(txn.path_match) -m dom 6e69add6679a29a1e7a56d3b823640dd }
http-after-response set-header Access-Control-Allow-Origin * if { var(txn.path_match) -m dom 7642f313707653af2e69c6d0efd0343f } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" if { var(txn.path_match) -m dom 85c03d6b243d163519b53c52bb7f604f } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Allow-Headers "Origin,X-Requested-With,Content-Type,Accept,Authorization" if { var(txn.path_match) -m dom 2326260d17607ec5e116f7c8be8681ee } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Max-Age "5" if { var(txn.path_match) -m dom f71b960bdc84a665267da8e58359c134 } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Allow-Credentials "true" if { var(txn.path_match) -m dom 5199b1c6d22cab4f7dbc1ffecdcb87eb } { var(txn.cors_origin) -m found }
frontend https
mode http
bind [::]:8443 name v6 crt /etc/haproxy/certs/frontend ssl alpn h2,http/1.1
bind 0.0.0.0:8443 name v4 crt /etc/haproxy/certs/frontend ssl alpn h2,http/1.1
bind quic4@0.0.0.0:8443 name quicv4 crt /etc/haproxy/certs/frontend ssl alpn h3
bind quic6@[::]:8443 name quicv6 crt /etc/haproxy/certs/frontend ssl alpn h3
http-request set-var(txn.base) base
http-request set-var(txn.path) path
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-prefix-exact.map) if !{ var(txn.path_match) -m found }
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
http-request set-var(txn.cors_origin) req.hdr(origin) if { var(txn.path_match) -m dom a7793470751a615ed6395e6cce8220f2 }
http-request redirect scheme https unless { ssl_fc }
http-request set-header X-Forwarded-Proto https
http-request replace-path /appengine/(.*) /\1 if { var(txn.path_match) -m dom 0ce5c6e3b45dfe86e9db57bdce87713b }
http-request replace-path /pairing/(.*) /\1 if { var(txn.path_match) -m dom b105a282dce24924baf4b544407e8804 }
http-request replace-path /housekeeping/(.*) /\1 if { var(txn.path_match) -m dom c3bfe53aba32430ca68fb2df59c7eb6f }
http-request replace-path /realmmanagement/(.*) /\1 if { var(txn.path_match) -m dom 1a4d5ae4b835a9900575007937ec979c }
use_backend %[var(txn.path_match),field(1,.)]
default_backend haproxy-controller_svc_default-local-service_http
http-response set-header X-Frame-Options "SAMEORIGIN" if { var(txn.path_match) -m dom 756eb8748c13680d45a2f5f45efb968c }
http-response set-header X-XSS-Protection "1; mode=block" if { var(txn.path_match) -m dom d3364bde8f570e654d7ae0ef21279d63 }
http-response set-header X-Content-Type-Options "nosniff" if { var(txn.path_match) -m dom 7a1ad2e15e0426cdc3c7ab3007de99d2 }
http-response set-header Referrer-Policy "no-referrer-when-downgrade" if { var(txn.path_match) -m dom 6e69add6679a29a1e7a56d3b823640dd }
http-response set-header alt-svc "h3=\":8443\";ma=60;"
http-after-response set-header Access-Control-Allow-Origin * if { var(txn.path_match) -m dom 7642f313707653af2e69c6d0efd0343f } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" if { var(txn.path_match) -m dom 85c03d6b243d163519b53c52bb7f604f } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Allow-Headers "Origin,X-Requested-With,Content-Type,Accept,Authorization" if { var(txn.path_match) -m dom 2326260d17607ec5e116f7c8be8681ee } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Max-Age "5" if { var(txn.path_match) -m dom f71b960bdc84a665267da8e58359c134 } { var(txn.cors_origin) -m found }
http-after-response set-header Access-Control-Allow-Credentials "true" if { var(txn.path_match) -m dom 5199b1c6d22cab4f7dbc1ffecdcb87eb } { var(txn.cors_origin) -m found }
