blob: 19b4b1e03eb5130c872246f70d1ea1161846f256 [file] [log] [blame]
Willy Tarreaud8e42b62015-08-18 21:51:36 +02001 -----------------------
2 HAProxy Starter Guide
3 -----------------------
4 version 1.6
5
6
7This document is an introduction to HAProxy for all those who don't know it, as
8well as for those who want to re-discover it when they know older versions. Its
9primary focus is to provide users with all the elements to decide if HAProxy is
10the product they're looking for or not. Advanced users may find here some parts
11of solutions to some ideas they had just because they were not aware of a given
12new feature. Some sizing information are also provided, the product's lifecycle
13is explained, and comparisons with partially overlapping products are provided.
14
15This document doesn't provide any configuration help nor hint, but it explains
16where to find the relevant documents. The summary below is meant to help you
17search sections by name and navigate through the document.
18
19Note to documentation contributors :
20 This document is formatted with 80 columns per line, with even number of
21 spaces for indentation and without tabs. Please follow these rules strictly
22 so that it remains easily printable everywhere. If you add sections, please
23 update the summary below for easier searching.
24
25
26Summary
27-------
28
291. Available documentation
30
312. Quick introduction to load balancing and load balancers
32
333. Introduction to HAProxy
343.1. What HAProxy is and is not
353.2. How HAProxy works
363.3. Basic features
373.3.1. Proxying
383.3.2. SSL
393.3.3. Monitoring
403.3.4. High availability
413.3.5. Load balancing
423.3.6. Stickiness
433.3.7. Sampling and converting information
443.3.8. Maps
453.3.9. ACLs and conditions
463.3.10. Content switching
473.3.11. Stick-tables
483.3.12. Formated strings
493.3.13. HTTP rewriting and redirection
503.3.14. Server protection
513.3.15. Logging
523.3.16. Statistics
533.4. Advanced features
543.4.1. Management
553.4.2. System-specific capabilities
563.4.3. Scripting
573.5. Sizing
583.6. How to get HAProxy
59
604. Companion products and alternatives
614.1. Apache HTTP server
624.2. NGINX
634.3. Varnish
644.4. Alternatives
65
66
671. Available documentation
68--------------------------
69
70The complete HAProxy documentation is contained in the following documents.
71Please ensure to consult the relevant documentation to save time and to get the
72most accurate response to your needs. Also please refrain from sending questions
73to the mailing list whose responses are present in these documents.
74
75 - intro.txt (this document) : it presents the basics of load balancing,
76 HAProxy as a product, what it does, what it doesn't do, some known traps to
77 avoid, some OS-specific limitations, how to get it, how it evolves, how to
78 ensure you're running with all known fixes how to update it, complements and
79 alternatives.
80
Willy Tarreaud8e42b62015-08-18 21:51:36 +020081 - configuration.txt : the reference manual details all configuration keywords
82 and their options. It is used when a configuration change is needed.
83
84 - architecture.txt : the architecture manual explains how to best architect a
85 load-balanced infrastructure and how to interact with third party products.
86
87 - coding-style.txt : this is for developers who want to propose some code to
88 the project. It explains the style to adopt for the code. It's not very
89 strict and not all the code base completely respects it but contributions
90 which diverge too much from it will be rejected.
91
92 - proxy-protocol.txt : this is the de-facto specification of the PROXY
93 protocol which is implemented by HAProxy and a number of third party
94 products.
95
96 - README : how to build haproxy from sources
97
98
992. Quick introduction to load balancing and load balancers
100----------------------------------------------------------
101
102Load balancing consists in aggregating multiple components in order to achieve
103a total processing capacity above each component's individual capacity, without
104any intervention from the end user and in a scalable way. This results in more
Willy Tarreaueff04f42015-08-27 14:44:43 +0200105operations being performed simultaneously by the time it takes a component to
Willy Tarreaud8e42b62015-08-18 21:51:36 +0200106perform only one. A single operation however will still be performed on a single
107component at a time and will not get faster than without load balancing. It
108always requires at least as many operations as available components and an
109efficient load balancing mechanism to make use of all components and to fully
110benefit from the load balancing. A good example of this is the number of lanes
111on a highway which allows as many cars to pass during the same time frame
112without increasing their individual speed.
113
114Examples of load balancing :
115
116 - Process scheduling in multi-processor systems
117 - Link load balancing (eg: EtherChannel, Bonding)
118 - IP address load balancing (eg: ECMP, DNS roundrobin)
119 - Server load balancing (via load balancers)
120
121The mechanism or component which performs the load balancing operation is
122called a load balancer. In web environments these components are called a
123"network load balancer", and more commonly a "load balancer" given that this
124activity is by far the best known case of load balancing.
125
126A load balancer may act :
127
128 - at the link level : this is called link load balancing, and it consists in
129 chosing what network link to send a packet to;
130
131 - at the network level : this is called network load balancing, and it
132 consists in chosing what route a series of packets will follow;
133
134 - at the server level : this is called server load balancing and it consists
135 in deciding what server will process a connection or request.
136
137Two distinct technologies exist and address different needs, though with some
Willy Tarreaueff04f42015-08-27 14:44:43 +0200138overlapping. In each case it is important to keep in mind that load balancing
139consists in diverting the traffic from its natural flow and that doing so always
140requires a minimum of care to maintain the required level of consistency between
141all routing decisions.
Willy Tarreaud8e42b62015-08-18 21:51:36 +0200142
143The first one acts at the packet level and processes packets more or less
144individually. There is a 1-to-1 relation between input and output packets, so
145it is possible to follow the traffic on both sides of the load balancer using a
146regular network sniffer. This technology can be very cheap and extremely fast.
147It is usually implemented in hardware (ASICs) allowing to reach line rate, such
148as switches doing ECMP. Usually stateless, it can also be stateful (consider
149the session a packet belongs to and called layer4-LB or L4), may support DSR
150(direct server return, without passing through the LB again) if the packets
151were not modified, but provides almost no content awareness. This technology is
152very well suited to network-level load balancing, though it is sometimes used
153for very basic server load balancing at high speed.
154
155The second one acts on session contents. It requires that the input streams is
156reassembled and processed as a whole. The contents may be modified, and the
157output stream is segmented into new packets. For this reason it is generally
158performed by proxies and they're often called layer 7 load balancers or L7.
159This implies that there are two distinct connections on each side, and that
160there is no relation between input and output packets sizes nor counts. Clients
161and servers are not required to use the same protocol (for example IPv4 vs
162IPv6, clear vs SSL). The operations are always stateful, and the return traffic
163must pass through the load balancer. The extra processing comes with a cost so
164it's not always possible to achieve line rate, especially with small packets.
165On the other hand, it offers wide possibilities and is generally achieved by
166pure software, even if embedded into hardware appliances. This technology is
167very well suited for server load balancing.
168
169Packet-based load balancers are generally deployed in cut-through mode, so they
170are installed on the normal path of the traffic and divert it according to the
171configuration. The return traffic doesn't necessarily pass through the load
172balancer. Some modifications may be applied to the network destination address
173in order to direct the traffic to the proper destination. In this case, it is
174mandatory that the return traffic passes through the load balancer. If the
175routes doesn't make this possible, the load balancer may also replace the
176packets' source address with its own in order to force the return traffic to
177pass through it.
178
179Proxy-based load balancers are deployed as a server with their own IP address
180and ports, without architecture changes. Sometimes this requires to perform some
181adaptations to the applications so that clients are properly directed to the
182load balancer's IP address and not directly to the server's. Some load balancers
183may have to adjust some servers' responses to make this possible (eg: the HTTP
184Location header field used in HTTP redirects). Some proxy-based load balancers
185may intercept traffic for an address they don't own, and spoof the client's
186address when connecting to the server. This allows them to be deployed as if
187they were a regular router or firewall, in a cut-through mode very similar to
188the packet based load balancers. This is particularly appreciated for products
189which combine both packet mode and proxy mode. In this case DSR is obviously
190still not possible and the return traffic still has to be routed back to the
191load balancer.
192
193A very scalable layered approach would consist in having a front router which
194receives traffic from multiple load balanced links, and uses ECMP to distribute
195this traffic to a first layer of multiple stateful packet-based load balancers
196(L4). These L4 load balancers in turn pass the traffic to an even larger number
197of proxy-based load balancers (L7), which have to parse the contents to decide
198what server will ultimately receive the traffic.
199
200The number of components and possible paths for the traffic increases the risk
201of failure; in very large environments, it is even normal to permanently have
202a few faulty components being fixed or replaced. Load balancing done without
203awareness of the whole stack's health significantly degrades availability. For
204this reason, any sane load balancer will verify that the components it intends
205to deliver the traffic to are still alive and reachable, and it will stop
206delivering traffic to faulty ones. This can be achieved using various methods.
