Setup TLS Offloading & PROXY Protocol for HAProxy and NGINX

HAProxy

Installation

brew install haproxy

Configuration

cat /etc/haproxy/haproxy.cfg
# HA Proxy Config
global
    ulimit-n 500000
    maxconn 99999
    maxpipes 99999
    tune.maxaccept 500
    log stdout local0
    log stdout local1 notice

defaults
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    timeout tunnel 1h

frontend hivemq.mbp.local
    bind 127.0.0.1:8888 ssl crt /etc/haproxy/MBP.pem ca-file /etc/haproxy/rootCA.crt verify optional
    mode tcp
    default_backend hivemq

backend hivemq
    mode tcp
    server mqtt1 127.0.0.1:1883 send-proxy-v2-ssl-cn

Note

The server line takes one of send-proxy, send-proxy-v2, send-proxy-v2-ssl or send-proxy-v2-ssl-cn. They differ in what the PROXY header carries: send-proxy is the text v1 header with addresses only; send-proxy-v2 is the binary v2 header; the -ssl variant adds the SSL TLV (TLS in use, verification result, TLS version); the -ssl-cn variant additionally includes the client certificate's CN. With send-proxy-v2 you can instead select the TLVs explicitly:

    server mqtt1 127.0.0.1:1883 send-proxy-v2 proxy-v2-options ssl,cert-cn,ssl-cipher,cert-sig,cert-key,authority,crc32c,unique-id

See https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#5.2-proxy-v2-options

Two caveats before relying on the CN downstream:

  • verify optional lets a client through without any certificate; a certificate that is presented but fails validation against ca-file still aborts the handshake. The CN TLV is therefore only present for clients that actually presented a valid certificate, and the backend must treat a missing CN as unauthenticated rather than fall back to a default identity.

  • The PROXY header is not authenticated. Anything that can open a TCP connection to 127.0.0.1:1883 can write its own v2 header claiming any source address and any CN, so the MQTT listener must be reachable only from HAProxy (loopback here; on a multi-host setup, firewall it to the proxy's address). If NGINX is placed in front of HAProxy with proxy_protocol on, as in the NGINX section below, add accept-proxy to the bind line so HAProxy parses the incoming header instead of treating it as a broken TLS record.
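The header that reaches the MQTT backend is easier to reason about as bytes. The following is an added example written for this page, not HAProxy, NGINX or HiveMQ code: it builds the PROXY v2 header HAProxy produces for send-proxy-v2-ssl-cn, parses it back, and derives the only identity a backend should act on. The addresses, CN, TLS version and the MQTT CONNECT fragment are constructed sample data; the byte layout follows HAProxy's proxy-protocol.txt (section 2.2).

```python
"""Build and parse PROXY protocol v2 headers carrying the SSL TLV that
HAProxy emits for `send-proxy-v2-ssl-cn`.

Added example for this page, not HAProxy, NGINX or HiveMQ code. The
sample addresses, CN and TLS version below are constructed for the demo.
"""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21         # version 2, command PROXY
PP2_AF_INET_STREAM = 0x11        # AF_INET, SOCK_STREAM (TCP over IPv4)

PP2_TYPE_SSL = 0x20
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22
PP2_CLIENT_SSL = 0x01            # the client connected over TLS
PP2_CLIENT_CERT_CONN = 0x02      # a client certificate was presented on this connection


def _tlv(tlv_type, value):
    """Encode one TLV: 1-byte type, 2-byte big-endian length, value."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def build_v2_header(src_ip, src_port, dst_ip, dst_port, tls_version=None, client_cn=None):
    """Return a PROXY v2 header for an IPv4 TCP connection.

    Mirrors what HAProxy sends with send-proxy-v2-ssl-cn: the SSL TLV is
    present when the client spoke TLS and carries the CN sub-TLV only
    when a client certificate was presented.
    """
    body = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    body += struct.pack("!HH", src_port, dst_port)
    if tls_version is not None:
        client = PP2_CLIENT_SSL
        sub = _tlv(PP2_SUBTYPE_SSL_VERSION, tls_version.encode())
        if client_cn is not None:
            client |= PP2_CLIENT_CERT_CONN
            sub += _tlv(PP2_SUBTYPE_SSL_CN, client_cn.encode())
        # client flags (1 byte) + verify result (4 bytes, 0 = verified OK) + sub-TLVs
        body += _tlv(PP2_TYPE_SSL, struct.pack("!BI", client, 0) + sub)
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VERSION_PROXY, PP2_AF_INET_STREAM, len(body)) + body


def _parse_tlvs(buf):
    """Yield (type, value) pairs from a TLV sequence; raise on truncation."""
    pos = 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if pos + n > len(buf):
            raise ValueError("truncated TLV value")
        yield t, buf[pos:pos + n]
        pos += n


def parse_v2_header(data):
    """Parse a PROXY v2 header from the start of `data`.

    Returns (info, payload) where payload is whatever follows the header
    (for this page's setup, the MQTT CONNECT packet). Only IPv4/TCP with
    the PROXY command is handled; anything else raises ValueError.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd != PP2_VERSION_PROXY or fam_proto != PP2_AF_INET_STREAM:
        raise ValueError("unsupported version/command or address family")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) < 12:
        raise ValueError("truncated address block")
    info = {
        "src": socket.inet_ntoa(body[0:4]),
        "dst": socket.inet_ntoa(body[4:8]),
        "src_port": struct.unpack("!H", body[8:10])[0],
        "dst_port": struct.unpack("!H", body[10:12])[0],
        "tls": False, "client_cert": False, "verified": False,
        "tls_version": None, "cn": None,
    }
    for t, v in _parse_tlvs(body[12:]):
        if t != PP2_TYPE_SSL or len(v) < 5:
            continue
        client, verify = struct.unpack_from("!BI", v, 0)
        info["tls"] = bool(client & PP2_CLIENT_SSL)
        info["client_cert"] = bool(client & PP2_CLIENT_CERT_CONN)
        info["verified"] = verify == 0
        for st, sv in _parse_tlvs(v[5:]):
            if st == PP2_SUBTYPE_SSL_VERSION:
                info["tls_version"] = sv.decode()
            elif st == PP2_SUBTYPE_SSL_CN:
                info["cn"] = sv.decode()
    return info, payload


def peer_identity(data):
    """Identity the backend may act on: the CN only when a certificate was
    presented and verified; otherwise None, which is what `verify optional`
    produces for a client that connected over TLS without a certificate."""
    info, _ = parse_v2_header(data)
    if info["client_cert"] and info["verified"] and info["cn"]:
        return info["cn"]
    return None


if __name__ == "__main__":
    # Constructed sample: what HAProxy would emit for a mutual-TLS client,
    # followed by the start of an MQTT CONNECT packet.
    mqtt_connect = b"\x10\x10\x00\x04MQTT\x04\x02\x00\x3c\x00\x04demo"
    genuine = build_v2_header("192.0.2.10", 51234, "127.0.0.1", 8888,
                              tls_version="TLSv1.3", client_cn="device-0042") + mqtt_connect
    info, payload = parse_v2_header(genuine)
    print(info, payload[:6])
    # A TLS client that presented no certificate yields no identity.
    anon = build_v2_header("192.0.2.11", 51235, "127.0.0.1", 8888, tls_version="TLSv1.3")
    print(peer_identity(anon))
    # Nothing in the header is authenticated: whoever can reach port 1883
    # directly can write these same bytes and claim any source and CN.
    forged = build_v2_header("10.0.0.1", 1, "127.0.0.1", 8888,
                             tls_version="TLSv1.3", client_cn="admin")
    print(peer_identity(forged))
```

The forged header at the end parses exactly like a genuine one and yields the CN "admin" although no TLS handshake ever took place, which is why the 1883 listener must only be reachable from HAProxy. The anonymous case shows the other half of the caveat: with verify optional, a connection can be fully valid at the TLS layer and still carry no identity.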

Run

haproxy -f /etc/haproxy/haproxy.cfg

NGINX

Installation

Install NGINX with the stream modules this setup relies on. On macOS, you can use Homebrew:

brew install nginx

⚠️ The configuration below needs NGINX built with --with-stream, --with-stream_ssl_module and --with-stream_ssl_preread_module (for ssl_preread and $ssl_preread_server_name); --with-stream_realip_module is additionally required if you want set_real_ip_from to rewrite $remote_addr from a PROXY header received from a trusted upstream balancer. Check what your build has with nginx -V 2>&1 | tr ' ' '\n' | grep stream and compile from source with those flags if any are missing.

Configuration

Create or edit your NGINX configuration file, usually located at:

/usr/local/etc/nginx/nginx.conf (Homebrew on Intel) or /opt/homebrew/etc/nginx/nginx.conf (Homebrew on Apple Silicon)

Example configuration: NGINX passes TLS through to HAProxy (which terminates it and sees the client certificate), routes on SNI, and adds a PROXY protocol header on the way:

# nginx.conf
worker_processes 1;

events {
    worker_connections 1024;
}

stream {
    # $proxy_protocol_addr is only populated when this server's listen
    # carries the proxy_protocol parameter (see notes below).
    log_format proxy '$proxy_protocol_addr $remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';
    access_log /usr/local/var/log/nginx/stream-access.log proxy;

    # Route on the SNI name read from the ClientHello. Everything goes to
    # HAProxy here; per-hostname entries can be added to this map.
    map $ssl_preread_server_name $backend_name {
        default mqtt_backend;
    }

    upstream mqtt_backend {
        # HAProxy TLS listener from above. Because proxy_protocol is on
        # below, its bind line must carry accept-proxy.
        server 127.0.0.1:8888;
    }

    server {
        # No "ssl" on this listen: TLS is passed through untouched so that
        # HAProxy terminates it and can verify the client certificate.
        # Add "proxy_protocol" to this listen only if a trusted balancer in
        # front of NGINX sends a PROXY header, and then also add
        # set_real_ip_from <balancer address>; for it.
        listen 8883;
        ssl_preread on;          # read SNI without decrypting
        proxy_protocol on;       # prepend a PROXY header towards HAProxy
        proxy_pass $backend_name;
    }
}

Notes

  • listen 8883; accepts raw TCP; NGINX never terminates TLS in this setup. Adding ssl to this listen would make NGINX decrypt instead: ssl_preread would then see no ClientHello, and HAProxy would receive plaintext on a TLS listener and never see the client certificate that send-proxy-v2-ssl-cn depends on.

  • ssl_preread on; reads the SNI from the ClientHello without decrypting, so $ssl_preread_server_name can drive the map.

  • proxy_protocol on; prepends a PROXY protocol (v1) header on the connection to HAProxy, so HAProxy logs and forwards the real client address instead of 127.0.0.1. HAProxy only parses it if accept-proxy is on the bind line; without it, the header is read as a malformed TLS record and the handshake fails.

  • listen ... proxy_protocol (not used above) means NGINX itself expects a PROXY header from whoever connects. Because the header is unauthenticated, enable it only when a trusted upstream balancer sends it, and pair it with set_real_ip_from <balancer address>; (ngx_stream_realip_module) so that $remote_addr is rewritten only for those peers.

HAProxy's accept-proxy accepts both v1 and v2 headers, so the v1 header NGINX sends is fine. What HAProxy forwards to the MQTT backend is governed by its own server line (send-proxy-v2-ssl-cn above), and the backend listener must be configured to expect a PROXY header, otherwise the header bytes are interpreted as the start of an MQTT packet and the connection is rejected.

Run

Start or reload NGINX:

brew services start nginx

# or, if it is already running:
nginx -s reload

Check the configuration syntax first, before starting or reloading:

nginx -t