How I host multiple websites on Linode with HAProxy


This website and a couple others all run on a single small Linode virtual server. Most sites are generated with the static site generator Sculpin, but some require PHP and other technologies.

I wanted to keep the server relatively clean and be able to test my setup locally. Therefore i created a couple of docker containers and use docker-compose to run the whole system. All pages are served over https, using letsencrypt to get free SSL certificates. In this post I want to share about the tools I use.


HAProxy is a nice small server to handle incoming traffic and route it to the correct backend server. Using acl rules, we can decide which backend to go to, based on domain, path and so on.

You find examples for these things on the web. The thing I want to highlight is the integration with letsencrypt. I tried a couple of fancy docker-images that supposedly do everything with letsencrypt and whatnot. In the end I found a solution that i find quite simple: installing the certbot cli into the haproxy docker image. The relevant docker configuration is:

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/

    http-response set-header Strict-Transport-Security max-age=36000

    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

    redirect scheme https code 301 if !{ path_beg /.well-known/acme-challenge/ } !{ ssl_fc }

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt if letsencrypt-acl

    default_backend nginx

backend nginx
    retry-on all-retryable-errors
    http-request disable-l7-retry if METH_POST
    server nginx nginx:80 tfo

backend letsencrypt
    server letsencrypt localhost:8080

The Dockerfile for the haproxy adds the letsencrypt certbot and copies the configuration and a bash script into the container:

FROM haproxy:2.1-alpine

RUN apk add bash socat certbot

COPY /usr/local/bin/haproxy-certificate-refresh
RUN chmod +x /usr/local/bin/haproxy-certificate-refresh

COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

Certificate handling

The additional bash script in the Dockerfile above is used to update certificates without restarting HAProxy:


set -e


# update certs for HA Proxy
  if [ -d ${LE_DIR}/${DOMAIN} ]
    cat ${LE_DIR}/${DOMAIN}/fullchain.pem ${LE_DIR}/${DOMAIN}/privkey.pem | tee ${HA_DIR}/${DOMAIN}.pem
    echo -e "set ssl cert ${HA_DIR}/${DOMAIN}.pem <<\n$(cat ${HA_DIR}/${DOMAIN}.pem)\n" | socat stdio /var/run/haproxy
    echo -e "commit ssl cert ${HA_DIR}/${DOMAIN}.pem" | socat stdio /var/run/haproxy

To create a new certificate, I run certbot in the haproxy image:

docker-compose exec haproxy certbot certonly -d
docker-compose exec haproxy sh -c "cat /etc/letsencrypt/live/ /etc/letsencrypt/live/ | tee /etc/ssl/private/"

For this to work, DNS needs to be set up to point to the correct Linode. (As usual, to add an additional subdomain into the same certificate, you can re-run the certbot command with additional subdomains in the -d parameter. Keep in mind that you need to repeat all subdomains and the main domain to add a subdomain.)

For certificate renewal, I set up a cronjob that executes from the root directory with the docker-compose file:

/usr/local/bin/docker-compose exec haproxy certbot -q renew && \
/usr/local/bin/docker-compose exec haproxy haproxy-certificate-refresh`


I don't do anything unusual with nginx. It runs behind the HAProxy, and therefore does not need to know about the SSL certificates. The communication between HAProxy, nginx and PHP-FPM runs inside docker and is not visible from the outside.

The Dockerfile for nginx is using nginx:stable and has one custom line COPY etc/nginx /etc/nginx to set up the configuration. It would probably make sense to mount the configuration directory instead of copying it into the image. Then i could do configuration changes and have nginx reload the configuration without rebuilding the image and avoiding all downtime.

I configure each site in a file unter etc/nginx/sites-enabled. I redirect either www. to the bare name, or the bare name to www., depending on which domain name I want to use. A static site is configured with the following (the root depends on the mount point in the docker-compose below):

server {
    root /var/www/;
    include common.conf;
    include images.conf;

server {
    return 301$request_uri;

Sites that run a PHP application look a bit more complex (in this example a dokuwiki):

server {
    server_name www.dynamic-website.xy;
    root /var/www/dynamic-website.xy;

    client_max_body_size 12M;

    #Remember to comment the below out when you're installing, and uncomment it when done.
    location ~ /(conf/|bin/|inc/|install.php) { deny all; }

    location = / {
        return 301 /dokuwiki/;

    location ~ /dokuwiki/doku.php/ {
        return 301 /dokuwiki/;

    #Support for X-Accel-Redirect

    location ~ ^/dokuwiki/data/ { internal ; }

    location /dokuwiki { try_files $uri $uri/ @dokuwiki; }

    location @dokuwiki {
        # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
        rewrite ^/dokuwiki/_media/(.*) /dokuwiki/lib/exe/fetch.php?media=$1 last;
        rewrite ^/dokuwiki/_detail/(.*) /dokuwiki/lib/exe/detail.php?media=$1 last;
        rewrite ^/dokuwiki/_export/([^/]+)/(.*) /dokuwiki/doku.php?do=export_$1&id=$2 last;
        rewrite ^/dokuwiki/(.*) /dokuwiki/doku.php?id=$1&$args last;

    location ~ \.php$ {
        try_files $uri $uri/ /doku.php /index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_pass  dynamic-website:9000;

    include common.conf;

    index doku.php index.php index.html;

server {
    server_name dynamic-website.xy;
    return 301 http://www.dynamic-website.xy;


In the parent folder that contains the folders for HAProxy, nginx and PHP-FPM, i have a docker-compose.yml file. An excerpt from that file:

version: "3.5"

  linode: ~
    driver: bridge


    restart: unless-stopped
    build: haproxy/
      - ${HTTP_PORT}:80
      - ${HTTPS_PORT}:443
      - nginx
      - linode
      - back
      - ./_data/haproxy/certs.d:/etc/ssl/private:rw
      - ./_data/letsencrypt:/etc/letsencrypt:rw

    restart: unless-stopped
    build: nginx/
      - dynamic-website
      - back
      - /home/david/www/
      - /home/david/www/dynamic-website.xy/dokuwiki:/var/www/dynamic-website.xy/dokuwiki:ro
      # more volumes for the various applications

    restart: unless-stopped
    build: php-fpm/
      - back
      - /home/david/www/dynamic-website.xy/dokuwiki:/var/www/dynamic-website.xy/dokuwiki:rw

This configuration binds the HAProxy docker image to the ports 80 and 443 of the host system, so it is the default system answering HTTP and HTTPS requests.


I generate my static websites with sculpin, which allows me to write Markdown or HTML. I wrote about that topic yesterday. I have a git repository for the sculpin project with the page source, and another git repository for the generated files. I set up sculpin to generate the files into that second repository, so that i can then commit and push changes to the output files and use git pull to update the page on the Linode server.

If you want to add new sites without a downtime, you would need to mount the nginx configuration, and also change from mounting a separate volume per website to mount a parent folder of the websites into the nginx and php-fpm containers so that you can add on the fly.

Anyways, I hope this braindump is useful to you. If you want to give linode a try, please use this link to give me some credit.

php architecture https web server