Example configuration of HAProxy Community Edition

This article provides a configuration example for HAProxy Community Edition. If necessary, you can change the settings to suit your needs. This configuration was tested with package version 2.4.24-0ubuntu0.22.04.2.

To configure HAProxy Community Edition:

1. On the host where you are installing the balancer, start the command line console and install the haproxy package:

   sudo apt update && sudo apt install haproxy -y

2. Go to the /etc/haproxy directory and edit the haproxy.cfg configuration file as shown in the example below. The order of the sections and parameters in the configuration file is significant and must be the same as in the example given.

   Example of settings in the haproxy.cfg file if a TLS certificate is not used

   global

   log /dev/log local0

   log /dev/log local1 notice

   chroot /var/lib/haproxy

   stats socket /run/haproxy/admin.sock mode 660 level admin

   stats timeout 30s

   user haproxy

   group haproxy

   defaults

   log global

   mode tcp

   option tcplog

   option dontlognull

   timeout connect 5000

   timeout client 50000

   timeout server 50000

   errorfile 400 /etc/haproxy/errors/400.http

   errorfile 403 /etc/haproxy/errors/403.http

   errorfile 408 /etc/haproxy/errors/408.http

   errorfile 500 /etc/haproxy/errors/500.http

   errorfile 502 /etc/haproxy/errors/502.http

   errorfile 503 /etc/haproxy/errors/503.http

   errorfile 504 /etc/haproxy/errors/504.http

   frontend deploy-raft

   mode tcp

   bind *:7220

   default_backend be_d1

   backend be_d1

   mode tcp

   balance roundrobin

   server machine2 kuma-inst-02.avp.ru:7220 check

   server machine3 kuma-inst-03.avp.ru:7220 check

   server machine4 kuma-inst-04.avp.ru:7220 check

   Example of settings in the haproxy.cfg file when using a TLS certificate

   global #

   log /dev/log local0

   log /dev/log local1 notice

   chroot /var/lib/haproxy

   stats socket /run/haproxy/admin.sock mode 660 level admin

   stats timeout 30s

   user haproxy

   group haproxy

   # Default SSL material locations

   ca-base /etc/ssl/certs

   crt-base /etc/ssl/private

   ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

   ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

   ssl-default-bind-options ssl-min-ver TLSv1.3 no-tls-tickets

   defaults #

   log global

   mode http

   option httplog

   option dontlognull

   timeout connect 5000

   timeout client 50000

   timeout server 50000

   errorfile 400 /etc/haproxy/errors/400.http

   errorfile 403 /etc/haproxy/errors/403.http

   errorfile 408 /etc/haproxy/errors/408.http

   errorfile 500 /etc/haproxy/errors/500.http

   errorfile 502 /etc/haproxy/errors/502.http

   errorfile 503 /etc/haproxy/errors/503.http

   errorfile 504 /etc/haproxy/errors/504.http

   frontend http_front

   bind 0.0.0.0:443 ssl crt kuma-inst-01.avp.ru

   default_backend be_d1 #name of the default application server group

   backend be_d1 #be_d1 is the name of the application server group; used by the frontend section for addressing purposes

   balance roundrobin #requests are distributed equally among available application servers

   cookie SERVER insert indirect nocache #the insert parameter creates a cookie file upon request; indirect deletes the cookie file upon every incoming request before forwarding it to the application server, #nocache ensures that there is no caching between the client and the balancer

   option httpchk #start HTTP check

   http-check connect port 7220 #port 7220 is used for the HTTP check

   http-check send meth GET #HTTP method GET is used for the check

   http-check expect status 200 #a successful HTTP check gets the 200 OK status from the application server

   server machine2 kuma-inst-02.avp.ru:7220 inter 4s fall 2 rise 4 ssl verify none #the inter parameter sets the http-check interval to four seconds to exclude the machine

   server machine3 kuma-inst-03.avp.ru:7220 inter 4s fall 2 rise 4 ssl verify none #from the rotation, 2 consecutive checks must fail - fall 2, to return, 4 must

   server machine4 kuma-inst-04.avp.ru:7220 inter 4s fall 2 rise 4 ssl verify none #complete successfully - rise 4. The authenticity of the server TLS certificate is not verified - ssl #verify none

3. Save the haproxy.cfg configuration file.
4. Check the correctness of the haproxy.cfg configuration file using the following command:

   haproxy -f /etc/haproxy/haproxy.cfg -c

   If the check command returns an error, make sure the contents of the haproxy.cfg configuration file matches the example and make changes if necessary. If the check command does not return any errors, proceed to starting the balancer.

5. Start the balancer:

   sudo systemctl start haproxy

   If the haproxy service needs to be enabled before starting, run the following sequence of commands:

   sudo systemctl enable haproxy

   sudo systemctl start haproxy

The balancer is configured.