
Haproxy 2.2 - dragonsh
https://www.haproxy.com/#
======
lukeqsee
HAProxy is a unique piece of software.

I’ve had the privilege to interact directly with Willy (the main developer for
many years, still the project lead) on the mailing list, in person at the
conference, and even though I’ve never paid a dime, the interaction has been
the best open-source experience I’ve ever had. Willy routinely writes multi-paragraph responses on the mailing list to my hare-brained suggestions for how HAProxy could be better for my company’s rather unique needs.

I often feel bad that I cannot do more for the project, because it is so well
thought-through and delivered.

The software cuts no corners and delivers at fractions of the TCO of
competition (limited by my opinion and experience, of course). For instance,
just last week, I spun a rate limiting solution in half a morning, that
mitigated some annoying proxy bots instantly (and is flexible enough to
automatically block offenders without affecting legitimate users).

The stats, DNS support, integrations and many other features are second to none among load balancers.

It’s an impressive and refreshing project. We could all learn something from
HAProxy and the team.
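An added example, not from lukeqsee's post or from the HAProxy project, of the kind of rate limiting described above: a stick table counts requests per source address, and a second table remembers addresses that went over the limit so they keep being refused for a while without touching anyone else. Every address, name, path and threshold below is an assumption chosen for illustration.

```haproxy
# Added example (not from the original post or the HAProxy project).
# Per-source-IP request rate limiting with a second table that remembers
# offenders. All names, thresholds and addresses are illustrative assumptions.

global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Table 1: requests per source IP over a 10-second sliding window.
# A backend with no servers is the usual place to declare a shared table.
backend st_rate
    stick-table type ip size 100k expire 60s store http_req_rate(10s)

# Table 2: offender flag. gpc0 > 0 means "blocked". The entry, and with it the
# block, lasts 10 minutes after the offender's last request, because every
# tracked request refreshes the entry.
backend st_abuse
    stick-table type ip size 100k expire 10m store gpc0

frontend fe_web
    bind :80

    # Networks that are never limited (monitoring, your own tooling). Assumed.
    acl trusted src 10.0.0.0/8 127.0.0.1

    # Track the client address in both tables: sc0 -> rate, sc1 -> abuse flag.
    # "src" is right only when clients connect directly. Behind another proxy
    # or an AWS ALB, key on the address that proxy appended, e.g.
    # req.hdr_ip(X-Forwarded-For,-1), and only when src is that proxy.
    http-request track-sc0 src table st_rate  if !trusted
    http-request track-sc1 src table st_abuse if !trusted

    acl abuser     sc1_get_gpc0 gt 0
    acl over_limit sc0_http_req_rate gt 20

    # First violation: mark the address in the abuse table.
    http-request sc-inc-gpc0(1) if over_limit !abuser !trusted

    # Marked, or over the limit right now: refuse before the request reaches
    # any server. Clients on other addresses are not affected at all.
    http-request deny deny_status 429 if abuser || over_limit

    default_backend be_app

backend be_app
    server app1 10.0.2.10:8080 check
    server app2 10.0.2.11:8080 check
```

Untracked (trusted) clients have no sc0/sc1 entry, so both ACLs are false for them. The tables can be inspected live with `show table st_abuse` on the stats socket, and a wrongly blocked address is released with `clear table st_abuse key <ip>`.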

~~~
apple4ever
Why do you choose HAProxy over Nginx?

It sounds like you love it, and I have had no experience with HAProxy. So
I'm curious about the reasons you love it.

(Just to be clear this is a sincere question to learn since tone is hard to
express clearly with text.)

~~~
lukeqsee
As a load balancer, NGINX is subpar in almost every feature comparison,
especially at the open-source (free to use) tier.

HAProxy gives you the following that are musts for load balancing (in my
opinion), that NGINX does not, at least not easily:

1) An HTML (or JSON) stats page that precisely and completely tells you what’s
going on at a high-level. A visit to this during outages is often all that’s
required.

2) Support for DNS (and other) discovery mechanisms in a flexible way. (This
is paid in NGINX)

3) Active health checks (also paid in NGINX)

4) The ACL system, while somewhat difficult to learn, is amazingly powerful.

5) Flexible L7 retries are brilliant.

We replaced NGINX with HAProxy and eliminated a whole class of bugs, micro-
outages, and annoyances just by following HAProxy’s best practices.

I still use NGINX when I need a static web file server, though. :)
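An added example, not from lukeqsee's post or from the HAProxy project, that puts the five items of the list above into one configuration: a stats page on its own listener, a resolvers section feeding server templates, active HTTP health checks in the 2.2 `http-check send` syntax, a couple of ACLs, and L7 retries. Addresses, host names, credentials and paths are assumptions.

```haproxy
# Added example (not from the original post or the HAProxy project) showing the
# five items above in one configuration. Addresses, names and paths are assumed.

global
    log stdout format raw local0
    stats socket /var/run/haproxy/admin.sock mode 600 level admin

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) Stats page. Keep it off the public frontend: own listener, private address,
#    credentials. Append ";json" to the URI for the JSON form; "show stat json"
#    on the admin socket gives the same data.
listen stats
    bind 10.0.1.10:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth ops:change-me-before-deploying

# 2) DNS discovery: resolvers section used by the backends below.
resolvers internal_dns
    nameserver ns1 10.0.0.2:53
    accepted_payload_size 8192
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s
    hold nx         30s

frontend fe_web
    bind :80

    # 4) ACLs: route by path, and fence off an internal prefix by source network.
    acl is_api      path_beg /api/
    acl is_internal path_beg /internal/
    acl from_office src 10.0.0.0/8
    http-request deny deny_status 403 if is_internal !from_office

    use_backend be_api if is_api
    default_backend be_web

backend be_web
    balance roundrobin
    # 3) Active health checks: HAProxy probes every server on its own schedule
    #    and takes failing ones out of rotation before a client notices.
    option httpchk
    http-check send meth GET uri /healthz ver HTTP/1.1 hdr Host web.example.internal
    http-check expect status 200
    default-server inter 3s fall 3 rise 2
    # Up to 10 server slots filled from the A records of web.example.internal at
    # runtime; slots without an address stay down until DNS provides one.
    server-template web 10 web.example.internal:8080 check resolvers internal_dns init-addr none

backend be_api
    option httpchk
    http-check send meth GET uri /healthz ver HTTP/1.1 hdr Host api.example.internal
    http-check expect status 200
    # 5) L7 retries: re-send a request to another server when the first one
    #    fails before producing a response. Only safe for requests the
    #    application can replay, so non-idempotent methods are excluded here.
    retries 3
    retry-on conn-failure empty-response response-timeout 503
    option redispatch
    http-request disable-l7-retry if METH_POST
    server-template api 5 api.example.internal:8080 check resolvers internal_dns init-addr none
```

Two things worth checking before copying this: `retry-on` with anything beyond `conn-failure` buffers the whole request so it can be replayed, which costs memory per in-flight request, and without the `disable-l7-retry` line a POST that timed out on one server would be sent again to another.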

~~~
raghava
HAProxy - traffic shaping { load-balancing, req-throttling, health-checks }

nginx - { static file serving, good proxy for python/ruby apps, req
manipulation with advanced scripting capabilities via lua engine through open-
resty [mirroring, WAF(naxsi), url rewriting etc] }

A combo of haproxy + nginx would always bring good delight for many
practitioners.

~~~
wtarreau
This is actually what I often recommend and often encounter in the field: haproxy
for LB, varnish serving as a smart cache, and nginx for the
applications+static file serving.

All 3 components are free, combine extremely well because they've grown
together, and are extremely efficient. This is important in virtualised or
containerized environments where you want to save resources to minimize
response time and leave the CPU for the applications.

Of course each of them can do a little bit of the other ones' job. This is
fine, it allows easier initial deployments, but as your site grows, whichever
you initially start with, you'll always end up installing the two other ones
to constitute the most robust stack ever. And it's easy to insert one next to
the others without having to break everything, which further adds to the fun.

~~~
lukeqsee
Yes. We use all three at different points of the stack for different purposes.

It's great.

------
aduitsis
Haproxy is such a nice piece of software, sensible configuration, very stable
and versatile. And, one thing that is highly appreciated, I've never seen it
do something I wasn't expecting it to. This quality of minimal surprises in
its operation isn't going unnoticed by any measure.

~~~
closeparen
Has it solved the reloading problem yet?

~~~
rbjorklin
Yup, [https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/](https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/)

------
jontro
Here is the announcement blogpost [https://www.haproxy.com/blog/announcing-haproxy-2-2/](https://www.haproxy.com/blog/announcing-haproxy-2-2/)

------
js4ever
Finally full SSL certs management at runtime through the API is here! No need
to restart Haproxy anymore to add or update a cert! Brilliant, thanks!

~~~
kitotik
FWIW the ability to send a SIGUSR2 to reload certs has been there for awhile.
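An added example, not from any of the posts above or from the HAProxy project, covering the two things this sub-thread touches: the hitless reload (master-worker mode plus a socket that hands listeners to the new workers) and replacing a certificate through the runtime API without any reload at all. Paths, names and the host name in the certificate are assumptions; the runtime API command names are the ones documented for 2.1 (`set`/`commit ssl cert`) and 2.2 (`new ssl cert`, `add ssl crt-list`).

```haproxy
# Added example (not from the original posts or the HAProxy project): one admin
# socket used both for hitless reloads and for runtime certificate updates.
# Paths and names are assumed.

global
    master-worker
    pidfile /var/run/haproxy/master.pid
    # level admin: this socket can swap certificates and change server state,
    # so nothing but the operator account may reach it (mode 600, owner).
    # expose-fd listeners: the new workers inherit the listening sockets on
    # reload, so no connection is refused in between.
    stats socket /var/run/haproxy/admin.sock mode 600 user haproxy level admin expose-fd listeners

frontend fe_tls
    mode http
    bind :443 ssl crt-list /etc/haproxy/certs.list strict-sni
    default_backend be_app

backend be_app
    mode http
    server app1 10.0.2.10:8080 check

# Hitless reload: validate the new file first, then signal the master. In
# master-worker mode the master hands the listeners to the new workers through
# the socket above (the stock systemd unit does the same with
# "ExecReload=/bin/kill -USR2 $MAINPID"):
#   haproxy -c -f /etc/haproxy/haproxy.cfg && kill -USR2 "$(cat /var/run/haproxy/master.pid)"
#
# Replacing a certificate with no reload at all. The payload is the usual
# HAProxy PEM bundle (private key, certificate, chain in one file) sent in the
# CLI's "<<" multi-line form, terminated by an empty line:
#   printf 'set ssl cert /etc/haproxy/certs/example.com.pem <<\n%s\n\n' "$(cat new.pem)" \
#       | socat stdio unix-connect:/var/run/haproxy/admin.sock
#   echo "commit ssl cert /etc/haproxy/certs/example.com.pem" | socat stdio unix-connect:/var/run/haproxy/admin.sock
#   echo "show ssl cert /etc/haproxy/certs/example.com.pem"   | socat stdio unix-connect:/var/run/haproxy/admin.sock
#
# A certificate that was not loaded at startup is first declared with
#   new ssl cert /etc/haproxy/certs/newsite.pem
# then filled with set/commit as above, then attached to the list with
#   add ssl crt-list /etc/haproxy/certs.list /etc/haproxy/certs/newsite.pem
```

The swap only affects new handshakes; sessions already established keep their old parameters. The runtime API does not write anything to disk, so the file under `/etc/haproxy/certs/` must be updated separately or the next reload (or restart) reverts to the old certificate.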

------
leehampton
I love HA Proxy, but one thing I'm confused about is why the http-tunnel
feature was removed in this release (and deprecated in earlier 2.x releases).
http-tunnel allowed you to start a session with an HTTP request/response, then
keep the socket to the backend alive without further inspection of the
protocol.

This is useful for things like RTSP where you kick things off with HTTP but
then stream lower level TCP content over the same socket. There are also lots
of other custom protocols that benefit from this type of set up, including one
that I'm working on wrangling HA Proxy to work with now.

Does anyone know if there's some replacement way to handle this in HA Proxy
that I'm overlooking?

~~~
thayne
> why the http-tunnel feature was removed in this release

From the haproxy 2.0 documentation:

> This mode should not be used as it creates lots of trouble with logging and
> HTTP processing. And because it cannot work in HTTP/2, this option is
> deprecated and it is only supported on legacy HTTP frontends. In HTX, it is
> ignored and a warning is emitted during HAProxy startup.

As for a way to handle this, I believe if you are using an HTTP CONNECT or a
websocket (Connection: Upgrade), then haproxy will detect that it is a tunnel,
and handle that correctly. If that's not the case, you might be able to use
haproxy in tcp mode.
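An added example, not from the posts above or from the HAProxy project, of the two options thayne describes: an HTTP frontend where an Upgrade handshake is turned into a tunnel by the HTTP engine itself, and a TCP-mode frontend for a protocol whose first message is a real HTTP request and whose later traffic is raw bytes on the same connection. Ports, addresses and backend names are assumptions.

```haproxy
# Added example (not from the original posts or the HAProxy project): the two
# ways to carry a stream that is not plain HTTP. Ports and names are assumed.

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Once a connection has become a tunnel, the client and server timeouts no
    # longer apply and this one does. Without it, an idle stream is cut after
    # the 30s above. In tcp mode it applies as soon as content rules are done.
    timeout tunnel  1h

# HTTP frontend: a WebSocket Upgrade or a CONNECT is recognised by the HTTP
# engine and the connection is switched to a tunnel after the 101/200 response.
# Nothing has to replace "option http-tunnel" for this case.
frontend fe_http
    mode http
    bind :80
    option httplog
    acl is_ws req.hdr(Upgrade) -i websocket
    use_backend be_ws if is_ws
    default_backend be_app

backend be_app
    mode http
    server app1 10.0.2.10:8080 check

backend be_ws
    mode http
    server ws1 10.0.2.20:8081 check

# Protocol that starts with an HTTP request and then goes raw on the same
# socket: tcp mode. The first bytes may be inspected to pick a route or to
# reject junk, but nothing is parsed once the connection is accepted.
frontend fe_custom
    mode tcp
    bind :9000
    option tcplog
    # Wait up to 2s for the first bytes and accept only if they parse as an
    # HTTP request line; anything else (port scans, wrong protocol) is dropped.
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    tcp-request content reject
    default_backend be_custom

backend be_custom
    mode tcp
    server c1 10.0.2.30:9000 check
```

The price of the tcp-mode frontend is the one the 2.0 documentation hints at: the log line records a connection, not a request, and none of the `http-request` rules apply. If the handshake is the only thing worth filtering, the `inspect-delay` block above is the place to do it.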

~~~
thedanbob
There is a bug in 2.2 which prevents websockets (and other tunneling
protocols?) from working[0]. Maybe what the OP is running into.

[0]
[https://github.com/haproxy/haproxy/issues/737](https://github.com/haproxy/haproxy/issues/737)

------
therockspush
Seeing a lot of love for Willy, the main developer for years, on here. I've
dabbled in HAProxy, definitely a lovable product.

Looked up Willy on LinkedIn,"DO NOT SEND ME F __CKING INVITES IF WE HAVE NOT
WORKED TOGETHER! "

No F __cking around with this guy.

------
snvzz
It's amazing how much better the .org site is over the .com.

~~~
rumanator
Isn't it the other way around? Haproxy.org is not responsive and looks like it
was designed in the 90s.

~~~
zokier
> looks like it was designed in the 90s.

I think plenty of HNers will see that as a positive aspect.

~~~
rumanator
I understand the nostalgia or liking the retro look, but the site is
completely unreadable on mobile. There is absolutely no redeeming quality in
that.

Claiming that an unreadable version of a site is better than a readable one is
simply wrong.

~~~
somehnguy
In my opinion a site like this working perfectly on mobile is in the 'who
cares' category. Almost nobody is going to haproxy.org on their smartphone
with any intention of actually doing anything with the software. Almost nobody
is installing or configuring haproxy from mobile.

It's information dense, which is much appreciated on desktop. The .com looks
like every other generic 'look at our product!' site, and to actually do
anything you have to sort through 5 different dropdowns and other UI items
designed to grab your attention.

When I have to install or configure the software I want the .org, 100%.

~~~
rumanator
> Almost nobody is going to haproxy.org on their smartphone with any intention
> of actually doing anything with the software.

This is where you get it entirely wrong. I read this news and I, as an
extensive nginx/traffic user, wanted to check out haproxy to understand if it
was worth a shot. The .org page is plagued with general usability and
readability problems to the point that it's practically unreadable when
compared with the page served through the .com domain. There is no way around
it.

You don't fix problems by turning a blind eye and playing the denying card.
More importantly, this sort of technical snafu helps form the public image
of the product, and thus this sort of poor performance reflects poorly on the
product.

~~~
somehnguy
If you were actually serious about it you would just mentally note it and
revisit when you were on a more capable device. Perusing for replacement
infrastructure software via mobile is just a casual thing, and foolish if
you're actually trying to get anything done.

Nobody is swapping out any tech via their mobile browser impression. All this
is pretty complicated software and you're going to want to do a lot of
reading/inspection before making decisions like that. That is not done via a
5" display.

I stand with my view that there is no problem to fix here. The site is clear &
understandable to anyone who seriously plans on using it or is using it.

------
netcraft
Slightly OT, we have several different kinds of services that need rate
limiting, written in different stacks. We would like to have one solution for
rate limiting, ideally that we could put in front of any service, that was
light weight, but also could work with AWS target groups that are already
splitting traffic across nodes inside a service - so I believe that means some
sort of clustered solution or at least communication. Is haproxy a good fit
for this? Maybe nginx (paid)?

~~~
social_quotient
We use HAproxy for similar reasons you describe if I’m understanding
correctly.

As one of the other posts kinda suggested you can get a ton done with a few
hours, it might be worth just standing up a box real quick and trying it out.
As a note, when we try stuff like this we put it behind an AWS LB so we can push
partial traffic to our experiment and aren’t betting the farm whilst testing
in prod.

Good luck!
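An added example, not from netcraft's or social_quotient's posts or from the HAProxy project, of what the clustered part of the question looks like in practice: several HAProxy nodes in an AWS target group sharing their rate-limit tables through a `peers` section, keyed on the client address the ALB appended rather than on the ALB's own address. Addresses, subnets, names and thresholds are assumptions.

```haproxy
# Added example (not from the original posts or the HAProxy project): the same
# kind of limit spread over several HAProxy nodes behind an AWS load balancer.
# Addresses, names and thresholds are assumed.

# Every node lists all nodes, itself included; the local entry is matched by
# host name, or by "-L lb1" on the command line. The peers link is plain TCP
# with no authentication, so keep the port inside the private subnet and the
# security group of the LB nodes only (2.0+ also accepts bind/server lines in
# this section, which allows ssl on the link).
peers lb_peers
    peer lb1 10.0.1.11:10000
    peer lb2 10.0.1.12:10000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

backend st_rate
    # "peers lb_peers" pushes every update of this table to the other nodes.
    stick-table type ip size 100k expire 60s store http_req_rate(10s) peers lb_peers

backend st_abuse
    stick-table type ip size 100k expire 10m store gpc0 peers lb_peers

frontend fe_web
    bind :80
    # Behind an ALB the TCP source is the ALB itself; the real client is the
    # last address the ALB appended to X-Forwarded-For. Earlier entries are
    # client-supplied and must never be the key. Trust the header only from
    # the ALB's subnet (assumed 10.0.1.0/24); direct connections use src.
    acl from_alb src 10.0.1.0/24
    http-request set-var(txn.client) req.hdr_ip(X-Forwarded-For,-1) if from_alb
    http-request set-var(txn.client) src if !from_alb

    http-request track-sc0 var(txn.client) table st_rate
    http-request track-sc1 var(txn.client) table st_abuse
    acl abuser     sc1_get_gpc0 gt 0
    acl over_limit sc0_http_req_rate gt 20
    http-request sc-inc-gpc0(1) if over_limit !abuser
    http-request deny deny_status 429 if abuser || over_limit
    default_backend be_app

backend be_app
    server app1 10.0.2.10:8080 check
```

One caveat a practitioner should know before trusting the numbers: peers replicate table entries, they do not add counters. When two nodes update the same key, the later update replaces the earlier one, so the shared rate is an approximation that in the worst case degrades to a per-node limit. The `gpc0` offender flag, on the other hand, survives replication exactly, which is why the block decision rests on it rather than on the rate alone.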

------
warmfusion
Haproxy is brilliant, we've used it for years as a simple mesh on all our
services, but we're considering moving to envoy as we need opentracing support
to help understand how requests flow between services.

Anyone managed to make this work on haproxy?

~~~
rogerdonut
There's an opentracing integration coming very soon! We were hoping to have it
available with the 2.2 release but there were still a few things to finalize.

------
arrty88
The only open source software better than Haproxy is redis IMHO.

~~~
stephenr
I agree that Redis is "good", I wouldn't put it at the level of HAProxy -
particularly when it comes to "what stuff is deliberately kept out of the open
source version".

If I had to choose a project/tool to put at a similar 'level' as HAProxy in
terms of: doing one thing well; a working open source project with a private
company backing it; and a well run project, I'd say it's Varnish, which just
happens to pair very well with HAProxy.

------
sillysaurusx
Haproxy isn’t quite as fast as iptables (we switched because of this) but it
was delightful to configure. The tradeoff is definitely worth it in most
cases.

~~~
enitihas
Just curious, what were you doing where you needed the performance of iptables
over haproxy?

~~~
sillysaurusx
We forward a cluster of 2,560 TPU pod cores from our GCE project to other GCE
projects in europe-west4-a. Originally it was because we had a separate GCE
project with a bunch of credits, but that project had no access to TPUs. The
question was, could we still take advantage of the credits? It turns out, we
could; the solution involved VPC Network Peering, which I later learned is how
the TPUs themselves work. Some configuration details are here:
[https://www.shawwn.com/swarm#iptables](https://www.shawwn.com/swarm#iptables)

Nowadays we forward the TPU pods to pretty much anyone who wants to try them
out, in hopes of getting more people involved in the TPU programming scene.
The TPUs are managed via a website
([https://www.tensorfork.com/tpus](https://www.tensorfork.com/tpus)) and we
coordinate TPU access via spreadsheet. Each researcher has their own GCE
project, and we simply flip a switch to give them access.

If anyone reading this happens to be into ML and into programming for big
hardware rigs, feel free to hop into the Tensorfork discord server and we can
show you the ropes. [https://github.com/shawwn/tpunicorn#ml-community](https://github.com/shawwn/tpunicorn#ml-community)

