
High Performance Security
The world’s most highly trafficked sites trust HAProxy as their frontline defense against a myriad of attacks. HAProxy users receive the benefits of SSL with less hardware while reducing the number of services exposed to the Internet.
We detect and stop DDoS, brute-force, and SQL injection/XSS attacks. With our advanced logging, we identify intrusions and assure protocol compliance.


Multilayered Security
Identifying and stopping threats in today’s ever-changing security landscape requires a multilayered approach. HAProxy delivers peace of mind by immobilizing threats at the edge without sacrificing the best-in-class performance that it’s known for.

LAYER 1 – Access Control Lists (ACLs)
The first layer is our flexible Access Control Lists (ACLs). They match on custom-defined criteria, allowing you to make routing decisions and implement protection mechanisms based on anything found within the request/response headers or metadata. You can easily create policies that match clients and requests by IP range, SSL data, headers or paths, geolocation, and device type.
ACL files, Map files, and TLS ticket keys can be updated from a central location at a defined interval using the dynamic update module included in HAProxy Enterprise.
LAYER 2 – Client Fingerprinting
A second layer unmasks clients that try to sneak past with forged request data. HAProxy attaches fingerprints to clients and is able to triangulate on the data to form an accurate ID.
Bots and scanners are identified immediately, before they have a chance to do harm.
LAYER 3 – Realtime Cluster-wide Tracking
The third layer of defense deploys behavior analysis across your entire cluster of proxies. HAProxy performs real-time tracking of client requests and stores that data to form big-picture insights about what a client may be trying to do.
Track behavior based on IP address, User-Agent string, session ID, request path, and much more. Generated metrics include requests/sec, total number of requests made, errors/sec, total number of errors, byte rates, and more.
LAYER 4 – Web Application Firewall (WAF)
HAProxy provides a fourth layer of defense: an integrated Web Application Firewall (WAF). The WAF detects and stops Layer 7 attacks including SQL injection and cross-site scripting.
The HAProxy Enterprise WAF comes with support for ModSecurity rulesets, zero-trust mode, and an optional, simplified, set-and-forget SQLi / XSS WAF mode.
HAProxy Enterprise Security Features Include
Reverse Proxy
Proxy all traffic from the Internet to your application servers through HAProxy, exposing only intended services and logging requests.
HTTP Validation
Validate that requests comply with the protocol specifications before sending them on to application servers.
WAF Module
Enable the high-performance Web Application Firewall, which supports multiple modes including custom signature-based support, zero-trust mode, and ModSecurity ruleset support.
Anomalous Behavior Protection
Combine multiple metrics about a client’s behavior for smarter routing and access decisions.
Dynamic ACL Updates
At runtime, update in memory the ACL, Map, or TLS ticket key files that are normally loaded from disk during HAProxy startup.
Advanced Application-Based DDoS Protection
Block requests from clients based on multiple metrics and criteria over a configurable time window.
Antibot Module
Send a JavaScript challenge to requests selected by ACL rules.
reCAPTCHA v2
Present a Google reCAPTCHA v2 challenge to clients that exhibit anomalous traffic patterns.
Sanitize Module
Filter and verify that HTTP header names and contents comply with the HTTP specification.
Fingerprint Module
Generate a unique identifier based on a client request.
Traffic Filtering
Use ACLs to detect any condition in HTTP(S) traffic and route or block the request as desired.
Featured Resources
ON-DEMAND WEBINAR
Achieving FIPS 140-2 Encryption Compliance with HAProxy Enterprise
FIPS 140-2 is a U.S. government standard regulating the encryption algorithms that federal agencies may use. It seeks to safeguard data by retiring weak algorithms from its approved list. While government agencies and contractors must follow this standard, organizations in other industries also adopt it to ensure data security.
In this webinar you’ll learn how FIPS 140-2 is designed to protect data, how it relates to using TLS encryption, and how you can become compliant using HAProxy Enterprise on Red Hat Enterprise Linux.
Speaker: Daniel Corbett
FREE EBOOK
The HAProxy Guide to Multi-Layer Security
HAProxy gives you the building blocks to create a strong, layered defense against DDoS, malicious bot traffic, vulnerability scanners and more. Using its flexible configuration language, you’ll learn to:
- Protect your services from application-layer DDoS attacks
- Identify and stop malicious bots
- Harness the power of the HAProxy Enterprise WAF to counter sophisticated, Layer 7 attacks like SQL injection and cross-site scripting