HAProxy (High Availability Proxy) is a powerful, open-source load balancer and reverse proxy. It sits between clients and your backend servers, distributing traffic, checking server health, optionally offloading TLS, and enabling flexible routing rules (layer 4 or layer 7). Because it’s lightweight, mature, and highly configurable, HAProxy is widely used in production environments.
On DigitalOcean, you can run HAProxy on a Droplet (a Linux VM) just as you would on any server. HAProxy will bind to your Droplet’s public IP, accept client requests, and proxy them to one or more backend servers (which might be on the same host or remote).
In a simple scenario, the traffic path is:
Client → DNS (your domain) → Droplet public IP → HAProxy → one or more backend servers
- HAProxy listens on port 80/443 (HTTP/HTTPS)
- It routes (or load-balances) requests to your backend servers
- It can perform health checks to avoid sending traffic to failed nodes
- It can terminate TLS (so backends see unencrypted HTTP) or pass TLS through
Later, you can expand to more complex setups (e.g. multiple HAProxy nodes for HA, VRRP/keepalived, floating IP, etc.).
Step 1: Provision your DigitalOcean Droplet
- In your DigitalOcean dashboard, create a new Droplet. Use Ubuntu 22.04 LTS or Debian (versions with current package support).
- Choose a size appropriate for your expected load (e.g. 2 vCPU, 8 GB RAM is a reasonable start for moderate traffic).
- Add your SSH keys for secure access.
- Optionally enable private networking if you’ll have backend servers in the same data center.
- Once the Droplet is ready, take note of its public IP (and private IP if assigned).
SSH into the server:

    ssh root@<droplet_ip>

Step 2: Install HAProxy
On the Droplet:

    apt update && apt upgrade -y
    apt install -y haproxy

Enable and start the HAProxy service:

    systemctl enable haproxy
    systemctl start haproxy

You can check the version:

    haproxy -v

Step 3: Basic HAProxy configuration
We’ll modify /etc/haproxy/haproxy.cfg. It has several sections; the key ones are global, defaults, frontend, and backend.
Here’s a minimal example for HTTP (no TLS) load balancing to two backend servers (using private IPs):

    global
        log /dev/log local0
        maxconn 2048
        daemon

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5s
        timeout client 50s
        timeout server 50s

    frontend http_front
        bind *:80
        default_backend web_back

    backend web_back
        balance roundrobin
        server web1 10.0.0.11:80 check
        server web2 10.0.0.12:80 check

- frontend http_front listens on port 80 for all interfaces (*).
- default_backend web_back means all traffic goes to that backend.
- In backend web_back, two servers are defined with check so HAProxy will perform health checks.
- The balancing method is roundrobin (it cycles between servers).
After editing, test the configuration:

    haproxy -c -f /etc/haproxy/haproxy.cfg

If it’s valid, reload HAProxy:

    systemctl reload haproxy

Now requests to your Droplet’s public IP should be routed to one of the backend servers.
Step 4: Add HTTPS / TLS termination
You’ll usually want to secure traffic with TLS. HAProxy can handle SSL termination so that backends receive plain HTTP.
Generate or obtain certificates
You can use Let’s Encrypt to issue a certificate for your domain (e.g. dropletdrift.com). Suppose you have the fullchain.pem and privkey.pem.
Concatenate them into a single PEM file:
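
    # Create the certificate directory if it does not exist yet
    mkdir -p /etc/haproxy/certs
    # HAProxy expects the certificate chain and the private key in one file
    cat fullchain.pem privkey.pem > /etc/haproxy/certs/dropletdrift.com.pem
    # The file contains the private key, so only its owner may read it
    chmod 600 /etc/haproxy/certs/dropletdrift.com.pem

Update HAProxy configuration for TLS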
Replace the earlier http_front section with the following two frontends, so that only one frontend binds port 80:

    frontend https_front
        bind *:443 ssl crt /etc/haproxy/certs/dropletdrift.com.pem
        default_backend web_back

    frontend http_redirect
        bind *:80
        redirect scheme https code 301 if !{ ssl_fc }

- https_front listens on port 443 with SSL using your certificate.
- http_redirect listens on 80 and redirects all traffic to HTTPS.
- ssl_fc is an HAProxy predicate meaning “client connected over SSL”.
You retain the same backend section.
Reload HAProxy again after changes.
At this point, clients requesting https://dropletdrift.com should see the secured site, and HAProxy handles decryption.
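The concatenate-and-reload steps of Step 4, as a script suitable for certificate renewal (an added example, not part of the original tutorial). It writes the combined PEM with owner-only permissions from the moment the file is created, swaps it in atomically, and reloads only if HAProxy accepts the result. The function names, the script name and the Certbot live directory are assumptions.

```shell
#!/bin/sh
# build_pem FULLCHAIN PRIVKEY DEST
# Writes FULLCHAIN followed by PRIVKEY to DEST, mode 0600, via atomic rename.
build_pem() {
    fullchain=$1; privkey=$2; dest=$3
    # Reject swapped or empty inputs before touching the live file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$fullchain" || {
        echo "no certificate in $fullchain" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$privkey" || {
        echo "no private key in $privkey" >&2; return 1; }
    (   # subshell: the umask change stays local to this block
        umask 077    # nothing created here is group- or world-readable
        tmp=$(mktemp "$dest.XXXXXX") || exit 1
        if cat "$fullchain" "$privkey" > "$tmp"; then
            mv -f "$tmp" "$dest"    # same directory, so the swap is atomic
        else
            rm -f "$tmp"; exit 1
        fi
    )
}

# reload_if_valid CFG
# Reloads only if HAProxy accepts the config, which also loads the new PEM.
reload_if_valid() {
    haproxy -c -f "$1" && systemctl reload haproxy
}

# Usage: sh deploy-cert.sh deploy   (script name and hook wiring are assumptions)
if [ "${1:-}" = "deploy" ]; then
    live=/etc/letsencrypt/live/dropletdrift.com    # assumed Certbot layout
    mkdir -p /etc/haproxy/certs && chmod 700 /etc/haproxy/certs
    build_pem "$live/fullchain.pem" "$live/privkey.pem" \
        /etc/haproxy/certs/dropletdrift.com.pem &&
        reload_if_valid /etc/haproxy/haproxy.cfg
fi
```

If the configuration check fails, the running HAProxy process keeps serving with the certificate it already loaded.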
Step 5: Health checks & failure handling
The check keyword in server lines activates active health checks (TCP-level by default). If HAProxy cannot connect, it marks the server down and stops forwarding traffic there.
You can customize health checks. For example:

    backend web_back
        balance roundrobin
        server web1 10.0.0.11:80 check inter 5s rise 2 fall 3
        server web2 10.0.0.12:80 check inter 5s rise 2 fall 3

- inter 5s means check every 5 seconds
- rise 2 means two consecutive successes to mark up
- fall 3 means three failures to mark down
You can also use HTTP checks (e.g. check a particular path, response code). For instance:

    backend web_back
        option httpchk GET /health
        server web1 10.0.0.11:80 check
        server web2 10.0.0.12:80 check

Here HAProxy sends GET /health to see if the backend is responsive and returns a valid HTTP status.
Step 6: DNS & domain pointing
Configure your DNS (at your registrar or DNS host) to point your domain (or subdomain) to the HAProxy Droplet’s public IP using an A record:

    dropletdrift.com → 203.0.113.10
    www.dropletdrift.com → 203.0.113.10

Allow time for propagation, then test in a browser.
Step 7: Logging, metrics & monitoring
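- Ensure HAProxy logs are enabled. Usually, HAProxy logs via rsyslog or syslog and outputs to /var/log/haproxy.log or /var/log/syslog.
- You can enable the stats interface (a web UI) by adding a section like:

    listen stats
        bind *:8404
        mode http
        stats enable
        stats uri /stats
        stats auth admin:YourStrongPass

Then you can visit http://your-droplet-ip:8404/stats to see live metrics. As written, this listener is reachable on every interface over plain HTTP, so the stats auth credentials cross the network unencrypted; restrict port 8404 with a firewall or bind it to a private or loopback address.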
- Monitor CPU, memory, connections, dropped requests. Tools like Prometheus + HAProxy exporter + Grafana are often used in production.
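To connect the logs to the health checks from Step 5, the following added example (not part of the original tutorial) counts 5xx responses per backend/server from `option httplog` lines. A server name of `<NOSRV>` means HAProxy had no healthy server to send the request to. The log lines, hostnames, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `option httplog` lines as written through syslog.
sample_log() {
    cat <<'EOF'
Jan 10 09:00:01 lb1 haproxy[812]: 198.51.100.7:51514 [10/Jan/2025:09:00:01.120] https_front~ web_back/web1 0/0/1/12/13 200 5120 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
Jan 10 09:00:02 lb1 haproxy[812]: 198.51.100.7:51516 [10/Jan/2025:09:00:02.310] https_front~ web_back/web2 0/0/1/-1/9 502 204 - - SH-- 3/3/0/0/0 0/0 "GET /api HTTP/1.1"
Jan 10 09:00:20 lb1 haproxy[812]: 198.51.100.9:40022 [10/Jan/2025:09:00:20.004] https_front~ web_back/<NOSRV> 0/-1/-1/-1/0 503 217 - - SC-- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Jan 10 09:00:21 lb1 haproxy[812]: 198.51.100.9:40024 [10/Jan/2025:09:00:21.450] https_front~ web_back/<NOSRV> 0/-1/-1/-1/0 503 217 - - SC-- 2/2/0/0/0 0/0 "GET /api HTTP/1.1"
EOF
}

# summarize_5xx: reads HAProxy HTTP log lines on stdin and prints
# "backend/server status count" for every 5xx response, sorted.
summarize_5xx() {
    awk '
    {
        # Find the "haproxy[pid]:" tag; the httplog fields follow it in order:
        # client, [accept date], frontend, backend/server, timers, status, bytes
        for (i = 1; i <= NF; i++) if ($i ~ /^haproxy\[[0-9]+\]:$/) break
        if (i > NF) next            # not an HAProxy line
        target = $(i + 4)           # e.g. web_back/web1 or web_back/<NOSRV>
        status = $(i + 6)           # HTTP status returned to the client
        if (status ~ /^5[0-9][0-9]$/) n[target " " status]++
    }
    END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Demo on the constructed sample.
sample_log | summarize_5xx
```

On the Droplet, feed it the real file instead, for example `summarize_5xx < /var/log/haproxy.log`.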
Step 8: Scaling and High Availability (HA) considerations
Once this basic setup works, you may want redundancy — a single HAProxy server is itself a point of failure. Common strategies include:
- Floating / Reserved IP: Assign a reserved IP in DigitalOcean and move it between HAProxy nodes on failure.
- Keepalived / VRRP: Use keepalived alongside HAProxy to manage failover of virtual IPs between two HAProxy servers. (This is covered in DigitalOcean’s HAProxy HA guide.)
- Health-based failover scripts: Automate reassignment of IPs when health checks fail.
- Multiple HAProxy nodes behind DNS failover: Use a low DNS TTL and health-aware DNS.
- Use DigitalOcean’s Managed Load Balancer product: If you prefer a managed, fault-tolerant solution rather than DIY HA.
Summary & next steps
You now have:
- A DigitalOcean Droplet running HAProxy
- A working HAProxy configuration routing traffic to backend servers
- TLS termination for HTTPS
- Basic health checks
- Logging and metrics interface
From here you can:
- Add more backend nodes to scale
- Harden security (firewall, restrict backend access)
- Automate certificate renewal (e.g. with Certbot + scripts)
- Implement HA (Keepalived, reserved IP)
- Integrate with orchestration (Docker, Kubernetes, etc.)