haproxy-ng cookbook

This cookbook is deprecated; use the haproxy cookbook instead.

A resource-driven cookbook for configuring HAProxy.

The cookbook builds on two core resources:

  • haproxy_instance: the "parent" resource, which maps to a complete configuration and (probably) a running haproxy daemon
  • haproxy_proxy: the "core" proxy resource, which maps to a specific proxy

Additional resources haproxy_peers, haproxy_userlist, haproxy_frontend, haproxy_backend, haproxy_defaults, and haproxy_listen extend the haproxy_proxy resource with additional validation for common configuration keywords for their respective proxy types.

Suggested background reading:

  • The Fine Manual
  • This README, the modules in libraries/haproxy*.rb, and the individual resources/providers (libraries/chef_haproxy*.rb)
  • the test target and example wrapper cookbook: 'test/fixtures/cookbooks/my-lb'
  • the consul-template powered example wrapper cookbook: 'test/fixtures/cookbooks/my-consul-lb'



Configures a default instance, 'haproxy_instance[haproxy]', and corresponding 'haproxy' service via the config, tuning, and proxies cookbook attributes (which are mapped onto the corresponding resource attributes).

This recipe also provides a useful example of using the provided helper, Haproxy::Helpers#proxy, to map a list of proxies to their corresponding resources in the resource collection.

See wrapper cookbook example at 'test/fixtures/cookbooks/my-lb'.


Installs haproxy via the node['haproxy']['install_method'] method. Supports 'package', 'source', and 'ppa'.


Configures a default-named ("haproxy") service resource.

Useful for typical installs running a single haproxy daemon under the default 'haproxy' service name. Service providers, or those running multiple haproxy daemons on a single host, will most likely want to configure a service instance per haproxy_instance.


| Attribute | Description | Default |
|---|---|---|
| install_method | One of: 'package', 'source', 'ppa' | package |
| proxies | Array of proxy names for the default haproxy_instance[haproxy] | [] |
| config | global config of resource haproxy_instance[haproxy] | See attributes/default.rb |
| tuning | global tuning of resource haproxy_instance[haproxy] | See attributes/default.rb |

And more! (see attributes/*.rb)



The "parent" resource. Maps 1-to-1 with a generated haproxy config file, and most likely to a running service.

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| config | global keywords for process mgmt | ['daemon'] |
| tuning | global keywords for performance | ['maxconn 256'] |
| debug | global keyword for debugging ('debug', 'quiet') | nil |
| proxies | array of proxies, see default recipe for example | [] |


The simplest proxy representation and base class for the other proxy resources (peers, userlist, defaults, frontend, backend, listen).

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| type | String denoting proxy type. (defaults, frontend, backend, listen, peers, userlist) | nil |
| config | array of keywords, validated against specified type | [] |


Maps to a peers block in haproxy configuration. Not actually a proxy, but treating it like one is useful for code reusability. Don't judge me.

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| peers | array of hashes. each hash requires 'name', 'config' keys | [] |
| config | array of peers keywords. validated against whitelist | [] |

For example, this resource:

haproxy_peers 'lb' do
  peers [
    {
      'name' => 'lb01',
      'address' => '',
      'port' => 1_024
    },
    {
      'name' => 'lb02',
      'address' => '',
      'port' => 1_024
    }
  ]
end

will render this configuration:

peers lb
  peer lb01
  peer lb02


Maps to a userlist block in haproxy configuration. Also not actually a proxy, as such.

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| groups | array of hashes. hashes require 'name', 'config' keys | [] |
| users | array of hashes. hashes require 'name', 'config' keys | [] |
| config | array of userlist keywords, validated against whitelist | [] |

For example, this resource:

haproxy_userlist 'L1' do
  groups [
    { 'name' => 'G1', 'config' => 'users tiger,scott' },
    { 'name' => 'G2', 'config' => 'users xdb,scott' }
  ]
  users [
    { 'name' => 'tiger', 'config' => 'insecure-password password123' },
    { 'name' => 'scott', 'config' => 'insecure-password pa55word123' },
    { 'name' => 'xdb', 'config' => 'insecure-password hello' }
  ]
end

will render this configuration:

userlist L1
  group G1 users tiger,scott
  group G2 users xdb,scott
  user tiger insecure-password password123
  user scott insecure-password pa55word123
  user xdb insecure-password hello
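
The userlist above uses insecure-password, which leaves the cleartext credential in both the recipe and the rendered haproxy.cfg; HAProxy's userlist also accepts the password keyword followed by a crypt(3) hash. The check below is an added example, not part of the cookbook: it audits a users array in the format shown above, and the name audit_userlist_users, the 'ops' entry and its placeholder hash are constructed for illustration.

```ruby
# Added example (not cookbook code): audit the 'users' attribute of a
# haproxy_userlist resource before it is rendered into haproxy.cfg.
# HAProxy accepts two credential keywords on a userlist 'user' line:
#   insecure-password <cleartext>  - readable by anyone who can read the config
#   password <crypt(3) hash>       - only the hash is stored
# Shape of a SHA-256 ($5$) or SHA-512 ($6$) crypt string, optional rounds=N.
CRYPT_HASH = /\A\$[56]\$(?:rounds=\d+\$)?[^$]{1,16}\$[.\/0-9A-Za-z]{43,86}\z/

# Returns an array of [user_name, finding] pairs; an empty array means clean.
def audit_userlist_users(users)
  users.each_with_object([]) do |user, findings|
    name = user['name']
    # 'config' is "<keyword> <value> [groups ...]"; only the first two matter.
    keyword, value = user['config'].to_s.split(/\s+/, 3)
    case keyword
    when 'insecure-password'
      findings << [name, 'cleartext password in config']
    when 'password'
      unless value.to_s.match?(CRYPT_HASH)
        findings << [name, 'not a SHA-256/SHA-512 crypt hash']
      end
    else
      findings << [name, 'no recognised credential keyword']
    end
  end
end

# Constructed sample: the three users from the README example plus one
# entry whose value is a placeholder in SHA-512 crypt format (not a real hash).
PLACEHOLDER_HASH = '$6$examplesalt$' + ('A' * 86)
SAMPLE_USERS = [
  { 'name' => 'tiger', 'config' => 'insecure-password password123' },
  { 'name' => 'scott', 'config' => 'insecure-password pa55word123' },
  { 'name' => 'xdb',   'config' => 'insecure-password hello' },
  { 'name' => 'ops',   'config' => "password #{PLACEHOLDER_HASH} groups G1" }
].freeze

audit_userlist_users(SAMPLE_USERS).each do |name, finding|
  puts "userlist user #{name}: #{finding}"
end
```

A real hash for the password keyword can be produced outside the recipe, for example with mkpasswd -m sha-512, so the cleartext never enters the cookbook or node attributes.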


Maps to a 'defaults' block in haproxy configuration. Convention suggests that resource names be capitalized (e.g. haproxy_defaults[HTTP]).

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| mode | specifies listener mode (http, tcp, health) | nil |
| default_backend | argument to default_backend keyword | nil |
| balance | desired balancing algo (see docs for permitted values) | nil |
| source | argument to source keyword | nil |
| config | array of defaults keywords, validated against whitelist | [] |

For example, this resource:

haproxy_defaults 'TCP' do
  mode 'tcp'
  balance 'leastconn'
  source node['ipaddress']
  config [
    'option clitcpka',
    'option srvtcpka',
    'timeout connect 5s',
    'timeout client 300s',
    'timeout server 300s'
  ]
end

will render this configuration:

defaults TCP
  balance leastconn
  mode tcp
  option clitcpka
  option srvtcpka
  timeout connect 5s
  timeout client 300s
  timeout server 300s


Maps to a frontend block in the instance configuration, and typically to one or more listening ports or sockets.

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| mode | specifies listener mode (http, tcp, health) | nil |
| acls | array of hashes, each requiring 'name', 'criterion' keys | [] |
| description | string describing proxy | nil |
| bind | args to bind keyword | nil |
| default_backend | argument to default_backend keyword | nil |
| use_backends | array of hashes, each requiring 'backend', 'condition' keys | [] |
| config | array of frontend keywords, validated against whitelist | [] |
| config_tail | same as 'config' only appended after acls | [] |

For example, this resource:

haproxy_frontend 'www' do
  mode 'http'
  acls [
    {
      'name' => 'inside',
      'criterion' => 'src'
    }
  ]
  description 'http frontend'
  bind '*:80'
  default_backend 'app'
  use_backends [
    {
      'backend' => 'app',
      'condition' => 'if inside'
    }
  ]
  config [
    'option clitcpka'
  ]
  config_tail [
    'http-request allow if inside'
  ]
end

will render this configuration:

frontend www
  bind *:80
  mode http
  option clitcpka
  description http frontend
  acl inside src
  http-request allow if inside
  default_backend app
  use_backend app if inside


Maps to a backend configuration block in haproxy configuration.

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| mode | specifies listener mode (http, tcp, health) | nil |
| acls | array of hashes, each requiring 'name', 'criterion' keys | [] |
| description | string describing proxy | nil |
| balance | desired balancing algo (see docs for permitted values) | nil |
| source | string specifying args to source keyword | nil |
| servers | array of hashes, each requiring 'name', 'address', 'port' keys. 'config' key optional | [] |
| config | array of backend keywords, validated against whitelist | [] |
| config_tail | same as 'config' only appended after acls | [] |

For example, this resource:

haproxy_backend 'app' do
  mode 'http'
  acls [
    {
      'name' => 'inside',
      'criterion' => 'src'
    }
  ]
  description 'app pool'
  balance 'roundrobin'
  source node['ipaddress']
  servers [
    {
      'name' => 'app01',
      'address' => '',
      'port' => 80,
      'config' => 'check inter 5000 rise 2 fall 5'
    },
    {
      'name' => 'app02',
      'address' => '',
      'port' => 80,
      'config' => 'check inter 5000 rise 2 fall 5'
    }
  ]
  config [
    'option httpchk GET /health_check HTTP/1.1\r\nHost:\ localhost'
  ]
  config_tail [
    'http-request allow if inside'
  ]
end

will render this configuration:

backend app
  balance roundrobin
  mode http
  option httpchk GET /health_check HTTP/1.1\r\nHost:\ localhost
  description app pool
  acl inside src
  http-request allow if inside
  server app01 check inter 5000 rise 2 fall 5
  server app02 check inter 5000 rise 2 fall 5


Maps to a listen configuration block, which combines frontend and backend config blocks into a single proxy. Less flexible, but more concise. Typically used for tcp-mode proxies with a 1:1 frontend:backend mapping.

| Attribute | Description | Default |
|---|---|---|
| verify | whether to perform resource whitelist validation | true |
| mode | specifies listener mode (http, tcp, health) | nil |
| acls | array of hashes, each requiring 'name', 'criterion' keys | [] |
| description | string describing proxy | nil |
| balance | desired balancing algo (see docs for permitted values) | nil |
| source | string specifying args to source keyword | nil |
| servers | array of hashes, each requiring 'name', 'address', 'port' keys. 'config' key optional | [] |
| bind | args to bind keyword | nil |
| default_backend | argument to default_backend keyword | nil |
| use_backends | array of hashes, each requiring 'backend', 'condition' keys | [] |
| config | array of listen keywords, validated against whitelist | [] |
| config_tail | same as 'config' only appended after acls | [] |

For example, this resource:

haproxy_listen 'mysql' do
  mode 'tcp'
  acls [
    {
      'name' => 'inside',
      'criterion' => 'src'
    }
  ]
  description 'mysql pool'
  balance 'leastconn'
  source node['ipaddress']
  bind ''
  servers [
    {
      'name' => 'mysql01',
      'address' => '',
      'port' => 3_306,
      'config' => 'maxconn 500 check port 3306 inter 2s backup'
    },
    {
      'name' => 'mysql02',
      'address' => '',
      'port' => 3_306,
      'config' => 'maxconn 500 check port 3306 inter 2s backup'
    }
  ]
  config [
    'option mysql-check'
  ]
  config_tail [
    'http-request allow if inside'
  ]
end

will generate this configuration:

listen mysql
  balance leastconn
  mode tcp
  option mysql-check
  description mysql pool
  acl inside src
  http-request allow if inside
  server mysql01 maxconn 500 check port 3306 inter 2s backup
  server mysql02 maxconn 500 check port 3306 inter 2s backup