Load balancing
HTTP
Although HAProxy can load balance HTTP requests in TCP mode, in which the connections are opaque and the HTTP messages are not inspected or altered, it can also operate in HTTP mode. In HTTP mode, the load balancer can inspect and modify the messages, and perform protocol-specific actions. To enable HTTP mode, set the directive mode http
in your frontend
and backend
section.
Below, we describe features related to distinct versions of the HTTP protocol.
HTTP/2 Jump to heading
You can load balance HTTP/2 over:
- encrypted HTTPS when OpenSSL 1.0.2 or newer is available on the server
- unencrypted HTTP (known as h2c)
Most browsers support HTTP/2 over HTTPS only, but you may find it useful to enable h2c between backend services (e.g. gRPC services).
HTTP/2 over HTTPS to the client Jump to heading
Available since
- HAProxy 1.8
- HAProxy Enterprise 1.8r1
- HAProxy ALOHA 10.0
HTTP/2 is enabled by default between clients and load balancer in HAProxy ALOHA 15.5 / HAProxy Enterprise 2.8r1 and up. You do not need to specify the alpn
extension, because it has a default value of h2,http/1.1
for HTTPS bind lines. Note that ALPN works only for HTTPS bind lines, and so HTTP/2 requires HTTPS. Clients that lack support for HTTP/2 will be automatically reverted to HTTP/1.1. The load balancer server must have OpenSSL 1.0.2 or newer.
haproxy
frontend wwwmode httpbind :443 ssl crt /path/to/cert.crtdefault_backend servers
haproxy
frontend wwwmode httpbind :443 ssl crt /path/to/cert.crtdefault_backend servers
For HAProxy ALOHA 15.0 / HAProxy Enterprise 2.7r1 and older, you will need to specify both the extension and protocols:
haproxy
frontend wwwmode httpbind :443 ssl crt /path/to/cert.crt alpn h2,http/1.1default_backend servers
haproxy
frontend wwwmode httpbind :443 ssl crt /path/to/cert.crt alpn h2,http/1.1default_backend servers
HTTP/2 over HTTPS to the server Jump to heading
Available since
- HAProxy 1.9
- HAProxy Enterprise 1.9r1
- HAProxy ALOHA 11.0
To enable HTTP/2 between the load balancer and your backend servers, add the alpn
argument to your server
or default-server
lines:
haproxy
backend serversmode httpserver s1 192.168.0.10:443 ssl alpn h2,http/1.1server s2 192.168.0.11:443 ssl alpn h2,http/1.1
haproxy
backend serversmode httpserver s1 192.168.0.10:443 ssl alpn h2,http/1.1server s2 192.168.0.11:443 ssl alpn h2,http/1.1
This announces to the servers that the load balancer, acting as a client, supports HTTP/2. The servers must also support it.
HTTP/2 over HTTP (h2c) to the client Jump to heading
Available since
- HAProxy 1.9
- HAProxy Enterprise 1.9r1
- HAProxy ALOHA 11.0
To enable HTTP/2 between clients and the load balancer without using TLS, use the proto
argument to announce support for it. This method does not allow you to support multiple versions of HTTP simultaneously.
haproxy
frontend wwwmode httpbind :80 proto h2default_backend servers
haproxy
frontend wwwmode httpbind :80 proto h2default_backend servers
HTTP/2 over HTTP (h2c) to the server Jump to heading
Available since
- HAProxy 1.9
- HAProxy Enterprise 1.9r1
- HAProxy ALOHA 11.0
To enable HTTP/2 between the load balancer and your backend servers, add the proto
argument to your server
or default-server
lines:
haproxy
backend serversmode httpserver s1 192.168.0.10:80 proto h2server s2 192.168.0.11:80 proto h2
haproxy
backend serversmode httpserver s1 192.168.0.10:80 proto h2server s2 192.168.0.11:80 proto h2
Adjust the HTTP/2 initial window size Jump to heading
When you expect large file uploads over a network with moderately high latency, you may experience slow upload speeds. You can increase the HTTP/2 Flow Control window size to allow the load balancer to buffer more data. Set tune.h2.initial-window-size
in the global
section to the number of bytes the client can upload before waiting for an acknowledgement from the load balancer. For example, you could set a high value like 1048576.
HTTP/3 Jump to heading
HAProxy can send and receive HTTP/3 messages over the QUIC protocol.
While earlier HTTP implementations were transported over TCP, HTTP/3 uses QUIC, a UDP-based, connectionless protocol. To support QUIC, the load balancer must bundle a compatible SSL/TLS library. Ordinarily, the stock OpenSSL library on a Linux system will do, but in this case, we provide a specialized version of OpenSSL. For HAProxy ALOHA 15.5 / HAProxy Enterprise 2.8r1 and newer, bind
lines that use the QUIC protocol will get a default ALPN value of h3
for HTTP/3. Versions prior to that must set the alpn
argument to h3
.
Install for HAProxy Enterprise Jump to heading
Available since
- HAProxy Enterprise 2.7r1
To enable HTTP/3 over QUIC, you must uninstall any prior installed instance of HAProxy Enterprise and install the QUIC-compatible package.
This package is available for the following operating system versions:
- AlmaLinux 9
- Debian 11
- Red Hat Enterprise Linux 9
- Rocky Linux 9
- Ubuntu 22.04
To install HAProxy Enterprise with QUIC support:
-
Uninstall any prior installed instance of HAProxy Enterprise.
-
Install the QUIC-compatible HAProxy Enterprise package, replacing
<HAProxy Enterprise key>
with your HAProxy Enterprise license key:nixwget https://www.haproxy.com/static/install_haproxy_enterprise.shsudo bash ./install_haproxy_enterprise.sh \--version 2.9r1 \--key <HAProxy Enterprise key> \--quictlsnixwget https://www.haproxy.com/static/install_haproxy_enterprise.shsudo bash ./install_haproxy_enterprise.sh \--version 2.9r1 \--key <HAProxy Enterprise key> \--quictls -
Update your configuration file so that your
frontend
includes required directives:haproxyfrontend examplebind :80# Enable HTTPSbind :443 ssl crt ssl.pem# enables HTTP/3 over QUICbind quic4@:443 ssl crt ssl.pem alpn h3# Redirects to HTTPShttp-request redirect scheme https unless { ssl_fc }# 'Alt-Svc' header invites client to switch to the QUIC protocol# Max age (ma) is set to 15 minutes (900 seconds), but# can be increased once verified working as expectedhttp-response set-header alt-svc "h3=\":443\";ma=900;"default_backend webservershaproxyfrontend examplebind :80# Enable HTTPSbind :443 ssl crt ssl.pem# enables HTTP/3 over QUICbind quic4@:443 ssl crt ssl.pem alpn h3# Redirects to HTTPShttp-request redirect scheme https unless { ssl_fc }# 'Alt-Svc' header invites client to switch to the QUIC protocol# Max age (ma) is set to 15 minutes (900 seconds), but# can be increased once verified working as expectedhttp-response set-header alt-svc "h3=\":443\";ma=900;"default_backend webservers -
Enable and start the service:
nixsudo systemctl enable hapee-2.9-lbsudo systemctl start hapee-2.9-lbnixsudo systemctl enable hapee-2.9-lbsudo systemctl start hapee-2.9-lb
See also Jump to heading
Do you have any suggestions on how we can improve the content of this page?