
Setting up HAProxy as a Gateway for Backend Services

Introduction

In modern web architectures, achieving high availability and scalability is crucial. A robust gateway can manage traffic, enhance security, and improve performance. HAProxy (High Availability Proxy) stands out as a powerful, reliable, and high-performance solution for these tasks. This guide will walk you through configuring HAProxy as a gateway for your backend services, complete with examples involving three different servers.

Why HAProxy?

HAProxy is widely used due to its:

  • High performance
  • Reliability
  • Advanced load balancing algorithms
  • SSL termination
  • Detailed logging and monitoring
  • Ability to act as a gateway

Setting Up HAProxy

Let’s dive into the practical steps of configuring HAProxy as a gateway and load balancer for your backend services. We will use two backends for this example, each with three servers.

Step 1: Install HAProxy

To install HAProxy on a Linux server, use the package manager of your choice. For example, on Debian-based systems:

sudo apt-get update
sudo apt-get install haproxy

On Red Hat-based systems:

sudo yum install haproxy

Step 2: Configure HAProxy

The primary configuration file for HAProxy is located at /etc/haproxy/haproxy.cfg. Open this file in your favorite text editor:

sudo nano /etc/haproxy/haproxy.cfg

Add the following configuration to set up path-based routing and load balancing across two backends with three servers each:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    # HAProxy defaults to TCP mode; the HTTP rules and path ACLs below need HTTP mode
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend stats
    bind *:9000
    mode http
    stats uri /
    stats show-legends
    stats enable

frontend http_front
    bind *:80
    bind *:8080
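    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
    # Reject any request whose method is not on this allow list (HAProxy answers 403)
    acl valid_method method GET PUT POST DELETE PATCH OPTIONS HEAD
    http-request deny if !valid_method
    # Append the client address in X-Forwarded-For for the backends
    option forwardfor

    # Exact match plus the /product/ prefix, so /products does not match
    use_backend product_backend if { path /product } || { path_beg /product/ }
    use_backend catalog_backend if { path /catalog } || { path_beg /catalog/ }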


backend product_backend
    balance roundrobin
    server server1 192.168.1.101:8080 check port 8080
    server server2 192.168.1.101:8081 check port 8081
    server server3 192.168.1.101:8082 check port 8082

backend catalog_backend
    balance roundrobin
    server server1 192.168.1.102:8080 check port 8080
    server server2 192.168.1.102:8081 check port 8081
    server server3 192.168.1.102:8082 check port 8082

In this configuration:

  • The global section defines global settings for HAProxy.
  • The defaults section sets default parameters for all subsequent sections.
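  • The frontend http_front section defines how incoming requests are handled. In this case, we bind to ports 80 and 8080, reject requests whose method is not in the valid_method list, and route by path: /product and anything under /product/ go to product_backend, while /catalog and anything under /catalog/ go to catalog_backend. There is no default_backend, so a request that matches neither rule gets a 503 response. The frontend stats section serves the statistics page on port 9000.
  • The backend sections list the backend servers and the load balancing algorithm (roundrobin). The check keyword enables health checks, so a server that stops answering is taken out of rotation.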

Step 3: Enable and Start HAProxy

Enable and start the HAProxy service to apply the configuration:

sudo systemctl enable haproxy
sudo systemctl start haproxy

To check the status of HAProxy, use:

sudo systemctl status haproxy

Monitoring and Statistics

HAProxy comes with a built-in web interface for monitoring. With the configuration above, you can access it at http://<your-server-ip>:9000. As configured, this interface is open to anyone who can reach that port, so for production environments, you should secure it with authentication. To add basic authentication, modify the frontend stats section of your configuration:

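frontend stats
    bind *:9000
    # ... keep the existing mode and stats lines ...
    stats auth admin:password

Replace admin and password with your preferred username and password. Basic authentication sends these credentials with every request, and this listener is plain HTTP, so anyone on the network path can read them; restrict who can reach port 9000 or serve the page over TLS.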
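
A tighter stats listener, shown as an added example that is not part of the original configuration. It assumes administrators connect from 192.168.1.0/24 (a hypothetical management subnet) and reuses the certificate path from the SSL section of this guide; the credentials are placeholders.

```haproxy
# Added example: stats page over TLS, limited to an assumed management subnet.
frontend stats
    # TLS on the stats port so the basic-auth credentials are not sent in clear
    bind *:9000 ssl crt /etc/haproxy/certs/your_cert.pem
    mode http

    # Assumed management subnet; every other source address gets a 403
    http-request deny unless { src 192.168.1.0/24 }

    stats enable
    stats uri /
    stats show-legends
    # Do not disclose the HAProxy version on the page
    stats hide-version
    stats realm HAProxy\ Statistics
    # Placeholder credentials: replace both values
    stats auth admin:password
```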

Load Balancing Algorithms

HAProxy supports various load balancing algorithms. In our example, we used roundrobin, but you can choose other algorithms based on your needs:

  • leastconn: Distributes requests to the server with the fewest connections.
  • source: Hashes the source IP address to ensure that a client always connects to the same server.
  • uri: Hashes a portion of the request URI to distribute requests.

To change the load balancing algorithm, update the balance directive in the backend section:

backend product_backend
    balance leastconn
    server server1 192.168.1.101:8080 check port 8080
    server server2 192.168.1.101:8081 check port 8081
    server server3 192.168.1.101:8082 check port 8082

SSL Termination

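To enhance security, you can configure SSL termination in HAProxy. This means HAProxy will handle the SSL/TLS encryption, and the backend servers will receive decrypted traffic, so the network between HAProxy and the backends must be one you trust.

First, generate or obtain an SSL certificate. HAProxy expects the certificate chain and the private key together in the PEM file named on the bind line. Then, modify your HAProxy configuration: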

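frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/your_cert.pem
    # ... same ACLs and use_backend rules as http_front ...
    # (no stats auth line here: it would enable the statistics page on this public frontend)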
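
A fuller TLS-terminating setup for the two backends in this guide, as an added example rather than the original author's configuration. It assumes HAProxy 1.8 or later (for ssl-min-ver) and that the backends read X-Forwarded-For and X-Forwarded-Proto.

```haproxy
# Added example: merge the global line into the existing global section.
global
    # Refuse TLS 1.0 and 1.1 on every "bind ... ssl" line
    ssl-default-bind-options ssl-min-ver TLSv1.2

frontend http_front
    bind *:80
    bind *:8080
    mode http
    # Plain HTTP only redirects; no request reaches a backend unencrypted
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_front
    # your_cert.pem holds the certificate chain and the private key;
    # keep it readable by root only
    bind *:443 ssl crt /etc/haproxy/certs/your_cert.pem
    mode http

    acl valid_method method GET PUT POST DELETE PATCH OPTIONS HEAD
    http-request deny if !valid_method

    # Drop client-supplied forwarding headers so backends only see
    # the values HAProxy sets
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto https
    option forwardfor

    # Ask browsers to use HTTPS for this host for one year
    http-response set-header Strict-Transport-Security "max-age=31536000"

    use_backend product_backend if { path /product } || { path_beg /product/ }
    use_backend catalog_backend if { path /catalog } || { path_beg /catalog/ }
```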

Conclusion

Setting up HAProxy as a gateway for your backend services can significantly improve the availability, security, and scalability of your applications. With its powerful features and flexibility, HAProxy can handle a wide range of use cases, from simple load balancing to complex traffic routing and SSL termination.