HAProxy’s statistics page is a powerful tool for live monitoring, but it’s not enabled by default and requires a specific configuration block.
Let’s get it running.
Here’s a minimal HAProxy configuration that includes the statistics page. Imagine this is in your /etc/haproxy/haproxy.cfg:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend http_frontend
bind *:80
acl host_static hdr(host) -i static.example.com
acl host_api hdr(host) -i api.example.com
use_backend static_backend if host_static
use_backend api_backend if host_api
backend static_backend
balance roundrobin
server static1 192.168.1.10:80 check
server static2 192.168.1.11:80 check
backend api_backend
balance roundrobin
server api1 192.168.1.20:8080 check
server api2 192.168.1.21:8080 check
listen stats
bind *:8404
mode http
stats enable
stats uri /haproxy?stats
stats realm HAProxy\ Statistics
stats auth user:password
The crucial part is the listen stats block. This defines a new frontend-like section that HAProxy listens on, separate from your main application traffic.
The bind *:8404 directive tells HAProxy to listen on all network interfaces on port 8404. You can change this port to anything you prefer, just ensure it doesn’t conflict with other services.
mode http is necessary because the statistics page is served over HTTP.
stats enable is the command that actually turns on the statistics collection and reporting.
stats uri /haproxy?stats defines the URL path where the statistics page will be accessible. So, if your HAProxy server’s IP is 10.0.0.5, you’d access it at http://10.0.0.5:8404/haproxy?stats.
stats realm HAProxy\ Statistics sets the text displayed in the basic authentication prompt. The backslash before the space is important for escaping.
stats auth user:password enables basic HTTP authentication for accessing the stats page. Crucially, replace user and password with your desired strong credentials. This is not optional for any production or even semi-production environment.
After saving this configuration, you’ll need to reload HAProxy for the changes to take effect. The command for this varies slightly depending on your OS, but it’s typically:
sudo systemctl reload haproxy
or
sudo service haproxy reload
Once reloaded, you can navigate to http://<your-haproxy-ip>:8404/haproxy?stats in your web browser. You’ll be prompted for the username and password you set.
The statistics page provides a wealth of information: current status of frontends and backends, request rates, server response times, error counts, and much more. It’s invaluable for understanding traffic patterns and diagnosing performance issues in real-time.
One aspect often overlooked is the stats socket directive in the global section. While not strictly required for viewing the stats page, it enables programmatic interaction with HAProxy, like enabling/disabling servers or frontends via tools like socat or HAProxy’s own show stat command, which is what the web UI actually uses. This socket is typically secured with file permissions (mode 660) and restricted to specific users/groups, offering a layer of administrative control.
The next common challenge is securing this statistics page further, especially if it’s exposed to the internet, which is generally discouraged.