# HAProxy Configuration Guide

This guide walks you through setting up an HAProxy reverse proxy on Ubuntu 22.04 with:

* A path-based reverse proxy where `yourwebsite.com/hash` points to `hash.yourwebsite.com`
* HTTPS support using Let’s Encrypt via Certbot's standalone method

***

### **Prerequisites** <a href="#haproxyconfigurationguide-prerequisites" id="haproxyconfigurationguide-prerequisites"></a>

* A server running **Ubuntu 22.04**
* A registered domain name (e.g., `yourwebsite.com`)
* DNS A record pointing `yourwebsite.com` to your server’s IP

***

### **Step 1: Install HAProxy** <a href="#haproxyconfigurationguide-step1-installhaproxy" id="haproxyconfigurationguide-step1-installhaproxy"></a>

```
sudo apt update
sudo apt install haproxy -y
```

Enable and start the HAProxy service:

```
sudo systemctl enable haproxy
sudo systemctl start haproxy
```

***

### **Step 2: Install Certbot (Let’s Encrypt Client)** <a href="#haproxyconfigurationguide-step2-installcertbot-letsencryptclient" id="haproxyconfigurationguide-step2-installcertbot-letsencryptclient"></a>

```
sudo apt install certbot -y
```

***

### **Step 3: Generate SSL Certificate with Certbot (Standalone)** <a href="#haproxyconfigurationguide-step3-generatesslcertificatewithcertbot-standalone" id="haproxyconfigurationguide-step3-generatesslcertificatewithcertbot-standalone"></a>

Temporarily stop HAProxy to allow Certbot to bind to port 80:

```
sudo systemctl stop haproxy
```

Run Certbot with the standalone plugin:

```
sudo certbot certonly --standalone -d yourwebsite.com
```

After success, your certificate chain and private key will be in:

```
/etc/letsencrypt/live/yourwebsite.com/fullchain.pem
/etc/letsencrypt/live/yourwebsite.com/privkey.pem
```

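HAProxy's `crt` option expects the certificate chain and the private key in a single PEM file, so the `crt` path used in Step 4 has to be built from these two files.

Start HAProxy again: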

```
sudo systemctl start haproxy
```

***

### **Step 4: Configure HAProxy** <a href="#haproxyconfigurationguide-step4-configurehaproxy" id="haproxyconfigurationguide-step4-configurehaproxy"></a>

Edit the HAProxy config file:

```
sudo nano /etc/haproxy/haproxy.cfg
```

Example configuration:

{% code overflow="wrap" lineNumbers="true" %}

```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

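    ssl-default-bind-options no-sslv3
    # PROFILE=SYSTEM defers to the distribution's OpenSSL crypto policy; if
    # `haproxy -c` rejects it, set an explicit cipher list here instead.
    ssl-default-bind-ciphers PROFILE=SYSTEM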

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend http-in
    bind *:80
    redirect scheme https if !{ ssl_fc }

frontend https-in
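    # Combined PEM (fullchain.pem followed by privkey.pem); Certbot does not create this file.
    bind *:443 ssl crt /etc/letsencrypt/live/yourwebsite.com/yourwebsite.com.pem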
    mode http

    acl is_hash path_beg /hash
    use_backend hash_backend if is_hash
    default_backend your_website_backend

backend hash_backend
    mode http
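    # Strip the /hash prefix before forwarding.
    http-request set-path "%[path,regsub(^/hash, /)]"
    http-request set-header Host hash.yourwebsite.com
    # Verify the upstream certificate against the system CA bundle and send SNI
    # so the certificate is checked against the expected host name.
    server apache_server hash.yourwebsite.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(hash.yourwebsite.com)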


backend your_website_backend
    server apache_server 127.0.0.1:8080 check
```

{% endcode %}

Check the config:

```
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
```

Reload HAProxy:

```
sudo systemctl reload haproxy
```

***

### **Step 5: Verify Setup** <a href="#haproxyconfigurationguide-step5-verifysetup" id="haproxyconfigurationguide-step5-verifysetup"></a>

Visit:

```
https://yourwebsite.com/hash/
```

It should forward the request to:

```
https://hash.yourwebsite.com/
```

***

### **Step 6: Auto-Renew Certificates** <a href="#haproxyconfigurationguide-step6-auto-renewcertificates" id="haproxyconfigurationguide-step6-auto-renewcertificates"></a>

Edit the crontab:

```
sudo crontab -e
```

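Add the following to check for renewal every 12 hours. Certbot runs the hooks only when a certificate is due for renewal, so HAProxy is stopped just for the renewal attempt and started again even if the attempt fails:

{% code overflow="wrap" %}

```
0 */12 * * * certbot renew --quiet --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy"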
```

{% endcode %}
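
Certbot writes `fullchain.pem` and `privkey.pem` as separate files, while the `crt` path in Step 4 is a single file, so that file has to be rebuilt after every renewal. The deploy hook below is an added example, not part of the original guide; the install path, the `HAPROXY_PEM` variable and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: Certbot deploy hook.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/haproxy-pem.sh

# build_haproxy_pem LINEAGE_DIR OUT_FILE  (hypothetical helper name)
# Joins fullchain.pem and privkey.pem into the single PEM that "crt" loads.
build_haproxy_pem() {
    lineage=$1
    out=$2
    chain="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"

    # Refuse to publish a broken bundle: both inputs must exist, be
    # non-empty and carry the expected PEM markers.
    [ -s "$chain" ] || { echo "missing or empty: $chain" >&2; return 1; }
    [ -s "$key" ] || { echo "missing or empty: $key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" ||
        { echo "no certificate in $chain" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }

    # Build in a temp file next to the target and rename it into place, so
    # HAProxy never reads a partial file. mktemp creates it owner-only, and
    # chmod 600 makes that explicit because the file holds the private key.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if cat "$chain" "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/yourwebsite.com)
# to deploy hooks after a successful renewal. Nothing runs without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # HAPROXY_PEM is a hypothetical override; the default follows the
    # live/<name>/<name>.pem pattern of the crt path in Step 4.
    pem=${HAPROXY_PEM:-}
    [ -n "$pem" ] || pem="$RENEWED_LINEAGE/$(basename "$RENEWED_LINEAGE").pem"
    build_haproxy_pem "$RENEWED_LINEAGE" "$pem" || exit 1
    # Check that the configuration loads with the new PEM.
    haproxy -c -q -f /etc/haproxy/haproxy.cfg || exit 1
    # With the standalone method HAProxy is stopped while Certbot renews,
    # so reload only if it is currently running.
    if systemctl is-active --quiet haproxy; then
        systemctl reload haproxy
    fi
fi
```

Hooks in `renewal-hooks/deploy` run on `certbot renew`, not on the first `certonly`, so after Step 3 run the script once by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/yourwebsite.com` set.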

***

### **Conclusion** <a href="#haproxyconfigurationguide-conclusion" id="haproxyconfigurationguide-conclusion"></a>

You now have:

* HAProxy running on Ubuntu 22.04
* HTTPS via Let’s Encrypt
* Reverse proxy from `site.com/x` to `x.site.com`

{% hint style="danger" %}
After you enable the Cookie Lifetime Extender, the DCP provides a proxy code that is expected to be set up on `https://domain.*/hash`. If it is set up on `https://www.domain.*/hash` instead, the Cookie Lifetime Extender requests will fail with a CORS error.

For more details on WWW configuration, follow this [guide](https://docs.jentis.com/key-features/cookie-lifetime-extender/configure-your-tracking#www-configuration-guide-optional).
{% endhint %}

***

If you have any questions or feedback, please open a request on our [Helpdesk](https://jentis.atlassian.net/servicedesk/customer/portal/1/group/1/create/220).
