High Performance Security
HAProxy Enterprise detects and stops DDoS attacks, brute force and credential stuffing attempts, web scraping, and vulnerability scanning. With advanced logging, it identifies intrusion attempts and assures protocol compliance.
Identifying and stopping threats in today’s ever-changing security landscape requires a multilayered approach. HAProxy delivers peace of mind by immobilizing threats at the edge without sacrificing the best-in-class performance that it’s known for.
LAYER 1 – Access Control Lists (ACLs)
The first layer is our flexible Access Control Lists (ACLs). They match on custom-defined criteria, allowing you to make routing decisions and implement protection mechanisms based on anything found within the request/response headers or metadata. You can easily create policies that match clients and requests by IP range, SSL data, headers or paths, geolocation, and device type.
ACLs, Map files, and TLS ticket keys can be updated from a central location at a defined interval using the dynamic update module included in HAProxy Enterprise.
LAYER 2 – Client Fingerprinting
The second layer provides the ability to identify a client regardless of user-agent or IP address. HAProxy Enterprise generates a fingerprint for each client, allowing for identification from the very first request.
Client fingerprinting is very useful for identifying bots and vulnerability scanners.
LAYER 3 – Realtime Cluster-wide Tracking
The third layer of defense deploys behavior analysis across your entire cluster of proxies. HAProxy Enterprise performs real-time tracking of client requests and stores that data to form big-picture insights about what a client may be trying to do.
Track behavior based on IP address, User-Agent string, session ID, request path, and much more. Generated metrics include requests/sec, total number of requests made, errors/sec, total number of errors, byte rates, and more.
LAYER 4 – Web Application Firewall (WAF)
HAProxy Enterprise provides a fourth layer of defense: an integrated triple-mode Web Application Firewall (WAF). The WAF detects and stops Layer 7 attacks including SQL injection and cross-site scripting.
The HAProxy Enterprise WAF comes with support for ModSecurity rulesets, zero-trust mode, and an optional, simplified, set-and-forget SQLi / XSS WAF mode.
HAProxy gives you the building blocks to create a strong, layered defense against DDoS, malicious bot traffic, vulnerability scanners and more. Using its flexible configuration language, you’ll learn to:
- Protect your services from application-layer DDoS attacks
- Identify and stop malicious bots
- Harness the power of the HAProxy Enterprise WAF to counter sophisticated, Layer 7 attacks like SQL injection and cross-site scripting
Learn how leading companies implement HAProxy Enterprise security solutions
Our customers use HAProxy Enterprise to achieve the utmost performance, observability, and security. HAProxy Enterprise security solutions are deployed to protect some of the most popular websites in the world.
HAProxy Enterprise Security Features Include
Proxy all traffic from the Internet to your application servers through HAProxy Enterprise, exposing only intended services and logging requests.
Validate that requests comply with the protocol specifications before sending them on to application servers.
Anomalous Behavior Protection
Combine multiple metrics about a client’s behavior for smarter routing and access decisions.
Dynamic ACL Updates
Update ACL, Map, or TLS ticket key files in memory at runtime. These files are normally loaded from disk during HAProxy Enterprise startup.
Advanced Application-Based DDoS Protection
Block requests from clients based on multiple metrics and criteria over a configurable time window.
Present a Google reCAPTCHA v2 or v3 challenge to clients that exhibit anomalous traffic patterns.
Generate a unique identifier based on a client request.
Use ACLs to detect any condition in HTTP(S) traffic and route or block the request as desired.
Search Engine Verification
Check the authenticity of any client that claims to be a search engine crawler and enforce response policies against those it categorizes as phony. The verification is performed in the background in real-time so that legitimate web crawlers are not blocked.
Did you know that an HAProxy Enterprise load balancer can protect your applications from common threats? In this webinar, we’ll give you an overview of the multilayered security solution provided by HAProxy Enterprise.
We will cover how to:
- use the HAProxy Enterprise WAF to protect web applications
- identify vulnerability scanners by their behavior and fingerprints
- implement escalating response policies to block malicious requests before they can even reach the WAF
DDoS Attack and Bot Protection with HAProxy Enterprise: Defending Your Application Against Ever-increasing Threats
By leveraging an extremely efficient and innovative design, including extensive ACL and Stick Table tracking systems, HAProxy Enterprise is able to perform the real-time behavioral analysis that mitigating today’s threats demands.
In this webinar we will present how to:
- Protect against application-based DDoS attacks such as HTTP request flooding
- Protect against bot threats such as web scraping, brute forcing, and vulnerability scanning
- Implement an advanced threat response policy with the Antibot and Google reCAPTCHA modules
- Implement cluster-wide threat protection with the Stick Table Aggregator
- Enhance bot threat protection with add-ons such as the WAF and Fingerprint modules
- Dynamically maintain cluster-wide whitelists and blacklists with the LB-Update module
- Monitor threat protection status with the Real Time Dashboard