HAProxy is a battle-tested open-source load balancer and proxy server that can distribute HTTP and raw TCP traffic across multiple backend servers with sub-millisecond overhead. On RHEL 8 it is available directly from the AppStream repository and integrates cleanly with firewalld and SELinux. This guide walks through installing HAProxy, writing a configuration that handles both HTTP round-robin load balancing for a web tier and TCP load balancing for a database tier, enabling the built-in stats page, and configuring SSL termination. By the end you will have a fully functional, health-checked load balancer ready for production.
Prerequisites
- RHEL 8 server with a sudo-capable user
- At least two backend web servers reachable over the network
- Ports 80, 443, and 8404 (stats) available on the HAProxy host
- firewalld active and running
- A valid SSL/TLS certificate and key for SSL termination (optional)
Step 1 — Install HAProxy
Install HAProxy from the RHEL 8 AppStream and enable the service to start on boot.
sudo dnf install -y haproxy
haproxy -v
# HAProxy version 1.8.x / 2.4.x
sudo systemctl enable haproxy
Step 2 — Write the Global and Defaults Sections
Open /etc/haproxy/haproxy.cfg and replace its contents. The global section sets process-wide parameters; defaults provides sensible fallbacks for all frontends and backends.
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak
sudo nano /etc/haproxy/haproxy.cfg
global
    log /dev/log local0 info
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 50000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    retries 3
Step 3 — Configure an HTTP Frontend and Round-Robin Backend
Add the HTTP frontend that listens on port 80 and routes traffic to two Nginx backend servers using round-robin load balancing. The check inter 2s option sends a TCP health probe every 2 seconds and removes unhealthy servers automatically.
frontend http_front
    bind *:80
    default_backend web_servers

backend web_servers
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    server web1 192.168.1.10:80 check inter 2s rise 2 fall 3
    server web2 192.168.1.11:80 check inter 2s rise 2 fall 3
    server web3 192.168.1.12:80 check inter 2s rise 2 fall 3 backup
Step 4 — Enable the Stats Page
HAProxy ships a built-in statistics dashboard accessible via HTTP. Expose it on a dedicated port so it is not mixed with application traffic.
frontend stats
    bind *:8404
    stats enable
    stats uri /haproxy-stats
    stats refresh 10s
    stats auth admin:StrongPassword123!
    stats admin if TRUE
Open the stats port in the firewall:
sudo firewall-cmd --permanent --add-port=8404/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
Step 5 — Add a TCP Mode Frontend for Database Load Balancing
For raw TCP services such as MySQL, switch the mode to tcp. HAProxy will forward the connection without inspecting HTTP headers, preserving binary protocol framing.
frontend mysql_front
    bind *:3306
    mode tcp
    default_backend mysql_servers

backend mysql_servers
    mode tcp
    balance leastconn
    option mysql-check user haproxy_check
    server db1 192.168.1.20:3306 check inter 5s
    server db2 192.168.1.21:3306 check inter 5s
Allow MySQL traffic through the firewall:
sudo firewall-cmd --permanent --add-service=mysql
sudo firewall-cmd --reload
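As written, the stats listener from Step 4 and the MySQL frontend from Step 5 bind to every interface, and the stats page carries its Basic-auth credentials over plain HTTP. The script below is an added example, not part of the original guide or of HAProxy, that scans an haproxy.cfg for exactly those settings; the function names audit_haproxy_cfg and sample_cfg are hypothetical, and the embedded config is a constructed copy of the guide's two sections.

```shell
# audit_haproxy_cfg [FILE]: print one "section: finding" line per risky setting.
# Function names are hypothetical; the checks cover only the patterns named below.
audit_haproxy_cfg() {
    awk '
    function report() {              # runs when a section ends
        if (stats && plain)
            print sec ": stats page on a wildcard bind without ssl; bind a management address and add TLS"
        if (tcp && wild)
            print sec ": tcp-mode listener on all interfaces; bind only the address clients should reach"
        stats = wild = plain = tcp = 0
    }
    /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
        report(); sec = (NF > 1 ? $2 : $1); next
    }
    $1 == "bind" {
        ssl = 0
        for (i = 3; i <= NF; i++) if ($i == "ssl") ssl = 1
        if ($2 ~ /^(\*|0\.0\.0\.0)?:/) { wild = 1; if (!ssl) plain = 1 }
    }
    $1 == "mode" && $2 == "tcp" { tcp = 1 }
    $1 == "stats" && $2 == "enable" { stats = 1 }
    $1 == "stats" && $2 == "auth" {
        print sec ": stats auth keeps the password in cleartext in haproxy.cfg"
    }
    $1 == "stats" && $2 == "admin" && $3 == "if" && $4 == "TRUE" {
        print sec ": stats admin if TRUE lets every authenticated user change server state"
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the stats and mysql_front sections as written in this guide.
sample_cfg() {
    cat <<'EOF'
frontend stats
    bind *:8404
    stats enable
    stats uri /haproxy-stats
    stats auth admin:StrongPassword123!
    stats admin if TRUE
frontend mysql_front
    bind *:3306
    mode tcp
    default_backend mysql_servers
EOF
}

sample_cfg | audit_haproxy_cfg
```

Run it against the live file with `audit_haproxy_cfg /etc/haproxy/haproxy.cfg`; no output means none of these four patterns were found.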
Step 6 — Configure SSL Termination and Start HAProxy
To terminate TLS at HAProxy, combine the certificate and key into a single PEM file and bind the HTTPS frontend to port 443. HAProxy decrypts traffic and forwards plain HTTP to the backend.
sudo mkdir -p /etc/haproxy/certs
sudo cat /etc/letsencrypt/live/example.com/fullchain.pem \
    /etc/letsencrypt/live/example.com/privkey.pem \
    | sudo tee /etc/haproxy/certs/example.com.pem > /dev/null
sudo chmod 600 /etc/haproxy/certs/example.com.pem
# Add to haproxy.cfg:
# frontend https_front
#     bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
#     default_backend web_servers
#
# Every connection reaching https_front is already TLS, so the redirect has no
# effect there. Put it in frontend http_front (port 80), where ssl_fc is false:
#     redirect scheme https if !{ ssl_fc }
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl start haproxy
sudo systemctl status haproxy
Conclusion
You have installed HAProxy on RHEL 8 and built a configuration covering the global, defaults, frontend, and backend sections. The HTTP frontend distributes requests across three web servers with health checks every 2 seconds, automatically removing failed nodes and promoting the backup server when needed. The TCP frontend demonstrates database-level load balancing with leastconn distribution. The stats page on port 8404 gives you a live dashboard of server state, session counts, and error rates. SSL termination at the proxy layer means your backend servers handle only plain HTTP, simplifying certificate management to a single location.
Next steps: How to Set Up Varnish Cache as a Reverse Proxy on RHEL 8, How to Configure Nginx FastCGI Caching on RHEL 8, and How to Install and Configure OpenLiteSpeed Web Server on RHEL 8.