Skip to main content


Haproxy and LemonLDAP (or other SSO Provider)


I've got a question to pose towards the almighty Fediverse Hive Mind! :-)

Do you have any experience replacing Apache2 with Haproxy and integrating it with an existing LemonLDAP SSO Provider?

Why you ask?
I'm currently fiddling around with Proxmox SDN and an Opnsense Firewall to securely compartmentalize the respective networks. Opnsense has a Haproxy implementation to use as reverse proxy, which would greatly streamline my current setup, replacing Apache2 reverse proxy.

If you have successfully implemented Haproxy with another SSO Provider (Authentik, Keycloak, etc?) please let me know your hard earned findings with implementation. :-)

Thank you!

#linux #opnsense #proxmox #firewall #haproxy #apache

in reply to Peter Schlager

LemonLDAP supports apache2, nginx and Traffik natively when using for vhosts. It doesn't matter If you use an additional reverse haproxy in front.
This entry was edited (10 months ago)
in reply to h2owasser🌊

Thank your for your answer 👍 I'm afraid this all only goes to show that I do not fully grasp the LemonLDAP concepts.
Perhaps you could advise/correct regarding the following:

My old setup has a one-armed LemonLDAP apache2 vhosts machine which also serves as a TLS-terminating reverse proxy.

Now with the dedicated Opnsense Firewall (which of course has multiple arms) I was hoping to replace the one-armed reverse proxy, moving its functionality and config to haproxy in Opnsense while also keeping the existing LemonLDAP machine setup as IDP.
Hence why my research mostly focused on the idea of getting Haproxy to terminate TLS (done) have backend servers as vhosts (done) and only route traffic after doing AAA against the existing LemonLDAP installation on another host.

I suppose this is where my concepts of LemonLDAP fail me :-) as in that vhosts which should to be protected must also reside upon LemonLDAP itself as apache/nginx vhosts.

I understand your suggestion would simply work, yet introduce another reverse proxy in the mix? Neither would configuration management of the reverse proxy be slimmed down.
I will have to give this some thought.

in reply to Peter Schlager

I am not sure if i really understand your setup, but you can easily configure haproxy doing TLS-termination as dns endpoint. Configure your lemonldap-portal/manager and vhosts as haproxy-backends. Use nginx or apache2 on these hosts, which may listen on port 80. But keep in mind that depending on your configuration (see lemonldap-ng.ini) lemonldap and the vhosts have to communicate to each other (configurationdb/redis etc...) #sso #lemonldap