Here’s a list of frequently asked questions (FAQ) about HAProxy, which is widely used as a high-performance load balancer and reverse proxy for TCP and HTTP-based applications.
sudo apt-get install haproxy
sudo dnf install haproxy
The configuration file is /etc/haproxy/haproxy.cfg and includes several key sections:
# HTTPS entry point: TLS is terminated on this bind line. The file given to
# "crt" normally holds the certificate chain together with its private key, so
# restrict its file permissions accordingly.
frontend https
bind *:443 ssl crt /etc/ssl/private/cert.pem
mode http
default_backend servers
# Traffic to the backend leaves HAProxy as plain HTTP (port 80, no "ssl" keyword
# on the server line). NOTE(review): confirm the network between HAProxy and
# 192.168.1.10 is trusted, or re-encrypt towards the server.
backend servers
# "check" turns on health checking for this server.
server server1 192.168.1.10:80 check
# Process-wide TLS defaults for every "bind ... ssl" line. These cover the
# client-facing side only; outgoing "server ... ssl" connections are governed by
# the separate ssl-default-server-* settings.
global
# Cipher list for TLS 1.2 and below: ECDHE key exchange with AES-GCM only.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
# TLS 1.3 suites are configured separately from the pre-1.3 cipher list above.
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Refuse anything older than TLS 1.2 and disable stateless session tickets.
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# Weighted backend: server2 carries twice the weight of server1, so a
# weight-aware balancing algorithm sends it roughly twice the share of traffic.
# No "check" keyword is present, so these servers are not health-checked here.
backend my-backend
server server1 192.168.1.10:80 weight 5
server server2 192.168.1.11:80 weight 10
# HTTP health check: each probe is a GET /health request sent to the server.
backend my-backend
option httpchk GET /health
# inter 2000: probe every 2000 ms; rise 2: two consecutive successes mark the
# server up; fall 3: three consecutive failures mark it down.
server server1 192.168.1.10:80 check inter 2000 rise 2 fall 3
The inter, rise, and fall parameters control the check frequency and failure thresholds.
Raise maxconn values in the global section for higher throughput.
Adjust buffer sizes (tune.bufsize).
Use the nbthread directive for better CPU utilization on multi-core systems.
Use cpu-map to bind threads to specific CPU cores for better performance.
timeout connect 5s
# Inactivity limits on the client side and the server side of a connection.
# NOTE(review): no "timeout http-request" is set in this snippet; that is the
# directive that bounds how long a client may take to send its request headers.
timeout client 60s
timeout server 60s
# Applies once a connection has been upgraded to a tunnel, so the long value
# does not loosen the 60s limits for ordinary requests.
timeout tunnel 3600s # For WebSocket connections
# Maximum idle wait for the next request on a kept-alive connection.
timeout http-keep-alive 10s
Logging is configured in the global section:
global
# Send log messages to the local syslog socket /dev/log with facility local0.
log /dev/log local0
defaults
# Reuse the log target declared in the global section.
log global
# HTTP log format: includes the request line. NOTE(review): request lines can
# carry tokens or other secrets in query strings, so treat these logs as sensitive.
option httplog
# Custom JSON-shaped access log line.
defaults
# %T timestamp, %ci client IP, %b backend, %s server, %r request line, %ST status.
# %r is supplied by the client: a double quote or backslash in it would break the
# JSON and lets a client forge log fields. NOTE(review): consider an escaping
# flag such as %{+E}r, and verify its behaviour on the deployed HAProxy version.
log-format '{"timestamp":"%T", "client_ip":"%ci", "backend_name":"%b", "server_name":"%s", "request":"%r", "status_code":%ST}'
The /metrics endpoint (if compiled with Prometheus support)
defaults
# Reuse the log target declared in the global section.
log global
# NOTE(review): "option httplog" and "option tcplog" both select a log format in
# the same section; confirm which one takes effect for each proxy mode in use.
option httplog
option tcplog
log stdout local0 debug in the global section
haproxy -c -f /etc/haproxy/haproxy.cfg
frontend http
# Per-source-IP request rate limiting.
# Table keyed by IP address: up to 1m entries, each expiring after 5m, storing a
# general-purpose counter (gpc0, not used by the rules shown here) and the HTTP
# request rate over a 10s window.
stick-table type ip size 1m expire 5m store gpc0,http_req_rate(10s)
# Track every request under the connection's source address.
# NOTE(review): behind a CDN or another proxy, "src" is that proxy's address, so
# all of its clients would share one counter; confirm what sits in front.
http-request track-sc0 src
# Deny once a source exceeds 10 requests in the 10s window.
http-request deny if { sc0_http_req_rate gt 10 }
stats hide-version
timeout client 30s
# Inactivity limit on the server side of a connection.
timeout server 30s
# Maximum idle wait for the next request on a kept-alive connection.
# NOTE(review): clients that send request headers very slowly are bounded by
# "timeout http-request", which does not appear in this snippet.
timeout http-keep-alive 10s
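# In frontend or backend
# "rspadd" was removed in HAProxy 2.1, so a configuration that uses it no longer
# loads on current releases. "http-response set-header" is the supported form; it
# also replaces a same-named header sent by the server instead of duplicating it.
# HSTS only takes effect on responses served over HTTPS, and "preload" is a
# long-lived commitment for the whole domain: enable it only once every
# subdomain serves HTTPS.
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
http-response set-header X-Content-Type-Options nosniff
http-response set-header X-Frame-Options DENY
# Legacy header: current browsers have dropped their XSS auditor, so rely on a
# Content-Security-Policy for XSS defence rather than on this line.
http-response set-header X-XSS-Protection "1; mode=block"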
# Cookie-based session persistence on top of random balancing.
backend servers
# random(2): draw two servers at random and use the less loaded of the two.
balance random(2)
# HAProxy inserts a SERVERID cookie naming the chosen server ("insert"), strips
# it before the request reaches the server ("indirect") and marks the response
# as not cacheable ("nocache") so a shared cache cannot hand the cookie to others.
# NOTE(review): no "httponly" or "secure" attribute is set on the cookie, and its
# value (s1/s2) tells the client which server it is pinned to; confirm both are acceptable.
cookie SERVERID insert indirect nocache
server server1 192.168.1.10:80 cookie s1 check
server server2 192.168.1.11:80 cookie s2 check
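# WebSocket proxying.
# The long idle allowance belongs on "timeout tunnel", which only applies after a
# connection has been upgraded. Setting the client and keep-alive timeouts to
# 86400000 ms (24 h) instead lets every idle or stalled HTTP client on this
# frontend hold a connection slot for a day, which makes connection exhaustion easy.
# NOTE(review): this listener is plaintext (port 80, no "ssl" on the bind line),
# so WebSocket traffic is unencrypted up to HAProxy; confirm that is intended.
frontend ws
bind *:80
mode http
option http-server-close
# Ordinary limits for the HTTP handshake phase.
timeout client 60s
timeout http-keep-alive 10s
backend ws-backend
mode http
timeout server 60s
# Idle limit for established WebSocket tunnels (24 h, in milliseconds); it
# supersedes the client and server timeouts once the upgrade has happened.
# "timeout tunnel" is set here because it is not accepted in a frontend section.
timeout tunnel 86400000
server ws-server1 192.168.1.20:8080 check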
# Path-based routing: requests are sent to a backend according to the URL path prefix.
frontend http
# path_beg is a plain prefix match, so /api also matches paths such as /apifoo.
acl is_api path_beg /api
acl is_static path_beg /static /images /css /js
# use_backend rules are evaluated in order and the first match wins.
# NOTE(review): these ACLs select a backend; they are not an access-control
# boundary. A differently encoded or non-normalised path may fall through to
# app_backend, so each backend should enforce its own authorisation.
use_backend api_backend if is_api
use_backend static_backend if is_static
default_backend app_backend
Use the graceful reload feature:
sudo systemctl reload haproxy
# Or using the binary directly:
# -sf passes the PIDs of the running processes to the new one, which asks them to
# finish their in-flight connections and exit.
# $(pidof haproxy) must stay unquoted so that each PID is passed as a separate argument.
# Validate the file first (haproxy -c -f /etc/haproxy/haproxy.cfg) so that a
# broken configuration is caught before the reload is attempted.
sudo haproxy -f /etc/haproxy/haproxy.cfg -sf $(pidof haproxy)
# Per-source-IP request rate limiting on the HTTP frontend.
frontend http
# Table keyed by IP address: up to 1m entries, each expiring after 5m, storing a
# general-purpose counter (gpc0, not used by the rules shown here) and the HTTP
# request rate over a 10s window.
stick-table type ip size 1m expire 5m store gpc0,http_req_rate(10s)
# Track every request under the connection's source address.
# NOTE(review): behind a CDN or another proxy, "src" is that proxy's address, so
# all of its clients would share one counter; confirm what sits in front.
http-request track-sc0 src
# Deny once a source exceeds 10 requests in the 10s window.
http-request deny if { sc0_http_req_rate gt 10 }