reverse proxy – HAProxy : SSL/TLS termination + ports forwarding


I’m writing here because I use HAProxy as a reverse proxy with SSL/TLS termination, and I don’t know how to configure it to forward HTTPS requests on a specific port to the same port on my HTTP backend servers.

I’m trying to do something like this:

https://www.example.com:PORT --> http://www-backend:PORT

PORT is a port in a port range between 8000 and 9000 (these ports are open on the backend servers).

www-backend corresponds to one of my backend servers.

I have already done this with NGINX in the past, but never with HAProxy.

Could you help me?

This is my current HAProxy configuration:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 5s
        user haproxy
        group haproxy
        daemon

        tune.ssl.default-dh-param 4096

defaults
        log     global

        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        option http-server-close
        option http_proxy

        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

        stats enable
        stats hide-version
        stats refresh 5s
        stats uri /hastats


#Define http frontend
frontend www-http
        bind *:80
        # The space inside a reqadd string must be escaped with a backslash
        reqadd X-Forwarded-Proto:\ http
        default_backend www-backend

        # Test URI to see if its a letsencrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl

#Define https frontend
frontend www-https
        # "ssl" is required on the bind line for TLS to be terminated here
        bind *:8000-9000 ssl crt /etc/haproxy/certs/example.com.pem
        bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

#Define www-backend
backend www-backend
        mode http
        # Sample fetches use square brackets: %[src] is the client address
        http-request set-header X-Forwarded-For %[src]
        reqadd X-Forwarded-Proto:\ https
        option http-server-close

        balance roundrobin
        redirect scheme https if !{ ssl_fc }
        server web1 xxx.xxx.xxx.101:80 check
        server web2 xxx.xxx.xxx.102:80 check

#Define letsencrypt backend
backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8080
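
The mapping asked for above (https://www.example.com:PORT to http://www-backend:PORT), as an added example that is not part of the original post: a `server` line written without a port makes HAProxy connect to the same port the client connected to. The backend name `www-backend-ports`, the health-check port 80 and the use of `http-request set-header` instead of `reqadd` are assumptions; the addresses are the placeholders from the configuration above.

```haproxy
frontend www-https
        # TLS is terminated on 443 and on every port of the 8000-9000 range;
        # only ports listed on a bind line are reachable through the proxy
        bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
        bind *:8000-9000 ssl crt /etc/haproxy/certs/example.com.pem

        # Overwrite (not append) the forwarding headers so client-supplied values are dropped
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-Forwarded-Port %[dst_port]

        # Requests that arrived on 8000-9000 go to the port-preserving backend,
        # everything else (443) keeps using the existing port-80 backend
        use_backend www-backend-ports if { dst_port 8000:9000 }
        default_backend www-backend

# Hypothetical backend name, used only for this example
backend www-backend-ports
        mode http
        balance roundrobin

        # No port after the address: the connection to the server uses the
        # same port the client connected to on the frontend.
        # Health checks have no client connection to take a port from, so they
        # need an explicit "port" (80 here is an assumption).
        server web1 xxx.xxx.xxx.101 check port 80
        server web2 xxx.xxx.xxx.102 check port 80
```

The traffic between HAProxy and the servers is plain HTTP on every forwarded port, so the backend ports in the 8000-9000 range should accept connections only from the proxy's address.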