# Statistics page and Prometheus metrics endpoint on port 1024.
# NOTE(review): this section has no `stats auth` or other authentication directive and
# binds on all addresses; the LoadBalancer Service shown earlier publishes port 1024
# (`stat`), so confirm the page is not reachable from outside the cluster.
frontend stats
mode http
bind :::1024 name v6
bind *:1024 name stats
stats enable
stats uri /
stats refresh 10s
stats show-legends
http-request set-var(txn.base) base
# /metrics is served by the built-in Prometheus exporter service.
http-request use-service prometheus-exporter if { path /metrics }
# TLS-terminating TCP frontend; its name matches the frontend declared in the
# mqtt-broker-ssl TCP CR (namespace astarte).
frontend tcpcr_astarte_mqtt-tls-termination-8883
mode tcp
# NOTE(review): this bind has `ssl` and `crt` (server certificate) but no `ca-file` and
# no `verify` keyword. HAProxy does not request a client certificate on a bind unless
# `verify` is set, so no client CN is available for `send-proxy-v2-ssl-cn` on the backend
# to forward. This is the first thing to check for the NotAuthorized result.
bind :8883 name :8883 crt /etc/haproxy/certs/tcp/astarte_astarte-tls-cert.pem ssl
option tcplog
default_backend astarte_svc_astarte-vernemq_mqtt
backend astarte_svc_astarte-appengine-api_http
mode http
balance roundrobin
option forwardfor
no option abortonclose
default-server check
server SRV_1 10.68.2.4:4000 enabled
server SRV_2 127.0.0.1:1 disabled
server SRV_3 127.0.0.1:1 disabled
server SRV_4 127.0.0.1:1 disabled
server SRV_5 127.0.0.1:1 disabled
server SRV_6 127.0.0.1:1 disabled
server SRV_7 127.0.0.1:1 disabled
server SRV_8 127.0.0.1:1 disabled
server SRV_9 127.0.0.1:1 disabled
server SRV_10 127.0.0.1:1 disabled
server SRV_11 127.0.0.1:1 disabled
server SRV_12 127.0.0.1:1 disabled
server SRV_13 127.0.0.1:1 disabled
server SRV_14 127.0.0.1:1 disabled
server SRV_15 127.0.0.1:1 disabled
server SRV_16 127.0.0.1:1 disabled
server SRV_17 127.0.0.1:1 disabled
server SRV_18 127.0.0.1:1 disabled
server SRV_19 127.0.0.1:1 disabled
server SRV_20 127.0.0.1:1 disabled
server SRV_21 127.0.0.1:1 disabled
server SRV_22 127.0.0.1:1 disabled
server SRV_23 127.0.0.1:1 disabled
server SRV_24 127.0.0.1:1 disabled
server SRV_25 127.0.0.1:1 disabled
server SRV_26 127.0.0.1:1 disabled
server SRV_27 127.0.0.1:1 disabled
server SRV_28 127.0.0.1:1 disabled
server SRV_29 127.0.0.1:1 disabled
server SRV_30 127.0.0.1:1 disabled
server SRV_31 127.0.0.1:1 disabled
server SRV_32 127.0.0.1:1 disabled
server SRV_33 127.0.0.1:1 disabled
server SRV_34 127.0.0.1:1 disabled
server SRV_35 127.0.0.1:1 disabled
server SRV_36 127.0.0.1:1 disabled
server SRV_37 127.0.0.1:1 disabled
server SRV_38 127.0.0.1:1 disabled
server SRV_39 127.0.0.1:1 disabled
server SRV_40 127.0.0.1:1 disabled
server SRV_41 127.0.0.1:1 disabled
server SRV_42 127.0.0.1:1 disabled
backend astarte_svc_astarte-dashboard_http
