Sector 7G's Learning Center

HAProxy for Load Balancing, Security, & Performance

Jul 16, 2021 | Greg Butler

Audience & Level: Technical & Intermediate

Intro
HAProxy (Community and Enterprise) is widely hailed as the most used software load balancer, and its principal engineer, Willy Tarreau, recently demonstrated it exceeding 2 million requests per second on a single machine.

We won’t claim HAProxy is the best fit for every proxying, balancing, or gateway scenario, but we’re quite confident it is compelling for many, regardless of workload or scale. Documentation on Enterprise pricing, the Community vs. Enterprise comparison, configuration, and so on is abundant, so we focus here on how its load balancing strengths and speed can also be leveraged for security and for boosting application efficiency, within either the Enterprise or the Community feature set.

Load balancing
What distinguishes HAProxy from many alternatives in this context is twofold:

Exclusive focus on proxying/backend balancing
HAProxy operates at L4 or L7 depending on configuration. It is not intended to be an HTTP server or to do work outside of reverse proxying, load balancing, and connection management. We feel HAProxy’s extensive Configuration Guide underscores this.

Efficiency
Debuting with 1.8, HAProxy’s architecture added multithreading, producing a notable performance boost. Mr. Tarreau has published much on this, but suffice it to say that we’ve used HAProxy since 1.5, and what was already a speed demon went supersonic with 1.8.

We’ve conducted numerous variations of the 2 million rps milestone, generally following the same methodology but with fewer than 64 cores, throwing load at an actual site/API with several proxies in the chain, and using various load generators. A typical scenario simulates a DoS while parallel “good agent” load is measured to gauge any response time impact. An h1load DoS simulation delivering 15K rps against a four-thread HAProxy, with no “good agent” response time degradation, has been the rule without exception.

Security
Where one might place HAProxy (normally more than one) in the chain is addressed under the Performance section, which overlaps with this one. Although defense in depth requires a defensive posture for every service and node, HAProxy is particularly well suited to man the turrets at the appropriate places.

Topologies obviously vary greatly, but consider the following logical diagram, which focuses on HAProxy stopping unwanted traffic in its tracks, acting as a “noise gate”:

Again, this is a conceptual illustration; HAProxy provides a 130+ page book on multi-layer security. One response may be, “OK, but our G6 Huge IP does all that.” That may very well be true, but we challenge such claims to identify a reverse proxy that performs all these functions at the speed of HAProxy, while also balancing load and managing connections, at equal or lower cost.

Performance
Reiterating that defense in depth dictates services must assume nothing: nevertheless, when HAProxy is configured for multi-layered security (namely the ACLs and other configuration depicted above), and knowing it won’t break a sweat doing so, there is necessarily less work upstream.

Consider the firewall as receiving the full volume of everything attempting ingress and filtering some percentage of it. Much traffic is still permitted, and while DoS appliances/services, WAFs, and other roles perform valuable functions (many of which are available in HAProxy’s Enterprise edition), placing a high-performing reverse proxy farther left lets upstream services focus much more on signal and much less on noise. The result is an efficiency boost: capacity increases because workload decreases (“addition by subtraction”).
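To make the “noise gate” of the Security and Performance sections concrete, here is an added example configuration. It is not from the article, the diagram, or HAProxy’s own documentation; the hostnames, backend addresses, the blocklist file path, the probed paths, and every threshold are assumptions chosen for illustration and should be tuned to the site being protected. It shows the layering the text describes: an L4 reject for known-bad sources before any HTTP parsing, L7 ACLs that discard requests the application could never serve, and a stick table that rate limits noisy sources so the backends only see signal.

```haproxy
# Added example (not the article's or HAProxy's own config): HAProxy as a noise gate.
global
    log stdout format raw local0
    maxconn 50000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Clients that never finish sending headers are cut off early (slowloris-style noise)
    timeout http-request 10s

frontend fe_public
    bind :80

    # L4: reject known-bad sources before spending any effort parsing HTTP.
    # Assumed file: one IP or CIDR per line, maintained by the SOC.
    tcp-request connection reject if { src -f /etc/haproxy/blocklist.lst }

    # L7: only traffic that the application could actually serve gets through.
    # Assumed hostnames for this site.
    acl host_ok   hdr(host) -i www.example.com api.example.com
    # Assumed allow-list of methods this API supports.
    acl method_ok method GET HEAD POST PUT DELETE OPTIONS
    # Paths this application never exposes; scanners probe them constantly.
    acl path_noise path_beg -i /wp-admin /wp-login.php /phpmyadmin /.env /.git

    # Per-source counters: request rate and 4xx error rate over a 10 s window.
    stick-table type ip size 1m expire 30s store http_req_rate(10s),http_err_rate(10s)
    http-request track-sc0 src
    # Assumed thresholds; size them against real peak traffic before enforcing.
    acl too_many_reqs sc_http_req_rate(0) gt 100
    acl too_many_errs sc_http_err_rate(0) gt 20

    # Deny cheaply and early. Each denial is logged, so the drops stay visible
    # to monitoring rather than silently vanishing.
    http-request deny deny_status 400 if !host_ok
    http-request deny deny_status 405 if !method_ok
    http-request deny deny_status 404 if path_noise
    http-request deny deny_status 429 if too_many_reqs
    http-request deny deny_status 429 if too_many_errs

    default_backend be_app

backend be_app
    balance roundrobin
    # Assumed health endpoint on the application servers.
    option httpchk GET /healthz
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

Validate the syntax with `haproxy -c -f <file>` before reloading, and watch the stick table with `show table fe_public` on the stats socket while tuning the thresholds; a threshold that trips on legitimate bursts turns the noise gate into an outage of your own making.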

Conclusion
We understand this distills to “offload”, which is certainly nothing new, but HAProxy’s impressive efficiency makes it an ideal candidate not only for reverse proxying and load balancing, but also for a second purpose as a high-performance noise filter that sharpens the signal reaching upstream services.