
Introduction to HAProxy ACLs - phil21
https://www.haproxy.com/blog/introduction-to-haproxy-acls/
======
theideaofcoffee
HAProxy has been and continues to be one of my favorite tools because of
features like this. Stuff where you might have to start digging around, say,
arcane and fragile Apache rewrites, becomes a series of surprisingly readable
functional-like statements that make reasoning about the implications of those
statements easy. Even HAProxy newbies can get going really fast and have the
confidence that their changes aren't going to lead to major breakage because
of its readability.

Just today I deployed some haproxy acls to transparently partition traffic for
new API features off of a customer's main legacy application onto a dedicated
cluster of API machines. It still surprises me just how easy doing something
like that is. The most difficult part of that process was remembering the
business logic: to append a query string value that the API expected to see
in the request for this part of the migration. This is completely unlike
munging around Apache rewrites and hoping that you didn't leave off an 'L' and
make it start looping, or forget to append the query string, stuff like that.

I think that if you work with anything web-facing, regardless of the scale,
you'd be well served by learning even HAProxy's most basic features and
building from there. You'd be astounded at how far you can get with even a
basic configuration.
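
The kind of traffic split described in the comment above, as an added example
that is not from the original post, the linked article, or any commenter's
real config. Backend names and addresses, the /api/v2/ prefix, the
/api/v2/internal/ path and the version=2 query parameter are all assumptions.
It also shows the two ACL idioms that come up later in the thread: two acl
lines sharing a name are OR'ed together, and an ACL can be written inline
(anonymously) in braces without naming it.

```haproxy
# Added example: route new API traffic to a dedicated cluster and append a
# query parameter the new API expects. Names and addresses are assumptions.
global
    log stdout format raw local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80

    # Named ACLs. Repeating a name ORs the lines together, so is_api
    # matches either prefix.
    acl is_api path_beg /api/v2/
    acl is_api path_beg /v2/api/

    # Anonymous (inline) ACL: same matcher, no name needed. Refusing the
    # private endpoints at the edge means no app server has to be trusted
    # to enforce it on its own.
    http-request deny deny_status 403 if { path_beg /api/v2/internal/ }

    # Migration shim: the new API wants a marker in the query string.
    # set-query replaces the whole query string, so re-append the existing
    # one when there is one; "query -m found" is false when the URI has no '?'.
    http-request set-query %[query]&version=2 if is_api { query -m found }
    http-request set-query version=2          if is_api !{ query -m found }

    use_backend api_cluster if is_api
    default_backend legacy_app

backend api_cluster
    balance roundrobin
    server api1 10.0.1.11:8080 check
    server api2 10.0.1.12:8080 check

backend legacy_app
    server legacy1 10.0.2.11:8080 check
```

Two caveats a practitioner will want before relying on the deny rule:
path_beg is case-sensitive (add -i if the backend treats /API/v2 the same as
/api/v2), and HAProxy does not rewrite dot-segments or repeated slashes in the
path unless you ask it to (http-request normalize-uri, available from 2.4).
Validate any change with `haproxy -c -f /etc/haproxy/haproxy.cfg` before
reloading; it rejects unknown keywords and warns about ACLs that can never
match.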

~~~
phil21
Yep. Obviously I'm a fan of HAProxy based on my post history - but it truly is
one of those transformational tools you only come across a few times during a
career.

It's basically one of those tools you end up looking for problems for it to
solve, it's so elegant. I have my HAProxy hammer, and everything is a nail!

Cannot give Willy and team more kudos!

~~~
theideaofcoffee
I am the same way, I advocate a lot for replacing legacy LBs (F5? Citrix?
blech) and software not really suited for LB functions, a la Apache, with
HAProxy. It's working out well so far.

Combine that with a nice network and a tasty [EI]GP and be in pure web-serving
bliss (of which I've only worked on two networks with that kind of design
forethought, which is a shame).

~~~
amerine
What do you mean by nice network?

~~~
subway
Based on the E/IGP comment, I'd guess they mean a routed layer 3 network that
can speak routing protocols down to the host level, as opposed to the big ol'
flat networks that get pushed around frequently.

------
zaarn
I absolutely love HAProxy ACLs. I use them to rewrite LetsEncrypt requests to
another destination so I can cleanly request certificates on the proxy host
without downtime or configuring backends or backend servers.

I've also recently migrated one proxy from Traefik to HAProxy, previously I
had two proxies, one with T and one with HAP, for different IP ingests, now
it's one HAP. Though I don't have failover since the networking in LXC seems
to dislike multiple interfaces on the same subnet and doesn't seem to like
HAProxy trying to listen on specific interfaces either, that'll have to move
to VMs. (I need separated frontends with separate IPs)

The easy part there is that I fully automated HAProxy deployment including
certificates with ansible, so moving from container to VM will be a breeze.

Lastly, performance is amazing. I've never had HAProxy even hiccup, even when
I got DDoS'd at some point HAProxy held up like a champ.
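
The Let's Encrypt routing the comment above describes, as an added example
rather than zaarn's actual configuration. It sends ACME HTTP-01 challenge
requests to a challenge responder running on the proxy host and redirects
everything else to HTTPS, so renewals need no changes on the backends. The
responder port (8888), the certificate directory and the app backend are
assumptions; certbot's --standalone mode with --http-01-port is one way to
provide such a responder.

```haproxy
# Added example: answer ACME HTTP-01 challenges on the proxy host itself.
# Port 8888, the cert path and the app backend are assumptions.
frontend http_in
    bind *:80
    mode http

    # The CA fetches http://<name>/.well-known/acme-challenge/<token>
    acl is_acme path_beg /.well-known/acme-challenge/

    # http-request rules run before backend selection, so the redirect
    # must explicitly exempt the challenge path or validation fails.
    http-request redirect scheme https code 301 unless is_acme

    use_backend acme_responder if is_acme
    default_backend app

frontend https_in
    # HAProxy loads every .pem in the directory and picks by SNI.
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend app

backend acme_responder
    mode http
    # e.g. certbot certonly --standalone --http-01-port 8888 -d example.org
    # No "check": the responder only listens during a renewal run, and a
    # permanently DOWN server would just add log noise.
    server local 127.0.0.1:8888

backend app
    mode http
    server app1 10.0.2.11:8080 check
```

After certbot writes the new certificate, concatenate the full chain and the
private key into one .pem under the crt directory and reload HAProxy; the
redirect rule means no plaintext request other than the challenge ever
reaches the application.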

~~~
jSherz
Any losses from Traefik now that you're fully HAP?

~~~
zaarn
I didn't rely on T's docker integration, that would have been a loss, I guess.
HAP has much better behaviour though, T tended to buffer requests a lot which
led to several times in which either T crashed or the host system started
swapping like crazy because the server had ballooned to a few gigabytes memory.

------
znedw
I switched from nginx to HAProxy for my internal reverse-proxying needs and it
is excellent, the configuration is a bit more verbose but it handles every app
(including WebSockets, weird RPC, cookies etc) with ease.

------
SirMonkey
Shameless self-plug[0] on porting a basic HAProxy Use-case to Envoy[1]

It might give you an insight how Istio et al are doing their magic through
Envoy.

This is my first Tech-post, any comments are appreciated.

[0] [https://learn.cybus.io/lessons/envoy-primer/](https://learn.cybus.io/lessons/envoy-primer/)

[1] [https://www.envoyproxy.io/](https://www.envoyproxy.io/)

edit: formatting

------
regecks
Damn. All these years and I never realized anonymous/inlined ACLs were
possible.

------
joshbaptiste
anyone tried Traefik?

[https://github.com/containous/traefik](https://github.com/containous/traefik)

Thinking of using it for a new home based reverse proxy solution over HAProxy

~~~
haolez
It’s cool, but it’s HTTP/HTTPS only, I believe.

~~~
arthurk
It lists "Websocket, HTTP/2, GRPC ready" under Features

~~~
zaarn
HAProxy can do TCP traffic, I do that to proxy SMTP and SSH into backend
servers where they are needed.
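
The TCP-mode proxying mentioned above, as an added example rather than
zaarn's real configuration. Backend addresses and the trusted source ranges
are assumptions. In mode tcp only layer-4 matchers such as src are usable;
HTTP ACLs like path_beg never match there, and `haproxy -c` warns about them.

```haproxy
# Added example: plain TCP passthrough for SMTP and SSH. Addresses and the
# trusted ranges are assumptions.
listen smtp_in
    bind *:25
    mode tcp
    option tcplog
    timeout connect 5s
    timeout client  5m
    timeout server  5m
    # The MTA would otherwise log HAProxy's own IP as the client. send-proxy
    # prepends a PROXY protocol header; the backend must be configured to
    # expect it (Postfix: postscreen_upstream_proxy_protocol = haproxy).
    server mx1 10.0.3.20:25 check send-proxy

listen ssh_in
    bind *:2222
    mode tcp
    option tcplog
    timeout connect 5s
    timeout client  1h
    timeout server  1h
    # Layer-4 ACL: reject the connection before any bytes reach sshd.
    acl trusted_src src 10.0.0.0/8 192.168.0.0/16
    tcp-request connection reject if !trusted_src
    server bastion 10.0.3.10:22 check
```

The SSH side deliberately has no send-proxy: OpenSSH does not understand the
PROXY protocol, so sshd sees every session as coming from the proxy. Anything
keyed on the client address (sshd's per-source limits, fail2ban) has to be
enforced at HAProxy, which is why the src ACL sits there rather than on the
bastion.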

------
bearble
I use HAProxy through PF-Sense to route external traffic to my internal
network over SSL behind the firewall. It's been painless and great.

------
nickadam
There are some strange and obvious errors in this post. Don't get me wrong I
appreciate the post and I did learn some stuff, but do some proofreading.

> 192.168..122.3

Is this some new IP format I'm not aware of?

> acl evil path_beg /evil
> acl evil path_beg /evil

This is the same line twice to demonstrate a logical OR (I guess one is
supposed to be path_end)

~~~
rogerdonut
Thanks for pointing this out. We have corrected this.

------
VvR-Ox
Thank you for sharing this, I think many people are happy for every example
and code snippet they can get.

The configuration hassle with HAProxy however led me to switch to nginx and
traefik in the meantime...