207
208The most common one consists in periodically sending probes to ensure the
209component is still operational. These probes are called "health checks". They
210must be representative of the type of failure to address. For example a ping-
211based check will not detect that a web server has crashed and doesn't listen to
212a port anymore, while a connection to the port will verify this, and a more
213advanced request may even validate that the server still works and that the
214database it relies on is still accessible. Health checks often involve a few
215retries to cover for occasional measuring errors. The period between checks
216must be small enough to ensure the faulty component is not used for too long
217after an error occurs.
218
219Other methods consist in sampling the production traffic sent to a destination
220to observe if it is processed correctly or not, and to evince the components
221which return inappropriate responses. However this requires to sacrify a part
222of the production traffic and this is not always acceptable. A combination of
223these two mechanisms provides the best of both worlds, with both of them being
224used to detect a fault, and only health checks to detect the end of the fault.
225A last method involves centralized reporting : a central monitoring agent
226periodically updates all load balancers about all components' state. This gives
227a global view of the infrastructure to all components, though sometimes with
228less accuracy or responsiveness. It's best suited for environments with many
229load balancers and many servers.
230
231Layer 7 load balancers also face another challenge known as stickiness or
232persistence. The principle is that they generally have to direct multiple
233subsequent requests or connections from a same origin (such as an end user) to
234the same target. The best known example is the shopping cart on an online
235store. If each click leads to a new connection, the user must always be sent
236to the server which holds his shopping cart. Content-awareness makes it easier
237to spot some elements in the request to identify the server to deliver it to,
238but that's not always enough. For example if the source address is used as a
239key to pick a server, it can be decided that a hash-based algorithm will be
240used and that a given IP address will always be sent to the same server based
241on a divide of the address by the number of available servers. But if one
242server fails, the result changes and all users are suddenly sent to a different
243server and lose their shopping cart. The solution against this issue consists
244in memorizing the chosen target so that each time the same visitor is seen,
245he's directed to the same server regardless of the number of available servers.
246The information may be stored in the load balancer's memory, in which case it
247may have to be replicated to other load balancers if it's not alone, or it may
248be stored in the client's memory using various methods provided that the client
249is able to present this information back with every request (cookie insertion,
250redirection to a sub-domain, etc). This mechanism provides the extra benefit of
251not having to rely on unstable or unevenly distributed information (such as the
252source IP address). This is in fact the strongest reason to adopt a layer 7
253load balancer instead of a layer 4 one.
254
255In order to extract information such as a cookie, a host header field, a URL
256or whatever, a load balancer may need to decrypt SSL/TLS traffic and even
257possibly to reencrypt it when passing it to the server. This expensive task
258explains why in some high-traffic infrastructures, sometimes there may be a
259lot of load balancers.
260
261Since a layer 7 load balancer may perform a number of complex operations on the
262traffic (decrypt, parse, modify, match cookies, decide what server to send to,
263etc), it can definitely cause some trouble and will very commonly be accused of
264being responsible for a lot of trouble that it only revealed. Often it will be
265discovered that servers are unstable and periodically go up and down, or for
266web servers, that they deliver pages with some hard-coded links forcing the
267clients to connect directly to one specific server without passing via the load
268balancer, or that they take ages to respond under high load causing timeouts.
269That's why logging is an extremely important aspect of layer 7 load balancing.
270Once a trouble is reported, it is important to figure if the load balancer took
271a wrong decision and if so why so that it doesn't happen anymore.
272
273
2743. Introduction to HAProxy
275--------------------------
276
277HAProxy is written "HAProxy" to designate the product, "haproxy" to designate
278the executable program, software package or a process, though both are commonly
279used for both purposes, and is pronounced H-A-Proxy. Very early it used to stand
280for "high availability proxy" and the name was written in two separate words,
281though by now it means nothing else than "HAProxy".
282
283
2843.1. What HAProxy is and is not
285-------------------------------
286
287HAProxy is :
288
289 - a TCP proxy : it can accept a TCP connection from a listening socket,
290 connect to a server and attach these sockets together allowing traffic to
291 flow in both directions;
292
293 - an HTTP reverse-proxy (called a "gateway" in HTTP terminology) : it presents
294 itself as a server, receives HTTP requests over connections accepted on a
295 listening TCP socket, and passes the requests from these connections to
296 servers using different connections.
297
298 - an SSL terminator / initiator / offloader : SSL/TLS may be used on the
299 connection coming from the client, on the connection going to the server,
300 or even on both connections.
301
302 - a TCP normalizer : since connections are locally terminated by the operating
303 system, there is no relation between both sides, so abnormal traffic such as
304 invalid packets, flag combinations, window advertisements, sequence numbers,
305 incomplete connections (SYN floods), or so will not be passed to the other
306 side. This protects fragile TCP stacks from protocol attacks, and also
307 allows to optimize the connection parameters with the client without having
308 to modify the servers' TCP stack settings.
309
310 - an HTTP normalizer : when configured to process HTTP traffic, only valid
311 complete requests are passed. This protects against a lot of protocol-based
312 attacks. Additionally, protocol deviations for which there is a tolerance
313 in the specification are fixed so that they don't cause problem on the
314 servers (eg: multiple-line headers).
315
316 - an HTTP fixing tool : it can modify / fix / add / remove / rewrite the URL
317 or any request or response header. This helps fixing interoperability issues
318 in complex environments.
319
320 - a content-based switch : it can consider any element from the request to
321 decide what server to pass the request or connection to. Thus it is possible
322 to handle multiple protocols over a same port (eg: http, https, ssh).
323
324 - a server load balancer : it can load balance TCP connections and HTTP
325 requests. In TCP mode, load balancing decisions are taken for the whole
326 connection. In HTTP mode, decisions are taken per request.
327
328 - a traffic regulator : it can apply some rate limiting at various points,
329 protect the servers against overloading, adjust traffic priorities based on
330 the contents, and even pass such information to lower layers and outer
331 network components by marking packets.
332
333 - a protection against DDoS and service abuse : it can maintain a wide number
334 of statistics per IP address, URL, cookie, etc and detect when an abuse is
335 happening, then take action (slow down the offenders, block them, send them
336 to outdated contents, etc).
337
338 - an observation point for network troubleshooting : due to the precision of
339 the information reported in logs, it is often used to narrow down some
340 network-related issues.
341
342 - an HTTP compression offloader : it can compress responses which were not
343 compressed by the server, thus reducing the page load time for clients with
344 poor connectivity or using high-latency, mobile networks.
345
346HAProxy is not :
347
348 - an explicit HTTP proxy, ie, the proxy that browsers use to reach the
349 internet. There are excellent open-source software dedicated for this task,
350 such as Squid. However HAProxy can be installed in front of such a proxy to
351 provide load balancing and high availability.
352
353 - a caching proxy : it will return as-is the contents its received from the
354 server and will not interfere with any caching policy. There are excellent
355 open-source software for this task such as Varnish. HAProxy can be installed
356 in front of such a cache to provide SSL offloading, and scalability through
357 smart load balancing.
358
359 - a data scrubber : it will not modify the body of requests nor responses.
360
361 - a web server : during startup, it isolates itself inside a chroot jail and
362 drops its privileges, so that it will not perform any single file-system
363 access once started. As such it cannot be turned into a web server. There
364 are excellent open-source software for this such as Apache or Nginx, and
365 HAProxy can be installed in front of them to provide load balancing and
366 high availability.
367
368 - a packet-based load balancer : it will not see IP packets nor UDP datagrams,
369 will not perform NAT or even less DSR. These are tasks for lower layers.
370 Some kernel-based components such as IPVS (Linux Virtual Server) already do
371 this pretty well and complement perfectly with HAProxy.
372
373
3743.2. How HAProxy works
375----------------------
376
377HAProxy is a single-threaded, event-driven, non-blocking engine combining a very
378fast I/O layer with a priority-based scheduler. As it is designed with a data
379forwarding goal in mind, its architecture is optimized to move data as fast as
380possible with the least possible operations. As such it implements a layered
381model offering bypass mechanisms at each level ensuring data don't reach higher
382levels when not needed. Most of the processing is performed in the kernel, and
383HAProxy does its best to help the kernel do the work as fast as possible by
384giving some hints or by avoiding certain operation when it guesses they could
385be grouped later. As a result, typical figures show 15% of the processing time
386spent in HAProxy versus 85% in the kernel in TCP or HTTP close mode, and about
38730% for HAProxy versus 70% for the kernel in HTTP keep-alive mode.
388
389A single process can run many proxy instances; configurations as large as
390300000 distinct proxies in a single process were reported to run fine. Thus
391there is usually no need to start more than one process for all instances.
