# Debian/Ubuntu: install HAProxy from the distribution's own package archive.
# Packages from the stock archive are verified by apt against the keys already
# trusted on the system, so no extra key handling is needed for this path.
sudo apt update
sudo apt install haproxy
# Enable at boot and start right away. The service comes up with the packaged
# default configuration, so review that configuration before exposing the host.
sudo systemctl enable --now haproxy
# RHEL-family (dnf): install HAProxy from the repositories already enabled on the host.
sudo dnf install haproxy
# Enable at boot and start right away. The service comes up with the packaged
# default configuration, so review that configuration before exposing the host.
sudo systemctl enable --now haproxy
For the latest HAProxy versions, you can use the official repository:
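# Add the HAProxy APT repository key.
# -f makes curl exit non-zero on an HTTP error instead of piping an error page
# into gpg; -S keeps error messages visible while -s hides the progress meter.
# After the download, inspect the stored key and compare its fingerprint with
# the one published by the repository maintainer before trusting packages
# signed with it.
curl -fsS https://haproxy.debian.net/bernat.debian.org.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/haproxy.debian.net.gpg
# Add the repository.
# signed-by= ties this key to this one repository, so it cannot vouch for
# packages from any other source.
# NOTE(review): the suite below expands to "<codename>-backports-backports",
# which looks like a duplicated suffix. Check the exact URL and suite against
# the instructions published on haproxy.debian.net for your release and
# HAProxy branch before running "apt update".
echo "deb [signed-by=/usr/share/keyrings/haproxy.debian.net.gpg] https://haproxy.debian.net/debian-$(lsb_release -cs)-backports $(lsb_release -cs)-backports-backports main" | sudo tee /etc/apt/sources.list.d/haproxy.list
# Update and install
sudo apt update
sudo apt install haproxy
sudo systemctl enable --now haproxy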
For the latest HAProxy versions on RHEL-based systems:
# Register the HAProxy YUM/DNF repository definition.
# The quoted heredoc delimiter stops the shell from expanding $releasever and
# $basearch, so they reach the .repo file literally and are resolved by dnf.
# gpgcheck=1 makes dnf verify package signatures against the key at gpgkey=.
# That key is fetched from the same host as the packages, so the check is only
# as trustworthy as the first download of the key.
# NOTE(review): confirm that this repository host and signing key are the ones
# you intend to trust before enabling the repository.
sudo tee /etc/yum.repos.d/haproxy.repo <<'EOF'
[ha-all]
name=haproxy
baseurl=https://rpm.haproxy.org/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://rpm.haproxy.org/haproxy.gpg
EOF
# Install HAProxy, then enable it at boot and start it immediately.
sudo dnf install haproxy
sudo systemctl enable --now haproxy
# ufw (Debian/Ubuntu): allow inbound HTTP and HTTPS only.
# The stats listener on port 8404 is deliberately not opened here.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Shows whether ufw is active. While it reports "inactive" the rules above are
# stored but not enforced. Make sure remote-management access such as SSH is
# allowed before enabling the firewall on a remote host.
sudo ufw status
# firewalld (RHEL family): allow inbound HTTP and HTTPS only.
# No --zone is given, so the rules are added to the default zone. --permanent
# writes them to the saved configuration without touching the running rules.
# The stats listener on port 8404 is deliberately not opened here.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# Load the saved configuration so the new rules take effect.
sudo firewall-cmd --reload
Here is a HAProxy configuration with security best practices:
global
    # Send logs to the local syslog socket with facility local0.
    log /dev/log local0
    maxconn 4000
    # Run the worker as the unprivileged haproxy user and group.
    user haproxy
    group haproxy
    daemon
    # Runtime API socket. "level admin" permits every runtime command, so any
    # process that can open this socket controls the proxy. "mode 660" limits
    # access to the socket's owner and group; keep that group small.
    stats socket /var/run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    # Modern SSL settings
    # TLS 1.2 cipher list: ECDHE key exchange with AES-GCM only.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 cipher suites.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Refuse anything older than TLS 1.2 and disable stateless session tickets.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # Performance tuning
    # The DH parameter size only matters for DHE ciphers; the list above is
    # ECDHE-only, so this setting is not exercised by it.
    tune.ssl.default-dh-param 2048
    # Larger buffers accept bigger headers but cost more memory per connection.
    tune.bufsize 32768
    tune.maxrewrite 1024
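defaults
    log global
    mode http
    option httplog
    # Do not log connections that carried no data (e.g. port probes).
    option dontlognull
    # Append X-Forwarded-For with the client address. Backends should trust
    # this header only on connections that arrive from the proxy.
    option forwardfor
    option http-server-close
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout tunnel 3600s # For WebSocket connections
    timeout http-keep-alive 10s
    # Limit how long a client may take to send the complete request headers.
    # Without it the 60s client timeout applies to that phase, which lets slow
    # header senders hold connection slots for much longer. Tune the value to
    # your clients.
    timeout http-request 10s
    retries 3
    # Let a retried connection go to a different server than the failing one.
    option redispatch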
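# Stats page - RESTRICT ACCESS!
frontend stats
    # Listen on loopback only, so the page cannot be reached from the network
    # even when the host firewall is inactive. Reach it through an SSH tunnel.
    # If it has to be exposed, add TLS to the bind line and an allow-list on
    # the source address rather than binding to every interface.
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 30s
    # Admin actions are allowed only for loopback clients. LOCALHOST is
    # HAProxy's predefined ACL for the loopback source range.
    stats admin if LOCALHOST
    # Replace with secure credentials
    # This is HTTP basic auth on a listener without TLS, and the password is
    # stored in clear text in this file. Keep the configuration file readable
    # by root only and never deploy the placeholder value.
    stats auth admin:change_this_password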
# Main HTTP frontend
frontend http_front
    bind *:80
    mode http
    # Redirect to HTTPS
    # This listener has no "ssl" on its bind line, so the condition is true
    # for every request and nothing is served over plain HTTP. 301 is cached
    # by browsers as a permanent redirect.
    http-request redirect scheme https code 301 if !{ ssl_fc }
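# HTTPS frontend with SSL termination
frontend https_front
    # TLS ends here. The PEM file named by "crt" holds the private key along
    # with the certificate, so keep it readable by root only.
    bind *:443 ssl crt /etc/ssl/private/cert.pem alpn h2,http/1.1
    mode http
    option httpclose
    # Security headers
    # "rspadd" was removed in HAProxy 2.1 and is rejected by current versions;
    # "http-response set-header" is the replacement. Unlike rspadd it overwrites
    # a header of the same name sent by the backend, so clients always receive
    # exactly one value.
    # HSTS: "preload" together with a one-year max-age is a long-lived
    # commitment for the domain and every subdomain. Confirm that all of them
    # serve HTTPS before keeping these attributes.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options DENY
    # Legacy header: current browsers no longer ship the XSS filter it controls.
    # A Content-Security-Policy is the effective control against XSS.
    http-response set-header X-XSS-Protection "1; mode=block"
    # ACLs for path-based routing
    # path_beg is a plain prefix match: "/api" also matches "/api-docs" or
    # "/apiv2". Use a trailing slash or an exact-match ACL if that is not wanted.
    acl path_api path_beg /api
    acl path_static path_beg /static /images /css /js
    use_backend api_servers if path_api
    use_backend static_servers if path_static
    default_backend app_servers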
# Application servers backend
# Traffic from the proxy to these servers is plain HTTP, so TLS protection
# ends at the proxy. Keep this network segment trusted, or add TLS per server.
backend app_servers
    balance random(2) # Default algorithm in HAProxy 3.3+
    # HTTP health check: a server counts as up only while GET /health succeeds.
    option httpchk GET /health
    server app1 10.0.0.10:8080 check
    server app2 10.0.0.11:8080 check
    # "backup": receives traffic only when the non-backup servers are down.
    server app3 10.0.0.12:8080 check backup
# API servers backend
# Selected by the https_front rule "use_backend api_servers if path_api".
# Traffic from the proxy to these servers is plain HTTP.
backend api_servers
    balance random(2)
    # HTTP health check: a server counts as up only while GET /api/health succeeds.
    option httpchk GET /api/health
    server api1 10.0.0.20:8080 check
    server api2 10.0.0.21:8080 check
# Static content backend
# Selected by the https_front rule "use_backend static_servers if path_static".
backend static_servers
    balance roundrobin
    # No "option httpchk" in this backend, so "check" only verifies that a TCP
    # connection can be opened. A server that accepts connections but returns
    # errors still counts as healthy.
    server static1 10.0.0.30:80 check
    server static2 10.0.0.31:80 check
random(2) algorithm (default in HAProxy 3.3+) for better scalability

This configuration provides a production-ready setup with security best practices, SSL termination, and multiple backend routing options. Adjust server IPs and paths based on your specific environment, and replace the placeholder stats credentials before deploying.
See HAProxy Security for a focused security checklist.
See HAProxy Hardening.
Prefer automation? See HAProxy Ansible Setup for an example playbook.
Prefer containers? See HAProxy Docker Setup.