See the entire conversation

Haven’t used HAProxy since Tumblr, but it was fantastic then. Anyone with recent experience using it as the reverse-proxy in front of your webservers, especially if it does your HTTPS decryption: Is it still awesome? Does it work well with LetsEncrypt + certbot or similar?
56 replies and sub-replies as of May 11 2020

Not sure about haproxy, but Caddy works well for that sort of thing....
you guys still using HAProxy?
Yes and it keeps getting better and better. Highly recommended
I use @caddyserver as a reverse proxy for all my home stuff. It’s rock solid and does LE by default. Fantastic web server.
Add me as another voice for Caddy, using it to server static Jekyll site, and as a Proxy to DokuWiki and now Nextcloud.
It was awesome last time I used it, maybe 4 years back. It was a champ once they added TLS support.
we recently switched to Caddy and we've found that to be very good. Haven't used their auto HTTPS setup personally but it looks absolutely phenomenal:
Automatic HTTPS - Caddy Documentation
Caddy is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go
HAproxy is definitely still the way to go. I use my own scripts to manage SSL certs (and OCSP staples) and just put them in the directory HAproxy is configured to look at.
I do the same. It works really well.
Haven't used HAProxy, but can recommend Traefik
HA proxy is still great. We use it as a load balancer in front of our Kubernetes master VMs in the VMware Kubernetes product, among other things.
In typical “I know you asked about X, but what about Y”, I’m running nginx as reverse proxy in front of about 100 servers, handling all the LetsEncrypt stuff. On a $5/month Linode.
We've heard of one that works well with @letsencrypt - automatically and by default
Who’s using you who’s way, way bigger than Overcast?
(No comment)
How "big" is Overcast? We know of several companies using us to serve tens of thousands of their customers sites -- Caddy scales globally and can handle millions of sites and certificates (hardware/cluster permitting). Google, Netflix, Cloudflare all run Go on their edge.
Marco I think you’d love caddy. They just released 2.0 which has been in the works for quite a while. Also the http stuff in go is rock solid.
If you mean, then does it help to know that @TransistorFM uses Caddy too? Their deployment is part of the reason Caddy 2 is as good as it is.
Used HAProxy but for internal load balancing. I’d recommend Nginx. Been using it for Reverse proxy + load balancing + HTTPS decr for more than 5 years. Been a Champ.
just use nginx — it’s very good
Does this have anything to do with the Dallas outage on Friday? That has me rethinking some of our backup plans as well. 🤔 Interested in what you come up with. 🙏
Unrelated. I’m currently doing load-balancing and HTTPS termination with CloudFlare, I’m looking to bring it back “in-house”, and my previous experience with Linode NodeBalancers was fine but I overloaded them a lot.
Have you had issues with Cloudflare?
I haven’t used HAProxy but, like others mentioned, Nginx is a lightweight and reliable reverse-proxy that works quite well with LetsEncrypt + Certbot
I’d recommend giving Caddy 2 a try, does wonders as a reverse proxy with auto SSL. Super simple config, rock solid. I find HAProxy’s config overly verbose, Caddy is a breath of fresh air. Happy to help if you have any questions!
Having said that, yes HAProxy still works flawlessly and is great at serving HTTPS. The benefit of a modern alternative (like Caddy or Traefik) is that you can get modern cryptography without being tied to your (probably old) OpenSSL version on the host.
I’d agree. Caddy 2 is much nicer and simpler to configure. Which is great when dealing with thus sort of thing...
Any modern and good cloud infra provider should be able to provide load balancers where you can do the SSL termination.
We use it at work and do TLS termination with it. Works great. Don’t know about using it with Let’s Encrypt.
haproxy + lego (zero dependency lets encrypt client) is great. Custom integration is easy with a zero downtime `service haproxy reload` or using the newish haproxy data plane api.
Works fantastically, well though you still need to write your own scripts for the SSL renewal.
HaProxy is still awesome. Old boring technology that works really well. We use it for load balancing and HTTPS encryption at @ChurchTools It was never our bottleneck and handles everything you throw at it.
Traefik with letsencrypt is also good in Performance.
Just add a Kubernetes container to spin up an autoprovisioned terraform node and orchestrate level 6 load balancing across multicloud distributed kvs clusters by dropping in an etcd pod to your systemd YAML.
You forgot Istio
“Just…” I love it.
nginx or roll your own with golang.
They’ll pry haproxy from my cold dead hands. Works well with letsencrypt, happy to share config.
Caddy is much easier way. Use it everywhere. Used in a project that had 100M uniques a month. Although that’s the version 1. Haven’t yet used version 2
Yes. I have recent experience, and it still is awesome. Wicked fast, still uses almost no resources. Works fine with LetsEncrypt, drop your cert in the right folder, restart proxy.
Yup. Still rock solid, works great. We use it as a reverse proxy on a number of projects that make hundreds of millions of dollars a year.
Yes. Yes. Yes. Yes.
nginx is the best option.
I'd recommend you look at traefik
My employer uses it for load balancing and some routing (some paths go to applications servers some directed to asset servers) and our ops team seems pretty happy with it. I don’t know Overcast’s numbers but we’re a fairly large e-commerce company
Recently used both haproxy and nginx and haproxy is waaaaay nicer. Not sure about letsencrypt plugins though
I recommend Caddy or Traefik.
Another one for Nginx. It’s so super simple and it’s there’s plenty of tutorials on using it with letsencrypt. I use Nginx and certbot (letsencrypt) as a reverse proxy with HTTPS running on docker to front all my home automation stuff
HAProxy continues to be awesome, even at huge scale. Best bit? Appears to be bulletproof. Can’t remember it ever being the culprit in a post-mortem.
Cloudflare TLS termination -> Nginx reverse proxy with clouflare signed cert (encrypts traffic between cloudflare and Overcast) -> webservers.
Actually, I see that you’re bringing it back in-house. Never mind. Kind of curious as to why (ATP topic?)
It is still awesome. nginx can also do that fwiw