HAProxy 1.5.4 Performance Tuning


I currently have HAProxy 1.5.4 setup using keepalived for HA on centos 7 using IPtables to create a transparent load balancer to load balance a number of cisco WSA proxy servers for internet filtering on an infrastructure of around 15,000 users running on vmware and cisco UCS with one GB nic.

All has been running well until the load was increased, at first i realised the maxconn on the frontend was set at default and has now been changed to 5000.

Being new to HAProxy and having only set it up following a guide for our exchange environment could anyone point out any obvious issues in my config below and any performance improvements I could make.

edit Users have been reporting a lack of internet connectivity which usually happens when the current sessions reaches around 2,500-3000.

HAProxy Config:

    log /dev/log local4
    maxconn 40000
    ulimit-n 81000

    log global
    timeout connect 4000
    timeout client 42000
    timeout server 43000
    mode http

frontend http-in
    bind *:80
    maxconn 5000
    default_backend backend_servers
    option  forwardfor
    option http-server-close

backend backend_servers
    balance leastconn
    stick-table type ip size 10240k expire 10m
    stick on src
    server  wsa01 check inter 30000 fall 5
    server  wsa02 check inter 30000 fall 5
    server  wsa03 check inter 30000 fall 5
    source usesrc clientip

listen stats *:7000
   stats enable
   stats hide-version
   stats refresh 30s
   stats show-node
   stats uri     /
   stats auth    admin:REDACTED

IPtables Config:

:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x6f/0xffffffff

Added to rc.local for iptables:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local dev lo table 100

Keepalived Config:

! Configuration File for keepalived

global_defs {
notification_email {
notification_email_from REDACTED@EMAIL
smtp_connect_timeout 30

vrrp_script chk_haproxy {
script "killall -0 haproxy" # this will check if the haproxy is up
interval 45 # check every 5 seconds
weight 2 # add 2 points of priority if OK

vrrp_instance VI_1 {
interface ens32
state MASTER # or "BACKUP" on backup
priority 101 # 101 on master, 100 on backup
virtual_router_id 60

smtp_alert # Activate SMTP notifications, you can remove this if you dont want alerts

authentication {
    auth_type PASS
    auth_pass REDACTED

virtual_ipaddress {
track_script {

Many Thanks in advance for any assistance...


asked on Server Fault Jul 15, 2015 by Rebus • edited Jul 15, 2015 by Rebus

1 Answer


You can add nbproc N to Global, where N is the number of cores on your server. This will get HAproxy to use all the cores. You can allocate groups of processors to different frontends and backends to, for example, prioritise a frontend that does SSL.

answered on Server Fault Jul 15, 2015 by Justin Hourigan

User contributions licensed under CC BY-SA 3.0