392
393It is possible to make HAProxy run over multiple processes, but it comes with
394a few limitations. In general it doesn't make sense in HTTP close or TCP modes
395because the kernel-side doesn't scale very well with some operations such as
396connect(). It scales pretty well for HTTP keep-alive mode but the performance
397that can be achieved out of a single process generaly outperforms common needs
398by an order of magnitude. It does however make sense when used as an SSL
399offloader, and this feature is well supported in multi-process mode.
400
401HAProxy only requires the haproxy executable and a configuration file to run.
402For logging it is highly recommended to have a properly configured syslog daemon
403and log rotations in place. The configuration files are parsed before starting,
404then HAProxy tries to bind all listening sockets, and refuses to start if
405anything fails. Past this point it cannot fail anymore. This means that there
406are no runtime failures and that if it accepts to start, it will work until it
407is stopped.
408
409Once HAProxy is started, it does exactly 3 things :
410
411 - process incoming connections;
412
413 - periodically check the servers' status (known as health checks);
414
415 - exchange information with other haproxy nodes.
416
417Processing incoming connections is by far the most complex task as it depends
418on a lot of configuration possibilities, but it can be summarized as the 9 steps
419below :
420
421 - accept incoming connections from listening sockets that belong to a
422 configuration entity known as a "frontend", which references one or multiple
423 listening addresses;
424
425 - apply the frontend-specific processing rules to these connections that may
426 result in blocking them, modifying some headers, or intercepting them to
427 execute some internal applets such as the statistics page or the CLI;
428
429 - pass these incoming connections to another configuration entity representing
430 a server farm known as a "backend", which contains the list of servers and
431 the load balancing strategy for this server farm;
432
433 - apply the backend-specific processing rules to these connections;
434
435 - decide which server to forward the connection to according to the load
436 balancing strategy;
437
438 - apply the backend-specific processing rules to the response data;
439
440 - apply the frontend-specific processing rules to the response data;
441
442 - emit a log to report what happened in fine details;
443
444 - in HTTP, loop back to the second step to wait for a new request, otherwise
445 close the connection.
446
447Frontends and backends are sometimes considered as half-proxies, since they only
448look at one side of an end-to-end connection; the frontend only cares about the
449clients while the backend only cares about the servers. HAProxy also supports
450full proxies which are exactly the union of a frontend and a backend. When HTTP
451processing is desired, the configuration will generally be split into frontends
452and backends as they open a lot of possibilities since any frontend may pass a
453connection to any backend. With TCP-only proxies, using frontends and backends
454rarely provides a benefit and the configuration can be more readable with full
455proxies.
456
457
4583.3. Basic features
459-------------------
460
461This section will enumerate a number of features that HAProxy implements, some
462of which are generally expected from any modern load balancer, and some of
463which are a direct benefit of HAProxy's architecture. More advanced features
464will be detailed in the next section.
465
466
4673.3.1. Basic features : Proxying
468--------------------------------
469
470Proxying is the action of transferring data between a client and a server over
471two independant connections. The following basic features are supported by
472HAProxy regarding proxying and connection management :
473
474 - Provide the server with a clean connection to protect them against any
475 client-side defect or attack;
476
477 - Listen to multiple IP address and/or ports, even port ranges;
478
479 - Transparent accept : intercept traffic targetting any arbitrary IP address
480 that doesn't even belong to the local system;
481
482 - Server port doesn't need to be related to listening port, and may even be
483 translated by a fixed offset (useful with ranges);
484
485 - Transparent connect : spoof the client's (or any) IP address if needed
486 when connecting to the server;
487
488 - Provide a reliable return IP address to the servers in multi-site LBs;
489
490 - Offload the server thanks to buffers and possibly short-lived connections
491 to reduce their concurrent connection count and their memory footprint;
492
493 - Optimize TCP stacks (eg: SACK), congestion control, and reduce RTT impacts;
494
495 - Support different protocol families on both sides (eg: IPv4/IPv6/Unix);
496
497 - Timeout enforcement : HAProxy supports multiple levels of timeouts depending
498 on the stage the connection is, so that a dead client or server, or an
499 attacker cannot be granted resources for too long;
500
501 - Protocol validation: HTTP, SSL, or payload are inspected and invalid
502 protocol elements are rejected, unless instructed to accept them anyway;
503
504 - Policy enforcement : ensure that only what is allowed may be forwarded;
505
506 - Both incoming and outgoing connections may be limited to certain network
507 namespaces (Linux only), making it easy to build a cross-container,
508 multi-tenant load balancer;
509
510 - PROXY protocol presents the client's IP address to the server even for
511 non-HTTP traffic. This is an HAProxy extension that was adopted by a number
512 of third-party products by now, at least these ones at the time of writing :
513 - client : haproxy, stud, stunnel, exaproxy, ELB, squid
514 - server : haproxy, stud, postfix, exim, nginx, squid, node.js, varnish
515
516
5173.3.2. Basic features : SSL
518---------------------------
519
520HAProxy's SSL stack is recognized as one of the most featureful according to
521Google's engineers (http://istlsfastyet.com/). The most commonly used features
522making it quite complete are :
523
524 - SNI-based multi-hosting with no limit on sites count and focus on
525 performance. At least one deployment is known for running 50000 domains
526 with their respective certificates;
527
528 - support for wildcard certificates reduces the need for many certificates ;
529
530 - certificate-based client authentication with configurable policies on
531 failure to present a valid certificate. This allows to present a different
532 server farm to regenerate the client certificate for example;
533
534 - authentication of the backend server ensures the backend server is the real
535 one and not a man in the middle;
536
537 - authentication with the backend server lets the backend server it's really
538 the expected haproxy node that is connecting to it;
539
540 - TLS NPN and ALPN extensions make it possible to reliably offload SPDY/HTTP2
541 connections and pass them in clear text to backend servers;
542
543 - OCSP stapling further reduces first page load time by delivering inline an
544 OCSP response when the client requests a Certificate Status Request;
545
546 - Dynamic record sizing provides both high performance and low latency, and
547 significantly reduces page load time by letting the browser start to fetch
548 new objects while packets are still in flight;
549
550 - permanent access to all relevant SSL/TLS layer information for logging,
551 access control, reporting etc... These elements can be embedded into HTTP
552 header or even as a PROXY protocol extension so that the offloaded server
553 gets all the information it would have had if it performed the SSL
554 termination itself.
555
556 - Detect, log and block certain known attacks even on vulnerable SSL libs,
557 such as the Heartbleed attack affecting certain versions of OpenSSL.
558
Pavlos Parissisba56d9c2015-08-24 13:14:32 +0200559 - support for stateless session resumption (RFC 5077 TLS Ticket extension).
560 TLS tickets can be updated from CLI which provides them means to implement
561 Perfect Forward Secrecy by frequently rotating the tickets.
562
Willy Tarreaud8e42b62015-08-18 21:51:36 +0200563
5643.3.3. Basic features : Monitoring
565----------------------------------
566
567HAProxy focuses a lot on availability. As such it cares about servers state,
568and about reporting its own state to other network components :
569
570 - Servers state is continuously monitored using per-server parameters. This
571 ensures the path to the server is operational for regular traffic;
572
573 - Health checks support two hysteresis for up and down transitions in order
574 to protect against state flapping;
575
576 - Checks can be sent to a different address/port/protocol : this makes it
577 easy to check a single service that is considered representative of multiple
578 ones, for example the HTTPS port for an HTTP+HTTPS server.
579
580 - Servers can track other servers and go down simultaneously : this ensures
581 that servers hosting multiple services can fail atomically and that noone
582 will be sent to a partially failed server;
583
584 - Agents may be deployed on the server to monitor load and health : a server
585 may be interested in reporting its load, operational status, administrative
586 status independantly from what health checks can see. By running a simple
587 agent on the server, it's possible to consider the server's view of its own
588 health in addition to the health checks validating the whole path;
589
590 - Various check methods are available : TCP connect, HTTP request, SMTP hello,
591 SSL hello, LDAP, SQL, Redis, send/expect scripts, all with/without SSL;
592
593 - State change is notified in the logs and stats page with the failure reason
Willy Tarreaueff04f42015-08-27 14:44:43 +0200594 (eg: the HTTP response received at the moment the failure was detected). An
595 e-mail can also be sent to a configurable address upon such a change ;
Willy Tarreaud8e42b62015-08-18 21:51:36 +0200596
597 - Server state is also reported on the stats interface and can be used to take
598 routing decisions so that traffic may be sent to different farms depending
599 on their sizes and/or health (eg: loss of an inter-DC link);
600
601 - HAProxy can use health check requests to pass information to the servers,
602 such as their names, weight, the number of other servers in the farm etc...
