Skip to main content

HAProxy Configuration

In order for the plugin to gather statistics, HAProxy must expose the /stats;csv endpoint. This is done by editing the haproxy.cfg file (default location: /etc/haproxy/haproxy.cfg).

Minimum configuration (no authentication, no SSL)

Add a dedicated frontend for statistics:

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s

With this configuration the plugin will consume the URL:

http://<SERVER_IP>:8404/stats

The plugin automatically normalizes the URL by appending the ;csv suffix and the norefresh parameter when missing, so it is enough to provide the base stats URL.

Configuration with basic authentication

To protect the endpoint with a username and password, define a userlist and apply http-request auth on the stats frontend:

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s

    acl auth_ok http_auth(stats_users)
    http-request auth realm stats if !auth_ok

userlist stats_users
    user admin password $6$rounds=5000$<SHA512_HASH>

Generate the password hash with mkpasswd or openssl:

mkpasswd -m sha-256 mypassword
# or
openssl passwd -6 mypassword

In the plugin, the same username and password must be provided through --user / --password (or the username / password fields in the configuration file).

Configuration with SSL/TLS

To serve the stats over HTTPS, add ssl crt to the bind directive:

frontend stats
    bind *:8404 ssl crt /etc/haproxy/certs/stats.pem
    stats enable
    stats uri /stats
    stats refresh 10s

Generate a self-signed certificate for testing with:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/haproxy/certs/stats.key \
  -out /etc/haproxy/certs/stats.crt \
  -subj "/CN=localhost"
cat /etc/haproxy/certs/stats.crt /etc/haproxy/certs/stats.key > /etc/haproxy/certs/stats.pem

In the plugin, point to the URL with the https:// scheme and set the --ssl (or verify_ssl) parameter depending on whether the certificate should be validated:

  • verify_ssl = true → for valid certificates in production.
  • verify_ssl = false → for self-signed certificates or testing environments.

Complete configuration (SSL + authentication)

global
    maxconn 4096

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend stats
    bind *:8404 ssl crt /etc/haproxy/certs/stats.pem
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if TRUE

    acl auth_ok http_auth(stats_users)
    http-request auth realm stats if !auth_ok

userlist stats_users
    user admin password $6$rounds=5000$<SHA512_HASH>

frontend myapp
    bind *:80
    default_backend servers

backend servers
    server s1 127.0.0.1:8080 check

After modifying haproxy.cfg, reload the service to apply the changes:

sudo systemctl reload haproxy

Verification

To confirm that the endpoint is responding correctly, you can make a manual request to the stats CSV:

curl -u admin:mypassword http://192.168.0.10:8404/stats;csv

The output must be a CSV whose first record is the header with the column names (# pxname,svname,qcur,qmax,...) and the following rows contain the data of each frontend, backend and server.