Install and Configure HAProxy on Bare Metal Ubuntu 24.04

By /

Set up HAProxy 3.2 on Ubuntu 24.04 and forward HTTP/HTTPS to a backend Jenkins host using SNI-based TLS passthrough. HAProxy does not terminate TLS; it only routes by SNI. NGINX on the Jenkins host terminates HTTPS (Let’s Encrypt + reverse proxy to Jenkins).

What you’ll build

  • HAProxy installed via trusted PPA
  • Jenkins server terminates HTTPS
  • HAProxy handles SNI passthrough on port 443

Want the firewall-integrated version instead? See:
Set up HAProxy for TLS Passthrough with SNI Routing on OPNsense

  1. Install HAProxy 3.2 from Trusted PPA
sudo add-apt-repository ppa:vbernat/haproxy-3.2 -y
sudo apt-get install haproxy=3.2.\*
  1. Configure HAProxy to Forward HTTP/HTTPS to Jenkins
sudo vi /etc/haproxy/haproxy.cfg

Paste this configuration:

# HTTP for Let's Encrypt + redirect
frontend http_front
        bind *:80
        mode http
        option httplog

        acl is_acme path_beg /.well-known/acme-challenge/
        acl host_jenkins hdr(host) -i jenkins.maksonlee.com

        # Serve ACME challenge from Jenkins only for that host
        use_backend jenkins_http_backend if is_acme host_jenkins

        # Everything else -> HTTPS
        http-request redirect scheme https code 301 unless is_acme

backend jenkins_http_backend
        mode http
        option httpchk GET /            # optional but nice to have
        server jenkins 192.168.0.68:80 check


# HTTPS passthrough based on SNI
frontend https_front
        bind *:443
        mode tcp
        option tcplog
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }

        use_backend jenkins_https_backend if { req.ssl_sni -i jenkins.maksonlee.com }
        default_backend reject_all

backend jenkins_https_backend
        mode tcp
        server jenkins 192.168.0.68:443 check

# Fallback reject (TCP connections to 443 that don’t match SNI)
backend reject_all
        mode tcp
        server dummy 127.0.0.1:1

Replace 192.168.0.68 with your Jenkins server’s private IP.

check and restart HAProxy:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl restart haproxy

Note: If the Jenkins host isn’t listening on 443 yet, you may briefly see warnings until you finish Step 3.

  1. Issue TLS on the Jenkins host (NGINX; just enough for certbot --nginx)

Prereq: the HAProxy rules above are loaded and jenkins.maksonlee.com resolves to your HAProxy’s public IP so /.well-known/acme-challenge/ reaches NGINX:80 on the Jenkins host.

sudo certbot --nginx -d jenkins.maksonlee.com

Certbot validates via HTTP-01 on NGINX:80, installs the certificate, writes an SSL server for :443, and reloads NGINX.

This post does not cover NGINX → Jenkins proxying; it only shows the HAProxy pieces required for certbot --nginx.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top