603 so that servers can adjust their response and decisions based on this
604 knowledge (eg: postpone backups to keep more CPU available);
605
606 - Servers can use health checks to report more detailed state than just on/off
607 (eg: I would like to stop, please stop sending new visitors);
608
609 - HAProxy itself can report its state to external components such as routers
610 or other load balancers, allowing to build very complete multi-path and
611 multi-layer infrastructures.
612
613
6143.3.4. Basic features : High availability
615-----------------------------------------
616
617Just like any serious load balancer, HAProxy cares a lot about availability to
618ensure the best global service continuity :
619
620 - Only valid servers are used ; the other ones are automatically evinced from
621 load balancing farms ; under certain conditions it is still possible to
622 force to use them though;
623
624 - Support for a graceful shutdown so that it is possible to take servers out
625 of a farm without affecting any connection;
626
627 - Backup servers are automatically used when active servers are down and
628 replace them so that sessions are not lost when possible. This also allows
629 to build multiple paths to reach the same server (eg: multiple interfaces);
630
631 - Ability to return a global failed status for a farm when too many servers
632 are down. This, combined with the monitoring capabilities makes it possible
633 for an upstream component to choose a different LB node for a given service;
634
635 - Stateless design makes it easy to build clusters : by design, HAProxy does
636 its best to ensure the highest service continuity without having to store
637 information that could be lost in the event of a failure. This ensures that
638 a takeover is the most seamless possible;
639
640 - Integrates well with standard VRRP daemon keepalived : HAProxy easily tells
641 keepalived about its state and copes very will with floating virtual IP
642 addresses. Note: only use IP redundancy protocols (VRRP/CARP) over cluster-
643 based solutions (Heartbeat, ...) as they're the ones offering the fastest,
644 most seamless, and most reliable switchover.
645
646
6473.3.5. Basic features : Load balancing
648--------------------------------------
649
650HAProxy offers a fairly complete set of load balancing features, most of which
651are unfortunately not available in a number of other load balancing products :
652
653 - no less than 9 load balancing algorithms are supported, some of which apply
654 to input data to offer an infinite list of possibilities. The most common
655 ones are round-robin (for short connections, pick each server in turn),
656 leastconn (for long connections, pick the least recently used of the servers
657 with the lowest connection count), source (for SSL farms or terminal server
658 farms, the server directly depends on the client's source address), uri (for
659 HTTP caches, the server directly depends on the HTTP URI), hdr (the server
660 directly depends on the contents of a specific HTTP header field), first
661 (for short-lived virtual machines, all connections are packed on the
662 smallest possible subset of servers so that unused ones can be powered
663 down);
664
665 - all algorithms above support per-server weights so that it is possible to
666 accommodate from different server generations in a farm, or direct a small
667 fraction of the traffic to specific servers (debug mode, running the next
668 version of the software, etc);
669
670 - dynamic weights are supported for round-robin, leastconn and consistent
671 hashing ; this allows server weights to be modified on the fly from the CLI
672 or even by an agent running on the server;
673
674 - slow-start is supported whenever a dynamic weight is supported; this allows
675 a server to progressively take the traffic. This is an important feature
676 for fragile application servers which require to compile classes at runtime
677 as well as cold caches which need to fill up before being run at full
678 throttle;
679
680 - hashing can apply to various elements such as client's source address, URL
681 components, query string element, header field values, POST parameter, RDP
682 cookie;
683
684 - consistent hashing protects server farms against massive redistribution when
685 adding or removing servers in a farm. That's very important in large cache
686 farms and it allows slow-start to be used to refill cold caches;
687
688 - a number of internal metrics such as the number of connections per server,
689 per backend, the amount of available connection slots in a backend etc makes
690 it possible to build very advanced load balancing strategies.
691
692
6933.3.6. Basic features : Stickiness
694----------------------------------
695
696Application load balancing would be useless without stickiness. HAProxy provides
697a fairly comprehensive set of possibilities to maintain a visitor on the same
698server even across various events such as server addition/removal, down/up
699cycles, and some methods are designed to be resistant to the distance between
700multiple load balancing nodes in that they don't require any replication :
701
702 - stickiness information can be individually matched and learned from
703 different places if desired. For example a JSESSIONID cookie may be matched
704 both in a cookie and in the URL. Up to 8 parallel sources can be learned at
705 the same time and each of them may point to a different stick-table;
706
707 - stickiness information can come from anything that can be seen within a
708 request or response, including source address, TCP payload offset and
709 length, HTTTP query string elements, header field values, cookies, and so
710 on...
711
712 - stick-tables are replicated between all nodes in a multi-master fashion ;
713
714 - commonly used elements such as SSL-ID or RDP cookies (for TSE farms) are
715 directly accessible to ease manipulation;
716
717 - all sticking rules may be dynamically conditionned by ACLs;
718
719 - it is possible to decide not to stick to certain servers, such as backup
720 servers, so that when the nominal server comes back, it automatically takes
721 the load back. This is often used in multi-path environments;
722
723 - in HTTP it is often prefered not to learn anything and instead manipulate
724 a cookie dedicated to stickiness. For this, it's possible to detect,
725 rewrite, insert or prefix such a cookie to let the client remember what
726 server was assigned;
727
728 - the server may decide to change or clean the stickiness cookie on logout,
729 so that leaving visitors are automatically unbound from the server;
730
731 - using ACL-based rules it is also possible to selectively ignore or enforce
732 stickiness regardless of the server's state; combined with advanced health
733 checks, that helps admins verify that the server they're installing is up
734 and running before presenting it to the whole world;
735
736 - an innovative mechanism to set a maximum idle time and duration on cookies
737 ensures that stickiness can be smoothly stopped on devices which are never
738 closed (smartphones, TVs, home appliances) without having to store them on
739 persistent storage;
740
741 - multiple server entries may share the same stickiness keys so that
742 stickiness is not lost in multi-path environments when one path goes down;
743
744 - soft-stop ensures that only users with stickiness information will continue
745 to reach the server they've been assigned to but no new users will go there.
746
747
7483.3.7. Basic features : Sampling and converting information
749-----------------------------------------------------------
750
751HAProxy supports information sampling using a wide set of "sample fetch
752functions". The principle is to extract pieces of information known as samples,
753for immediate use. This is used for stickiness, to build conditions, to produce
754information in logs or to enrich HTTP headers.
755
756Samples can be fetched from various sources :
757
758 - constants : integers, strings, IP addresses, binary blocks;
759
760 - the process : date, environment variables, server/frontend/backend/process
761 state, byte/connection counts/rates, queue length, random generator, ...
762
763 - variables : per-session, per-request, per-response variables;
764
765 - the client connection : source and destination addresses and ports, and all
766 related statistics counters;
767
768 - the SSL client session : protocol, version, algorithm, cipher, key size,
769 session ID, all client and server certificate fields, certificate serial,
770 SNI, ALPN, NPN, client support for certain extensions;
771
772 - request and response buffers contents : arbitrary payload at offset/length,
773 data length, RDP cookie, decoding of SSL hello type, decoding of TLS SNI;
774
775 - HTTP (request and response) : method, URI, path, query string arguments,
776 status code, headers values, positionnal header value, cookies, captures,
777 authentication, body elements;
778
779A sample may then pass through a number of operators known as "converters" to
780experience some transformation. A converter consumes a sample and produces a
781new one, possibly of a completely different type. For example, a converter may
782be used to return only the integer length of the input string, or could turn a
783string to upper case. Any arbitrary number of converters may be applied in
784series to a sample before final use. Among all available sample converters, the
785following ones are the most commonly used :
786
787 - arithmetic and logic operators : they make it possible to perform advanced
788 computation on input data, such as computing ratios, percentages or simply
789 converting from one unit to another one;
790
791 - IP address masks are useful when some addresses need to be grouped by larger
792 networks;
793
794 - data representation : url-decode, base64, hex, JSON strings, hashing;
795
796 - string conversion : extract substrings at fixed positions, fixed length,
797 extract specific fields around certain delimiters, extract certain words,
798 change case, apply regex-based substitution ;
799
800 - date conversion : convert to http date format, convert local to UTC and
801 conversely, add or remove offset;
802
803 - lookup an entry in a stick table to find statistics or assigned server;
804
805 - map-based key-to-value conversion from a file (mostly used for geolocation).
806
807
8083.3.8. Basic features : Maps
809----------------------------
810
811Maps are a powerful type of converter consisting in loading a two-columns file
812into memory at boot time, then looking up each input sample from the first
813column and either returning the corresponding pattern on the second column if
814the entry was found, or returning a default value. The output information also
815being a sample, it can in turn experience other transformations including other
816map lookups. Maps are most commonly used to translate the client's IP address
817to an AS number or country code since they support a longest match for network
818addresses but they can be used for various other purposes.
