HAProxy Backend Config Generator

Backend name:

Name the backend section that frontends will reference.

Proxy mode:

Choose the HAProxy backend mode.

Balance algorithm:

Pick the backend load-balancing behavior.

Health check method:

Set the HTTP method used for active checks.

Health check URI:

Use a path such as /health, /ready, or /status.

Health Host header:

Set the Host header sent with the health-check request.

Healthy response:

Choose how strict the HTTP health-check response should be.

Check interval:

Seconds between active health checks.

Fall count:

Consecutive failed checks required before removal.

Rise count:

Consecutive successful checks required before recovery.

Server rows:

Enter one backend server per line: name,address:port,weight,maxconn,role.

Quoted CSV cells are accepted.

{{ result.errors.length ? 'Fix before using this config' : 'Review before using this config' }}

{{ item }}
{{ item }}

Backend server TLS:

Leave plain when HAProxy talks cleartext to the backend servers.

CA file:

Use an absolute path on the HAProxy host.

SNI host:

Leave blank when backend certificates do not require SNI.

Server timeout:

Leave blank to inherit timeout server from defaults.

Add http-reuse safe

Reuse idle backend HTTP connections when it is appropriate for the application.

Add option redispatch

Allow retrying a different server when the selected server is unavailable.

Add cookie persistence

Cookie name:

{{ result.config }}

Server	Address	Weight	Maxconn	Role	Generated arguments	Copy
{{ row.name }}	{{ row.address }}	{{ row.weight }}	{{ row.maxconn }}	{{ row.role }}	`{{ row.arguments }}`
No valid server rows yet.

Severity	Check item	Value	Config effect	Copy
{{ row.severity }}	{{ row.item }}	{{ row.value }}	{{ row.effect }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

An HAProxy backend is the named pool of upstream servers that receives traffic after a frontend or listener has matched a request. The backend section decides which targets are eligible, how traffic is distributed, how failed servers are removed, and which per-server arguments HAProxy should apply when it opens a connection.

Backend design turns availability policy into concrete configuration. A round-robin pool spreads requests evenly, a least-connection pool favors less busy targets, source hashing can keep a client near the same server, and backup servers stay out of rotation until the active pool cannot serve traffic. The best choice depends on the service's state model, connection length, readiness endpoint, and tolerance for retry or failover behavior.

Common HAProxy backend choices and what they affect
Backend choice	What it changes
Mode	HTTP mode can make request-aware checks and use HTTP-only options; TCP mode treats traffic as a stream and checks connectivity.
Balance algorithm	The algorithm chooses among currently healthy servers, so it affects spread, stickiness, and behavior under uneven connection load.
Health check	The check decides when a server leaves or returns to rotation. A port check and an application readiness check can answer different questions.
Server TLS	TLS to the backend can protect the hop, but certificate verification, CA files, and SNI values need to match the real backend certificate path.

Health checks deserve the same care as traffic routing. A TCP check proves that a connection can open, while an HTTP check can prove that a specific readiness endpoint returns an acceptable response. The method, URI, HTTP version, Host header, interval, fall count, and rise count all affect how quickly HAProxy removes a server and how confidently it brings that server back.

Frontend rule

selects backend name

Backend policy

mode, balance, timeout

Health decision

check type and cadence

Server line

target plus arguments

A backend ties the frontend's target name to load-balancing policy, health checks, and the server lines that HAProxy can actually use.

Most backend mistakes are not syntax mistakes. Common problems include a readiness endpoint that only checks a port, a missing Host header on a virtual-hosted application, cookie persistence applied to a service that should stay stateless, or server TLS set to skip certificate verification because the CA path was not ready.

A backend block is only one part of a working HAProxy file. DNS resolution, certificate files, CA trust, frontend references, inherited defaults, bind settings, logs, and deployment paths still need to be checked on the HAProxy host before the configuration is loaded.

How to Use This Tool:

Start with the routing and health-check basics, then add advanced options only when the backend actually needs them.

Set Backend name to the label your frontend will use in a default_backend or use_backend rule. Unsafe label characters are normalized in the generated section name.
Choose Proxy mode. HTTP mode creates HTTP health-check lines; TCP mode creates a TCP connection check.
Select the Balance algorithm. Use roundrobin for ordinary even rotation, leastconn for connection-heavy services, source for client-address affinity, or another listed algorithm when it matches your HAProxy design.
For HTTP mode, enter the check method, URI, optional Host header, and expected response class. Fix any warning about a blank Host header if the application routes by hostname.
Set Check interval, Fall count, and Rise count to control check frequency, removal after failures, and recovery after successes.
Enter Server rows as name,address:port,weight,maxconn,role. Role may be active or backup. Quoted CSV cells are accepted, and the normalize action rewrites valid rows into the expected shape.
Open advanced settings for backend TLS, CA file, SNI host, server timeout, HTTP connection reuse, redispatch, and HTTP cookie persistence. Verification-required TLS needs a CA file path before the config is usable.
Review the generated config, Server Ledger, Check Plan, and JSON output. Copy or download the config only after blockers are gone and review warnings make sense for your deployment.

Interpreting Results:

The summary state tells you how the draft should be treated. Ready means no blockers or review warnings were found. Review means output is available, but settings such as disabled TLS verification, missing Host header, duplicate server names, or omitted persistence need a human check. Blocked means the generated text starts with fix notes and should not be copied into a live configuration.

The Server Ledger is the easiest place to catch row-level surprises. It shows the final server name, address, weight, maximum connections, role, and generated arguments for each valid row. Name normalization, duplicate suffixes, clamped numeric values, backup status, TLS arguments, and cookie values are visible there before you copy the backend block.