mode http
balance roundrobin
option forwardfor
no option abortonclose
default-server check
server SRV_1 10.68.3.4:80 enabled
server SRV_2 127.0.0.1:1 disabled
server SRV_3 127.0.0.1:1 disabled
server SRV_4 127.0.0.1:1 disabled
server SRV_5 127.0.0.1:1 disabled
server SRV_6 127.0.0.1:1 disabled
server SRV_7 127.0.0.1:1 disabled
server SRV_8 127.0.0.1:1 disabled
server SRV_9 127.0.0.1:1 disabled
server SRV_10 127.0.0.1:1 disabled
server SRV_11 127.0.0.1:1 disabled
server SRV_12 127.0.0.1:1 disabled
server SRV_13 127.0.0.1:1 disabled
server SRV_14 127.0.0.1:1 disabled
server SRV_15 127.0.0.1:1 disabled
server SRV_16 127.0.0.1:1 disabled
server SRV_17 127.0.0.1:1 disabled
server SRV_18 127.0.0.1:1 disabled
server SRV_19 127.0.0.1:1 disabled
server SRV_20 127.0.0.1:1 disabled
server SRV_21 127.0.0.1:1 disabled
server SRV_22 127.0.0.1:1 disabled
server SRV_23 127.0.0.1:1 disabled
server SRV_24 127.0.0.1:1 disabled
server SRV_25 127.0.0.1:1 disabled
server SRV_26 127.0.0.1:1 disabled
server SRV_27 127.0.0.1:1 disabled
server SRV_28 127.0.0.1:1 disabled
server SRV_29 127.0.0.1:1 disabled
server SRV_30 127.0.0.1:1 disabled
server SRV_31 127.0.0.1:1 disabled
server SRV_32 127.0.0.1:1 disabled
server SRV_33 127.0.0.1:1 disabled
server SRV_34 127.0.0.1:1 disabled
server SRV_35 127.0.0.1:1 disabled
server SRV_36 127.0.0.1:1 disabled
server SRV_37 127.0.0.1:1 disabled
server SRV_38 127.0.0.1:1 disabled
server SRV_39 127.0.0.1:1 disabled
server SRV_40 127.0.0.1:1 disabled
server SRV_41 127.0.0.1:1 disabled
server SRV_42 127.0.0.1:1 disabled
backend astarte_svc_astarte-housekeeping_http
mode http
balance roundrobin
option forwardfor
no option abortonclose
default-server check
server SRV_1 10.68.2.5:4000 enabled
server SRV_2 127.0.0.1:1 disabled
server SRV_3 127.0.0.1:1 disabled
server SRV_4 127.0.0.1:1 disabled
server SRV_5 127.0.0.1:1 disabled
server SRV_6 127.0.0.1:1 disabled
server SRV_7 127.0.0.1:1 disabled
server SRV_8 127.0.0.1:1 disabled
server SRV_9 127.0.0.1:1 disabled
server SRV_10 127.0.0.1:1 disabled
server SRV_11 127.0.0.1:1 disabled
server SRV_12 127.0.0.1:1 disabled
server SRV_13 127.0.0.1:1 disabled
server SRV_14 127.0.0.1:1 disabled
server SRV_15 127.0.0.1:1 disabled
server SRV_16 127.0.0.1:1 disabled
server SRV_17 127.0.0.1:1 disabled
server SRV_18 127.0.0.1:1 disabled
server SRV_19 127.0.0.1:1 disabled
server SRV_20 127.0.0.1:1 disabled
server SRV_21 127.0.0.1:1 disabled
server SRV_22 127.0.0.1:1 disabled
server SRV_23 127.0.0.1:1 disabled
server SRV_24 127.0.0.1:1 disabled
server SRV_25 127.0.0.1:1 disabled
server SRV_26 127.0.0.1:1 disabled
server SRV_27 127.0.0.1:1 disabled
server SRV_28 127.0.0.1:1 disabled
server SRV_29 127.0.0.1:1 disabled
server SRV_30 127.0.0.1:1 disabled
server SRV_31 127.0.0.1:1 disabled
server SRV_32 127.0.0.1:1 disabled
server SRV_33 127.0.0.1:1 disabled
server SRV_34 127.0.0.1:1 disabled
server SRV_35 127.0.0.1:1 disabled