819
820Part of their strength comes from being updatable on the fly either from the CLI
821or from certain actions using other samples, making them capable of storing and
822retrieving information between subsequent accesses. Another strength comes from
823the binary tree based indexation which makes them extremely fast event when they
824contain hundreds of thousands of entries, making geolocation very cheap and easy
825to set up.
826
827
8283.3.9. Basic features : ACLs and conditions
829-------------------------------------------
830
831Most operations in HAProxy can be made conditional. Conditions are built by
832combining multiple ACLs using logic operators (AND, OR, NOT). Each ACL is a
833series of tests based on the following elements :
834
835 - a sample fetch method to retrieve the element to test ;
836
837 - an optional series of converters to transform the element ;
838
839 - a list of patterns to match against ;
840
841 - a matching method to indicate how to compare the patterns with the sample
842
843For example, the sample may be taken from the HTTP "Host" header, it could then
844be converted to lower case, then matched against a number of regex patterns
845using the regex matching method.
846
847Technically, ACLs are built on the same core as the maps, they share the exact
848same internal structure, pattern matching methods and performance. The only real
849difference is that instead of returning a sample, they only return "found" or
850or "not found". In terms of usage, ACL patterns may be declared inline in the
851configuration file and do not require their own file. ACLs may be named for ease
852of use or to make configurations understandable. A named ACL may be declared
853multiple times and it will evaluate all definitions in turn until one matches.
854
855About 13 different pattern matching methods are provided, among which IP address
856mask, integer ranges, substrings, regex. They work like functions, and just like
857with any programming language, only what is needed is evaluated, so when a
858condition involving an OR is already true, next ones are not evaluated, and
859similarly when a condition involving an AND is already false, the rest of the
860condition is not evaluated.
861
862There is no practical limit to the number of declared ACLs, and a handful of
863commonly used ones are provided. However experience has shown that setups using
864a lot of named ACLs are quite hard to troubleshoot and that sometimes using
865anynmous ACLs inline is easier as it requires less references out of the scope
866being analysed.
867
868
8693.3.10. Basic features : Content switching
870------------------------------------------
871
872HAProxy implements a mechanism known as content-based switching. The principle
873is that a connection or request arrives on a frontend, then the information
874carried with this request or connection are processed, and at this point it is
875possible to write ACLs-based conditions making use of these information to
876decide what backend will process the request. Thus the traffic is directed to
877one backend or another based on the request's contents. The most common example
878consists in using the Host header and/or elements from the path (sub-directories
879or file-name extensions) to decide whether an HTTP request targets a static
880object or the application, and to route static objects traffic to a backend made
881of fast and light servers, and all the remaining traffic to a more complex
882application server, thus constituting a fine-grained virtual hosting solution.
883This is quite convenient to make multiple technologies coexist as a more global
884solution.
885
886Another use case of content-switching consists in using different load balancing
887algorithms depending on various criteria. A cache may use a URI hash while an
888application would use round robin.
889
890Last but not least, it allows multiple customers to use a small share of a
891common resource by enforcing per-backend (thus per-customer connection limits).
892
893Content switching rules scale very well, though their performance may depend on
894the number and complexity of the ACLs in use. But it is also possible to write
895dynamic content switching rules where a sample value directly turns into a
896backend name and without making use of ACLs at all. Such configurations have
897been reported to work fine at least with 300000 backends in production.
898
899
9003.3.11. Basic features : Stick-tables
901-------------------------------------
902
903Stick-tables are commonly used to store stickiness information, that is, to keep
904a reference to the server a certain visitor was directed to. The key is then the
905identifier associated with the visitor (its source address, the SSL ID of the
906connection, an HTTP or RDP cookie, the customer number extracted from the URL or
907from the payload, ...) and the stored value is then the server's identifier.
908
909Stick tables may use 3 different types of samples for their keys : integers,
910strings and addresses. Only one stick-table may be referenced in a proxy, and it
911is designated everywhere with the proxy name. Up to 8 key may be tracked in
912parallel. The server identifier is committed during request or response
913processing once both the key and the server are known.
914
915Stick-table contents may be replicated in active-active mode with other HAProxy
916nodes known as "peers" as well as with the new process during a reload operation
917so that all load balancing nodes share the same information and take the same
918routing decision if a client's requests are spread over multiple nodes.
919
920Since stick-tables are indexed on what allows to recognize a client, they are
921often also used to store extra information such as per-client statistics. The
922extra statistics take some extra space and need to be explicitly declared. The
923type of statistics that may be stored includes the input and output bandwidth,
924the number of concurrent connections, the connection rate and count over a
925period, the amount and frequency of errors, some specific tags and counters,
926etc... In order to support keeping such information without being forced to
927stick to a given server, a special "tracking" feature is implemented and allows
928to track up to 3 simultaneous keys from different tables at the same time
929regardless of stickiness rules. Each stored statistics may be searched, dumped
930and cleared from the CLI and adds to the live troubleshooting capabilities.
931
932While this mechanism can be used to surclass a returning visitor or to adjust
933the delivered quality of service depending on good or bad behaviour, it is
934mostly used to fight against service abuse and more generally DDoS as it allows
935to build complex models to detect certain bad behaviours at a high processing
936speed.
937
938
9393.3.12. Basic features : Formated strings
940-----------------------------------------
941
942There are many places where HAProxy needs to manipulate character strings, such
943as logs, redirects, header additions, and so on. In order to provide the
944greatest flexibility, the notion of formated strings was introduced, initially
945for logging purposes, which explains why it's still called "log-format". These
946strings contain escape characters allowing to introduce various dynamic data
947including variables and sample fetch expressions into strings, and even to
948adjust the encoding while the result is being turned into a string (for example,
949adding quotes). This provides a powerful way to build header contents or to
950customize log lines. Additionally, in order to remain simple to build most
951common strings, about 50 special tags are provided as shortcuts for information
952commonly used in logs.
953
954
9553.3.13. Basic features : HTTP rewriting and redirection
956-------------------------------------------------------
957
958Installing a load balancer in front of an application that was never designed
959for this can be a challenging task without the proper tools. One of the most
960commonly requested operation in this case is to adjust requests and response
961headers to make the load balancer appear as the origin server and to fix hard
962coded information. This comes with changing the path in requests (which is
963strongly advised against), modifying Host header field, modifying the Location
964response header field for redirects, modifying the path and domain attribute
965for cookies, and so on. It also happens that a number of servers are somewhat
966verbose and tend to leak too much information in the response, making them more
967vulnerable to targetted attacks. While it's theorically not the role of a load
968balancer to clean this up, in practice it's located at the best place in the
969infrastructure to guarantee that everything is cleaned up.
970
971Similarly, sometimes the load balancer will have to intercept some requests and
972respond with a redirect to a new target URL. While some people tend to confuse
973redirects and rewriting, these are two completely different concepts, since the
974rewriting makes the client and the server see different things (and disagree on
975the location of the page being visited) while redirects ask the client to visit
976the new URL so that it sees the same location as the server.
977
978In order to do this, HAProxy supports various possibilities for rewriting and
979redirect, among which :
980
981 - regex-based URL and header rewriting in requests and responses. Regex are
982 the most commonly used tool to modify header values since they're easy to
983 manipulate and well understood;
984
985 - headers may also be appended, deleted or replaced based on formated strings
986 so that it is possible to pass information there (eg: client side TLS
987 algorithm and cipher);
988
989 - HTTP redirects can use any 3xx code to a relative, absolute, or completely
990 dynamic (formated string) URI;
991
992 - HTTP redirects also support some extra options such as setting or clearing
993 a specific cookie, dropping the query string, appending a slash if missing,
994 and so on;
995
996 - all operations support ACL-based conditions;
997
998
9993.3.14. Basic features : Server protection
1000------------------------------------------
1001
1002HAProxy does a lot to maximize service availability, and for this it deploys
1003large efforts to protect servers against overloading and attacks. The first
1004and most important point is that only complete and valid requests are forwarded
1005to the servers. The initial reason is that HAProxy needs to find the protocol
1006elements it needs to stay synchronized with the byte stream, and the second
1007reason is that until the request is complete, there is no way to know if some
1008elements will change its semantics. The direct benefit from this is that servers
1009are not exposed to invalid or incomplete requests. This is a very effective
1010protection against slowloris attacks, which have almost no impact on HAProxy.
1011
1012Another important point is that HAProxy contains buffers to store requests and
1013responses, and that by only sending a request to a server when it's complete and
1014by reading the whole response very quickly from the local network, the server
1015side connection is used for a very short time and this preserves server
1016resources as much as possible.
1017
1018A direct extension to this is that HAProxy can artificially limit the number of
1019concurrent connections or outstanding requests to a server, which guarantees
1020that the server will never be overloaded even if it continuously runs at 100% of
1021its capacity during traffic spikes. All excess requests will simply be queued to
1022be processed when one slot is released. In the end, this huge resource savings
1023most often ensures so much better server response times that it ends up actually
1024being faster than by overloading the server. Queued requests may be redispatched
1025to other servers, or even aborted in queue when the client aborts, which also
1026protects the servers against the "reload effect", where each click on "reload"
1027by a visitor on a slow-loading page usually induces a new request and maintains
1028the server in an overloaded state.
