HAProxy
This document provides information about configuring HAProxy with HSMs for TLS offloading. For additional questions about your HSM, see the relevant user guide.
HAProxy (High Availability Proxy) is a popular open-source software load balancer and reverse proxy that distributes incoming network traffic across multiple servers. It is particularly well suited to HTTP and TCP applications, where it ensures high service availability and reliability. HAProxy can handle millions of concurrent connections, making it a common choice for large-scale deployments. It offers advanced features such as health checking, sticky sessions, and detailed monitoring that help keep web applications performant and reliable.
One of HAProxy's most powerful capabilities is TLS offloading (also known as SSL termination). With it, HAProxy takes on the computationally intensive work of encrypting and decrypting TLS/SSL traffic on behalf of the backend servers: it accepts incoming encrypted connections from clients, decrypts the traffic, and forwards the decrypted requests to the backend servers over a secure internal network. This approach offers the following benefits:
- Reduces the CPU load on backend servers
- Centralizes SSL certificate management
- Enables inspection and manipulation of HTTP traffic
By handling TLS processing at the proxy, your organization gets better performance and simpler certificate management while maintaining end-to-end security.
HAProxy can use pkcs11-provider, a PKCS #11 provider for OpenSSL 3, to offload cryptographic operations to an HSM. It replaces the OpenSSL pkcs11 engine, because the ENGINE API is deprecated in OpenSSL 3. The provider is usually installed as .../ossl-modules/pkcs11.so, that is, in the ossl-modules sub-folder of the OpenSSL build-time --prefix, using the same filename as the pkcs11 engine but a different folder.
pkcs11-provider is a middleware provider: it does not drive the hardware itself but requires an actual PKCS #11 module underneath it (typically the PKCS #11 library shipped with your HSM).
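The TLS-offloading setup and the pkcs11-provider layering described above, as an added shell example that is not from this page, from HAProxy, or from pkcs11-provider: it writes an OpenSSL 3 configuration that activates pkcs11-provider on top of the HSM vendor's PKCS #11 library, a PEM-wrapped PKCS #11 URI that HAProxy loads in place of a private key file (so the key never leaves the HSM), and an HAProxy configuration that terminates TLS on the frontend and forwards plaintext to the backends. The module path, the vendor library path, the crt path, the token label and object name, the backend addresses and the hostname are assumed placeholders; the `ssl-provider` keyword exists in HAProxy 2.6 and later, and the PEM wrapper name is the one pkcs11-provider documents, so check both against the versions you run.

```shell
#!/bin/sh
# Added example, not code from the page or from the HAProxy / pkcs11-provider
# projects. It writes the configuration a TLS-terminating HAProxy needs when
# its private key lives in an HSM behind pkcs11-provider. Every path, token
# label, backend address and hostname below is an assumed placeholder.

# 1. OpenSSL 3 configuration: activate the default provider and pkcs11-provider,
#    pointing the latter at the HSM vendor's PKCS #11 library (the "actual"
#    PKCS #11 module that pkcs11-provider needs underneath it).
#    $1 = output dir, $2 = path of pkcs11.so, $3 = vendor PKCS #11 library
write_openssl_conf() {
    cat > "$1/openssl.cnf" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = $2
pkcs11-module-path = $3
activate = 1
EOF
}

# 2. The "key file": pkcs11-provider accepts a PEM block carrying a PKCS #11 URI
#    wherever an application loads a PEM private key through OpenSSL 3 decoders,
#    so the private key itself stays in the HSM. Wrapper name as documented by
#    pkcs11-provider (verify against your installed version). $2 = PKCS #11 URI
write_key_uri_pem() {
    {
        echo "-----BEGIN PKCS#11 PROVIDER URI-----"
        printf '%s\n' "$(printf '%s' "$2" | base64 | tr -d '\n' | fold -w 64)"
        echo "-----END PKCS#11 PROVIDER URI-----"
    } > "$1/key-uri.pem"
}

# 3. HAProxy configuration: terminate TLS on the frontend, forward plaintext to
#    the backends. The crt file is the server certificate concatenated with
#    key-uri.pem. ssl-provider (HAProxy 2.6+) loads providers into HAProxy's
#    OpenSSL; once pkcs11 is loaded explicitly, default must be loaded too.
#    $1 = output dir, $2 = crt path
write_haproxy_cfg() {
    cat > "$1/haproxy.cfg" <<EOF
global
    log stdout format raw local0
    ssl-provider default
    ssl-provider pkcs11
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    bind :443 ssl crt $2 alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend web_servers

backend web_servers
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.0.0.11:8080 check
    server web2 10.0.0.12:8080 check
EOF
}

# 4. Offline sanity check: the directives that make the HSM path work are present.
#    With the HSM reachable, run "OPENSSL_CONF=openssl.cnf haproxy -c -f haproxy.cfg";
#    HAProxy resolves the key on the token at startup, not per handshake.
check_configs() {
    grep -q '^module = ' "$1/openssl.cnf" || return 1
    grep -q '^pkcs11-module-path = ' "$1/openssl.cnf" || return 1
    grep -q '^    ssl-provider pkcs11$' "$1/haproxy.cfg" || return 1
    grep -q '^    bind :443 ssl crt ' "$1/haproxy.cfg" || return 1
    grep -q '^-----BEGIN PKCS#11 PROVIDER URI-----$' "$1/key-uri.pem" || return 1
}

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
write_openssl_conf "$OUT_DIR" /usr/lib64/ossl-modules/pkcs11.so /opt/hsm/lib/libvendor-pkcs11.so
write_key_uri_pem "$OUT_DIR" "pkcs11:token=web-tls;object=www.example.com;type=private"
write_haproxy_cfg "$OUT_DIR" /etc/haproxy/certs/www.example.com.pem
check_configs "$OUT_DIR" && echo "configuration written to $OUT_DIR"
```

Before pointing HAProxy at the files, confirm that OpenSSL itself can see the key through the provider with `OPENSSL_CONF=openssl.cnf openssl storeutl -text "pkcs11:token=web-tls;object=www.example.com;type=private"`; if that fails, the problem is in the pkcs11-provider or vendor-library layer, not in HAProxy. Keep the token PIN out of both configuration files: pkcs11-provider can read it from a file referenced with `pin-source=file:/path` in the URI, which you can then protect with file permissions separately from the rest of the HAProxy configuration.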