Haproxy tutorial pdf


  • HAProxy – sysadmin’s swiss army knife
  • Benchmarking 5 Popular Load Balancers: Nginx, HAProxy, Envoy, Traefik, and ALB
  • 8 Top Open Source Reverse Proxy Servers for Linux
  • How to Setup HAProxy as Load Balancer for Nginx on CentOS 8
  • How to Install and Configure HAProxy on Rocky Linux 8

    Quick reminder about HTTP

    When HAProxy is running in HTTP mode, both the request and the response are fully analyzed and indexed, thus it becomes possible to build matching criteria on almost anything found in the contents. It will then become easier to write correct rules and to debug existing configurations.

    HTTP is a transactional protocol: each request leads to one and only one response. Traditionally, a TCP connection is established from the client to the server, a request is sent by the client through the connection, the server responds, and the connection is closed. Since the connection is closed by the server after the response, the client does not need to know the content length. Due to the transactional nature of the protocol, it was possible to improve it to avoid closing a connection between two subsequent transactions.

    In this keep-alive mode, however, it is mandatory that the server indicates the content length for each response so that the client does not wait indefinitely. For this, a special header is used: "Content-length". Its advantages are a reduced latency between transactions, and less processing power required on the server side. It is generally better than the close mode, but not always, because clients often limit their concurrent connections to a smaller value.

    Another improvement in the communications is the pipelining mode. It still uses keep-alive, but the client does not wait for the first response to send the second request. This can obviously have a tremendous benefit on performance because the network latency is eliminated between subsequent requests.

    For this reason, the server must reply in exactly the same order as the requests were received. In the multiplexed mode (HTTP/2), each transaction is assigned a single stream identifier, and all streams are multiplexed over an existing connection.

    Many requests can be sent in parallel by the client, and responses can arrive in any order since they also carry the stream identifier. By default HAProxy operates in keep-alive mode with regards to persistent connections: for each connection it processes each request and response, and leaves the connection idle on both sides between the end of a response and the start of a new request.

    HAProxy supports 4 connection modes; the two described here are:
      - keep alive: all requests and responses are processed (default)
      - tunnel: only the first request and response are processed, everything else is forwarded with no analysis (deprecated)

    The Request line

    Line 1 is the "request line". The method itself cannot contain any colon ':' and is limited to alphabetic letters.

    All those various combinations make it desirable that HAProxy performs the splitting itself rather than leaving it to the user to write a complex or inaccurate regular expression. This is generally what is received by servers, reverse proxies and transparent proxies. It is used to inquire about a next hop's capabilities. In a relative URI, two sub-parts are identified. The part before the question mark is called the "path". It is typically the relative path to static objects on the server.

    The part after the question mark is called the "query string". It is mostly used with GET requests sent to dynamic scripts and is very specific to the language, framework or application in use.

    The request headers

    The headers start at the second line. They are composed of a name at the beginning of the line, immediately followed by a colon ':'.

    Traditionally, an LWS (linear white space) is added after the colon, but that is not required. Then come the values. Multiple identical headers may be folded into one single line, delimiting the values with commas, provided that their order is respected. This is commonly encountered in the "Cookie:" field. A header may span over multiple lines if the subsequent lines begin with an LWS.

    In the example in 1. Contrary to a common misconception, header names are not case-sensitive, and their values are not either if they refer to other header names such as the "Connection:" header. The end of the headers is indicated by the first empty line. People often say that it's a double line feed, which is not exact, even if a double line feed is one valid form of empty line. Fortunately, HAProxy takes care of all these complex combinations when indexing headers, checking values and counting them, so there is no reason to worry about the way they could be written, but it is important not to accuse an application of being buggy if it does unusual, valid things.

    This is necessary for proper analysis and helps less capable HTTP parsers to work correctly and not to be fooled by such complex constructs. Both are called HTTP messages. These messages are special in that they don't convey any part of the response; they're just used as a sort of signaling message, for instance to ask a client to continue to post its request. In the case of such a status response, the requested information will be carried by the next non-informational response message following the informational one.

    HAProxy handles these messages and is able to correctly forward and skip them, and only process the next non-informational response. As such, these messages are neither logged nor transformed, unless explicitly stated otherwise. Status messages indicating that the protocol is changing over the same connection mean that haproxy must switch to tunnel mode, just as if a CONNECT had occurred. The Upgrade header then contains additional information about the type of protocol the connection is switching to.

    The response line

    Line 1 is the "response line". The "reason" field is just a hint, but is not parsed by clients. Anything can be found there, but it's a common practice to respect the well-established messages.

    The response headers

    Response headers work exactly like request headers, and as such, HAProxy uses the same parsing function for both. Please refer to paragraph 1.
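    The practical consequence of the indexing described above is that rules can be written against the parsed method, path, query string and headers instead of against a hand-written regular expression over the raw request. The following frontend is an added example, not a configuration taken from the HAProxy manual or from any article on this page; the backend names (static_files, app_servers), the hostname and the server addresses are assumptions chosen for illustration.

```haproxy
# Added example: a frontend that relies on HAProxy's own HTTP indexing
# rather than on regular expressions. Backend names, the hostname and the
# server addresses below are assumptions chosen for this example.
frontend http_in
    bind *:80
    mode http
    option http-keep-alive          # the default connection mode: keep-alive

    # Request line: the method and the two parts of a relative URI
    acl is_safe_method  method GET HEAD
    acl is_static       path_beg /static/ /images/
    acl has_debug_param url_param(debug) -m found

    # Headers: HAProxy matches header names case-insensitively, so "host",
    # "Host" and "HOST" are all found by hdr(host); -i makes the value
    # comparison case-insensitive too
    acl host_is_site    hdr(host) -i www.example.com

    # Only read-only methods are accepted on this listener
    http-request deny deny_status 405 unless is_safe_method
    # A debug switch in the query string must never reach production backends
    http-request deny if has_debug_param
    # Responses are parsed with the same function: strip a header on the way out
    http-response del-header Server

    use_backend static_files if is_static host_is_site
    default_backend app_servers

backend static_files
    mode http
    server s1 192.0.2.10:8080 check

backend app_servers
    mode http
    server a1 192.0.2.20:8080 check
    server a2 192.0.2.21:8080 check
```

    Because HAProxy has already split the request line and indexed the headers, each ACL reads one well-defined field; folded, multi-line or oddly-capitalised headers are normalised before the ACLs see them, which is exactly the class of construct that trips up hand-written regular expressions. The file can be checked without starting the proxy with haproxy -c -f <file>.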

    Benchmarking 5 Popular Load Balancers: Nginx, HAProxy, Envoy, Traefik, and ALB

    Benchmarking, especially micro-benchmarking, is not a full performance indicator of every configuration and workload. To understand the performance profiles of these applications, we need to put them under load.

    We will use a simple load generator, Hey, to generate some sample traffic for these applications to access a simple backend service. To give us an idea of performance, we will test for three metrics on each load balancer: request rate, request duration, and error rate. Together, these are known as the RED metrics and are a good way of getting a baseline for health on any service. Additionally, we will be performing this test across two categories. To gather sufficient data for each point, we will issue 1,, requests for each test.

    This is an arbitrary number with the intent of helping ensure that there are enough requests to run to get meaningful data at higher concurrency levels. This in and of itself will affect the performance of our system, but gives us valuable forensic data and would normally be turned on in a production environment. This is not an exhaustive list of things we can test. Some, but not all, of these load balancers will perform L4, or TCP, load balancing, which is a simple pass-through of traffic and can be much faster.

    L4 load balancing prevents us from doing TLS termination, so we are skipping it for this test. Finally, as a basis of comparison, we will include one cloud-based load balancer: Amazon ALB. Cloud load balancers typically scale to provide consistent performance under load. With our other load balancers restricted to their out-of-the-box configuration, this might not seem fair, but we are evaluating these load balancers on features as well as performance, so ALB is included as a comparison point.

    Finally, we need consistent hardware to run our software on, to provide a similar environment across all of our tests.

    With the exception of our cloud load balancer, we will run these benchmarks on a single t2.

    Our Load Balancers

    We are testing five different load balancers, chosen in part for their current and historical popularity, feature set, and use in real-world environments.

    There are many other load balancers, so remember to evaluate the features you need and analyze performance based on your environment. As of August , it serves

    HAProxy — open-source load balancer

    HAProxy is an open-source, microcode-optimized load balancer and claims to feature a , event-driven model. It is used by some of the highest traffic applications on the Internet to power their edge and internal load balancing.

    Additionally, Envoy can be used as a service mesh proxy and an edge load balancer, a feature that other tools lack.

    This enables it to run in a single process but still achieve parallelism using every CPU available to it. Envoy also supports multiple configurations. It supports static configuration, API-based configuration, and service-discovery-based configuration. It is based on the Go Programming Language , which encapsulates concurrency and parallelism features into the runtime to use all available resources on the system.

    Our ALB is configured to accept traffic on port 80 and forward it to our AWS instance on port , where our back-end service is running.

    Results

    During our tests, we collected the total requests per second, the latency distribution, and the number of successful responses. The raw data can be viewed on Google Sheets.

    This is a great deal of data to parse through, so we will look at a few trends across the data.

    Concurrency vs.

    When using percentiles, tail latency is important because it shows the minority of requests that potentially have issues, even when the vast majority of requests are fast. At the 95th and 90th percentile, our response profile starts to change a bit.

    While requests at a concurrency level of 50 are still fast, they increase at the 99th percentile level for concurrency, and dramatically starting at the 95th percentile for concurrency. This could mean several things, but at the core, it appears that load balancers perform worse under high bursts of traffic and take longer to respond to requests, affecting overall performance. This means that concurrency is severely affected by choice of protocol. At the far extremes of concurrency and latency, TLS has a serious performance effect upon our response times.

    From a response time perspective, HAProxy and Envoy both perform more consistently under load than any other option.

    Requests per second performance

    Next, we will look at our requests per second. This measures the throughput of each of these systems under load, giving us a good idea of the performance profile for each of these load balancers as they scale.

    [Chart: Requests per Second over HTTP by Load Balancer and Concurrency Level]

    Surprisingly, Envoy has a far higher throughput than all other load balancers at the concurrency range.

    While Envoy is also higher at other concurrency levels, the magnitude of the difference is especially high at the concurrency level. This may be due to some intelligent load balancing or caching inside of Envoy as part of the defaults. It warrants further investigation to determine if this result is representative of real-world performance outside our limited benchmark.

    Traefik stays more consistent under load than Nginx and HAProxy, but this may be mitigated by more optimized configuration of the other load balancers. This may be a combination of factors: SSL libraries used by the load balancer, ciphers supported by the client and server, and other factors such as key length for some algorithms.

    This, however, is only one view of the picture. Loggly is a great way to plot trend graphs of performance logs. During this process, our load balancers were forwarding their request logs to Loggly via syslog. After the load tests, we generated a chart using the Loggly charting feature to see the HAProxy view of the time it took to hit our backend server during the course of the event.

    [Chart: HAProxy Backend average response times via Loggly]

    Loggly gives you the power to choose from several statistics like average or percentile. Here, you can see the round trip times from our load balancer to our backend. We are plotting an average of the HAProxy Tr field, which shows the average time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.

    This graph shows the load test running at the concurrency level with HAProxy, followed by a break, then the concurrency level. We can see that the backend response time starts off low and increases as we increase the concurrency level.

    At its peak, we see the average backend response time at 3. This makes sense because we are loading the backend more heavily so it should take longer to respond.

    This can give operators important information about what needs to be scaled in a stack. When your service exceeds an acceptable threshold, you can alert your team to investigate and take action.

    Conclusion

    Envoy came out as the overall winner in this benchmark. It had the highest throughput in terms of requests per second. Different configurations can optimize each of these load balancers, and different workloads can have different results. Always benchmark using your tooling for different optimizations. Also, each load balancer supports a different feature set that may be more important to your needs than latency or throughput, such as ease of dynamic configuration changes.

    All other trademarks are the property of their respective owners. Gerred Dillon.

    8 Top Open Source Reverse Proxy Servers for Linux

    Backend — this section describes a set of servers to which the proxy will connect to forward incoming connections.

    To understand the options under global settings and defaults, read the HAProxy documentation link provided at the end of the article. For this guide, we will use the defaults. Once deployed, HAProxy will play a significant role in your IT infrastructure, so configuring logging for it is a basic requirement; this allows you to get insights about each connection to your backend web servers.

    The log parameter in the global section declares a global Syslog server, such as rsyslog (the default in CentOS), that will receive log messages. More than one server can be declared here. The default configuration points to the localhost. Next, you need to tell the rsyslog server how to receive and process HAProxy log messages. Save the file and close it. Then restart the rsyslog service to apply the recent changes. In this section, we will demonstrate how to configure the front-end and back-end proxies.

    How to Setup HAProxy as Load Balancer for Nginx on CentOS 8

    Go back to the HAProxy configuration file and modify the default front-end and backend sections as follows. We will not go into a detailed explanation of each parameter; you can always refer to the official documentation. The following configuration defines a listen section used to serve up the HAProxy Stats page. The stats auth setting is used to add basic authentication when accessing the page; replace haproxy and the placeholder password with a username and password of your choice.

    How to Install and Configure HAProxy on Rocky Linux 8

    The next configuration defines a frontend section called TL (you can give it any name you like). The mode parameter defines the mode HAProxy operates in. The acl (Access Control List) parameter is used to make a decision based on content extracted from the request. Then the http-request set-header setting is used to add an HTTP header to the request.

    Then we need to define a backend section where the balance setting defines how HAProxy selects the back-end servers to process a request if no persistence method overrides that selection. One key option is check which tells HAProxy to keep checking on the availability of a server and report on the stats page.

    Now restart the HAProxy service to apply the new changes.
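    Putting the logging, stats, frontend and backend steps above into a single file gives the following haproxy.cfg. It is an added example, not the configuration file from the article: the server addresses (192.0.2.x), the section names (web_front, web_back, api_back), the stats port and the stats credentials are assumptions chosen for illustration and should be replaced with your own.

```haproxy
# Added example, not the article's own file: a complete /etc/haproxy/haproxy.cfg
# covering logging to rsyslog, the stats page, a frontend with an ACL and a
# header rewrite, and a health-checked backend. Addresses, names, port and
# credentials are assumptions for this example.
global
    log 127.0.0.1 local2            # send logs to the local syslog server, facility local2
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    log global                      # every proxy inherits the global log target
    option httplog                  # full HTTP log line, including the Tq/Tw/Tc/Tr timers
    option dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Statistics page, protected with basic authentication
listen stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:ReplaceThisPassword   # placeholder credentials, change before use
    stats admin if LOCALHOST        # admin actions only from the local host

frontend web_front
    bind *:80
    mode http
    # decision based on content extracted from the request
    acl is_api path_beg /api/
    # tell the backend which scheme the client used
    http-request set-header X-Forwarded-Proto http
    use_backend api_back if is_api
    default_backend web_back

backend web_back
    balance roundrobin              # how servers are selected when no persistence applies
    server web1 192.0.2.11:80 check # "check" keeps probing the server and reports on the stats page
    server web2 192.0.2.12:80 check

backend api_back
    balance roundrobin
    server api1 192.0.2.21:8080 check
```

    On the rsyslog side, the local2 facility has to be accepted and routed to a file; on CentOS that is typically a drop-in under /etc/rsyslog.d/ that loads the imudp module (the $ModLoad imudp and $UDPServerRun 514 directives) and contains the rule local2.* /var/log/haproxy.log. Validate the HAProxy file with haproxy -c -f /etc/haproxy/haproxy.cfg before restarting both services, and keep the stats listener reachable only from administrative networks, since it exposes backend names, addresses and health state.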
