We are very excited to announce the release of HAProxy Enterprise Edition 1.8r1, which is built on top of the monumental stable release of HAProxy 1.8 with additional enterprise enhancements that help to manage and secure modern applications across the full spectrum of today’s threats.
In one of our previous blog posts, “What’s New in HAProxy 1.8”, we outlined some of the exciting new features released with HAProxy 1.8. In this blog post we will take you on a tour of the important features contained in our flagship product, HAProxy Enterprise Edition (HAPEE), which includes a robust and cutting-edge code base, an enterprise suite of add-ons, expert support, and professional services from HAProxy Technologies. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of the code.
The features contained in HAProxy Enterprise Edition 1.8r1 span multiple categories and can be grouped as follows:
Performance and Application Acceleration
- HTTP/2 Protocol Support
- HTTP Small Object Caching
Backends in Cloud and Microservices Environments
- Hitless Reloads
- DNS for Service Discovery
- Server Templates
- Improved Runtime API
- Web Application Firewall (WAF) Module
- Stick Table Aggregator
- reCAPTCHA Module
- Single Sign On (SSO) Module
- Improved Real Time Dashboard
HAProxy Enterprise Edition 1.8r1 ships with an enterprise suite that contains administration and security-focused add-ons that have the same level of high performance that you would expect from HAProxy. The latest additions include a new Web Application Firewall, Stick Table Aggregator with real-time, cluster-wide tracking for improved DDoS attack and bot protection, direct integration with Google reCAPTCHA, Single Sign On (SSO) support, and significant improvements to the Real Time Dashboard.
Web Application Firewall (WAF)
We are proud to announce the latest addition to our suite of enterprise modules – a new Web Application Firewall (WAF). It features a whitelist-based ruleset that allows administrators to be extremely granular when controlling what data is allowed into their applications. Support for blacklists is also available. It features a learning mode that can be extremely useful when fine-tuning the whitelists, before any specific action is taken when rulesets are violated. ModSecurity (OWASP)-compatible ruleset support is coming soon.
The WAF supports a wide range of integration in HAProxy. You are not limited to just denying a request that has violated the WAF as it can be integrated with other modules, such as the Antibot module or reCAPTCHA module. It can also be combined within ACL statements or tracked within a stick table. This would allow you, for example, to track how many WAF violations a specific IP has triggered and create a progressive response policy based on this value.
For community users, HAProxy also comes bundled with two different Web Application Firewalls, located in the “contrib” directory and named “mod_defender” (Naxsi rule set compatible) and “modsecurity” (ModSecurity rule set compatible). Both of these WAFs are Stream Processing Offload Agents (SPOA) and receive information from a Stream Processing Offload Engine (SPOE).
Because SPOE is currently limited to analyzing the first buffer before taking a decision, these modules cannot process very large requests. In contrast, the new WAF is implemented as a native HAPEE loadable module and, as such, benefits from the tightest integration with HAProxy’s core, which allows it to process virtually unlimited payloads without sacrificing performance. Due to the limitations above, HAProxy Technologies only supports the native WAF module.
Stick Table Aggregator
Stick tables provide an extremely efficient, flexible, and real-time generic key-value store. As such they are an indispensable and powerful feature when it comes to mitigating DDoS attacks and bot threats. After initially being created as a generic session persistence system, StackExchange saw the potential of using stick tables to implement rate limiting of abusive clients as well as tracking data transferred on a per client basis. In cooperation with HAProxy Technologies, they funded further development of stick tables to expand the functionality and today stick tables represent an incredibly powerful subsystem within HAProxy. Many of our customers get to realize the full potential of stick tables and related features when they grow their infrastructures and start using more advanced capabilities in HAProxy.
Several related HAProxy features followed, including the peers protocol, which allows HAProxy to share persistence information between servers and processes. The initial implementation was introduced in September 2010, allowing one table per connection per process. Peers protocol version 2 was released in May 2015 and introduced the ability to use a single connection for all tables as well as to transfer data types. This allowed stick tables to be synchronized across multiple servers as well as kept in sync across reloads.
In its present form, a stick table can be used to detect and track anomalous behavior. Any number of characteristics from a request can be combined, counted, and acted on if necessary. Examples of anomalous behavior that can be detected by stick tables include request floods, web scraping, brute forcing, and vulnerability scanning.
To give a concrete idea, here are some examples of data that can be tracked using stick tables:
- Number of HTTP requests initiated by a client
- Average HTTP request rate in a defined period from a client
- Average HTTP error rate in a defined period from a client
- Count of unique page views made by an IP or User-Agent
- Count of unique User-Agents sent by an IP
- Rate at which an IP is changing User-Agents in a defined period
- Count of WAF violations from an IP or User-Agent
- Number of POST requests sent by a client to a specific page or spread across multiple pages
And this is just a small sample of the core functionality available with stick tables in HAProxy.
Many of our customers who were using stick tables in high traffic, active/active HAProxy environments have been interested in an aggregated view of the stick table data.
Today we are proud to announce the Stick Table Aggregator, which addresses these needs. Written in C with high performance in mind, it gives HAProxy users a live, aggregated view of all of the various counters and tracking data stored in stick tables across multiple HAProxy instances. It also allows aggregators to be cascaded and hierarchically organized in a tree, which is useful for aggregating stick tables located in multiple datacenters around the world.
The necessary configuration for the aggregation feature is quite simple. You only need to define the IP address of the Stick Table Aggregator on each of your HAProxy instances. The aggregator automatically receives all of the stick table updates from each instance using the peers protocol, aggregates the data, and then pushes the updates back into the individual HAProxy instances. This greatly improves the speed and accuracy with which anomalous client activity can be detected.
Because the Stick Table Aggregator uses the peers protocol and operates as a daemon outside of HAProxy, any community member with an understanding of the peers protocol could develop similar functionality in any language, such as Go or Python.
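The following configuration is an added example, not from the original post or from HAProxy Technologies, showing the ideas from the stick table and aggregator sections above in one place: a per-client table shared over the peers protocol, request and error rate tracking, a general-purpose counter used as a per-IP strike count, and a progressive response (tarpit, then deny). The peer names, addresses and backend names are assumed placeholders; in particular the aggregator is simply listed as another peer, which is an assumption about how it is addressed.

```haproxy
global
    # Name this process announces in the peers section; must match its "peer" line below
    localpeer lb1

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # How long a tarpitted client is held before receiving an error response
    timeout tarpit  10s

# Every HAProxy instance and the aggregator exchange table updates over the peers protocol.
# Names and addresses are placeholders; the aggregator entry is an assumption.
peers lb_cluster
    peer lb1 192.0.2.11:10000
    peer lb2 192.0.2.12:10000
    peer sta 192.0.2.100:10000   # assumed: the Stick Table Aggregator daemon

# Dedicated backend holding the per-client tracking table, synchronised via lb_cluster.
# Stored per source IP: request rate and error rate over 10s, plus counter gpc0.
backend st_clients
    stick-table type ip size 100k expire 1h peers lb_cluster store http_req_rate(10s),http_err_rate(10s),gpc0

frontend fe_web
    bind *:80
    # Track the client source address in the shared table using sticky counter 0
    http-request track-sc0 src table st_clients

    # gpc0 is a general-purpose counter used here as a per-IP "strike" count
    acl prior_strikes sc0_get_gpc0(st_clients) ge 3
    acl req_flood     sc0_http_req_rate(st_clients) gt 100
    acl err_burst     sc0_http_err_rate(st_clients) gt 20

    # Add a strike for each request received while the client's error rate is over the
    # threshold (typical of scanning or brute forcing); strikes persist for the table's
    # expire time and are shared with the other instances and the aggregator
    http-request sc-inc-gpc0(0) if err_burst

    # Progressive response: repeat offenders are denied outright, request floods are
    # slowed down with a tarpit, everyone else is served normally
    http-request deny   if prior_strikes
    http-request tarpit if req_flood
    default_backend be_app

backend be_app
    server app1 10.0.0.21:8080 check
```

Because the table is declared in a backend named st_clients on every instance, the peers protocol can match it up across the cluster; the thresholds above are illustrative and should be tuned against real traffic in learning mode before enforcing.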
reCAPTCHA Module
HAProxy Enterprise Edition 1.8r1 also includes support for presenting clients with a Google reCAPTCHA version 2 challenge. The reCAPTCHA module takes advantage of HAProxy’s Lua integration and is fully supported by HAProxy Technologies. Combined with HAProxy’s advanced ACLs and stick tables, it allows administrators to present a captcha page to clients who have exhibited anomalous traffic patterns. This helps in protecting sites from request flooding, web scraping, brute forcing, vulnerability scanning, and more, without affecting legitimate traffic.
Single Sign On (SSO)
Enterprises have an ever-increasing need to let users authenticate against a centralized system. This allows for greater convenience and ease of use when it comes to creating new users, resetting passwords, and terminating accounts. It also has the benefit of requiring users to manage only one set of credentials. HAProxy Enterprise Edition 1.8r1 adds a new daemon that provides support for SSO. The daemon runs as an external process and HAProxy communicates with it using the Stream Processing Offload Engine (SPOE). HAPEE provides not only the agent but also a configuration template specifically for use with Microsoft Active Directory, and it is fully supported by HAProxy Technologies.
Real Time Dashboard Improvements
HAProxy comes bundled with a built-in stats page that you can use to monitor statistics and server status. We’ve received many requests for a real-time, modern stats UI, and in HAPEE 1.7r2 we released the Real Time Dashboard. Significant improvements have been made in our latest release of the Real Time Dashboard, which is available in HAProxy Enterprise Edition 1.8r1. Embeddable builds (such as Amazon AMIs) are now supported as well.
You now have the option to issue a one-time reload instead of only enabling or disabling updates using a defined interval.
Visual alerts have been added to notify you when values reach defined thresholds. If a value reaches the defined warning or critical percentage threshold, it is highlighted in yellow or red respectively.
You also have the option of toggling the number display from a raw format such as “1,000,000” to a compressed format such as “1M”. The ability to copy raw values to the clipboard is also available.
Many other layout and usage improvements were added as well to improve the overall experience. We are also excited to announce that in the near future we will be releasing further improvements such as the ability to view aggregated statistics from multiple HAProxy instances as well as the ability to visually inspect the stick tables data.
We hope you have enjoyed this quick tour of the notable features included with HAProxy Enterprise Edition 1.8r1. For a more in-depth view check out the What’s new in HAProxy Edition 1.8r1 webinar. If you would like to make use of some of the new features please see our HAProxy Enterprise Edition – Trial Version or contact HAProxy Technologies for expert advice.
HAProxy Enterprise Edition is an enterprise-class version of HAProxy that includes a robust and cutting-edge code base, enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code.
For more information on HAProxy, support, and enterprise solutions, visit www.haproxy.com. You can also follow @HAProxy on Twitter or visit us on LinkedIn and Facebook for more information about HAProxy.