
Implementing High‑Availability Load Balancing with Keepalived and HAProxy

This article explains how to achieve high‑availability software load balancing by combining the open‑source HAProxy reverse‑proxy with Keepalived, covering installation, configuration of VRRP, health checks, session persistence, SSL termination, and traffic routing on CentOS systems.

Architects' Tech Alliance

Load balancing is a critical component of distributed systems. This guide demonstrates how to build a high‑availability software load‑balancer using the open‑source HAProxy reverse‑proxy together with Keepalived, which provides VRRP‑based failover.

Keepalived overview – Keepalived operates at the transport layer (Layer 4) and was originally designed to monitor Linux Virtual Server (LVS) clusters. It adds VRRP for high‑availability, allowing a master and backup server to share a virtual IP (VIP) that can float between nodes.

HAProxy overview – HAProxy is a TCP/HTTP reverse‑proxy and load balancer capable of Layer 4 and Layer 7 routing, supporting high‑performance traffic distribution, health checks, session persistence, SSL termination, and extensive ACL‑based routing.

Combining Keepalived and HAProxy – Keepalived eliminates the single‑point‑of‑failure of HAProxy by managing a VIP that points to the active HAProxy instance. The architecture is illustrated in Figure 1.

Installation

yum install -y keepalived
yum install -y haproxy

Keepalived configuration

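vi /etc/keepalived/keepalived.conf

global_defs {
    notification_email {
        [email protected]
    }
    notification_email_from  [email protected]
    smtp_server  127.0.0.1
    smtp_connect_timeout  60
    vrrp_mcast_group4  224.0.0.18
}
# Health check: "killall -0" sends no signal, it only tests that a haproxy process exists.
# The script is defined before the vrrp_instance that references it in track_script.
vrrp_script chk_haproxy {
    script  "killall -0 haproxy"
    interval  2      # run the check every 2 seconds
    weight  -2       # subtract 2 from the priority while the check is failed (100 - 2 = 98,
                     # so the backup node needs a priority of 99 to take over)
    fall  3          # 3 consecutive failures mark the check as failed
    rise  1          # 1 success marks it as healthy again
}
vrrp_instance R1 {
    state  MASTER
    interface  eth0
    virtual_router_id  50
    priority  100
    advert_int  1
    authentication {
        # PASS is carried in clear text in every advertisement and only the
        # first 8 characters of auth_pass are used
        auth_type PASS
        auth_pass passwd
    }
    virtual_ipaddress {
        10.230.137.100
    }
    track_script {
        chk_haproxy
    }
    # nopreempt only takes effect when the initial state is BACKUP, and
    # preempt_delay has no effect while nopreempt is active
    nopreempt
    preempt_delay 2
}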

After editing, start and enable the service on both master and backup nodes:

systemctl start keepalived
systemctl enable keepalived
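
The following is an added example, not part of the original article: a simplified model of how the `chk_haproxy` settings above (interval 2, fall 3, rise 1, weight -2) change the primary's effective priority and when the VIP moves. The backup priorities 99 and 90 and the node names A and B are assumptions, since the article does not show the backup node's configuration; `preempt_delay` is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    priority: int          # base VRRP priority
    weight: int = -2       # vrrp_script weight from the config above
    fall: int = 3
    rise: int = 1
    ok: bool = True        # script state as keepalived currently sees it
    streak: int = 0        # consecutive results that contradict `ok`

    def observe(self, exit_ok: bool) -> None:
        """Feed one script result, i.e. one `interval`."""
        if exit_ok == self.ok:
            self.streak = 0
            return
        self.streak += 1
        if self.streak >= (self.rise if exit_ok else self.fall):
            self.ok, self.streak = exit_ok, 0

    @property
    def effective(self) -> int:
        # A negative weight is applied only while the script is failed.
        return self.priority if self.ok else self.priority + self.weight

def simulate(checks, backup_priority, preempt=True, interval=2):
    """Return [(seconds, VIP holder, primary's effective priority), ...]."""
    a, b = Node("A", 100), Node("B", backup_priority)
    holder, timeline = a, []
    for tick, exit_ok in enumerate(checks, start=1):
        a.observe(exit_ok)          # B's HAProxy stays healthy throughout
        other = b if holder is a else a
        # Simplification: with preempt=False (nopreempt) a standby never
        # takes the VIP from a holder that is still advertising.
        if preempt and other.effective > holder.effective:
            holder = other
        timeline.append((tick * interval, holder.name, a.effective))
    return timeline

def holders(timeline):
    return "".join(name for _, name, _ in timeline)

# Constructed input: HAProxy on A dies before the 3rd check, returns at the 7th.
CHECKS = [True, True, False, False, False, False, True, True]

if __name__ == "__main__":
    for prio, preempt in [(99, True), (90, True), (99, False)]:
        print(prio, preempt, holders(simulate(CHECKS, prio, preempt)))
```

In this model the VIP moves only when the backup's priority lies between the primary's reduced and normal priority, and not at all when preemption is disabled while the primary keeps advertising.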

HAProxy configuration

vi /etc/haproxy/haproxy.cfg
global
    log  /dev/log  local0 info
    chroot  /var/lib/haproxy
    pidfile  /var/run/haproxy.pid
    maxconn  4000
    user  haproxy
    group  haproxy
    daemon
defaults
    mode  http
    log  global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  forwardfor  except 127.0.0.0/8
    option  redispatch
    retries  3
    timeout http-request  10s
    timeout queue  1m
    timeout connect  10s
    timeout client  1m
    timeout server  1m
    timeout http-keep-alive  10s
    timeout check  10s
frontend main
    mode  http
    bind  :80
    default_backend  nginx
backend nginx
    mode  http
    balance  roundrobin
    server  web1 host1:80 check inter 3s rise 1 fall 2
    server  web2 host2:80 check

Session persistence – Layer 4 persistence uses balance source with mode tcp, while Layer 7 persistence relies on cookies. The two backend definitions below are alternatives; use one or the other:

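# Alternative 1, Layer 4: the client source IP is hashed, so the same
# client keeps reaching the same server. The frontend that uses this
# backend must also run in mode tcp.
backend nginx
    mode  tcp
    balance  source
    server  web1 10.230.150.68:80 check
    server  web3 10.230.150.70:80 check

# Alternative 2, Layer 7: HAProxy inserts a WEBSRV cookie that names the
# chosen server (web1 or web3).
backend nginx
    mode  http
    balance  roundrobin
    cookie  WEBSRV insert indirect nocache
    server  web1 10.230.150.68:80 check cookie web1
    server  web3 10.230.150.70:80 check cookie web3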

SSL termination – Add SSL parameters to the global section and bind port 443 with a certificate:

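global
    maxconn  20000
    tune.ssl.default-dh-param 2048
    stats socket /var/lib/haproxy/stats

frontend main
    bind :80
    # web.pem holds the certificate, any chain and the private key
    # concatenated, so keep the file readable by root only
    bind :443 ssl crt /etc/ssl/certs/web.pem
    # send plain-HTTP requests to HTTPS; ssl_fc is true when the client
    # connection was made over SSL/TLS
    redirect scheme https if !{ ssl_fc }
    default_backend nginx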

Traffic routing – Use ACLs to route based on URL paths or HTTP headers. Example for path‑based routing:

frontend main
    bind :80
    bind :443 ssl crt /etc/ssl/certs/web.pem
    redirect scheme https if !{ ssl_fc }
    acl is_test1  path_beg /test1
    acl is_test2  path_beg /test2
    use_backend test1 if is_test1
    use_backend test2 if is_test2
    default_backend nginx

backend test1
    balance roundrobin
    server web2 10.230.150.69:80 check

backend test2
    balance roundrobin
    server web3 10.230.150.70:80 check

And for host‑header routing:

frontend main
    acl is_test1  hdr_beg(host) www.test1.com
    acl is_test2  hdr_beg(host) www.test2.com
    use_backend test1 if is_test1
    use_backend test2 if is_test2
    default_backend nginx
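
The following is an added example, not part of the original article: it models the prefix semantics of the `path_beg` and `hdr_beg(host)` ACLs above next to whole-segment and whole-name matching, to show which requests each variant sends to `test1`. The function names and the sample requests are constructed for illustration.

```python
def route_as_written(host, path, by="path"):
    """Backend picked by the page's ACLs: prefix match, first hit wins."""
    if by == "path":
        rules = [("test1", path.startswith("/test1")),    # path_beg /test1
                 ("test2", path.startswith("/test2"))]    # path_beg /test2
    else:
        rules = [("test1", host.startswith("www.test1.com")),   # hdr_beg(host)
                 ("test2", host.startswith("www.test2.com"))]
    return next((backend for backend, hit in rules if hit), "nginx")


def _under(path, prefix):
    # Whole path segment: /test1 or /test1/..., but not /test10
    return path == prefix or path.startswith(prefix + "/")


def _is_host(host, name):
    # Whole name, case-insensitive, optional :port ignored
    return host.lower().partition(":")[0] == name


def route_strict(host, path, by="path"):
    """Same routing, matching whole segments and whole host names."""
    if by == "path":
        rules = [("test1", _under(path, "/test1")),
                 ("test2", _under(path, "/test2"))]
    else:
        rules = [("test1", _is_host(host, "www.test1.com")),
                 ("test2", _is_host(host, "www.test2.com"))]
    return next((backend for backend, hit in rules if hit), "nginx")


# Constructed requests: (Host header, path, ACL set to apply)
SAMPLES = [
    ("app.internal", "/test1/report", "path"),
    ("app.internal", "/test10/admin", "path"),
    ("www.test1.com", "/", "host"),
    ("www.test1.com.example.net", "/", "host"),
    ("WWW.TEST1.COM:443", "/", "host"),
]

def compare():
    return [(h, p, route_as_written(h, p, by), route_strict(h, p, by))
            for h, p, by in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In HAProxy terms the stricter variant corresponds to `path /test1` combined with `path_beg /test1/`, and to `hdr(host) -i www.test1.com` (with the `:port` form added as a second pattern if clients send one).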

After configuration, start and enable HAProxy:

systemctl start haproxy
systemctl enable haproxy
systemctl reload haproxy   # for hot‑reloading changes

Conclusion – Software load balancing with Keepalived + HAProxy provides a cost‑effective, flexible, and highly available solution compared with hardware appliances. In the referenced banking PaaS platform, this combination successfully aggregated traffic for multiple control and worker nodes, offering seamless failover and easy scalability.
