HAProxy Configuration for HA Web Apps

February 13, 2026 | HAProxy Load Balancing HA

Complete haproxy.cfg with security hardening.

Production HAProxy Configuration

A well-configured HAProxy setup provides high availability, security, and observability. This guide covers a complete production configuration with SSL termination, health checks, security hardening, and monitoring.

Complete haproxy.cfg

global
    maxconn 50000
    log /dev/log local0
    log /dev/log local1 notice
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s
    timeout http-keep-alive 10s
    retries 3
    default-server init-addr last,libc,none

frontend http_front
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    
    # Security headers
    http-response set-header Strict-Transport-Security "max-age=63072000"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options SAMEORIGIN
    
    # Rate limiting
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    
    default_backend web_servers

backend web_servers
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    
    server web1 10.0.1.10:8080 check inter 5s fall 3 rise 2
    server web2 10.0.1.11:8080 check inter 5s fall 3 rise 2
    server web3 10.0.1.12:8080 check inter 5s fall 3 rise 2

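listen stats
    # Binds on every interface without TLS, so the Basic-auth login is sent in cleartext
    bind *:9000
    mode http
    stats enable
    stats uri /stats
    # Placeholder credentials; "stats auth" keeps the password in cleartext in this file
    stats auth admin:secure_password
    stats refresh 5s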

Key Configuration Sections

  • Global: SSL settings, connection limits, logging
  • Defaults: Timeouts, retry policies, default behavior
  • Frontend: Listener configuration, SSL termination, routing rules
  • Backend: Server pools, health checks, load balancing algorithm
  • Stats: Real-time monitoring dashboard

Eazy SaaS Tip: Always enable the stats page in production (on a separate port with authentication). It provides invaluable real-time visibility into backend health, connection counts, and error rates.
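
A small audit for three of the hardening points this configuration relies on (minimum TLS version, stats page exposure, per-server health checks), added here as an example and not part of the original page. The helper names `parse_sections` and `audit` are hypothetical, and the embedded sample config is constructed for illustration.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse_sections(text):
    """Hypothetical helper: split haproxy.cfg text into (kind, name, directives)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive: assumes no '#' inside quotes
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif line and sections:
            sections[-1][2].append(line.split())
    return sections

def audit(text):
    """Hypothetical helper: list findings for TLS floor, stats exposure, health checks."""
    findings, sections = [], parse_sections(text)
    if not any("ssl-min-ver" in d for k, _, ds in sections if k == "global" for d in ds):
        findings.append("global: no ssl-min-ver set")
    for kind, name, ds in sections:
        where = f"{kind} {name}".strip()
        heads = [d[:2] for d in ds]
        if ["stats", "enable"] in heads:
            if ["stats", "auth"] not in heads:
                findings.append(f"{where}: stats page without authentication")
            for b in (d for d in ds if d[0] == "bind"):
                if "ssl" not in b[2:]:
                    findings.append(f"{where}: stats login crosses {b[1]} in cleartext")
                if b[1].rsplit(":", 1)[0] in ("*", "", "0.0.0.0", "::", "[::]"):
                    findings.append(f"{where}: stats bound to all interfaces ({b[1]})")
        for d in ds:
            if d[0] == "server" and "check" not in d[3:]:
                findings.append(f"{where}: server {d[1]} has no health check")
    return findings

# Constructed sample input, modelled on the listing above
SAMPLE = """
global
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
backend web_servers
    server web1 10.0.1.10:8080 check inter 5s fall 3 rise 2
    server web2 10.0.1.11:8080
listen stats
    bind *:9000
    stats enable
    stats auth admin:secure_password
"""
```

Calling `audit(SAMPLE)` returns one finding for the server without `check` and two for the stats listener; running it against a rendered config in CI catches regressions before a reload.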