What’s new in HAProxy 1.6 (opens in new tab)

(blog.haproxy.com)

191 pointsoldmantaiter10y ago40 comments

40 comments

External check pleases me greatly, but sending emails for me seems to be overkill, there are well established ways to do this in unified manner (logparsers, snmp traps etc). Half way trough to fullfill Zawinski's Law.

jimktrains210y ago

Yeah, there's a mix of awesome and what? stuff.

> Since 1.6, HAProxy can forge SSL certificate on the fly! Yes, you can use HAProxy with your company’s CA to inspect content.

> Device Identification

(Considering it seems you need a proprietary lib)

> mailers

> lua

> Processing of HTTP request body

All seem to be be moving away from what HAProxy is/was. It's not an application server. It's not a webserver. It's not a mail server.

Florin_Andrei10y ago

Lua is kinda awesome, though. Use it with plenty of common sense and it can be a very powerful tool.

1 more reply

e12e10y ago

FWIW I recently became aware of Pen:

https://github.com/UlricE/pen

I've not tried it - but there should be some overlap in use-cases, and it would appear to be a much smaller project than HAProxy.

pentium1010y ago

Cool, now we can use Device Identification feature to route mobile users to a different backend, also love the HTTP/2 connection sharing.

msane10y ago

As always I'm skeptical of reliable device identification. Claiming to have it almost sounds like claiming to own a hen that lays golden eggs. Their blurb about it doesn't do much to convince me so far:

    Through our company, we have some customer who want us to integrate
    into HAProxy the ability to detect device type and characteristics and
    report it to the backend server. We got a couple of contributions from
    2 companies experts in this domain: 51 degrees and deviceatlas. You
    can now load those libraries in HAProxy in order to fully qualify a
    client capabilities and set up some headers your application server
    can rely on to adapt content delivered to the client or let the
    varnish cache server use it to cache multiple flavor of the same
    object based on client capabilities.

    More on this blog later on how to integrate each product.

But it would be a nice surprise if it performed well.

ronancremin10y ago

Speaking for DeviceAtlas in particular I can assure you that detection reliability is better than most assume. The stated 99% detection accuracy rate isn’t marketing speak—it is continously verified on real traffic from all around the world.

We measure two main aspects of performance:

- Per-request detection overhead: Willy’s preferred way to measure impact on HAProxy performance is the per request overhead added. DeviceAtlas adds a few µs per request. Typically this does not cause much of an issue. Example: if a load balancer is serving 20,000 requests per second with 80% CPU, that's 40µs of CPU time per request on a machine that can go up to 50µs. If we add 4µs to that we reach 88% of CPU under the same load, and the end user performance is not degraded in any meaningful way.

- Memory footprint: DeviceAtlas lets you configure the per-device property set to tailor the memory and performance impact. The resulting memory impact ranges from about 12MB to 100MB.

wheaties10y ago

Whenever I see a long list of features like these, especially something major like Lua integration, I always wonder, what was given up in the process of adding them? Normally when there's a performance bump, they show the numbers. In this case there's no numbers. Was there a performance hit? Negligible?

Thaxll10y ago

If you don't use it there is not reason to get a performance bump. Nginx is also using Lua to extend features.

Since Nginx started to add more and more features to their loadbalance it makes sense for HAProxy to get a scripting engine.

jimktrains210y ago

I'm surprised to see lua, and to see 1.6 released so quickly. 1.5 took forever to finalize and SSL termination was heavily debated because it wasn't a fast or lightweight like the original goal of HAProxy was. While I realize I don't have to use the lua scripts, it just feels out of place.

EDIT: I guess part of my concern with Lua was the example on the linked article. It seems to be able to interface with most of the system and not just as a content source, which makes more sense.

lobster_johnson10y ago

Willy might not agree, and this isn't really a criticism, but I think 1.5 simply got out of hand — he did a lot of (much-needed) architectural cleanup that took a long time to complete, but along the way a lot of new features (and subsequent bug fixes) got piled onto the same branch and intermingled with the cleanup work.

It's one of those "take apart your airplane and put it back together again" projects that one generally shouldn't do, though sometimes there is no way around it. If you need to rearrange the whole internal architecture of your engine, you should it do it quickly and not mix it with new work.

nailer10y ago

As an HAProxy user, support for logging to stdout (and hence journald) would be great. Currently HAProxy users on the major Linux distros either have to use it in debug mode or have a second log server just for the purposes of running HAProxy.

Otherwise I love HAProxy!

stonogo10y ago

HAProxy is not linux-specific. We have a POSIX logging facility, and HAProxy works just fine with syslog. If journald has problems with syslog, it's basically journald's problem.

nailer10y ago

stdout isn't Linux specific, and it's all that's needed.

