How to Configure HAProxy SSL Termination

DodaTech Updated 2026-06-24 2 min read

SSL termination offloads TLS decryption from backend servers. HAProxy handles certificates and HTTPS redirects efficiently. This guide walks through the specific troubleshooting steps to diagnose and resolve SSL termination issues.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server with HAProxy installed
  • Access to the command line interface
  • Appropriate permissions (root or sudo)

Quick Fix

Wrong

frontend web
    bind *:443 ssl crt /etc/ssl/cert.pem

Wrong: Single certificate without redirect or OCSP

frontend web
    # Cleartext listener; without it the redirect below never matches
    bind *:80
    bind *:443 ssl crt /etc/ssl/haproxy/ crt-ignore-err all
    redirect scheme https if !{ ssl_fc }

Right: Certificate directory with automatic HTTPS redirect

Output

SSL termination configured
  Cert directory: /etc/ssl/haproxy/
  HTTP → HTTPS redirect enabled
  OCSP stapling: enabled

Prevention

To avoid future issues, follow these best practices:

  • Use a certificate directory (crt /etc/ssl/haproxy/) for multiple certs
  • Enable HTTP to HTTPS redirect with redirect scheme https
  • Configure OCSP stapling for better revocation checking
  • Use crt-ignore-err to handle client certificate errors gracefully
  • Use ssl-min-ver TLSv1.2 for security
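
The checks in this list can be run against a config before a reload. The following is an added example, not DodaTech's or the HAProxy project's code: a small Python auditor whose function names (parse_sections, opt, audit) and sample configs are hypothetical. It assumes a trailing slash on crt means a directory and reads only per-bind settings, so TLS defaults set in the global section are not considered.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
WEAK = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def parse_sections(cfg):
    """Split haproxy.cfg text into [kind, name, directive-lines] entries."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = SECTION.match(line)
        if m:
            sections.append([m.group(1), m.group(2), []])
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def opt(tokens, key):
    """Value that follows a bind keyword, or None when the keyword is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings, redirect_ok = [], False
    for kind, name, lines in parse_sections(cfg):
        if kind not in ("frontend", "listen"):
            continue
        binds = [l.split() for l in lines if l.startswith("bind ")]
        has_rule = any("redirect scheme https" in l for l in lines)
        redirect_ok |= has_rule and any("ssl" not in b for b in binds)  # needs a cleartext bind
        for b in (b for b in binds if "ssl" in b):
            crt, ver = opt(b, "crt"), opt(b, "ssl-min-ver")
            if not (crt or "").endswith("/"):  # assumption: trailing slash = directory
                findings.append(f"{name}: crt {crt} is not a certificate directory")
            if ver is None or ver in WEAK:
                findings.append(f"{name}: ssl-min-ver is {ver}, want TLSv1.2 or newer")
    if not redirect_ok:
        findings.append("no cleartext listener carries 'redirect scheme https'")
    return findings

# Constructed samples: WEAK_CFG mirrors the "Wrong" snippet, GOOD_CFG applies the list above.
WEAK_CFG = "frontend web\n    bind *:443 ssl crt /etc/ssl/cert.pem\n"
GOOD_CFG = """frontend web
    bind *:80
    bind *:443 ssl crt /etc/ssl/haproxy/ ssl-min-ver TLSv1.2
    http-request redirect scheme https unless { ssl_fc }
"""

if __name__ == "__main__": print("\n".join(audit(WEAK_CFG)))
```

OCSP stapling is not covered by these checks.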

DodaTech Tools

For further assistance with any of the above issues, consider using DodaTech consulting services or DodaTech tutorials for more in-depth guidance.

Common Mistakes with SSL Termination

  1. Using return to exit a function early instead of wrapping a pure value in the monad
  2. Mixing let bindings with <- bindings in do notation, producing type errors
  3. Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors

These mistakes appear frequently in real-world HAProxy code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

How does HAProxy choose which certificate to use? HAProxy matches the TLS SNI from the client hello against certificates in the crt directory. The default SNI or first matching cert is used.
What is OCSP stapling in HAProxy? HAProxy fetches the OCSP response for its certificate and serves it during the TLS handshake, improving privacy and performance.
