Chapter 5. Using HAProxy

HAProxy provides high-availability features to OpenStack by load-balancing traffic to controllers running OpenStack services. The haproxy package contains the haproxy daemon, which is started from the systemd service of the same name, along with logging features and sample configurations. As noted earlier, Pacemaker manages the HAProxy service itself as a highly available service called haproxy-bundle.


Refer to the KCS solution How can I verify my haproxy.cfg is correctly configured to load balance openstack services? for information on validating an HAProxy configuration.

In Red Hat OpenStack Platform, the director configures multiple OpenStack services to take advantage of the haproxy service. The director does this by configuring those services in the /var/lib/config-data/haproxy/etc/haproxy/haproxy.cfg file, because HAProxy runs in a dedicated container on each overcloud node.

For each service in that file, you can see the following properties:

  • listen: The name of the service that is listening for requests
  • bind: The IP address and TCP port number on which the service is listening
  • server: The name of each server providing the service, the server’s IP address and listening port, and other information.

The haproxy.cfg file that is created when you install Red Hat OpenStack Platform with the director identifies 19 different services for HAProxy to manage. The following example shows how the cinder listen service is configured in the haproxy.cfg file:

listen cinder
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  option httpchk
  server overcloud-controller-0 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 check fall 5 inter 2000 rise 2

This example of HAProxy settings for the cinder service identifies the IP addresses and ports on which the cinder service is offered (port 8777 on and

The address is a virtual IP address on the Internal API network (VLAN201) for use within the overcloud, and the virtual IP address is on the External network (VLAN100) to provide access to the API network from outside of the overcloud.

HAProxy can direct requests made for those two IP addresses to overcloud-controller-0 (, overcloud-controller-1 (, or overcloud-controller-2 (

The options set on these servers enables health checks (check) and the service is considered to be dead after five failed health checks (fall 5). The interval between two consecutive health checks is set to 2000 milliseconds (or 2 seconds) by inter 2000. A server is considered operational after 2 successful health checks (rise 2).

Here is the list of services managed by HAProxy on the controller nodes:

Table 5.1. Services managed by HAProxy

















5.1. HAProxy Stats

The director also enables HAProxy Stats by default on all HA deployments. This feature allows you to view detailed information about data transfer, connections, server states, and the like on the HAProxy Stats page.

The director also sets the IP:Port address through which you can reach the HAProxy Stats page. To find out what this address is, open the /var/lib/config-data/haproxy/etc/haproxy/haproxy.cfg file of any node where HAProxy is installed. The listen haproxy.stats section lists this information. For example:

listen haproxy.stats
  mode http
  stats enable
  stats uri /
  stats auth admin:<haproxy-stats-password>

In this case, navigate in your browser to and enter the credentials from the stats auth row to view the HAProxy Stats page.

5.2. References

For more information about HAProxy, see HAProxy Configuration (from Load Balancer Administration).

For detailed information about settings you can use in the haproxy.cfg file, see the documentation in /usr/share/doc/haproxy-_VERSION/configuration.txt_ on any system where the haproxy package is installed (such as Controller nodes).