# HAProxy — High-Performance TCP/HTTP Load Balancer

> The reliable, open-source load balancer that runs the internet — L4/L7, HTTP/2, HTTP/3, and TLS 1.3, with millisecond reloads.

## Quick Use

```bash
# Docker: mount the config read-only; 80 is the proxy, 8404 is the stats page
docker run -d --name haproxy -p 80:80 -p 8404:8404 \
  -v "$(pwd)/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro" haproxy:3.1

# Minimal haproxy.cfg
# frontend http
#   bind :80
#   default_backend webs
# backend webs
#   server w1 10.0.0.1:8080 check
#   server w2 10.0.0.2:8080 check
```

## Introduction

HAProxy (High Availability Proxy) has routed traffic for Instagram, Reddit, and GitHub for over 20 years. It is the reference open-source layer-4 and layer-7 load balancer, known for sub-millisecond decision latency, thousands of concurrent TLS terminations per core, and single-digit-second config reloads.

## What HAProxy Does

- Balances TCP, HTTP/1.1, HTTP/2, HTTP/3 (QUIC), and gRPC traffic.
- Terminates TLS 1.3 with SNI, ALPN, OCSP stapling, and client cert auth.
- Runs health checks with dozens of probe types (TCP, HTTP, MySQL, Redis, LDAP).
- Implements rate limiting, denylists, and bot protection via stick tables.
- Exports metrics to Prometheus, a runtime CLI, and a built-in stats dashboard.

## Architecture Overview

HAProxy is a single-process, event-driven C program using epoll (Linux) or kqueue. Workers share nothing by default; since 2.4 they support multi-thread mode with per-CPU pinning. Traffic flows frontend → ACL engine → backend → server, with Lua and SPOE plug-ins for custom logic. Stats and stick tables are memory-resident for microsecond lookups.

## Self-Hosting & Configuration

- Distro packages cover Debian, RHEL, and Alpine; the official Docker image tracks stable + LTS.
- `haproxy -c -f haproxy.cfg` validates config before a reload.
- `socat stdio /var/run/haproxy.sock` gives you a live admin console — drain, disable, stats.
- Enable hitless reloads with `expose-fd listeners` for zero dropped connections.
- Data Plane API lets CI/CD push config via REST instead of file edits.

## Key Features

- Hitless reloads keep sockets open during config changes.
- Runtime API edits ACLs, maps, and server weights without restart.
- Built-in WAF-lite via Lua + SPOE (ModSecurity integration available).
- Transparent mode preserves client source IP end-to-end.
- Runs on one core at hundreds of thousands of RPS; scales vertically with threads.

## Comparison with Similar Tools

- **NGINX** — web server first, LB second; easier config but fewer LB primitives.
- **Envoy** — modern service-mesh proxy, richer APIs, more memory per connection.
- **Traefik** — dynamic config from Docker/K8s labels, simpler, lower throughput.
- **LVS/IPVS** — kernel L4 LB, blazing fast, no L7 features.
- **Cloud ELB/ALB** — managed but vendor-locked and pricier at scale.

## FAQ

**Q:** HAProxy vs NGINX?
A: For pure load balancing HAProxy is usually faster and more observable; NGINX wins when you also serve static files or PHP.

**Q:** HTTP/3 support?
A: Yes, QUIC + HTTP/3 are stable since HAProxy 2.6.

**Q:** Kubernetes ingress?
A: Use the official HAProxy Ingress Controller or HAProxy Kubernetes Ingress Operator.

**Q:** License?
A: GPLv2 with enterprise support available from HAProxy Technologies.

## Sources

- https://github.com/haproxy/haproxy
- https://www.haproxy.org/

---

Source: https://tokrepo.com/en/workflows/40c924ac-3919-11f1-9bc6-00163e2b0d79

Author: AI Open Source
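
The TLS termination, stick-table rate limiting, admin socket and stats dashboard listed under "What HAProxy Does" and "Self-Hosting & Configuration", combined into one `haproxy.cfg`. This is an added example, not configuration from the original page or the HAProxy project; the certificate path, the rate threshold, the timeouts and the stats credentials are assumptions to replace with your own values.

```haproxy
# Added example; paths, thresholds and credentials are assumptions.
global
    # Refuse anything below TLS 1.2 (raise to TLSv1.3 if every client supports it)
    # and disable stateless session tickets
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # Runtime CLI socket: "level admin" can drain and disable servers, so keep
    # the file mode tight. expose-fd listeners enables hitless reloads.
    stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners

defaults
    mode http
    # Explicit timeouts so slow or idle clients cannot pin connections
    timeout connect      5s
    timeout client       30s
    timeout server       30s
    timeout http-request 10s

frontend http
    bind :80
    # Assumed PEM bundle containing certificate chain and private key
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1

    # Per-source-IP request rate over a 10 s sliding window, kept in memory
    stick-table type ip size 100k expire 10m store http_req_rate(10s)
    http-request track-sc0 src
    # Assumed threshold: more than 100 requests in 10 s is answered with 429
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    # Plain-HTTP requests are redirected after they have been counted
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend webs

frontend stats
    bind :8404
    stats enable
    stats uri /stats
    # The dashboard reveals backend addresses and health: require credentials
    stats auth admin:CHANGE_ME

backend webs
    server w1 10.0.0.1:8080 check
    server w2 10.0.0.2:8080 check
```

Run `haproxy -c -f haproxy.cfg` on the file before reloading; the check fails if the assumed certificate path does not exist.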