server SRV_36 127.0.0.1:1 disabled
server SRV_37 127.0.0.1:1 disabled
server SRV_38 127.0.0.1:1 disabled
server SRV_39 127.0.0.1:1 disabled
server SRV_40 127.0.0.1:1 disabled
server SRV_41 127.0.0.1:1 disabled
server SRV_42 127.0.0.1:1 disabled
backend astarte_svc_astarte-pairing_http
mode http
balance roundrobin
option forwardfor
no option abortonclose
default-server check
server SRV_1 10.68.1.4:4000 enabled
server SRV_2 127.0.0.1:1 disabled
server SRV_3 127.0.0.1:1 disabled
server SRV_4 127.0.0.1:1 disabled
server SRV_5 127.0.0.1:1 disabled
server SRV_6 127.0.0.1:1 disabled
server SRV_7 127.0.0.1:1 disabled
server SRV_8 127.0.0.1:1 disabled
server SRV_9 127.0.0.1:1 disabled
server SRV_10 127.0.0.1:1 disabled
server SRV_11 127.0.0.1:1 disabled
server SRV_12 127.0.0.1:1 disabled
server SRV_13 127.0.0.1:1 disabled
server SRV_14 127.0.0.1:1 disabled
server SRV_15 127.0.0.1:1 disabled
server SRV_16 127.0.0.1:1 disabled
server SRV_17 127.0.0.1:1 disabled
server SRV_18 127.0.0.1:1 disabled
server SRV_19 127.0.0.1:1 disabled
server SRV_20 127.0.0.1:1 disabled
server SRV_21 127.0.0.1:1 disabled
server SRV_22 127.0.0.1:1 disabled
server SRV_23 127.0.0.1:1 disabled
server SRV_24 127.0.0.1:1 disabled
server SRV_25 127.0.0.1:1 disabled
server SRV_26 127.0.0.1:1 disabled
server SRV_27 127.0.0.1:1 disabled
server SRV_28 127.0.0.1:1 disabled
server SRV_29 127.0.0.1:1 disabled
server SRV_30 127.0.0.1:1 disabled
server SRV_31 127.0.0.1:1 disabled
server SRV_32 127.0.0.1:1 disabled
server SRV_33 127.0.0.1:1 disabled
server SRV_34 127.0.0.1:1 disabled
server SRV_35 127.0.0.1:1 disabled
server SRV_36 127.0.0.1:1 disabled
server SRV_37 127.0.0.1:1 disabled
server SRV_38 127.0.0.1:1 disabled
server SRV_39 127.0.0.1:1 disabled
server SRV_40 127.0.0.1:1 disabled
server SRV_41 127.0.0.1:1 disabled
server SRV_42 127.0.0.1:1 disabled
backend astarte_svc_astarte-realm-management_http
mode http
balance roundrobin
option forwardfor
no option abortonclose
default-server check
server SRV_1 10.68.3.7:4000 enabled
server SRV_2 127.0.0.1:1 disabled
server SRV_3 127.0.0.1:1 disabled
server SRV_4 127.0.0.1:1 disabled
server SRV_5 127.0.0.1:1 disabled
server SRV_6 127.0.0.1:1 disabled
server SRV_7 127.0.0.1:1 disabled
server SRV_8 127.0.0.1:1 disabled
server SRV_9 127.0.0.1:1 disabled
server SRV_10 127.0.0.1:1 disabled
server SRV_11 127.0.0.1:1 disabled
server SRV_12 127.0.0.1:1 disabled
server SRV_13 127.0.0.1:1 disabled
server SRV_14 127.0.0.1:1 disabled
server SRV_15 127.0.0.1:1 disabled
server SRV_16 127.0.0.1:1 disabled
server SRV_17 127.0.0.1:1 disabled
server SRV_18 127.0.0.1:1 disabled
server SRV_19 127.0.0.1:1 disabled
server SRV_20 127.0.0.1:1 disabled
server SRV_21 127.0.0.1:1 disabled
server SRV_22 127.0.0.1:1 disabled
server SRV_23 127.0.0.1:1 disabled
server SRV_24 127.0.0.1:1 disabled
server SRV_25 127.0.0.1:1 disabled
server SRV_26 127.0.0.1:1 disabled
