Configuring the HAProxy load balancer for Confluence DC

The purpose of a load balancer is to efficiently distribute incoming network traffic across the Confluence nodes of a cluster, here in a round-robin configuration. If you don't have a particular preference or policy for load balancers, you can use HAProxy, which is a popular open-source load balancer. Learn how to get up and running with HAProxy and see sample configurations that you can use as reference points for creating your own setup.

Before you begin

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee any support for it. Please be aware that this material is provided for your information only and that you use it at your own risk.


Download and install HAProxy from http://www.haproxy.org/.

Make sure that you're using HAProxy 2.2.0 or newer for HTTP check and HTTPS support.

To check which version of HAProxy you use, run the following command:

haproxy -v

To configure HAProxy:

  1. Review the contents of the haproxy.cfg file and customize it for your environment.

    The haproxy.cfg file is typically located at /etc/haproxy/haproxy.cfg. See https://docs.haproxy.org/ for more information about configuring HAProxy. Refer to the examples of how to configure HAProxy in different scenarios:

    Example 1: HTTP termination

    The following is an example of a minimal configuration that sets up a frontend on port 80/TCP (HTTP) in front of two Confluence servers running on the default HTTP service port 8090/TCP, and the Synchrony service on port 8091/TCP.

    Installing HAProxy should create the haproxy user that the service runs as. Change the user and group in haproxy.cfg if necessary.

    In this configuration example, the HAProxy statistics page is disabled by default. To enable it, change the stats disabled line to stats enabled. Then, once the haproxy service is running, navigate to http://<confluence-url>:8404/stats.

    However, by default, the HAProxy statistics page doesn't require authentication. In case of any security concerns, you can enforce basic authentication by adding a stats auth <username:password> line to the configuration. Alternatively, disable access to the page by changing the stats enabled line to stats disabled.

    For more information, see Exploring the HAProxy Stats Page (What You Should Know).

    global
      log 127.0.0.1 local2 # Logging to syslog service local2
      chroot      /var/lib/haproxy
      daemon
      user haproxy
      group haproxy

    # Statistics page (the stats directives require HTTP mode)
    frontend stats
      bind *:8404
      mode http
      stats enable
      stats uri /stats
      stats refresh 10s

    # HTTP frontend: routes by path to Confluence or Synchrony
    frontend confluence
      bind *:80
      mode http
      option forwardfor
      option http-server-close
      log global
      option httplog
      timeout client 300s
      maxconn 150
      use_backend connie_backend if { path /confluence } || { path_beg /confluence/ }
      use_backend synchrony_backend if { path /synchrony } || { path_beg /synchrony/ }

    # Confluence nodes: health-checked on /confluence/status, sticky by cookie
    backend connie_backend
      log global
      mode http
      balance roundrobin
      option httpchk
      http-check send meth GET uri /confluence/status
      http-check expect string RUNNING
      cookie confluence insert indirect nocache
      server confluence1 x.x.x.x:8090 check cookie confluence1
      server confluence2 x.x.x.x:8090 check cookie confluence2

    # Synchrony nodes: health-checked on /synchrony/heartbeat, sticky by cookie
    backend synchrony_backend
      log global
      mode http
      balance roundrobin
      option httpchk
      http-check send meth GET uri /synchrony/heartbeat
      http-check expect string OK
      cookie synchrony insert indirect nocache
      server synchrony1 x.x.x.x:8091 check cookie synchrony1
      server synchrony2 x.x.x.x:8091 check cookie synchrony2

    Example 2: HTTPS termination

    The following is an example of a more complex HAProxy configuration, which assumes that:

    • This is a 2-node Confluence active-active cluster.

    • HAProxy will listen on ports:
      • 443/TCP for HTTPS connections
    • The certificate .pem file used by HAProxy is installed at /etc/haproxy/cert.pem. Change this to your certificate path.

    • <confluence-url> is your FQDN.

    • HAProxy redirects calls to /url/confluence path to Confluence Node 1 and Node 2.

    • HAProxy redirects calls to /url/confluence path to Synchrony Node 1 and Node 2. Synchrony can be standalone or managed.

    In this configuration example, the HAProxy statistics page is enabled by default. This allows you to monitor the health of your cluster by navigating to the HAProxy statistics page at https://<confluence-url>:8404/stats.

    However, by default, the HAProxy statistics page doesn't require authentication. In case of any security concerns, you can enforce basic authentication by adding a stats auth <username:password> line to the configuration. Alternatively, disable access to the page by changing the stats enabled line to stats disabled.

    For more information, see Exploring the HAProxy Stats Page (What You Should Know).

    The following details the structure of a typical .pem file (including the private key, the certificate and the certificate chain):

    -----BEGIN RSA PRIVATE KEY-----
    (Private Key: domain_name.key contents)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Primary SSL certificate: domain_name.crt contents)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate certificate: certChainCA.crt contents)
    -----END CERTIFICATE-----

    global
      log 127.0.0.1 local2 # Logging to syslog service local2
      chroot      /var/lib/haproxy
      daemon
      user haproxy
      group haproxy

    # Statistics page over HTTPS (the stats directives require HTTP mode)
    frontend stats
      bind *:8404 name <confluence-url> ssl crt /etc/haproxy/cert.pem
      mode http
      stats enable
      stats uri /stats
      stats refresh 10s

    # HTTPS frontend: terminates TLS and routes by path
    frontend confluence
      bind *:443 name <confluence-url> ssl crt /etc/haproxy/cert.pem
      mode http
      option forwardfor
      option http-server-close
      http-request redirect scheme https unless { ssl_fc }
      log global
      option httplog
      timeout client 300s
      maxconn 150
      use_backend connie_backend if { path /confluence } || { path_beg /confluence/ }
      use_backend synchrony_backend if { path /synchrony } || { path_beg /synchrony/ }

    # Confluence nodes: health-checked on /confluence/status, sticky by cookie
    backend connie_backend
      log global
      mode http
      balance roundrobin
      option httpchk
      http-check send meth GET uri /confluence/status
      http-check expect string RUNNING
      cookie confluence insert indirect nocache
      server confluence1 x.x.x.x:8090 check cookie confluence1
      server confluence2 x.x.x.x:8090 check cookie confluence2

    # Synchrony nodes: health-checked on /synchrony/heartbeat, sticky by cookie
    backend synchrony_backend
      log global
      mode http
      balance roundrobin
      option httpchk
      http-check send meth GET uri /synchrony/heartbeat
      http-check expect string OK
      cookie synchrony insert indirect nocache
      server synchrony1 x.x.x.x:8091 check cookie synchrony1
      server synchrony2 x.x.x.x:8091 check cookie synchrony2

  2. Once you have configured haproxy.cfg correctly for your environment, start the haproxy service according to the instructions appropriate for your operating system.
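
A hardened form of the stats frontend that both examples above leave without authentication, given here as an added example that is not part of the original page. The 10.0.0.0/24 admin range, the realm text and the credential placeholder are assumptions; the certificate path is the one used in Example 2.

```haproxy
# Added example: hardened replacement for the "frontend stats" section.
# Assumptions: admin workstations live in 10.0.0.0/24 (constructed range),
# and <username>:<password> is a placeholder you replace with your own values.
frontend stats
  # Serve the page over TLS only, so basic-auth credentials are not sent in clear text
  bind *:8404 ssl crt /etc/haproxy/cert.pem
  mode http
  timeout client 30s

  # Reject every request that does not come from the admin network
  http-request deny unless { src 10.0.0.0/24 }

  stats enable
  stats uri /stats
  stats refresh 10s

  # Require HTTP basic authentication before any statistics are shown
  stats realm HAProxy\ Statistics
  stats auth <username>:<password>

  # Do not disclose the HAProxy version on the page
  stats hide-version
```

In HAProxy the directive is spelled stats enable; removing or commenting out that line turns the statistics page off. Because stats auth stores the password in clear text, restrict read access to haproxy.cfg.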

Last modified on Feb 20, 2024
