Upgrading HAProxy 1.4 to 1.5+ for SSL termination?

Hello, I’ve inherited an out of date HAProxy server and in my learning about HAP for a project, I have found v 1.4 does not support SSL termination. We have many sites configured through HAProxy with SSL Passthrough and I would like to upgrade without breaking anything or at least have a way to rollback, but my experience is limited. The setup is as follows.

2 external HAP 1.4.22 / Ubuntu 12.04.2 vm servers (public facing)
2 internal HAP 1.4.22 / Ubuntu 12.04.2 vm servers
Keepalived is configured to provide redundancy between the 2 ext servers, same for the 2 int servers.
A cron job is set up on INT2 to copy config changes from INT1 and EXT2 from EXT1, every 5 minutes.

Any help or ideas are greatly appreciated


Replicate everything in a lab with uptodate software and test.

We can help you with haproxy specific upgrade issues, should they arise, but you will have to test everything.

1 Like

We use a similar haproxy setup and I can share some of steps we take to mitigate risk during upgrades:

  • multiple VIPs
    we use keepalived and multiple groups each owning their own VIP; at our discretion we can fail over individual IPs to one of the servers for testing out a new configuration or haproxy version. For a large upgrade we might fail all VIPs over to a single instance and then move them back one-by-one
  • image management
    we run haproxy in docker and have a sidecar for managing the configuration - everything from the configuration builder to the haproxy container itself is in configuration management and can be replicated by anybody with access to the repository
  • config management
    A cron job copying between machines doesn’t give you any history into what changed - I would advise to get your setup into some sort of configuration management (i.e. puppet) and use that for deployment.

Exactly this - you’re upgrading so you may as well go right to the most recent stable version rather than just 1.5.

Do the upgrade, then work on changing over to SSL termination to haproxy rather than SSL passthrough. Don’t try and do both at once.