Master HAProxy: Core Features, High Performance, and High Availability
HAProxy is an open‑source L4/L7 load balancer offering reverse‑proxy, session persistence, diverse balancing algorithms, ACL‑based routing, health checks, and a web UI; the guide details its high‑performance architecture, high‑availability deployment with Keepalived, configuration examples, and extensive kernel and system tuning for massive traffic.
HAProxy Load Balancer
HAProxy (High Availability Proxy) is an open‑source TCP/HTTP L4‑L7 load balancer developed by Willy Tarreau. It does not support UDP and is suited for high‑connection‑count scenarios that require session persistence and complex traffic distribution.
Key features from the official site include:
Client‑side keep‑alive
TCP speedups
Response buffering
Source‑based stickiness
HTTP authentication
ACL‑based persistence
Traffic‑based health checks
Rich statistics interface
Server management CLI
Log analyzer
Web GUI
The article examines HAProxy from four perspectives: core functionality, high performance, high reliability, and scalability.
Core Functionality
Reverse Proxy
HAProxy supports both L4 and L7 reverse proxy modes:
L4 Proxy : TCP NAT forwarding between client and real server.
L7 Proxy : HTTP‑level inspection and modification for intelligent traffic routing.
Session Persistence
HAProxy can keep TCP connections or HTTP sessions based on:
srcIP : hash of the client IP.
HTTP Request : hash of URL path, query parameters, headers, etc.
Cookie : hash of the cookie returned by the backend.
Load‑Balancing Algorithms
Algorithms are divided by whether they support persistence:
Non‑persistent : roundrobin, static‑rr, leastconn.
Persistent : source, uri, url_param, hdr, rdp‑cookie.
ACL‑Based Routing
ACL rules can validate client requests and direct matching traffic to a specific backend. Example syntax:
acl <acl_name> <acl_method> -i [path|file]Typical parameters:
acl_name : friendly name.
acl_method : hdr_reg(host), hdr_dom(host), url_sub, path_beg, etc.
[path|file] : optional regex such as .html .jpg .gif.
Common directives used with ACLs:
use_backend : forward matching requests to a backend.
default_backend : fallback backend when no ACL matches.
acl www_policy hdr_reg(host) -i ^(www.z.cn|z.cn)
acl bbs_policy hdr_dom(host) -i bbs.z.cn
acl url_policy url_sub -i buy_sid=
use_backend server_www if www_policy
use_backend server_bbs if bbs_policy
use_backend server_app if url_policy
default_backend server_cacheHealth Checks
HAProxy performs health checks (TCP, HTTP, PING) to detect backend failures and automatically disables unhealthy servers until they recover.
Web Monitoring Interface
A web UI shows frontend and backend status, using colors to highlight problems.
High Performance Implementation
Official benchmarks show HAProxy can saturate a 10 Gbps NIC and handle 10 000+ concurrent TCP connections. Performance‑critical techniques include:
Event‑driven I/O with epoll and non‑blocking sockets.
Zero‑copy forwarding via splice() (Linux ≥ 2.6.27.19) and zero‑starting (Linux ≥ 3.5).
Single‑buffer mechanism that avoids data copies.
Fast memory allocation from fixed‑size pools.
Optimized HTTP header parsing.
Ebtree (elastic binary tree) for low‑overhead timers and queues.
O(1) event checker for instant event detection.
Reduced reliance on expensive system calls.
Support for SP (single process), MP (multi‑process), and MT (multi‑thread) models.
Performance comparison (HAProxy MT/MP vs NGINX) under 100 % CPU load is illustrated below:
High Reliability Deployment
Combining HAProxy with Keepalived provides a mature high‑availability solution. Two common HA modes are supported:
Active‑Passive (master‑backup) : a single virtual IP (VIP) floats between master and backup when the master fails.
Active‑Active (dual‑VIP) : two VIPs are managed by two VRRP instances; if one master fails, its VIP migrates to the other node.
HAProxy Configuration Example
# Global configuration (OS‑related)
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
nbproc 1
daemon
stats socket /var/lib/haproxy/stats
# Default settings
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
# Frontend definition
frontend allen
bind *:80
mode http
option httpclose
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
acl url_static path_end -i .html .jpg .gif
acl url_dynamic path_end -i .php
use_backend lamp if url_dynamic
default_backend webservers
# Backend definitions
backend webservers
balance roundrobin
server web1 192.168.1.8:80 check rise 2 fall 1 weight 2
server web2 192.168.1.9:80 check rise 2 fall 1 weight 2
server web3 192.168.1.10:80 check rise 2 fall 1 weight 2
backend lamp
balance source
server lamp 192.168.1.3:80 check rise 2 fall 1
# Stats listener
listen stats
mode http
bind 0.0.0.0:8090
option httpchk GET /info.txt
stats enable
stats refresh 3s
stats hide-version
stats uri /allen
stats realm "Haproxy allen"
stats auth admin:admin
stats admin if TRUEKeepalived Configuration (Active‑Passive)
global_defs {
notification_email {
root@localhost
}
notification_email_from keepalived@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id HAproxy237
}
vrrp_script chk_haproxy {
script "/etc/keepalived/check_haproxy.sh"
interval 2
weight 2
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy
}
virtual_ipaddress {
182.148.15.239
}
notify_master "/etc/keepalived/clean_arp.sh 182.148.15.239"
}Keepalived Configuration (Active‑Active)
# Global settings
global_defs {
notification_email { root@localhost }
notification_email_from [email protected]
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_ALLEN
}
vrrp_script chk_process {
script "killall -0 haproxy"
interval 1
weight -2
}
# Master instance
vrrp_instance ha_1 {
state MASTER
interface eth0
virtual_router_id 56
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1056
}
virtual_ipaddress {
192.168.1.100/24
}
track_script { chk_process }
}
# Backup instance
vrrp_instance ha_2 {
state BACKUP
interface eth0
virtual_router_id 58
priority 92
advert_int 1
authentication {
auth_type PASS
auth_pass 1058
}
virtual_ipaddress {
192.168.1.101/24
}
}Performance Optimizations
HAProxy Parameter Tuning
Add maxconn in global and defaults to raise the connection limit.
Set nbproc in global to control process count.
Enable option forwardfor in defaults so backends see the real client IP.
Disable unnecessary logging.
TCP Kernel Parameter Tuning
# Example /etc/sysctl.conf entries
fs.file-max = 12553500
fs.nr_open = 12453500
kernel.shmall = 4294967296
kernel.shmmax = 68719476736
net.core.netdev_max_backlog = 2000000
net.core.rmem_default = 699040
net.core.rmem_max = 50331648
net.core.wmem_default = 131072
net.core.wmem_max = 33554432
net.core.somaxconn = 65535
net.ipv4.ip_local_port_range = 1025 65534
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_fin_timeout = 7
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 655360
net.ipv4.tcp_max_tw_buckets = 6000000
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_rmem = 32768 699040 50331648
net.ipv4.tcp_wmem = 32768 131072 33554432
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
vm.swappiness = 0File Descriptor Limits
# /etc/security/limits.conf
* soft nofile 1000000
* hard nofile 1000000
root soft nofile 1000000
root hard nofile 1000000How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.