This module allows HAProxy to periodically update content of acl and map whose content is loaded from a file.


this module can be used to update map and acl content without reloading HAProxy

Loading lb-update module in HAProxy

  1. Edit HAProxy's configuration file: browse the LB Layer 7 tab from the GUI.

  2. Create (or update) a global section at the top of the file, with the content below:

  module-load  /usr/libexec/haproxy/

lb-update module configuration

Once enabled, lb-update module allows a new HAProxy configuration section named dynamic-update.

This section can contain a single type of directive, named update like below:

update id <id> url <url> [delay <delay>] [timeout <tmout>] [retries <nb>] [map]

With the following parameters:

id <id>

<id> is the file name initially loaded by map or acl; uses the absolute file path

url <url>

<url> is where the file can be downloaded

delay <delay>

<delay> is the download period; by default, its value is 5m

timeout <tmout>

<tmout> is the connection timeout to the download server; by default its value is 5s

retries <nb>

<nb> is the number of tries to establish a connection to the download server


informs that the downloaded file must be interpreted as a map file. By Default, the file is interpreted as an acl file.

Some other HAProxy's configuration parameters available for the server directive can also be applied:

  • ciphers

  • crt

  • force-sslv3

  • force-tlsv10

  • force-tlsv11

  • force-tlsv12

  • no-sslv3

  • no-tlsv10

  • no-tlsv11

  • no-tlsv12

  • no-tls-tickets

  • verify

  • verifyhost

Way of working

At startup, HAProxy loads content of the map or acl from the designated file. If an update directive is setup to update this content, then after the <delay> period of time, HAProxy will download the new content from the given <url>.


Content of the downloaded file replaces existing content.

HAProxy updates the content of the map or acl only if the file has been properly downloaded.

If HAProxy can't get connected on the server for <tmout> time, then it's going to retry <nb> times before giving up.

Configuration example

Deliver redirect URLs based on client IP address:

  • HAProxy's configuration frontend with a map definition and a dynamic-update section to define how to update the map:

frontend fe_main
  mode http
  http-request redirect location src,map_ip( if { src,map_ip( -m found }

  update id map url delay 300s
  • content of the file with a list of subnets and associated redirection:     /maintenance.html /forbiden.html        /deny.html