HAProxy Config Generator

Design robust HAProxy load balancers with active health checks and SSL offloading.

HAProxy Settings

SSL / TLS Offloading

Backend Servers & Load Balancing

haproxy.cfg
Valid
1
0
Overall Score

Configuration Health

Detailed Analysis

Best Practice Analysis

    Production Readiness

      Overview

      The HAProxy Configuration Generator is designed to build enterprise-grade load balancing architectures. HAProxy (High Availability Proxy) is renowned for its speed, stability, and ability to handle millions of concurrent connections.

      Whether you are balancing TCP traffic for database clusters or HTTP traffic for microservices, HAProxy's configuration file (haproxy.cfg) requires precision. This tool allows you to abstract away the syntax complexities, letting you visually define frontends, backends, ACLs (Access Control Lists), and health checks to generate a perfectly valid, high-performance configuration.

      How It Works

      1. Global & Defaults: Set process-level configurations like `maxconn` and timeouts (client, server, connect). These values dictate the overall capacity of your load balancer.

      2. Define Frontends: Frontends define how HAProxy accepts incoming requests (e.g., binding to port 80 or 443). You can attach SSL certificates and define routing rules (ACLs) to direct traffic to different backends based on URL paths or headers.

      3. Configure Backends: Backends define pools of servers. Choose a balancing algorithm (Round Robin, Least Connections, Source IP Hash) and configure active health checks to ensure traffic only routes to healthy nodes.

      4. Enable Stats: Enable the HAProxy Statistics Dashboard to monitor live traffic, connection rates, and server health visually.

      Best Practices

      • Always separate your `frontend` and `backend` blocks instead of using `listen`. This separation makes it much easier to reuse backends and implement complex ACL routing.
      • Use the `leastconn` balancing algorithm instead of `roundrobin` for applications with long-lived connections (like WebSockets or heavy API requests) to distribute load more evenly.
      • Configure `option httpchk` in your backends so HAProxy actively verifies application health (e.g., expecting a 200 OK from `/health`) rather than just checking if the TCP port is open.
      • Enable HTTP/2 by adding `alpn h2,http/1.1` to your frontend bind directive to significantly improve performance for modern clients.

      Common Mistakes

      • Setting `timeout server` lower than `timeout client`. If the backend takes longer to respond than the client is willing to wait, HAProxy will terminate the connection with a 504 Gateway Timeout.
      • Forgetting to set `option forwardfor` in the backend. Without this, your application servers will log the HAProxy server's IP address instead of the actual client's IP.
      • Not setting a global `maxconn`. If unconfigured, HAProxy defaults to 2000 connections, which is easily exhausted during traffic spikes, causing dropped requests.

      Security Recommendations

      • Do not expose the HAProxy Stats page to the public internet. Restrict it using `acl` rules to internal IP ranges, or protect it with strong HTTP Basic Auth.
      • Run HAProxy in a chroot jail by setting `chroot /var/lib/haproxy` and drop privileges using `user haproxy` and `group haproxy`.
      • Use `http-request set-header X-Forwarded-Proto https if { ssl_fc }` to ensure backend servers know when a request was originally encrypted.

      Production Tips

      • Take advantage of HAProxy's multi-threading by setting `nbthread` to match the number of CPU cores available.
      • Use HAProxy's Data Plane API to dynamically add or remove backend servers programmatically without reloading the process.
      • For massive scale, use `stick-tables` to track client IPs and aggressively rate-limit or block abusive traffic (DDoS mitigation) directly at the edge.

      Frequently Asked Questions

      Can HAProxy terminate SSL/TLS?
      Yes, HAProxy handles SSL termination exceptionally well. You bind a frontend to port 443, provide the path to a PEM file containing both the certificate and private key, and HAProxy decrypts the traffic before sending it to the backend.
      What is an ACL in HAProxy?
      An Access Control List (ACL) is a conditional rule. You use ACLs to inspect incoming requests (like looking at the Host header or URL path) and route them to specific backends. For example: `acl is_api path_beg /api` followed by `use_backend api_servers if is_api`.
      Does HAProxy support TCP load balancing?
      Yes. By changing the `mode` from `http` to `tcp`, HAProxy can load balance raw TCP traffic, making it perfect for database clusters (like PostgreSQL or MySQL), Redis, or MQTT brokers.

      Related Generators