# HAProxy Configuration Guide

This guide walks you through setting up an HAProxy reverse proxy on Ubuntu 22.04 with:

* A path-based reverse proxy where `yourwebsite.com/hash` points to `hash.yourwebsite.com`
* HTTPS support using Let’s Encrypt via Certbot in standalone mode

***

### **Prerequisites** <a href="#haproxyconfigurationguide-prerequisites" id="haproxyconfigurationguide-prerequisites"></a>

* A server running **Ubuntu 22.04**
* A registered domain name (e.g., `yourwebsite.com`)
* DNS A record pointing `yourwebsite.com` to your server’s IP

***

### **Step 1: Install HAProxy** <a href="#haproxyconfigurationguide-step1-installhaproxy" id="haproxyconfigurationguide-step1-installhaproxy"></a>

```
sudo apt update
sudo apt install haproxy -y
```

Enable and start the HAProxy service:

```
sudo systemctl enable haproxy
sudo systemctl start haproxy
```

***

### **Step 2: Install Certbot (Let’s Encrypt Client)** <a href="#haproxyconfigurationguide-step2-installcertbot-letsencryptclient" id="haproxyconfigurationguide-step2-installcertbot-letsencryptclient"></a>

```
sudo apt install certbot -y
```

***

### **Step 3: Generate SSL Certificate with Certbot (Standalone)** <a href="#haproxyconfigurationguide-step3-generatesslcertificatewithcertbot-standalone" id="haproxyconfigurationguide-step3-generatesslcertificatewithcertbot-standalone"></a>

Temporarily stop HAProxy to allow Certbot to bind to port 80:

```
sudo systemctl stop haproxy
```

Run Certbot with the standalone plugin:

```
sudo certbot certonly --standalone -d yourwebsite.com
```

After success, your certificate will be in:

```
/etc/letsencrypt/live/yourwebsite.com/fullchain.pem
/etc/letsencrypt/live/yourwebsite.com/privkey.pem
```

Restart HAProxy:

```
sudo systemctl start haproxy
```
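
The `crt` path in the Step 4 configuration is a single PEM file holding both the certificate chain and the private key, while Certbot writes them as the two separate files listed above. The script below is an added example, not part of the original guide: a Certbot deploy hook that builds the combined file next to the originals, following the `live/<name>/<name>.pem` layout used in Step 4. The function name `build_haproxy_pem` is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): build the combined PEM that
# HAProxy's "bind ... ssl crt <file>" loads from Certbot's separate files.

build_haproxy_pem() {
    lineage=$1   # e.g. /etc/letsencrypt/live/yourwebsite.com
    out=$2       # combined file referenced by "crt" in haproxy.cfg

    chain="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"

    # Refuse to install anything unless both inputs look like PEM material.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null || {
        echo "no certificate found in $chain" >&2
        return 1
    }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "no private key found in $key" >&2
        return 1
    }

    # Create the temp file under umask 077 so the key is never readable by
    # other users, then rename it into place so HAProxy never loads a
    # half-written file.
    tmp=$(umask 077 && mktemp "$out.XXXXXX") || return 1
    if cat "$chain" "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Certbot exports RENEWED_LINEAGE to deploy hooks after a successful renewal.
# HAProxy reads the new file the next time it is started or reloaded.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" \
        "$RENEWED_LINEAGE/$(basename "$RENEWED_LINEAGE").pem"
fi
```

Save it as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/`. Run it once by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/yourwebsite.com` after the first issuance, because directory hooks only run on `certbot renew`.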

***

### **Step 4: Configure HAProxy** <a href="#haproxyconfigurationguide-step4-configurehaproxy" id="haproxyconfigurationguide-step4-configurehaproxy"></a>

Edit the HAProxy config file:

```
sudo nano /etc/haproxy/haproxy.cfg
```

Example configuration:

{% code overflow="wrap" lineNumbers="true" %}

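```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Accept TLS 1.2 and newer only. Cipher selection is left to the OpenSSL
    # defaults: "PROFILE=SYSTEM" is a Red Hat crypto-policies cipher string
    # and is not available in Ubuntu's OpenSSL.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend http-in
    bind *:80
    # Plain HTTP is only used to redirect to HTTPS
    redirect scheme https if !{ ssl_fc }

frontend https-in
    # Single PEM file: certificate chain followed by the private key
    bind *:443 ssl crt /etc/letsencrypt/live/yourwebsite.com/yourwebsite.com.pem
    mode http

    # Requests whose path starts with /hash go to the hash backend
    acl is_hash path_beg /hash
    use_backend hash_backend if is_hash
    default_backend your_website_backend

backend hash_backend
    mode http
    # Strip the /hash prefix and send the upstream's own Host header
    http-request set-path "%[path,regsub(^/hash, /)]"
    http-request set-header Host hash.yourwebsite.com
    # Verify the upstream certificate against the system CA bundle
    server apache_server hash.yourwebsite.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(hash.yourwebsite.com)

backend your_website_backend
    server apache_server 127.0.0.1:8080 check
```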

{% endcode %}

Check the config:

```
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
```

Reload HAProxy:

```
sudo systemctl reload haproxy
```

***

### **Step 5: Verify Setup** <a href="#haproxyconfigurationguide-step5-verifysetup" id="haproxyconfigurationguide-step5-verifysetup"></a>

Visit:

```
https://yourwebsite.com/hash/
```

It should forward the request to:

```
https://hash.yourwebsite.com/
```

***

### **Step 6: Auto-Renew Certificates** <a href="#haproxyconfigurationguide-step6-auto-renewcertificates" id="haproxyconfigurationguide-step6-auto-renewcertificates"></a>

Edit the crontab:

```
sudo crontab -e
```

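Add the following to check for renewal every 12 hours. The hooks stop HAProxy only when a certificate is actually due for renewal, and start it again whether or not the renewal succeeds:

{% code overflow="wrap" %}

```
0 */12 * * * certbot renew --quiet --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy"
```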

{% endcode %}

***

### **Conclusion** <a href="#haproxyconfigurationguide-conclusion" id="haproxyconfigurationguide-conclusion"></a>

You now have:

* HAProxy running on Ubuntu 22.04
* HTTPS via Let’s Encrypt
* Reverse proxy from `site.com/x` to `x.site.com`

{% hint style="danger" %}
After you enable the Cookie Lifetime Extender, the DCP provides a proxy code that is expected to be set up on `https://domain.*/hash`. If it is set up on `https://www.domain.*/hash` instead, the Cookie Lifetime Extender requests will fail with a CORS error.

For more details on WWW configuration follow this [guide](https://docs.jentis.com/key-features/cookie-lifetime-extender/configure-your-tracking#www-configuration-guide-optional).
{% endhint %}
