HAProxy ALOHA Documentation 15.5

Overview

Today, many web applications experience high traffic demands, and traffic spikes can lead to server overloads and a deteriorating user experience.

HAProxy ALOHA appliances spread traffic across a pool of healthy servers, allowing you to scale out your capacity for handling concurrent requests. You can then easily answer the demand, while also improving performance and availability.


You can seamlessly integrate HAProxy ALOHA with your existing infrastructure at the edge of your network, either as a hardware or as a virtual appliance.

The job of a load balancer

A load balancer sits in front of your web servers and receives requests directly from clients before relaying them to one of your servers. In this way, it can distribute requests evenly, allowing the work to be shared. This prevents any backend server from becoming overworked and, as a result, your servers operate more efficiently. A load balancer differs from a web or application server in that it does not host your web application directly. Instead, its job is to spread the work across your cluster of servers.

HAProxy ALOHA features

HAProxy ALOHA provides security and management features in addition to load balancing. You can use it to load balance any TCP/IP service including databases, message queues, mail servers, and IoT devices.

HAProxy ALOHA offers traffic rate-limiting, health checks, switching rules (ACLs), an optional Web Application Firewall, application-layer DDoS attack protection, SSL termination, HTTP compression, and best-in-class observability.

Hardware HAProxy ALOHA appliances feature PacketShield, which provides stateful packet filtering and enhanced protection against DDoS attacks.

The following table presents the main features of the HAProxy ALOHA appliance in more detail:

Rate limiting

To keep resource usage fair, you can stop a client from making too many requests during a window of time.

Health checks

HAProxy ALOHA monitors the health of web servers and backend servers to ensure they can handle requests. It removes unhealthy servers from the pool and puts them back in place once they're up and running.

Switching rules (ACLs)

You can filter and direct traffic in real time through conditional statements (ACLs).

  • Route requests to the right server.

  • Redirect requests to other pages.

  • Block malicious requests.

Optional Web Application Firewall

The optional HAProxy ALOHA Web Application Firewall (WAF) stops attacks against web applications.

The comprehensive ModSecurity rule sets can thwart, among other threats:

  • SQL injection attacks (SQLi)

  • Cross-site scripting (XSS)

  • Remote file inclusion (RFI)

  • Remote code execution (RCE)

Application-Layer DDoS Attack Protection

HAProxy ALOHA mitigates today's threats through real-time behavioral analysis.

  • Protect against application-based DDoS attacks such as HTTP request flooding

  • Protect against bot threats such as web scraping, brute forcing, and vulnerability scanning

  • Implement an advanced threat response policy with the Antibot module

  • Enhance bot threat protection with add-ons such as the WAF and Fingerprint modules

  • Dynamically maintain cluster-wide allowlists and denylists with the LB-Update module

  • Implement SSO on a Microsoft Active Directory domain, or through Kerberos, Microsoft Active Directory, OpenLDAP, or SAML.

SSL termination

Maintaining SSL certificates across a pool of servers is tedious, error-prone and a waste of processing power on application or web servers.

With SSL termination, or SSL offloading, you perform all encryption and decryption at the edge of your network.

  • Maintain certificates in fewer places.

  • Don't expose your servers to the Internet for certificate renewal.

  • Save processing power on backend servers.

HTTP compression

Save network bandwidth and reduce latency by compressing the body of a response before it's relayed to the client.
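The rate limiting, health check, ACL, SSL termination and HTTP compression features described above map directly onto a few HAProxy configuration directives. The configuration below is an added example, not taken from the HAProxy ALOHA documentation; the certificate path, addresses, health-check URL and the 100-requests-per-10-seconds threshold are assumptions chosen for illustration.

```haproxy
# Added example (not from the ALOHA documentation). All names, addresses,
# paths and thresholds below are assumptions for illustration only.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    # SSL termination: TLS is decrypted here and backends receive plain HTTP.
    # The PEM file (placeholder path) holds the certificate chain and key.
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem
    http-request redirect scheme https unless { ssl_fc }

    # Rate limiting: track each client IP in a stick table and count its
    # requests over a 10 s sliding window; above 100 the request is refused
    # with 429 before it ever reaches a backend server.
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    # Switching rules (ACLs): deny the admin area unless the client comes
    # from an internal range (assumed 10.0.0.0/8), redirect a legacy path.
    acl is_admin      path_beg /admin
    acl from_internal src 10.0.0.0/8
    http-request deny if is_admin !from_internal
    http-request redirect location /new-home code 301 if { path /old-home }

    # HTTP compression: compress text-like response bodies before relaying
    # them to the client.
    compression algo gzip
    compression type text/html text/plain text/css application/json application/javascript

    default_backend app

backend app
    balance roundrobin
    # Health checks: a server that does not answer 200 on /health is taken
    # out of rotation and returned once it passes again.
    option httpchk GET /health
    http-check expect status 200
    server app1 10.0.1.11:8080 check
    server app2 10.0.1.12:8080 check
```

Validate the file with `haproxy -c -f <file>` before loading it; on a stock HAProxy that check also confirms the certificate file exists and parses.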

Optional Data Plane API

You can leverage the optional Data Plane API to:

  • populate HAProxy ALOHA configuration on the fly through the Consul service networking solution,

  • manage files outside of HAProxy ALOHA, such as:

    • SSL certificates and keys,

    • Map files used to route traffic, apply rate limiting, and activate servers, and

    • SPOE configuration files to pass messages to external programs.

HAProxy ALOHA architecture

The HAProxy ALOHA layer 7 reverse proxy integrates seamlessly with your existing infrastructure. Internally, it is composed of frontends, ACLs, default and conditional backends, and servers.

It routes traffic to any number of pools of servers, which are composed of physical servers, VMs, Kubernetes pods, containers, and so on.

The following table presents the main architectural elements of the HAProxy ALOHA appliance in more detail:

Seamless integration

HAProxy ALOHA stands as a reverse proxy in front of your backend servers and integrates seamlessly with your network infrastructure.

Frontend

A frontend exposes a website to the Internet, for instance, www.example.com.

You may add as many frontend sections as needed. A frontend contains one or more listeners.

Binds

A bind defines the IP addresses and ports that clients can connect to. You can associate multiple binds with a frontend, for example one for HTTP and another for HTTPS requests.

ACLs

You can test various conditions through Access Control Lists (ACLs), and perform a given action based on those tests.

You can:

  • search for strings or patterns within requests or responses,

  • check origin IPs,

  • check a client's request rate,

  • check the server's response status,

  • etc.

You can then:

  • make routing decisions,

  • redirect requests,

  • return static responses,

  • and much more.

You can easily create complex conditions through logic operators (AND, OR, NOT).

Default backend

A backend is a group of servers that handle requests in a load-balanced fashion. The default backend is the pool of servers to send traffic to if requests do not match any ACL.

Conditional backends

A conditional backend is a pool of servers to send traffic to if requests match an ACL.

A given conditional backend will typically handle requests for either static or dynamic content.

Server

A server defines the IP address and port of an actual server that will be load-balanced and process client requests.

A server may be any of the following:

  • A physical server

  • A virtual server

  • Any type of container, for example, a Docker container
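Putting the architectural elements together, a frontend with two binds, a set of ACLs combined with logical operators, two conditional backends and a default backend look like the configuration below. This is an added example and not part of the HAProxy ALOHA documentation; the hostname, paths, address ranges, backend names and certificate path are assumptions.

```haproxy
# Added example (not from the ALOHA documentation). Hostname, paths,
# addresses, backend names and certificate path are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend: exposes www.example.com to clients.
frontend www_example_com
    # Binds: one listener for HTTP and one for HTTPS (placeholder PEM path).
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem

    # ACLs: each line names one condition that is tested per request.
    acl host_www      req.hdr(host) -i www.example.com
    acl is_static     path_beg /static/ /images/
    acl is_asset_ext  path_end .css .js .png .jpg
    acl is_api        path_beg /api/
    acl from_internal src 10.0.0.0/8 192.168.0.0/16

    # Logical operators: space-separated names are ANDed, "||" is OR and
    # "!" is NOT. http-request rules are evaluated before use_backend.
    http-request deny if is_api !from_internal

    # Conditional backends: chosen when a request matches an ACL expression.
    use_backend static_pool if host_www is_static || host_www is_asset_ext
    use_backend api_pool    if is_api from_internal

    # Default backend: receives every request that matched no use_backend.
    default_backend dynamic_pool

# Conditional backend for static content.
backend static_pool
    balance roundrobin
    option httpchk GET /healthz
    server static1 10.0.2.11:80 check
    server static2 10.0.2.12:80 check

# Conditional backend for the API; servers may be VMs or containers, HAProxy
# only needs an address and a port.
backend api_pool
    balance leastconn
    option httpchk GET /api/health
    server api-vm1        10.0.3.21:8080 check
    server api-container1 10.0.3.22:8080 check

# Default backend for dynamic content, with one server kept as a backup that
# only receives traffic when the others are down.
backend dynamic_pool
    balance roundrobin
    option httpchk GET /health
    server web1 10.0.1.11:8080 check
    server web2 10.0.1.12:8080 check
    server web3 10.0.1.13:8080 check backup
```

The order of `use_backend` lines matters: the first matching rule wins, so place the most specific conditions first and let `default_backend` catch the rest.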

HAProxy ALOHA Flow manager and Linux Virtual Server

In addition to the HAProxy ALOHA layer 7 reverse proxy described above, HAProxy ALOHA supports an alternative architecture composed of the HAProxy flow manager and the Linux Virtual Server (LVS) load balancer.

The flow manager serves as a firewall capable of filtering incoming packets based on NIC interface, protocol, and IP address/port (both source and destination). It can then apply policies such as allow, drop, forward to an LVS director, or route according to a routing table.

Linux Virtual Server (LVS) is an open-source component that provides load balancing at layer 4. It supports a variety of load balancing algorithms, health check features, and more.
