Is it possible to use HAProxy to override 25 Certificates per Application Load Balancer limit in AWS?

Hi,

I am a beginner in HAProxy and I am experimenting with it now. I use AWS to run a web application which supports custom domains and subdomains. I am using AWS Certificate Manager to generate and manage certificates.

Well, say my application is available under https://myapplication.com. I can use Certificate Manager to generate a certificate for my domain. I can also support subdomains like https://customer1.myapplication.com, https://customer2.myapplication.com, etc. by using a wildcard certificate like *.myapplication.com.

This gets stuck when I try to support custom domains, for example if I need to support https://customapplication.com or https://myapplication.custom.com. What I do is configure DNS (Route 53) and attach the certificate to my Application Load Balancer. But an ALB has a limit of 25 certificates per node. One workaround to support more than 25 certificates is to bring up multiple ALBs and introduce a Network Load Balancer, as shown in the diagram below:

If I proceed with a solution like this, I will end up bringing up one load balancer for every 25 domains I need to cater for (4 for 100, 40 for 1000), and I don't consider that a feasible solution at all.

I have been reading all the blogs and documentation available online, and I would like to know: is it possible to use HAProxy together with an Application Load Balancer and Route 53 to support more than 25 certificates in AWS? If so, could somebody tell me how to achieve this?

I am adding links below for reference.

Thanks in advance.

Hi,
HAProxy can indeed be used to solve your problem, but I don't think it is the best way to do it. Why don't you use a SAN certificate (Subject Alternative Name, i.e. a multi-domain certificate)?

But if, for some reason, you can't:
First, I would not use the network diagram you provided (or maybe it is incomplete): you cannot register an NLB as a target for an ALB. You would have to use a Lambda function to update the ALB target group.

Then, if you want a cleaner setup, you could do:
users (HTTPS) → NLB (TCP) → HAProxy (SSL offload for all your domains) → NLB/ALB → ECS
You'll need a bit of effort to integrate HAProxy (get the certs, take care of the SSL configuration, set up autoscaling properly, decide whether you want to keep SSL inside your private network, ...), but it will work.


Hi @baptiste64, thank you so much for your support.

As you mentioned, I cannot use SAN, and I am not using the architecture shown in the diagram either.

Could you please tell me how I can set up HAProxy to get all the certificates and point to my ALB in AWS? Can you provide some insights, guidelines or documentation links?

I am sorry, but I am just a beginner and I don't know where to start.

Thanks.

The certificate management (getting all the certificates onto the HAProxy local filesystem) can be achieved with the AWS CLI command "aws acm get-certificate" (see the AWS CLI 2.1.30 Command Reference).
You can use list/get, with text output, to build a .pem file.

After that, the configuration is straightforward, except for one thing: from the HAProxy instance, targeting the ALB or NLB backend:

I’m sorry, but I don’t have a proper technical article to help you more.

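As an added example (not code from anyone in this thread), here is a script that follows the steps sketched above: list the issued certificates in ACM, pull each certificate and chain with the AWS CLI in text output, combine them with the private key into the single PEM bundle HAProxy expects, and write a config that offloads TLS for every bundle and forwards to the ALB. Two caveats a practitioner will hit: "aws acm get-certificate" returns only the certificate and the chain, never the private key (for an ACM-issued public certificate the key is not exportable that way, so the script expects it in a local key directory; for certificates from an ACM Private CA, "aws acm export-certificate" hands out an encrypted key), and an ALB's IP addresses change, so HAProxy must resolve the ALB hostname at runtime through the VPC resolver rather than once at startup. The ALB hostname, the /etc/haproxy paths and the KEY_DIR/<domain>.key layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors ACM certificates into the
# PEM bundles HAProxy loads and writes a config that offloads TLS for all of
# them in front of an ALB. Assumes: AWS CLI v2 with acm:ListCertificates,
# acm:DescribeCertificate and acm:GetCertificate; openssl on the host; the
# private key for each domain already stored as KEY_DIR/<domain>.key, because
# get-certificate returns only the certificate and chain, never the key.
set -eu

# Wildcard names contain '*', which must not end up in a filename.
safe_name() {
    printf '%s\n' "$1" | sed 's/\*/_wildcard/g'
}

# Reject a bundle whose key does not belong to its leaf certificate; warn when
# the certificate expires within 24 hours.
check_bundle() {  # $1 = bundle.pem  $2 = key file
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -noout -checkend 86400 -in "$1" >/dev/null ||
        echo "warning: $1 expires within 24h" >&2
}

# Fetch every ISSUED certificate from ACM and write cert+chain+key bundles into
# CERT_DIR. Files are staged in a subdirectory (HAProxy skips directories when
# loading 'crt <dir>/') and moved into place atomically. Prints the count written.
acm_sync() {  # $1 = KEY_DIR  $2 = CERT_DIR
    key_dir=$1 cert_dir=$2 written=0
    umask 077                                  # bundles contain private keys
    mkdir -p "$cert_dir/.staging"
    arns=$(aws acm list-certificates --certificate-statuses ISSUED \
               --query 'CertificateSummaryList[].CertificateArn' --output text)
    for arn in $(printf '%s\n' "$arns" | tr '\t' '\n'); do
        [ -n "$arn" ] && [ "$arn" != None ] || continue
        domain=$(aws acm describe-certificate --certificate-arn "$arn" \
                     --query 'Certificate.DomainName' --output text)
        name=$(safe_name "$domain")
        key=$key_dir/$name.key
        if [ ! -r "$key" ]; then
            echo "skip $domain: no private key at $key" >&2
            continue
        fi
        cert=$(aws acm get-certificate --certificate-arn "$arn" --query Certificate --output text)
        chain=$(aws acm get-certificate --certificate-arn "$arn" --query CertificateChain --output text)
        staged=$cert_dir/.staging/$name.pem
        { printf '%s\n' "$cert"; printf '%s\n' "$chain"; cat "$key"; } >"$staged"
        if check_bundle "$staged" "$key"; then
            mv "$staged" "$cert_dir/$name.pem"
            written=$((written + 1))
        else
            echo "skip $domain: private key does not match certificate" >&2
            rm -f "$staged"
        fi
    done
    echo "$written"
}

# HAProxy config: SNI picks the right bundle from CERT_DIR; traffic goes on to
# the ALB in plain HTTP inside the VPC. The ALB is addressed by DNS name and
# re-resolved through the VPC resolver because its IPs are not stable.
write_haproxy_cfg() {  # $1 = CERT_DIR  $2 = ALB DNS name  $3 = output file
    cat >"$3" <<EOF
resolvers aws
    nameserver vpc 169.254.169.253:53
    hold valid 10s

defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    bind :443 ssl crt $1/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend alb

backend alb
    server alb $2:80 resolvers aws init-addr none check
EOF
}

# Usage: sh acm_to_haproxy.sh /etc/haproxy/keys /etc/haproxy/certs my-alb-123.eu-west-1.elb.amazonaws.com
# (placeholder hostname and paths). The config is validated before the reload.
if [ $# -eq 3 ]; then
    count=$(acm_sync "$1" "$2")
    write_haproxy_cfg "$2" "$3" /etc/haproxy/haproxy.cfg
    haproxy -c -f /etc/haproxy/haproxy.cfg
    systemctl reload haproxy
    echo "installed $count bundles and reloaded haproxy"
fi
```

Run it from cron or a systemd timer on the HAProxy instance so renewed ACM certificates are picked up; a bundle whose key does not match, or whose key is missing, is skipped rather than installed, so a bad sync never takes a working domain offline. If you want TLS between HAProxy and the ALB as well, change the server line to port 443 with "ssl verify required ca-file <bundle>".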

Hi @baptiste64, thank you so much for providing detailed steps.

Let me go through the steps, and I will ping here if I get stuck somewhere.

Thanks.