Edit: solved this one myself with a little research. Systemd also implements the /dev/log Unix domain socket (even with the silly syslog facility names, without needing syslog installed) - so:

    global
            log /dev/log local0 info

I've added this as an answer on Stack and try and get it into the docs for anyone else.

pmahoney10y ago

In the spirit of avoiding code duplication and making daemontools-like process supervisors happy (that includes systemd for these purposes), I greatly appreciate when logs can be sent to stderr

If the admin wants the logs in syslog, 2>&1 | logger or similar. If the admin wants to use multilog, s6-log, or journald, that's also easy.

(For the same reasons, daemons should not include daemonization routines but should run in the foreground. If I want it in the background, I'll arrange for my process supervisor to start it.)

1 more reply

bedis910y ago

what about this type of configuration:

  global
    log /dev/stdout local0 info

nailer10y ago

It expects a syslog socket, hence the syslog facility names (uucp, fax, local0, etc). Trying the config you suggested:

    [ALERT] 286/160528 (20831) : sendto logger #1 failed: Connection refused (errno=111)

ris10y ago

Something I've always wanted to do but from what I can see is impossible in Apache is simply limit the number of connections a single IP can have open at once.

Is this possible with HAProxy? If it is, the documentation doesn't make it clear how.

yc101010y ago

Well its possible with nginx for sure, havent used apache in about 10 years now (first lighttpd then nginx) i think, after switching to nginx no going back.

Haproxy btw is fantastic too, useful for hiding real location of web server from attacks

dexcs10y ago

Nice. It supports lua and mail alerts on changing servers now...

numbsafari10y ago

The mail thing seems like a not healthy growth of functionality.

Most people already have logging infrastructure in place for this.

Unix philosophy and all that.

nly10y ago

Sending email alerts probably take very little code. Receiving mail is where the complexity is.

jimktrains210y ago

Neither seems like good functionality to add to HAProxy. They both seem superfluous and almost antithetical to what it was in 1.5.

Why is it nice?

eropple10y ago

I can see some value to Lua; it allows for more complex routing rules in a way that's comfortable for a programmer. (This is pretty much what I use Lua for in nginx, too.)

Mail, though--yeah, nope.

1 more reply

binaryanomaly10y ago

Great!

But no http2 so it won't get in front of my nginx instances, yet ;)

A01010y ago

It's too late to include new draft HTTP/2 in 1.6, so it'll be in 1.7

ausjke10y ago

I was comparing HAproxy to Squid a while ago and could not figure out what's haproxy's advantage over squid? I ended up using Squid but still am very interested in HAproxy, would like to learn more about it.

Squid remains to be the only one that can deal with SSL proxying(yes it's kind of MITM, but it's needed sometimes), and it's also the real "pure" open source. HAproxy might be better fit for enterprises that need support?

jdub10y ago

HAProxy is a TCP/HTTP load balancer, so the entire perspective of the software (from configuration to feature emphasis) stems from that.

Squid is a caching HTTP proxy, which began with forward proxying but also supports reverse proxying. I wouldn't regard it as relevant to modern, dynamic architectures as HAProxy or Varnish (another caching-focused project).

There's no real difference in open source purity between any of these projects, unless you dislike the stewardship of a company. HAProxy has existed for a long time without such stewardship (as has Varnish). Indeed, Squid's lack of commercial backing might be a hint as to its current relevance.

A01010y ago

Varnish is a good HTTP caching server, but with the rise of HTTPS and soon HTTP/2 I'm not sure it'll change since last time I heard its developers don't intend to support TLS at all.

3 more replies

bedis910y ago

"pure" opensource doesn't exist: There is open source and there is closed source. HAProxy is open source, products developed by HAProxy Technologies are also open source for our customers!!!

on the other side, you have varnish plus and nginx plus which are closed source, which means their clients can't have access to the source code, they don't know what they run.

teh_klev10y ago

Just so you know, you don't need to sign your comments (with Baptiste). You may wish to review the guidelines on commenting here:

https://news.ycombinator.com/newsguidelines.html

"Please don't sign comments; they're already signed with your username. If other users want to learn more about you, they can click on it to see your profile."

ErikRogneby10y ago

Lots of goodness!

wpblogheader10y ago

Supports Lua? SWEET!

j / k navigate · click thread line to collapse

40 comments

radoslawc10y ago

jimktrains210y ago

Yeah, there's a mix of awesome and what? stuff.

> Since 1.6, HAProxy can forge SSL certificate on the fly! Yes, you can use HAProxy with your company’s CA to inspect content.

> Device Identification

(Considering it seems you need a proprietary lib)

> mailers

> lua

> Processing of HTTP request body

All seem to be be moving away from what HAProxy is/was. It's not an application server. It's not a webserver. It's not a mail server.

Florin_Andrei10y ago

Lua is kinda awesome, though. Use it with plenty of common sense and it can be a very powerful tool.

