This is going to cover one way of configuring an SSL passthrough using HAProxy. This guide is intended to be a reference document, and administrators looking to configure an SSL passthrough should make sure the end solution meets both their company's business and security needs.
Why use SSL Passthrough instead of SSL Termination?
The main reason for ThingWorx would be if a company requires encrypted communication internally as well as externally. With SSL Termination, the request between the client and the load balancer is encrypted, but the load balancer decrypts it and forwards the plaintext request to the server. With SSL Passthrough, the request goes through the load balancer as is, and the decryption happens on the ThingWorx Application server.
What you will need to continue with this guide:
A working ThingWorx application server (a guide to getting one set up can be found here)
Tomcat configured for SSL
NOTE: Always contact your Security team and make sure you have a certificate that meets your business policy.
For this tutorial, I created a self-signed certificate following along with the below guide. If you have already obtained a valid certificate, you can skip the step of creating it and follow along with the Tomcat portion.
With ThingWorx running as SSL and HAProxy installed, we just need to make sure the HAProxy configuration is set up to allow SSL traffic through. We use 'mode tcp' to accomplish this.
On your HAProxy machine, open /etc/haproxy/haproxy.cfg for editing. While most of this can be customized to fit your business needs, some variation of the highlighted portions below needs to be included in your final configuration:
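As an added example (not taken from the original article or from PTC's documentation), here is a minimal haproxy.cfg for passing TLS through to two ThingWorx Tomcat instances. The listener port (443), the Tomcat port (8443), the backend addresses and the section names are assumptions for illustration; substitute your own. The essential parts are 'mode tcp' in the frontend and backend, so HAProxy forwards the encrypted byte stream without ever holding a private key.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp            # passthrough: HAProxy never decrypts
    option  tcplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend thingworx_tls_in
    bind *:443             # client-facing port; need not match the Tomcat port
    mode tcp
    # Wait briefly for the TLS ClientHello and drop anything that is not TLS,
    # so plaintext probes never reach the Tomcat TLS connector.
    tcp-request inspect-delay 5s
    tcp-request content reject unless { req.ssl_hello_type 1 }
    default_backend thingworx_tls_out

backend thingworx_tls_out
    mode tcp
    # In tcp mode HAProxy cannot insert a session cookie, so stickiness
    # (which ThingWorx HA needs) comes from the client source address.
    balance source
    # 'check' in tcp mode is a plain TCP connect check; each ThingWorx
    # server terminates TLS itself with its own certificate.
    server twx1 10.0.0.11:8443 check   # assumed address
    server twx2 10.0.0.12:8443 check   # assumed address
```

Before reloading, validate the file with 'haproxy -c -f /etc/haproxy/haproxy.cfg'. To confirm passthrough is really in effect, connect with 'openssl s_client -connect <loadbalancer>:443 -showcerts' and check that the certificate presented is the one installed in Tomcat, not one belonging to HAProxy; because the load balancer holds no key, it also cannot log HTTP-level details, so request logging must happen on the ThingWorx side.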
The load balancer port the clients connect to does not need to be the same as the ThingWorx port the load balancer will forward to
If working in a Highly Available configuration, each ThingWorx Application server needs to have its own certificate configured
If HAProxy seems unstable, try updating to the latest release.
If it is already on the latest release available from your distribution's package repository, check https://www.haproxy.org/ and see if there is a later stable release. There have been cases where the newest version in Ubuntu's repository was actually a few years old.