Introduction

HAPEE stands for HAProxy Enterprise Edition.

It is a version of HAProxy packaged by HAProxy Technologies which comes with some third party components, allowing anybody to deploy a state of the art load-balancer with open-source software and associated support.

Subscription levels and Extensions

HAPEE is available through three levels of subscription:

  1. Starter
  2. Business
  3. Premium

The main differences are the support coverage period and the third party components included.

Some Extensions are available on top of HAPEE Business and Premium:

  • Advanced Persistent Threat protection
  • RHI (Route Health Injection)

This list may grow later.

HAPEE Starter

This version includes the minimal set of components required to build a load-balancer:

  • the Load-Balancer: HAProxy
  • Load-Balancer CLI secured client: socat (compiled without any network protocols)
  • System tuning

For more information about HAPEE subscriptions, please read http://haproxy.com/products/haproxy-enterprise-edition/.

HAPEE Business and Premium

This version includes the starter packages plus add-ons to ease monitoring and management:

  • the Load-Balancer with advanced Extensions: HAProxy
  • Load-Balancer CLI client: socat
  • VRRP high availability: keepalived
  • System tuning
  • Management scripts
  • SNMP server: net-snmp (patched for 64 bits counters)
  • Syslog configuration, scripts and template

For more information about HAPEE subscriptions, please read http://haproxy.com/products/haproxy-enterprise-edition/.

Advanced Persistent Threat protection extension

An HTTP protocol deep-inspection and clean-up extension to enforce the security of web applications.

Botnet protection

A challenge-response module which allows HAProxy to block non-legitimate HTTP clients by sending them a JavaScript challenge to solve.

RHI extension

RHI stands for Route Health Injection.

It gives the ability to announce the availability of a virtual service through routing protocols (BGP / OSPF / ...).

This extension includes two components:

  1. a routing daemon, bird (patched to accept volatile routes)
  2. a monitoring daemon which updates the routing daemon based on the status found in the load-balancing software

Components

Summary

The table below describes briefly each component:

HAPEE components

Name                      Tool          Subscription level    Description
------------------------  ------------  --------------------  ----------------------------------------------------------------------------------
hapee-1.5r2-base          -             Starter               Common settings required by other components
hapee-1.5r2-lb            HAProxy       Starter               HAProxy load-balancer with SSL, IPv6, etc.
hapee-1.5r2-cli           socat         Starter               Client used to connect to and interact with the currently running HAProxy instance
hapee-1.5r2-vrrp          keepalived    Business or Premium   Virtual IP high-availability between nodes of a cluster
hapee-1.5r2-cli-lb        -             Business or Premium   Scripts to ease control of HAProxy through its socket
hapee-1.5r2-update        HAProxy       Business or Premium   HAProxy extension allowing automatic download of map or ACL updates through HTTP
hapee-1.5r2-log           -             Business or Premium   Autonomous log system based on the operating system's default syslog daemon
hapee-1.5r2-snmp          net-snmp      Business or Premium   Improved SNMP daemon (64-bit counters)
hapee-1.5r2-snmp-lb       -             Business or Premium   Load-balancing counters available through the SNMP daemon
hapee-1.5r2-lb-sanitize   HAProxy       Extension             Advanced Persistent Threat protection
hapee-1.5r2-lb-antibot    HAProxy       Extension             Challenge/response botnet protection module
hapee-1.5r2-route         bird / rhi    Extension             Route Health Injection

Interactions

The picture below shows interactions between HAPEE components:

[Figure: components_interactions.png, interactions between HAPEE components]

Operating System qualified

HAPEE has been qualified and is currently available for the following operating systems:

  • CentOS 5 32 and 64 bits
  • CentOS 6 64 bits
  • CentOS 7 64 bits
  • Debian 7 (wheezy) 64 bits
  • Debian 8 (jessie) 64 bits
  • RedHat Enterprise 5 32 and 64 bits
  • RedHat Enterprise 6 64 bits
  • RedHat Enterprise 7 64 bits
  • RedHat Enterprise 7 ppc64el
  • Ubuntu 12.04 LTS 64 bits
  • Ubuntu 14.04 LTS 64 bits
  • Ubuntu 14.04 LTS ppc64el

Hardware requirements

HAPEE hardware requirements are similar to HAProxy's and really depend on the workload it has to manage.

Only CPU and Memory are taken into consideration. Disk size depends on your operating system and the amount of log you want to keep.

Note

The indications below are informational only. Please contact HAProxy Technologies for assistance with sizing your servers.

Low level workload

This workload corresponds to the following:

  • TCP or HTTP traffic
  • up to 1000 conn/s
  • very low SSL traffic or gzip compression

This type of workload can be achieved either by a Virtual Machine or a bare metal server.

You need at least:

  • 1 CPU core
  • 1G of RAM

Mid level workload

This workload corresponds to the following:

  • TCP or HTTP traffic (including HTTP manipulation)
  • up to 4000 conn/s
  • low SSL traffic or gzip compression

This type of workload can be achieved either by a Virtual Machine or a bare metal server.

You need at least:

  • 2 CPU cores
  • 1G of RAM

High level workload

This workload corresponds to the following:

  • TCP or HTTP traffic (including HTTP manipulation)
  • up to 20000 conn/s
  • 10% of traffic ciphered (SSL) or compressed

This type of workload can be achieved by a bare metal server only.

You need at least:

  • 2 CPU cores, as fast as possible
  • 4G of RAM
  • a powerful network card

Other workload

HAProxy Technologies can assist you in achieving some specific workloads such as:

  • very high HTTP connections per second
  • very high SSL capacity
  • very high compression capacity

Such workloads must combine good hardware and a smart architecture of the server components (kernel, processes, etc.).

Backported features

HAPEE 1.5r2 is based on Community version 1.5 and embeds the following features from the development version of HAProxy in a stable and reliable way:

  • HTTP parsing compliance with RFC7230
  • pattern response cache for higher performance
  • peers / stick-table:
    • disabled : disable a peers section
    • enable : enable a peers section
    • peers compatible with configuration with nbproc > 1
  • Proxy (frontend / backend) directive:
    • log-format-sd : Specifies the RFC5424 structured-data log format string
    • log-tag : specifies the log tag to use for all outgoing logs
    • option http-buffer-request : enable waiting for the whole HTTP request body before processing
    • option http-ignore-probes : disable logging of null connections and request timeouts (408s)
    • tcp-check comment : insert a comment in a tcp-check rule for a custom log reporting in case of failure
  • http-request rules:
    • capture : convenient way to capture data and use it at any time in the session (same request/response) and log it
    • set-method : rewrite HTTP method
    • set-path : rewrite request’s URI path
    • set-query : rewrite request’s query
    • set-uri : rewrite whole URI (scheme, path and query strings)
    • track-sc : tracking sticky counters
  • bind options:
    • tcp-ut : set a TCP User Timeout for all incoming connection on the associated socket. Safe way to detect silently disconnected clients on TCP or websocket farms while keeping long timeout on client, server and tunnel.
  • server options:
    • no-ssl-reuse : force a new TLS key for each connection on the server side. Debugging purpose only, since it drastically increases the load on the server.
    • tcp-ut : set a TCP User Timeout for all outgoing connections on the associated socket. Safe way to detect silently disconnected servers on TCP or websocket farms while keeping long timeout on client, server and tunnel.
    • sni : server side TLS SNI
  • SSL / TLS protocol:
    • tls-ticket-keys : TLS ticket keys file to load the keys from
  • 3 track-sc* counters instead of 2
  • Converters:
    • add : addition
    • and : bitwise AND
    • bool : positive boolean
    • bytes : extracts bytes (substring)
    • cpl : two's complement of the input bits
    • crc32 : CRC32 hash
    • div : division
    • djb2 : DJB2 hash
    • even : is the input an even number
    • field : extract substring based on a delimiter
    • in_table : search input in a table
    • json : Escapes the input string to make it JSON compliant
    • ltime : convert an EPOCH into local time string
    • mod : return the remainder of a division
    • mul : multiplication
    • neg : opposite value
    • not : negative boolean
    • odd : is the input an odd number
    • or : bitwise OR
    • regsub : sed-like regex based substitution
    • sdbm : SDBM hash
    • sub : subtraction
    • table_bytes_in_rate : returns the average bytes-in rate from a table for the input string
    • table_bytes_out_rate : returns the average bytes-out rate from a table for the input string
    • table_conn_cnt : return the cumulated amount of connection from a table for the input string
    • table_conn_cur : return the current number of connection from a table for the input string
    • table_conn_rate : return the current connection rate from a table for the input string
    • table_gpc0 : return the value of gpc0 counter from a table for the input string
    • table_gpc0_rate : return the gpc0 increase rate from a table for the input string
    • table_http_err_cnt : return the number of HTTP errors from a table for the input string
    • table_http_err_rate : return the HTTP errors rate from a table for the input string
    • table_http_req_cnt : return the cumulated HTTP requests from a table for the input string
    • table_http_req_rate : return the HTTP request rate from a table for the input string
    • table_kbytes_in : returns the cumulated amount of data transferred (client to server) from a table for the input string
    • table_kbytes_out : returns the cumulated amount of data transferred (server to client) from a table for the input string
    • table_server_id : return the server id associated from a stick table for the input string
    • table_sess_cnt : return the incoming session count from a table for the input string
    • table_sess_rate : return the incoming session rate from a table for the input string
    • table_trackers : return the number of concurrent trackers from a table for the input string
    • url_dec : return the decoded version of an encoded URL
    • utime : convert an integer (EPOCH) into a UTC time string
    • word : extract a word from a string using delimiters
    • wt6 : WT6 hash
    • xor : bitwise XOR
  • New fetch methods:
    • ssl_fc_is_resumed : returns true when the SSL/TLS session has been resumed
    • req.ssl_ec_ext : returns true identifying when a client sent the Supported Elliptic Curves Extension as defined in RFC4492
    • req.body : returns the HTTP request’s available body as a block of data
    • req.body_param([<name>]) : extracts the first occurrence of the parameter <name> in the body
    • req.body_len : returns the length of the HTTP request’s available body in bytes
    • req.body_size : returns the advertised length of the HTTP request’s body in bytes
    • query : extracts the request’s query string
    • req.hdr_names : builds a string made from the concatenation of all header names as they appear in the request
    • res.hdr_names : builds a string made from the concatenation of all header names as they appear in the response
  • New stats socket commands:
    • set ssl tls-key <id> <tlskey> : Set the next TLS key for the listener <id>
    • show env [<name>] : show environment variables
    • show backend : Dump the list of backends available in the running process
    • show servers state [<backend>] : Dump the state of the servers found in the running configuration
    • show tls-keys : Dump all loaded TLS ticket keys
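
The fragment below is an added example, not configuration from the HAPEE documentation or from HAProxy Technologies. It shows how several of the backported features listed above fit together in one haproxy.cfg from an operator's point of view: tcp-ut to notice silently disconnected peers without shortening the long websocket timeouts, http-request track-sc with a stick-table (shared through a peers section) to rate-limit abusive clients, http-buffer-request with req.body_size to bound request bodies, http-request capture and set-path with the bytes and regsub converters, and log-format-sd with the ssl_fc_is_resumed fetch for RFC5424 logging. All addresses, file paths, section names and thresholds (192.0.2.x, 10.0.0.x, /etc/hapee-1.5/..., /var/run/hapee-lb.sock, 50 requests per 10 s, 1 MiB) are assumed values for illustration.

```haproxy
# Added example configuration (not from the HAPEE docs); addresses, paths,
# names and thresholds are assumptions chosen for illustration.

global
    log 127.0.0.1 local0
    # Stats socket queried by the hapee-1.5r2-cli client (socat); path assumed.
    stats socket /var/run/hapee-lb.sock mode 600 level admin

defaults
    mode http
    log global
    option httplog
    # Do not log connections that never sent a request (monitoring probes).
    option http-ignore-probes
    timeout connect 5s
    timeout client  300s
    timeout server  300s
    timeout tunnel  1h

# Peers section: stick-table entries are replicated between cluster nodes.
# Adding the "disabled" keyword here switches replication off without
# deleting the section. Node names and addresses are assumed.
peers hapee_peers
    peer lb1 192.0.2.11:10000
    peer lb2 192.0.2.12:10000

frontend fe_web
    # tcp-ut: give up on a client whose TCP stack stops acknowledging data
    # after 30s, while timeout client/tunnel stay long for websockets.
    bind *:80 tcp-ut 30s
    bind *:443 ssl crt /etc/hapee-1.5/certs/site.pem tls-ticket-keys /etc/hapee-1.5/tls-ticket.keys tcp-ut 30s

    # RFC5424 structured-data logging, tagged per frontend; records whether
    # the TLS session was resumed (assumed SD-ID).
    log-tag hapee-web
    log-format-sd [exampleSDID@32473\ src=\"%ci\"\ sslresumed=\"%[ssl_fc_is_resumed]\"]

    # Wait for the whole request body so req.body* fetches can see it.
    option http-buffer-request

    # Per-source-IP counters over a 10s window, shared with the peers.
    stick-table type ip size 100k expire 30s peers hapee_peers store http_req_rate(10s),http_err_rate(10s)
    http-request track-sc0 src

    # Reject clients above 50 requests or 10 HTTP errors per 10s (assumed limits).
    http-request deny if { sc0_http_req_rate gt 50 }
    http-request deny if { sc0_http_err_rate gt 10 }

    # Reject bodies whose advertised size exceeds 1 MiB before buffering more.
    http-request deny if { req.body_size gt 1048576 }

    # Capture the first 64 bytes of the User-Agent header for the log line.
    http-request capture req.hdr(User-Agent),bytes(0,64) len 64

    # Rewrite a legacy path prefix; set-path leaves the query string intact.
    http-request set-path %[path,regsub(^/old/,/new/)] if { path_beg /old/ }

    default_backend be_app

backend be_app
    balance roundrobin
    # Server-side tcp-ut detects silently dead servers; sni presents the
    # expected name to the TLS backend (name and CA file assumed).
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt sni str(app.internal.example) tcp-ut 30s check
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt sni str(app.internal.example) tcp-ut 30s check
```

Once this configuration is loaded, the new stats socket commands listed above can be exercised through the hapee-1.5r2-cli client, for example `echo "show servers state be_app" | socat stdio unix-connect:/var/run/hapee-lb.sock` to dump the state of the be_app servers, or `show tls-keys` in the same way to confirm which ticket keys are loaded (the socket path is the assumed one from the example). Because the stick-table is declared with the peers section, a client blocked by the rate limit on lb1 is blocked on lb2 as well, which is the reason for tracking the counter in a shared table rather than per node.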

License

HAPEE respects the license of each piece of software it embeds.

  • keepalived (hapee-1.5r2-vrrp): GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or any later version

  • net-snmp (hapee-1.5r2-snmp): http://www.net-snmp.org/about/license.html

  • socat (hapee-1.5r2-cli): GNU General Public License as published by the Free Software Foundation, version 2 of the License

  • HAProxy (hapee-1.5r2-lb) uses two licenses:

    • all the source code is under GNU General Public License version 2
    • all exportable include files are by default under GNU Lesser General Public License (LGPL) version 2.1
    • for more information about HAProxy licenses, please read the LICENSE file provided on the haproxy.org site
  • HAProxy Extensions: the code can use any license, thanks to the LGPL mentioned above.