# HAPROXY - General principle
# Communication flow
# Frontends
- Listen on unique TCP ports.
- Handle incoming layer 4 (Transport).
- Optionally:
- Handle incoming layer 5 (Session),
e.g. Result of TLS negotiations. - Handle incoming layer 6 (Presentation),
e.g. raw payload buffers. - Handle incoming layer 7 (Application),
e.g. http request, http headers
- Handle incoming layer 5 (Session),
Each of the handled layers are accessible by specific ACL conditions, functions and general connection or request based commands.
Multiple frontends are possible, but ports have to be unique.
A frontend finally routes a connection or request to a single backend.
# Backends
- Implement outgoing traffic,
possibly applying:- Modification of request and response
- header modifications
- URI modifications
- Definition of target servers
- Definition of load balancing
- Definition of rate limitation
- Definition of http behaviour,
e.g. keepalive, timeouts
- Modification of request and response
# ACLs
Matching rules (resolve boolean) which can be implemented both inside frontends and backends.
ACLs are scoped within their frontend or backend; A backend cannot use an ACL from a frontend. However, the frontend can add a variable to the request object which is then available from the backend.
# Logging
Logging output is possible to:
- File
- syslog service
- stdout / stderr
The log output is highly configurable.
Log levels can be defined at any place (frontends or backends),
possibly following ACLs.
# Caching
Newer versions support Caching. This is not currently used at Giffits.
# Special features
# DNS resolver
Server definitions in backends are resolved once during startup.
If IP addresses dynamically change (as with many AWS service names)
the server definitions can use resolvers. A resolver keeps DNS
entries for a certain amount of time and re-resolves after expiry.
# LUA
HAPROXY features a builtin LUA interpreter.
All Scripts are loaded and compiled during startup.
The LUA implementation forbids any synchronous or
potentially blocking commands during runtime. If a script needs
file access it can only perform this during startup. All
loaded data is kept in memory throughout the whole runtime
(there no free() or other disallocation).
# Letsencrypt a.c.m.e handshake
...is implemented as LUA plugin which works in cooperation with
a.c.m.e clients like certbot.
# Peers
High availability implementations use multiple HAPROXY instances with shared state tables.
Not currently used at Giffits.
# Custom errors
The http error responses are fully customizable. However, each customized "page" is loaded into Memory during startup.
# Statistics
Internal state is accessible through a POSIX named socket.
There's clients for this, but it features a simple ASCII protocol
usable by socket-capable commands like socat.
Some state is also visible and partly changeable through a web interface. This is mainly used to check backends and set maintenance states of single servers.
# Proxy protocol
HAPROXY is mainly an upstream proxy - completely transparent and not distinguishable from a web server.
It can also be used as downstream proxy. It features all proxy protocol options but is a bad choice for caching and content security implementations.
# Links & references
- general description (opens new window)
- haproxy.org docs (opens new window)
The aws installation is currently at version 2.4.
← Introduction Frontend →