This guide provides detailed instructions for configuring HAProxy to expose both the Runtime API and the Statistics page, which are required for the HAProxy MCP Server to function properly.
HAProxy’s Runtime API allows for dynamic configuration changes and monitoring without restarting the service. The HAProxy MCP Server requires access to this API to function properly.
To expose the Runtime API over a TCP socket, add the following to your haproxy.cfg:
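global
    # Other global settings...
    # Runtime API configuration
    # Listens on all interfaces. The Runtime API has no authentication of its own,
    # so any host that can reach this port gets admin-level access.
    stats socket ipv4@0.0.0.0:9999 level admin
    # OR for more secure setup, bind to localhost only
    # stats socket ipv4@127.0.0.1:9999 level admin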
For HAProxy 2.0 and later, you can also use:
global
    # Other global settings...
    # Runtime API; expose-fd listeners lets a new HAProxy process retrieve the
    # listening sockets over this socket during a seamless reload
    stats socket ipv4@0.0.0.0:9999 level admin expose-fd listeners
For Unix socket mode, which provides better security as it’s file-system based:
global
    # Other global settings...
    # Runtime API configuration using Unix socket
    stats socket /var/run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
Ensure that the directory exists and has proper permissions:
mkdir -p /var/run/haproxy
chown haproxy:haproxy /var/run/haproxy
chmod 755 /var/run/haproxy
HAProxy’s Statistics page provides a web-based dashboard for monitoring. To enable it, add:
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats show-legends
    stats show-node
    # Optional: Enable admin features if needed
    # stats admin if LOCALHOST
For a more secure setup, restrict access:
frontend stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:YourSecurePassword
    stats hide-version
When exposing the Runtime API and Statistics page, consider these security practices:
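Authentication: Protect the Statistics page with stats auth. The Runtime API socket does not accept a username or password (password is not a valid stats socket keyword, and user only sets the owner of a Unix socket), so restrict it by binding to localhost or by using a Unix socket with tight permissions:
    stats socket ipv4@127.0.0.1:9999 level admin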
Binding: Bind services to localhost or internal IPs only when possible
Firewall Rules: Use firewall rules to restrict access to the Runtime API and Stats ports
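TLS and ACLs: Serve the Statistics page over TLS and allow admin actions only from internal source ranges
frontend stats
    bind *:8404 ssl crt /path/to/cert.pem
    stats enable
    stats uri /stats
    acl internal_networks src 10.0.0.0/8 192.168.0.0/16
    stats admin if internal_networks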
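As an added example (not part of the original guide or of the HAProxy MCP Server project), the following Python script checks a haproxy.cfg for the exposures these practices address: a Runtime API socket on a non-loopback TCP address, and a Statistics page reachable from other hosts without stats auth or without TLS. The function names and the embedded sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample that combines settings shown on this page.
SAMPLE_CFG = """\
global
    stats socket /var/run/haproxy/admin.sock mode 660 level admin
    stats socket ipv4@0.0.0.0:9999 level admin
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats auth admin:YourSecurePassword
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def is_loopback(host):
    """True for localhost and literal loopback IPs; '*', '' and 0.0.0.0 are not."""
    try:
        return host == "localhost" or ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

def audit(cfg_text):
    """Return sorted (line_number, message) findings for exposed stats endpoints."""
    findings, sections = [], []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            sections.append({"binds": [], "stats": False, "auth": False})
        elif words[:2] == ["stats", "socket"] and len(words) > 2:
            m = re.fullmatch(r"(?:ipv[46]@)?(.*):\d+", words[2])  # TCP only, not a path
            if m and not is_loopback(m.group(1)):
                level = words[words.index("level") + 1] if "level" in words[:-1] else "operator"
                findings.append((no, f"Runtime API ({level}) listens on non-loopback {words[2]}"))
        elif sections and words[0] == "bind" and len(words) > 1:
            sections[-1]["binds"].append((no, words[1], "ssl" in words[2:]))
        elif sections and words[:2] in (["stats", "enable"], ["stats", "uri"], ["stats", "auth"]):
            sections[-1]["stats"] = True
            sections[-1]["auth"] |= words[1] == "auth"
    for sec in (s for s in sections if s["stats"]):
        for no, addr, ssl in sec["binds"]:
            if is_loopback(addr.rsplit(":", 1)[0]) or (sec["auth"] and ssl):
                continue
            why = "is sent without TLS" if sec["auth"] else "is missing"
            findings.append((no, f"stats auth {why} on {addr}"))
    return sorted(findings)
```

Call audit() with the text of your own haproxy.cfg; for the sample it reports the admin-level socket on 0.0.0.0:9999 and the cleartext stats auth on *:8404.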
Here’s a complete example that includes both Runtime API and Statistics page:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /var/run/haproxy/admin.sock mode 660 level admin
    stats socket ipv4@127.0.0.1:9999 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend stats
    # Listens on all interfaces over plain HTTP, so the stats auth credentials
    # travel in cleartext; bind to 127.0.0.1 or add ssl crt as shown above
    # if other hosts can reach this port
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:YourSecurePassword
    stats hide-version

# Your other frontend/backend configurations...
If you experience issues connecting to the Runtime API or Statistics page:
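# Check that the Unix socket exists and has the expected owner and mode
ls -la /var/run/haproxy/admin.sock
# Check that the TCP ports are listening
netstat -an | grep 9999
netstat -an | grep 8404
# TCP socket
echo "show info" | socat tcp-connect:127.0.0.1:9999 stdio
# Unix socket
echo "show info" | socat unix-connect:/var/run/haproxy/admin.sock stdio
# Stats page (should return HTML; add -u admin:YourSecurePassword when stats auth is set)
curl -s http://localhost:8404/stats
# Follow the HAProxy log
tail -f /var/log/haproxy.log
# Restart HAProxy
systemctl restart haproxy
# or
service haproxy restart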
For more detailed information, refer to the official HAProxy documentation.