HAProxy Patterns

Production-grade ACL routing, rate limiting, and TLS termination patterns for HAProxy.

ACL-based routing

Route requests by host header, path prefix, or query parameter using named ACLs. Combine conditions with logical operators for precise traffic steering.

frontend http-in
  bind :80
  acl is_api path_beg /api/
  acl is_admin src 10.0.0.0/8
  use_backend api_servers if is_api
  use_backend admin_servers if is_admin
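
The match types named above, combined with HAProxy's implicit AND, `||` and `!`, as an added example that is not part of Meridian's shipped configuration. The hostname `api.example.test`, the `/admin/` path, the `debug` parameter and the `web_servers` backend are constructed for illustration.

```haproxy
frontend http-in
  bind :80

  # Named ACLs: host header, path prefix, query parameter, source network
  # (hostname, /admin/ path and "debug" parameter are constructed sample values)
  acl host_api      hdr(host) -i api.example.test
  acl is_api        path_beg /api/
  acl is_admin      path_beg /admin/
  acl has_debug     url_param(debug) -m found
  acl from_internal src 10.0.0.0/8

  # Conditions listed side by side are ANDed; "!" negates.
  # Refuse admin paths and debug parameters from outside the internal range.
  http-request deny deny_status 403 if is_admin !from_internal
  http-request deny deny_status 403 if has_debug !from_internal

  # use_backend rules are evaluated in order; the first match wins.
  use_backend admin_servers if is_admin from_internal
  use_backend api_servers   if host_api || is_api

  # Hypothetical catch-all backend for everything that matched no rule
  default_backend web_servers
```

Tying the admin route to both the path and the source range keeps internal clients' ordinary traffic off `admin_servers`, and the explicit deny stops external requests for admin paths from falling through to the default backend.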

Rate limiting

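Protect backends with stick-table-based rate limiting. Track per-IP request counts and reject offenders with a 429 response.

frontend http-in
  bind :443 ssl crt /etc/ssl/cert.pem
  # Up to 100k client IPs; idle entries expire after 30s; store the request rate over a 10s window
  stick-table type ip size 100k expire 30s store http_req_rate(10s)
  # Track each request under the client's source address in counter slot 0
  http-request track-sc0 src
  # Reject with 429 once a client exceeds 100 requests in the 10s window
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }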

TLS termination

Terminate TLS at the edge with modern cipher suites. Enforce minimum TLS 1.2 and forward client certificate details to backends via headers.

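frontend https-in
  # ssl-min-ver is a bind-line option, not a standalone frontend keyword
  bind :443 ssl crt /etc/ssl/combined.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
  # ssl_c_s_dn is only populated when the bind line also requests a client certificate (verify with a ca-file)
  http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]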

Health checks

Active and passive health checks with fallback backends. Mark servers down after consecutive failures and resume when they recover.

backend api_servers
  option httpchk GET /health
  default-server inter 3s fall 3 rise 2
  server srv1 10.0.1.10:8080 check
  server srv2 10.0.1.11:8080 check backup

These patterns ship with Meridian's HAProxy integration. See the full integration guide for configuration details.