J'ai fini par installer stunnel sur l'équilibreur de charge, et par rediriger le trafic sur le port 80 à travers le tunnel.
HTTPs client => haproxy:443 => (pas de backends disponibles, utiliser le serveur 'backup' 127.0.0.1:4443) => 127.0.0.1:443 (stunnel) => 127.0.0.1:80 (haproxy, avec page failwhale)
haproxy.conf
listen SSL-via-shared-ip 1.2.3.2:443
mode tcp
option ssl-hello-chk
#option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
option httpchk HEAD /test.txt HTTP/1.0
# list of web servers
server app1 1.2.3.4:443 check port 80 maxconn 60
server app2 1.2.3.5:443 check port 80 maxconn 60
server failwhale 127.0.0.1:4443 backup maxconn 500
#error pages#
##these are in raw http, not just html ##
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
stunnel.conf
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2
; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/stunnel.pem
key = /etc/ssl/certs/stunnel.pem
; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; Service-level configuration
[failwhale]
accept = 4443
connect = 127.0.0.1:80
TIMEOUTclose = 0