HAProxy
Load balancer, WAF, Usage Rate Limiter...
HAProxy is well known as "The Reliable, High Performance TCP/HTTP Load Balancer". It is the central piece of our cloud and we've managed to use it for much more than just load balancing.
HEALTH MONITORING
HAProxy periodically checks the operational status of backend servers. If a server is not responding correctly, HAProxy transfers all load to the other servers in that group.
LOAD BALANCING
For certain parts of the application we wanted an option for horizontal scaling (using multiple backend PHP and NodeJS servers sharing the load that can get too high for a single server or for better performance reasons). "Vertical scaling" is often easier to set up, but has harder limits & often exponentially higher pricing. Live LB demo
SSL TERMINATION POINT
SSL certs are issued by Let's Encrypt and used by HAProxy, which serves as an SSL termination point. This lets us move apps among backend servers without additional care for certs.
We have the option to create a wildcard (*.domain) cert when the DNS is on Cloudflare.
WEB APPLICATION FIREWALL
Used to protect well-known URLs (e.g. wordpress/wp-admin, Magento/admin) that hackers and their bots often target. Additionally, a usage counter detects potential brute-force attacks and stops them at an early stage (VideoGif Demo). Steps like this allow us to provide a better-secured admin area on e.g. Managed Wordpress Hosting.
USAGE RATE LIMITER
A dedicated tracker for usage by individual users with rules for abuse detection & prevention (normal user, heavy user, abuser, potential DDOS) in place before requests even hit the main application servers.
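The brute-force counter and the usage tiers described in the WEB APPLICATION FIREWALL and USAGE RATE LIMITER sections can be expressed with HAProxy stick tables, as sketched below. This is an added illustration, not the configuration used on this platform; the proxy and table names, certificate path, backend address and all thresholds are assumptions.

```haproxy
# Added example: names, paths, addresses and thresholds are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Table only: login POSTs per source IP, measured over 1 minute
backend st_login
    stick-table type ip size 100k expire 10m store http_req_rate(1m)

frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/    # placeholder certificate directory
    # Overall request rate per source IP, measured over 10 seconds
    stick-table type ip size 200k expire 10m store http_req_rate(10s)
    http-request track-sc0 src

    # Well-known admin/login URLs (WordPress, Magento)
    acl admin_url   path_beg -i /wp-login.php /wp-admin /admin
    acl is_post     method POST
    # Only login POSTs feed the brute-force counter
    http-request track-sc1 src table st_login if admin_url is_post
    acl brute_force sc_http_req_rate(1) gt 10
    http-request deny deny_status 429 if admin_url brute_force

    # Usage tiers: normal -> heavy -> abuser -> potential DDoS
    acl heavy   sc_http_req_rate(0) gt 50
    acl abuser  sc_http_req_rate(0) gt 200
    acl flood   sc_http_req_rate(0) gt 1000
    http-request silent-drop            if flood
    http-request deny deny_status 429   if abuser
    # Heavy users are still served, but tagged for the application and logs
    http-request set-header X-Usage-Tier heavy if heavy
    default_backend be_app

backend be_app
    server app1 192.0.2.10:8080 check
```

Rules are evaluated in order, so the most severe tier is handled first and the request never reaches the application servers. Thresholds should be tuned from the access logs, since many users can share a single source IP behind NAT.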
"0 DOWNTIME" MIGRATIONS
HAProxy allows us to prepare a new server (swf installation, data transfer and tests) in the background in a "production like" environment. The redirection of the load from the current production server to a new one is easy and instant (0 downtime). (Blog: "0 downtime migration" after development of FullPageCache with NGINX. Case: Wordpress/Slovenia-Trips.com)
REDUCING USELESS TRAFFIC by BOTS
According to HAProxy, "Bots make up nearly half the traffic on the Web." (Nov 28, 2018). We want "good bots" like Google & Bing to get to a website, crawl it, index it and provide relevant search engine traffic. We do not want useless and often excessive bot traffic to cripple performance and worsen the UX of real users.
ACL BASED BACKEND SERVER TARGETING
- Root domain (e.g. klik-mall.com)
- Sub domain (e.g. demo.klik-mall.com)
- even URL parameters, e.g. we can route the "/admin" backend to a different set of servers if needed. This is a sort of "horizontal scaling", or using more suitable servers for different parts of the app based on URL params like /erp, /shop, /cart, /blog etc.
See below in CDN storage how this helps us get better solutions.
COMPRESSION, ENCRYPTION,...
- SSL encryption for https traffic
- HTML compression
- HTTP/2
ACCESS LOGS
All HTTP/HTTPS requests come through HAProxy, which makes overall monitoring a bit easier.