HAProxy

Load balancer, WAF, Usage Rate Limiter...

HAProxy is well known as "The Reliable, High Performance TCP/HTTP Load Balancer". It is the central piece of our cloud and we've managed to use it for much more than just load balancing.

HEALTH MONITORING

Periodically checking operational status of backend servers. In case some server is not responding correctly HAProxy transfers all load to other servers in that group.

LOAD BALANCING

For certain parts of the application we wanted an option for horizontal scaling (using multiple backend PHP and NodeJS servers sharing the load that can get too high for a single server or for better performance reasons). "Vertical scaling" is often easier to set up, but has harder limits & often exponentially higher pricing. Live LB demo

SSL TERMINATION POINT

SSL certs are issued from Let's Encrypt and used by HAproxy serving as a SSL termination point. This helps us move apps among backend servers without additional care for certs.
We have the option to create wildcard (*.domain) cert when DNS on Cloudflare.

WEB APPLICATION FIREWALL

Used for protection of well-known target URLs (e.g. wordpress/wp-admin, Magento/admin) that hackers and their bots often target. Additionaly, usage counter will detect potential brute-force attacks and stop them at an early stage (VideoGif Demo). Steps like this allow us to provide better secured admin area on e.g. Managed Wordpress Hosting.

USAGE RATE LIMITER

A dedicated tracker for usage by individual users with rules for abuse detection & prevention (normal user, heavy user, abuser, potential DDOS) in place before requests even hit the main application servers.

"0 DOWNTIME" MIGRATIONS

HAProxy allows us to prepare a new server (swf installation, data transfer and tests) in the background in a "production like" environment. The redirection of the load from the current production server to a new one is easy and instant (0 downtime).

REDUCING USELESS TRAFFIC by BOTS

According to HAProxy "Bots make up nearly half the traffic on the Web." (Nov 28, 2018). We want "good bots" like Google & Bing to get to a website, crawl it, index it and provide relevant search engine traffic. We do not want useless and often excessive "bots" traffic to cripple performance and worsen UX of real users.

ACL BASED BACKEND SERVER TARGETING

HAproxy running in http mode gives us the ability to define different backend servers based on:
  • Root domain (e.g. klik-mall.com)
  • Sub domain (e.g. demo.klik-mall.com)
  • even URL parameters e.g. we can route "/admin" backend to different set of servers if needed. Sort of a "horizontal scaling or using more suitable servers for different parts of app. based on URL params" like /erp, /shop, /cart, /blog etc.

See below in CDN storage how this helps us get better solutions.

COMPRESSION, ENCRYPTION,...

HAproxy also provides:
  • SSL encryption for https traffic
  • HTML compression
  • HTTP/2
A single point of setup for all backend webpages + offloading main app. servers of these tasks. HAProxy is generally a single-threaded process for its routing, but can benefit on tasks like these from multiple cores.

ACCESS LOGS

All http/https requests come through HAProxy and that makes it a bit easier for overall monitoring.

 

DEMO: HAproxy is Load balancing, Monitoring usage rate and Blacklisting due to abuse of usage

In the demo you can see a screen recording of a real setup and a webpage that shows status of load balancing traffic among 3 servers.

  1. A "cloud formation" of a firewall passing traffic to HAProxy that acts as a load balancer.
  2. 3 backend servers that are taking the load in Round robin mode (load balancer passes each new request to the next server in line).
  3. Demo is simulating users's clicks by triggering auto-reloading the page 0.3sec after page is loaded. (A user with that many clicks at that speed is clearly not interested in content and is likely a bot or someone constantly refreshing the page creating unnecessary load).
  4. During these clicks HAProxy is constantly monitoring usage rate which is displayed as the legend in form of personas (Normal user, Heavy user, Abuser, Potential DDOS, Blacklist level). Persona groups are defined based on usage levels measured in NumberOfRequests/PeriodOfTime e.g. 20 Reqs/10 sec.
  5. When a user reaches the point of being flagged as "Blacklisted", the requests are not passes to backend servers anymore. At that point he is fronted with a "Stop sign".
  6. Users's further requests are blocked at HAProxy for a defined period of time (e.g. 15min, 1h, 24h etc.).

Links / Sources

Povezane vsebine

 
How we optimized our Private Cloud to provide high performance webhosting on a PHP / LEMP stack (14.08.2020)
HAProxy, WAF, LEMP, mySQL, Redis, CDN, ZFS, NodeJS


 
Toast message
Toast-Top message