1 more reply

e12e10y ago

FWIW I recently became aware of Pen:

https://github.com/UlricE/pen

I've not tried it - but there should be some overlap in use-cases, and it would appear to be a much smaller project than HAProxy.

pentium1010y ago

Cool, now we can use Device Identification feature to route mobile users to a different backend, also love the HTTP/2 connection sharing.

msane10y ago

    Through our company, we have some customer who want us to integrate
    into HAProxy the ability to detect device type and characteristics and
    report it to the backend server. We got a couple of contributions from
    2 companies experts in this domain: 51 degrees and deviceatlas. You
    can now load those libraries in HAProxy in order to fully qualify a
    client capabilities and set up some headers your application server
    can rely on to adapt content delivered to the client or let the
    varnish cache server use it to cache multiple flavor of the same
    object based on client capabilities.

    More on this blog later on how to integrate each product.

But it would be a nice surprise if it performed well.

ronancremin10y ago

We measure two main aspects of performance:

- Memory footprint: DeviceAtlas lets you configure the per-device property set to tailor the memory and performance impact. The resulting memory impact ranges from about 12MB to 100MB.

wheaties10y ago

Thaxll10y ago

If you don't use it there is not reason to get a performance bump. Nginx is also using Lua to extend features.

Since Nginx started to add more and more features to their loadbalance it makes sense for HAProxy to get a scripting engine.

jimktrains210y ago

EDIT: I guess part of my concern with Lua was the example on the linked article. It seems to be able to interface with most of the system and not just as a content source, which makes more sense.

lobster_johnson10y ago

nailer10y ago

Otherwise I love HAProxy!

stonogo10y ago

HAProxy is not linux-specific. We have a POSIX logging facility, and HAProxy works just fine with syslog. If journald has problems with syslog, it's basically journald's problem.

nailer10y ago

stdout isn't Linux specific, and it's all that's needed.

Edit: solved this one myself with a little research. Systemd also implements the /dev/log Unix domain socket (even with the silly syslog facility names, without needing syslog installed) - so:

    global
            log /dev/log local0 info

I've added this as an answer on Stack and try and get it into the docs for anyone else.

pmahoney10y ago

In the spirit of avoiding code duplication and making daemontools-like process supervisors happy (that includes systemd for these purposes), I greatly appreciate when logs can be sent to stderr

If the admin wants the logs in syslog, 2>&1 | logger or similar. If the admin wants to use multilog, s6-log, or journald, that's also easy.

(For the same reasons, daemons should not include daemonization routines but should run in the foreground. If I want it in the background, I'll arrange for my process supervisor to start it.)

1 more reply

bedis910y ago

what about this type of configuration:

  global
    log /dev/stdout local0 info

nailer10y ago

It expects a syslog socket, hence the syslog facility names (uucp, fax, local0, etc). Trying the config you suggested:

    [ALERT] 286/160528 (20831) : sendto logger #1 failed: Connection refused (errno=111)

ris10y ago

Something I've always wanted to do but from what I can see is impossible in Apache is simply limit the number of connections a single IP can have open at once.

Is this possible with HAProxy? If it is, the documentation doesn't make it clear how.

yc101010y ago

Well its possible with nginx for sure, havent used apache in about 10 years now (first lighttpd then nginx) i think, after switching to nginx no going back.

Haproxy btw is fantastic too, useful for hiding real location of web server from attacks

dexcs10y ago

Nice. It supports lua and mail alerts on changing servers now...

numbsafari10y ago

The mail thing seems like a not healthy growth of functionality.

Most people already have logging infrastructure in place for this.

Unix philosophy and all that.

nly10y ago

Sending email alerts probably take very little code. Receiving mail is where the complexity is.

jimktrains210y ago

Neither seems like good functionality to add to HAProxy. They both seem superfluous and almost antithetical to what it was in 1.5.

Why is it nice?

eropple10y ago

I can see some value to Lua; it allows for more complex routing rules in a way that's comfortable for a programmer. (This is pretty much what I use Lua for in nginx, too.)

Mail, though--yeah, nope.

1 more reply

binaryanomaly10y ago

Great!

But no http2 so it won't get in front of my nginx instances, yet ;)

A01010y ago

It's too late to include new draft HTTP/2 in 1.6, so it'll be in 1.7

ausjke10y ago

jdub10y ago

HAProxy is a TCP/HTTP load balancer, so the entire perspective of the software (from configuration to feature emphasis) stems from that.

A01010y ago

Varnish is a good HTTP caching server, but with the rise of HTTPS and soon HTTP/2 I'm not sure it'll change since last time I heard its developers don't intend to support TLS at all.

3 more replies

bedis910y ago

"pure" opensource doesn't exist: There is open source and there is closed source. HAProxy is open source, products developed by HAProxy Technologies are also open source for our customers!!!

on the other side, you have varnish plus and nginx plus which are closed source, which means their clients can't have access to the source code, they don't know what they run.

teh_klev10y ago

Just so you know, you don't need to sign your comments (with Baptiste). You may wish to review the guidelines on commenting here:

https://news.ycombinator.com/newsguidelines.html

"Please don't sign comments; they're already signed with your username. If other users want to learn more about you, they can click on it to see your profile."

ErikRogneby10y ago

Lots of goodness!

wpblogheader10y ago

Supports Lua? SWEET!

j / k navigate · click thread line to collapse