HAProxy (short for High Availability Proxy) is open-source software that acts as a load balancer and proxy server for TCP and HTTP-based applications. It is widely used in both small and large-scale production environments to improve the performance, reliability, and scalability of web and application services.
Nowadays, any L7 load balancer (reverse HTTP proxy) is used for SSL/TLS termination, very often in combination with ACME (Automatic Certificate Management Environment).
How does ACME work? Below is the simplified process:
- Account Setup
  - Your ACME client (like Certbot, acme.sh, or HAProxy’s built-in ACME support) registers with the CA.
- Domain Validation
  - The CA challenges the client to prove it controls the domain (HTTP-01, DNS-01, or TLS-ALPN-01 challenge).
  - Example:
    - For HTTP-01, the client places a special token on your web server, and the CA checks it.
    - For DNS-01, the client places a special token on your DNS server, and the CA checks it.
      - acme.sh creates a TXT record value that must be placed under _acme-challenge.uw.cz
- Certificate Issuance
  - Once validated, the CA issues an SSL/TLS certificate automatically.
- Renewal
  - The client renews certificates before they expire, often without human involvement.
I use the DNS-01 CA challenge, therefore integration with the DNS provider is necessary. I use the Active24.cz DNS provider.
For my personal load balancer I use a VM with 2 vCPUs, 2 GB RAM, 10 GB vSSD, 1x vNIC, and Linux OS (Debian 13.0).
If you are interested in how to install and configure the above solution, keep reading.