# Pool members & enrollment ### Member tab layout Click a member in the tab bar to open its workspace. Sub-tabs:
TabPurpose
Control panel
Host ops: reboot, updates, hostname, TLS domain (non-HAProxy PEM)
Security
UFW firewall, SSH enable/disable, firewall backup
Status
Live HAProxy traffic stats from heartbeat (`show stat`)
Cron & Jobs
Scheduled tasks + job timeline
Restore Backups
List snapshots, scoped backup/restore
Recipes
One-click enable flows (admin socket, SSH, Let’s Encrypt, agent update)
Monitoring
Member-level alert thresholds
Settings
Display name, hostname, allowed IPs, geo, remove member
HAProxy-specific Management actions (install, reload, drain, TLS failover) are surfaced on Control panel and via Recipes — the dedicated HAProxy tab exists in code but is hidden until product-ready. [![HAProxy-HM3.png](https://docs.serversctl.com/uploads/images/gallery/2026-06/scaled-1680-/haproxy-hm3.png)](https://docs.serversctl.com/uploads/images/gallery/2026-06/haproxy-hm3.png) ### Enrollment security model Each heartbeat must satisfy: 1. Bearer token — 48-character enrollment secret (hashed in D1) 2. `CF-Connecting-IP` — must match allowed source IP(s) 3. JSON `hostname` — must match enrolled hostname Mismatch → 403 (IP) or credential errors. ### Agent environment
VariablePurpose
`BALCTL_API_BASE`
Worker URL (e.g. `https://serversctl.com`)
`BALCTL_ENROLLMENT_SECRET`
From Add member modal
`BALCTL_HOSTNAME`
Override OS hostname
`BALCTL_DECLARE_IP`
Declare public IPv4 in heartbeat
`BALCTL_PROBE_PUBLIC_IP=1`
Probe public IP if not declared
Agent runs as root for HAProxy install, backup/restore, admin socket, and cert writes.