Forum Discussion
Azure SDK python client to Azure iothub over HAproxy (SSL handshake failure)
Take this:
1. Use TCP Mode Only (No SSL Termination)
Azure IoT Hub expects TLS to be terminated only at its endpoint. Your HAProxy config must forward raw TCP traffic without interpreting or modifying SSL.
- Ensure frontend and backend are in mode tcp (Done).
2. Avoid Port Multiplexing
Each port (443, 8883, 5671) serves a different protocol:
- 8883 → MQTT over TLS
- 443 → HTTPS/WebSockets
- 5671 → AMQP over TLS
Instead of binding all ports in one frontend, create separate frontends per port:
    frontend iothub_mqtt
        bind *:8883
        mode tcp
        default_backend iothub_mqtt_backend

    backend iothub_mqtt_backend
        mode tcp
        server iothub_mqtt <iot-hub-hostname>:8883 check

    frontend iothub_websockets
        bind *:443
        mode tcp
        default_backend iothub_websockets_backend

    backend iothub_websockets_backend
        mode tcp
        server iothub_ws <iot-hub-hostname>:443 check
3. Use Correct SDK Protocol
Your SDK call uses websockets=True, which means it connects via port 443 using WebSockets. Ensure:
- HAProxy frontend for port 443 is active.
- Backend points to Azure IoT Hub’s FQDN on port 443.
- No SSL termination or inspection is done.
4. Proxy Configuration in SDK
The SDK’s ProxyOptions is intended for HTTP proxies, not TCP-level proxies like HAProxy. If you’re using HAProxy as a TCP passthrough, you don’t need to set proxy_options.
Instead:
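    from azure.iot.device import IoTHubDeviceClient

    # No proxy_options: HAProxy is a transparent TCP hop, not an HTTP proxy.
    device_client = IoTHubDeviceClient.create_from_connection_string(
        "IOTHUB_DEVICE_CONNECTION_STRING", websockets=True
    )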
And configure your system-level routing to direct traffic to HAProxy’s fixed IP.
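A small lint for the three HAProxy rules in the post above (TCP mode, no TLS termination, one port per frontend), added here as an example and not part of the original post or of any Azure or HAProxy tooling. The function name `lint_passthrough`, the sample config and its certificate path are constructed for illustration, and only global/defaults/frontend/backend/listen sections are handled.

```python
PROXY_SECTIONS = ("frontend", "backend", "listen")

def lint_passthrough(cfg_text):
    """Return (section, problem) pairs for settings that break TLS passthrough."""
    findings, ports, modes = [], {}, {}
    name, kind, default_mode = None, None, "tcp"  # tcp is HAProxy's built-in default
    for raw in cfg_text.splitlines():
        t = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not t:
            continue
        if t[0] in PROXY_SECTIONS + ("global", "defaults"):
            kind, name = t[0], " ".join(t[:2])
            if kind in PROXY_SECTIONS:
                modes[name], ports[name] = default_mode, set()
        elif t[0] == "mode" and len(t) > 1 and kind == "defaults":
            default_mode = t[1]                   # inherited by the sections that follow
        elif kind in PROXY_SECTIONS:
            if t[0] == "mode" and len(t) > 1:
                modes[name] = t[1]
            elif t[0] == "bind" and len(t) > 1:
                ports[name].update(a.rsplit(":", 1)[-1] for a in t[1].split(","))
                if "ssl" in t[2:]:                # 'ssl' on bind = proxy terminates TLS
                    findings.append((name, "bind terminates TLS (ssl)"))
            elif t[0] == "server" and "ssl" in t[3:]:
                findings.append((name, "server line re-encrypts TLS (ssl)"))
    for name, mode in modes.items():
        if mode != "tcp":
            findings.append((name, "mode %s instead of tcp" % mode))
        if len(ports[name]) > 1:
            findings.append((name, "multiplexes ports " + ",".join(sorted(ports[name]))))
    return findings

# Constructed sample that violates all three rules (not from the original post).
BAD_CFG = """
defaults
    mode http
frontend iothub_all
    bind *:443,*:8883 ssl crt /etc/haproxy/proxy.pem
    default_backend iothub_backend
backend iothub_backend
    server hub <iot-hub-hostname>:443 ssl verify none
"""

if __name__ == "__main__":
    for section, problem in lint_passthrough(BAD_CFG):
        print(section + ": " + problem)
```

Run against the per-port layout shown in the post, it returns no findings.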