HAProxy on AWS User Guide
Overview
HAProxy is the world's fastest and most widely used open-source software load balancer and reverse proxy, powering high-traffic sites with TCP and HTTP load balancing, health checking, and observability. The cloudimg image installs HAProxy as the packaged haproxy.service, binds the public frontend on port 80, ships a self-contained demo backend so the load balancer and the built-in Statistics Report are live the moment the instance boots, and rotates a unique stats password on the first boot of every instance. The HAProxy configuration lives on a dedicated data volume mounted at /etc/haproxy. Backed by 24/7 cloudimg support.
What is included:
- HAProxy bound to
:80as the public frontend (HAProxy is the listener - no nginx) - The built-in HAProxy Statistics Report at
/stats, protected by HTTP Basic auth with a per instance password - An unauthenticated
/healthendpoint returning200 okfor load balancers and probes - A self-contained demo backend of two loopback responders so the LB and stats show live traffic with no external dependency
- A per instance stats password generated on first boot and recorded in a root-only file
haproxy.serviceas a systemd unit, enabled and active- The HAProxy configuration on a dedicated, independently resizable data volume at
/etc/haproxy - 24/7 cloudimg support
Prerequisites
An Amazon Web Services account where you can launch EC2 instances, an EC2 key pair in the target Region, and a VPC + subnet. m5.large is a good starting point. Security group inbound: allow 22/tcp from your management network and 80/tcp.
Step 1: Launch the Instance from the AWS Marketplace
Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for HAProxy by cloudimg. Select the cloudimg listing and choose Select, then Continue on the subscription summary. Pick your instance type and EC2 key pair, and under Network settings select a security group that allows inbound ports 22 and 80 as described above. Select Launch instance.
Step 2: Launch the Instance from the AWS CLI
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type m5.large \
--key-name <key-name> \
--subnet-id <subnet-id> \
--security-group-ids <security-group-id> \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=haproxy-01}]'
Step 3: Connect to your Instance
The SSH login user depends on the operating system of the AMI variant you launched:
| AMI variant | SSH login user |
|---|---|
| HAProxy on Rocky Linux 9 | rocky |
ssh -i <path-to-key>.pem rocky@<instance-public-ip>
Step 4: Confirm HAProxy is running
systemctl is-active haproxy.service
It reports active. On first boot HAProxy generates its unique stats password and starts serving the frontend on port 80.
Step 5: Retrieve your stats password
The Statistics Report password is generated uniquely on the first boot of your instance and written to a root-only file:
sudo cat /root/haproxy-credentials.txt
This file contains HAPROXY_STATS_URL, HAPROXY_STATS_USER (admin) and the stats password line haproxy.stats.pass. Store the password somewhere safe.
Step 6: Open the Statistics Report
Browse to http://<instance-public-ip>/stats and sign in as admin with the password from Step 5. The HAProxy Statistics Report shows every frontend, backend and server, with live session counters, byte counts, health-check state, and (because stats admin is enabled) controls to enable/disable individual backend servers.




Step 7: Confirm the health endpoint
HAProxy serves an unauthenticated health endpoint for load balancers and probes:
curl -s http://localhost/health
It returns ok.
Step 8: Verify the Statistics Report from the command line
The stats page rejects an anonymous request, rejects a wrong password, and accepts the per instance admin password:
curl -s -o /dev/null -w 'unauth=%{http_code}\n' http://localhost/stats
curl -s -o /dev/null -w 'admin=%{http_code}\n' -u "admin:<HAPROXY_STATS_PASSWORD>" http://localhost/stats
The first returns unauth=401; the second returns admin=200.
Step 9: See the demo backend load-balancing
Out of the box, the default frontend routes to the bundled demo backend, which round-robins between two loopback responders so the Statistics Report has live traffic to show. Hit the root path a few times:
curl -s http://localhost/
Repeated requests alternate between the two demo responders as HAProxy load-balances, and the traffic appears in the Statistics Report.
Step 10: Route to your own app servers
Edit /etc/haproxy/haproxy.cfg and repoint the demo backend servers (or add new backend sections) at your real application servers:
backend demo_backend
balance roundrobin
option httpchk GET /
http-check expect status 200
server app1 10.0.0.11:8080 check
server app2 10.0.0.12:8080 check
Validate the configuration and reload HAProxy with zero downtime:
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl reload haproxy
The reload performs a seamless, connection-preserving config swap. Your new backends then appear in the Statistics Report with live health-check state.
Maintenance
- Backends: edit
/etc/haproxy/haproxy.cfg; validate withhaproxy -c -f /etc/haproxy/haproxy.cfg, thensudo systemctl reload haproxy(zero downtime). - Persistence: the HAProxy configuration lives on the dedicated data volume mounted at
/etc/haproxy, so it survives reboots and can be snapshotted independently. - Stats password: rotate by editing the
stats auth admin:line in/etc/haproxy/haproxy.cfgand reloading. - Logs: HAProxy logs to the journal -
journalctl -u haproxy. - Runtime API: the admin stats socket lives at
/run/haproxy/admin.sockfor live server enable/disable viasocat. - Security patches: automatic security updates remain enabled so the OS continues to receive security patches.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.