Full HAProxy Ingress Setup: DNS, SSL & Multi‑Domain Routing (Ubuntu/Debian)
This guide walks you through the complete setup of a HAProxy ingress node on Ubuntu/Debian 12, including:
- DNS A‑record configuration
- Installing HAProxy
- Multi‑domain SNI routing
- Installing Certbot
- Generating SSL certificates
- Creating HAProxy PEM bundles
- Automatic certificate renewal
- Routing traffic to backend services
1. DNS A‑Record Setup
1.1 Get your HAProxy server's public IP

```bash
curl ifconfig.me
```

Example output:

```text
203.0.113.45
```

All domains must point to this IP before SSL certificates can be issued.
1.2 Create DNS A‑records
In your domain registrar's DNS panel, add:
For domain1.com
| Type | Name | Value | TTL |
|---|---|---|---|
| A | @ | 203.0.113.45 | 300 |
| A | www | 203.0.113.45 | 300 |
For domain2.com
| Type | Name | Value | TTL |
|---|---|---|---|
| A | @ | 203.0.113.45 | 300 |
| A | www | 203.0.113.45 | 300 |
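Before running Certbot it is worth confirming that the apex and www names of every domain really resolve to the IP above. The following pre-flight script is an added example, not part of the original guide; it uses the local system resolver (getent), so run it from a host that uses public DNS, because Let's Encrypt validates from the public Internet and a split-horizon or /etc/hosts answer would give a false pass.

```bash
#!/bin/bash
# Added example, not from the original guide: a pre-flight check that every
# name you are about to request a certificate for resolves to this node's IP.
# It queries the local system resolver via getent; run it from a host that uses
# public DNS, since Let's Encrypt validates from the public Internet.
set -eu

# a_records NAME: print the IPv4 addresses NAME resolves to, one per line, sorted.
a_records() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# points_to NAME IP: 0 when NAME resolves and every address it returns equals IP.
points_to() {
    local name="$1" ip="$2" addrs
    addrs=$(a_records "$name")
    [ -n "$addrs" ] && [ "$addrs" = "$ip" ]
}

# check_domains IP DOMAIN...: checks the apex and www name of each domain.
# Returns 1 if any name is unresolvable or points somewhere else.
check_domains() {
    local ip="$1" rc=0 d name
    shift
    for d in "$@"; do
        for name in "$d" "www.$d"; do
            if points_to "$name" "$ip"; then
                echo "ok    $name -> $ip"
            else
                echo "FAIL  $name -> $(a_records "$name" | tr '\n' ' ') (expected $ip)" >&2
                rc=1
            fi
        done
    done
    return "$rc"
}

# Usage: bash dns-check.sh 203.0.113.45 domain1.com domain2.com
if [ "$#" -ge 2 ]; then
    check_domains "$@"
fi
```

A non-zero exit means at least one name is not ready; fix the record (and wait for the old TTL to expire) before issuing certificates, otherwise the HTTP-01 challenge will fail.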
2. Install HAProxy

```bash
sudo apt update
sudo apt install haproxy
```

Check status:

```bash
systemctl status haproxy
```

3. Install Certbot (APT Method)
```bash
sudo apt update
sudo apt install certbot
```

Debian 12 supports Certbot via apt, without snap.

4. Generate SSL Certificates
Stop HAProxy temporarily (Certbot's standalone mode needs to bind port 80 itself):

```bash
sudo systemctl stop haproxy
```

Generate certificates:

```bash
sudo certbot certonly --standalone -d domain1.com -d www.domain1.com
sudo certbot certonly --standalone -d domain2.com -d www.domain2.com
```

Certificates are stored in:

```text
/etc/letsencrypt/live/domain1.com/
/etc/letsencrypt/live/domain2.com/
```
5. Create HAProxy PEM Bundles
HAProxy requires combined PEM files (full chain followed by the private key):

```bash
sudo bash -c 'cat \
    /etc/letsencrypt/live/domain1.com/fullchain.pem \
    /etc/letsencrypt/live/domain1.com/privkey.pem \
    > /etc/letsencrypt/live/domain1.com/haproxy.pem'
sudo bash -c 'cat \
    /etc/letsencrypt/live/domain2.com/fullchain.pem \
    /etc/letsencrypt/live/domain2.com/privkey.pem \
    > /etc/letsencrypt/live/domain2.com/haproxy.pem'
```
6. Configure HAProxy Multi‑Domain Routing
Edit:

```bash
sudo nano /etc/haproxy/haproxy.cfg
```

Frontend (each ACL lists both the apex and the www name, since the certificates cover both):

```haproxy
frontend https-in
    mode http
    bind :443 ssl crt /etc/letsencrypt/live/domain1.com/haproxy.pem crt /etc/letsencrypt/live/domain2.com/haproxy.pem
    acl host_domain1 hdr(host) -i domain1.com www.domain1.com
    acl host_domain2 hdr(host) -i domain2.com www.domain2.com
    use_backend backend_domain1 if host_domain1
    use_backend backend_domain2 if host_domain2
```

HAProxy picks the certificate by SNI from the `crt` list; requests whose Host header matches neither ACL get a 503, because no `default_backend` is defined.

Backends (generic placeholders):

```haproxy
backend backend_domain1
    server srv1 127.0.0.1:3001
backend backend_domain2
    server srv2 127.0.0.1:3002
```
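The same frontend/backend structure scales to any number of domains. The script below is an added example, not from the original guide: it renders the routing section for a list of `domain:port` pairs (that input format and the generated ACL/backend names are this example's own conventions) and, when HAProxy is installed, validates the result with `haproxy -c` before you append it to haproxy.cfg.

```bash
#!/bin/bash
# Added example, not from the original guide: render the frontend and backends
# shown above for any number of domains, then check the result with `haproxy -c`
# when HAProxy is installed. The "domain:port ..." SERVICES format and the
# generated ACL/backend names are assumptions of this example.
set -eu

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# acl_name DOMAIN: "domain1.com" -> "host_domain1_com" (ACL-safe characters only).
acl_name() {
    printf 'host_%s' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9' '_')"
}

# render_cfg "domain1.com:3001 domain2.com:3002": print one frontend that
# terminates TLS for every domain and routes each Host to its own backend.
render_cfg() {
    local services="$1" entry domain port name crt_args=""
    for entry in $services; do
        domain="${entry%%:*}"
        crt_args="$crt_args crt $LE_LIVE/$domain/haproxy.pem"
    done
    printf 'frontend https-in\n'
    printf '    mode http\n'
    printf '    bind :443 ssl%s\n' "$crt_args"
    for entry in $services; do
        domain="${entry%%:*}"
        name=$(acl_name "$domain")
        # Match the apex and the www name; the certificate covers both.
        printf '    acl %s hdr(host) -i %s www.%s\n' "$name" "$domain" "$domain"
        printf '    use_backend backend_%s if %s\n' "${name#host_}" "$name"
    done
    # Deliberately no default_backend: an unknown Host gets a 503 rather than
    # being handed to whichever backend happens to be listed first.
    printf '\n'
    for entry in $services; do
        domain="${entry%%:*}"
        port="${entry##*:}"
        name=$(acl_name "$domain")
        printf 'backend backend_%s\n' "${name#host_}"
        printf '    server srv_%s 127.0.0.1:%s\n\n' "${name#host_}" "$port"
    done
}

# validate_cfg FILE: 0 if `haproxy -c` accepts FILE, 1 if it rejects it,
# 2 if haproxy is not installed (so "unchecked" is distinguishable from "invalid").
validate_cfg() {
    command -v haproxy >/dev/null 2>&1 || return 2
    haproxy -c -q -f "$1" || return 1
}

# Usage: bash render-haproxy.sh render "domain1.com:3001 domain2.com:3002" > /tmp/routing.cfg
if [ "${1:-}" = "render" ]; then
    render_cfg "${2:-domain1.com:3001 domain2.com:3002}"
fi
```

Append the rendered section below the `global` and `defaults` blocks of /etc/haproxy/haproxy.cfg, run `validate_cfg /etc/haproxy/haproxy.cfg`, and only reload once it returns 0.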
Restart HAProxy:

```bash
sudo systemctl start haproxy
```

7. Automatic SSL Renewal + HAProxy Reload
Create deploy hook:

```bash
sudo nano /etc/letsencrypt/renewal-hooks/deploy/haproxy-reload.sh
```

Add:
```bash
#!/bin/bash
set -e   # do not reload if a bundle could not be rebuilt
# Domain 1
cat /etc/letsencrypt/live/domain1.com/fullchain.pem \
    /etc/letsencrypt/live/domain1.com/privkey.pem \
    > /etc/letsencrypt/live/domain1.com/haproxy.pem
# Domain 2
cat /etc/letsencrypt/live/domain2.com/fullchain.pem \
    /etc/letsencrypt/live/domain2.com/privkey.pem \
    > /etc/letsencrypt/live/domain2.com/haproxy.pem
systemctl reload haproxy
```
Make executable:

```bash
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/haproxy-reload.sh
```

Certbot runs every script in renewal-hooks/deploy after a successful renewal, so certificates now renew automatically and HAProxy reloads without downtime.
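A more defensive version of the bundling step and the deploy hook above, written as an added example rather than taken from the guide: it rebuilds only the lineage Certbot just renewed (using the `RENEWED_LINEAGE` variable Certbot exports to deploy hooks) or every domain in `DOMAINS` on a manual run, checks that each private key actually belongs to its certificate before overwriting the live bundle, creates the bundle with mode 0600 and renames it into place, and validates the configuration before reloading. `DOMAINS`, `LE_LIVE` and `HAPROXY_CFG` are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original guide: a deploy hook that rebuilds the
# HAProxy bundle for the lineage Certbot just renewed (or for every domain in
# DOMAINS when run by hand), refuses to install a bundle whose private key does
# not match its certificate, checks the HAProxy config, and only then reloads.
# DOMAINS, LE_LIVE and HAPROXY_CFG are assumptions of this example;
# RENEWED_LINEAGE is the variable Certbot exports to deploy hooks.
set -eu

DOMAINS="${DOMAINS:-domain1.com domain2.com}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# lineage_consistent DIR: 0 when the public key in DIR/fullchain.pem's leaf
# certificate equals the public half of DIR/privkey.pem.
lineage_consistent() {
    local dir="$1" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_bundle DIR: write fullchain.pem + privkey.pem to DIR/haproxy.pem.
# The file is created with mode 0600 and renamed into place, so HAProxy never
# reads a half-written bundle and the private key is never world-readable.
build_bundle() {
    local dir="$1"
    ( umask 077; cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$dir/haproxy.pem.tmp" )
    mv -f "$dir/haproxy.pem.tmp" "$dir/haproxy.pem"
}

# deploy_lineage DIR: verify, then bundle. A mismatched pair is left untouched
# so the previous, working haproxy.pem keeps serving.
deploy_lineage() {
    local dir="$1"
    if ! lineage_consistent "$dir"; then
        echo "refusing to bundle $dir: private key does not match certificate" >&2
        return 1
    fi
    build_bundle "$dir"
}

# reload_haproxy: reject a config HAProxy would fail to start with before reloading.
reload_haproxy() {
    haproxy -c -q -f "$HAPROXY_CFG"
    systemctl reload haproxy
}

main() {
    local d
    if [ -n "${RENEWED_LINEAGE:-}" ]; then
        deploy_lineage "$RENEWED_LINEAGE"          # invoked by Certbot after a renewal
    else
        for d in $DOMAINS; do deploy_lineage "$LE_LIVE/$d"; done   # manual run
    fi
    reload_haproxy
}

# Run when Certbot calls the hook (RENEWED_LINEAGE set) or when an operator
# passes "deploy"; otherwise only define the functions.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "deploy" ]; then
    main
fi
```

Install it in place of the simpler hook (same path, `chmod +x`) and run `sudo ./haproxy-reload.sh deploy` once by hand to build the initial bundles. One caveat for later changes: the standalone renewal only keeps working while port 80 stays free; if you add a port-80 frontend for HTTP-to-HTTPS redirects, move validation to a webroot or let HAProxy forward `/.well-known/acme-challenge/` to a standalone listener on another port (Certbot's `--http-01-port`).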
Done
You now have a fully functional HAProxy ingress node with:
- DNS A‑records
- Multi‑domain SSL
- Automated certificate renewal
- Backend routing
This setup is ideal for routing multiple services through a single secure entrypoint.