Using the ACL in HAProxy for Load Balancing Named Virtual Hosts

Until recently, I wasn’t aware of the ACL system in HAProxy, but once I found it I realized that I have been missing a very important part of load balancing with HAProxy!

While the full configuration settings available for the ACL are listed in the configuration doc, the below example includes the basics that you’ll need to build an HAProxy load balancer that supports multiple host headers.

Here is a quick example haproxy configuration file that uses ACLs:

    log local0
    log local1 notice
    maxconn 4096
    user haproxy
    group haproxy

    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

frontend http-in
    bind *:80
    acl is_www_example_com hdr_end(host) -i
    acl is_www_domain_com hdr_end(host) -i
    use_backend www_example_com if is_www_example_com
    use_backend www_domain_com if is_www_domain_com
    default_backend www_example_com

backend www_example_com
    balance roundrobin
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server Server1 cookie Server1
    server Server2 cookie Server2

backend www_domain_com
    balance roundrobin
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server Server1 cookie Server1
    server Server2 cookie Server2

In HAProxy 1.3, the ACL rules are placed in a “frontend” and (depending on the logic) the request is proxied through to any number of “backends”. You’ll notice in our frontend entitled “http-in” that I’m checking the host header using the hdr_end feature. This feature performs a simple check on the host header to see if it ends with the provided argument.

You can find the rest of the Layer 7 matching options by searching for “7.5.3. Matching at Layer 7” in the configuration doc I linked to above. A few of the options I didn’t use but you might find useful are path_beg, path_end, path_sub, path_reg, url_beg, url_end, url_sub, and url_reg. The *_reg commands allow you to perform RegEx matching on the url/path, but there is the usual performance consideration you need to make for RegEx (especially since this is a load balancer).

The first “use_backend” that matches a request will be used, and if none are matched, then HAProxy will use the “default_backend”. You can also combine ACL rules in the “use_backend” statements to match one or more rules. See the configuration doc for more helpful info.

If you’re looking to use HAProxy with SSL, that requires a different approach, and I’ll blog about that soon.

12 thoughts on “Using the ACL in HAProxy for Load Balancing Named Virtual Hosts

  1. Thanks for this post – the HAProxy docs are a huge laundry list of options so it was really helpful to see a concrete example of how to do a multi-backend configuration with ACLs.

  2. Hi,Matt,thanks for the sharing. you mentioned about the HAProxy with SSL, do you have some information about this? I tested the HAProxy with SSL use the TCP mode,but have some questions about the session persistence ,if you can give me some suggestions that’s will be good.Thanks.

  3. Matt, this is an awesome article, eagerly waiting to read the haproxy with SSL article and much better if it also mentions about using ACL’s in TCP mode

  4. Hi, this scenario was what I want 😀
    Thanks you,

    But in according to my needs

    how if :

    Server1 ( and Server1 ( are in one machine (using vhost/same ip)


    Server2 ( and Server2 ( are in Different machine (different ip, not vhost)

    Is it Posible??


    Thank you so mucccchh 🙂

  5. HAProxy is a load balancer. In your second example, both and will need DNS A records that point to the HAProxy server. While it isn’t a requirement that they use the same IP (you can have HAProxy listen to as many interfaces/IPs on one server that you want), you *are* able to use the same IP for both websites, and use HAProxy to examine the HTTP headers to find out what backend servers to send to.

  6. Hello,

    Thank you very much . as i can see you have seperate cluter for seperate domain.

    How will you do to configure backup/failover for both domains ?

    the option backup only works when all the server in the cluster is down.

    I tried using acl for a backup/failover, it worked only for my first domain. for the second one . nope.

    Help plzz 🙁

  7. Hi Matt,

    The article on HA Proxy is very informative. I thought you could help on this issue i have encountered:

    Environment: Balancer http://hn3_host_ip:6080) – http://hn2_host_ip:6080) – http://hn1_host_ip:6080)

    I have to access my application from LoadBalancer i.e, http://hn3_host_ip:6080 which should redirect to hn2 and hn3 with roundrobin .

    Problem: I am able to access only my login page on http://hn3_host_ip:6080, after entering the credentials it takes me back again to the login page again. I would require help in redirecting to GET the application page after the login. Please help me with the piece of configurations to add to redirect it to the application page.

    Below is the /etc/haproxy/haproxy.cfg details:
    frontend haproxy_in
    bind hn3_host_ip:6080
    default_backend ranger_ha

    backend ranger_ha
    balance roundrobin
    mode http
    option httpclose
    option forwardfor
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    server hn1_host_ip:6080 check
    server hn2_host_ip:6080 check



  8. Thank you for this article it has helped me massively,
    I really needed a raw to redirect my traffic in my local network through 1 IP internet to proxy and the alias defines which local machine the alis is sent to.


Leave a Reply

Your email address will not be published. Required fields are marked *