HaProxy Certbots make certificate challange possible without stopping haproxy

olethanh · olethanh · commit 18c765e43f7c · 2025-07-15T12:00:12.000+02:00
diff --git a/packaging/aleph-vm/etc/haproxy/haproxy-aleph.cfg b/packaging/aleph-vm/etc/haproxy/haproxy-aleph.cfg
@@ -71,6 +71,11 @@ frontend ft_http
     # Extract Host header and store it
     http-request set-var(txn.host) hdr(host)
 
+    # Redirect to letsencrypt certbot for certificate challange requests
+    # Test URI to see if its a letsencrypt request
+    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+    use_backend bk_letsencrypt if letsencrypt-acl
+
     # Find the target server dynamically from Host header
     use_backend bk_http if { var(txn.host) -m found }
     default_backend bk_default_supervisor
@@ -116,6 +121,10 @@ backend bk_default_ssl
     mode tcp
     server fallback_local 127.0.0.1:4443 send-proxy
 
+# Let's encrypt Backend for certificate renewal
+backend bk_letsencrypt
+    server letsencrypt 127.0.0.1:8888
+
 # Internal frontend that handles TLS termination (serve cert) and HTTP
 frontend ft_terminated_ssl
     bind 127.0.0.1:4443 ssl crt /etc/haproxy/certs/ accept-proxy
