Your Comprehensive Guide to HAProxy Protocol Support

Internet protocols are the lifeblood of internet communication, powering connections between servers, clients, and networking devices. These rules and standards also determine how data traverses the network. Without continued protocol development, the internet couldn’t properly support the applications driving massive traffic volumes worldwide, and those applications in turn drive the next round of protocol development.

HAProxy’s products support a broad range of protocols. We’ll share why this enables flexible load balancing and security for a variety of evolving applications while supporting business use cases.

Where HAProxy Comes In

Internet traffic volumes are absolutely staggering, and web applications account for a massive chunk of that traffic. Take YouTube, for example, which attracts over 2 billion monthly active users. As much as YouTube (and other services) thrive on sustained traffic, they equally depend on uptime. Maintaining that coveted 99.999% uptime requires resilient infrastructure that scales, strong security, and consistent performance.

Load balancing is one key to enabling this. HAProxy is the world’s fastest and most widely used software load balancer. It ensures that backend services receive a filtered, legitimate, and intelligently distributed stream of traffic, so no single server is overwhelmed and bottlenecks are avoided. Plus, HAProxy Enterprise features like our Web Application Firewall (WAF), DDoS protection, and bot management keep attackers from crippling your infrastructure.

Broad protocol support lets a load balancer efficiently handle incoming requests from multiple sources and return responses from diverse backend servers. By supporting the internet’s leading (and emerging) protocols, HAProxy load balancers help you serve more users while boosting reliability and performance. Deeper protocol support also means HAProxy can handle a wider range of traffic and interoperate with more types of services.

While HAProxy load balancing works primarily at OSI Layer 7 to filter and distribute incoming traffic, we also support multiple Layer 4 and Layer 3 protocols. We’ll outline our product-based protocol support, highlight some core features, and share handy use cases.

HAProxy Protocol Support at a Glance

[Table: HAProxy protocol support at a glance, by product and OSI layer]

*Support is on a per-protocol basis.

Above is a quick snapshot of our Layer 7, 4, and 3 protocol support in HAProxy (latest stable releases). Since HAProxy focuses mainly on application layer load balancing, our support there is the most robust. However, capable load balancers must work with various protocols to handle diverse internet traffic. That’s why we also support older or more “niche” protocols like FTP, FIX, and MQTT.

HAProxy protocol support is something of a patchwork story. While we offer full and comprehensive support for protocols like HTTP and TCP, technical challenges and other factors can impact support for other protocols. Here’s how we define each support level:

  • Comprehensive – HAProxy can filter, load balance, and otherwise route or manipulate incoming requests successfully without making notable concessions. Feature support is robust and well-documented. We support the protocol’s fundamental and advanced functions. 

  • Partial – HAProxy can effectively load balance incoming traffic and supports some critical, core protocol features. However, full protocol parsing is typically missing. Technical workarounds or creative “hacks” might be needed to reach your desired level of support in HAProxy. 

  • Development/Consideration – We’re adding protocol support to our roadmap, actively developing it, porting existing features from HAProxy Community Edition to a newer version of HAProxy Enterprise, or determining if support will come.

With that in mind, let’s dive into our deepest protocol support to see where HAProxy truly shines. You’ll learn which important protocol features HAProxy products support and why those matter.

HAProxy & HTTP


The Hypertext Transfer Protocol (HTTP) and its secure variant, HTTPS, are essential to today’s internet communications. HTTP transfers data in the form of requests, each carrying an HTTP method, the requested resource, a protocol version, request headers, and an optional request body. Web clients typically make these requests and then receive responses from the servers they’re communicating with.

HAProxy HTTP(S) Features

There’s no denying how foundational the HTTP protocol is to all internet communications. Similarly, HTTP support is our “bread and butter” within HAProxy—we have a long history of support from day one and our products deliver numerous, related features. Here’s a snapshot of the functions our HTTP protocol support enables:

  • HTTP(S) load balancing

  • Protocol validation

  • HTTP(S) traffic filtering via Access Control Lists (ACLs)

  • Session stickiness and persistence based on HTTP request properties like cookies, headers, URIs, and more

  • Inspection, extraction, transformation, redirection, and other alteration of messages on the fly as HAProxy processes them

  • Health checks

  • HTTP version negotiation via the TLS ALPN extension (for example, selecting HTTP/2 or falling back to HTTP/1.1 on the same port)

  • HTTP/3 over QUIC support (mobile device connection reliability and performance is one of the multiple notable use cases)

  • gRPC support via HTTP/2

HAProxy supports HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/3, and you can easily configure HAProxy for each version. We can translate between HTTP versions on the client and server sides (an HTTP/2 client talking to an HTTP/1.1 server, for instance), letting you use HAProxy as an HTTP gateway in the RFC sense.

Plus, HAProxy users can leverage roughly 70 HTTP fetch methods. These methods let you extract request data for routing, persistence, DDoS protection, and other use cases. Community input and contributions have massively helped these important functions make it into our products! 

Our open-source roots have inspired a ton of improvements over the years. Meanwhile, our enterprise users have brought their own functional requirements that we’ve subsequently added to HAProxy Community Edition. Users have continually asked for greater access to some portions of their HTTP messages and we’ve developed HAProxy products accordingly.

HAProxy HTTP Use Cases

Your web application traffic warrants an HTTP-friendly load balancer, and you’ve landed on HAProxy—so, what can you do with it? 

The first and most conventional use case is load balancing for HTTP applications and APIs. This includes applications that are stateless (one request, one response, no stored knowledge) and those that rely on session persistence. In the latter case, HAProxy pins a client to the same server using either a cookie that HAProxy inserts itself or a cookie or token the application already issues to the client. You may have also heard persistent sessions described as “sticky sessions.” HAProxy also supports HTTP content switching, which uses ACLs and other configured rules to make backend routing decisions.
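Here is a worked configuration, added to this article as an illustration rather than taken from HAProxy’s own documentation, that puts the HTTP features listed above together with this first use case: content switching via ACLs, a persistence cookie inserted by HAProxy, HTTP health checks, on-the-fly header and redirect manipulation, and a gRPC backend carried over HTTP/2. The server addresses, paths, and backend names are invented for the example, and TLS is deliberately left out of this fragment so the focus stays on Layer 7 routing.

```haproxy
global
    log stdout format raw local0
    maxconn 20000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_web
    bind :80
    # Protocol validation beyond the parser: refuse requests without a Host header
    http-request deny deny_status 400 unless { req.hdr(host) -m found }
    # Redirect a retired path on the fly, without involving any backend
    http-request redirect location /v2/login code 301 if { path /login }
    # Strip a header that only internal callers may set; external clients must never
    # be able to smuggle it through to a backend that trusts it
    http-request del-header X-Internal-Role
    # Content switching: ACLs on request properties pick the backend
    acl is_api    path_beg /api/
    acl is_grpc   req.hdr(content-type) -m beg application/grpc
    acl is_static path_end .css .js .png .svg
    use_backend be_grpc   if is_grpc
    use_backend be_api    if is_api
    use_backend be_static if is_static
    default_backend be_app

backend be_app
    balance roundrobin
    # Sticky sessions: HAProxy inserts its own cookie naming the chosen server.
    # 'secure' is omitted only because this example frontend is plain HTTP.
    cookie SERVERID insert indirect nocache httponly
    option httpchk
    http-check send meth GET uri /healthz
    http-check expect status 200
    # Response transformation on the way back to the client
    http-response set-header X-Frame-Options DENY
    server app1 10.0.0.11:8080 cookie app1 check
    server app2 10.0.0.12:8080 cookie app2 check

backend be_api
    balance leastconn
    option httpchk
    http-check send meth GET uri /healthz hdr Host api.internal
    http-check expect status 200
    server api1 10.0.0.21:8080 check
    server api2 10.0.0.22:8080 check

backend be_static
    balance roundrobin
    server static1 10.0.0.31:8080 check

backend be_grpc
    # gRPC needs HTTP/2 end to end; 'proto h2' speaks cleartext h2 to the server
    balance roundrobin
    server grpc1 10.0.0.41:50051 check proto h2
    server grpc2 10.0.0.42:50051 check proto h2
```

Validate the file with haproxy -c -f before loading it. Note that http-request rules are evaluated before use_backend lines regardless of their order in the frontend, so the Host check and header stripping above apply to every request, whichever backend it ends up in.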

Second, HAProxy’s Data Plane API is a self-hosted HTTP service that helps you build configurations from the ground up. Embeddable in other software, it lets you add server pools, define listeners on the frontend, update ACLs, and even manage SSL certificates more easily. The Data Plane API exposes RESTful HTTP endpoints and supports transactions for batching multiple changes into a single atomic update.

Third, you can leverage HAProxy’s HTTP support to enable traffic mirroring for real-world testing. Mirroring copies live production requests and sends them both to production servers and to a test environment, so the test environment sees real traffic rather than a synthetic imitation; in HAProxy this is done with the Stream Processing Offload Engine (SPOE) and a mirroring agent. This fire-and-forget method highlights any backend shortcomings without impacting your users, with one caveat: the mirrored copy includes non-idempotent requests, so the test environment must not share stateful resources such as a production database or payment gateway.

Finally, HAProxy supports server-sent events (SSE). Clients connecting through HAProxy can receive a stream of automatic updates from their corresponding server; since SSE responses stay open for a long time, the client and server timeouts must be long enough for the stream to survive the gaps between events.

This isn’t an exhaustive list of HTTP-related use cases, but it does represent many common scenarios for HAProxy product users. Community members have found many of their own solutions while using HAProxy, which have helped our HTTP support mature greatly.

HAProxy & TCP

The Transmission Control Protocol’s (TCP’s) roots are deep. First described in 1974 during the internet’s early ARPANET days, it became the public internet’s de facto transport protocol after the Network Control Protocol’s (NCP’s) retirement. Since then, the protocol has been refined through successive specifications, from RFC 793 in 1981 to its current consolidation in RFC 9293.

TCP works by establishing a connection between sender and receiver before any data flows. It’s platform agnostic, retransmits segments that are dropped or lost, and ultimately excels at delivering messages completely and in order. The protocol efficiently splits data payloads into segments for reliable, back-and-forth transmission, and the processing overhead for raw TCP streams is generally low. HTTP/1.x and HTTP/2 are built atop TCP; HTTP/3 instead runs over QUIC, which uses UDP.

HAProxy TCP Features

TCP support is robust and foundational within HAProxy. Our load balancing products can handle any TCP-based traffic, and we have numerous fetch methods that let you retrieve information while routing. Here are some of the main TCP features supported across our products:

  • TCP load balancing

  • Traffic filtering

  • PacketShield™ packet filtering for TCP flood protection and DDoS mitigation (HAProxy ALOHA)

  • User session stickiness based on TCP/IP information

  • Access Control List (ACL) decision-making support based on TCP/IP information

  • Carrying higher-level protocols like HTTP, FTP, SMTP, MySQL, and the Redis Serialization Protocol over the TCP stream

  • TCP performance acceleration through buffering

It’s easy to manage TCP connections and set “mode tcp” in your HAProxy configuration, as well as within the HAProxy Fusion Control Plane.

HAProxy TCP Use Cases

While it’s true that we can balance any TCP traffic, we’ve seen users uncover some powerful use cases with TCP. First, we can balance a number of the protocols used to deliver messages and directory information at the TCP layer, including SMTP, POP, IMAP, and LDAP, which lets you put HAProxy in front of mail and directory servers. HAProxy can also preserve the original client IP address for those servers, either by sending it ahead of the stream in a PROXY protocol header or by proxying transparently.

Second is PacketShield™ packet filtering, our patented software feature that can filter up to 14.88 million packets per second on a 10 gigabit link (line rate for minimum-size frames); 40G NICs can filter even more. PacketShield™ guards your load balancer and backends against illegitimate packets. It spares the kernel from processing this harmful traffic and provides DDoS protection, keeping your services running reliably even while attacks are ongoing.

Third, HAProxy can effectively load balance MySQL clusters. However, HAProxy balances MySQL at the TCP layer and does not parse SQL, so it cannot tell a read from a write on its own. The application must split reads and writes itself, for example by sending writes to one HAProxy listener that fronts the primary node and reads to another that fronts a scalable group of replicas. With that split in place, the setup works markedly better.

Fourth comes a nod to our data analysts and programmers. You can load balance R script requests destined for Rserve, a TCP/IP socket server for binary requests. Setting “remote enable” in your Rserve configuration file makes Rserve accept connections from other hosts, which is what HAProxy needs; since that also exposes Rserve beyond the loopback interface, restrict who can reach it (for instance, with a source-address ACL on the HAProxy frontend).

Last but not least, HAProxy can manage connections to services like FTP.
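The TCP use cases above, as one added example configuration constructed for this article (not HAProxy’s own): SMTP balanced at Layer 4 with the client address preserved via the PROXY protocol and a per-source connection-rate limit, LDAP with a protocol-aware health check, MySQL with reads and writes split across two listeners, and Rserve. Addresses, ports, and names are invented; the mysql-check lines assume a MySQL account named haproxy_check exists with no password and is allowed to connect from the load balancer’s address.

```haproxy
global
    log stdout format raw local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 1m
    timeout server 1m

# Mail: balance SMTP at Layer 4 and keep the real client address visible to the MTA
frontend fe_smtp
    bind :25
    # Track connection rate per source and reject floods before a backend is chosen
    stick-table type ip size 100k expire 10m store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc_conn_rate(0) gt 20 }
    # ACL decision on TCP/IP information alone: drop a known-bad range outright
    tcp-request connection reject if { src 198.51.100.0/24 }
    default_backend be_smtp

backend be_smtp
    balance roundrobin
    option smtpchk HELO lb.example.internal
    # send-proxy-v2 prepends a PROXY header carrying the client IP; the MTA must
    # be configured to expect it (Postfix: smtpd_upstream_proxy_protocol = haproxy)
    server mx1 10.0.1.11:25 check send-proxy-v2
    server mx2 10.0.1.12:25 check send-proxy-v2

# Directory: LDAP with a health check that speaks enough LDAP to detect a dead server
listen ldap
    bind :389
    balance leastconn
    option ldap-check
    server ldap1 10.0.1.21:389 check
    server ldap2 10.0.1.22:389 check

# MySQL: HAProxy cannot parse SQL, so the application splits traffic by port,
# sending writes to :3306 and reads to :3307
listen mysql_write
    bind :3306
    option mysql-check user haproxy_check
    server db-primary 10.0.2.11:3306 check

listen mysql_read
    bind :3307
    balance leastconn
    option mysql-check user haproxy_check
    server db-replica1 10.0.2.12:3306 check
    server db-replica2 10.0.2.13:3306 check
    # The primary serves reads only when every replica is down
    server db-primary  10.0.2.11:3306 check backup

# Rserve: R script requests, with Rserve configured for 'remote enable'
listen rserve
    bind :6311
    balance leastconn
    # Only the application subnet may reach Rserve through this listener
    tcp-request connection reject unless { src 10.0.3.0/24 }
    server r1 10.0.3.11:6311 check
    server r2 10.0.3.12:6311 check
```

The send-proxy-v2 keyword only helps if the server expects the PROXY header; one that does not will treat it as garbage and drop the connection. For servers that cannot parse it, the alternative is transparent proxying (source 0.0.0.0 usesrc clientip on the backend), which needs the kernel’s TPROXY support and a routing setup that sends the servers’ replies back through HAProxy.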

HAProxy & SSL/TLS


Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are integral communication protocols that govern data encryption and authentication across the web—whether between clients, servers, applications, or other systems. 

TLS is the standardized successor to SSL: TLS 1.0 replaced SSL 3.0 in 1999, and each later version has removed weak ciphers and hashes, replaced SSL’s MAC construction with HMAC, improved alert messaging, and, in TLS 1.3, cut the handshake to a single round trip. SSL 2.0 and 3.0 are formally deprecated (as are TLS 1.0 and 1.1), but it’s not uncommon for people to say “SSL” when they’re really referencing TLS.

HAProxy SSL/TLS Features

A good, security-focused load balancer must have strong SSL/TLS support. And HAProxy’s SSL stack is best in class thanks to robust feature support. Here are some of the many features included across our products:

  • TLS offloading

  • TLS termination and re-encryption (man in the middle)

  • TLS gateway functionality to help identify weak TLS servers

  • TLS passthrough for end-to-end encryption

  • Mutual TLS (mTLS)

  • HTTP to HTTPS redirects

  • Advanced TLS algorithm selection and certificate optimization

  • TLS extensions support for SNI, ALPN, and TLS session tickets

  • Routing based on TLS client certificate and inspection of the certificate’s distinguished name fields

  • Automated TLS certificate management with Let’s Encrypt integration

  • Automatic OCSP stapling

  • TLS ticket key synchronization and dynamic updates

  • Dynamic certificate/certificate authority generation and updates at runtime

  • SSL dual stack, where HAProxy supports two private keys (RSA and ECDSA) for one domain

  • Error handling

HAProxy products include numerous SSL/TLS features out of the box. We’re regularly adding new features and capabilities as the industry continues to shift more towards TLS. OpenSSL has also formed the backbone of SSL/TLS support in HAProxy for some time. 

SSL/TLS support is a first-class citizen across HAProxy products, and our TLS performance exemplifies this. In our testing, TLS handshakes never exceeded 5 milliseconds of latency, and just 1 request per 100,000 exceeded 1.6 milliseconds. Even at CPU saturation, the added cost of TLS stays small. And we’ve since been working hard to keep improving performance across the board.

HAProxy SSL/TLS Use Cases

To start, HAProxy’s primary TLS use cases involve TLS offloading and TLS re-encryption (MITM). In both, HAProxy terminates the client’s TLS session and decrypts the traffic before it reaches the backend, which relieves your web servers of the handshake and encryption burden. With re-encryption, HAProxy then opens a new TLS session to the backend, so traffic is still protected on its way to its destination.

Second, we’ve previously touched on one important SSL/TLS use case: using HAProxy with Let’s Encrypt. We’ve added deeper Let’s Encrypt integration in HAProxy 2.8, and expect these acme.sh improvements to hit HAProxy Enterprise very soon. 

Third, certificate management is central to strong security. HAProxy supports client certificate revocation via Certificate Revocation List (CRL) files or Online Certificate Status Protocol (OCSP) files. Revocation is useful for blocking a client’s service access when a private key is compromised, provided the revocation data HAProxy holds is kept current: a stale CRL keeps accepting the compromised certificate until it is refreshed.

Fourth, you can restrict API access using client certificates. To learn more, check out our guide on using root and intermediate certificate authorities—alongside client certificates—to enable authentication in HAProxy. 

Lastly, HAProxy’s default configuration earns top marks in SSL Labs’ server test. We currently earn an “A” grade, and the SSL Server Test highlights the minor optimizations needed for an “A+” rating.
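The TLS use cases above (offloading, re-encryption, client-certificate authentication and revocation, HTTP-to-HTTPS redirects, ALPN) in one added example configuration written for this article; it is not HAProxy’s own reference configuration. Certificate paths, CA and CRL file names, hostnames, and backend addresses are placeholders, and the mutual-TLS frontend assumes the internal CA issues client certificates whose OU field names the client’s role.

```haproxy
global
    log stdout format raw local0
    # Baseline policy for every bind line that does not override it:
    # no TLS 1.0/1.1, forward-secret AEAD ciphers only
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Same floor for the sessions HAProxy opens toward backends
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Plain HTTP exists only to send clients to HTTPS
frontend fe_http
    bind :80
    http-request redirect scheme https code 301

# TLS termination (offloading); ALPN lets clients negotiate HTTP/2 on the same port
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1
    # HSTS: SSL Labs awards A+ only when this header is present with a long max-age
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains"
    default_backend be_app

# Mutual TLS: the client must present a certificate from our internal CA that is
# not on the CRL; routing then depends on fields of the certificate's subject DN
frontend fe_mtls_api
    bind :8443 ssl crt /etc/haproxy/certs/api.example.com.pem ca-file /etc/haproxy/certs/client-ca.pem verify required crl-file /etc/haproxy/certs/client-ca.crl
    acl ou_ops   ssl_c_s_dn(OU) -m str Operations
    acl ou_batch ssl_c_s_dn(OU) -m str Batch
    # Any certificate that verified but carries an unknown role is refused
    http-request deny deny_status 403 unless ou_ops || ou_batch
    # Hand the verified DN to the backend; it must never trust a client-supplied header
    http-request set-header X-Client-DN %[ssl_c_s_dn]
    use_backend be_ops_api   if ou_ops
    use_backend be_batch_api if ou_batch

# Re-encryption: a fresh TLS session to each backend, with the server certificate
# verified against the internal CA and SNI set so the right certificate is served
backend be_app
    server app1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(app1.internal) check
    server app2 10.0.0.12:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(app2.internal) check

backend be_ops_api
    server ops1 10.0.0.21:8080 check

backend be_batch_api
    server batch1 10.0.0.31:8080 check
```

Two points worth checking in your own deployment: verify none on a backend server line silently disables certificate verification and turns re-encryption into encryption to whoever answers on that address, and the CRL file named on the bind line is read at startup, so a reload (or a runtime update over the stats socket) is needed before a newly revoked client certificate is actually refused.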

HAProxy and IPv4/IPv6

IPv4 and IPv6 are core standards-based networking protocols that assign unique IP addresses to all internet-connected devices. We support both protocol versions across HAProxy. It’s worth noting that ISPs have started moving away from IPv4 due to availability constraints, but NAT-dependent private networks or local networks can still safely leverage IPv4 instead of IPv6. In any case, the kernel beneath HAProxy performs IP management and routing. 

IP addresses and routing protocols ultimately enable devices to send and receive information over the internet. They’re crucial components in packet routing and sharing data pathways that traverse the web. Without IP addresses, we’d have no idea which networks host devices (computers or otherwise) belong to. 

There are some ways in which we commonly use IP information. One is allowlisting and denylisting, which lets HAProxy accept or reject incoming traffic from predetermined sources. This lookup is incredibly efficient: matching a source address against a list of one million entries takes roughly 100 nanoseconds, because HAProxy stores ACL and map entries in a tree rather than scanning them linearly. We also support allowlisting within HAProxy Enterprise Kubernetes Ingress Controller.

Notes on HAProxy & IPv6

The growth of internet traffic and the availability of connected devices have made IPv6 adoption critical. Its predecessor, IPv4, could only support roughly 4.3 billion unique addresses—corresponding to an equal number of internet devices. We’ve outgrown this number globally, which prompted IPv6’s release. 

IPv6 ensures that incoming, internet-enabled devices will have their own unique identifiers and can send or receive data. It’ll power the web’s expansion for numerous years to come. We can currently proxy IPv6 to IPv4—or any combination of versions. HAProxy can also forward client IP information to backend servers. Last but not least, organizations who’ve gone fully NAT-less have a home within the HAProxy product lineup.
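An added example, constructed for this article rather than taken from HAProxy’s documentation, of the IPv4/IPv6 points above: a single dual-stack bind, file-based allow and deny lists that mix IPv4 and IPv6 entries, forwarding the client address to the backend, and IPv6 clients proxied to an IPv4 server (and vice versa). The file paths, address ranges, and backend addresses are invented; the contents of the two list files are shown in comments because they are not part of the HAProxy configuration itself.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_web
    # One dual-stack socket: v4v6 makes the IPv6 wildcard accept IPv4 clients as well
    bind [::]:80 v4v6
    # /etc/haproxy/denylist.acl and allowlist.acl hold one address or CIDR per line,
    # IPv4 and IPv6 mixed, for example:
    #   198.51.100.0/24
    #   2001:db8:bad::/48
    # Entries are kept in a tree, so lookup cost does not grow with list size.
    acl blocked_src src -f /etc/haproxy/denylist.acl
    acl admin_src   src -f /etc/haproxy/allowlist.acl
    acl is_admin    path_beg /admin/
    http-request deny deny_status 403 if blocked_src
    http-request deny deny_status 403 if is_admin !admin_src
    # Forward the real client IP. set-header overwrites any X-Forwarded-For the client
    # sent, so a backend reading the header cannot be fed a spoofed address
    # ('option forwardfor' would append instead, leaving the client's value in place)
    http-request set-header X-Forwarded-For %[src]
    default_backend be_app

backend be_app
    balance roundrobin
    # HAProxy opens its own connection to each server, so an IPv6 client can be
    # served by an IPv4-only server and an IPv4 client by an IPv6-only one
    server app1 10.0.0.11:8080 check
    server app2 [2001:db8:1::11]:8080 check
```

The src ACLs only mean something if HAProxy sees the true client address. When another proxy or load balancer sits in front of HAProxy, src is that device’s address; in that case accept the PROXY protocol from it (accept-proxy on the bind line, restricted to the upstream’s address) rather than trusting a header the client could have set.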

Watch for Upcoming Protocol Support!

The internet is always on the move, and so are we. Because a good load balancer must have broad protocol support, we’re continually adding new features and functions to better handle evolving web traffic. Remember to visit our blog and product documentation to monitor important updates and releases!
