HAProxy Enterprise Documentation 1.8r2

Overview

Today, many web applications experience high traffic demands, and traffic spikes can lead to server overloads and a deteriorating user experience.

The HAProxy Enterprise software load balancer spreads traffic across a pool of healthy servers, allowing you to scale out your capacity for handling concurrent requests. You can then easily answer the demand, while also improving performance and availability.

[Traffic flow with a load balancer]

You can seamlessly integrate HAProxy Enterprise with your existing infrastructure, either:

  • at the edge of a network to replace traditional, hardware load balancers,

  • in the cloud to replace expensive virtual load balancers,

  • or inside a container network as a sidecar proxy.

The job of a load balancer

A load balancer sits in front of your web servers and receives requests directly from clients before relaying them to one of your servers. In this way, it can distribute requests evenly, allowing the work to be shared. This prevents any backend server from becoming overworked and, as a result, your servers operate more efficiently. A load balancer differs from a web or application server in that it does not host your web application directly. Instead, its job is to spread the work across your cluster of servers.

Because all requests pass through the load balancer on their way to a server, the load balancer becomes the ideal place to redirect clients, inspect for malicious behavior, and generate traffic statistics, among other duties. HAProxy Enterprise provides security and management features in addition to load-balancing. You can use it to load balance any TCP/IP service including databases, message queues, mail servers, and IoT devices.

HAProxy Enterprise functionalities

HAProxy Enterprise offers traffic rate-limiting, health checks, switching rules (ACLs), a Web Application Firewall, application-layer DDoS attack protection, SSL termination, HTTP compression, and best-in-class observability.

The following table presents the main features of the HAProxy Enterprise load balancer in more detail:

Rate limiting

To keep resource usage fair, you can stop a client from making too many requests during a window of time.

Health checks

HAProxy Enterprise monitors the health of web servers and backend servers to ensure they can handle requests. It removes unhealthy servers from the pool and puts them back in place once they're up and running.

Switching rules (ACLs)

You can filter and direct traffic in real time through conditional statements (ACLs).

  • Route requests to the right server.

  • Redirect requests to other pages.

  • Block malicious requests.

Web Application Firewall

The HAProxy Enterprise Web Application Firewall (WAF) stops attacks against web applications.

It supports three modes:

  • SQLi / XSS mode

  • Safelist-only mode

  • ModSecurity mode.

    The comprehensive ModSecurity sets of rules can thwart, among other threats:

    • SQL injection attacks (SQLi)

    • Cross-site scripting (XSS)

    • Remote file inclusion (RFI)

    • Remote code execution (RCE)

Application-Layer DDoS Attack Protection

HAProxy Enterprise mitigates today's threats through real-time behavioral analysis.

  • Protect against application-based DDoS attacks such as HTTP request flooding

  • Protect against bot threats such as web scraping, brute forcing, and vulnerability scanning

  • Implement an advanced threat response policy with the Antibot and Google reCAPTCHA modules

  • Implement cluster-wide threat protection with Realtime Cluster-wide Tracking

  • Enhance bot threat protection with add-ons such as the WAF and Fingerprint modules

  • Dynamically maintain cluster-wide allowlists and denylists with the LB-Update module

SSL termination

Maintaining SSL certificates across a pool of servers is tedious, error-prone and a waste of processing power on application or web servers.

With SSL termination, or SSL offloading, you perform all encryption and decryption at the edge of your network.

  • Maintain certificates in fewer places.

  • Don't expose your servers to the Internet for certificate renewal.

  • Save processing power on backend servers.

HTTP compression

Save network bandwidth and reduce latency by compressing the body of a response before it's relayed to the client.

Observability

Analyze live metrics, monitor threat protection, or disable servers depending on their status with the Real-time Dashboard.

Data Plane API

You can leverage the Data Plane API to:

  • populate the HAProxy configuration on the fly through the Consul service networking solution,

  • manage files outside of HAProxy Enterprise, such as:

    • SSL certificates and keys,

    • Map files used to route traffic, apply rate limiting, and activate servers, and

    • SPOE configuration files to pass messages to external programs.

HAProxy Enterprise architecture

HAProxy Enterprise integrates seamlessly with your existing infrastructure. Internally, it is comprised of frontends, ACLs, default and conditional backends, and servers.

It routes traffic to any number of pools of servers, which are comprised of physical servers, VMs, Kubernetes pods, containers, and so on.

The following table presents the main components of the HAProxy Enterprise load balancer in more detail:

Seamless integration

HAProxy Enterprise stands as a reverse proxy in front of your backend servers and integrates seamlessly with your network infrastructure.

Frontend

A frontend exposes a website to the Internet, for instance, www.example.com.

You may add as many frontend sections as needed. A frontend contains one or more listeners.

Binds

A bind defines the IP addresses and ports that clients can connect to. You can, for example, associate multiple binds with a frontend, e.g., one for HTTP and another for HTTPS requests.

ACLs

You can test various conditions through Access Control Lists (ACLs), and perform a given action based on those tests.

You can:

  • search for strings or patterns within requests or responses,

  • check origin IPs,

  • check a client's request rate,

  • check the server's response status,

  • etc.

You can then:

  • make routing decisions

  • redirect requests

  • returning static responses,

  • and much more.

You can easily create complex conditions through logic operators (AND, OR, NOT).

Default backend

A backend is a group of servers that handle requests in a load-balanced fashion. The default backend is the pool of servers to send traffic to if requests do not match any ACL.

Conditional backends

A conditional backend is a pool of servers to send traffic to if requests match an ACL.

A given conditional backend will typically handle requests for either static or dynamic content.

Server

A server defines the IP address and port of an actual server that will be load-balanced and process client requests.

A server may be any of the following:

  • A physical server

  • A virtual server

  • Any type of container, for example, a Docker container

Next up

Hardware Recommendations