Basic features : Proxying
Proxying is the action of transferring data between a client and a server over two independent connections. The following basic features are supported by HAProxy regarding proxying and connection management :
- Provide servers with a clean connection to protect them against any client-side defect or attack;
- Listen on multiple IP addresses and/or ports, even port ranges;
- Transparent accept : intercept traffic targeting any arbitrary IP address that doesn't even belong to the local system;
- Server port doesn't need to be related to listening port, and may even be translated by a fixed offset (useful with ranges);
- Transparent connect : spoof the client's (or any) IP address if needed when connecting to the server;
- Provide a reliable return IP address to the servers in multi-site LBs;
- Offload servers thanks to buffers and possibly short-lived connections, reducing their concurrent connection count and memory footprint;
- Optimize TCP stacks (e.g. SACK), congestion control, and reduce RTT impacts;
- Support different protocol families on both sides (e.g. IPv4/IPv6/Unix);
- Timeout enforcement : HAProxy supports multiple levels of timeouts depending on the stage the connection is in, so that a dead client or server, or an attacker, cannot be granted resources for too long;
- Protocol validation : HTTP, SSL, or payload are inspected and invalid protocol elements are rejected, unless instructed to accept them anyway;
- Policy enforcement : ensure that only what is allowed may be forwarded;
- Both incoming and outgoing connections may be limited to certain network namespaces (Linux only), making it easy to build a cross-container, multi-tenant load balancer;
- PROXY protocol presents the client's IP address to the server even for non-HTTP traffic. This is an HAProxy extension that has since been adopted by a number of third-party products, at least the following at the time of writing :
  - client : haproxy, stud, stunnel, exaproxy, ELB, squid
  - server : haproxy, stud, postfix, exim, nginx, squid, node.js, varnish
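As an added example (not code from the HAProxy documentation or project), a receiver-side parser for the PROXY protocol v1 header described above: it shows how a backend recovers the real client address from the header while rejecting malformed ones rather than trusting them. The sample header, addresses and ports are constructed.

```python
import ipaddress

# The PROXY v1 header is one ASCII line ending in CRLF, at most 107 bytes
# including the CRLF (value from the HAProxy proxy-protocol specification).
MAX_V1_HEADER_LEN = 107


class ProxyHeaderError(ValueError):
    """The connection does not start with a well-formed PROXY v1 header."""


def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 header from the first bytes of an accepted connection.

    Returns (info, payload): info is None for "PROXY UNKNOWN" (the sender could
    not learn the original addresses), else a dict with family, src_ip, dst_ip,
    src_port, dst_port; payload is whatever follows the header. A malformed
    header raises ProxyHeaderError so the receiver can drop the connection
    instead of trusting a bogus client address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, payload = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported family or wrong field count")
    addr_type = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("ports must be unsigned decimal integers")
    try:
        src_ip, dst_ip = addr_type(fields[2]), addr_type(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from None
    src_port, dst_port = int(fields[4]), int(fields[5])
    if src_port > 65535 or dst_port > 65535:
        raise ProxyHeaderError("port out of range")
    return {"family": fields[1], "src_ip": str(src_ip), "dst_ip": str(dst_ip),
            "src_port": src_port, "dst_port": dst_port}, payload


# Constructed sample: what a PROXY-aware backend sees when HAProxy forwards
# a client from 192.0.2.10 that reached the load balancer on port 443.
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 443\r\nGET / HTTP/1.0\r\n"
```

A backend should only enable PROXY parsing on listeners that receive traffic exclusively from the load balancer, since any peer allowed to speak to that port can otherwise assert an arbitrary source address.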