The main configuration file is /etc/haproxy/haproxy.cfg. Check its syntax before applying changes with `haproxy -c -f /etc/haproxy/haproxy.cfg`. The global section contains process-wide settings:
Sets default parameters for all subsequent proxies:
Defines how HAProxy receives traffic:
Defines backend servers:
Combines frontend and backend in a single section
# Process-wide settings; evaluated once per HAProxy process.
global
log /dev/log local0
# Hard cap on concurrent connections for the whole process.
maxconn 4000
# The process drops to this user/group after the listeners are bound.
user haproxy
group haproxy
# Values inherited by every frontend/backend/listen section that follows.
defaults
mode http
# Reuse the log target declared in the global section.
log global
option httplog
# Skip logging sessions that never sent a request (e.g. bare TCP probes).
option dontlognull
timeout connect 5s
timeout client 30s
timeout server 30s
retries 3
# Plain-HTTP entry point; there is no TLS on this listener.
frontend http_front
bind *:80
default_backend web_servers
backend web_servers
balance random(2) # Default algorithm in HAProxy 3.3+
# NOTE(review): no `option httpchk` here, so `check` presumably stays a plain
# TCP connect test that cannot tell a hung application from a healthy one — confirm.
server web1 127.0.0.1:8080 check
server web2 127.0.0.1:8081 check
# TLS-terminating entry point. The PEM file must hold the certificate chain and
# the private key; keep it readable only by the user HAProxy starts as.
frontend https_front
bind *:443 ssl crt /path/to/certificate.pem
mode http
default_backend web_servers
backend web_servers
# Active HTTP health check against GET /health (by default HAProxy treats a
# 2xx/3xx reply as healthy — pin it with `http-check expect` if a stricter
# answer is required).
option httpchk GET /health
server web1 10.0.0.10:80 check
# inter 2000: probe every 2 s; rise 2 / fall 3: consecutive passes/failures
# needed before the server flips state.
server web2 10.0.0.11:80 check inter 2000 rise 2 fall 3
# Path-based routing to three backends (api_servers, static_servers and
# app_servers are not defined in this excerpt).
frontend http_front
bind *:80
# path_beg is a pure prefix test: /api also matches /apix or /api-docs.
# NOTE(review): use `path_beg /api/` together with `path /api` if an exact
# segment boundary is intended.
acl path_api path_beg /api
acl path_static path_beg /static /images /css /js
# use_backend rules are evaluated in order; the first match wins and
# anything else falls through to default_backend.
use_backend api_servers if path_api
use_backend static_servers if path_static
default_backend app_servers
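# Per-client request rate limiting on the plain-HTTP listener.
frontend http_front
    bind *:80
    # Define stick table
    # stick-table is a proxy-level keyword: it has to sit inside a frontend,
    # backend, listen or peers section. Declared at top level (outside any
    # section) the configuration fails to load. The untyped `track-sc0` below
    # writes into the current proxy's table, so the frontend is its home.
    # gpc0 is stored but no rule here reads it; http_req_rate(10s) feeds the
    # check below.
    stick-table type ip size 1m expire 5m store gpc0,http_req_rate(10s)
    # Track requests and limit rate
    # Every client address is tracked in slot 0 and rejected once it exceeds
    # 10 requests in the 10 s window. `src` is the TCP peer address, so behind
    # another proxy or CDN all clients would share one entry — TODO confirm
    # the deployment topology (option forwardfor / PROXY protocol) before
    # relying on this. Consider `deny_status 429` so rejected clients can
    # tell a rate limit from a generic 403.
    http-request track-sc0 src
    http-request deny if { sc0_http_req_rate gt 10 }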
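#!/usr/bin/env bash
# Reload a running HAProxy without dropping in-flight connections.
# Validate the file first: reloading with a broken config can leave the old
# process gone and nothing listening.
sudo haproxy -c -f /etc/haproxy/haproxy.cfg || exit 1
# Graceful reload (preserves existing connections)
sudo systemctl reload haproxy
# Or using the binary directly (only when haproxy is not managed by systemd):
# -sf takes every old PID as a separate argument, so split pidof's output
# explicitly instead of relying on an unquoted $(...) word-split. If pidof
# finds nothing the array is empty and -sf simply has no PIDs.
read -r -a old_pids < <(pidof haproxy)
sudo haproxy -f /etc/haproxy/haproxy.cfg -sf "${old_pids[@]}"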
global
log /dev/log local0
maxconn 4000
user haproxy
group haproxy
# Detach from the terminal.
# NOTE(review): the stock systemd unit starts haproxy in foreground
# master-worker mode (-Ws); confirm `daemon` is wanted alongside it.
daemon
# Admin-level runtime API: whoever can open this socket can disable servers,
# change weights, clear tables, etc. The socket is created before privileges
# are dropped, so its owner is presumably root unless `user`/`group` are added
# to this line — TODO confirm who is meant to hold the 660 access.
stats socket /var/run/haproxy/admin.sock mode 660 level admin
# Idle timeout for sessions on the stats socket.
stats timeout 30s
defaults
mode http
log global
option httplog
option dontlognull
timeout connect 5s
timeout client 30s
timeout server 30s
retries 3
# Let a session be sent to another server when its assigned server is down.
option redispatch
# Per-frontend limit (distinct from the process-wide maxconn in global).
maxconn 4000
frontend http_front
bind *:80
mode http
default_backend http_back
backend http_back
balance roundrobin
option httpchk GET /health
server web1 192.168.1.10:80 check
server web2 192.168.1.11:80 check
# backup: receives traffic only while every non-backup server is down.
server web3 192.168.1.12:80 check backup
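global
    log /dev/log local0
    maxconn 4000
    user haproxy
    group haproxy
    # TLS 1.2: AEAD suites only, all with ECDHE for forward secrecy.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 suites.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Refuse anything below TLS 1.2; disabling session tickets stops forward
    # secrecy from depending on the lifetime of the ticket key.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
    mode http
    log global
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    retries 3
# Plain-HTTP listener whose only job is to send clients to HTTPS. The redirect
# has to live here: on a listener that is `ssl`-only, `!{ ssl_fc }` is never
# true, so the same rule inside https_front would be dead code and port 80
# would be unanswered.
frontend http_front
    bind *:80
    mode http
    http-request redirect scheme https if !{ ssl_fc }
frontend https_front
    # PEM bundle (certificate chain + key); alpn advertises HTTP/2 then HTTP/1.1.
    bind *:443 ssl crt /etc/ssl/private/cert.pem alpn h2,http/1.1
    mode http
    default_backend https_back
backend https_back
    balance random(2)
    option httpchk GET /health
    # Servers are reached over plain HTTP; tell them the client used TLS.
    http-request set-header X-Forwarded-Proto https
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check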
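global
    log /dev/log local0
    maxconn 4000
    user haproxy
    group haproxy
    # Admin-level runtime API: whoever can open this socket can disable servers
    # and clear tables. It is created before privileges are dropped, so the
    # owner is presumably root unless `user`/`group` are added to this line —
    # TODO confirm who is meant to hold the 660 access.
    stats socket /var/run/haproxy/admin.sock mode 660 level admin
defaults
    mode http
    log global
    option httplog
    option dontlognull
    # Add X-Forwarded-For with the client address for the backends.
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    retries 3
frontend secured_http
    bind *:80
    mode http
    # Rate limiting table
    # stick-table is a proxy-level keyword and must sit inside a section;
    # declared at top level (between defaults and the frontend) the config
    # fails to load. The untyped track-sc0 below writes into this table.
    stick-table type ip size 1m expire 5m store gpc0,http_req_rate(10s)
    # Block clients exceeding 10 requests per 10 seconds
    # `src` is the TCP peer: behind another proxy all clients share one
    # entry — TODO confirm the topology.
    http-request track-sc0 src
    http-request deny if { sc0_http_req_rate gt 10 }
    # ACLs for security
    # url_reg matches the regex against the full URL (path and query).
    acl invalid_url url_reg -i ^.*\.exe$
    # One substring per line in the file, matched case-insensitively
    # against the User-Agent header.
    acl bad_request hdr_sub(user-agent) -i -f /etc/haproxy/bad_agents.txt
    # Either condition on its own must reject the request. A bare space
    # between ACL names means AND, so the earlier `if invalid_url bad_request`
    # only fired when both matched and let a listed User-Agent through on any
    # normal URL.
    http-request deny if invalid_url || bad_request
    default_backend secured_back
backend secured_back
    balance random(2)
    option httpchk GET /health
    # inter 2000: probe every 2 s; rise 2 / fall 3: consecutive passes/failures
    # needed before a server flips state.
    server web1 192.168.1.10:80 check inter 2000 rise 2 fall 3
    server web2 192.168.1.11:80 check inter 2000 rise 2 fall 3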
# Enable statistics page
# Dedicated listener for the stats UI, served over TLS so the page and its
# server names never cross the network in cleartext.
listen stats
bind *:8404 ssl crt /path/to/cert.pem
mode http
stats enable
stats uri /stats
stats refresh 30s
stats show-legends
# Keeps the HAProxy version out of the page header (less fingerprinting).
stats hide-version
# Secure access with ACLs
# http-request rules run before the stats applet, so the unconditional deny
# below stops everyone outside 192.168.1.0/24 from reaching the page at all.
# No `stats admin` is set, so the page stays read-only for allowed clients.
acl allowed_network src 192.168.1.0/24
http-request allow if allowed_network
http-request deny
For Prometheus monitoring, HAProxy can expose metrics on a /metrics endpoint:
# Add to frontend or listen section
# NOTE(review): `stats uri /metrics` serves the HTML/CSV stats page under
# /metrics, not Prometheus exposition format. The built-in exporter is
# enabled with `http-request use-service prometheus-exporter if { path /metrics }`
# — check that your build includes it, and note that `stats auth` presumably
# does not cover a use-service route, so guard it with a source ACL of your own.
frontend monitoring
# Plain HTTP on every interface: the basic-auth credentials below cross the
# network in cleartext. Bind to a management address or add `ssl crt ...`.
bind *:9000
mode http
stats enable
stats uri /metrics
stats realm HAProxy\ Statistics
# Cleartext credential in the config file: replace this placeholder and keep
# the file unreadable to other local users.
stats auth admin:change_this_password
Configure structured logging for better analysis:
defaults
# JSON-shaped access log. No request line or headers are included, so no
# client-controlled text lands inside the quotes; if %r, %hr or captured
# headers are added later, pass them through `%[...,json]` rather than
# embedding them raw, or the line stops being valid JSON.
# NOTE(review): in HAProxy's log-format table %Ts is the unix timestamp and
# the server response time is %Tr, so "time_server" looks mis-mapped; %Tq is
# the legacy request-time field (%TR in current versions) — confirm against
# the docs for your version. Timing fields can be -1 on aborted sessions.
log-format '{"timestamp":"%T", "client_ip":"%ci", "frontend_name":"%ft", "backend_name":"%b", "server_name":"%s", "time_wait_req":%Tw, "time_connect":%Tc, "time_queue":%Tq, "time_server":%Ts, "bytes_read":%B, "status_code":%ST, "term_state":"%ts", "actconn":%ac, "feconn":%fc, "beconn":%bc, "srvconn":%sc, "retries":%rc, "srv_queue":%sq, "backend_queue":%bq}'
HAProxy can be deployed in highly available configurations using several approaches:
Using Keepalived with VRRP (Virtual Router Redundancy Protocol) to ensure automatic failover:
Example Keepalived configuration:
# Keepalived VRRP instance: the VIP 192.168.1.100 follows whichever node
# currently holds the MASTER state.
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
# Highest priority wins the election; the peer node needs a lower value.
priority 110
advert_int 1
# NOTE(review): auth_type PASS carries the password in cleartext in every
# VRRP advertisement; it only prevents accidental mixing of instances. If
# unauthorised adverts are a concern, restrict VRRP (IP protocol 112) on the
# segment with a firewall instead of relying on this.
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.100/24
}
# NOTE(review): SIGUSR1 is HAProxy's soft-stop signal, so this command stops
# HAProxy on the node that has just become master — almost certainly not the
# intent. A reload is `systemctl reload haproxy` (or SIGUSR2 to the master
# process in master-worker mode); if HAProxy already runs on both nodes, no
# notify_master is needed at all. Confirm what the failover is meant to do.
notify_master "/bin/kill -USR1 `cat /var/run/haproxy.pid`"
}
Deploying multiple HAProxy instances in active-active mode:
Running HAProxy in containerized environments:
For maintaining session persistence across HAProxy instances:
Example peers configuration:
# Peers section: the nodes that replicate stick-table entries to each other.
# The section name must match the `peers` argument on the stick-table line,
# and the local peer's name must equal this host's hostname (or be set with -L).
# NOTE(review): peer traffic is cleartext and unauthenticated by default;
# keep port 1024 reachable only from the cluster members (recent versions
# accept a `bind ... ssl` line in the peers section — confirm for yours).
peers mycluster
peer haproxy1 192.168.1.10:1024
peer haproxy2 192.168.1.11:1024
Then reference the peers in your backend:
backend my_backend
balance roundrobin
# NOTE(review): with `cookie SERVERID insert`, each server line presumably
# needs its own `cookie <value>` or no persistence cookie is emitted for it —
# confirm against the docs for your version.
server server1 192.168.1.20:80 check
server server2 192.168.1.21:80 check
# insert: HAProxy sets the cookie itself; indirect: it is stripped before the
# request reaches the server; nocache: a Cache-Control: private header is
# added so shared caches do not store the response.
# NOTE(review): add `httponly` (and `secure` once TLS fronts this backend) so
# the persistence cookie cannot be read by page scripts.
cookie SERVERID insert indirect nocache
# Source-IP persistence shared across the cluster through the peers section.
# No `expire` is set, so entries stay until the 200k table is full and the
# oldest are evicted.
stick-table type ip size 200k peers mycluster
stick on src