Skip to content

How to Use HAProxy ACLs for Advanced Routing

DodaTech Updated 2026-06-24 2 min read

HAProxy ACLs provide flexible traffic routing based on request attributes. They enable sophisticated multi-service load balancing. This guide walks through the specific troubleshooting steps to diagnose and resolve ACL issues.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server with the relevant software installed
  • Access to the command line interface
  • Appropriate permissions (root or sudo)

Quick Fix

Wrong

default_backend servers (no conditional routing)

Wrong: Single backend without ACL-based routing

acl is_api path_beg /api/\nacl is_admin hdr(Host) admin.example.com\nuse_backend api_backend if is_api\nuse_backend admin_backend if is_admin

Right: ACL-based routing to different backends

Output

ACLs configured:\n  is_api: path begins with /api/\n  is_admin: host header = admin.example.com\n  Routing: API to api_backend, Admin to admin_backend

Prevention

To avoid future issues, follow these best practices:

  • Use path_beg for prefix matching, path_end for suffix, path_reg for regex
  • Use hdr(Host) for domain-based routing
  • Use src to match source IP addresses
  • ACLs can be combined with and/or logic
  • Test ACLs with haproxy -c -f haproxy.cfg

DodaTech Tools

For further assistance with any of the above issues, consider using DodaTech consulting services or DodaTech tutorials for more in-depth guidance.

Common Mistakes with acl

  1. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  2. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  3. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks

These mistakes appear frequently in real-world HAPROXY code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

How many ACLs can I have in HAProxy?|||Thousands. ACLs are evaluated efficiently with a binary tree. However, complex ACLs should be tested for performance.
What is the difference between path_beg and path_reg? path_beg matches path prefixes (starts with). path_reg uses regex for flexible pattern matching. path_beg is faster.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro