How to Configure HAProxy for HTTP and TCP Load Balancing on RHEL 9

November 9, 2025
Linux
Comment off

HAProxy (High Availability Proxy) is a battle-hardened open-source load balancer and proxy for TCP and HTTP workloads. Where Nginx load balancing is sufficient for simple round-robin HTTP distribution, HAProxy provides a richer feature set: advanced health checks with multiple failure thresholds, ACL-based routing, Layer 4 TCP load balancing for non-HTTP protocols (MySQL, Redis, SMTP), detailed per-backend statistics, connection draining, and slow-start for newly added servers. HAProxy is the industry standard for multi-backend deployments that need fine-grained traffic control. This guide covers installing HAProxy 2.x on RHEL 9, configuring HTTP and TCP load balancing with health checks, enabling the stats dashboard, and configuring SSL pass-through.

Prerequisites

At least two backend servers or processes to load balance
RHEL 9 with sudo/root access

Step 1 — Install HAProxy

# HAProxy 2.4 is available in RHEL 9's AppStream
dnf install -y haproxy
haproxy -v

Step 2 — Configure HTTP Load Balancing

# /etc/haproxy/haproxy.cfg
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     50000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# Stats dashboard — accessible at http://server:8404/stats
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:StrongPassword
    stats hide-version

# HTTP frontend — all incoming HTTP traffic
frontend http_frontend
    bind *:80
    # Redirect /api/* to API backends, everything else to web backends
    acl is_api path_beg /api/
    use_backend api_servers if is_api
    default_backend web_servers

# Web servers backend
backend web_servers
    balance     roundrobin
    option      httpchk GET /healthz
    server web1 10.0.1.10:8080 check inter 5s fall 3 rise 2
    server web2 10.0.1.11:8080 check inter 5s fall 3 rise 2
    server web3 10.0.1.12:8080 check inter 5s fall 3 rise 2 weight 2

# API servers backend
backend api_servers
    balance     leastconn
    option      httpchk GET /api/health
    server api1 10.0.1.20:3000 check inter 5s
    server api2 10.0.1.21:3000 check inter 5s

Step 3 — Add TCP Load Balancing

For MySQL, Redis, or other TCP protocols, add a separate frontend/backend pair with mode tcp:

# Append to haproxy.cfg
frontend mysql_frontend
    bind *:3306
    mode tcp
    default_backend mysql_servers

backend mysql_servers
    mode    tcp
    balance leastconn
    option  mysql-check user haproxy_check
    server  db1 10.0.2.10:3306 check inter 5s
    server  db2 10.0.2.11:3306 check inter 5s backup  # db2 only used if db1 fails

Step 4 — SSL Pass-Through

# Append to haproxy.cfg
frontend https_passthrough
    bind *:443
    mode tcp
    option tcplog
    default_backend https_backends

backend https_backends
    mode    tcp
    balance roundrobin
    server  web1 10.0.1.10:443 check
    server  web2 10.0.1.11:443 check

Step 5 — Start and Enable HAProxy

haproxy -f /etc/haproxy/haproxy.cfg -c   # Validate config
systemctl enable --now haproxy
systemctl status haproxy

# Open ports in firewall
firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp --add-port=8404/tcp
firewall-cmd --reload

Step 6 — Verify Load Balancing

# Check which backend handles each request
for i in {1..6}; do curl -s http://example.com/healthz; done

# View live stats
curl -u admin:StrongPassword http://localhost:8404/stats

# Check logs
journalctl -u haproxy -f

Conclusion

HAProxy on RHEL 9 provides enterprise-grade HTTP and TCP load balancing with ACL-based routing, detailed health checks, and per-server weighting. The integrated stats dashboard gives real-time visibility into backend server health and request distribution. The configuration supports both Layer 7 HTTP inspection and Layer 4 TCP pass-through, making it suitable for web, API, database, and cache tier load balancing in a single configuration file.

Next steps: How to Install and Configure OpenLiteSpeed Web Server on RHEL 9, How to Set Up Varnish Cache as a Reverse Proxy on RHEL 9, and How to Configure Nginx Load Balancing on RHEL 9.