Load Balancing with HAProxy for High-Availability
HAProxy is a popular open source application that implements high-availability load balancing for websites that attract massive traffic. It is well known for its stability, reliability and performance in terms of CPU and memory usage, and is used by high-traffic sites such as Tumblr, Twitter, Stack Overflow and GitHub.
Although HAProxy is primarily known for HTTP and TCP load balancing, the range of features it offers makes it a “Swiss Army Knife” for dealing with high loads on web servers and databases.
HAProxy stands for High Availability Proxy. It is a standard choice for TCP/HTTP load balancing and proxying and runs on Linux, Solaris and FreeBSD. Its primary objective is to improve the performance and resilience of a server cluster by distributing the load across several servers (for example web application servers, database servers, etc.).
Its reliability and performance make it a major asset in a server cluster. In this article we will look at some examples of how high-availability hardware and software can be combined to increase the overall performance and stability of a website.
1) Supports encryption (SSL)
HAProxy supports SSL/TLS on both the client side and the server side.
To terminate TLS, add a *bind* on the standard HTTPS port (443) and tell HAProxy where the certificate is:
    listen https-proxy
        # site.pem holds the server certificate and its private key
        bind :443 ssl crt /etc/haproxy/site.pem
        mode http
        # Re-encrypt towards the servers; "verify" needs an argument (none or required),
        # and "required" needs a CA bundle to validate the server certificates against
        # (/etc/haproxy/ca.crt is an assumed path)
        server server_name1 10.0.0.1:443 ssl verify required ca-file /etc/haproxy/ca.crt check
        server server_name2 10.0.0.2:443 ssl verify required ca-file /etc/haproxy/ca.crt check
It handles many TLS extensions, such as SNI, NPN/ALPN and OCSP, and can validate both server-side and client-side certificates. The following bind requires every client to present a certificate signed by the given CA:
    # crt: the server certificate and key; ca-file + verify required: clients must present
    # a certificate issued by this CA, otherwise the TLS handshake is refused
    bind 192.168.10.1:443 ssl crt ./server.pem ca-file ./ca.crt verify required
2) Extended support for IPv6 & UNIX Sockets
Either IPv4, IPv6 or a UNIX socket can be used, on the client side as well as the server side:
    listen mysql_proxy
        # Client side: a UNIX socket owned by user mysql, with permissions 666
        bind /var/tmp/mysql.sock user mysql mode 666
        mode tcp
        # Health check by logging in as "haproxy" using the MySQL 4.1+ handshake
        option mysql-check user haproxy post-41
        # Server side: an IPv4 master and an IPv6 backup
        server mysql 192.168.10.100:3306 check maxconn 200
        server mysql_slave [fe80:482:a200::cafe:e8ff:fe65:a]:3306 check backup
3) End-to-End HTTPS keep-alive
Keep-alive consists of sending several HTTP requests successively over the same TCP connection. A complete web architecture usually has several services with specific roles: an authentication service, one for dynamic content, another for static resources, and so on.
HAProxy must therefore inspect each request to decide which service it goes to. Previously, end-to-end keep-alive allowed only the first request of a connection to be inspected, so administrators spent hours wondering why a given request had not been routed to the right place.
This is why the option *http-server-close*, which keeps keep-alive on the client side only, exists and is often used. This problem is now solved.
Beyond the network overhead, server-side keep-alive matters because some web servers do not use chunked transfer encoding when keep-alive is disabled (this case is handled by the option *http-pretend-keepalive*).
4) HAProxy Terminology
When talking about load balancing and proxying, it is essential to first understand some key terms and models, so we will go through the commonly used ones to make the journey easier. Before moving on to the basic types of load balancing, we will first look at ACLs, backends and frontends.
5) ACL (Access Control List)
In load balancing, ACLs are primarily used to test some condition and perform an action (such as selecting a server or blocking a request) based on the result. ACLs also allow flexible forwarding of network traffic based on various factors, such as pattern matching and the number of connections to a backend.
ACL Example:
acl url_blog path_beg /blog
If the path of a user’s request starts with /blog, this ACL matches. It would also match a request for http://domain.com/blog/blog-post-1.
A direct consequence of the improved capture capabilities is that ACLs can now be created on any captured data, including raw payload bytes:
    # Matches when the first 6 bytes of the request payload are "Hello\n" (hex 48656c6c6f0a)
    acl hello payload(0,6) -m bin 48656c6c6f0a
Variables (sample fetches) can also be used, for example to redirect to the www host:
    # The Location must be an absolute URL, hence the scheme in front of the host
    http-request redirect code 301 location http://www.%[hdr(host)]%[req.uri] unless { hdr_beg(host) -i www }
For more information on ACLs, see the HAProxy Configuration Manual – http://cbonte.github.io/haproxy-dconv/index.html
6) Backend
A backend is a set of servers that receives forwarded requests. It is defined in its own section of the configuration, normally called the backend section. Basically it is defined by:
- Which load balancing algorithm to use
- List of server and ports
It can contain one or more servers, and more can be added to increase the capacity across which the load is distributed. This also improves reliability in case some of the servers suddenly become unavailable.
To illustrate, here are two backend configurations. Each contains two servers, both listening on port 80:
    backend web-backend
        balance roundrobin
        server server_name1 server_name1.domain.com:80 check
        server server_name2 server_name2.domain.com:80 check

    backend blog-backend
        balance roundrobin
        mode http
        # Server names must be unique within a backend
        server db1 db1.domain.com:80 check
        server db2 db2.yourdomain.com:80 check
The check option states that health checks should be performed on the backend servers.
mode http states that layer 7 load balancing will be used. Load balancing types are covered in more detail in the next part of this article…
7) Frontend
A frontend describes how requests should be forwarded to backends. It is defined by:
- A set of IP and a Port
- Access Control Lists
- use_backend rules (which backend to use)
It can also be defined for various types of network traffic, which we will see in the next part…
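To see how the pieces above fit together, here is a complete haproxy.cfg that combines TLS termination, end-to-end keep-alive, path-based ACLs, a use_backend rule and two backends with health checks. This is an added example, not configuration from the original article; the host names, addresses, certificate paths and the /admin and /health paths are assumed placeholders.

```haproxy
# Added example (not from the original article); names and paths are assumed
global
    log /dev/log local0
    # HAProxy binds :443 as root, then drops to an unprivileged user
    user haproxy
    group haproxy
    daemon
    # Refuse TLS versions below 1.2 on every ssl bind
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    # Full keep-alive: every request on a connection is inspected and routed
    option http-keep-alive
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in
    # TLS terminated here; site.pem holds certificate and private key
    bind :443 ssl crt /etc/haproxy/site.pem
    # Plain HTTP is only accepted to send visitors to HTTPS
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }
    # ACLs tested against the request path
    acl url_blog  path_beg /blog
    acl url_admin path_beg /admin
    # Only the management network may reach /admin; everyone else gets 403
    http-request deny if url_admin !{ src 10.0.0.0/8 }
    use_backend blog-backend if url_blog
    default_backend web-backend

backend web-backend
    balance roundrobin
    # Layer 7 health check: a server is up only when GET /health succeeds
    option httpchk GET /health
    server server_name1 server_name1.domain.com:80 check
    server server_name2 server_name2.domain.com:80 check

backend blog-backend
    balance roundrobin
    # Re-encrypt to the servers and verify their certificates against our CA
    server blog1 blog1.domain.com:443 ssl verify required ca-file /etc/haproxy/ca.crt check
    server blog2 blog2.domain.com:443 ssl verify required ca-file /etc/haproxy/ca.crt check backup
```

Before reloading, validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg`; HAProxy reports syntax errors and unknown keywords without starting, which catches mistakes such as duplicate server names or a `verify` without an argument.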
Reference: https://github.com/joyeecheung/my-tech-diary/blob/master/2015/09/2015-09-09.md