1029
1030The slow-start mechanism also protects restarting servers against high traffic
1031levels while they're still finalizing their startup or compiling some classes.
1032
1033Regarding the protocol-level protection, it is possible to relax the HTTP parser
1034to accept non stardard-compliant but harmless requests or responses and even to
1035fix them. This allows bogus applications to be accessible while a fix is being
1036developped. In parallel, offending messages are completely captured with a
1037detailed report that help developers spot the issue in the application. The most
1038dangerous protocol violations are properly detected and dealt with and fixed.
1039For example malformed requests or responses with two Content-length headers are
1040either fixed if the values are exactly the same, or rejected if they differ,
1041since it becomes a security problem. Protocol inspection is not limited to HTTP,
1042it is also available for other protocols like TLS or RDP.
1043
1044When a protocol violation or attack is detected, there are various options to
1045respond to the user, such as returning the common "HTTP 400 bad request",
1046closing the connection with a TCP reset, faking an error after a long delay
1047("tarpit") to confuse the attacker. All of these contribute to protecting the
1048servers by discouraging the offending client from pursuing an attack that
1049becomes very expensive to maintain.
1050
1051HAProxy also proposes some more advanced options to protect against accidental
1052data leaks and session crossing. Not only it can log suspicious server responses
1053but it will also log and optionally block a response which might affect a given
1054visitors' confidentiality. One such example is a cacheable cookie appearing in a
1055cacheable response and which may result in an intermediary cache to deliver it
1056to another visitor, causing an accidental session sharing.
1057
1058
10593.3.15. Basic features : Logging
1060--------------------------------
1061
1062Logging is an extremely important feature for a load balancer, first because a
1063load balancer is often accused of the trouble it reveals, and second because it
1064is placed at a critical point in an infrastructure where all normal and abnormal
1065activity needs to be analysed and correlated with other components.
1066
1067HAProxy provides very detailed logs, with millisecond accuracy and the exact
1068connection accept time that can be searched in firewalls logs (eg: for NAT
1069correlation). By default, TCP and HTTP logs are quite detailed an contain
1070everything needed for troubleshooting, such as source IP address and port,
1071frontend, backend, server, timers (request receipt duration, queue duration,
1072connection setup time, response headers time, data transfer time), global
1073process state, connection counts, queue status, retries count, detailed
1074stickiness actions and disconnect reasons, header captures with a safe output
1075encoding. It is then possible to extend or replace this format to include any
1076sampled data, variables, captures, resulting in very detailed information. For
1077example it is possible to log the number cumulated requests for this client or
1078the number of different URLs for the client.
1079
1080The log level may be adjusted per request using standard ACLs, so it is possible
1081to automatically silent some logs considered as pollution and instead raise
1082warnings when some abnormal behaviour happen for a small part of the traffic
1083(eg: too many URLs or HTTP errors for a source address). Administrative logs are
1084also emitted with their own levels to inform about the loss or recovery of a
1085server for example.
1086
1087Each frontend and backend may use multiple independant log outputs, which eases
1088multi-tenancy. Logs are preferably sent over UDP, maybe JSON-encoded, and are
1089truncated after a configurable line length in order to guarantee delivery.
1090
1091
10923.3.16. Basic features : Statistics
1093-----------------------------------
1094
1095HAProxy provides a web-based statistics reporting interface with authentication,
1096security levels and scopes. It is thus possible to provide each hosted customer
1097with his own page showing only his own instances. This page can be located in a
1098hidden URL part of the regular web site so that no new port needs to be opened.
1099This page may also report the availability of other HAProxy nodes so that it is
1100easy to spot if everything works as expected at a glance. The view is synthetic
1101with a lot of details accessible (such as error causes, last access and last
1102change duration, etc), which are also accessible as a CSV table that other tools
1103may import to draw graphs. The page may self-refresh to be used as a monitoring
1104page on a large display. In administration mode, the page also allows to change
1105server state to ease maintenance operations.
1106
1107
11083.4. Advanced features
1109----------------------
1110
11113.4.1. Advanced features : Management
1112-------------------------------------
1113
1114HAProxy is designed to remain extremely stable and safe to manage in a regular
1115production environment. It is provided as a single executable file which doesn't
1116require any installation process. Multiple versions can easily coexist, meaning
1117that it's possible (and recommended) to upgrade instances progressively by
1118order of criticity instead of migrating all of them at once. Configuration files
1119are easily versionned. Configuration checking is done off-line so it doesn't
1120require to restart a service that will possibly fail. During configuration
1121checks, a number of advanced mistakes may be detected (eg: for example, a rule
1122hiding another one, or stickiness that will not work) and detailed warnings and
1123configuration hints are proposed to fix them. Backwards configuration file
1124compatibility goes very far away in time, with version 1.5 still fully
1125supporting configurations for versions 1.1 written 13 years before, and 1.6
1126only dropping support for almost unused, obsolete keywords that can be done
1127differently. The configuration and software upgrade mechanism is smooth and non
1128disruptive in that it allows old and new processes to coexist on the system,
1129each handling its own connections. System status, build options and library
1130compatibility are reported on startup.
1131
1132Some advanced features allow an application administrator to smoothly stop a
1133server, detect when there's no activity on it anymore, then take it off-line,
1134stop it, upgrade it and ensure it doesn't take any traffic while being upgraded,
1135then test it again through the normal path without opening it to the public, and
1136all of this without touching HAProxy at all. This ensures that even complicated
1137production operations may be done during opening hours with all technical
1138resources available.
1139
1140The process tries to save resources as much as possible, uses memory pools to
1141save on allocation time and limit memory fragmentation, releases payload buffers
1142as soon as their contents are sent, and supports enforcing strong memory limits
1143above which connections have to wait for a buffer to become available instead of
1144allocating more memory. This system helps guarantee memory usage in certain
1145strict environments.
1146
1147A command line interface (CLI) is available as a UNIX or TCP socket, to perform
1148a number of operations and to retrieve troubleshooting information. Everything
1149done on this socket doesn't require a configuration change, so it is mostly used
1150for temporary changes. Using this interface it is possible to change a server's
1151address, weight and status, to consult statistics and clear counters, dump and
1152clear stickiness tables, possibly selectively by key criteria, dump and kill
1153client-side and server-side connections, dump captured errors with a detailed
1154analysis of the exact cause and location of the error, dump, add and remove
1155entries from ACLs and maps, update TLS shared secrets, apply connection limits
1156and rate limits on the fly to arbitrary frontends (useful in shared hosting
1157environments), and disable a specific frontend to release a listening port
1158(useful when daytime operations are forbidden and a fix is needed nonetheless).
1159
1160For environments where SNMP is mandatory, at least two agents exist, one is
1161provided with the HAProxy sources and relies on the Net-SNMP perl module.
1162Another one is provided with the commercial packages and doesn't require Perl.
1163Both are roughly equivalent in terms of coverage.
1164
1165It is often recommended to install 4 utilities on the machine where HAProxy is
1166deployed :
1167
1168 - socat (in order to connect to the CLI, though certain forks of netcat can
1169 also do it to some extents);
1170
1171 - halog from the latest HAProxy version : this is the log analysis tool, it
1172 parses native TCP and HTTP logs extremely fast (1 to 2 GB per second) and
1173 extracts useful information and statistics such as requests per URL, per
1174 source address, URLs sorted by response time or error rate, termination
1175 codes etc... It was designed to be deployed on the production servers to
1176 help troubleshoot live issues so it has to be there ready to be used;
1177
1178 - tcpdump : this is highly recommended to take the network traces needed to
1179 troubleshoot an issue that was made visible in the logs. There is a moment
1180 where application and haproxy's analysis will diverge and the network traces
1181 are the only way to say who's right and who's wrong. It's also fairly common
1182 to detect bugs in network stacks and hypervisors thanks to tcpdump;
1183
1184 - strace : it is tcpdump's companion. It will report what HAProxy really sees
1185 and will help sort out the issues the operating system is responsible for
1186 from the ones HAProxy is responsible for. Strace is often requested when a
1187 bug in HAProxy is suspected;
1188
1189
11903.4.2. Advanced features : System-specific capabilities
1191-------------------------------------------------------
1192
1193Depending on the operating system HAProxy is deployed on, certain extra features
1194may be available or needed. While it is supported on a number of platforms,
1195HAProxy is primarily developped on Linux, which explains why some features are
1196only available on this platform.
