Web Application and API Security

With the growing trend to migrate web applications to the cloud, dissolving the clear boundary between internal network and public web, security threats have in turn begun to turn their sights toward these often vulnerable targets. Whether it is securing a back end API not intended to be visible to outside clients, or fighting off attacks to a dynamic PHP web site, the HAProxy suite of products offers a wealth of powerful features to neutralize threats.

The HAProxy Web Application Firewall is the first, and most significant line of defense, providing specialized protection tailored to these web applications and APIs. With both a version of ModSecurity customized for superior performance, and an Advanced WAF with a highly restrictive ruleset, HAProxy Enterprise and its sibling load balancers offer industry leading firewalls to inspect and protect traffic flowing through a system. HAProxy Technologies customers can also implement options like rate limiting and other security policies that are specific to each load balanced API or web app in a network, meaning a load balancer that offers unprecedented control to police your traffic. By also implementing Basic or mTLS authentication at the load balancer tier to restrict access to APIs, you can be sure only valid requests are routing through to sensitive back-end servers.

With the growing trend to migrate web applications to the cloud, dissolving the clear boundary between internal network and public web, security threats have in turn begun to turn their sights toward these often vulnerable targets. Whether it is securing a back end API not intended to be visible to outside clients, or fighting off attacks to a dynamic PHP web site, the HAProxy suite of products offers a wealth of powerful features to neutralize threats.

The HAProxy Web Application Firewall is the first, and most significant line of defense, providing specialized protection tailored to these web applications and APIs. With both a version of ModSecurity customized for superior performance, and an Advanced WAF with a highly restrictive ruleset, HAProxy Enterprise and its sibling load balancers offer industry leading firewalls to inspect and protect traffic flowing through a system. HAProxy Technologies customers can also implement options like rate limiting and other security policies that are specific to each load balanced API or web app in a network, meaning a load balancer that offers unprecedented control to police your traffic. By also implementing Basic or mTLS authentication at the load balancer tier to restrict access to APIs, you can be sure only valid requests are routing through to sensitive back-end servers.

Data Protection

Encryption of traffic can also be a powerful tool against preventing malicious intruders, and is essential for customers handling sensitive data. With in-built SSL/TLS offloading, without the need for an extra network component, data is also secured from end-to-end as it travels between systems. This is especially important for financial sector customers, who can take advantage of HAProxy Enterprise’s FIX protocol support, and configure settings restricting which versions of SSL and TLS clients can use, or a preferred list of cryptographic ciphers, in order to prevent protocol downgrade attacks. Using OpenSSL, the industry leading open-source encryption library, our data security is battle tested and internationally trusted.

Encryption of traffic can also be a powerful tool against preventing malicious intruders, and is essential for customers handling sensitive data. With in-built SSL/TLS offloading, without the need for an extra network component, data is also secured from end-to-end as it travels between systems. This is especially important for financial sector customers, who can take advantage of HAProxy Enterprise’s FIX protocol support, and configure settings restricting which versions of SSL and TLS clients can use, or a preferred list of cryptographic ciphers, in order to prevent protocol downgrade attacks. Using OpenSSL, the industry leading open-source encryption library, our data security is battle tested and internationally trusted.

Denial of Service and Bot Prevention

To protect your system from threats to its availability via DDoS attacks, HAProxy Technologies offers the industry-leading PacketShield. Particular to HAProxy ALOHA, this patented software is a powerful defense against packet floods, a common denial of service attack. Providing stateful packet filtering and blocking illegitimate packets before they need to be processed by the kernel, this allows services to stay operational even when under attack.

HAProxy Enterprise load balancers also offer rate limiting at either the connection or application layer, meaning customers can implement thresholds and prevent unfair usage, as well as cluster-wide tracking to aggregate client behavior patterns across load balancer instances. In addition, a thorough array of bot protection measures like flexible Access Control Lists and client fingerprinting ensures your services are protected from vulnerability scraping, brute-force bots, and crawlers, saving your bandwidth for valid guests.

To protect your system from threats to its availability via DDoS attacks, HAProxy Technologies offers the industry-leading PacketShield. Particular to HAProxy ALOHA, this patented software is a powerful defense against packet floods, a common denial of service attack. Providing stateful packet filtering and blocking illegitimate packets before they need to be processed by the kernel, this allows services to stay operational even when under attack.

HAProxy Enterprise load balancers also offer rate limiting at either the connection or application layer, meaning customers can implement thresholds and prevent unfair usage, as well as cluster-wide tracking to aggregate client behavior patterns across load balancer instances. In addition, a thorough array of bot protection measures like flexible Access Control Lists and client fingerprinting ensures your services are protected from vulnerability scraping, brute-force bots, and crawlers, saving your bandwidth for valid guests.

System Visibility

If the HAProxy Enterprise load balancer is the security center orchestrating all these features, the windows of its watchtower must also offer impeccable visibility on all comings and goings to the system. With verbose logging on not only the content and metadata of each request and response, but also the time taken to complete each phase processing it, customers are able to capture in depth details about suspicious activity. And by implementing these logs using the widely-supported Syslog protocol, HAProxy Enterprise users can stream it to nearly any log aggregation and analysis tool.

Systems administrators can then track behavior based on IP address, User-Agent string, session ID, and request path, and much more, allowing careful analysis and evaluation of their security needs. Generated metrics also include requests/sec, total number of requests made, errors/sec, total number of errors, byte rates, and more.

If the HAProxy Enterprise load balancer is the security center orchestrating all these features, the windows of its watchtower must also offer impeccable visibility on all comings and goings to the system. With verbose logging on not only the content and metadata of each request and response, but also the time taken to complete each phase processing it, customers are able to capture in depth details about suspicious activity. And by implementing these logs using the widely-supported Syslog protocol, HAProxy Enterprise users can stream it to nearly any log aggregation and analysis tool.

Systems administrators can then track behavior based on IP address, User-Agent string, session ID, and request path, and much more, allowing careful analysis and evaluation of their security needs. Generated metrics also include requests/sec, total number of requests made, errors/sec, total number of errors, byte rates, and more.