HAProxy Load Balancing Configuration
Configure HAProxy for production load balancing with health checks, SSL termination, rate limiting, and sticky sessions.
HAProxy Overview
HAProxy (High Availability Proxy) is the industry-standard open-source load balancer. It handles millions of connections per second at companies like GitHub, Reddit, and Stack Overflow. HAProxy operates at both Layer 4 (TCP) and Layer 7 (HTTP).
Configuration Structure
HAProxy configuration has four main sections:
    global     # Process-level settings (logging, security)
    defaults   # Default values for frontends and backends
    frontend   # Listening sockets (what clients connect to)
    backend    # Server pools (where traffic is sent)
Basic HTTP Load Balancer
    global
        log /dev/log local0
        maxconn 50000
        user haproxy
        group haproxy
        daemon

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5s
        timeout client 30s
        timeout server 30s
        retries 3

    frontend http_front
        bind *:80
        default_backend web_servers

    backend web_servers
        balance roundrobin
        option httpchk GET /health/
        http-check expect status 200
        server web1 10.0.0.1:8000 check inter 5s fall 3 rise 2
        server web2 10.0.0.2:8000 check inter 5s fall 3 rise 2
        server web3 10.0.0.3:8000 check inter 5s fall 3 rise 2 backup
Health Checks
HAProxy continuously monitors backend server health:
    # Basic TCP check (can the server accept connections?)
    server web1 10.0.0.1:8000 check

    # HTTP check (does the health endpoint return 200?)
    option httpchk GET /health/
    http-check expect status 200

    # Check parameters
    check      # Enable health checking
    inter 5s   # Check interval (every 5 seconds)
    fall 3     # Mark down after 3 failures
    rise 2     # Mark up after 2 successes
When a server fails health checks, HAProxy stops sending traffic to it. When it recovers, traffic resumes automatically. The backup flag designates standby servers that only receive traffic when all primary servers are down.
SSL Termination
    frontend https_front
        bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
        bind *:80
        redirect scheme https code 301 if !{ ssl_fc }

        # Set headers for backend
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Real-IP %[src]

        default_backend web_servers
The .pem file must contain both the certificate and the private key, concatenated. HAProxy terminates SSL, so backend servers receive plain HTTP; traffic between HAProxy and the backends is unencrypted.
Sticky Sessions
When applications store session state locally, the same user must reach the same backend:
    backend web_servers
        balance roundrobin
        cookie SERVERID insert indirect nocache
        server web1 10.0.0.1:8000 check cookie s1
        server web2 10.0.0.2:8000 check cookie s2
HAProxy inserts a SERVERID cookie in the response. Subsequent requests from the same client are routed to the same server based on this cookie.
Rate Limiting
Protect backends from abuse:
    frontend http_front
        bind *:80

        # Track request rates per source IP
        stick-table type ip size 100k expire 30s store http_req_rate(10s)
        http-request track-sc0 src

        # Deny if more than 100 requests in 10 seconds
        http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

        default_backend web_servers
Stats Dashboard
HAProxy includes a built-in monitoring dashboard:
    listen stats
        bind *:8404
        stats enable
        stats uri /stats
        stats refresh 10s
        stats admin if LOCALHOST
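Access http://your-server:8404/stats to see real-time server health, connection counts, and request rates. As configured, the listener binds to all interfaces and the page itself has no authentication; only the admin actions are limited to LOCALHOST.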
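A small audit check for the stats listener above, written in Python as an added example (not code from the original page or from the HAProxy project): it flags any section that enables the stats page on a wildcard bind without a `stats auth` line. The function names, the hardened variant and its placeholder credentials are assumptions, and settings inherited from `defaults` are not modelled.

```python
import re
import sys
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Binds that listen on every interface: *:8404, :8404, 0.0.0.0:8404, [::]:8404, :::8404
WILDCARD = re.compile(r"^(\*|0\.0\.0\.0|\[::\]|::)?:\d+$")

def parse_sections(text):
    """Split a config into (kind, name, directives); a directive is a list of words."""
    sections = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # naive comment strip (no quoted '#')
        if not words:
            continue
        if words[0] in SECTIONS:
            sections.append((words[0], " ".join(words[1:2]), []))
        elif sections:
            sections[-1][2].append(words)
    return sections

def audit_stats(text):
    """Return (section, bind) pairs exposing the stats page on all interfaces without auth."""
    findings = []
    for kind, name, directives in parse_sections(text):
        stats = {d[1] for d in directives if d[0] == "stats" and len(d) > 1}
        if "enable" not in stats or "auth" in stats:
            continue  # no stats page in this section, or it asks for credentials
        for d in directives:
            if d[0] == "bind" and len(d) > 1 and WILDCARD.match(d[1]):
                findings.append((f"{kind} {name}".strip(), d[1]))
    return findings

# The page's stats listener, reproduced as sample input.
PAGE_STATS = """listen stats
    bind *:8404
    stats enable
    stats uri /stats
    stats admin if LOCALHOST
"""
# Constructed variant (assumption): loopback bind plus placeholder credentials.
HARDENED_STATS = """listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats
    stats auth admin:CHANGE_ME
"""
if __name__ == "__main__":
    configs = [open(p).read() for p in sys.argv[1:]] or [PAGE_STATS, HARDENED_STATS]
    for cfg in configs:
        print(audit_stats(cfg) or "no open stats page found")
```

Run it with one or more config paths as arguments to audit real files; with no arguments it checks the two embedded samples.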