16.8. HAProxy

You can find the HAProxy Settings at Services → HAProxy.

The HAProxy is a high availability load balancer and proxy server for TCP and HTTP.

Before you can use the HAProxy it has to be installed. You can install it at System → Addons.

16.8.1. General Settings


On the page the HAProxy can be enabled or disabled.

The Maximum Connections can be configured and is 1000 by default.

Number of Processes can be defined and is 1 by default.

Hard Stop After defines the maximum time allowed to perform a clean soft-stop. This may be used to ensure that the instance will quit even if connections remain opened during a soft-stop.

SSL Ciphers is a list of ssl chiphers seperated by colons.

SSL Options can be a selection of no-sslv3, no-tlsv10, no-tlsv11, no-tls-tickets, no-tlsv12 and no-tlsv13.

Let’s Encrypt ACL will redirect all letsencrypt requests to the VT AIR firewall for renewal of certificates. Use this option if VT AIR itself is renewing the certificates in the web mode.

Custom Options can be used for custom configuration parameters for the config.

You can export the settings in the top right corner as an Excel spreadsheet.

16.8.2. Backend

A backend is a server behind the firewall that HAProxy should send data to. Data are received on the Frontend, are processed and forwarded to a backend.

HAProxy HAProxy HAProxy

Each Backend has a Name, Description and can be enabled or disabled. You can add multiple Servers, each with a name, mode, IP address, port and ssl encrypt and ssl checks to each backend in case you want to load balance them.

SSL Encrypt enables SSL deciphering on connections instantiated from this listener.

SSL Checks forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic.

Load Balancing can be Round Robin, Static Round Robin, Least Connections or Source.

Connection Timeout is the maximum time (in milliseconds) to wait for a connection attempt to a server to succeed. The default value is 30000.

Server Timeout is the maximum inactivity time (in milliseconds) on the server side. The default value is 30000.

Retries are the number of times a connection attempt should be retried on a server when a connection either is refused or times out. The default value is 3.

Send Proxy if the proxy protocol should be used to connect to the backend and if so which version.

Source Address in order to change the source of the connection from HAProxy to the firewall. This might be useful in HA Setups to use the virtual ip as sender.

WAF Error Page File is a Custom Error Page if WAF is activated and access is blocked for this backend. Has to be a HTML file.

Custom Options can be used for custom configuration parameters for the config.

Health check method can be None, Basic, HTTP or SMTP.

Check frequency is the check frequency in milliseconds. The default value is 1000.

When Log checks is enabled, any change of the health check status or to the server’s health will be logged.

Health check method can be OPTIONS, HEAD, GET, POST, PUT, DELETE or TRACE.

Url used by http check requests defaults to / if left blank.

Http check version defaults to “HTTP/1.0” if left blank.

Stick Table can be enabled.

Type is the stick table type.

Size is the stick table size in MB. The default value is 1 MB.

Expire is the stick table expire time in seconds. The default value is 10 seconds.

16.8.3. Frontend

Frontend is the service where HAproxy is listening for connections to process. A frontend is listening on an IP Address and port pair.


Each Frontend has a Name, Description and can be enabled or disabled. A frontend can have multiple addresses with an IP address and port. You can also add multiple ACLs with a description, expression, backend and value. The value can be negated and checked for case-sensitivity.

Mode can be http / https, ssl / https (TCP mode) or tcp.

Default Backend is the default connection to a backend when no specific one is chosen in a following option.

SSL Offloading Certificate allows you to SSL Offload connections. HAProxy can have more than one certificate and they are chosen based on CName and the request that is coming in. To enable SSL Offloading the IPAddress and port have to be explicilty set to enabled even when certificates are selected here. Only HTTP connections can be offloaded and not TCP or TLS connections.

Validate Client Certificates can be enabled. If enabled, you also need to choose a Certificate Authority. This is only possible on http / https and tcp mode with SSL Offloading enabled for external addresses.

HAProxy External Address

Each Frontend can listen on one ore more IPAddresses and ports. You need to set the type (IPv4 or IPv6) and which address to use. System addresses are Network Objects from the Firewall. You can enable SSL Offloading for each Pair.

In order to use the Web Application Firewall on encrypted connections you can enable the SSL Offloading to transparently encrypt traffic to the user but still give access to the WAF.

Use Web Application Firewall enables the web application firewall for this frontend. The traffic will be inspected by the WAF and if a threat is detected it will be blocked with a 404 error. Advanced

Advanced allows to set some settings for the entire frontend.

HAProxy Advanced

Maximum Connections limit the sockets to this number of concurrent connections.

Client Timeout is the maximum inactivity time (in milliseconds) on the client side. The default value is 30000.

Forwardfor Option enables the insertion of the X-Forwarded-For header to requests sent to servers.

HTTP/s Redirect can be enabled.

Httpclose Option enables passive HTTP connection closing.

Custom Options can be used for custom configuration parameters for the config.

16.8.4. Access Control Lists

Access Control Lists are rules to match against which can be used in Frontends and Backends. In the Frontend they depend on the mode and include host names and source ips. Each ACL needs a unique name for the frontend so it can be used in the actions assignment.


16.8.5. Actions

Actions can only be used together with ACLs.

Multiple ACLs can be AND/OR together to get a flexible assignment.


16.8.6. General

Please be aware that port 443 and port 80 are occupied by Nginx. If you want to use them for HAProxy, please use DNAT on the interfaces to a different Port that the Frontend of HAProxy is using.

You can simply redirect the port 443 and 80 from WAN to HAProxy. HAProxy needs to run on a different port, for example 444 and 81.

An example for the DNAT rule can be found in the following image.

HAProxy Redirect Port 443 and 80