Add header if ssl:

http-request add-header X-Forwarded-Proto https if { ssl_fc }

Check config:

haproxy -c -f /etc/haproxy/haproxy.cfg

Log rotation config /etc/logrotate.d/haproxy:

/var/log/haproxy.log {
    rotate 52
        invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true


frontend fe

# HTTP log format format, which is the most advanced for HTTP proxying.
# It provides the same information as the TCP format with some HTTP-specific fields such as the request, the status code, and captures of headers and cookies.
# This format is recommended for HTTP proxies.
   option httplog

backend be

    stick-table type string len 32 size 1M peers haproxy-peers
    # type string len 32 - String 32 characters
    # size 1M - maximum number of entries that can fit in the table. Count approximately 50 bytes per entry, plus the size of a string if any.
    # The size supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.

    # Define a request pattern to associate a user to a server
    stick on req.cook(SERVERID)

    # Define a request pattern matching condition to stick a user to a server
    stick match <pattern> [table <table>] [{if | unless} <cond>]

Proxy to backend depending on hostname. Only https. If hostname rule is not exist - proxy to default backend:

frontend https-front-session
        bind *:443 ssl crt /etc/ssl/key.pem
        bind *:80
        redirect scheme https if !{ ssl_fc }

        default_backend back-session

        acl is_old hdr_end(host) -i old.example.com
        use_backend old_example if is_old

        acl is_new hdr_end(host) -i new.example.com
        use_backend new_example if is_new

SSL backend:

backend be
    balance roundrobin
    server s1 example.com:443 check ssl verify none
# ssl verify none - without ssl verification


HATop is an interactive ncurses client and real-time monitoring, statistics displaying tool for the HAProxy TCP/HTTP load balancer.


First of all, make sure you have the stats socket enabled in the haproxy config:

  stats socket /run/haproxy/admin.sock mode 0600 level admin

That’s all you need to use HATop:

sudo hatop -s /run/haproxy/admin.sock

HAProxy + LetsEncrypt

sudo apt install letsencrypt


frontend https-front-session
        bind *:443 ssl crt /etc/ssl/le/one.example.com.pem crt /etc/ssl/le/two.example.com.pem
        bind *:80

        redirect scheme https if !{ ssl_fc }

        default_backend back-session

        acl is_le path_beg /.well-known/acme-challenge/
        acl is_old hdr_end(host) -i one.example.com
        acl is_new hdr_end(host) -i two.example.com

        # Order is important
        use_backend le if is_le
        use_backend b1 if is_old
        use_backend b2 if is_new

backend le
        server letsencrypt

Get cert:

sudo letsencrypt certonly --agree-tos --renew-by-default --standalone-supported-challenges http-01 --http-01-port 54321 -d <one.example.com>



letsencrypt renew --agree-tos --standalone-supported-challenges http-01 --http-01-port 54321

cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/ssl/le/$DOMAIN.pem

cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/ssl/le/$DOMAIN.pem

service haproxy reload