The simplest way to make Backstage HAProxy work like it should

Everyone’s had that moment when a service catalog grows messy and traffic rules become a guessing game. Backstage keeps your developer portal organized, HAProxy keeps your network traffic sane, yet somehow the two never quite work in sync. That’s where most teams stall, juggling auth sessions and ACLs like it’s 2012 again.

Backstage gives you a clear map of every internal service and owner. It’s the backstage pass to your own system—permissions, documentation, builds, all in one place. HAProxy, on the other hand, is the reliable door bouncer. It directs users, guards routes, and filters requests with surgical precision. Pair them and you get a portal that’s not only visible but also safely reachable.

At the center of a good Backstage HAProxy setup is identity propagation. You want your HAProxy to trust the same tokens that Backstage does, typically through OIDC or SSO integration. Requests hitting HAProxy carry signed identity claims, which get verified before routing traffic to backend services. No handwritten rules for every microservice, no duplicated policy logic. The proxy becomes your real-time gatekeeper.

To make this stick, map roles from your identity provider—Okta, Google Workspace, or AWS IAM—to service access policies inside Backstage. Use HAProxy ACLs that check headers or JWT scopes to allow or deny requests. When done right, it feels invisible. Developers click a service link in Backstage, and HAProxy quietly confirms they’re allowed. No VPN chaos, no lingering admin tokens.

Troubleshooting tip: If tokens get rejected, verify clock skew between HAProxy and your IdP. It’s a silent killer for time-limited claims. Also keep the refresh token rotation interval short enough to pass SOC 2 audits but long enough for CI use.
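A sketch of the token checks described above, including a leeway for clock skew, as an added example that is not part of the original post. It assumes HAProxy 2.5 or later (where the JWT converters are available) and RS256-signed tokens; the issuer URL, audience, key path, scope name, header name and backend address are placeholders.

```haproxy
# Added example: issuer, audience, key path, scope and addresses are placeholders.
frontend backstage_fe
    bind :443 ssl crt /etc/haproxy/certs/portal.pem

    # Reject requests that carry no bearer token at all.
    http-request deny deny_status 401 unless { req.hdr(authorization) -m found }

    # Pull the fields we check out of the JWT header and payload.
    http-request set-var(txn.alg)   http_auth_bearer,jwt_header_query('$.alg')
    http-request set-var(txn.iss)   http_auth_bearer,jwt_payload_query('$.iss')
    http-request set-var(txn.aud)   http_auth_bearer,jwt_payload_query('$.aud')
    http-request set-var(txn.exp)   http_auth_bearer,jwt_payload_query('$.exp','int')
    http-request set-var(txn.scope) http_auth_bearer,jwt_payload_query('$.scope')
    http-request set-var(txn.sub)   http_auth_bearer,jwt_payload_query('$.sub')

    # Pin the algorithm first, so a token cannot choose how it is verified.
    http-request deny deny_status 401 unless { var(txn.alg) -m str RS256 }
    http-request deny deny_status 401 unless { var(txn.iss) -m str https://idp.example.com/ }
    http-request deny deny_status 401 unless { var(txn.aud) -m str backstage }
    # Signature check against the IdP's public key (PEM file on the proxy).
    http-request deny deny_status 401 unless { http_auth_bearer,jwt_verify(txn.alg,"/etc/haproxy/jwt/idp-pubkey.pem") -m int 1 }

    # Expiry check with 30 seconds of leeway for clock skew against the IdP.
    http-request set-var(txn.now) date()
    http-request deny deny_status 401 if { var(txn.exp),add(30),sub(txn.now) -m int lt 0 }

    # Scope-based ACL: the catalog API requires the hypothetical catalog:read scope.
    http-request deny deny_status 403 if { path_beg /api/catalog } ! { var(txn.scope) -m sub catalog:read }

    # Record the verified subject in the log line, so entries map to a user.
    http-request capture var(txn.sub) len 64

    # Drop any client-supplied identity header, then forward the verified one.
    http-request del-header X-Forwarded-User
    http-request set-header X-Forwarded-User %[var(txn.sub)]

    default_backend backstage_be

backend backstage_be
    server backstage1 127.0.0.1:7007 check
```

The `-m sub` match is a substring test, so scope names should not be prefixes of one another. Keep the leeway small and fix the underlying skew with NTP rather than widening it.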

Benefits of integrating Backstage and HAProxy:

  • Unified control over developer access and traffic flow
  • Faster approvals without granting blanket network rights
  • Simplified auditing with a single identity source
  • Fewer misconfigurations from duplicated routing logic
  • Consistent SSL termination and security headers across services

For developers, this pairing means less context-switching between portals and consoles. You click, deploy, and debug without waiting for network exceptions or approval tickets. That’s real developer velocity, not a dashboard metric. Operators sleep better too because HAProxy logs now map to real user identities instead of random IPs.

Platforms like hoop.dev take this one step further. They translate these integration patterns into policy-as-code, so your Backstage catalog and HAProxy rules follow the same identity and compliance logic automatically. It’s identity-aware access on autopilot.

How do I connect Backstage and HAProxy securely?
Use your existing OIDC provider as the source of truth. Configure HAProxy to verify JWT tokens, and ensure Backstage issues or accepts the same identity tokens. The result is single sign-on that spans your proxy and developer portal.

When identity and routing align, your infrastructure finally behaves like the map in Backstage promises it will.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
