15.8. HAProxy

You can find the HAProxy Settings at Services → HAProxy.

HAProxy is a high-availability load balancer and proxy server for TCP and HTTP.

Before you can use HAProxy, it has to be installed. You can install it at System → Addons.

15.8.1. General Settings


On this page HAProxy can be enabled or disabled. Maximum Connections can be configured and is 1000 by default. Number of Processes can be defined and is 1 by default. Hard Stop After defines the maximum time allowed to perform a clean soft-stop. This can be used to ensure that the instance quits even if connections remain open during a soft-stop.

15.8.2. Backend

A backend is a server behind the firewall that HAProxy should send data to. Data is received on the Frontend, processed and forwarded to a backend.


Each Backend has a Name and a Description and can be enabled or disabled. You can add multiple Servers to each backend, each with a name, mode, IP address and port, in case you want to load balance them. Load Balancing can be Round Robin, Static Round Robin, Least Connections or Source.

Connection Timeout is the maximum time (in milliseconds) to wait for a connection attempt to a server to succeed. The default value is 30000. Server Timeout is the maximum inactivity time (in milliseconds) on the server side. The default value is 30000. Retries is the number of times a connection attempt should be retried on a server when a connection is either refused or times out. The default value is 3.

Health check method can be None, Basic, HTTP or SMTP. Check frequency is the interval between health checks in milliseconds. The default value is 1000. When Log checks is enabled, any change of the health check status or of the server's health will be logged. For HTTP checks, Health check method (the HTTP request method) can be OPTIONS, HEAD, GET, POST, PUT, DELETE or TRACE. Url used by http check requests defaults to / if left blank. Http check version defaults to "HTTP/1.0" if left blank.

Stick Table can be enabled. Type is the stick table type. Size is the stick table size in MB. The default value is 1 MB. Expire is the stick table expire time in seconds. The default value is 10 seconds.

15.8.3. Frontend

A Frontend is the service on which HAProxy listens for connections to process. A frontend listens on an IP address and port pair.


Each Frontend has a Name and a Description and can be enabled or disabled. A frontend can have multiple addresses, each with an IP address and port. You can also add multiple ACLs with a description, expression, backend and value. The value can be negated and checked for case-sensitivity. Mode can be http / https, ssl / https or tcp. Default Backend is the backend used when no more specific one is chosen by one of the following options.

SSL Offloading Certificate allows you to SSL offload connections. HAProxy can have more than one certificate; they are chosen based on the CName and the incoming request. To enable SSL Offloading, it has to be explicitly enabled on the IP address and port, even when certificates are selected here.

External Address

Each Frontend can listen on one or more IP addresses and ports. You need to set the type (IPv4 or IPv6) and which address to use. System addresses are aliases from the Firewall. You can enable SSL Offloading for each pair.

ACL

Access Control Lists are rules that requests are matched against in order to select a backend. They depend on the mode of the frontend and include host names and source IPs. Each ACL needs a name that is unique within the frontend so it can be used in the backend assignment.

Backends

Backends assigns ACLs to backends. The frontend forwards traffic that matches an ACL to the assigned backend.

Multiple ACLs can be combined with AND/OR to get a flexible assignment.

Advanced

Advanced lets you configure settings that apply to the entire frontend.


Maximum Connections limits the sockets to this number of concurrent connections. Client Timeout is the maximum inactivity time (in milliseconds) on the client side. The default value is 30000. Forwardfor Option enables the insertion of the X-Forwarded-For header into requests sent to servers. Httpclose Option enables passive HTTP connection closing.

15.8.4. General

Please be aware that port 443 and port 80 are occupied by Nginx. If you want to use them for HAProxy, please use DNAT on the interfaces to redirect them to a different port that the HAProxy Frontend is listening on.
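
As an added illustration (not taken from the appliance or from the configuration it generates), the settings described in 15.8.1 to 15.8.4 correspond to standard HAProxy directives roughly as follows. All names, addresses, the certificate path and the hard-stop and frontend connection values are constructed, and how the appliance actually writes its configuration is an assumption.

```haproxy
# Added illustration; names, addresses and the certificate path are constructed.
global
    maxconn 1000            # General Settings: Maximum Connections (default 1000)
    nbproc 1                # Number of Processes (default 1; directive removed in HAProxy 2.5)
    hard-stop-after 30s     # Hard Stop After (constructed value)

frontend fe_web             # Frontend: Name
    # External Address with SSL Offloading enabled. Port 8443 is used because
    # 80/443 belong to Nginx; a DNAT rule maps the public port to it.
    bind 192.0.2.10:8443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path
    mode http               # Mode
    maxconn 500             # Advanced: Maximum Connections (constructed value)
    timeout client 30000    # Client Timeout in ms (default 30000)
    option forwardfor       # Forwardfor Option: insert X-Forwarded-For
    option httpclose        # Httpclose Option
    # ACL: unique name plus expression and value (-i makes the match case-insensitive)
    acl is_app   hdr(host) -i app.example.test
    acl from_lan src 198.51.100.0/24
    # Backends: two ACLs on one line are ANDed; "||" between them would OR them
    use_backend be_app if is_app from_lan
    default_backend be_default      # Default Backend

backend be_app              # Backend: Name
    mode http
    balance roundrobin      # Load Balancing: roundrobin | static-rr | leastconn | source
    timeout connect 30000   # Connection Timeout in ms (default 30000)
    timeout server 30000    # Server Timeout in ms (default 30000)
    retries 3               # Retries (default 3)
    option httpchk GET / HTTP/1.0   # HTTP health check: method, URL "/", version
    option log-health-checks        # Log checks
    # Stick Table: type, size, expire (default 10 s). HAProxy's size suffix counts
    # entries; how the GUI's MB value is translated is not stated on the page.
    stick-table type ip size 1m expire 10s
    stick on src
    server app1 10.0.0.11:8080 check inter 1000   # Check frequency in ms (default 1000)
    server app2 10.0.0.12:8080 check inter 1000

backend be_default
    mode http
    timeout connect 30000
    timeout server 30000
    server web1 10.0.0.21:8080 check inter 1000
```

A fragment like this can be syntax-checked with `haproxy -c -f <file>` on a test system before comparable values are entered in the GUI.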