The purpose of a load balancer is to efficiently distribute incoming network traffic between Confluence nodes in round robin cluster configuration. If you don't have a particular preference or policy for load balancers, you can use HAProxy, which is a popular open-source load balancer. Learn how to get up and running with HAProxy and see sample configurations that you can use as reference points for creating your own setup.

haproxy --version

To configure HAProxy:

1. Review the contents of the haproxy.cfg file and customize it for your environment.

   The haproxy.cfg file is typically located at /etc/haproxy/haproxy.cfg. See https://docs.haproxy.org/ for more information about configuring HAProxy. Refer to the examples of how to configure HAProxy in different scenarios:

   Example 1: HTTP termination

   The following is an example of a minimal configuration that sets up a frontend on port 80/TCP (HTTP) in front of two Confluence servers running on the default HTTP service port 8090/TCP, and the Syncrony service on port 8091/TCP.

   When installing haproxy it should create the user haproxy to run it has a service, change it in the haproxy.cfg if necessary.

   In this configuration example, the HAProxy statistics page is disabled by default. To do enable it, change the stats disabled line to stats enabled. Then, once the haproxy service is running, navigate to http://<confluence-url>:8404/stats.

   However, by default, the HAProxy statistics page doesn't require authentication. In case of any security concerns, you can enforce basic authentication by adding a stats auth <username:password> line to the configuration. Alternatively, disable access to the page by changing the stats enabled line to stats disabled. 

   For more information, see Exploring the HAProxy Stats Page (What You Should Know).

   global
     log 127.0.0.1 local2 # Loging to syslog service local2
     chroot      /var/lib/haproxy
     daemon
     user haproxy
     group haproxy
   
   frontend stats
     bind *:8404
     stats enable
     stats uri /stats
     stats refresh 10s   
   
    frontend confluence
     bind *:80
     mode http
     option forwardfor
     option http-server-close
     log global
     option httplog
     timeout client 300s
     maxconn 150
     use_backend connie_backend if { path /confluence } || { path_beg /confluence/ }
     use_backend synchrony_backend if { path /synchrony } || { path_beg /synchrony/ }
   
   backend connie_backend
     log global
     mode http
     balance roundrobin   
     option httpchk
     http-check send meth GET uri /confluence/status
     http-check expect string RUNNING    
     cookie confluence insert indirect nocache
     server confluence1 x.x.x.x:8090 check cookie confluence1
     server confluence2 x.x.x.x:8090 check cookie confluence2
   backend synchrony_backend
     log global
     mode http
     balance roundrobin        
     option httpchk
     http-check send meth GET uri /synchrony/heartbeat
     http-check expect string OK   
     cookie synchrony insert indirect nocache
     server synchrony1 x.x.x.x:8091 check cookie synchrony1
     server synchrony2 x.x.x.x:8091 check cookie synchrony2

   Example 2: HTTPS termination

   The following is an example of a more complex HAProxy configuration, which assumes that:

   • This is a 2-node Confluence active-active cluster.

   • HAProxy will listen on ports:
     • 443/TCP for HTTPS connections

   • The certificate apem file used by HAProxy are installed in /etc/haproxy/cert.pem. Change this for your certificate path.

   • <confluence-url> this is your FQDN

   • HAProxy redirects calls to /url/confluence path to Confluence Node1 and Node 2

   • HAProxy redirects calls to /url/confluence path to Synchrony Node1 and Node 2 - This one can be standalone or managed.

   In this configuration example, the HAProxy statistics page is enabled by default. This allows you to monitor the health of your cluster by navigating to the HAProxy statistics page at https://<confluence-url>:8404/stats.

   However, by default, the HAProxy statistics page doesn't require authentication. In case of any security concerns, you can enforce basic authentication by adding a stats auth <username:password> line to the configuration. Alternatively, disable access to the page by changing the stats enabled line to stats disabled. 

   For more information, see Exploring the HAProxy Stats Page (What You Should Know).

   The following details the structure of a typical .pem file (including they private key, the certificate and the certificate chain):

   -----BEGIN RSA PRIVATE KEY----- 
   (Private Key: domain_name.key contents) 
   -----END RSA PRIVATE KEY-----
   -----BEGIN CERTIFICATE----- 
   (Primary SSL certificate: domain_name.crt contents) 
   -----END CERTIFICATE----- 
   -----BEGIN CERTIFICATE----- 
   (Intermediate certificate: certChainCA.crt contents) 
   -----END CERTIFICATE----

   global
     log 127.0.0.1 local2 # Loging to syslog service local2
     chroot      /var/lib/haproxy
     daemon
     user haproxy
     group haproxy
   
   frontend stats
     bind *:8404 name <confluence-url> ssl crt /etc/haproxy/cert.pem 
     stats enable
     stats uri /stats
     stats refresh 10s  
   
     # HTTPS frontend confluence
     bind *:443 name <confluence-url> ssl crt /etc/haproxy/cert.pem
     mode http
     option forwardfor
     option http-server-close
     http-request redirect scheme https unless { ssl_fc }
     log global
     option httplog
     timeout client 300s
     maxconn 150
     use_backend connie_backend if { path /confluence } || { path_beg /confluence/ }
     use_backend synchrony_backend if { path /synchrony } || { path_beg /synchrony/ }
   
   backend connie_backend
     log global
     mode http
     balance roundrobin   
     option httpchk
     http-check send meth GET uri /confluence/status
     http-check expect string RUNNING      
     cookie confluence insert indirect nocache
     server confluence1 x.x.x.x:8090 check cookie confluence1
     server confluence2 x.x.x.x:8090 check cookie confluence2
   backend synchrony_backend
     log global
     mode http
     balance roundrobin   
     option httpchk
     http-check send meth GET uri /synchrony/heartbeat
     http-check expect string OK   
     cookie synchrony insert indirect nocache
     server synchrony1 x.x.x.x:8091 check cookie synchrony1
     server synchrony2 x.x.x.x:8091 check cookie synchrony2

2. Once you have configured haproxy.cfg correctly for your environment, start the haproxy service according to the instructions appropriate for your operating system.