SSL termination has been available since HAProxy 1.5, the current stable version, which you will need to build yourself (see the parent page for instructions). This is a very minimal configuration, as every environment is different. I will continue to add specific examples of alternate configurations, such as disabling weak ciphers and protocol versions (for example SSLv3, to thwart POODLE), adding additional HTTP headers, setting up Layer 7 health checks (HTTP and MySQL), and more.
global
    maxconn 1028
    daemon
    user haproxy
    group haproxy

defaults
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend https_443_frontend
    # TLS is terminated here; the .pem file must contain the certificate,
    # any intermediate chain and the private key in one file
    bind *:443 ssl crt /etc/ssl/certs/centoshowtos.org.pem
    mode http
    option forwardfor
    option http-server-close
    option httpclose
    # we add this so the backend servers know the request was ssl
    # otherwise we could end up in a redirect loop
    reqadd X-Forwarded-Proto:\ https
    default_backend http_80_backend

backend http_80_backend
    # plain HTTP from HAProxy to the web servers
    mode http
    balance roundrobin
    timeout connect 5s
    timeout server 30s
    server web01 10.66.6.11:80
    server web02 10.66.6.12:80
    server web03 10.66.6.13:80
    server web04 10.66.6.14:80
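The `crt` file on the `bind` line has to be a single PEM holding the server certificate, any intermediate chain and the private key, and since it contains the key it should not be world-readable. The following shell script is an added example, not part of this how-to: it assembles that combined PEM from separate files (the names server.crt, chain.crt and server.key are assumptions), creates it with mode 0600, and runs HAProxy's own syntax check (`haproxy -c -f`) on the config when the binary is available.

```shell
#!/bin/sh
# Added example, not part of the original how-to.
# Assumed inputs: server.crt (leaf cert), chain.crt (intermediates, optional),
# server.key (private key). Output: one PEM usable with "bind ... ssl crt <out>".
set -eu

# Build the combined PEM in the order HAProxy expects: leaf certificate,
# then any intermediate chain, then the private key. Refuses to proceed
# if the certificate or key block is missing from the inputs.
build_haproxy_pem() {
    cert="$1"; key="$2"; out="$3"; chain="${4:-}"
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "no certificate in $cert" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"        || { echo "no private key in $key" >&2; return 1; }
    # subshell so the restrictive umask (file created 0600) does not leak out
    (
        umask 077
        if [ -n "$chain" ]; then
            cat "$cert" "$chain" "$key" > "$out"
        else
            cat "$cert" "$key" > "$out"
        fi
    )
    chmod 600 "$out"
    echo "$out"
}

# Number of certificate blocks in a PEM (leaf + intermediates); 0 if none.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Ask HAProxy to validate the config without starting it.
# Returns 2 when haproxy is not installed, so callers can tell
# "check skipped" apart from "config invalid" (1).
check_haproxy_config() {
    cfg="$1"
    if ! command -v haproxy >/dev/null 2>&1; then
        echo "haproxy not installed, skipping syntax check" >&2
        return 2
    fi
    haproxy -c -f "$cfg"
}

# Typical use (paths are assumptions):
#   build_haproxy_pem /etc/pki/tls/certs/server.crt /etc/pki/tls/private/server.key \
#       /etc/ssl/certs/centoshowtos.org.pem /etc/pki/tls/certs/chain.crt
#   check_haproxy_config /etc/haproxy/haproxy.cfg
```

Re-run `check_haproxy_config` after every edit to haproxy.cfg and before reloading; it catches typos in section names and options without touching the running process.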