
This article provides a guide for how to install and configure HAProxy on Oracle Linux VPS servers.
What is HAProxy?
HAProxy (High Availability Proxy) is an open-source software widely used for load balancing, proxying, and high availability in modern IT infrastructure. It is especially popular in web hosting, cloud platforms, and large-scale enterprise environments.
Key Features
- Load Balancing: Distributes traffic across multiple backend servers (e.g., web, app, or database servers) to improve performance and prevent overloading a single machine.
- High Availability: Provides automatic failover, so if one server goes down, traffic is routed to healthy ones.
- Reverse Proxy: Sits between clients (users) and backend servers, hiding internal details and providing security, caching, and SSL termination.
- Protocol Support: Works primarily with TCP and HTTP, but can also handle newer protocols (HTTP/2, gRPC, etc.).
- Health Checks: Monitors the status of backend servers and only forwards traffic to healthy ones.
- Scalability: Handles millions of requests per second efficiently, making it suitable for large websites and applications.
Common Use Cases
- Web Hosting/Cloud: Balance web traffic across multiple web servers (Apache, Nginx, etc.).
- API Gateways: Protect and scale REST or gRPC APIs.
- Security: Terminate SSL/TLS, filter malicious requests, prevent DDoS with rate limiting.
- Microservices: Route requests intelligently in containerized or service-oriented architectures (with Docker, Kubernetes, etc.).
Example Setup
Imagine you have three web servers running the same application. Instead of directing users to one server, you configure HAProxy as a front-end. Clients connect to HAProxy, which then decides—based on rules (round robin, least connections, etc.)—which backend server to forward the request to. This ensures:
- Faster response times
- Better uptime
- Easier scaling
HAProxy Configuration Guide for Oracle Linux VPS
Understanding HAProxy’s Role
Before diving into configuration, it’s important to understand what HAProxy does. Think of HAProxy as a traffic director at a busy intersection – it receives incoming web requests and intelligently routes them to the most appropriate backend server based on rules you define. This prevents any single server from becoming overwhelmed and provides redundancy if one server fails.
How to Install and Configure HAProxy on Oracle Linux VPS Servers
To install and configure HAProxy on Oracle Linux VPS servers, follow the steps below:
Step 1: Update Your Oracle Linux System
Start by ensuring your system is up to date. This is crucial for security and compatibility:
```bash
# Update the package database and installed packages
sudo dnf update -y

# Install essential development tools (needed for some configurations)
sudo dnf groupinstall "Development Tools" -y
```
Step 2: Install HAProxy
Oracle Linux provides HAProxy through its standard repositories, making installation straightforward:
```bash
# Install HAProxy from the official repository
sudo dnf install haproxy -y

# Verify the installation and check the version
haproxy -v
```
The version information tells you which features are available. Modern versions include enhanced SSL/TLS support and improved load balancing algorithms.
Step 3: Enable and Start HAProxy Service
Configure HAProxy to start automatically when your server boots:
```bash
# Enable HAProxy to start on boot
sudo systemctl enable haproxy

# Start the HAProxy service
sudo systemctl start haproxy

# Check the service status to ensure it's running properly
sudo systemctl status haproxy
```
Step 4: Create a Basic Configuration
Let’s start with a foundational configuration that you can build upon. First, back up the original configuration:
```bash
# Create a backup of the original configuration
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.backup

# Create a new configuration file
sudo nano /etc/haproxy/haproxy.cfg
```
Here’s a comprehensive basic configuration:
```
#---------------------------------------------------------------------
# Global settings - These affect the entire HAProxy process
#---------------------------------------------------------------------
global
    # Run HAProxy as the haproxy user for security
    user haproxy
    group haproxy

    # Create a chroot jail for additional security (optional but recommended)
    chroot /var/lib/haproxy

    # Specify the maximum number of connections HAProxy can handle
    maxconn 4000

    # Enable logging to syslog
    log 127.0.0.1:514 local0

    # Create a stats socket for runtime management
    # (mode 600 keeps the admin-level socket owner-only)
    stats socket /var/run/haproxy.sock mode 600 level admin

    # Daemon mode - run in background
    daemon

#---------------------------------------------------------------------
# Default settings - Applied to all frontend/backend sections
#---------------------------------------------------------------------
defaults
    # Use HTTP mode (as opposed to TCP mode)
    mode http

    # Send logs to the target defined in the global section;
    # without this line the proxies below log nothing
    log global

    # Enable HTTP connection logging
    option httplog

    # Don't log connections on which no data was exchanged (reduces log noise)
    option dontlognull

    # Close the server-side connection after each response
    option http-server-close

    # Forward the original client IP to backend servers in X-Forwarded-For
    option forwardfor header X-Forwarded-For

    # Timeout settings - adjust based on your application needs
    timeout connect 5000ms   # Time to connect to backend server
    timeout client 50000ms   # Time to wait for client data
    timeout server 50000ms   # Time to wait for server response

    # Error page customization (optional)
    # These files must exist, otherwise the syntax check fails;
    # adjust the paths to where your package installs them
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# Frontend - This is where clients connect
#---------------------------------------------------------------------
frontend web_frontend
    # Listen on port 80 for HTTP traffic
    bind *:80

    # Optional: Redirect HTTP to HTTPS
    # redirect scheme https if !{ ssl_fc }

    # Define which backend to use for incoming requests
    default_backend web_servers

    # Optional: Add custom headers
    http-request set-header X-Forwarded-Proto http

#---------------------------------------------------------------------
# Backend - These are your actual web servers
#---------------------------------------------------------------------
backend web_servers
    # Use round-robin load balancing (distributes requests evenly)
    balance roundrobin

    # Health check configuration
    option httpchk GET /health

    # Define your backend servers
    # Replace these IP addresses with your actual server IPs
    server web1 192.168.1.10:80 check inter 2000ms rise 2 fall 3
    server web2 192.168.1.11:80 check inter 2000ms rise 2 fall 3

    # Backup server (only used if all primary servers are down)
    server backup_web 192.168.1.12:80 check backup

#---------------------------------------------------------------------
# Statistics page (optional but very useful for monitoring)
#---------------------------------------------------------------------
listen stats
    # Access statistics on port 8080
    bind *:8080

    # Enable statistics
    stats enable

    # Statistics page URI
    stats uri /stats

    # Authentication for stats page (change these credentials!)
    # This listener is plain HTTP, so the credentials cross the network unencrypted
    stats auth admin:secure_password_here

    # Refresh interval
    stats refresh 30s

    # Hide HAProxy version for security
    stats hide-version
```
Step 5: Configure Firewall Rules
Oracle Linux typically uses firewalld. You need to open the necessary ports:
```bash
# Open HTTP port (80)
sudo firewall-cmd --permanent --add-service=http

# Open HTTPS port (443) if you plan to use SSL
sudo firewall-cmd --permanent --add-service=https

# Open statistics port (8080) - be careful with this in production
sudo firewall-cmd --permanent --add-port=8080/tcp

# Open any custom ports your application uses
# sudo firewall-cmd --permanent --add-port=8000/tcp

# Reload firewall rules
sudo firewall-cmd --reload

# Verify the rules are active
sudo firewall-cmd --list-all
```
Step 6: Test and Validate Configuration
Before starting HAProxy with your new configuration, always test it first:
```bash
# Test the configuration syntax
sudo haproxy -f /etc/haproxy/haproxy.cfg -c

# If the test passes, restart HAProxy
sudo systemctl restart haproxy

# Check if HAProxy started successfully
sudo systemctl status haproxy

# View HAProxy logs to troubleshoot any issues
sudo journalctl -u haproxy -f
```
Step 7: Advanced SSL/HTTPS Configuration
For production environments, you’ll likely need SSL support. Here’s how to configure HTTPS:
First, obtain your SSL certificates and place them in /etc/ssl/certs/. HAProxy expects the file named by crt to hold the certificate, any intermediate certificates and the private key together in PEM format, so keep that file readable by root only. Then modify your configuration:
```
# Add to your frontend section
frontend web_frontend
    # HTTP on port 80
    bind *:80

    # HTTPS on port 443 with SSL certificate
    bind *:443 ssl crt /etc/ssl/certs/your-domain.pem

    # Redirect HTTP to HTTPS
    redirect scheme https if !{ ssl_fc }

    # Security headers for HTTPS
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-Content-Type-Options "nosniff"

    default_backend web_servers
```
Step 8: Performance Tuning and Monitoring
System-Level Optimizations
```bash
# Increase system limits for HAProxy
# Note: limits.conf is applied by PAM at login; a systemd-managed service
# takes its limit from LimitNOFILE in the unit file instead
echo "haproxy soft nofile 65536" | sudo tee -a /etc/security/limits.conf
echo "haproxy hard nofile 65536" | sudo tee -a /etc/security/limits.conf

# Optimize network settings
echo "net.core.somaxconn = 65536" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog = 65536" | sudo tee -a /etc/sysctl.conf

# Apply the changes
sudo sysctl -p
```
Monitoring and Logging Setup
Configure rsyslog to handle HAProxy logs properly:
```bash
# Create HAProxy log configuration
# The listen address is set before the listener is started so that
# UDP port 514 is bound to localhost only, not to every interface
sudo tee /etc/rsyslog.d/49-haproxy.conf << EOF
# Enable UDP syslog reception
\$ModLoad imudp
\$UDPServerAddress 127.0.0.1
\$UDPServerRun 514

# HAProxy log handling
local0.* /var/log/haproxy.log
& stop
EOF

# Restart rsyslog
sudo systemctl restart rsyslog

# Create log rotation for HAProxy logs
# (the log file is owned by root because Oracle Linux has no "syslog" user
# by default, and logrotate rejects an unknown owner)
sudo tee /etc/logrotate.d/haproxy << EOF
/var/log/haproxy.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
    postrotate
        /bin/kill -HUP \`cat /var/run/rsyslogd.pid 2> /dev/null\` 2> /dev/null || true
    endscript
}
EOF
```
Step 9: Health Checks and High Availability
Understanding health checks is crucial for maintaining service reliability. HAProxy can detect when backend servers become unavailable and automatically route traffic away from them:
```
# Advanced health check configuration in backend section
backend web_servers
    balance roundrobin

    # HTTP health check with custom path and expected response
    option httpchk GET /health HTTP/1.1\r\nHost:\ example.com
    http-check expect status 200

    # Server definitions with detailed health check parameters
    server web1 192.168.1.10:80 check inter 5s rise 2 fall 3 maxconn 1000
    server web2 192.168.1.11:80 check inter 5s rise 2 fall 3 maxconn 1000

    # Parameters explanation:
    # inter 5s: Check every 5 seconds
    # rise 2: Server considered healthy after 2 consecutive successful checks
    # fall 3: Server considered unhealthy after 3 consecutive failed checks
    # maxconn 1000: Maximum concurrent connections to this server
```
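How inter, rise and fall interact is easier to see on a timeline. The following is an added example, not part of the original guide and a simplified model rather than HAProxy's own code: it replays a constructed sequence of check results through the consecutive-success and consecutive-failure counters described above. The function names are assumptions, and the server is assumed to start in the UP state.

```shell
#!/bin/sh
# Added example: model of the rise/fall counters in steady state.
# RESULTS is a string of check outcomes, P = passed, F = failed.
# The server is assumed to start UP; fastinter/downinter are not modelled.

# Print the server state after each check, space-separated.
health_timeline() {   # usage: health_timeline RISE FALL RESULTS
  awk -v rise="$1" -v fall="$2" -v results="$3" 'BEGIN {
    state = "UP"; ok = 0; bad = 0; out = ""
    for (i = 1; i <= length(results); i++) {
      if (substr(results, i, 1) == "P") {
        bad = 0; ok++                      # a pass resets the failure streak
        if (state == "DOWN" && ok >= rise) state = "UP"
      } else {
        ok = 0; bad++                      # a failure resets the success streak
        if (state == "UP" && bad >= fall) state = "DOWN"
      }
      out = out (i > 1 ? " " : "") state
    }
    print out
  }'
}

# Time of the check that first marks the server DOWN, with checks every
# INTER seconds starting at t = INTER; prints "never" if it stays UP.
seconds_until_down() {   # usage: seconds_until_down INTER RISE FALL RESULTS
  health_timeline "$2" "$3" "$4" | awk -v inter="$1" '{
    for (i = 1; i <= NF; i++) if ($i == "DOWN") { print i * inter; exit }
    print "never"
  }'
}

# Values from the backend above: inter 5s, rise 2, fall 3 (inputs are constructed).
echo "hard failure : $(health_timeline 2 3 FFFPPP)"
echo "marked down  : $(seconds_until_down 5 2 3 FFFF)s after checks start failing"
echo "flapping     : $(seconds_until_down 5 2 3 FFPFFPFFP)"
```

With these values a hard failure is only acted on at the third failed check, and a backend that fails two checks out of every three is never removed from rotation, which is worth knowing when choosing fall.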
Step 10: Securing Your HAProxy Installation
Security should be a primary concern when configuring HAProxy:
```bash
# Create a dedicated haproxy user if it doesn't exist
id haproxy > /dev/null 2>&1 || sudo useradd -r -s /sbin/nologin haproxy

# Set proper permissions on configuration files
sudo chown root:haproxy /etc/haproxy/haproxy.cfg
sudo chmod 640 /etc/haproxy/haproxy.cfg

# Create chroot directory
sudo mkdir -p /var/lib/haproxy
sudo chown haproxy:haproxy /var/lib/haproxy
```
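The hardening settings this guide relies on (the user and chroot directives, the owner-only admin socket, and the stats page's bind address and credentials) can be checked mechanically before each reload. The following is an added example, not part of the original guide or of HAProxy; the function name audit_haproxy_cfg, the finding codes, the 12-character minimum and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: static checks for the hardening settings used in this guide.
# Prints one finding per line; prints nothing when every check passes.
audit_haproxy_cfg() {   # usage: audit_haproxy_cfg FILE   (or pipe a config on stdin)
  awk '
    { sub(/#.*/, "") }                      # strip comments
    NF == 0 { next }
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ { sec = $1; name = $2; next }
    sec == "global" && $1 == "user"   { has_user = 1 }
    sec == "global" && $1 == "chroot" { has_chroot = 1 }
    sec == "global" && $1 == "stats" && $2 == "socket" {
      mode = "unset"
      for (i = 4; i < NF; i++) if ($i == "mode") mode = $(i + 1)
      if (mode !~ /^0?[0-7]00$/) print "SOCKET_MODE path=" $3 " mode=" mode
    }
    $1 == "bind" && $2 ~ /^(\*|0\.0\.0\.0)?:/ { wildcard[name] = $2 }
    $1 == "stats" && ($2 == "enable" || $2 == "uri") { stats[name] = 1 }
    $1 == "stats" && $2 == "auth" {
      auth[name] = 1
      pw = substr($3, index($3, ":") + 1)
      # Assumed policy: reject the guide placeholder and anything under 12 characters
      if (pw == "secure_password_here" || length(pw) < 12)
        print "STATS_WEAK_AUTH section=" name
    }
    END {
      if (!has_user)   print "NO_USER global section does not drop privileges"
      if (!has_chroot) print "NO_CHROOT global section has no chroot"
      for (n in stats) {
        if (!(n in auth))  print "STATS_NO_AUTH section=" n
        if (n in wildcard) print "STATS_EXPOSED section=" n " bind=" wildcard[n]
      }
    }
  ' "${1:--}"
}

# Constructed sample that mirrors the stats listener from the basic configuration.
sample_cfg() {
  cat <<'EOF'
global
    user haproxy
    chroot /var/lib/haproxy
    stats socket /var/run/haproxy.sock mode 600 level admin
listen stats
    bind *:8080
    stats enable
    stats auth admin:secure_password_here   # placeholder never changed
EOF
}

sample_cfg | audit_haproxy_cfg
```

To check the live file, call audit_haproxy_cfg /etc/haproxy/haproxy.cfg from a shell that is allowed to read it.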
Understanding HAProxy Configuration Structure
HAProxy’s configuration file is located at /etc/haproxy/haproxy.cfg. The configuration is divided into several sections, each serving a specific purpose:
- Global Section: Server-wide settings like logging, security, and performance tuning
- Defaults Section: Default settings that apply to all frontend and backend sections
- Frontend Section: Defines how HAProxy receives requests from clients
- Backend Section: Defines the servers that will handle the requests
- Listen Section: Combines frontend and backend in one block (optional)
Troubleshooting Common Issues
When HAProxy doesn’t work as expected, follow this systematic approach:
- Check Configuration Syntax: Always run haproxy -f /etc/haproxy/haproxy.cfg -c first
- Review Service Status: Use systemctl status haproxy to see if the service is running
- Examine Logs: Check /var/log/haproxy.log or use journalctl -u haproxy
- Test Connectivity: Use telnet or curl to test connections to backend servers
- Verify Firewall Rules: Ensure all necessary ports are open
Maintenance and Best Practices
Regular maintenance ensures your HAProxy installation remains secure and performant:
- Monitor the statistics page regularly to identify performance bottlenecks
- Keep HAProxy updated with security patches
- Review and rotate logs to prevent disk space issues
- Test your configuration in a staging environment before applying changes to production
- Document any custom configurations for your team
This configuration provides a solid foundation for most web applications. As your needs grow, you can add features like rate limiting, advanced routing rules, and integration with service discovery systems.
Conclusion
You now know how to install and configure HAProxy on Oracle Linux VPS servers.