HAProxy Odyssey: From NetScaler to BGP Anycast

From cutting cost-heavy Citrix nets to mastering BGP Anycast, my HAProxy journey shows how resilience, security, and automation evolve.

I've been riding the HAProxy wave for almost a year now, and this recap isn't corporate. It's the honest trail of what worked, what didn't, and how I ended up with true active-active load balancing via BGP anycast.

The Migration – NetScaler to HAProxy

Sick of the 20 Mb/s bottleneck on Citrix NetScaler freemium, I said no more.

Migrating from Citrix NetScaler to HAProxy removed the 20 Mb/s freemium bottleneck and replaced dead SDX hardware with a modern, open-source load balancer.

Migrating from Citrix NetScaler to HAProxy: A Complete Guide

It was a clean swap: delete the legacy gear, drop in HAProxy, run the app. No license renewal, no hardware churn.

Adding Resilience – HA & Monitoring

Running a single HAProxy is a gamble.

Running a single HAProxy instance creates a critical single point of failure.

Implementing HAProxy High Availability: A Complete Migration Guide

So I spun up two instances behind Keepalived and VRRP. Then, to be honest, I needed eyes.

Complete HAProxy HA monitoring using Prometheus and Grafana. Custom dashboard with eight panels.

Comprehensive HAProxy High Availability Monitoring with Grafana and Prometheus

Eight panels of dashboards became my new best friend.

Real-World Fixes – SNI, X-Frame, and More

Proxying Parallels RAS was a nightmare thanks to SNI.

The SNI Routing Trap…

Why Parallels RAS Wouldn't Work on Port 443 with my other services

Same with Home Assistant; X-Frame-Options kept the browser at bay.

Home Assistant + HAProxy: Fixing Add-on Access Blocked by X-Frame-Options

A few tweaks, a couple of lines, and everything spoke HTTPS again.

Security & Integration – ACLs, SSO, and DNS Rewrites

When you're managing a cluster, you must know who sits on which node.

When managing a high availability HAProxy cluster, one of the most common moments of confusion happens right after SSH.

Smart HAProxy Role Detection: Know Your Server's Status Instantly

I tightened walls with ACLs and rewrote internal DNS through AdGuard.

Restrict sensitive services to your internal network using HAProxy access control lists combined with AdGuard Home DNS rewrites.

Securing Internal Services: Using HAProxy ACLs and AdGuard Home DNS Rewrites

Follow that with an SSO dance: Authentik, Azure, Docker Swarm. All glazed under HAProxy.

Deploying Authentik SSO with Azure SMTP and HAProxy: A Complete Guide

Automation – Data Plane API

Configuration migration was a pain.

HAProxy config management across multiple servers is tedious.

From SSH to API: Deploying HAProxy Data Plane API for Automated Load Balancer Management

I flipped the script. I no longer typed SSH. I piped JSON to HAProxy's new Data Plane API, automated all reloads, and never had a broken server again.

The Final Step – BGP Anycast

Keepalived sat behind the gateway for years. I craved a true active-active model.

How I got true active-active HAProxy load balancing using BGP anycast on a UniFi UDM Pro Max. No expensive routers needed.

From Keepalived to BGP Anycast: HAProxy HA on UniFi UDM Pro Max

BGP anycast let two boxes each take real traffic. Capacity stopped being idle.

What's Next?

I've packed the essentials. What's next? Scale with micro-services, explore OpenTelemetry tracing, or just sit back and enjoy the smoother uptime. The world of HAProxy keeps moving, and the next chapter will be even cooler. Maybe I'll get my hand on