HA Proxy when docker containers have nginx

What do I do with the docker compose .yml file that create an nginx & letsencrypt container if I’m running HAproxy above them & configured to handle the ssl for each of the subdomains? Do I just go into each yml and delete all references to nginx & Letsencrypt?

Goal is to install several services (bitwarden, nextcloud, etc) using docker compose. However, they all seem to be bundled with their own instance of nginx and Let's Encrypt. Don’t know what the proper thing to do is if the certs & reverse proxy are already handled by haproxy.

BTW…I am aware that on the backend of haproxy I can check the ssl encrypt box for containers that have their own cert. Guess the concern is why have the extra overhead (multiple containers of nginx, letsencrypt for each app if HAproxy can do it) as well as reducing the diagnostic headache when something goes wrong.

As long as the services are not dependent on those existing to start, removing them would be fine. If the services have their own self-signed certs the overhead is minimal, but that would allow the internal traffic between the service and HAProxy to be encrypted.


Depending on the application, the bundled nginx instance may be necessary because it either consolidates multiple internal backends or because it is simply the only web server (think e.g. PHP-FPM). In these cases I would advise against removing them from the compose file. If you could otherwise simply connect to a plain HTTP port and the whole application works as expected, you can probably circumvent the bundled reverse proxy and have HAProxy use that port as backend directly.

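An added example of the layout suggested in the two replies above (not from this thread, nor from the Bitwarden or Nextcloud projects): HAProxy holds the certificates and routes by Host header; one backend is reached over plain HTTP because its bundled nginx was dropped from the compose file, the other keeps its own self-signed cert and the hop from HAProxy to the container is re-encrypted and verified. Hostnames, container IPs and certificate paths are assumptions for illustration.

```haproxy
# Added example, not the thread's or any project's config.
# Hostnames, Docker-network IPs and cert paths are assumed.

global
    log stdout format raw local0
    # Sane TLS floor for the public-facing listener
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    option forwardfor           # pass the real client IP to the containers
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    # One wildcard cert, or a directory of per-subdomain PEM files, lives here
    # instead of inside each container (assumed path).
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Route on the Host header of the decrypted request
    use_backend bitwarden_http if { req.hdr(host) -i bitwarden.example.com }
    use_backend nextcloud_tls  if { req.hdr(host) -i nextcloud.example.com }
    default_backend deny_unknown

# Case 1: bundled nginx/letsencrypt removed from the compose file; the app
# listens on plain HTTP on the Docker network only and HAProxy talks to it directly.
backend bitwarden_http
    server bw 172.18.0.10:80 check

# Case 2: the container keeps its own self-signed cert, so LAN traffic between
# HAProxy and the container stays encrypted. Verifying against the container's
# CA (rather than 'verify none') keeps the backend authenticated too.
backend nextcloud_tls
    server nc 172.18.0.11:443 ssl verify required ca-file /etc/haproxy/nextcloud-ca.pem sni str(nextcloud.example.com) check

backend deny_unknown
    http-request deny deny_status 421

frontend http_in
    # Plain HTTP only redirects to HTTPS
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }
```

Case 1 only works when the application, as the reply above notes, is reachable on a plain HTTP port without its bundled proxy; if the nginx in the container is the only web server (PHP-FPM setups), keep it and point HAProxy at that container's port instead.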

Thank you…so if the certs are low overhead & I have a bunch of docker containers with their own certs, I’ll still need haproxy to direct port 443 to the correct service.

I could use haproxy for certs but configure the haproxy backend to bypass those dockers with certs. This would provide ssl for other services that don’t have ssl bundled in.

If I remove the certs from within the docker but use a wildcard cert at haproxy: A) The container would have to work on its own without them; B) Anyone on the LAN could access that unencrypted traffic, but it would be quicker.

Is it best use to just default to leaving the docker containers alone and issue ssl via haproxy for any service without it bundled in their docker yml? I was concerned that having multiple keys from the same ip would cause letsencrypt to block/refuse certs (not sure if there is a limit).

Is my thinking correct?

Good points…thank you