diff --git a/chef/cookbooks/cinder/attributes/default.rb b/chef/cookbooks/cinder/attributes/default.rb
index 92d31d6951..8e2e112cd3 100644
--- a/chef/cookbooks/cinder/attributes/default.rb
+++ b/chef/cookbooks/cinder/attributes/default.rb
@@ -54,3 +54,9 @@
 default[:cinder][:ha][:op][:monitor][:interval] = "10s"
 # Ports to bind to when haproxy is used for the real ports
 default[:cinder][:ha][:ports][:api] = 5520
+
+#
+# SSL settings
+#
+default[:cinder][:ssl][:loadbalancer_terminate_ssl] = false
+default[:cinder][:ssl][:pemfile] = "/etc/ssl/private/cinder.pem"
diff --git a/chef/cookbooks/cinder/recipes/controller_ha.rb b/chef/cookbooks/cinder/recipes/controller_ha.rb
index a4b2390839..bff42d2e62 100644
--- a/chef/cookbooks/cinder/recipes/controller_ha.rb
+++ b/chef/cookbooks/cinder/recipes/controller_ha.rb
@@ -28,6 +28,8 @@
 address node[:cinder][:api][:bind_open_address] ? "0.0.0.0" : cluster_admin_ip
 port node[:cinder][:api][:bind_port]
 use_ssl (node[:cinder][:api][:protocol] == "https")
+ terminate_ssl node[:cinder][:ssl][:loadbalancer_terminate_ssl]
+ pemfile node[:cinder][:ssl][:pemfile]
 servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "cinder", "cinder-controller", "api")
 rate_limit node[:cinder][:ha_rate_limit]["cinder-api"]
 action :nothing
diff --git a/chef/cookbooks/nova/attributes/default.rb b/chef/cookbooks/nova/attributes/default.rb
index dce35e3481..4deb763452 100644
--- a/chef/cookbooks/nova/attributes/default.rb
+++ b/chef/cookbooks/nova/attributes/default.rb
@@ -183,3 +183,9 @@
 # metadata/vendordata
 #
 default[:nova][:metadata][:vendordata][:json] = "{}"
+
+#
+# SSL settings
+#
+default[:nova][:ssl][:loadbalancer_terminate_ssl] = false
+default[:nova][:ssl][:pemfile] = "/etc/ssl/private/nova.pem"
diff --git a/chef/cookbooks/nova/recipes/controller_ha.rb b/chef/cookbooks/nova/recipes/controller_ha.rb
index 76b551a2ee..83773f0802 100644
--- a/chef/cookbooks/nova/recipes/controller_ha.rb
+++ b/chef/cookbooks/nova/recipes/controller_ha.rb
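Review bot: The new `pemfile` default in cinder/attributes/default.rb carries no comment saying what the file must contain or who provisions it, and nothing visible in this diff creates it. Assuming haproxy reads it as a combined certificate-and-key bundle when `loadbalancer_terminate_ssl` is true, I would say so above the attribute, e.g. `# pemfile: certificate chain + private key used by haproxy when loadbalancer_terminate_ssl is true; must exist on every cluster node, root-owned and not world-readable`. The nova attributes hunk adds the same pair and needs the same comment.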
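Review bot: In cinder/recipes/controller_ha.rb `terminate_ssl` is handed to `haproxy_loadbalancer` independently of `use_ssl`, so a proposal with `protocol` set to http and `loadbalancer_terminate_ssl` true reaches the resource unchecked, and `pemfile` is passed even when termination is off. How the resource treats those combinations is outside this diff; if termination only makes sense behind an https front end, derive it here, e.g. `terminate_ssl node[:cinder][:api][:protocol] == "https" && node[:cinder][:ssl][:loadbalancer_terminate_ssl]`. A comment should also state whether the haproxy-to-cinder-api hop stays encrypted once termination is on, since that decides what crosses the admin network in clear text. The nova recipe hunk has the same shape with `node[:nova][:ssl][:enabled]`, and the enclosing resource block starts and ends outside both hunks.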
@@ -28,6 +28,8 @@
 address "0.0.0.0"
 port node[:nova][:ports][:api]
 use_ssl node[:nova][:ssl][:enabled]
+ terminate_ssl node[:nova][:ssl][:loadbalancer_terminate_ssl]
+ pemfile node[:nova][:ssl][:pemfile]
 servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "nova", "nova-controller", "api")
 rate_limit node[:nova][:ha_rate_limit]["nova-api"]
 action :nothing
diff --git a/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb b/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb
new file mode 100644
index 0000000000..08254d0e07
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb
@@ -0,0 +1,12 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+ key = "loadbalancer_terminate_ssl"
+ template_value = template_attrs["cinder"]["ssl"][key]
+ attrs["cinder"]["ssl"][key] = template_value unless attrs["cinder"]["ssl"].key? key
+ return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+ key = "loadbalancer_terminate_ssl"
+ attrs["cinder"]["ssl"].delete(key) unless template_attrs["cinder"]["ssl"].key? key
+ return attrs, deployment
+end
diff --git a/chef/data_bags/crowbar/migrate/nova/214_add_haproxy_mode_http.rb b/chef/data_bags/crowbar/migrate/nova/214_add_haproxy_mode_http.rb
new file mode 100644
index 0000000000..4ea89933e1
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/nova/214_add_haproxy_mode_http.rb
@@ -0,0 +1,12 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+ key = "loadbalancer_terminate_ssl"
+ template_value = template_attrs["nova"]["ssl"][key]
+ attrs["nova"]["ssl"][key] = template_value unless attrs["nova"]["ssl"].key? key
+ return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+ key = "loadbalancer_terminate_ssl"
+ attrs["nova"]["ssl"].delete(key) unless template_attrs["nova"]["ssl"].key? key
+ return attrs, deployment
+end
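Review bot: The cinder migration 210 copies only `loadbalancer_terminate_ssl`, but the same commit also adds `pemfile` to template-cinder.json and marks it `"required": true` in template-cinder.schema, so an upgraded proposal would be left without a required key and would presumably fail schema validation. `upgrade` should set it as well, e.g. `attrs["cinder"]["ssl"]["pemfile"] = template_attrs["cinder"]["ssl"]["pemfile"] unless attrs["cinder"]["ssl"].key? "pemfile"`, with the matching `delete` in `downgrade`. The nova migration 214 has the same gap. Separately, the file name `add_haproxy_mode_http` does not describe the key these migrations add.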
diff --git a/chef/data_bags/crowbar/template-cinder.json b/chef/data_bags/crowbar/template-cinder.json
index c3653aa891..e2f01b2883 100644
--- a/chef/data_bags/crowbar/template-cinder.json
+++ b/chef/data_bags/crowbar/template-cinder.json
@@ -156,7 +156,9 @@
 "generate_certs": false,
 "insecure": false,
 "cert_required": false,
- "ca_certs": "/etc/cinder/ssl/certs/ca.pem"
+ "ca_certs": "/etc/cinder/ssl/certs/ca.pem",
+ "loadbalancer_terminate_ssl": false,
+ "pemfile": "/etc/ssl/private/cinder.pem"
 },
 "db": {
 "password": "",
@@ -183,7 +185,7 @@
 "cinder": {
 "crowbar-revision": 0,
 "crowbar-applied": false,
- "schema-revision": 209,
+ "schema-revision": 210,
 "element_states": {
 "cinder-controller": [ "readying", "ready", "applying" ],
 "cinder-volume": [ "readying", "ready", "applying" ]
diff --git a/chef/data_bags/crowbar/template-cinder.schema b/chef/data_bags/crowbar/template-cinder.schema
index 0c7804509c..58ef0e1ab7 100644
--- a/chef/data_bags/crowbar/template-cinder.schema
+++ b/chef/data_bags/crowbar/template-cinder.schema
@@ -332,7 +332,9 @@
 "generate_certs": { "type" : "bool", "required" : true },
 "insecure": { "type" : "bool", "required" : true },
 "cert_required": { "type" : "bool", "required" : true },
- "ca_certs": { "type" : "str", "required" : true }
+ "ca_certs": { "type" : "str", "required" : true },
+ "loadbalancer_terminate_ssl": { "type" : "bool", "required": true},
+ "pemfile": { "type" : "str", "required": true}
 }},
 "db": {
 "type": "map",
diff --git a/chef/data_bags/crowbar/template-nova.json b/chef/data_bags/crowbar/template-nova.json
index 8b150fe4a6..01ff6c967a 100644
--- a/chef/data_bags/crowbar/template-nova.json
+++ b/chef/data_bags/crowbar/template-nova.json
@@ -116,7 +116,9 @@
 "generate_certs": false,
 "insecure": false,
 "cert_required": false,
- "ca_certs": "/etc/nova/ssl/certs/ca.pem"
+ "ca_certs": "/etc/nova/ssl/certs/ca.pem",
+ "loadbalancer_terminate_ssl": false,
+ "pemfile": "/etc/ssl/private/nova.pem"
 },
 "novnc": {
 "ssl": {
@@ -182,7 +184,7 @@
 "nova": {
 "crowbar-revision": 0,
 "crowbar-applied": false,
- "schema-revision": 213,
+ "schema-revision": 214,
 "element_states": {
 "nova-controller": [ "readying", "ready", "applying" ],
 "nova-compute-ironic": [ "readying", "ready", "applying" ],
diff --git a/chef/data_bags/crowbar/template-nova.schema b/chef/data_bags/crowbar/template-nova.schema
index 8478958a5b..8d0e22cb33 100644
--- a/chef/data_bags/crowbar/template-nova.schema
+++ b/chef/data_bags/crowbar/template-nova.schema
@@ -178,7 +178,9 @@
 "generate_certs": { "type" : "bool", "required" : true },
 "insecure": { "type" : "bool", "required" : true },
 "cert_required": { "type" : "bool", "required" : true },
- "ca_certs": { "type" : "str", "required" : true }
+ "ca_certs": { "type" : "str", "required" : true },
+ "loadbalancer_terminate_ssl": { "type" : "bool", "required": true},
+ "pemfile": { "type" : "str", "required": true}
 }
 },
 "novnc": {