
Advanced HAProxy Load Balancing & Performance Guide

Comprehensive HAProxy deep dive: dynamic load-balancing algorithms, SSL offloading, health-check tuning, observability metrics, and performance optimizations for high availability.

Table of Contents

  1. Introduction
  2. Installation
  3. Basic Configuration
  4. Load Balancing
  5. SSL/TLS Termination
  6. High Availability Setup
  7. Security Hardening
  8. Monitoring and Logging
  9. Performance Tuning
  10. Troubleshooting

Introduction

HAProxy (High Availability Proxy) is a free, open-source load balancer and proxy server for TCP and HTTP-based applications. Known for its reliability, high performance, and low resource consumption, HAProxy efficiently distributes workloads across multiple servers to optimize resource utilization, maximize throughput, minimize response time, and ensure fault tolerance.

Installation

Debian/Ubuntu

sudo apt-get update
sudo apt-get install haproxy

CentOS/RHEL

sudo yum install haproxy

Docker

docker pull haproxy:latest
docker run -d --name my-haproxy -p 80:80 -p 443:443 -v /path/to/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro haproxy:latest

Compilation from Source

# Install dependencies
sudo apt-get install build-essential libpcre3-dev zlib1g-dev libssl-dev

# Download and extract HAProxy (check for latest version)
wget http://www.haproxy.org/download/2.6/src/haproxy-2.6.9.tar.gz
tar xzvf haproxy-2.6.9.tar.gz
cd haproxy-2.6.9

# Compile with common options
make TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_SYSTEMD=1

# Install
sudo make install

Basic Configuration

HAProxy’s configuration file is typically located at /etc/haproxy/haproxy.cfg and consists of four main sections:

Global Section

Sets process-wide parameters:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    
    # TLS settings
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

Defaults Section

Sets default parameters for frontend and backend sections:

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

Frontend Section

Defines where HAProxy listens for incoming requests and which backend they are routed to:

frontend http_front
    bind *:80
    mode http
    default_backend web_servers

Backend Section

Defines the servers to which the proxy will forward requests:

backend web_servers
    mode http
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check

Load Balancing

HAProxy supports various load balancing algorithms:

  • roundrobin: Each server is used in turns
  • leastconn: Selects the server with the least number of connections
  • source: Uses the client’s IP for persistence
  • uri: Hashes the left part of the URI to select a server
  • url_param: Uses a URL parameter for persistence
  • hdr(name): Hashes the specified header for server selection

Example configuration:

backend web_backend
    balance roundrobin
    cookie SERVERID insert indirect nocache
    option httpchk GET /health
    http-check expect status 200
    server web1 192.168.1.10:80 check cookie server1
    server web2 192.168.1.11:80 check cookie server2
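The algorithms listed above behave quite differently when a server leaves the pool, which is the situation a health check creates. The following is an added example, not HAProxy code: it re-implements roundrobin, leastconn and source hashing in plain Python so the behaviour can be compared offline. The server names, the client addresses and the hash function (SHA-256 standing in for HAProxy's internal hash) are constructed for the demonstration; the map-based variant models HAProxy's default `hash-type map-based`, and the ring variant models `hash-type consistent`.

```python
"""Models of three HAProxy balancing algorithms (added example, not HAProxy code)."""
import bisect
import hashlib
from collections import Counter

SERVERS = ["web1", "web2", "web3"]          # constructed backend


def _h(key):
    """Deterministic 64-bit hash of a string (stand-in for HAProxy's hash)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def roundrobin(servers, n_requests):
    """Hand out n requests in turn; returns per-server request counts."""
    counts = Counter()
    for i in range(n_requests):
        counts[servers[i % len(servers)]] += 1
    return dict(counts)


def leastconn(servers, active):
    """Pick the server with the fewest active connections.

    Ties are broken by list order here; HAProxy round-robins between tied
    servers, which only matters when several share the minimum.
    """
    return min(servers, key=lambda s: (active.get(s, 0), servers.index(s)))


def source_map(servers, client_ip):
    """Map-based source hashing (HAProxy default): hash(ip) mod usable servers."""
    return servers[_h(client_ip) % len(servers)]


def build_ring(servers, replicas=128):
    """Consistent-hash ring: every server owns many points on a circle."""
    ring = sorted((_h(f"{s}#{i}"), s) for s in servers for i in range(replicas))
    return [k for k, _ in ring], [s for _, s in ring]


def source_consistent(ring, client_ip):
    """Consistent hashing: walk clockwise from hash(ip) to the next server point."""
    keys, owners = ring
    idx = bisect.bisect_right(keys, _h(client_ip)) % len(keys)
    return owners[idx]


def remap_after_removal(clients, removed="web3"):
    """Fraction of clients whose server changes when `removed` leaves the pool.

    Returns (map_based_fraction, consistent_fraction, share_that_was_on_removed).
    """
    remaining = [s for s in SERVERS if s != removed]
    ring_before, ring_after = build_ring(SERVERS), build_ring(remaining)
    moved_map = moved_ring = on_removed = 0
    for ip in clients:
        if source_map(SERVERS, ip) != source_map(remaining, ip):
            moved_map += 1
        before = source_consistent(ring_before, ip)
        if before == removed:
            on_removed += 1
        if before != source_consistent(ring_after, ip):
            moved_ring += 1
    n = len(clients)
    return moved_map / n, moved_ring / n, on_removed / n


# Constructed client population: 600 distinct private addresses.
CLIENTS = [f"10.{i // 256}.{i % 256}.{(i * 7) % 251}" for i in range(600)]

if __name__ == "__main__":
    print("roundrobin, 10 requests:", roundrobin(SERVERS, 10))
    print("leastconn with web1=5 web2=1 web3=3 active:",
          leastconn(SERVERS, {"web1": 5, "web2": 1, "web3": 3}))
    m, c, share = remap_after_removal(CLIENTS)
    print(f"web3 removed: map-based remaps {m:.0%} of clients, "
          f"consistent remaps {c:.0%} (exactly the {share:.0%} that were on web3)")
```

The last line of output is the practical point: with map-based hashing, losing one of three servers reshuffles roughly two thirds of all clients, not just the third that were on the failed server, so any session state held on the backends is lost for clients that were never affected by the outage. `hash-type consistent` limits the churn to the clients of the removed server, and cookie-based persistence as in the `cookie SERVERID insert` example above does not depend on hashing at all.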

SSL/TLS Termination

HAProxy can handle SSL/TLS termination to offload encryption from backend servers:

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/combined.pem
    mode http
    option httplog
    option forwardfor
    default_backend web_servers

Generate a combined certificate file:

cat your_cert.pem your_key.pem > combined.pem
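The `cat` step is simple but has two classic failure modes: a certificate file without a trailing newline glues the `END CERTIFICATE` marker to the `BEGIN PRIVATE KEY` marker, and the resulting file inherits the default umask even though it now holds the private key. The checker below is an added example, not HAProxy code; it uses only the standard library and checks PEM structure and file permissions, leaving cryptographic validity to `openssl`. The PEM blocks written by `demo()` are constructed placeholder text, not real certificates or keys.

```python
"""Pre-deployment checks for a combined HAProxy PEM (added example, not HAProxy code)."""
import os
import re
import stat
import tempfile

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def check_combined_pem(path):
    """Return a list of findings; an empty list means the file looks deployable."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"permissions {oct(mode)}: private key readable by group/other")
    with open(path) as f:
        text = f.read()
    kinds = [m.group(1) for m in BLOCK_RE.finditer(text)]
    certs = [k for k in kinds if k.endswith("CERTIFICATE")]
    keys = [k for k in kinds if k.endswith("PRIVATE KEY")]
    if not certs:
        findings.append("no CERTIFICATE block found")
    if len(keys) != 1:
        findings.append(f"expected exactly one PRIVATE KEY block, found {len(keys)}")
    if any("ENCRYPTED" in k for k in keys) or "Proc-Type: 4,ENCRYPTED" in text:
        findings.append("private key is encrypted; HAProxy cannot prompt for a passphrase")
    # The `cat a b > c` pitfall: a source file without a trailing newline
    # glues its END marker to the next BEGIN marker on one line.
    if re.search(r"-----END [A-Z ]+-----[^\r\n]", text):
        findings.append("END marker not followed by a newline (glued PEM blocks)")
    return findings


def _placeholder(kind, body_lines=3):
    """Constructed placeholder block; the body is filler, not key material."""
    body = "\n".join(["MIIBplaceholder" + "A" * 50] * body_lines)
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----"


def demo():
    """Write a good and a bad combined.pem into a temp dir and check both."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "good.pem")
    bad = os.path.join(tmp, "bad.pem")
    with open(good, "w") as f:                  # cert, newline, key, owner-only
        f.write(_placeholder("CERTIFICATE") + "\n" + _placeholder("PRIVATE KEY") + "\n")
    os.chmod(good, 0o600)
    with open(bad, "w") as f:                   # cert lacked its trailing newline
        f.write(_placeholder("CERTIFICATE") + _placeholder("PRIVATE KEY") + "\n")
    os.chmod(bad, 0o644)                        # world-readable private key
    return check_combined_pem(good), check_combined_pem(bad)


if __name__ == "__main__":
    good_findings, bad_findings = demo()
    print("good.pem:", good_findings or "ok")
    print("bad.pem:", bad_findings)
```

Run it against the real `combined.pem` with `check_combined_pem("/etc/haproxy/certs/combined.pem")` before reloading HAProxy; a `chmod 600` and a newline between the two source files fix the two findings the bad sample produces.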

High Availability Setup

For redundancy, deploy HAProxy in an active-passive configuration using Keepalived:

  1. Install Keepalived:

    sudo apt-get install keepalived

  2. Configure /etc/keepalived/keepalived.conf on the primary:

    vrrp_script chk_haproxy {
        script "killall -0 haproxy"
        interval 2
        weight 2
    }
       
    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 51
        priority 101
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass secret
        }
        virtual_ipaddress {
            192.168.1.100
        }
        track_script {
            chk_haproxy
        }
    }
    
  3. Configure the backup with the same settings but state BACKUP and lower priority.

Security Hardening

Access Control Lists (ACLs)

Use ACLs to implement security rules:

frontend http_front
    bind *:80
    mode http
    
    # Deny access to sensitive URLs
    acl restricted_page path_beg /admin
    http-request deny if restricted_page !{ src 192.168.1.0/24 }
    
    default_backend web_servers

Rate Limiting

Protect against abuse with rate limiting:

frontend http_front
    bind *:80
    mode http
    
    # Rate limiting
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    
    default_backend web_servers
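Before enabling a rule like `sc_http_req_rate(0) gt 100` in production, it is useful to replay existing `option httplog` output and see which sources it would have denied. The script below is an added example, not HAProxy code: it parses the client address and accept timestamp from httplog lines, keeps an exact 10-second sliding window per source, and counts the requests the rule would reject. The log lines are constructed. Two caveats apply: HAProxy's `http_req_rate` is an approximated frequency counter, so real counts can differ slightly at window edges, and `src` is the TCP peer, so behind a CDN or another proxy all traffic shares one address and the key would have to come from a forwarded header that only a trusted upstream sets.

```python
"""Replay httplog lines against the guide's rate-limit rule (added example, not HAProxy code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# httplog layout: client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Ta status bytes ...
LOG_RE = re.compile(
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ \S+ (?P<status>\d{3}) "
)
EPOCH = datetime(1970, 1, 1)


def make_line(ip, ts, status=200, path="/"):
    """Render one constructed httplog line in HAProxy's default field order."""
    accept = ts.strftime("%d/%b/%Y:%H:%M:%S.%f")[:-3]        # millisecond precision
    return (f"Feb  6 12:14:14 lb1 haproxy[14389]: {ip}:41000 [{accept}] "
            f"http_front web_servers/web1 1/0/2/5/8 {status} 512 - - ---- "
            f"1/1/1/1/0 0/0 \"GET {path} HTTP/1.1\"")


def synthetic_log():
    """Constructed traffic: one source bursts 150 requests in 5 s, another is quiet."""
    base = datetime(2024, 1, 15, 12, 0, 0)
    events = [(base + timedelta(milliseconds=33 * i), "203.0.113.7") for i in range(150)]
    events += [(base + timedelta(seconds=3 * i), "198.51.100.3") for i in range(20)]
    events.sort()
    return [make_line(ip, ts) for ts, ip in events]


def replay(lines, window=10.0, limit=100):
    """Apply 'deny if http_req_rate(10s) > 100' per source address.

    Returns (denied_count_per_ip, peak_window_count_per_ip).
    """
    recent = defaultdict(deque)
    denied = defaultdict(int)
    peak = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        t = (datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f") - EPOCH).total_seconds()
        q = recent[ip]
        while q and t - q[0] > window:   # forget requests older than the window
            q.popleft()
        q.append(t)                      # track-sc0 src counts this request too
        peak[ip] = max(peak[ip], len(q))
        if len(q) > limit:               # sc_http_req_rate(0) gt 100 -> 429
            denied[ip] += 1
    return dict(denied), dict(peak)


if __name__ == "__main__":
    denied, peak = replay(synthetic_log())
    for ip, n in sorted(peak.items()):
        print(f"{ip:15} peak {n:4} req/10s  denied {denied.get(ip, 0)}")
```

With a real log, `replay(open("/var/log/haproxy.log"))` works unchanged because the parser ignores lines that do not match the httplog layout; looking at the peak column first shows whether the 100-per-10s threshold separates abusive sources from busy legitimate ones such as a corporate NAT.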

Security Headers

Add security headers to responses:

frontend http_front
    bind *:80
    mode http
    
    # Security headers
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header Content-Security-Policy "default-src 'self'"
    
    default_backend web_servers

Monitoring and Logging

Enable the stats page for monitoring:

listen stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if LOCALHOST
    stats auth admin:password
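Both the global TLS settings in the Basic Configuration section and the stats listener above are places where a small configuration slip silently weakens the deployment: `ssl-default-bind-ciphersuites` only governs TLS 1.3, so with `ssl-min-ver TLSv1.2` the TLS 1.2 cipher list falls back to the OpenSSL default unless `ssl-default-bind-ciphers` is also set, and a stats page bound to `*:8404` with a guessable password is reachable from every interface. The lint below is an added example, not an HAProxy tool: it parses the top-level sections of a haproxy.cfg and reports those gaps. The keywords are HAProxy's; the rules, messages and `SAMPLE_CFG` (modelled on this guide's snippets) are constructed and not exhaustive.

```python
"""Security lint for haproxy.cfg sections (added example, not an HAProxy tool)."""
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?\s*$")
WEAK_PASSWORDS = {"", "password", "admin", "haproxy", "changeme"}   # constructed list


def parse_cfg(text):
    """Return [(kind, name, [directives])] in file order, comments stripped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line) if not raw[0].isspace() else None
        if m:
            sections.append((m.group(1), m.group(2) or "", []))
        elif sections:
            sections[-1][2].append(line.strip())
    return sections


def lint(text):
    """Return a list of human-readable findings for the given haproxy.cfg text."""
    findings = []
    sections = parse_cfg(text)
    glob = [d for kind, _, ds in sections if kind == "global" for d in ds]
    first = lambda d: d.split()[0]
    for kw in ("chroot", "user", "group"):
        if not any(first(d) == kw for d in glob):
            findings.append(f"global: missing '{kw}'")
    if not any(first(d) == "ssl-default-bind-options" and "ssl-min-ver" in d for d in glob):
        findings.append("global: no ssl-min-ver in ssl-default-bind-options")
    if any(first(d) == "ssl-default-bind-ciphersuites" for d in glob) and \
            not any(first(d) == "ssl-default-bind-ciphers" for d in glob):
        findings.append("global: ssl-default-bind-ciphersuites covers TLS 1.3 only; "
                        "add ssl-default-bind-ciphers for TLS 1.2")
    for kind, name, ds in sections:
        label = f"{kind} {name}".strip()
        is_stats = any(d.split()[:2] == ["stats", "enable"] for d in ds)
        for d in ds:
            if first(d) != "bind":
                continue
            addr = d.split()[1]
            if addr.endswith(":443") and " ssl" not in d:
                findings.append(f"{label}: {addr} bound without 'ssl'")
            if is_stats and addr.split(":")[0] in ("*", "", "0.0.0.0", "::"):
                findings.append(f"{label}: stats page exposed on all interfaces ({addr})")
        if is_stats:
            creds = [d.split(None, 2)[2] for d in ds if d.startswith("stats auth ")]
            if not creds:
                findings.append(f"{label}: stats page has no 'stats auth'")
            for cred in creds:
                if cred.split(":", 1)[-1] in WEAK_PASSWORDS:
                    findings.append(f"{label}: weak stats password for '{cred.split(':')[0]}'")
    return findings


# Constructed config modelled on the snippets in this guide.
SAMPLE_CFG = """\
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    timeout connect 5000

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/combined.pem
    default_backend web_servers

backend web_servers
    server web1 192.168.1.10:80 check

listen stats
    bind *:8404
    stats enable
    stats uri /stats
    stats auth admin:password
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print("-", finding)
```

Running `lint(open("/etc/haproxy/haproxy.cfg").read())` is a reasonable pre-commit step next to `haproxy -c`; the syntax check confirms HAProxy will start, this confirms the settings still mean what the reviewer intended.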

Configure logging:

global
    log /dev/log local0
    log /dev/log local1 notice

defaults
    log global
    option httplog

Performance Tuning

System Tuning

Optimize system limits in /etc/sysctl.conf:

# Maximum open file descriptors
fs.file-max = 200000

# TCP tuning
net.ipv4.tcp_max_syn_backlog = 4096
net.core.somaxconn = 4096

HAProxy Tuning

Optimize HAProxy settings:

global
    # Upper bound on concurrent connections accepted by the process
    maxconn 50000
    # nbproc was removed in HAProxy 2.5; scale with threads instead
    nbthread 8
    # Pin the 8 threads of process 1 to CPUs 0-7 (adjust to the host's core count)
    cpu-map auto:1/1-8 0-7
    # Minimum DH parameter size used for DHE key exchange
    tune.ssl.default-dh-param 2048

Troubleshooting

Common troubleshooting commands:

  • Check configuration validity:

    haproxy -c -f /etc/haproxy/haproxy.cfg

  • Graceful restart:

    systemctl reload haproxy

  • View logs:

    tail -f /var/log/haproxy.log

  • Debug with increased verbosity:

    haproxy -d -f /etc/haproxy/haproxy.cfg

This guide covers the essential aspects of installing, configuring, and securing HAProxy. For advanced features and detailed documentation, refer to the official HAProxy documentation.

This post is licensed under CC BY 4.0 by the author.