Pool members & enrollment

Member tab layout

 

Click a member in the tab bar to open its workspace. Sub-tabs:

Tab Purpose
Control panel
Host ops: reboot, updates, hostname, TLS domain (non-HAProxy PEM)
Security
UFW firewall, SSH enable/disable, firewall backup
Status
Live HAProxy traffic stats from heartbeat (show stat)
Cron & Jobs
Scheduled tasks + job timeline
Restore Backups
List snapshots, scoped backup/restore
Recipes
One-click enable flows (admin socket, SSH, Let’s Encrypt, agent update)
Monitoring
Member-level alert thresholds
Settings
Display name, hostname, allowed IPs, geo, remove member

HAProxy-specific Management actions (install, reload, drain, TLS failover) are surfaced on Control panel and via Recipes — the dedicated HAProxy tab exists in code but is hidden until product-ready.

HAProxy-HM3.png

Enrollment security model

Each heartbeat must satisfy:

  1. Bearer token — 48-character enrollment secret (hashed in D1)
  2. CF-Connecting-IP — must match allowed source IP(s)
  3. JSON hostname — must match enrolled hostname

Mismatch → 403 (IP) or credential errors.

Agent environment

Variable Purpose
BALCTL_API_BASE
Worker URL (e.g. https://serversctl.com)
BALCTL_ENROLLMENT_SECRET
From Add member modal
BALCTL_HOSTNAME
Override OS hostname
BALCTL_DECLARE_IP
Declare public IPv4 in heartbeat
BALCTL_PROBE_PUBLIC_IP=1
Probe public IP if not declared

Agent runs as root for HAProxy install, backup/restore, admin socket, and cert writes.

Revision #2
Created 2026-06-16 00:54:58 UTC by ServersCTL
Updated 2026-06-17 20:20:14 UTC by ServersCTL