Skip to main content

Redirect a subdomain to a VM with HAproxy

HAPorxy logoI use a dedicated server to host multiple websites. Because I only have one public IP and each website runs in a different VM, I needed a solution to redirect web traffic to a VM depending on the domain name.

HAProxy is a lightweight load-balancer that can be configured to act as a reverse proxy in front of any website. It can deal with HTTP / HTTPs connections and redirect traffic to the VM that corresponds to the domain the end user wants to access. It can handle SSL connections which means you don’t have to bother with certificates on your web servers. I have been using HAProxy for several months in front of my Seafile, Owncloud, Piwigo and Proxmox websites. It runs very well even in a small VM (1 vCPU, 128 MB of RAM and 4 GB of storage) and is simple to configure.

In this tutorial, I will explain how to configure a HAProxy server on Debian with a SSL wildcard certificate that will redirect HTTP / HTTPs traffic to VMs.



1) Install HAProxy

On Debian Wheezy, you need to enable backports repositoy

Then install HAproxy

2) Generate self-signed certificates

A wildcard certificate is a certificate valid for every subdomain of a domain,. E.g. a certificate for * will be valid for,, etc. Use the commands below to generate such certificate. On the third command, you will be asked for “Common Name (e.g. server FQDN or YOUR name)” and enter *.your.domain to create a wildcard certificate for your.domain.

3) Create HAProxy configuration file

This is when we tell HAProxy to redirect traffic to a particular VM depending on the domain. I based this example with two websites:

  • a WordPress server:
    • Web server listens on port 80 (http)
    • IP address
    • Domain name:
  • an Owncloud server:
    • Web server listens on port 443 (https)
    • IP address
    • Domain name:

We will tell HAProxy to handle the SSL connections (which is why we created a wildcard certificate in step 2) so their is no need to encrypt the traffic internally (from HAProxy to the VMs).  However, sometimes softwares are configured to listen on HTTPs only and you need to tell HAProxy to use SSL to communicate with the VM (which is why in my example Owncloud server listens on port 443).


Use the configuration file below:

and edit the relevant sections:

  • frontend public: defines what to do for http and https connections. You need to customize ACLs and backends with your own servers
  • backend abc: put here the properties of your VM(s)

Based on this example, you can redirect any domain to a VM with little customization. Copy the content above, edit it for your needs and save it to /etc/haproxy.cfg. Finally, reload haproxy configuration (service haproxy reload) to apply configuration, create a NAT to HAProxy server on port 80 and 443 (+ firewall rules) and you are all set !

9 thoughts on “Redirect a subdomain to a VM with HAproxy

  1. What about NGINX as reverse proxy ?
    I use this one for my websites, and I’m curious to see differences, pros/cons, etc. 🙂

    Anyway, I’ll probably try your solution !

    1. Thanks a lot for your remark !

      I edited the article to generate SHA-2 certificates (inspired from your blog) and changed the HAProxy config to take into account reccomendation from bettercrypto team. I also simplified the configuration to use only one frontend for both http / https connections.

    1. Yes it can handle multiple domains (and their subdomains) !

      If you need different SSL certificates for your domains, you can concatenate them into one .pem file or modify this line to load them individually:

      bind *:443 ssl crt /etc/ssl/private/your.domain1.pem /etc/ssl/private/your.domain2.pem

  2. Hi!

    I have setup HAProxy serving as reverse proxy using many parts of your configuration.
    However, I’m facing an issue when accessing a subdomain where the browser tells me that
    “The security certificate presented by this website was issued for a different website’s address.”

    This is true, because I have created Let’s Encrypt certificate for .com on the HAProxy server.
    But the webpage is expecting certificate for

    How can I resolve this?
    My assumption is that I would need in total 3 certificate for all subdomain, means

    Or is there any other solution?


    1. You will either need a certificate for multidomains or to create multiple certificates. With Let’s encrypt it’s quite easy to do it now. I suggest you to give it shot !

Leave a Reply

Your email address will not be published. Required fields are marked *