HAProxy Stick Tables for Sessions

February 13, 2026 | HAProxy Security Session

Session persistence and abuse detection.

What Are HAProxy Stick Tables?

Stick tables are HAProxy's in-memory key-value stores that track connection metadata in real time. They enable two critical capabilities: session persistence (sticky sessions) and abuse detection — all without external dependencies like Redis or Memcached.

Session Persistence with Stick Tables

When your application requires session affinity, stick tables ensure a client always reaches the same backend server:

backend app_servers
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src

    server app1 10.0.1.10:8080 check
    server app2 10.0.1.11:8080 check
    server app3 10.0.1.12:8080 check

This configuration keys the table on the client source IP and routes subsequent requests from that IP to the same backend server. The entry expires after 30 minutes without a matching request.

Cookie-Based Persistence

For clients behind NAT, where the source IP isn't a reliable way to tell clients apart, use cookie-based stickiness:

backend app_servers
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server app1 10.0.1.10:8080 check cookie s1
    server app2 10.0.1.11:8080 check cookie s2

Abuse Detection with Rate Tracking

Stick tables can track request rates and automatically deny abusive clients:

frontend http_front
    bind *:80
    stick-table type ip size 100k expire 30s store http_req_rate(10s),conn_cur
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    default_backend app_servers

This denies, with HTTP 429, any source IP making more than 100 requests in 10 seconds, which is effective against simple DDoS and scraping bots.

Advanced: Multi-Layer Tracking

Track multiple counters simultaneously for sophisticated abuse detection:

frontend http_front
    bind *:443 ssl crt /etc/ssl/cert.pem
    stick-table type ip size 200k expire 60s store http_req_rate(10s),http_err_rate(10s),conn_rate(10s)
    http-request track-sc0 src

    # Block high request rate
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    # Block high error rate (credential stuffing)
    http-request deny deny_status 403 if { sc_http_err_rate(0) gt 20 }
    # Block connection floods
    http-request deny deny_status 429 if { sc_conn_rate(0) gt 50 }

Stick Table Replication

In active-active HAProxy setups, replicate stick tables between peers to maintain consistency:

peers mypeers
    peer haproxy1 10.0.1.1:1024
    peer haproxy2 10.0.1.2:1024

backend app_servers
    stick-table type ip size 200k expire 30m peers mypeers
    stick on src

Monitoring Stick Tables

Enable the HAProxy stats socket to inspect stick table contents in real time:

# Show all entries
echo "show table http_front" | socat stdio /var/run/haproxy.sock

# Clear a specific entry
echo "clear table http_front key 192.168.1.100" | socat stdio /var/run/haproxy.sock
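To review which clients the deny rules above would hit, the `show table` output can be parsed and compared against the same limits. The following is an added example, not part of the original article or of HAProxy itself; the sample output is constructed, and the line layout (`0x<addr>: key=... name(period_ms)=value`) and the `parse_table`/`offenders` names are assumptions of this sketch.

```python
import re

# Constructed sample of `show table http_front` output (not captured from a real host).
SAMPLE = """\
# table: http_front, type: ip, size:204800, used:3
0x55d1c8a0: key=192.168.1.100 use=0 exp=41200 http_req_rate(10000)=180 http_err_rate(10000)=2 conn_rate(10000)=12
0x55d1c8f0: key=192.168.1.101 use=1 exp=58900 http_req_rate(10000)=35 http_err_rate(10000)=27 conn_rate(10000)=4
0x55d1c940: key=192.168.1.102 use=0 exp=12000 http_req_rate(10000)=8 http_err_rate(10000)=0 conn_rate(10000)=1
"""

# Same limits as the deny rules in the multi-layer frontend.
LIMITS = {"http_req_rate": 100, "http_err_rate": 20, "conn_rate": 50}
ENTRY = re.compile(r"^0x[0-9a-fA-F]+:\s+(.*)$")

def parse_table(text):
    """Return {key: {counter: int}} from `show table` output (ip-keyed table assumed)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # table header or blank line
        fields = {}
        for pair in m.group(1).split():
            name, sep, value = pair.partition("=")
            if sep:
                fields[name.split("(", 1)[0]] = value  # drop the "(10000)" period suffix
        key = fields.pop("key", None)
        if key is not None:
            entries[key] = {n: int(v) for n, v in fields.items() if v.isdigit()}
    return entries

def offenders(entries, limits=LIMITS):
    """Return {key: [counters over their limit]}, using the same 'gt' comparison as the ACLs."""
    out = {}
    for key, counters in entries.items():
        hit = sorted(n for n, lim in limits.items() if counters.get(n, 0) > lim)
        if hit:
            out[key] = hit
    return out

if __name__ == "__main__":
    for ip, hits in offenders(parse_table(SAMPLE)).items():
        print(ip, ",".join(hits))
```

Running this against real output with lowered limits shows which legitimate clients (shared NAT addresses, monitoring probes) would be caught before a threshold is enforced.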

Eazy SaaS Tip: We combine stick table abuse detection with Prometheus metrics export to create dashboards showing attack patterns in real time. This dual approach catches both automated and manual abuse attempts.