9dev
Why is fronting these systems with a central haproxy with TLS termination or similar not an option?
Because then you have plain HTTP running over your network. The issue here (I presume) is not how to secure access over the Internet, but within an internal network.
Plenty of people leave these devices without encrypted connections, because they are in a "secure network", but you should never rely on such a thing.
Nothing stops you from using a self-signed certificate with a ridiculous expiration period for HTTPS between the reverse proxy and the device in question.
Except browsers and other software that are becoming hard-coded to block access to such devices.
We used to use Firefox solely for internal problem devices with IP and subnet exclusions, but even that is becoming difficult.
Use the self-signed cert between the proxy and the problem device; everything else talks to the proxy.
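One way to set up what the two posts above describe (the self-signed certificate only on the proxy-to-device hop, while browsers and tooling only ever talk to the proxy) as an added HAProxy configuration example that is none of the commenters' own; the hostnames, the address and the file paths are assumed placeholders, and the weak variant is shown commented out beside the hardened one:

```haproxy
# Assumed names/paths (constructed for this example): switch01.internal,
# 192.0.2.10, and the files under /etc/haproxy/certs/.
global
    # Proxy-wide default: refuse any backend whose certificate cannot be verified.
    ssl-server-verify required

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Users and browsers only ever see this endpoint: a sensible hostname with a
# certificate issued by the internal CA their machines already trust.
frontend mgmt_https
    bind *:443 ssl crt /etc/haproxy/certs/mgmt.internal.pem
    http-request set-header X-Forwarded-Proto https
    use_backend switch01 if { req.hdr(host) -i switch01.mgmt.internal }

backend switch01
    # WEAK: encrypts the hop but accepts any certificate, so a device that is
    # swapped or impersonated on the management VLAN goes unnoticed.
    #server sw1 192.0.2.10:443 ssl verify none

    # Hardened: pin the device's own self-signed certificate. The ca-file is
    # that certificate itself, acting as a one-entry trust store, so only the
    # key the device was enrolled with is accepted. The SNI value must match
    # the CN/SAN in the device certificate (or set verifyhost explicitly), and
    # health checks run over the same TLS settings.
    server sw1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/switch01-selfsigned.pem sni str(switch01.internal) check
```

When the device certificate is eventually rotated, the pinned file must be replaced in the same change, otherwise the backend is correctly marked down rather than silently trusted.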
Fronting a switch management interface with haproxy? Are you sure that is a good idea?
Yes. If we're talking about handling TLS termination and putting an IP behind a sensible hostname, I don't see what's wrong with using a reverse proxy. Note that this does not imply making it accessible on the internet.
Yet more infra that must now be managed and a point of failure. No thank you.