HAProxy (High Availability Proxy) is a very fast and reliable open-source reverse proxy and load balancer.

Infrastructure Setup with HAProxy used as a Reverse Proxy

Over the years, it has become a state-of-the-art open-source product and is often deployed by default on popular cloud platforms.

Basic Setup with Health Endpoint and Statistic Page

For a first test, you can use the following HAProxy configuration file, which defines a frontend bound to port 80 and provides a health check endpoint as well as a statistic page.

defaults
  maxconn 256
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms
  mode http

  # Statistics page, protected with HTTP basic auth
  stats enable
  stats hide-version
  stats refresh 30s
  # test credentials only; they are sent unencrypted over plain HTTP on port 80
  stats auth proxyUser:test1234
  stats uri /haproxy?stats

  # SETUP HEALTH Check Endpoint
  monitor-uri /health

frontend redirect_http-in
  # a frontend can bind multiple ports
  bind *:80
  # Set the proxy mode to http (layer 7) or tcp (layer 4)
  mode http

As a starting point, you can run HAProxy using the official Docker image with the configuration file mounted and port 80 exposed.

docker run --name haproxy -p 80:80 -v /path/to/config/folder:/usr/local/etc/haproxy haproxy

Congrats! HAProxy is up and running.
To verify the basic setup, you can visit the /health endpoint as well as the /haproxy?stats page.

Statistic Page of HAProxy

Common Configuration Commands

The main focus of this post is on some very common HAProxy configuration commands.

Frontend Configuration

The frontend part of the HAProxy configuration file usually includes some actions executed on received requests based on some conditions defined using Access Control Lists.

frontend redirect_http-in
  # bind port 80
  bind *:80
  # Set the proxy mode to http 
  mode http
  # acl
  # actions

Access Control List (ACL)

An ACL lets you test various conditions and perform actions based on those conditions. Different ACLs can also be combined using logic operators (AND, OR, NOT).
An ACL can be defined inline or as a named ACL that can be reused for different actions.
As an example of a named ACL, the following ACL named TEST_ACL evaluates to true for all requests whose path starts with /test.

acl TEST_ACL path_beg /test

Execute Actions on Requests

This section provides some basic configurations to modify requests that fulfill a defined ACL.

Redirect Requests

This config snippet provides examples of modifying or redirecting request URLs that fulfill some defined ACLs.

acl url_path_rewrite path_beg /rewrite
http-request redirect location %[url,regsub(^/rewrite,/static,)] if url_path_rewrite

acl url_path_replace path_beg /replace
http-request replace-path /replace /static200 if url_path_replace

acl uri_replace path_beg /redirect
# replace <target-url> with the redirect destination
http-request redirect location <target-url> if uri_replace

Set Query Param

acl query_test path_beg /query
http-request set-query tenant=1 if query_test
http-request replace-path /query /static-backend if query_test

Block Requests

To block requests, HAProxy provides the http-request deny command.
In combination with an ACL, it can be used to block specific requests.

# X-Forwarded-For is set by the client unless a trusted upstream proxy overwrites it
acl bad_ip hdr_ip(X-Forwarded-For) 89.XXX.XXX.XX
http-request deny if bad_ip

# block every User-Agent containing "bot" (case-insensitive)
acl blockedagent hdr_sub(user-agent) -m reg -i ^(.*bot.*)
http-request deny if blockedagent
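
As an added example (not part of the original post), the frontend below combines named and inline ACLs with the logic operators from the ACL section and http-request deny. It assumes the defaults section from the basic setup; all addresses are placeholder documentation ranges.

```haproxy
# Added example. Assumptions: 10.0.0.0/8 is the admin network, 198.51.100.10
# is a trusted proxy in front of HAProxy, 203.0.113.0/24 is a blocked range.
frontend redirect_http-in
  bind *:80
  mode http

  # Named ACLs, reusable in several rules
  acl is_stats       path /haproxy
  acl admin_net      src 10.0.0.0/8
  acl trusted_proxy  src 198.51.100.10
  acl bad_src        src 203.0.113.0/24
  # Last X-Forwarded-For entry = the value appended by the nearest proxy
  acl bad_xff        hdr_ip(X-Forwarded-For,-1) 203.0.113.0/24
  acl bot_agent      hdr_sub(user-agent) -i bot

  # AND + NOT: ACLs listed side by side are an implicit AND, "!" negates.
  # The statistics page stays reachable from the admin network only;
  # "stats auth" still applies to requests that pass this rule.
  http-request deny if is_stats !admin_net

  # src is the TCP peer address and cannot be set through a request header.
  http-request deny if bad_src

  # X-Forwarded-For is client-supplied text unless a trusted proxy wrote it,
  # so evaluate it only on connections that come from that proxy.
  http-request deny if trusted_proxy bad_xff

  # OR: "||" (or the keyword "or") joins alternatives. The ACL in braces is
  # inline (anonymous) and used by this rule only: no User-Agent header.
  http-request deny if bot_agent || { req.hdr_cnt(user-agent) eq 0 }

  # monitor-uri /health is answered before http-request rules run, so the
  # deny rules above do not affect the health check.
```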

Forward Request to Backend

acl static_backend path_beg /static-backend
use_backend static_backend if static_backend

Backend Configuration

The backend part of the HAProxy configuration defines the backend applications, files, or websites to which incoming requests are proxied or load-balanced using the use_backend configuration command.
Backend configurations are defined on the same level as the frontend configuration.

Serve Static File


backend static_backend
  http-request return status 200 content-type "text/html; charset=utf-8" lf-file /usr/local/etc/haproxy/test.http

Serve Backend Application


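backend web_server
   mode http
   # each server line needs an address: server <name> <host>:<port>
   server server1 <host1>:<port>
   server server2 <host2>:<port>
   server server3 <host3>:<port>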