Install and Configure HAProxy on Bare Metal Ubuntu 24.04

This guide demonstrates how to set up HAProxy 3.0 on a bare metal Ubuntu 24.04 server and use it to forward HTTP and HTTPS traffic to a backend Jenkins server via SNI-based TLS passthrough.

  • HAProxy installed via trusted PPA
  • Jenkins terminates HTTPS
  • HAProxy handles SNI passthrough on port 443

Want the firewall-integrated version instead? See:
Set up HAProxy for TLS Passthrough with SNI Routing on OPNsense


  1. Install HAProxy 3.0 from Trusted PPA
sudo add-apt-repository ppa:vbernat/haproxy-3.0 -y
sudo apt-get install haproxy=3.0.\*

  2. Configure HAProxy to Forward HTTP/HTTPS to Jenkins
sudo vi /etc/haproxy/haproxy.cfg

Paste this configuration:

# HTTPS passthrough based on SNI
frontend https_front
        bind *:443
        mode tcp
        option tcplog
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend jenkins_https_backend if { req.ssl_sni -i jenkins.maksonlee.com }
        default_backend reject_all

backend jenkins_https_backend
        mode tcp
        server jenkins 192.168.0.68:443 check

# HTTP for Let's Encrypt + redirect
frontend http_front
        bind *:80
        mode http
        option httplog

        acl letsencrypt_http path_beg /.well-known/acme-challenge/
        redirect scheme https code 301 if !letsencrypt_http
        use_backend jenkins_http_backend if letsencrypt_http

backend jenkins_http_backend
        mode http
        server jenkins 192.168.0.68:80 check

# Fallback reject (TCP connections to 443 that don’t match SNI)
backend reject_all
        mode tcp
        server dummy 127.0.0.1:1

Replace 192.168.0.68 with your Jenkins server’s private IP.

Check the configuration and restart HAProxy:
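What the https_front rules read from each connection, as an added Python example (not part of the original guide and not HAProxy's own code): it builds real ClientHello records in memory, extracts the cleartext SNI, and applies the same exact, case-insensitive match. The function names are hypothetical and no network traffic is sent.

```python
import ssl
import struct

ROUTED_SNI = "jenkins.maksonlee.com"  # hostname in the frontend's use_backend rule

def client_hello(server_name):
    """Build a real ClientHello in memory (constructed sample, nothing is sent)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # handshake never completes; permits server_name=None
    inbound, outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(inbound, outbound, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the first flight is now queued in `outbound`
    return outbound.read()

def parse_hello(data):
    """Return (handshake_type, sni) from the cleartext start of a TLS stream."""
    if len(data) < 9 or data[0] != 0x16:  # 0x16 = TLS handshake record
        return None, None
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if body[0] != 1:  # 1 = ClientHello, what req.ssl_hello_type 1 tests
        return body[0], None
    pos = 4 + 2 + 32  # handshake header, legacy version, random
    pos += 1 + body[pos]  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]  # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == 0:  # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", body[pos + 7:pos + 9])[0]
            return 1, body[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return 1, None

def choose_backend(data):
    """Mirror https_front: exact, case-insensitive SNI match or reject_all."""
    try:
        _, sni = parse_hello(data)
    except (IndexError, struct.error):
        sni = None  # truncated or malformed hello
    if sni is not None and sni.lower() == ROUTED_SNI:
        return "jenkins_https_backend"
    return "reject_all"
```

A subdomain such as x.jenkins.maksonlee.com, a hello with no SNI, and plain HTTP sent to port 443 all end up in reject_all, because the match is on the whole name.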

sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl restart haproxy

Note: If Jenkins is not yet running with HTTPS (port 443), HAProxy may warn:

backend jenkins_https_backend has no server available!

This is expected during initial setup. You can ignore it for now — the backend will become available after HTTPS is enabled on Jenkins in Step 3.


  3. Use Certbot + NGINX to Issue TLS Certificate for Jenkins

On the Jenkins host, ensure NGINX is installed and listening on port 80:

sudo apt install nginx certbot python3-certbot-nginx
sudo certbot --nginx -d jenkins.maksonlee.com

Certbot will automatically validate and install the certificate.

Restart Nginx:

sudo systemctl restart jenkins

  4. Finalize HAProxy and Verify Routing

If Jenkins is now available on port 443, restart HAProxy one more time:

sudo systemctl restart haproxy

Then verify access.