1197
1198The transparent bind and connect features, the support for binding connections
1199to a specific network interface, as well as the ability to bind multiple
1200processes to the same IP address and ports are only available on Linux and BSD
1201systems, though only Linux performs a kernel-side load balancing of the incoming
1202requests between the available processes.
1203
1204On Linux, there are also a number of extra features and optimizations including
1205support for network namespaces (also known as "containers") allowing HAProxy to
1206be a gateway between all containers, the ability to set the MSS, Netfilter marks
1207and IP TOS field on the client side connection, support for TCP FastOpen on the
1208listening side, TCP user timeouts to let the kernel quickly kill connections
1209when it detects the client has disappeared before the configured timeouts, TCP
1210splicing to let the kernel forward data between the two sides of a connections
1211thus avoiding multiple memory copies, the ability to enable the "defer-accept"
1212bind option to only get notified of an incoming connection once data become
1213available in the kernel buffers, and the ability to send the request with the
1214ACK confirming a connect (sometimes called "biggy-back") which is enabled with
1215the "tcp-smart-connect" option. On Linux, HAProxy also takes great care of
1216manipulating the TCP delayed ACKs to save as many packets as possible on the
1217network.
1218
1219Some systems have an unreliable clock which jumps back and forth in the past
1220and in the future. This used to happen with some NUMA systems where multiple
1221processors didn't see the exact same time of day, and recently it became more
1222common in virtualized environments where the virtual clock has no relation with
1223the real clock, resulting in huge time jumps (sometimes up to 30 seconds have
1224been observed). This causes a lot of trouble with respect to timeout enforcement
1225in general. Due to this flaw of these systems, HAProxy maintains its own
1226monotonic clock which is based on the system's clock but where drift is measured
1227and compensated for. This ensures that even with a very bad system clock, timers
1228remain reasonably accurate and timeouts continue to work. Note that this problem
1229affects all the software running on such systems and is not specific to HAProxy.
1230The common effects are spurious timeouts or application freezes. Thus if this
1231behaviour is detected on a system, it must be fixed, regardless of the fact that
1232HAProxy protects itself against it.
1233
1234
12353.4.3. Advanced features : Scripting
1236------------------------------------
1237
1238HAProxy can be built with support for the Lua embedded language, which opens a
1239wide area of new possibilities related to complex manipulation of requests or
1240responses, routing decisions, statistics processing and so on. Using Lua it is
1241even possible to establish parallel connections to other servers to exchange
1242information. This way it becomes possible (though complex) to develop an
1243authentication system for example. Please refer to the documentation in the file
1244"doc/lua-api/index.rst" for more information on how to use Lua.
1245
1246
12473.5. Sizing
1248-----------
1249
1250Typical CPU usage figures show 15% of the processing time spent in HAProxy
1251versus 85% in the kernel in TCP or HTTP close mode, and about 30% for HAProxy
1252versus 70% for the kernel in HTTP keep-alive mode. This means that the operating
1253system and its tuning have a strong impact on the global performance.
1254
1255Usages vary a lot between users, some focus on bandwidth, other ones on request
1256rate, others on connection concurrency, others on SSL performance. this section
1257aims at providing a few elements to help in this task.
1258
1259It is important to keep in mind that every operation comes with a cost, so each
1260individual operation adds its overhead on top of the other ones, which may be
1261negligible in certain circumstances, and which may dominate in other cases.
1262
1263When processing the requests from a connection, we can say that :
1264
1265 - forwarding data costs less than parsing request or response headers;
1266
1267 - parsing request or response headers cost less than establishing then closing
1268 a connection to a server;
1269
1270 - establishing an closing a connection costs less than a TLS resume operation;
1271
1272 - a TLS resume operation costs less than a full TLS handshake with a key
1273 computation;
1274
1275 - an idle connection costs less CPU than a connection whose buffers hold data;
1276
1277 - a TLS context costs even more memory than a connection with data;
1278
1279So in practice, it is cheaper to process payload bytes than header bytes, thus
1280it is easier to achieve high network bandwidth with large objects (few requests
1281per volume unit) than with small objects (many requests per volume unit). This
1282explains why maximum bandwidth is always measured with large objects, while
1283request rate or connection rates are measured with small objects.
1284
1285Some operations scale well on multiple process spread over multiple processors,
1286and others don't scale as well. Network bandwidth doesn't scale very far because
1287the CPU is rarely the bottleneck for large objects, it's mostly the network
1288bandwidth and data busses to reach the network interfaces. The connection rate
1289doesn't scale well over multiple processors due to a few locks in the system
1290when dealing with the local ports table. The request rate over persistent
1291connections scales very well as it doesn't involve much memory nor network
1292bandwidth and doesn't require to access locked structures. TLS key computation
1293scales very well as it's totally CPU-bound. TLS resume scales moderately well,
1294but reaches its limits around 4 processes where the overhead of accessing the
1295shared table offsets the small gains expected from more power.
1296
1297The performance numbers one can expect from a very well tuned system are in the
1298following range. It is important to take them as orders of magnitude and to
1299expect significant variations in any direction based on the processor, IRQ
1300setting, memory type, network interface type, operating system tuning and so on.
1301
1302The following numbers were found on a Core i7 running at 3.7 GHz equiped with
1303a dual-port 10 Gbps NICs running Linux kernel 3.10, HAProxy 1.6 and OpenSSL
13041.0.2. HAProxy was running as a single process on a single dedicated CPU core,
1305and two extra cores were dedicated to network interrupts :
1306
1307 - 20 Gbps of maximum network bandwidth in clear text for objects 256 kB or
1308 higher, 10 Gbps for 41kB or higher;
1309
1310 - 4.6 Gbps of TLS traffic using AES256-GCM cipher with large objects;
1311
1312 - 83000 TCP connections per second from client to server;
1313
1314 - 82000 HTTP connections per second from client to server;
1315
1316 - 97000 HTTP requests per second in server-close mode (keep-alive with the
1317 client, close with the server);
1318
1319 - 243000 HTTP requests per second in end-to-end keep-alive mode;
1320
1321 - 300000 filtered TCP connections per second (anti-DDoS)
1322
1323 - 160000 HTTPS requests per second in keep-alive mode over persistent TLS
1324 connections;
1325
1326 - 13100 HTTPS requests per second using TLS resumed connections;
1327
1328 - 1300 HTTPS connections per second using TLS connections renegociated with
1329 RSA2048;
1330
1331 - 20000 concurrent saturated connections per GB of RAM, including the memory
1332 required for system buffers; it is possible to do better with careful tuning
1333 but this setting it easy to achieve.
1334
1335 - about 8000 concurrent TLS connections (client-side only) per GB of RAM,
1336 including the memory required for system buffers;
1337
1338 - about 5000 concurrent end-to-end TLS connections (both sides) per GB of
1339 RAM including the memory required for system buffers;
1340
1341Thus a good rule of thumb to keep in mind is that the request rate is divided
1342by 10 between TLS keep-alive and TLS resume, and between TLS resume and TLS
1343renegociation, while it's only divided by 3 between HTTP keep-alive and HTTP
1344close. Another good rule of thumb is to remember that a high frequency core
1345with AES instructions can do around 5 Gbps of AES-GCM per core.
1346
1347Having more core rarely helps (except for TLS) and is even counter-productive
1348due to the lower frequency. In general a small number of high frequency cores
1349is better.
1350
1351Another good rule of thumb is to consider that on the same server, HAProxy will
1352be able to saturate :
1353
1354 - about 5-10 static file servers or caching proxies;
1355
1356 - about 100 anti-virus proxies;
1357
Willy Tarreau16af23c2015-08-27 16:30:53 +02001358 - and about 100-1000 application servers depending on the technology in use.
Willy Tarreaud8e42b62015-08-18 21:51:36 +02001359
1360
13613.6. How to get HAProxy
1362-----------------------
1363
1364HAProxy is an opensource project covered by the GPLv2 license, meaning that
1365everyone is allowed to redistribute it provided that access to the sources is
1366also provided upon request, especially if any modifications were made.
1367
1368HAProxy evolves as a main development branch called "master" or "mainline", from
1369which new branches are derived once the code is considered stable. A lot of web
1370sites run some development branches in production on a voluntarily basis, either
1371to participate to the project or because they need a bleeding edge feature, and
1372their feedback is highly valuable to fix bugs and judge the overall quality and
1373stability of the version being developped.
1374
1375The new branches that are created when the code is stable enough constitute a
1376stable version and are generally maintained for several years, so that there is
1377no emergency to migrate to a newer branch even when you're not on the latest.
1378Once a stable branch is issued, it may only receive bug fixes, and very rarely
1379minor feature updates when that makes users' life easier. All fixes that go into
1380a stable branch necessarily come from the master branch. This guarantees that no
1381fix will be lost after an upgrade. For this reason, if you fix a bug, please
1382make the patch against the master branch, not the stable branch. You may even
1383discover it was already fixed. This process also ensures that regressions in a
1384stable branch are extremely rare, so there is never any excuse for not upgrading
1385to the latest version in your current branch.
