The HAProxy Configuration File has 4 Main Sections
- Global - This is where you specify global settings for HAProxy. These settings include things like max connections, PID file, log file locations, and the user and group that HAProxy runs as
- Defaults - This is where you specify default options that can be used for all front ends and back ends
- Frontend - This is where you configure frontend settings such as the port and IP that HAProxy listens on. You can create multiple front ends to handle different protocols such as HTTP and HTTPS
- Backend - This is where you specify the backend systems that HAProxy talks to. This could be web servers, database servers or whatever else you want to load balance
Sysctl / Kernel Tweaks
Please do not blindly copypasta these settings! Make sure the values here are sane for your environment and test them out one at a time instead of applying them all at once. These should be fairly safe settings, but you never know!

    net.ipv4.ip_local_port_range = 1025 65534
    net.ipv4.tcp_max_syn_backlog = 100000
    net.core.netdev_max_backlog = 100000
    net.core.somaxconn = 65534
    net.ipv4.tcp_rmem = 4096 16060 64060
    net.ipv4.tcp_wmem = 4096 16384 262144

If your workload allows for this:

    net.ipv4.tcp_slow_start_after_idle = 0

If using iptables with HAProxy:

    net.netfilter.nf_conntrack_max = 131072

To apply changes:
- timeout client - client side inactivity
- timeout connect - time to establish the TCP connection to the server
- timeout server - TCP: server side inactivity, HTTP: time for server to process the response (504 returned)
- timeout client-fin - max time to wait in FIN_WAIT state on client side
- timeout server-fin - max time to wait in FIN_WAIT state on server side
- timeout http-request - Used in HTTP mode. The timeout for the client to send a whole request; this can help protect against DoS-like attacks.
- timeout http-keep-alive - Used in HTTP mode. The max time to wait for the next request when doing HTTP keep alive
- timeout queue - How long a request can remain in the HAProxy queue
- timeout tarpit - How long the tarpitted connection is maintained for.
Config EXAMPLE for HTTP Service (timeouts). This is an EXAMPLE only, please do not copypasta!

    defaults HTTP
        mode http
        timeout http-request 10s
        timeout client 20s
        timeout connect 4s
        timeout server 30s
        timeout http-keep-alive 4s

HAProxy Stats Page
The HAProxy Stats Page can be enabled by adding this to the config file.

    listen stats
        bind-process 1
        bind :9010
        stats enable
        stats uri /
        stats auth $user:$pass
        stats realm Demo
        stats admin if TRUE

If you have set nbproc to a value greater than 1, it's suggested to set one TCP port and a unique path for each process
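
The timeout list and the stats listener above can both be checked mechanically before a config is deployed. The following Python check is an added example, not code from the original page or from the HAProxy project: it flags a `defaults` section that lacks the core timeouts (including `timeout http-request` in HTTP mode) and a stats listener that has no `stats auth`, grants `stats admin if TRUE`, or binds on all interfaces. The sample config, its credentials and the finding messages are constructed, and the parser assumes plain `#` comments and section keywords at the start of a line.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
WILDCARD_BIND = re.compile(r"^bind (\*|0\.0\.0\.0|::)?:\d+")
# Constructed sample: the page's examples with 'timeout http-request' left out.
SAMPLE = """\
defaults HTTP
    mode http
    timeout client 20s
    timeout connect 4s
    timeout server 30s
listen stats
    bind :9010
    stats enable
    stats auth admin:changeme   # constructed credentials
    stats admin if TRUE
"""

def parse_sections(text):
    """Split a config into (kind, name, directives); '#' comments are dropped."""
    sections = []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def audit(text):
    """Return findings for missing timeouts and an over-exposed stats page."""
    findings = []
    for kind, name, lines in parse_sections(text):
        label = f"{kind} {name}".strip()
        if kind == "defaults":
            need = ["client", "connect", "server"]
            need += ["http-request"] if "mode http" in lines else []
            have = {l.split()[1] for l in lines if l.startswith("timeout ")}
            findings += [f"{label}: missing timeout {t}" for t in need if t not in have]
        if "stats enable" in lines:
            if not any(l.startswith("stats auth ") for l in lines):
                findings.append(f"{label}: stats page has no stats auth")
            if any(l.lower() == "stats admin if true" for l in lines):
                findings.append(f"{label}: stats admin is unconditional")
            if any(WILDCARD_BIND.match(l) for l in lines):
                findings.append(f"{label}: stats bound on all interfaces")
    return findings

if __name__ == "__main__": print("\n".join(audit(SAMPLE)))
```

Binding the stats listener to a loopback or management address and replacing `TRUE` with a narrower condition (for example the predefined `LOCALHOST` ACL) clears the last two findings.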