
HAProxy

HAProxy is a high-performance TCP/HTTP load balancer and reverse proxy. It’s widely used in production for its low latency, strong health checks, and precise routing via ACLs.

Choose HAProxy when you need fine-grained traffic control, multiple backends, or predictable performance under load.


Install HAProxy (Ubuntu / Debian)

sudo apt update
sudo apt install -y haproxy
sudo systemctl enable --now haproxy

HAProxy runs as a systemd service and starts on boot.

Check status:

systemctl status haproxy

Basic reverse proxy (HTTP)

Edit /etc/haproxy/haproxy.cfg:

global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http-in
    bind :80
    default_backend app

backend app
    server app1 127.0.0.1:3000 check

Validate and reload:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl reload haproxy

HTTPS with Let’s Encrypt (safe approach)

HAProxy does not manage certificates itself. A common pattern is:

  • Certbot handles ACME
  • HAProxy terminates TLS using PEM files

Obtain certificates

sudo snap install --classic certbot
sudo certbot certonly --standalone -d example.com

Prepare certificate for HAProxy

sudo mkdir -p /etc/haproxy/certs
# umask 077 keeps the private key from being world-readable between creation and chmod
sudo bash -c 'umask 077; cat /etc/letsencrypt/live/example.com/fullchain.pem \
    /etc/letsencrypt/live/example.com/privkey.pem \
    > /etc/haproxy/certs/example.com.pem'
sudo chmod 600 /etc/haproxy/certs/example.com.pem

Add HTTPS frontend

frontend https-in
    bind :443 ssl crt /etc/haproxy/certs/example.com.pem
    default_backend app

# Replaces the earlier http-in frontend: plain HTTP now only redirects to HTTPS
frontend http-in
    bind :80
    http-request redirect scheme https code 301
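
Certbot renews the files under /etc/letsencrypt/live/, but HAProxy keeps reading the combined PEM built above, so that file has to be rebuilt after every renewal. The following is an added example, not part of the original page: a Certbot deploy hook that rebuilds the PEM atomically with 0600 permissions, then validates the config and reloads HAProxy. The function name and the CERT_DIR and HAPROXY_CFG variables are assumptions.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds HAProxy's combined PEM.
set -eu

CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"              # directory used on this page
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"  # config path used on this page

# build_haproxy_pem LIVE_DIR OUT_FILE   (hypothetical helper name)
# Writes fullchain.pem + privkey.pem to a temp file next to OUT_FILE, then
# renames it into place, so HAProxy never sees a half-written or readable key.
build_haproxy_pem() {
    live_dir=$1
    out_file=$2
    for f in fullchain.pem privkey.pem; do
        # Refuse to build from a missing or empty input; keep the old PEM.
        [ -s "$live_dir/$f" ] || { echo "missing or empty: $live_dir/$f" >&2; return 1; }
    done
    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp=$(mktemp "$out_file.XXXXXX") || return 1
    if ! cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp"
    mv -f "$tmp" "$out_file"   # atomic rename within the same directory
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# to deploy hooks; without it this script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    build_haproxy_pem "$RENEWED_LINEAGE" "$CERT_DIR/$name.pem"
    haproxy -c -f "$HAPROXY_CFG"   # set -e aborts here if the config or cert is invalid
    systemctl reload haproxy
fi
```

Place the script in /etc/letsencrypt/renewal-hooks/deploy/ and make it executable; Certbot runs the hooks in that directory after each successful renewal.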

Logging and debugging

  • Logs: /var/log/syslog or via journalctl -u haproxy
  • Config check: haproxy -c -f /etc/haproxy/haproxy.cfg
  • Health checks are visible via backend status

When to use HAProxy

  • Multiple backends or services
  • Advanced routing (ACLs, headers, paths)
  • High traffic or low-latency requirements
  • TCP-level proxying (not just HTTP)

When not to use HAProxy

  • You want HTTPS with zero configuration
  • You prefer simple, readable configs
  • You don’t need advanced routing logic

HAProxy vs others (intuition)

  • HAProxy: maximum control, production-grade routing
  • Nginx: flexible web server + proxy
  • Caddy: simplest HTTPS-first experience

Key takeaways

  • HAProxy excels at performance and control
  • Configuration is explicit and powerful
  • Certificates are obtained externally (Certbot, ACME); HAProxy terminates TLS from the PEM files
  • Ideal for complex or high-traffic setups

Skip manual setup

If you don’t want to manage certificates, configs, or reloads:

👉 Deploy an app with built-in HTTPS and routing

Hostim.dev provides automatic HTTPS, routing, logs, and metrics—without manual HAProxy configuration.