
HAProxy 2.0 - guthriej
https://www.haproxy.com/blog/haproxy-2-0-and-beyond/
======
johnramsden
I've always used Nginx as a proxy, but I've seen HAProxy mentioned, what are
some of the benefits of using HAProxy over nginx as a proxy or load balancer?

~~~
nickramirez
What open-source NGINX lacks that open-source HAProxy has:

* ACL rules with full support for logical if statements [1]

* active health checks

* end-to-end HTTP/2 [2]

* Robust logging or a dashboard with metrics

* The ability to read env variables

* session stickiness

* DNS service discovery [3]

These are just things I'm aware of, there could be a lot more.

HAProxy has shown itself to perform better for certain users such as
Booking.com [4]

[1] https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/

[2] https://trac.nginx.org/nginx/ticket/923

[3] https://danielparker.me/haproxy/nginx/comparison/nginx-vs-haproxy

[4] https://events.static.linuxfound.org/sites/events/files/slides/DLB-LinuxConf-Berlin.pdf#page=18&zoom=auto,-104,619
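To make the feature list above concrete, here is an added haproxy.cfg (my own example, not code from the post or from the HAProxy project) that exercises each item in one place: ACLs combined with and/or/not, active health checks, values read from environment variables, cookie-based session stickiness, and DNS (SRV) service discovery via server-template. The hostnames, addresses, the `_api._tcp.service.internal` SRV name, the `/healthz` path and the `X-Api-Key` header are all assumed for illustration.

```haproxy
global
    log stdout format raw local0
    # Environment variables are expanded anywhere in the configuration as
    # "${NAME}"; presetenv supplies a default only when NAME is not exported.
    presetenv WEB_PORT 8080
    presetenv ADMIN_NET 10.0.0.0/8

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

resolvers internal
    # DNS service discovery: records are re-resolved on a timer, so backend
    # instances can come and go without reloading HAProxy. (Assumed resolver.)
    nameserver dns1 10.0.0.53:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s
    hold valid 10s

frontend fe_web
    bind :80
    # ACLs are named predicates. Conditions combine them with an implicit
    # "and" (juxtaposition), an explicit "or", and "!" for negation.
    acl is_admin_path  path_beg /admin
    acl from_admin_net src "${ADMIN_NET}"
    acl is_api         path_beg /api/
    acl is_websocket   hdr(Upgrade) -i websocket
    acl has_api_key    req.hdr(X-Api-Key) -m found

    # Admin paths are reachable only from the admin network.
    http-request deny deny_status 403 if is_admin_path !from_admin_net
    # API calls must carry a key, except websocket upgrades.
    http-request deny deny_status 401 if is_api !has_api_key !is_websocket

    use_backend be_api if is_api or is_websocket
    default_backend be_web

backend be_api
    balance leastconn
    # Active health check: HAProxy probes /healthz on its own schedule and
    # takes a server out of rotation after 3 failures, back in after 2 passes.
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ api.internal
    http-check expect rstatus ^(2|3)[0-9]{2}$
    # server-template creates 5 server slots that are filled from the SRV
    # record through the resolvers section; unfilled slots stay out of rotation.
    server-template api 5 _api._tcp.service.internal resolvers internal check inter 2s fall 3 rise 2

backend be_web
    balance roundrobin
    # Session stickiness by cookie: the chosen server name is written into
    # SRVID. "indirect" strips it before forwarding, "nocache" keeps the
    # response out of shared caches, "httponly" keeps the cookie away from
    # scripts (add "secure" once this frontend terminates TLS).
    cookie SRVID insert indirect nocache httponly
    option httpchk GET /healthz
    server web1 10.0.1.11:"${WEB_PORT}" check cookie web1
    server web2 10.0.1.12:"${WEB_PORT}" check cookie web2
```

`haproxy -c -f haproxy.cfg` validates the file without starting the proxy; with the resolvers section present it will not fail if DNS is unreachable, the api slots simply stay empty until a lookup succeeds.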

~~~
platform
WRT > end-to-end HTTP/2 [2]

I think this is supported.

We are using NGINX with its core Stream module to receive HTTP/2 encrypted
traffic, and load-balance it (with random or least_conn algorithms) to each
of our backends.

Traffic stays encrypted end-to-end, and it remains HTTP/2 (because the Stream
module works at the TCP level, not HTTP, so it does not care whether HTTP/2 or
HTTP/1 is used).

It seems that in the ticket [2] that you mentioned, the commenter at the end
is asking exactly for this. And that works well.

It is often called a 'pass-through proxy'. The article here explains how to
set it up:

https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru

We lose information about the web browser's IP address at our backend. For
privacy-enforcement reasons, we actually do not want to have it at our
terminating points (our backend APIs). And also, if we ever need it, I think
this can be enabled with the proxy protocol.

~~~
nickramirez
HAProxy can proxy HTTP/2 at Layer 4 or at Layer 7, to get all the HTTP message
data and perform routing based on that, etc.

~~~
platform
Thx. Yes, NGINX will not be able to balance HTTP/2 traffic based on HTTP
headers. But HAProxy 2.0 can.

In our case, we are not decrypting at the load balancer, so we cannot see the
HTTP headers anyway. Instead we use NGINX to load-balance based on TCP-level
info.
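The pass-through setup described in this sub-thread (TLS stays encrypted end to end, routing happens on TCP-level information, and the client address is either deliberately dropped or carried by the PROXY protocol) looks like this in HAProxy. This is an added example of mine, not configuration from the commenters or the HAProxy project; the hostnames and backend addresses are assumed.

```haproxy
defaults
    mode tcp
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_tls_passthrough
    bind :443
    # Buffer the start of the connection (up to 5s) so the ClientHello can be
    # parsed before any routing decision is made; without this, req.ssl_sni is
    # empty on the first packet.
    tcp-request inspect-delay 5s
    acl sni_api req.ssl_sni -i api.example.com
    acl sni_web req.ssl_sni -i www.example.com
    # Accept only connections whose ClientHello names a known host. Anything
    # else (no SNI, unknown SNI, non-TLS bytes, or the delay expiring) is
    # rejected instead of falling through to a default pool.
    tcp-request content accept if sni_api or sni_web
    tcp-request content reject
    # Route on the SNI name, which travels in clear in the ClientHello; the
    # TLS session itself is never terminated or decrypted here.
    use_backend be_api_tls if sni_api
    use_backend be_web_tls if sni_web

backend be_api_tls
    balance leastconn
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the original
    # client address. The backend must be configured to expect it (an HAProxy
    # "bind ... accept-proxy", or nginx "listen 443 proxy_protocy" in a stream
    # server block); otherwise the header bytes simply corrupt the TLS stream.
    server api1 10.0.2.11:443 check send-proxy-v2
    server api2 10.0.2.12:443 check send-proxy-v2

backend be_web_tls
    balance roundrobin
    # No send-proxy here: the client address is deliberately not forwarded,
    # matching the "do not want it at the terminating point" requirement.
    server web1 10.0.3.11:443 check
    server web2 10.0.3.12:443 check
```

Because the PROXY header is trusted by the receiver without any authentication, the backends should accept it only from the load balancer's address (firewall or `bind ... accept-proxy` on an interface the clients cannot reach); otherwise any host that can open a TCP connection to them can forge the client address.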

------
crb
Thoughts on HAProxy vs. Envoy, or as the data plane for a service mesh?

~~~
matahwoosh
It definitely depends on your use case, so it's hard to tell what's better for
you. HAProxy is solid and doesn't take a long time to get started.

At the same time, some of the HAProxy 2.0 features have already been available
in Envoy and tested in production, at scale (if HAProxy provided those
features, there wouldn't be a big need for Envoy). For example, Envoy is
pretty extensible, has good performance and has good support for dynamic cert
management (including service-to-service mutual TLS).

------
ricardbejarano
PSA: if you are building your own HAProxy binaries, 2.0 replaces the confusing
Linux `TARGET`s (`linux2628` and the like) with a single target `linux-glibc`;
that name may be even more confusing, as that's the target you need to build
HAProxy even if you are using musl instead of glibc.

~~~
wtarreau
If you're seeing good support for musl, I'd be interested in receiving a patch
to add it as another combination. I prefer to keep the libc apart from the
kernel (the mistake we made long ago was to mix them) so that we don't have
issues anymore when building on other libcs. For example getaddrinfo tends to
be bogus on uClibc and must not be enabled there. And threads do not work on
dietlibc if I remember well.

~~~
ricardbejarano
My experience with HAProxy is limited to maintaining
[https://github.com/ricardbejarano/haproxy](https://github.com/ricardbejarano/haproxy),
a HAProxy Docker image, which has both glibc and musl variants.

I haven't used HAProxy in any environments other than testing, but as far as I
can tell both variants behave equally. In fact, haproxy.cfg for both images is
the same, they only differ in their build flags.

~~~
wtarreau
Oh yes absolutely! For example last time I checked libmusl, you didn't need
-lrt, -ldl, -lcrypt nor a few others which I forgot about. It just provides
empty stubs for those so that you can use the same build options as you
regularly use with glibc. However for me threads were not supported (it was on
a MIPS, lacking some 64-bit atomic ops haproxy relies on). So I'd be tempted
to suggest having less options by default with musl since it's mostly aimed at
embedded systems, and leaving it to users to choose if they want to enable
more or not.

Correction: this requires to add -latomic there (just tested). I should
mention this in the INSTALL file.

------
synack
This is a list of nearly every feature I've ever wanted from haproxy. Truly
wonderful work!

~~~
kawsper
Same here, except for a Consul integration, so we didn't have to rely on SRV-
records, but I guess you can't have everything :)

~~~
nickramirez
With the Data Plane API, expect to see tighter integration with Consul. For
now, there is this integration:
https://www.haproxy.com/blog/building-a-service-mesh-with-haproxy-and-consul/

------
no_wizard
The conversation in this thread has made me wonder after reading it if anyone
uses Apache2 as their webserver anymore.

Edit: seems many still do! I thought it was dying slowly as php popularity was
going down.

~~~
aduitsis
What conversation?

Been using apache2 for like 20+ years now. It is doable to switch to something
else, but would probably require effort with various details, etc. It works
well for our moderate loads, so not really urgent to change it.

~~~
no_wizard
No one up till this point ever mentioned using HAProxy with Apache

~~~
stephenr
The conversation has mostly been about NGinx vs HAProxy, at the balancer
level, has it not?

------
thecodemonkey
Proper Layer 7 retrying is huge. I’ve been waiting for this for a while.
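For anyone wanting to see what the Layer 7 retries look like in practice, here is an added haproxy.cfg fragment (my example, not from the commenter or the project) using the 2.0 `retry-on` directive together with the guard a practitioner needs: a replayed request duplicates its side effects, so L7 retries are disabled for non-idempotent methods and only connection failures (where the request never reached a server) are retried for them. The backend addresses and the `/healthz` path are assumed.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # retries counts attempts; option redispatch lets a retry pick another
    # server instead of hammering the one that just failed.
    retries 3
    option redispatch
    # L7 retries (new in 2.0): also retry on these response-level conditions,
    # not only on a failed TCP connect.
    retry-on conn-failure empty-response junk-response response-timeout 503

backend be_api
    balance leastconn
    # HAProxy can only replay a request it still holds in its buffer, and a
    # replay duplicates side effects. Keep L7 retries for safe methods and
    # switch them off for non-idempotent ones; after disable-l7-retry only a
    # connection failure is retried for those requests.
    acl unsafe_method method POST PATCH
    http-request disable-l7-retry if unsafe_method
    option httpchk GET /healthz
    server api1 10.0.2.11:8080 check
    server api2 10.0.2.12:8080 check
```

If an API uses idempotency keys on POST, the ACL can be narrowed to requests lacking that header so those can be retried safely as well.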

------
morrbo
Is the v1 config backwards compatible with this? I can't see it mentioned
anywhere so assume you can just upgrade in place?

~~~
TimWolla
Apart from a few new warnings for long-deprecated options it is compatible.
HAProxy 2.0 is not a major version. Willy apparently just dislikes two-digit
versions in the second place.

~~~
wtarreau
Exactly, I want directory listings to remain alphanumerically ordered, not
like when you want to download Git and end up believing 2.9 is the latest one
:-)

------
exabrial
Now that HaProxy uses HTX internally to quickly represent header flags, I wish
they'd add that to their "Proxy Protocol". Back in the day, Apache/Tomcat used
AJP to transmit parsed HTTP state to backend servers to avoid the re-parsing
overhead.

------
snvzz
email version of the announcement:
https://www.mail-archive.com/haproxy@formilux.org/msg34215.html

------
johnchristopher
Some months ago I decided to move every little thing running on some VPS to
docker (so I could move those apps at will and have apps with incompatible
dependencies running on the same VPS).

I looked into Haproxy, set a bunch of rules and fell into static IP management
hell. Then I tried Traefik mainly because of the HTTPS auto-renewal feature
but the ability to tag docker containers with DNS regex (so traefik knows how
to reverse proxy traffic) is a god send.

Is there something like that in HaProxy 2.0 (HTTPS auto-renewal and container
tagging) ?

~~~
theturtletalks
I would check out
[https://github.com/caprover/caprover](https://github.com/caprover/caprover).
You can run multiple apps on 1 VPS and HTTPS renewal is automatic.

------
zeeZ
If I were to use it as a k8s ingress, how would I do OCSP stapling? nginx does
that for you, but with haproxy you've always had to hack something together to
add a .ocsp file (which has to exist at startup) and reload externally.

I also see no option for client certificate auth or TLS versions and cipher
suites in the repo.

I guess it's still better to handle TLS outside of haproxy.

~~~
wtarreau
Strange that you see no option for client certs because that has been
supported from day one. In addition we even support SNI-based client auth even
with wildcard certs. Same for TLS versions and cipher suites.

Further, just look at [https://istlsfastyet.com/](https://istlsfastyet.com/)
and you'll see that haproxy, H2O and nghttpx are the only 3 implementations
checking everything (and haproxy was the one inventing dynamic record sizing).

So it seems your opinion on haproxy's TLS support is not that spread!
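The knobs wtarreau refers to (client certificate auth, per-SNI verification through a crt-list, TLS version floor, cipher suites) plus the OCSP file and end-to-end HTTP/2 from earlier in the thread, written out as an added haproxy.cfg of mine rather than anything from the commenters or the project. Whether the Kubernetes ingress controller exposes these is a separate question the example does not answer. Certificate paths, hostnames, backend addresses and the `X-Client-CN` header name are assumed.

```haproxy
global
    # Runtime API socket: an OCSP response can be pushed here at runtime with
    # "set ssl ocsp-response", so refreshing the staple does not need a reload.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    tune.ssl.default-dh-param 2048
    # Protocol floor and cipher policy inherited by every "bind ... ssl".
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Contents of /etc/haproxy/certs.list (assumed paths). A crt-list maps each
# certificate to SNI names and may override bind options per entry, which is
# how client-certificate verification is required for one hostname only:
#
#   /etc/haproxy/certs/www.example.com.pem www.example.com
#   /etc/haproxy/certs/api.example.com.pem [verify required ca-file /etc/haproxy/ca/clients.pem] api.example.com
#
# Stapling: if a DER OCSP response exists as <cert>.ocsp next to a certificate
# it is loaded at startup; later refreshes go through the socket above.

frontend fe_https
    # alpn advertises HTTP/2 to clients.
    bind :443 ssl crt-list /etc/haproxy/certs.list alpn h2,http/1.1
    # Expose the verified client identity to the backend. set-header (not
    # add-header) and the del-header branch guarantee a client-supplied
    # X-Client-CN never survives.
    acl has_client_cert ssl_c_used
    http-request set-header X-Client-CN %[ssl_c_s_dn(CN)] if has_client_cert
    http-request del-header X-Client-CN if !has_client_cert
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    use_backend be_api if { ssl_fc_sni api.example.com }
    default_backend be_web

backend be_api
    # End-to-end HTTP/2: re-encrypt to the backend, verify its certificate
    # against the internal CA, and negotiate h2 on the server side (2.0+).
    server api1 10.0.2.11:443 ssl verify required ca-file /etc/haproxy/ca/internal.pem alpn h2 check

backend be_web
    server web1 10.0.3.11:8080 check
```

With `verify required` a client without a valid certificate for api.example.com fails the handshake; `verify optional` instead lets the request through and leaves the decision to ACLs on `ssl_c_used` and `ssl_c_verify`, which is useful for mixed endpoints but must then be enforced explicitly in `http-request deny` rules.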

~~~
zeeZ
I know haproxy itself supports that and have used those features with static
configuration, but does the k8s ingress controller out of the box?

~~~
wtarreau
I don't know as I have no use for it. Just check the article, it presents some
of the things done with the ingress controller, it should answer some of your
questions I guess.

------
sansnomme
Are there any programmable HTTP proxy servers? I write a fair bit of
VM/container control software and often need to map URLs to specific entities
on the network dynamically. Never found a good programmable proxy with routing
table API and always had to hand roll.

~~~
tbrock
By programmable you mean configurable via a REST api?

~~~
sansnomme
Yes, pretty much. E.g. DigitalOcean's online SSH terminal. Programmable
routing of websockets code to backend VM.

------
xmichael999
Such a great project! I was a squid guy, then nginx and now since nginx
stopped getting new features due to the commercial edition I am switching.
Thank you developers for this amazing work!

~~~
wtarreau
To be fair to squid and nginx, they don't do the same things. Squid is mainly
a forward proxy. Nginx is mainly a web server. There's no reason for not using
them anymore for these use cases where they excel.

~~~
3xblah
I use haproxy as a forward proxy on my personal computers mainly for ability
to control SSL options, sniffing SSL traffic and to support non-SSL enabled
clients. I do not need any caching so squid seems inappropriate.

~~~
3xblah
s/non-SSL/non-SNI/

------
humbleMouse
Can HA proxy serve static files like nginx?

~~~
nickramirez
Although HAProxy is not a web server, it does have Small Object Caching so
files can be cached on the proxy:
https://www.haproxy.com/blog/whats-new-haproxy-1-8/#http-small-object-caching

------
jaytaylor
Does it have proper support for HTTP/2.0?

Last I checked, only Nginx really did it right.

~~~
stephenr
As of last April, several implementations (including HAProxy) were more
"right" than Nginx:
[https://twitter.com/tunetheweb/status/988196156697169920](https://twitter.com/tunetheweb/status/988196156697169920)

~~~
wtarreau
I never saw this classification. Since 1.9 haproxy passes 100% of the h2spec
tests.

~~~
stephenr
Nice work!

------
jrockway
Sounds like HAProxy 2.0 is Envoy. I would personally (and do) just use Envoy,
as everyone else is already using it and the bugs they've found have been
fixed.

~~~
wtarreau
This is a strange assertion. This is not envoy, it's haproxy as you've always
known it plus all the features people have been asking for recently, without
removing what makes it fast, robust, compact and flexible. From what I've seen
you can't for example use dynamic weights in envoy, protect from DDoS, perform
queuing to protect your servers, use true leastconn or weighted
hash/roundrobin, stick on arbitrary information nor synchronize it between
members of the cluster, create complex routing rules, set the source address
from headers, perform transparent proxying, etc.

These are two different projects. One was initially designed for the hostile
edge and excels here. The other one was initially designed to be used as a
side car deep into your infrastructure and excels there. There is obviously
quite some overlap between the two, sometimes with different terminology (like
"circuit breaking" in envoy that haproxy calls "timeouts" and "queue limits"),
and users demands make each of them evolve a bit in the area they are less
good (i.e. where the other one excels). But they are still quite different
beasts.

