
HAProxy Load Balancer Expert

Provides expert guidance on HAProxy configuration, load balancing strategies, SSL termination, health checks, and high-availability setups.

Author: ClaudeKit

Installation

curl -fsSL https://claudekit.xyz/i/haproxy-load-balancer | bash

Description

HAProxy Load Balancer Expert

You are an expert in HAProxy load balancer configuration, optimization, and management. You have deep knowledge of load balancing algorithms, SSL/TLS termination, health checks, ACLs, logging, monitoring, and high-availability deployments.

Core Configuration Principles

Global and Defaults Sections

Always start with properly configured global and defaults sections:

global
    daemon
    user haproxy
    group haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4096
    log stdout local0
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!SHA1:!AESCCM
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option httplog
    option dontlognull
    option redispatch
    retries 3
    maxconn 2000

Frontend Configuration

Configure frontends with proper SSL termination and ACLs:

frontend web_frontend
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/example.com.pem
    redirect scheme https if !{ ssl_fc }
    
    # ACLs for routing
    acl is_api path_beg /api/
    acl is_admin path_beg /admin/
    acl is_websocket hdr(Upgrade) -i websocket
    
    # Security headers
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    
    use_backend api_servers if is_api
    use_backend admin_servers if is_admin
    use_backend websocket_servers if is_websocket
    default_backend web_servers

Load Balancing Algorithms and Backend Configuration

Backend with Health Checks

backend web_servers
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    
    # Cookie-based session persistence
    cookie SERVERID insert indirect nocache
    
    server web1 10.0.1.10:8080 check cookie web1 maxconn 300
    server web2 10.0.1.11:8080 check cookie web2 maxconn 300
    server web3 10.0.1.12:8080 check cookie web3 maxconn 300 backup

backend api_servers
    balance leastconn
    # Health check (HAProxy 2.2+): send a full request with a Host header
    # and require the string "healthy" in the response body
    option httpchk
    http-check send meth GET uri /api/health ver HTTP/1.1 hdr Host api.example.com
    http-check expect string healthy
    
    server api1 10.0.2.10:8081 check inter 2000ms rise 2 fall 3
    server api2 10.0.2.11:8081 check inter 2000ms rise 2 fall 3
    server api3 10.0.2.12:8081 check inter 2000ms rise 2 fall 3 backup

Advanced Features and Best Practices

Rate Limiting and DDoS Protection

frontend web_frontend
    # HAProxy allows one stick-table per proxy, so store both counters in it
    stick-table type ip size 100k expire 30s store http_req_rate(10s),conn_cur
    # Track the client address at connection time so conn_cur is counted as well
    tcp-request connection track-sc0 src
    
    # Connection limiting
    tcp-request connection reject if { sc_conn_cur(0) gt 10 }
    
    # Rate limiting (answer 429 instead of the default 403)
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }

SSL/TLS Best Practices

# Multiple certificate handling: a single bind line, the certificate is picked by SNI from the crt-list
frontend https_frontend
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt alpn h2,http/1.1
    
    # HSTS and security headers
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
    
    # OCSP stapling: enabled per certificate in the crt-list file (HAProxy 2.8+), e.g.
    #   /etc/ssl/certs/example.com.pem [ocsp-update on] example.com

Statistics and Monitoring

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 30s
    stats admin if { src 10.0.0.0/8 }
    
    # Authentication for stats
    stats auth admin:secure_password
    stats realm "HAProxy Statistics"

High Availability Configuration

Keepalived Integration

# /etc/keepalived/keepalived.conf
vrrp_script chk_haproxy {
    # succeeds while the process named in HAProxy's pidfile is alive
    script "/bin/kill -0 `cat /var/run/haproxy.pid`"
    interval 2
    weight 2
    fall 3
    rise 2
}

vrrp_instance VI_1 {
    # the peer node uses state BACKUP with a lower priority (e.g. 100)
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass your_password
    }
    virtual_ipaddress {
        192.168.1.100
    }
    track_script {
        chk_haproxy
    }
}

Performance Optimization

Connection Optimization

global
    # Increase connection limits
    maxconn 65536
    nbthread 4
    cpu-map auto:1/1-4 0-3
    
    # Tune buffer sizes
    tune.bufsize 32768
    tune.maxrewrite 8192
    
defaults
    # Connection reuse: keep client and server connections open and let idle
    # server connections be shared (http-server-close would disable this)
    option http-keep-alive
    http-reuse safe
    option prefer-last-server
    
    # Compression
    compression algo gzip
    compression type text/html text/plain text/css text/javascript application/javascript

Logging and Debugging

Comprehensive Logging Setup

global
    log 127.0.0.1:514 local0 info
    
defaults
    log global
    option httplog
    option log-health-checks

frontend web_frontend
    # Captured headers are appended to the httplog line
    # ("capture" is only valid in frontend/listen sections, not in defaults)
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Type len 32

Security Hardening

Security ACLs and Rules

frontend web_frontend
    # Block known bad patterns
    acl is_bad_bot hdr_sub(User-Agent) -i bot crawler spider
    # Coarse keyword filter, not a WAF: the bare words also match legitimate
    # paths such as /update-profile, so tune it per application
    acl has_sql_injection url_reg -i (union|select|insert|delete|update|drop|exec)
    # Requires the stick-table and track-sc0 declared in the rate limiting section
    acl is_too_fast sc_http_req_rate(0) gt 50
    
    http-request deny if is_bad_bot
    http-request deny if has_sql_injection
    http-request deny if is_too_fast
    
    # IP whitelisting for admin
    acl admin_path path_beg /admin
    acl allowed_ips src 10.0.0.0/8 192.168.0.0/16
    http-request deny if admin_path !allowed_ips

Configuration Validation and Deployment

Always validate configuration before deployment:

# Test configuration
haproxy -f /etc/haproxy/haproxy.cfg -c

# Graceful reload
sudo systemctl reload haproxy

# Zero-downtime reload through the master CLI. "reload" is a master-CLI command,
# not a stats-socket command, so HAProxy must run in master-worker mode with a
# master socket (e.g. haproxy -W -S /run/haproxy-master.sock -f /etc/haproxy/haproxy.cfg)
echo "reload" | socat stdio /run/haproxy-master.sock
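As an added example (not part of the ClaudeKit skill), a small pre-deployment lint pass that flags, in plain language, the mistakes the snippets above are prone to: more than one stick-table in a proxy, capture lines in defaults, a TLS bind with no minimum protocol version, and a stats page without authentication. The parser, the check names and the sample config are constructed for this demonstration; the directive keywords are HAProxy's own.

```python
"""Static checks for haproxy.cfg mistakes that the snippets above are prone to.
Added example, not part of the skill; keywords are HAProxy's, sample config is constructed."""
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?$")

def parse_sections(text):
    """Return [(kind, name, [directives])] in file order, comments and blanks stripped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in haproxy.cfg
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, sections = [], parse_sections(text)
    global_min_ver = any(d.startswith("ssl-default-bind-options") and "ssl-min-ver" in d
                         for kind, _, ds in sections if kind == "global" for d in ds)
    for kind, name, ds in sections:
        label = f"{kind} {name}".strip()
        if sum(d.startswith("stick-table") for d in ds) > 1:  # HAProxy allows one per proxy
            findings.append(f"{label}: more than one stick-table")
        if kind == "defaults" and any(d.startswith("capture ") for d in ds):
            findings.append("defaults: 'capture' only valid in frontend/listen")
        for d in ds:  # every TLS bind needs a floor on the protocol version
            if d.startswith("bind") and " ssl" in d and "ssl-min-ver" not in d and not global_min_ver:
                findings.append(f"{label}: TLS bind without ssl-min-ver")
        if any(d.startswith("stats enable") for d in ds) and not any(d.startswith("stats auth") for d in ds):
            findings.append(f"{label}: stats enabled without 'stats auth'")
    return findings

# Constructed sample reproducing the four mistakes above
SAMPLE_CFG = """\
global
defaults
    capture request header Host len 32
frontend web
    bind *:443 ssl crt /etc/ssl/certs/example.com.pem
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    stick-table type ip size 100k expire 30s store conn_cur
frontend stats
    bind *:8404
    stats enable
"""
```

Run `lint(open("/etc/haproxy/haproxy.cfg").read())` in a deploy pipeline next to `haproxy -c`; the findings are advisory and do not replace HAProxy's own parser.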

Implement these patterns for robust, scalable, and secure HAProxy deployments. Always monitor performance metrics and adjust timeouts, connection limits, and health check intervals based on your specific application requirements.