The Check Plan is a deployment review list, not a formal HAProxy syntax check. Confirm that the backend name matches the frontend reference, the health-check endpoint is the one the application team expects, the CA and timeout paths are valid on the HAProxy host, and the final complete file passes HAProxy's own configuration check.

Exports are meant for handoff and audit. The config tab provides the backend block, the table tabs provide CSV or DOCX-friendly review ledgers, and the JSON output captures the normalized settings, warnings, errors, server list, and check plan.

Technical Details:

The generated backend follows HAProxy's normal structure: a backend line, a proxy mode, a balance directive, optional backend-level directives, health-check directives, a default-server check cadence, and one server line per valid target. Each server line includes check, weight, and maxconn, with optional backup, TLS, SNI, and cookie arguments.

HTTP mode generates option httpchk and an http-check send request using the selected method, URI, HTTP/1.1, and optional Host header. The expected response can be left implicit, constrained to status 200-399, constrained to 200, or expressed as anything except a 5xx response. TCP mode instead generates option tcp-check and tcp-check connect.

Directive Map:

HAProxy backend directives generated by the tool
Generated area	Directive or argument	Review meaning
Backend identity	`backend NAME`	The name must match the frontend `use_backend` or `default_backend` reference.
Proxy mode	`mode http` or `mode tcp`	HTTP mode supports request-aware checks and HTTP-only options; TCP mode checks stream connectivity.
Load distribution	`balance roundrobin`, `leastconn`, `source`, `random`, `static-rr`, or `first`	The algorithm chooses among servers that are currently eligible.
HTTP health check	`option httpchk`, `http-check send`, optional `http-check expect`	The check can validate a readiness URI and response status instead of only opening a socket.
TCP health check	`option tcp-check` and `tcp-check connect`	The check succeeds when a TCP connection can be established to the target.
Check cadence	`default-server inter Ns fall N rise N`	Interval controls check frequency, fall controls removal after failures, and rise controls return after successes.
Server pool	`server NAME ADDRESS check weight N maxconn N`	Each valid row becomes one checked server line with optional backup, TLS, SNI, and cookie arguments.

Input Transformation:

How HAProxy backend inputs become generated config
Input area	Normalization or validation	Generated effect
Backend and server names	Unsafe characters are replaced, and duplicate server names receive a suffix.	Section and server labels remain config-friendly, with changes reported as review notes.
Health URI and Host header	A missing leading slash is added, spaces in the URI are encoded, and header values containing whitespace are omitted.	HTTP check lines are generated with the selected method, URI, version, and valid Host header.
Server rows	Address and port are parsed, IPv6 requires `[addr]:port`, weight is clamped to 1-256, and maxconn is clamped to 1-1000000.	Valid targets become checked server lines; malformed rows become blockers or review warnings.
Health cadence	Check interval is clamped to 1-300 seconds; fall and rise counts are clamped to 1-20.	The generated `default-server` line controls active-check timing for all listed servers.
Backend TLS	Plain, verify-none, and verify-required modes control server-line TLS arguments.	Verify-required mode blocks output without a CA file; verify-none remains a review warning.
Timeout and persistence	Bare numeric timeouts become seconds, supported HAProxy units are kept, and cookie names are normalized.	Valid timeouts become `timeout server`; HTTP cookie persistence adds a backend cookie directive and per-server cookie values.

Server TLS and health checks deserve extra review. A server-line SNI value is useful for backend TLS connections, but HAProxy also has health-check-specific SNI behavior. If an HTTPS health check must present a specific SNI value, review the final block against your HAProxy version and add check-specific options where needed.

There is no numeric formula behind the output. The useful checks are rule transformation, HAProxy directive compatibility, safe label and value normalization, and final deployment validation with the complete configuration file.

Worked Examples:

HTTP API pool. A backend named be_app_api, HTTP mode, roundrobin balance, GET health check at /health, Host header api.internal.example, and three server rows produces a backend block with HTTP check directives, default-server cadence, and one checked server line per valid target.

Verified backend TLS. Choosing TLS with verification required adds certificate verification arguments to each server line and requires a CA file path. If the CA file is blank or contains whitespace, the Check Plan marks a blocker so the draft should not be copied.

TCP service with persistence requested. TCP mode can generate a checked server pool, but cookie persistence is HTTP-only. The Check Plan reports that the cookie directive was omitted, so use a TCP-appropriate stickiness design if the service needs affinity.

Imported server list. A pasted CSV list with a duplicate name, out-of-range weight, or malformed address still produces useful review feedback. Valid rows are normalized into the ledger, while address and port errors are shown as blockers.

FAQ:

Does this validate my full HAProxy file?

No. It generates a backend block and review tables. Test the complete HAProxy configuration with the surrounding global, defaults, frontend, certificate, and file-path settings before deployment.

Why is a Host header warning shown?

HTTP/1.1 health checks often need a Host header when an application or virtual host routes by hostname. Add the expected backend host when the readiness endpoint depends on it.

What does verify none mean?

It means HAProxy uses TLS to reach the backend server but does not verify the certificate chain. That may be acceptable for a temporary lab case, but production backends should usually use certificate verification with a trusted CA file.

Why did my SNI value not remove every TLS review step?

The generated server argument can set an SNI value for backend TLS connections, but some health-check designs need separate check-specific TLS options. Review HTTPS health checks carefully when the backend certificate or route depends on SNI.

Why was my server row skipped?

A valid row needs a usable name and an address with a port, such as app01,10.44.30.11:8080,100,800,active. Check missing ports, malformed IPv6 notation, whitespace in the address, empty rows, and copied header lines.

References:

Backends, HAProxy Technologies.
Health checks, HAProxy Technologies.
HAProxy Configuration Manual, HAProxy project.
How to configure backend health checks in HAProxy, Simplified Guide.
How to validate an HAProxy configuration file, Simplified Guide.