1386
1387Branches are numberred with two digits delimited with a dot, such as "1.6". A
1388complete version includes one or two sub-version numbers indicating the level of
1389fix. For example, version 1.5.14 is the 14th fix release in branch 1.5 after
1390version 1.5.0 was issued. It contains 126 fixes for individual bugs, 24 updates
1391on the documentation, and 75 other backported patches, most of which were needed
1392to fix the aforementionned 126 bugs. An existing feature may never be modified
1393nor removed in a stable branch, in order to guarantee that upgrades within the
1394same branch will always be harmless.
1395
1396HAProxy is available from multiple sources, at different release rhythms :
1397
1398 - The official community web site : http://www.haproxy.org/ : this site
1399 provides the sources of the latest development release, all stable releases,
1400 as well as nightly snapshots for each branch. The release cycle is not fast,
1401 several months between stable releases, or between development snapshots.
1402 Very old versions are still supported there. Everything is provided as
1403 sources only, so whatever comes from there needs to be rebuilt and/or
1404 repackaged;
1405
1406 - A number of operating systems such as Linux distributions and BSD ports.
1407 These systems generally provide long-term maintained versions which do not
1408 always contain all the fixes from the official ones, but which at least
1409 contain the critical fixes. It often is a good option for most users who do
1410 not seek advanced configurations and just want to keep updates easy;
1411
1412 - Commercial versions from http://www.haproxy.com/ : these are supported
1413 professional packages built for various operating systems or provided as
1414 appliances, based on the latest stable versions and including a number of
1415 features backported from the next release for which there is a strong
1416 demand. It is the best option for users seeking the latest features with
1417 the reliability of a stable branch, the fastest response time to fix bugs,
1418 or simply support contracts on top of an opensource product;
1419
1420
1421In order to ensure that the version you're using is the latest one in your
1422branch, you need to proceed this way :
1423
1424 - verify which HAProxy executable you're running : some systems ship it by
1425 default and administrators install their versions somewhere else on the
1426 system, so it is important to verify in the startup scripts which one is
1427 used;
1428
1429 - determine which source your HAProxy version comes from. For this, it's
1430 generally sufficient to type "haproxy -v". A development version will
1431 appear like this, with the "dev" word after the branch number :
1432
1433 HA-Proxy version 1.6-dev3-385ecc-68 2015/08/18
1434
1435 A stable version will appear like this, as well as unmodified stable
1436 versions provided by operating system vendors :
1437
1438 HA-Proxy version 1.5.14 2015/07/02
1439
1440 And a nightly snapshot of a stable version will appear like this with an
1441 hexadecimal sequence after the version, and with the date of the snapshot
1442 instead of the date of the release :
1443
1444 HA-Proxy version 1.5.14-e4766ba 2015/07/29
1445
1446 Any other format may indicate a system-specific package with its own
1447 patch set. For example HAProxy Enterprise versions will appear with the
1448 following format (<branch>-<latest commit>-<revision>) :
1449
1450 HA-Proxy version 1.5.0-994126-357 2015/07/02
1451
1452 - for system-specific packages, you have to check with your vendor's package
1453 repository or update system to ensure that your system is still supported,
1454 and that fixes are still provided for your branch. For community versions
1455 coming from haproxy.org, just visit the site, verify the status of your
1456 branch and compare the latest version with yours to see if you're on the
1457 latest one. If not you can upgrade. If your branch is not maintained
1458 anymore, you're definitely very late and will have to consider an upgrade
1459 to a more recent branch (carefully read the README when doing so).
1460
1461HAProxy will have to be updated according to the source it came from. Usually it
1462follows the system vendor's way of upgrading a package. If it was taken from
1463sources, please read the README file in the sources directory after extracting
1464the sources and follow the instructions for your operating system.
1465
1466
14674. Companion products and alternatives
1468--------------------------------------
1469
1470HAProxy integrates fairly well with certain products listed below, which is why
1471they are mentionned here even if not directly related to HAProxy.
1472
1473
14744.1. Apache HTTP server
1475-----------------------
1476
1477Apache is the de-facto standard HTTP server. It's a very complete and modular
1478project supporting both file serving and dynamic contents. It can serve as a
1479frontend for some application servers. In can even proxy requests and cache
1480responses. In all of these use cases, a front load balancer is commonly needed.
1481Apache can work in various modes, certain being heavier than other ones. Certain
1482modules still require the heavier pre-forked model and will prevent Apache from
1483scaling well with a high number of connections. In this case HAProxy can provide
1484a tremendous help by enforcing the per-server connection limits to a safe value
1485and will significantly speed up the server and preserve its resources that will
1486be better used by the application.
1487
1488Apache can extract the client's address from the X-Forwarded-For header by using
1489the "mod_rpaf" extension. HAProxy will automatically feed this header when
1490"option forwardfor" is specified in its configuration. HAProxy may also offer a
1491nice protection to Apache when exposed to the internet, where it will better
1492resist to a wide number of types of DoS.
1493
1494
14954.2. NGINX
1496----------
1497
1498NGINX is the second de-facto standard HTTP server. Just like Apache, it covers a
1499wide range of features. NGINX is built on a similar model as HAProxy so it has
1500no problem dealing with tens of thousands of concurrent connections. When used
1501as a gateway to some applications (eg: using the included PHP FPM), it can often
1502be beneficial to set up some frontend connection limiting to reduce the load
1503on the PHP application. HAProxy will clearly be useful there both as a regular
1504load balancer and as the traffic regulator to speed up PHP by decongestionning
1505it. Also since both products use very little CPU thanks to their event-driven
1506architecture, it's often easy to install both of them on the same system. NGINX
1507implements HAProxy's PROXY protocol, thus it is easy for HAProxy to pass the
1508client's connection information to NGINX so that the application gets all the
1509relevant information. Some benchmarks have also shown that for large static
1510file serving, implementing consistent hash on HAProxy in front of NGINX can be
1511beneficial by optimizing the OS' cache hit ratio, which is basically multiplied
1512by the number of server nodes.
1513
1514
15154.3. Varnish
1516------------
1517
1518Varnish is a smart caching reverse-proxy, probably best described as a web
1519application accelerator. Varnish doesn't implement SSL/TLS and wants to dedicate
1520all of its CPU cycles to what it does best. Varnish also implements HAProxy's
1521PROXY protocol so that HAProxy can very easily be deployed in front of Varnish
1522as an SSL offloader as well as a load balancer and pass it all relevant client
1523information. Also, Varnish naturally supports decompression from the cache when
1524a server has provided a compressed object, but doesn't compress however. HAProxy
1525can then be used to compress outgoing data when backend servers do not implement
1526compression, though it's rarely a good idea to compress on the load balancer
1527unless the traffic is low.
1528
1529When building large caching farms across multiple nodes, HAProxy can make use of
1530consistent URL hashing to intelligently distribute the load to the caching nodes
1531and avoid cache duplication, resulting in a total cache size which is the sum of
1532all caching nodes.
1533
1534
15354.4. Alternatives
1536-----------------
1537
1538Linux Virtual Server (LVS or IPVS) is the layer 4 load balancer included within
1539the Linux kernel. It works at the packet level and handles TCP and UDP. In most
1540cases it's more a complement than an alternative since it doesn't have layer 7
1541knowledge at all.
1542
1543Pound is another well-known load balancer. It's much simpler and has much less
1544features than HAProxy but for many very basic setups both can be used. Its
1545author has always focused on code auditability first and wants to maintain the
1546set of features low. Its thread-based architecture scales less well with high
1547connection counts, but it's a good product.
1548
1549Pen is a quite light load balancer. It supports SSL, maintains persistence using
1550a fixed-size table of its clients' IP addresses. It supports a packet-oriented
1551mode allowing it to support direct server return and UDP to some extents. It is
1552meant for small loads (the persistence table only has 2048 entries).
1553
1554NGINX can do some load balancing to some extents, though it's clearly not its
1555primary function. Production traffic is used to detect server failures, the
1556load balancing algorithms are more limited, and the stickiness is very limited.
1557But it can make sense in some simple deployment scenarios where it is already
1558present. The good thing is that since it integrates very well with HAProxy,
1559there's nothing wrong with adding HAProxy later when its limits have been faced.
1560
1561Varnish also does some load balancing of its backend servers and does support
1562real health checks. It doesn't implement stickiness however, so just like with
1563NGINX, as long as stickiness is not needed that can be enough to start with.
1564And similarly, since HAProxy and Varnish integrate so well together, it's easy
1565to add it later into the mix to complement the feature set.
1566