server SRV_27 127.0.0.1:1 disabled
server SRV_28 127.0.0.1:1 disabled
server SRV_29 127.0.0.1:1 disabled
server SRV_30 127.0.0.1:1 disabled
server SRV_31 127.0.0.1:1 disabled
server SRV_32 127.0.0.1:1 disabled
server SRV_33 127.0.0.1:1 disabled
server SRV_34 127.0.0.1:1 disabled
server SRV_35 127.0.0.1:1 disabled
server SRV_36 127.0.0.1:1 disabled
server SRV_37 127.0.0.1:1 disabled
server SRV_38 127.0.0.1:1 disabled
server SRV_39 127.0.0.1:1 disabled
server SRV_40 127.0.0.1:1 disabled
server SRV_41 127.0.0.1:1 disabled
server SRV_42 127.0.0.1:1 disabled
# TCP backend for the astarte-vernemq Service (MQTT on 1883).
backend astarte_svc_astarte-vernemq_mqtt
mode tcp
balance roundrobin
no option abortonclose
# Every server inherits health checks and a PROXY v2 header that carries SSL details and
# the client-certificate CN. The header can only contain a CN if the frontend actually
# obtained a client certificate.
# NOTE(review): the server lines carry no `ssl` keyword, so the hop to the broker is
# plain TCP after TLS termination; the CN in the header is only as trustworthy as the
# network path between HAProxy and the broker pod.
default-server check send-proxy-v2-ssl-cn
# Only SRV_1 is enabled; SRV_2..SRV_42 are disabled entries pointing at 127.0.0.1:1.
server SRV_1 10.68.2.27:1883 enabled
server SRV_2 127.0.0.1:1 disabled
server SRV_3 127.0.0.1:1 disabled
server SRV_4 127.0.0.1:1 disabled
server SRV_5 127.0.0.1:1 disabled
server SRV_6 127.0.0.1:1 disabled
server SRV_7 127.0.0.1:1 disabled
server SRV_8 127.0.0.1:1 disabled
server SRV_9 127.0.0.1:1 disabled
server SRV_10 127.0.0.1:1 disabled
server SRV_11 127.0.0.1:1 disabled
server SRV_12 127.0.0.1:1 disabled
server SRV_13 127.0.0.1:1 disabled
server SRV_14 127.0.0.1:1 disabled
server SRV_15 127.0.0.1:1 disabled
server SRV_16 127.0.0.1:1 disabled
server SRV_17 127.0.0.1:1 disabled
server SRV_18 127.0.0.1:1 disabled
server SRV_19 127.0.0.1:1 disabled
server SRV_20 127.0.0.1:1 disabled
server SRV_21 127.0.0.1:1 disabled
server SRV_22 127.0.0.1:1 disabled
server SRV_23 127.0.0.1:1 disabled
server SRV_24 127.0.0.1:1 disabled
server SRV_25 127.0.0.1:1 disabled
server SRV_26 127.0.0.1:1 disabled
server SRV_27 127.0.0.1:1 disabled
server SRV_28 127.0.0.1:1 disabled
server SRV_29 127.0.0.1:1 disabled
server SRV_30 127.0.0.1:1 disabled
server SRV_31 127.0.0.1:1 disabled
server SRV_32 127.0.0.1:1 disabled
server SRV_33 127.0.0.1:1 disabled
server SRV_34 127.0.0.1:1 disabled
server SRV_35 127.0.0.1:1 disabled
server SRV_36 127.0.0.1:1 disabled
server SRV_37 127.0.0.1:1 disabled
server SRV_38 127.0.0.1:1 disabled
server SRV_39 127.0.0.1:1 disabled
server SRV_40 127.0.0.1:1 disabled
server SRV_41 127.0.0.1:1 disabled
server SRV_42 127.0.0.1:1 disabled
backend haproxy-controller_svc_default-local-service_http
mode http
balance roundrobin
option forwardfor
no option abortonclose
default-server check
server SRV_1 127.0.0.1:6061 enabled
