Ha
Developer Tools AWS

HAProxy on AWS User Guide

| Product: HAProxy on AWS

Overview

HAProxy is the world's fastest and most widely used open-source software load balancer and reverse proxy, powering high-traffic sites with TCP and HTTP load balancing, health checking, and observability. The cloudimg image installs HAProxy as the packaged haproxy.service, binds the public frontend on port 80, ships a self-contained demo backend so the load balancer and the built-in Statistics Report are live the moment the instance boots, and rotates a unique stats password on the first boot of every instance. The HAProxy configuration lives on a dedicated data volume mounted at /etc/haproxy. Backed by 24/7 cloudimg support.

What is included:

  • HAProxy bound to :80 as the public frontend (HAProxy is the listener - no nginx)
  • The built-in HAProxy Statistics Report at /stats, protected by HTTP Basic auth with a per instance password
  • An unauthenticated /health endpoint returning 200 ok for load balancers and probes
  • A self-contained demo backend of two loopback responders so the LB and stats show live traffic with no external dependency
  • A per instance stats password generated on first boot and recorded in a root-only file
  • haproxy.service as a systemd unit, enabled and active
  • The HAProxy configuration on a dedicated, independently resizable data volume at /etc/haproxy
  • 24/7 cloudimg support

Prerequisites

An Amazon Web Services account where you can launch EC2 instances, an EC2 key pair in the target Region, and a VPC + subnet. m5.large is a good starting point. Security group inbound: allow 22/tcp from your management network and 80/tcp.

Step 1: Launch the Instance from the AWS Marketplace

Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for HAProxy by cloudimg. Select the cloudimg listing and choose Select, then Continue on the subscription summary. Pick your instance type and EC2 key pair, and under Network settings select a security group that allows inbound ports 22 and 80 as described above. Select Launch instance.

Step 2: Launch the Instance from the AWS CLI

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type m5.large \
  --key-name <key-name> \
  --subnet-id <subnet-id> \
  --security-group-ids <security-group-id> \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=haproxy-01}]'

Step 3: Connect to your Instance

The SSH login user depends on the operating system of the AMI variant you launched:

AMI variant SSH login user
HAProxy on Rocky Linux 9 rocky
ssh -i <path-to-key>.pem rocky@<instance-public-ip>

Step 4: Confirm HAProxy is running

systemctl is-active haproxy.service

It reports active. On first boot HAProxy generates its unique stats password and starts serving the frontend on port 80.

Step 5: Retrieve your stats password

The Statistics Report password is generated uniquely on the first boot of your instance and written to a root-only file:

sudo cat /root/haproxy-credentials.txt

This file contains HAPROXY_STATS_URL, HAPROXY_STATS_USER (admin) and the stats password line haproxy.stats.pass. Store the password somewhere safe.

Step 6: Open the Statistics Report

Browse to http://<instance-public-ip>/stats and sign in as admin with the password from Step 5. The HAProxy Statistics Report shows every frontend, backend and server, with live session counters, byte counts, health-check state, and (because stats admin is enabled) controls to enable/disable individual backend servers.

HAProxy Statistics Report - full table

HAProxy Statistics Report - frontend section

HAProxy Statistics Report - backend servers UP

HAProxy Statistics Report - live counters

Step 7: Confirm the health endpoint

HAProxy serves an unauthenticated health endpoint for load balancers and probes:

curl -s http://localhost/health

It returns ok.

Step 8: Verify the Statistics Report from the command line

The stats page rejects an anonymous request, rejects a wrong password, and accepts the per instance admin password:

curl -s -o /dev/null -w 'unauth=%{http_code}\n' http://localhost/stats
curl -s -o /dev/null -w 'admin=%{http_code}\n' -u "admin:<HAPROXY_STATS_PASSWORD>" http://localhost/stats

The first returns unauth=401; the second returns admin=200.

Step 9: See the demo backend load-balancing

Out of the box, the default frontend routes to the bundled demo backend, which round-robins between two loopback responders so the Statistics Report has live traffic to show. Hit the root path a few times:

curl -s http://localhost/

Repeated requests alternate between the two demo responders as HAProxy load-balances, and the traffic appears in the Statistics Report.

Step 10: Route to your own app servers

Edit /etc/haproxy/haproxy.cfg and repoint the demo backend servers (or add new backend sections) at your real application servers:

backend demo_backend
    balance roundrobin
    option httpchk GET /
    http-check expect status 200
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check

Validate the configuration and reload HAProxy with zero downtime:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl reload haproxy

The reload performs a seamless, connection-preserving config swap. Your new backends then appear in the Statistics Report with live health-check state.

Maintenance

  • Backends: edit /etc/haproxy/haproxy.cfg; validate with haproxy -c -f /etc/haproxy/haproxy.cfg, then sudo systemctl reload haproxy (zero downtime).
  • Persistence: the HAProxy configuration lives on the dedicated data volume mounted at /etc/haproxy, so it survives reboots and can be snapshotted independently.
  • Stats password: rotate by editing the stats auth admin: line in /etc/haproxy/haproxy.cfg and reloading.
  • Logs: HAProxy logs to the journal - journalctl -u haproxy.
  • Runtime API: the admin stats socket lives at /run/haproxy/admin.sock for live server enable/disable via socat.
  • Security patches: automatic security updates remain enabled so the OS continues to receive security patches.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.