HAProxy Configuration
In order for the plugin to gather statistics, HAProxy must expose the /stats;csv endpoint. This is done by editing the haproxy.cfg file (default location: /etc/haproxy/haproxy.cfg).
Minimum configuration (no authentication, no SSL)
Add a dedicated frontend for statistics:
frontend stats
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
With this configuration the plugin will consume the URL:
http://<SERVER_IP>:8404/stats
The plugin automatically normalizes the URL by appending the
;csvsuffix and thenorefreshparameter when missing, so it is enough to provide the base stats URL.
Configuration with basic authentication
To protect the endpoint with a username and password, define a userlist and apply http-request auth on the stats frontend:
frontend stats
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
acl auth_ok http_auth(stats_users)
http-request auth realm stats if !auth_ok
userlist stats_users
user admin password $6$rounds=5000$<SHA512_HASH>
Generate the password hash with mkpasswd or openssl:
mkpasswd -m sha-256 mypassword
# or
openssl passwd -6 mypassword
In the plugin, the same username and password must be provided through --user / --password (or the username / password fields in the configuration file).
Configuration with SSL/TLS
To serve the stats over HTTPS, add ssl crt to the bind directive:
frontend stats
bind *:8404 ssl crt /etc/haproxy/certs/stats.pem
stats enable
stats uri /stats
stats refresh 10s
Generate a self-signed certificate for testing with:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/haproxy/certs/stats.key \
-out /etc/haproxy/certs/stats.crt \
-subj "/CN=localhost"
cat /etc/haproxy/certs/stats.crt /etc/haproxy/certs/stats.key > /etc/haproxy/certs/stats.pem
In the plugin, point to the URL with the https:// scheme and set the --ssl (or verify_ssl) parameter depending on whether the certificate should be validated:
-
verify_ssl = true→ for valid certificates in production. -
verify_ssl = false→ for self-signed certificates or testing environments.
Complete configuration (SSL + authentication)
global
maxconn 4096
defaults
mode http
timeout connect 5s
timeout client 30s
timeout server 30s
frontend stats
bind *:8404 ssl crt /etc/haproxy/certs/stats.pem
stats enable
stats uri /stats
stats refresh 10s
stats admin if TRUE
acl auth_ok http_auth(stats_users)
http-request auth realm stats if !auth_ok
userlist stats_users
user admin password $6$rounds=5000$<SHA512_HASH>
frontend myapp
bind *:80
default_backend servers
backend servers
server s1 127.0.0.1:8080 check
After modifying haproxy.cfg, reload the service to apply the changes:
sudo systemctl reload haproxy
Verification
To confirm that the endpoint is responding correctly, you can make a manual request to the stats CSV:
curl -u admin:mypassword http://192.168.0.10:8404/stats;csv
The output must be a CSV whose first record is the header with the column names (# pxname,svname,qcur,qmax,...) and the following rows contain the data of each frontend, backend and server.