server SRV_2 127.0.0.1:1 disabled
server SRV_3 127.0.0.1:1 disabled
server SRV_4 127.0.0.1:1 disabled
server SRV_5 127.0.0.1:1 disabled
server SRV_6 127.0.0.1:1 disabled
server SRV_7 127.0.0.1:1 disabled
server SRV_8 127.0.0.1:1 disabled
server SRV_9 127.0.0.1:1 disabled
server SRV_10 127.0.0.1:1 disabled
server SRV_11 127.0.0.1:1 disabled
server SRV_12 127.0.0.1:1 disabled
server SRV_13 127.0.0.1:1 disabled
server SRV_14 127.0.0.1:1 disabled
server SRV_15 127.0.0.1:1 disabled
server SRV_16 127.0.0.1:1 disabled
server SRV_17 127.0.0.1:1 disabled
server SRV_18 127.0.0.1:1 disabled
server SRV_19 127.0.0.1:1 disabled
server SRV_20 127.0.0.1:1 disabled
server SRV_21 127.0.0.1:1 disabled
server SRV_22 127.0.0.1:1 disabled
server SRV_23 127.0.0.1:1 disabled
server SRV_24 127.0.0.1:1 disabled
server SRV_25 127.0.0.1:1 disabled
server SRV_26 127.0.0.1:1 disabled
server SRV_27 127.0.0.1:1 disabled
server SRV_28 127.0.0.1:1 disabled
server SRV_29 127.0.0.1:1 disabled
server SRV_30 127.0.0.1:1 disabled
server SRV_31 127.0.0.1:1 disabled
server SRV_32 127.0.0.1:1 disabled
server SRV_33 127.0.0.1:1 disabled
server SRV_34 127.0.0.1:1 disabled
server SRV_35 127.0.0.1:1 disabled
server SRV_36 127.0.0.1:1 disabled
server SRV_37 127.0.0.1:1 disabled
server SRV_38 127.0.0.1:1 disabled
server SRV_39 127.0.0.1:1 disabled
server SRV_40 127.0.0.1:1 disabled
server SRV_41 127.0.0.1:1 disabled
server SRV_42 127.0.0.1:1 disabled
On the HAProxy Pods, I get logs like these:
[NOTICE] (69) : Reloading HAProxy
[NOTICE] (69) : Initializing new worker (164)
[NOTICE] (69) : Loading success.
[WARNING] (153) : Proxy healthz stopped (cumulated conns: FE: 2, BE: 0).
[WARNING] (153) : Proxy http stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy https stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy stats stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy tcpcr_astarte_mqtt-tls-termination-8883 stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy astarte_svc_astarte-appengine-api_http stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy astarte_svc_astarte-dashboard_http stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy astarte_svc_astarte-housekeeping_http stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy astarte_svc_astarte-pairing_http stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy astarte_svc_astarte-realm-management_http stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy astarte_svc_astarte-vernemq_mqtt stopped (cumulated conns: FE: 0, BE: 0).
[WARNING] (153) : Proxy haproxy-controller_svc_default-local-service_http stopped (cumulated conns: FE: 0, BE: 0).
[NOTICE] (69) : haproxy version is 3.1.9-38cc406
[WARNING] (69) : Former worker (153) exited with code 0 (Exit)
2025/11/04 08:01:15 INFO controller/controller.go:241 [transactionID=9322b23c-0a7d-453b-8e87-4c7136cad663] HAProxy reloaded
Other resources used for this config: