HAProxy can run in two different modes: TCP or HTTP. When operating in TCP mode, we say that it acts as a layer 4 proxy. In HTTP mode, we say that it acts as a layer 7 proxy. To understand the difference, you must first learn about the Open Systems Interconnection (OSI) model, which helps IT pros conceptualize and explain where a piece of software fits in the context of a computer network.
The OSI model is really just a way to simplify how one thinks about a network and the components that reside within it. It’s made up of seven layers, each responsible for a different set of functions, but all interconnected with one another. Here are the seven layers:
Layer 7 – Application: application protocols like HTTP, SSH and SMTP
Layer 6 – Presentation: the character encoding like ASCII vs UTF-8
Layer 5 – Session: mechanisms for establishing point-to-point communication
Layer 4 – Transport: data transfer protocols like TCP and UDP
Layer 3 – Network: network routing protocols like IP and OSPF
Layer 2 – Data Link: protocols that connect the physical layer to the network layer, such as Ethernet and ARP
Layer 1 – Physical: the physical components such as cable wiring and Wi-Fi
I’ve listed them in descending order because the upper layers rely on the layers below. At the bottom, the Physical layer represents the cables, electrical signals, radio waves, and other tangible or measurable aspects that make up a network. At the top rests the most intangible layer, the Application layer, which contains high-level protocols like HTTP, which browsers and web servers use to exchange web pages. In between, the layers serve various functions including linking computers on a network, assigning computers unique addresses, and interpreting messages using the right encoding.
HAProxy can be switched into TCP mode, which corresponds to layer 4, or HTTP mode, which corresponds to layer 7, by setting its mode directive in the HAProxy configuration. Which mode you choose will change the features available to you. That’s what makes the OSI model so helpful. It categorizes the software in terms of where it fits in the strata of a network and lets you know what functionality you can expect. HAProxy Enterprise, meanwhile, also ships with a UDP mode for reliable app delivery at massive scale.
HAProxy Enterprise is a flexible data plane layer that provides high-performance load balancing for TCP, UDP, QUIC, and HTTP-based applications, an API/Al gateway, Kubernetes application routing, best-in-class SSL/TLS processing, and multi-layered security. It ships with HAProxy Fusion Control Plane, which offers full-lifecycle management, observability, and automation for large-scale HAProxy Enterprise deployments.
Both products are core components of HAProxy One: the world's fastest application delivery and security platform that is the G2 category leader in API management, container networking, DDoS protection, web application firewall (WAF), and load balancing.
Layer 4 Proxy Mode
Configure HAProxy to be a layer 4 proxy by setting its mode directive to tcp, as shown in this configuration snippet:
| defaults | |
| # mode is inherited by sections that follow | |
| mode tcp | |
| frontend db | |
| # receives traffic from clients | |
| bind :3306 | |
| default_backend databases | |
| backend databases | |
| # relays the client messages to servers | |
| server db1 192.168.0.10:3306 | |
| server db2 192.168.0.11:3306 |
Here, the mode is set in a defaults section so that it applies to any listen, frontend and backend sections that follow. You can also set it in any of those sections too to override what you set in the defaults section. Beware that a frontend and a backend, which form the two halves of the proxied connection—from the client to HAProxy and from HAProxy to the server(s)—must have the same value for mode.
Layer 4 of the OSI model is the Transport layer. It’s responsible for transferring data across a network. One of the most common protocols used here is the Transmission Control Protocol (TCP). TCP chops a message up into segments and then sends them from a source computer to a destination. The sending and receiving computers may have several conversations going on with multiple computers at the same time. For that reason, each communication stream is assigned a unique IP address and port number combination so that those conversations can happen in parallel without colliding.
When HAProxy runs in this mode, it has access to which IP address and port the client is trying to connect to on the backend server. It intercepts the messages by standing in for the server on the expected address and port. For example, if the client expects to connect to port 3306, HAProxy will listen on that port and relay the messages to the server. However, because HAProxy stands in the middle, the server is free to listen on some other IP and port.
Proxying at this layer is lightweight and fast because it is only concerned with transport. HAProxy doesn’t read the messages, it only acts as a courier passing messages back and forth. Yet, it can still add a lot of benefits including health checking servers, hiding your internal network from the public Internet, queuing connections to prevent server overload, and rate limiting connections. It works well for load balancing services that communicate over TCP such as database traffic to MySQL, Postgres and Redis servers.
Layer 7 Proxy Mode
Configure HAProxy to be a layer 7 proxy by setting its mode directive to HTTP, as shown in this configuration snippet:
| defaults | |
| # mode is inherited by sections that follow | |
| mode http | |
| frontend www | |
| # receives traffic from clients | |
| bind :80 | |
| default_backend web_servers | |
| backend web_servers | |
| # relays the client messages to servers | |
| server s1 192.168.0.10:3000 | |
| server s2 192.168.0.11:3000 |
Layer 7 is the Application layer, but it doesn’t mean application in the typical sense. It refers to the underlying protocol that an application uses, such as how a web server uses HTTP to bundle a web page. At this layer, HAProxy can make routing decisions based on any detail of a message that’s defined in layers 4 through 7. That includes all of the following:
source and destination IP addresses and ports
SSL handshake metadata
HTTP metadata including headers, cookies, URL and method
In this mode, you get what you had with mode tcp, but more. You can choose a pool of servers based on information found in the SSL handshake, such as SNI fields. Or you can route to a specific set of servers based on the requested URL path. Or you can route based on the HTTP headers received, such as the host or cookie headers. HAProxy can make smarter decisions in this mode, but it still performs at lightning speed. This mode is ideal for load balancing web applications, as you might have guessed.
The benefits of using this mode include being able to route based on higher-level protocols, the opportunity to alter HTTP messages as they pass through, more sophisticated health checking, and the ability to rate limit requests. Other features include setting new request or response headers on messages as they pass through HAProxy, issuing HTTP redirects, enabling Basic authentication, and introducing cookie-based server persistence.
At this point, we’ve covered the two modes in which HAProxy operates. Next, check out our blog post The Four Essential Sections of an HAProxy Configuration to get a feel for the other elements commonly found in a configuration file when setting up load balancing.
Conclusion
With HAProxy, you have the choice of proxying traffic at layer 4 (TCP) or layer 7 (HTTP). The former is great for load balancing non-HTTP services, such as databases, whereas the latter is perfect for load balancing web applications. This versatility means that HAProxy is capable of load balancing many types of services, not just web servers. It also opens the door to a lot of the advanced functionality found only in a layer 7 proxy. Note that a single instance of HAProxy can proxy and load balance many services at once, and some of them can operate in TCP mode while others run in HTTP mode simply by setting mode differently in their respective sections.
Want to stay up to date on similar topics? Subscribe to this blog! You can also follow us on Twitter and join the conversation on Slack.
Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.
