Fight off threats at the frontline.

Web Application and API Security

With the growing trend to migrate web applications to the cloud, dissolving the clear boundary between internal network and public web, security threats have in turn begun to turn their sights toward these often vulnerable targets. Whether it is securing a backend API not intended to be visible to outside clients, or fighting off attacks to a dynamic PHP website, the HAProxy suite of products offers a wealth of powerful features to neutralize threats.

The HAProxy Enterprise Web Application Firewall (WAF) is the ultimate line of defense against common, emerging, obfuscated, and zero-day attacks targeting web applications and APIs. Powered by our Intelligent WAF Engine and with optional OWASP Core Rule Set (CRS) compatibility, HAProxy Enterprise WAF offers exceptional balanced accuracy and ultra low latency. Global rate limiting protects APIs and web applications from sophisticated abuse with dynamic, real-time cluster-wide tracking powered by our Global Profiling Engine. By also implementing Basic or mTLS authentication at the load balancer tier to restrict access to APIs, you can be sure only valid requests are routing through to sensitive backend servers. You can customize security controls for each backend application or API for unprecedented granular traffic control.

Data Protection

Traffic encryption can also be a powerful tool against preventing malicious intruders and is essential for customers handling sensitive data. With built-in SSL/TLS offloading, without the need for an extra network component, data is also secured from end-to-end as it travels between systems. This is especially important for financial sector customers, who can take advantage of HAProxy Enterprise’s FIX protocol support, and configure settings restricting which versions of SSL and TLS clients can use, or a preferred list of cryptographic ciphers, in order to prevent protocol downgrade attacks. Using OpenSSL, the industry leading open-source encryption library, our data security is battle tested and internationally trusted.

Denial of Service (DoS) and Bot Management

To protect your system from threats to its availability via DDoS attacks, HAProxy Technologies offers the industry-leading PacketShield. Particular to HAProxy ALOHA, this patented software is a powerful defense against packet floods, a common denial of service attack. Providing stateful packet filtering and blocking illegitimate packets before they need to be processed by the kernel, this allows services to stay operational even when under attack.

HAProxy Enterprise offers Global Rate Limiting at either the connection or application layer, meaning customers can implement thresholds and prevent unfair usage. The Global Profiling Engine provides cluster-wide tracking to aggregate client behavior patterns across load balancer clusters. In addition, the HAProxy Enterprise Bot Management Module, flexible Access Control Lists, and client fingerprinting ensure your services are protected from vulnerability scanners, scrapers, brute-force bots, and more, saving your resources for legitimate traffic.

System Visibility

If the HAProxy Enterprise load balancer is the security center orchestrating all these features, the windows of its watchtower must also offer impeccable visibility on all comings and goings to the system. With verbose logging on not only the content and metadata of each request and response, but also the time taken to complete each phase processing it, customers are able to capture in-depth details about suspicious activity. And by implementing these logs using the widely-supported Syslog protocol, HAProxy Enterprise users can stream it to nearly any log aggregation and analysis tool.

Systems administrators can then track behavior based on IP address, User-Agent string, session ID, and request path, and much more, allowing careful analysis and evaluation of their security needs. Generated metrics also include requests/sec, total number of requests made, errors/sec, total number of errors, byte rates, and more.