by zaarn 3132 days ago
I do hope that HAProxy might support ACME at some point; I'm currently stuck on Traefik, which has been breaking some traffic, but I rely heavily on dynamically issued LE certs.

Otherwise, outside of SSL, HAProxy has been very pleasant in my experience.

3 comments

We are using https://github.com/janeczku/haproxy-acme-validation-plugin to provide ACME support directly in HAProxy without an extra backend. Example:

    global
        # The plugin is a Lua service, so it has to be loaded in the global
        # section first (file name as shipped in that repo; path assumed)
        lua-load /etc/haproxy/acme-http01-webroot.lua

    frontend example.com
        bind 192.168.1.100:80
        mode http

        # Answer ACME HTTP-01 validations from the Lua service
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01

        # Redirect all other plain HTTP traffic to HTTPS
        redirect scheme https code 301 if !{ ssl_fc }
Where's your problem? Spin up a certbot docker container and use this here in haproxy:

    frontend http_in
      bind *:80
      # HAProxy expects the chain and the private key concatenated in one PEM file
      bind *:443 ssl crt /path/to/letsencrypt/data/mydomain.pem
      mode http
      # Evaluated before any host ACLs, so challenges for every domain reach certbot
      acl path_letsencrypt path_beg /.well-known/acme-challenge
      use_backend letsencrypt if path_letsencrypt
    backend letsencrypt
      mode http
      # The certbot container listening for HTTP-01 validation requests
      server server-letsencrypt MYLOCALIP:8080

For the letsencrypt docker image, I use mesosphere/letsencrypt-dcos with a patched run.sh that triggers a docker kill -s HUP on the haproxy container.
My problem is usually that I rely heavily on traefik being able to very easily issue certificates simply by having a backend with a hostname present.

If I, for example, configure my PHP VM to be reachable over "test.example.org" in Traefik, then Traefik will automatically try to issue a certificate for this domain once it detects the config change.

On HAProxy this is not as easy, as I need to tell both LE and HAP about the new backend.

If it was integrated, I would only have to tell HAP.

> On HAProxy this is not as easy, as I need to tell both LE and HAP about the new backend.

You only need to tell the certbot container the new domain. The frontend config I gave you actually hits before any host ACLs, which means it will pass all acme-challenge requests on all domains to the certbot container, and certbot will reload haproxy when it's done.

No I need to tell both.

HAP still needs to know where to route the traffic to and LE needs to know which domains are available.
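The "certbot container plus HUP" flow from the comments above, as an added example that is not code from the thread, from certbot or from the mesosphere image. It assumes names the comments do not give: certbot's standalone listener on port 8080 (where the `letsencrypt` backend points), a container called `haproxy`, certbot state under /etc/letsencrypt, and bundles written to /etc/haproxy/certs. The part worth noting is the bundle step: certbot writes fullchain.pem and privkey.pem separately, while HAProxy's `crt` wants both in one file, chain first.

```shell
#!/bin/sh
# Added example (not from the thread): obtain or renew a Let's Encrypt cert
# with certbot in standalone mode, bundle it into the single PEM file that
# HAProxy's "crt" expects, then send SIGHUP to the haproxy container so it
# reloads. Port, container name and directories below are assumptions.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
OUT_DIR="${OUT_DIR:-/etc/haproxy/certs}"
HAPROXY_CONTAINER="${HAPROXY_CONTAINER:-haproxy}"
ACME_PORT="${ACME_PORT:-8080}"

# certbot writes fullchain.pem and privkey.pem separately; HAProxy needs them
# in one file, chain first and key last. Write to a temp file and rename so
# HAProxy never loads a half-written bundle.
build_haproxy_pem() {
    live="$1"
    dest="$2"
    if [ ! -s "$live/fullchain.pem" ] || [ ! -s "$live/privkey.pem" ]; then
        echo "missing fullchain.pem or privkey.pem in $live" >&2
        return 1
    fi
    umask 077                          # the bundle contains the private key
    tmp="$(mktemp "$dest.XXXXXX")"
    cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp"
    mv -f "$tmp" "$dest"
}

# Number of PEM blocks in a bundle (leaf + intermediates + key); a cheap
# sanity check before reloading the proxy.
pem_block_count() {
    grep -c -- '-----BEGIN ' "$1"
}

# Obtain a certificate for one domain. --standalone makes certbot run its own
# HTTP listener on $ACME_PORT, which is where the "letsencrypt" backend in the
# HAProxy config forwards /.well-known/acme-challenge/ requests.
issue_cert() {
    domain="$1"
    email="$2"
    certbot certonly --non-interactive --agree-tos --email "$email" \
        --standalone --preferred-challenges http --http-01-port "$ACME_PORT" \
        --config-dir "$LE_DIR" -d "$domain"
    build_haproxy_pem "$LE_DIR/live/$domain" "$OUT_DIR/$domain.pem"
}

# Renew whatever is due and rebuild every bundle.
renew_all() {
    certbot renew --non-interactive --standalone --http-01-port "$ACME_PORT" \
        --config-dir "$LE_DIR"
    for live in "$LE_DIR"/live/*/; do
        name="$(basename "$live")"
        build_haproxy_pem "$live" "$OUT_DIR/$name.pem"
    done
}

# The haproxy container reloads its config and certificates on SIGHUP; this is
# the "docker kill -s HUP" the comment above patched into run.sh.
reload_haproxy() {
    docker kill -s HUP "$HAPROXY_CONTAINER"
}

# Dispatch only when called with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then
    mkdir -p "$OUT_DIR"
    case "$1" in
        issue) issue_cert "$2" "$3" ;;
        renew) renew_all ;;
        *) echo "usage: $0 issue DOMAIN EMAIL | renew" >&2; exit 2 ;;
    esac
    reload_haproxy
fi
```

Run it as `./le-haproxy.sh issue test.example.org you@example.org` for a new host and `./le-haproxy.sh renew` from cron; the HUP only goes out after every bundle has been rebuilt, so a renewal that fails leaves the old certificate in place rather than an empty file.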

Can you share your experience with Traefik? We also wanted to integrate it into our stack. What problems do you have? How does it scale?
My major problem with Traefik is that if you aren't using the defined stacks and opt for file configuration, it can be a bit exhausting to configure; TOML is a rather repetitive format.

It also lacks support for HTTP streaming for non-standard HTTP (I wish there was an option to just enable streaming on a host), which sucks for some enterprise software, and for streaming on entire hosts, so my Nextcloud instance always has to wait for the Traefik host to buffer the response before being able to download the file to the browser.

However, in terms of scaling and being able to get an SSL-terminating or SSL-handover reverse proxy going, it's a breeze, and it handles decent load very well.