Way 2 - TCP Balanced Round Robin with HAPROXY

In this case we will deploy a haproxy node in front of many proxy nodes. Browsers will connect to haproxy node that will distribute TCP connections to proxy nodes using round robin scheme.

  1. Create new type A record for proxy.example.lan with IP address This will be the haproxy frontend to our cluster.

  2. Create new type A record for node11.example.lan with IP address

  3. Create new type A record for node12.example.lan with IP address

  4. Configure haproxy on proxy.example.lan with the following configuration /etc/haproxy/haproxy.cfg.

        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
    frontend squid
        default_backend squid_pool
    backend squid_pool
        balance roundrobin
        mode tcp
        server squid1 check
        server squid2 check
  5. Deploy two virtual appliances of Web Safety and assign IP address of for the first node and for the second node. For the instructions on how to assign static IP for a virtual appliance see article How to Set Static IP Address in VA.

  6. Follow the usual Active Directory configuration steps described in previous articles for each virtual appliance, but when configuring Kerberos authenticator provide the SPN based on proxy.example.lan and check the Use GSS_C_NO_NAME checkbox. This will let the node process requests for Kerberos authentication from browsers based on credentials contained in the request and not based on SPN (SPN still needs to be configured though).

  7. Restart haproxy afterwards systemctl restart haproxy. Log in /var/log/haproxy.log should indicate both proxy nodes are working.


When using haproxy to load balance requests to proxy nodes with TCP method of load balancing all connections to proxy nodes will appear to come from haproxy’s IP address. This will mean that you will not be able to use IP based members in web filtering policies. Nevertheless when proxy nodes are integrated with Active Directory and proxy authentication is enabled user name will be available and thus policy management by security group will work as expected. This limitation is fixed in Web Safety 6.0+. See next article.