Backend server selection

Hello,

I am using HAProxy to load balance incoming authentication attempts for an application called HP Anyware. The client application for Anyware is a black box, so I do not have access to know what requests are made; however, I know authentication requests are made over 443.

At present I am using HAProxy version 3.0.2

I have a default backend that has two servers. I am finding that the proxy is preferring the second server in the list every time and I cannot work out why. Both servers work individually (if they are the only option in the list, and if the order is swapped the second option is chosen.)

Is there something in my config that’s incorrect?

global
#    log 127.0.0.1:514  local0  
    log /dev/log local0 info
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn 8000
    user haproxy
    group haproxy
    daemon
    h1-case-adjust connection Connection
    h1-case-adjust content-length Content-Length
    h1-case-adjust content-encoding Content-Encoding 
    h1-case-adjust content-type Content-Type
    h1-case-adjust cache-control Cache-Control
    h1-case-adjust date Date
    h1-case-adjust expires Expires
    h1-case-adjust etag ETag
    h1-case-adjust last-modified Last-Modified
    h1-case-adjust server Server
    h1-case-adjust via Via
    h1-case-adjust age Age
    h1-case-adjust accept-ranges Accept-Ranges
    h1-case-adjust access-control-allow-origin Access-Control-Allow-Origin

defaults
    balance roundrobin
    log global
    option httplog
    retries 2
    #timeout client 30s
    timeout client 15s
    timeout connect 4s
    #timeout server 30s
    timeout server 15s
    timeout check 5s
    option allbackups
#    errorfile 400 /etc/haproxy/errors/400.http
#    no option http-use-htx

listen admin_page
    bind 192.168.30.5:9600
    mode http
    stats enable
    stats refresh 60s
    stats uri /

frontend fe_connector_443
    bind :80
    bind *:443 ssl crt /etc/ssl/private/proxy-01.pem alpn h2,http/1.1
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    option h1-case-adjust-bogus-client
    mode http
    capture cookie JSESSIONID len 32
    option forwardfor
    acl internal_range_l src 192.168.0.0/16
    acl internal_range_l_pv src 10.19.0.0/16
    acl internal_range_m src 10.102.0.0/16
    use_backend internal_source_be if internal_range_l || internal_range_l_pv || internal_range_m
    default_backend external_source_be


backend external_source_be
    mode http
    balance roundrobin
    cookie JSESSIONID prefix indirect nocache
    server cac-01 192.168.30.11:443 check cookie s2 verify none ssl alpn h2,http/1.1 
    server cac-03 192.168.30.12:443 check cookie s1 verify none ssl alpn h2,http/1.1 

backend internal_source_be
    mode http
    balance roundrobin
    cookie JSESSIONID prefix indirect nocache
    server cac-02 192.168.30.13:443 check cookie s3 verify none ssl alpn h2,http/1.1

I have a config that is pretty identical working successfully on version 2.8.1 of HAProxy. Could it be something with the version?

Thanks

Hello,

It seems you use sticky sessions with a cookie, so this is normal behaviour, no?

See more here: Two ways to enable sticky sessions in HAProxy (guide)

Hello,

Thanks for your reply.

I am using sessions with a cookie so that subsequent requests remain with the server they started with.

My issue is that all requests are ending up with “cac-03”. Are you suggesting that it is normal behaviour? I was expecting the connections to be distributed between servers “cac-01” and “cac-03”.

Thanks

Sorry, should not happen unless you tested from the same client computer :wink:

Are you saying the behaviour I am seeing is not intended?

I have just updated to 3.3 and am seeing my connections being distributed between the two servers. So there must be an issue in 3.0.2.

I follow this site for the version :

For production, I would recommend using an LTS version like 3.2.15.

Always use the latest bugfix release of whatever branch you choose.

Version 3.0.2 has 541 bugs that are fixed in 3.0.19.

3.0 will be supported until 2029-Q2, but you need to upgrade to the latest bugfix release if you have problems.
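
Added example, not part of the thread and not HAProxy code: one way to tell cookie stickiness apart from a skewed balancer is to read the stats page in CSV form (the stats URI with `;csv` appended) and compare `lbtot`, the number of times the balancing algorithm picked each server, rather than `stot`, which also counts sessions pinned by the cookie. The sample rows are constructed and trimmed to the columns used, the function names are hypothetical, and equal server weights are assumed, as in the posted config.

```python
import csv
import io

# Constructed sample of HAProxy stats CSV, trimmed to the columns used here.
# Real output has many more columns; DictReader picks these out by name.
SAMPLE_CSV = """\
# pxname,svname,stot,status,lbtot
external_source_be,cac-01,3,UP,2
external_source_be,cac-03,412,UP,398
external_source_be,BACKEND,415,UP,400
internal_source_be,cac-02,57,UP,57
internal_source_be,BACKEND,57,UP,57
"""

def lb_shares(csv_text, backend):
    """Return {server: share of lbtot} for the UP servers of one backend."""
    # The header line starts with "# ", which must go before DictReader sees it.
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("# ")))
    picks = {}
    for row in rows:
        if row["pxname"] != backend:
            continue
        if row["svname"] in ("FRONTEND", "BACKEND"):
            continue  # aggregate rows, not real servers
        if not row["status"].startswith("UP"):
            continue  # a server that is down legitimately receives nothing
        picks[row["svname"]] = int(row["lbtot"] or 0)
    total = sum(picks.values())
    return {name: (n / total if total else 0.0) for name, n in picks.items()}

def skewed_servers(shares, tolerance=0.25):
    """Servers whose share is off an even split by more than `tolerance` (relative)."""
    if len(shares) < 2:
        return []  # a single server cannot be unbalanced
    fair = 1 / len(shares)
    return sorted(s for s, share in shares.items()
                  if abs(share - fair) > tolerance * fair)

if __name__ == "__main__":
    for be in ("external_source_be", "internal_source_be"):
        shares = lb_shares(SAMPLE_CSV, be)
        print(be, shares, "skewed:", skewed_servers(shares))
```

If `stot` is lopsided but `lbtot` is even, the cookie is doing its job for a small set of clients; if `lbtot` itself is lopsided while both servers are UP, the balancing decision is what needs investigating.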