HAProxy Configuration Guide

This guide walks you through setting up an HAProxy reverse proxy on Ubuntu 22.04 with:

A path-based reverse proxy where yourwebiste.com/hash points to hash.yourwebsite.com
HTTPS support using Let’s Encrypt via Certbot and a standalone method

Prerequisites

A server running Ubuntu 22.04
A registered domain name (e.g., yourwebsite.com)
DNS A record pointing yourwebsite.com to your server’s IP

Step 1: Install HAProxy

sudo apt update
sudo apt install haproxy -y

Enable and start the HAProxy service:

sudo systemctl enable haproxy
sudo systemctl start haproxy

Step 2: Install Certbot (Let’s Encrypt Client)

sudo apt install certbot -y

Step 3: Generate SSL Certificate with Certbot (Standalone)

Temporarily stop HAProxy to allow Certbot to bind to port 80:

sudo systemctl stop haproxy

Run Certbot with the standalone plugin:

sudo certbot certonly --standalone -d yourwebsit.com

After success, your certificate will be in:

/etc/letsencrypt/live/yourwebsite.com/fullchain.pem
/etc/letsencrypt/live/yourwebsite.com/privkey.pem

Restart HAProxy:

sudo systemctl start haproxy

Step 4: Configure HAProxy

Edit the HAProxy config file:

sudo nano /etc/haproxy/haproxy.cfg

Example configuration:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers PROFILE=SYSTEM

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend http-in
    bind *:80
    redirect scheme https if !{ ssl_fc }

frontend https-in
    bind *:443 ssl crt /etc/letsencrypt/live/yoursite/yoursite.pem
    mode http

    acl is_hash path_beg /hash
    use_backend hash_backend if is_hash
    default_backend your_website_backend

backend hash_backend
    mode http
    http-request set-path "%[path,regsub(^/hash, /)]"
    http-request set-header Host hash.yoursite.com
    server apache_server hash.yoursite.com:443 ssl verify none


backend your_website_backend
    server apache_server 127.0.0.1:8080 check

Check the config:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

Reload HAProxy:

sudo systemctl reload haproxy

Step 5: Verify Setup

Visit:

https://yoursite.com/hash/

It should forward the request to:

http://hash.yoursite.com/

Step 6: Auto-Renew Certificates

Edit the crontab:

sudo crontab -e

Add the following to renew and reload HAProxy every 12 hours:

0 */12 * * * systemctl stop haproxy && certbot renew --quiet && systemctl start haproxy

Conclusion

You now have:

HAProxy running on Ubuntu 22.04
HTTPS via Let’s Encrypt
Reverse proxy from site.com/x to x.site.com

After enabling Cookie lifetime extender, the DCP will give a proxy code that is expected to be setup on https://domain.*/hash however, if it is set up on https://www.domain.*/hash it will cause a CORS Error on the Cookie Lifetime Extender Requests.

If you have any questions or feedback, please open a request on our Helpdesk.

PreviousApache Configuration Guide NextIIS (Microsoft Windows Server) Configuration Guide

Last updated 16 days ago

Was this helpful?