HAProxy is an incredibly versatile reverse proxy that’s capable of acting as both an HTTP(S) proxy like above, and a straight TCP proxy which allows you to proxy SSL connections as-is without decrypting and re-encrypting them (terminating). It doesn’t require a wild card (or any certificate, since the cert and private key live exclusively on the backend), but you lose the ability to inspect traffic and rewrite headers. (You will most certainly lose your original source IP with this configuration). A Wildcard still makes sense though, since you can put it on each of your backend servers to simplify management and reduce cost.
Don’t be deceived by the shorter configuration, only use an SSL/TLS Passthrough Proxy if you know exactly why you’re doing it this way! This configuration is most useful for load balancing, and HAProxy includes built in support for health checks, dynamically balancing only between hosts that are detected as up.
HAProxy has us define two configurations – a “Frontend” configuration and a “backend” configuration. The Frontend is the client-facing proxy, and the backend, intuitively are the servers you’re proxying to.
frontend localhost
# Only bind on 80 if you also want to listen for connections on 80
bind *:80
bind *:443
option tcplog
mode tcp
default_backend nodes
backend nodes
mode tcp
balance roundrobin
option ssl-hello-chk
# Add an entry for each of your backend servers and their resolvable hostnames
server webserver1 10.0.0.7:443 check
server webserver2 10.0.0.8:443 check
server webserver1 10.0.0.9:443 check
If your needing to use an SSL Certificate trusted by your frontend users / visitors we highly recommend a GeoTrust SSL Certificate. They have their root certificates trusted in over 99% of all major browsers and devices. GeoTrust also have available some very popular wildcard certificates.