HAProxy • Syspirit

HAProxy is an open source load balancer and proxy server designed for high availability, load distribution and proxying for TCP and HTTP applications.

Service Management

Action	Command
Start HAProxy	`sudo systemctl start haproxy`
Stop HAProxy	`sudo systemctl stop haproxy`
Restart HAProxy	`sudo systemctl restart haproxy`
Reload configuration	`sudo systemctl reload haproxy`
Service status	`sudo systemctl status haproxy`
Enable at boot	`sudo systemctl enable haproxy`
Test configuration	`sudo haproxy -f /etc/haproxy/haproxy.cfg -c`
HAProxy version	`haproxy -v`

Configuration

File/Directory	Description
`/etc/haproxy/haproxy.cfg`	Main configuration
`/var/log/haproxy.log`	HAProxy logs
`/var/lib/haproxy/stats`	Statistics socket
`/etc/default/haproxy`	Service configuration
`/etc/rsyslog.conf`	System logs configuration

Configuration Structure

Main Sections

Section	Description	Usage
`global`	Global configuration	Process, logs, security
`defaults`	Default parameters	Timeouts, mode, options
`frontend`	Request entry point	Listening, routing
`backend`	Destination servers	Load balancing, health
`listen`	Combined Frontend + Backend	Simple configuration

Basic Configuration

Simple HTTP Configuration

global
    daemon
    user haproxy
    group haproxy
    chroot /var/lib/haproxy
    stats socket /var/run/haproxy.sock mode 660
 
defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
 
frontend web_frontend
    bind *:80
    default_backend web_servers
 
backend web_servers
    balance roundrobin
    server web1 192.168.1.10:8080 check
    server web2 192.168.1.11:8080 check
    server web3 192.168.1.12:8080 check

HTTPS Configuration with SSL

frontend https_frontend
    bind *:443 ssl crt /etc/ssl/certs/example.pem
    redirect scheme https if !{ ssl_fc }
    default_backend web_servers
 
backend web_servers
    balance roundrobin
    option httpchk GET /health
    server web1 192.168.1.10:8080 check
    server web2 192.168.1.11:8080 check backup

Load Balancing Algorithms

Algorithm	Description	Configuration
`roundrobin`	Circular rotation	`balance roundrobin`
`leastconn`	Least connections	`balance leastconn`
`source`	Source IP hash	`balance source`
`uri`	URI hash	`balance uri`
`url_param`	URL parameter hash	`balance url_param id`
`random`	Random selection	`balance random`
`first`	First available server	`balance first`

Configuration Examples

# Load balancing by source IP (sticky session)
backend api_servers
    balance source
    hash-type consistent
    server api1 10.0.1.10:3000 check
    server api2 10.0.1.11:3000 check
 
# Load balancing by URI
backend static_servers
    balance uri whole
    server static1 10.0.2.10:80 check
    server static2 10.0.2.11:80 check

Health Checks and Monitoring

Check Type	Configuration	Example
Simple TCP	`check`	`server web1 ip:port check`
HTTP GET	`option httpchk GET /path`	`option httpchk GET /health`
HTTP with headers	`option httpchk GET /path HTTP/1.1\r\nHost:\ domain`	Custom headers
Check interval	`check inter 5s`	Check every 5s
Retry count	`check rise 2 fall 3`	2 OK for UP, 3 KO for DOWN

Advanced Health Check Configuration

backend app_servers
    option httpchk GET /api/health HTTP/1.1\r\nHost:\ api.example.com
    server app1 10.0.1.10:3000 check inter 10s rise 2 fall 3
    server app2 10.0.1.11:3000 check inter 10s rise 2 fall 3
    server app3 10.0.1.12:3000 check inter 10s rise 2 fall 3 backup

Statistics Interface

Stats Configuration

# In the frontend or as a listen section
listen stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 30s
    stats admin if TRUE
    stats auth admin:password123

Accessing Statistics

Action	URL/Command
Web interface	`http://server:8404/stats`
JSON statistics	`http://server:8404/stats?stats;json`
Disable a server	Web UI or `echo "disable server backend/server1" \| socat stdio /var/run/haproxy.sock`
Enable a server	`echo "enable server backend/server1" \| socat stdio /var/run/haproxy.sock`
Real-time statistics	`echo "show stat" \| socat stdio /var/run/haproxy.sock`

Advanced Configuration

SSL/TLS and Security

global
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!SHA1:!AESCCM
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/certs/ alpn h2,http/1.1
 
    # Security headers
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    http-response set-header X-Frame-Options "DENY"
    http-response set-header X-Content-Type-Options "nosniff"
 
    # HTTPS redirection
    redirect scheme https if !{ ssl_fc }

Content-Based Routing

frontend web_frontend
    bind *:80
 
    # ACLs for routing
    acl is_api path_beg /api/
    acl is_static path_beg /static/
    acl is_admin hdr(host) -i admin.example.com
 
    # Conditional routing
    use_backend api_servers if is_api
    use_backend static_servers if is_static
    use_backend admin_servers if is_admin
    default_backend web_servers

Rate Limiting

# Global rate limiting
frontend web_frontend
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny if { sc_http_req_rate(0) gt 20 }

Logs and Monitoring

Action	Configuration/Command
Enable HTTP logs	`option httplog`
Detailed TCP logs	`option tcplog`
Logs to syslog	`log 127.0.0.1:514 local0`
View real-time logs	`sudo tail -f /var/log/haproxy.log`
Statistics via socket	`echo "show info" \| socat stdio /var/run/haproxy.sock`
Server state	`echo "show servers state" \| socat stdio /var/run/haproxy.sock`

Log Configuration

global
    log 127.0.0.1:514 local0 info
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
 
defaults
    log global
    option httplog
    option dontlognull
    option log-health-checks

Common Troubleshooting

Problem	Solution
Configuration error	`haproxy -f /etc/haproxy/haproxy.cfg -c`
Service won’t start	Check syntax and permissions
Backend unreachable	Check health checks and connectivity
Degraded performance	Adjust timeouts and LB algorithm
Stats inaccessible	Check stats bind and authentication
SSL issues	Check certificates and paths

Management Commands

Action	Command
General statistics	`echo "show info" \| socat stdio /var/run/haproxy.sock`
Backend state	`echo "show stat" \| socat stdio /var/run/haproxy.sock`
Disable server	`echo "disable server backend/server1" \| socat stdio /var/run/haproxy.sock`
Enable server	`echo "enable server backend/server1" \| socat stdio /var/run/haproxy.sock`
Change server weight	`echo "set weight backend/server1 50%" \| socat stdio /var/run/haproxy.sock`
Active sessions	`echo "show sess" \| socat stdio /var/run/haproxy.sock`
Clear sessions	`echo "clear counters all" \| socat stdio /var/run/haproxy.sock`

Practical Tips

Best Practices

Always test configuration: haproxy -f /etc/haproxy/haproxy.cfg -c
Monitor stats via web interface :8404/stats
Enable logs to diagnose issues
Use leastconn for variable loads
Configure a whitelist for admin IPs

Search

➤HAProxy

➤HAProxy

Service Management

Configuration

Configuration Structure

Main Sections

Basic Configuration

Simple HTTP Configuration

HTTPS Configuration with SSL

Load Balancing Algorithms

Configuration Examples

Health Checks and Monitoring

Advanced Health Check Configuration

Statistics Interface

Stats Configuration

Accessing Statistics

Advanced Configuration

SSL/TLS and Security

Content-Based Routing

Rate Limiting

Logs and Monitoring

Log Configuration

Common Troubleshooting

Management Commands

Practical Tips

Best Practices

Table of Contents