Introduction to Basic Load Balancing with HAProxy
Load balancing is an essential technique in modern network architectures to distribute incoming traffic across multiple servers, ensuring high availability, optimized resource utilization, and improved responsiveness.
HAProxy (High Availability Proxy) is an open‐source, high‐performance TCP/HTTP load balancer and proxy server. It is widely adopted in many high‐traffic environments due to its robustness, flexibility, and extensive feature set.
For more information, visit the official website of HAProxy.
Why Choose HAProxy
- Performance: Capable of handling hundreds of thousands of connections per second on modest hardware.
- Reliability: Proven stability in production deployments powering major websites and services.
- Flexibility: Supports both Layer 4 (TCP) and Layer 7 (HTTP) load balancing, SSL termination, content switching, and more.
- Extensibility: Rich configuration options, runtime API, and integration with monitoring tools like Datadog or Prometheus.
- Open Source: Actively maintained community edition with commercial support available through HAProxy Technologies.
Core Architecture and Components
HAProxy’s configuration is organized into several sections:
- global – Defines process‐wide settings (logging, maximum connections, user privileges).
- defaults – Sets defaults for the following proxies (timeouts, retries, log format).
- frontend – Specifies how incoming client connections are handled (bind address, protocol, ACLs).
- backend – Lists server pools and load balancing algorithms.
- listen – Combines frontend and backend in a single section (useful for simple setups).
Typical Data Flow
- Client sends request to HAProxy’s frontend IP and port.
- Frontend applies Access Control Lists (ACLs) and directs traffic.
- Request is forwarded to a selected backend server based on the algorithm.
- Backend performs health checks and maintains persistence if configured.
- Response from server is relayed back to the client.
Essential HAProxy Configuration
1. Global Section
global
    log /dev/log local0
    maxconn 20000
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
2. Defaults Section
defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    timeout connect 5s
    timeout client 50s
    timeout server 50s
3. Frontend and Backend
frontend http-in
    bind :80
    default_backend servers

backend servers
    balance roundrobin
    server web1 192.168.1.101:80 check
    server web2 192.168.1.102:80 check
Load Balancing Algorithms
HAProxy supports several algorithms. Below is a comparison:
| Algorithm | Description | Use Case |
|---|---|---|
| roundrobin | Distribute requests evenly in rotation. | General-purpose, stateless apps. |
| leastconn | Send to server with fewest connections. | Long-lived sessions, variable request time. |
| source | Hash client IP to select server. | Basic session persistence. |
| uri | Hash URI to select server. | Cache-prioritized load balancing. |
Health Checks and Monitoring
- HTTP Checks: Use `option httpchk` and `http-check expect` to validate page content or status codes.
- TCP Checks: Configure `check` on server lines for basic TCP connectivity testing.
- External Checks: Employ `external-check` for custom scripts.
Monitoring endpoints can be enabled via the stats directive, exposing a web interface:
listen stats
    bind :9000
    stats enable
    stats uri /haproxystats
    # Placeholder credentials: replace before deploying
    stats auth admin:password
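The health checks and stats endpoint described above, as an added configuration example that is not part of the original page. It assumes HAProxy 2.2 or later (for `http-check send`); the `/healthz` path, the `Host` value, the `ops` user and the password hash are placeholders.

```haproxy
# Added example. Paths, host names, user name and hash are placeholders.
backend servers
    balance roundrobin
    # Layer 7 check: a server stays in rotation only if the probe returns HTTP 200
    option httpchk
    http-check send meth GET uri /healthz ver HTTP/1.1 hdr Host app.example.internal
    http-check expect status 200
    # Probe every 2s; 3 failures mark a server down, 2 successes bring it back
    default-server inter 2s fall 3 rise 2
    server web1 192.168.1.101:80 check
    server web2 192.168.1.102:80 check

# Weak form shown on this page: every interface, cleartext shared password
#   bind :9000
#   stats auth admin:password

userlist stats-users
    # Hashed password in crypt(3) format instead of cleartext in the config file
    user ops password <CRYPT-HASH-PLACEHOLDER>

listen stats
    # Loopback only; reach it through an SSH tunnel or a management network
    bind 127.0.0.1:9000
    mode http
    stats enable
    stats uri /haproxystats
    # Do not disclose the HAProxy version on the stats page
    stats hide-version
    acl stats_authenticated http_auth(stats-users)
    stats http-request auth realm HAProxyStats unless stats_authenticated
```

Validate the file with `haproxy -c -f <path>` before reloading.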
SSL Termination and HTTPS
HAProxy can handle SSL offloading to reduce CPU load on backend servers. Example:
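frontend https-in
    # Cleartext listener, needed so the redirect below has HTTP traffic to act on
    bind :80
    bind :443 ssl crt /etc/ssl/private/site.pem
    mode http
    # Redirect any request that did not arrive over TLS
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend secure-servers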
Session Persistence (Sticky Sessions)
To ensure that a client’s requests always reach the same server:
- Cookie-based: `cookie SERVERID insert indirect` on backend.
- Source IP: `balance source`.
- Stick Tables: Advanced tracking via `stick-table` and `stick on`.
Example: Comprehensive Configuration
global
    log /dev/log local0
    maxconn 30000
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend http-frontend
    bind :80
    acl is_static path_end .jpg .png .css .js
    use_backend static-backend if is_static
    default_backend app-backend

backend static-backend
    balance roundrobin
    server static1 10.0.0.11:80 check
    server static2 10.0.0.12:80 check

backend app-backend
    balance leastconn
    cookie SERVERID insert indirect nocache
    server app1 10.0.0.21:8080 check cookie A
    server app2 10.0.0.22:8080 check cookie B
Using HAProxy for VPN Load Balancing
HAProxy can also distribute traffic across multiple VPN servers, improving redundancy and throughput. Two common VPN solutions are OpenVPN and WireGuard.
By placing HAProxy in front of your VPN cluster (TCP mode for OpenVPN, UDP mode for WireGuard), you can achieve transparent failover and load distribution.
Best Practices and Tips
- Keep HAProxy and OS kernel updated for security fixes and performance improvements.
- Use connection limits and rate-limiting to mitigate DDoS attacks.
- Store SSL certificates securely and automate renewals with Let’s Encrypt.
- Monitor in real-time using `haproxy-exporter` for Prometheus or the built-in stats socket.
- Document configuration changes and maintain versioned backups.
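One way to apply the connection-limit and rate-limiting advice above, as an added configuration example that is not part of the original page. The thresholds (100 requests per 10 seconds, 20 concurrent connections, 200 connections per server) are illustrative assumptions to be tuned against real traffic; the backend reuses the `servers` pool from the basic example.

```haproxy
# Added example. All thresholds are illustrative, not recommendations.
defaults
    mode http
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    # Drop clients that take too long to send a complete request header
    timeout http-request 5s

frontend http-in
    bind :80
    # Per-client-IP table: concurrent connections and request rate over 10s
    stick-table type ip size 100k expire 30s store conn_cur,http_req_rate(10s)
    http-request track-sc0 src
    # Reject clients above the request-rate threshold
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    # Reject clients holding too many connections open at once
    http-request deny deny_status 429 if { sc_conn_cur(0) gt 20 }
    default_backend servers

backend servers
    balance roundrobin
    # Per-server maxconn queues excess requests in HAProxy instead of
    # overloading the application servers
    server web1 192.168.1.101:80 check maxconn 200
    server web2 192.168.1.102:80 check maxconn 200
```

Denied requests appear in the HTTP log with status 429, which gives a simple signal to alert on when a source repeatedly hits the limit.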
Conclusion
HAProxy provides a powerful, flexible, and efficient solution for load balancing web services, APIs, and even VPN infrastructures. By mastering its configuration syntax, algorithms, and health-check mechanisms, operators can ensure that applications remain available, performant, and secure under varying workloads.
With this foundation in basic load balancing, you are now prepared to explore advanced features such as Layer 7 content switching, dynamic server discovery, and integration with container orchestration platforms like Kubernetes.