HAProxy with SSL termination

Problem

Michael Maier
2 min read · Nov 14, 2017

I needed to run a dockerized HAProxy in front of two different containers running web services for two different domains:

  • Foo.com for a Node app on port 3000, with a certificate and forced HTTPS
  • Bar.com for Ghost (this blog) on port 2368

Caveats

HAProxy resolves the backend host names (e.g. www-foo and www-bar) via DNS when it reads the config, and if resolution fails the proxy will not start. So you either need to start the proxy after the containers are running, or add a default-server init-addr none setting in the defaults section (which lets HAProxy start even when a server address cannot be resolved yet). Also make sure that the server aliases of the backend nodes are not the same, since HAProxy will then for some reason fail to resolve the addresses.

global
    log /dev/log local0
    log 127.0.0.1 local1 notice
    maxconn 4096

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    #default-server init-addr none

frontend www-http
    mode http
    stats enable
    stats uri /haproxy?stats
    bind 0.0.0.0:80
    reqadd X-Forwarded-Proto:\ http

    # Define hosts
    acl host_foo hdr(host) -i foo.com
    acl host_bar hdr(host) -i bar.com

    ## figure out which one to use
    use_backend foo-backend if host_foo
    use_backend bar-backend if host_bar

    default_backend foo-backend

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/ssl/private/foo.com.pem
    reqadd X-Forwarded-Proto:\ https

    # Define hosts
    acl host_foo hdr(host) -i foo.com
    acl host_bar hdr(host) -i bar.com

    ## figure out which one to use
    use_backend foo-backend if host_foo
    use_backend bar-backend if host_bar

    default_backend foo-backend

backend foo-backend
    redirect scheme https if !{ ssl_fc }
    server foo-node1 www-foo:3000 check

backend bar-backend
    server bar-node1 www-bar:2368 check
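An added example, not from the post: a small Python preflight check for the two caveats above, meant to run against the config text before the proxy container starts. It reports backend hosts that do not resolve, duplicate server aliases, and whether default-server init-addr none is active. The resolve parameter and the embedded config snippet are constructed here for illustration.

```python
import re
import socket
from collections import Counter

# Constructed sample: the relevant lines of the config above, not a full HAProxy config.
SAMPLE_CFG = """
defaults
    #default-server init-addr none
backend foo-backend
    server foo-node1 www-foo:3000 check
backend bar-backend
    server bar-node1 www-bar:2368 check
"""

# "server <alias> <host>[:<port>] ..." lines; the host must not be an IPv6 literal
SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+([^\s:]+)(?::(\d+))?", re.M)
# an active (uncommented) "default-server ... init-addr none" line
INIT_ADDR_NONE_RE = re.compile(r"^\s*default-server\s+.*\binit-addr\s+none\b", re.M)


def preflight(cfg_text, resolve=socket.gethostbyname):
    """Check the startup pitfalls described in the post.

    Returns a dict with the hosts that failed to resolve, duplicate server
    aliases, whether init-addr none is set, and an overall startup verdict.
    The resolver is injectable so the check can be exercised without DNS.
    """
    servers = SERVER_RE.findall(cfg_text)
    aliases = Counter(alias for alias, _host, _port in servers)
    duplicates = sorted(a for a, n in aliases.items() if n > 1)

    unresolved = []
    for _alias, host, _port in servers:
        try:
            resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            unresolved.append(host)

    init_addr_none = bool(INIT_ADDR_NONE_RE.search(cfg_text))
    # HAProxy refuses to start on an unresolved host unless init-addr none is set;
    # duplicate aliases are flagged as a problem per the post's caveat.
    startup_ok = (init_addr_none or not unresolved) and not duplicates
    return {"unresolved": unresolved, "duplicates": duplicates,
            "init_addr_none": init_addr_none, "startup_ok": startup_ok}


if __name__ == "__main__":
    print(preflight(SAMPLE_CFG))
```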
