How to install Haproxy, Letsencrypt, Varnish cache and Nginx tutorial

Actually I won’t get into details with Varnish and Nginx configuration because it really depends on your particular case. But it should be pretty straight forward as installing default packages:

apt install varnish
apt install nginx

I’m using port 443 for SSL services, so Haproxy is using this one. It also uses http port 80 and redirect that to https. Everybody knows that Haproxy is stable and quick in jobs it does and that’s load balancing and proxying traffic. I our case we are going to use it for SSL termination and forward traffic to Varnish which is going to occupy port 6081 (default). And Nginx will use port 8080 because it’s final destination in our setup. Varnish should cache most of the web content and hopefully put our dedicated server’s CPU at ease most of the time and leverage quite slow CPU to large amount of RAM (128GB).

In case of traffic increase we can easily balance our traffic to other servers behind Varnish,  because Varnish can play load balancing role as well.

So, lets install Haproxy and Letsencrypt. Letsencrypt is your way to free digital certificates. There are few drawbacks of using Letsencrypt like cert expiration time is 3 months but it’s free and for time being stable so if you don’t need something better it’s fine. And EFF has nice newsletter about digital freedom just to keep you informed how close we are to digital enslavement in form of abolishing net neutrality led by large telecoms. Well, maybe we are already digital slaves of our devices, so it’s not important. 🙂

add-apt-repository ppa:certbot/certbot
apt update
apt install haproxy
apt install certbot

Of course, if you’re not root you have to use sudo in front of the commands.

In my particular case I already have valid certificates so I just copied everything from directory /etc/letsencrypt from old server to new one. If you need to generate new certificates you can use certbot:

certbot certonly –standalone –preferred-challenges http –http-01-port 888 -d -d

You should use port 80 to generate certificate and it should not be used by other service on you server. Test if port is in use with:

netstat -na | grep ‘:80.*LISTEN’

If you already have installed web server it could occupy this port, so for Nginx you might need to issue following command to stop it while generating certificate:

systemctl stop nginx

You don’t need to use port 80 to generate your certificates, you can use port 443 as well, because you’re using standalone plugin which in effect serve it’s own server for authentication. Also you could listen on other ports with certbot server but in that case you must forward letsencrypt validation requests from whatever you have listening those port to certbot server. Another thing that is important is your DNS record, meaining your FQDN should point to correct IP.

For Haproxy to work as SSL terminator you need to combine fullchain.pem and privkey.pem in one file and add it in config. So first cd to /etc/letsencrypt/live/ and then type:

cat fullchain.pem privkey.pem >

Open /etc/haproxy/haproxy.cfg and change bind line in your frontend settings to something like:

bind ssl crt /etc/letsencrypt/live/

You also need to add forwarding or redirection on backend settings like this:

redirect scheme https if !{ ssl_fc }

And typical redirection (in my case to Varnish port 6081) like this:

server web01 check

Restart Haproxy and you’re ready to go. One more thing to keep in mind is to renew certificate every three months, which you can automate with simple shell script and crontab.

Leave a Reply

Your email address will not be published. Required fields are marked *