How to enable ssl termination for HA proxy in PostgresSQL?

[snehalasarode]

I deployed the postgres using this repository and it is working fine. Now, I want to enable the ssl for postgresql. for that i did the changes in Haproxy.conf. below is my haproxy.conf

global
  log 127.0.0.1 syslog info
  daemon
  user vcap
  group vcap
  maxconn 64000
  spread-checks 4
  stats socket /var/vcap/sys/run/vip/haproxy.sock mode 600 level admin
  stats timeout 2m
  external-check
  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
  ssl-server-verify none

defaults
  log global
  maxconn 64000
  option contstats
  timeout connect 5m
  timeout client  30m
  timeout server  30m
  timeout queue   30m

frontend postgres
  mode tcp
  bind :5432 ssl crt /var/vcap/jobs/vip/config/privkey.pem
  default_backend postgres

backend postgres
  mode tcp
  option external-check
  external-check command "/var/vcap/jobs/postgres/bin/healthy"
  external-check path    "/var/vcap/packages/postgres/bin:/bin:/usr/bin:/sbin:/usr/sbin"
  server node0 x.x.x.x:6432 check inter 1000
  server node1 x.x.x.x:6432 check inter 1000

frontend postgres-read-replica
  mode tcp
  bind :7432
  default_backend postgres-read-replica

backend postgres-read-replica
  mode tcp
  option external-check
  external-check command "/var/vcap/jobs/postgres/bin/healthy"
  server node0 x.x.x.x:6432 check inter 1000
  server node1 x.x.x.x:6432 check inter 1000

I am using openssl to create the certificate for ssl. After changes into Haproxy.conf file i restarted all the components and it is in running state. When i am trying to connect postgres with ssl using postgres client it is giving me EOF error.
@jhunt can you guide me what exact steps i need perform to enable ssl termination for postgresql?

[jhunt]

I would do the SSL termination at the PostgreSQL itself.

That said, I think I personally would move off of this BOSH release and onto something like the Containers BOSH release, and run the upstream postgres image. I've updated that repo to include an example of a single-node postgres deployment with TLS as a hard requirement.