by tpmx 981 days ago
I'm quite impressed with HAProxy.

It takes a little effort to fully understand the configuration file format (hint: you've got to read the documentation, not just look at examples to fully grok it), but it's so worth it, IMO.

It's also a nice treat to have the founder and technical leader (Willy Tarreau) of the HAProxy company being so active in the community, so many years later (the initial release was in 2001). I regularly see him answering e.g. newbie questions.

(HAProxy docs: https://docs.haproxy.org/ - pick 2.8/LTS)

4 comments

It's become my Swiss Army knife of TCP. I nearly always terminate TCP first with haproxy "out of process" of whatever, then have it proxy over a unix socket to "whatever". This allows an immense amount of flexibility, from being able to "wiretap" what's going on in the real world, to default error pages, alarms, monitoring, handling CORS... tons of uses.
Please write a blog post about this and submit it to HN!
Agreed. Haproxy is an absolute wonder compared to similar systems. It all just feels so much cleaner, thought out, and built from the ground up for many different use cases. It very much has a feel that reminds me a lot of the spirit of sqlite.
Yeah. Stringency and rigor are words that come to mind.
What about nginx? I'm not too familiar but I was under the impression that it was the safe choice.
Its primary focus is/was being a web server - a faster Apache. This shows.

Also (after the acquisition by F5 in 2019?) more features are kept away from the open source version compared to HAProxy.

How does it compare with Caddy?
Caddy is a bit quick and dirty, rapidly-developing, with neat plugins but hard to configure for more complex scenarios and too light on the docs (IMO).

HA Proxy is robust, comprehensive, mature, and bulletproof. It's basically boring because it works so well.

If you have to choose only one to learn, choose HA Proxy.

I wanted to try it out just now but hit a roadblock immediately - it cannot automatically obtain and maintain TLS certificates. You have to use an external client (e.g. acme.sh), set up a cron to check/renew them, and poke HAProxy to reload them if necessary. I'm way past doing this in 2023.

https://www.haproxy.com/blog/haproxy-and-let-s-encrypt

https://github.com/haproxy/haproxy/issues/1864

If getting Let's Encrypt to work with HAProxy is your only struggle, you'll soon overcome it and be loving HAProxy. And there are multiple ways to set up Let's Encrypt, if you don't want to use acme.sh. For example, you could use certbot. There are blog posts that cover that pretty well.
You may wish to use certbot instead:

https://github.com/acmesh-official/acme.sh/issues/4659

That is some very well written documentation IMHO.
Can’t seem to read it on mobile.
You probably don't want to. Usually it needs at least a browser window, an editor and maybe an open TTY.

haproxy.cfg can be ... tricky.

I had the privilege of reporting a few bugs in HAProxy in the last few months. Willy's a real treasure; he's friendly and knowledgeable, and he clearly cares a ton about HAProxy even after 22 years of development.