Should Nginx be at the front of HAProxy or opposite?

7,549

Solution 1

If you plan to have every web server available over HTTPS, then you'll need to install Nginx in front of HAProxy. With that configuration, your Nginx will handle all the SSL work and send the decrypted HTTP traffic directly to the HAProxy frontend, which will then load-balance requests to your web servers based on the rules you specify.

The idea of using LVS, as mentioned by womble, is that it's somewhat less intrusive since it doesn't hold a connection between your web server and the client accessing the site. On the other hand, LVS will only provide you with simple load-balancing and won't allow you to forward requests based on file extension, requested URL, headers, etc. That's why HAProxy is used in many situations.

If you only need SSL on one server (non load-balanced) then you're safe to use HAProxy for everything without using Nginx. On the other hand you'll have one issue with being unable to see the client's source IP address in the web server's HTTPS logs (because HAProxy rewrites that address). The IP will be in HAProxy logs if you enable it though ;)

Solution 2

haproxy since v. 1.5, released in 2014, does support SSL like a charm, including SNI.

Therefore I would put haproxy in front of nginx.
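
The layout this answer describes, as an added example that is not part of the original answer: HAProxy (1.5 or later) terminates TLS, routes by URL and passes the client address on to nginx backends. The certificate directory, backend names, URL prefixes and the 192.0.2.x addresses are constructed placeholders.

```haproxy
# Example values only: cert path, backend names, URL prefixes and the
# 192.0.2.x addresses are placeholders (assumptions, not from the page).
global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog            # client source IP is recorded in HAProxy's log
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind :80
    # TLS terminates here; given a directory, HAProxy picks the cert by SNI.
    bind :443 ssl crt /etc/haproxy/certs/

    # Drop any X-Forwarded-For sent by the client, then add the real
    # source address so backends log it and cannot be fed a forged value.
    http-request del-header X-Forwarded-For
    option forwardfor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Login page is HTTPS-only; other pages may stay on plain HTTP.
    acl is_login  path_beg /login
    acl is_upload path_beg /upload
    http-request redirect scheme https code 301 if is_login !{ ssl_fc }

    # URL-based routing: uploads go to their dedicated pool.
    use_backend upload_servers if is_upload
    default_backend web_servers

backend web_servers
    balance roundrobin
    server web1 192.0.2.11:80 check
    server web2 192.0.2.12:80 check

backend upload_servers
    balance leastconn
    server up1 192.0.2.21:80 check
    server up2 192.0.2.22:80 check
```

On the nginx backends, the realip module's `set_real_ip_from` and `real_ip_header` directives should accept X-Forwarded-For only from HAProxy's own address, so the logged client IP cannot be supplied by anyone who reaches a backend directly.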

Solution 3

You should just use nginx, it does everything you need as a frontend webserver. If you need front-end load-balancing, use an L3 load balancer such as Linux Virtual Server, because it doesn't get in the way like HAproxy does. Use HAproxy if required to do behind-the-scenes load balancing, like balancing requests to a pool of backend workers.

Author by

Morgan Cheng

Updated on September 18, 2022

Comments

  • Morgan Cheng
    Morgan Cheng over 1 year

    I have little experience in web site infrastructural architecture design. I know it might be situation specific. The web site is supposed to:

    1) Need HTTPS support for some pages (e.g. login page) while others are just HTTP pages.

    2) Need multiple web servers so that some load balancing is required.

    3) Need HTTP caching and compression to boost performance.

    4) Some requests (e.g. image uploading) should be routed to dedicated backend servers. So, URL-based balancing is required.

    I know that NginX and HAProxy are both nice open-source reverse proxies and/or load balancers. Since HAProxy doesn't support SSL, while Nginx load balancing is not as good as HAProxy, I'll take both.

    So, should I put Nginx (as reverse proxy) in the front of HAProxy (as load balancer), or opposite?

    Thanks

  • Morgan Cheng
    Morgan Cheng almost 13 years
    It is said that NginX load balancing is simple, just round robin approach. That's the reason I'm taking HAProxy into consideration.
  • womble
    womble almost 13 years
    It is said correctly; I've said it myself. That's why I don't recommend using nginx as a load balancer, and you won't find any mention of using nginx as a load balancer in this (or any other) answer of mine.
  • Martin Fjordvald
    Martin Fjordvald almost 13 years
    That's only if you're afraid of using your own compile from source (or ports on FreeBSD). There are multiple 3rd party modules which improve load balancing: wiki.nginx.org/3rdPartyModules
  • womble
    womble almost 13 years
    Improve, yes. Make adequate, no. My thoughts on this can be found in hezmatt.org/~mpalmer/blog/2011/07/24/… (search for "not pretty").
  • Morgan Cheng
    Morgan Cheng almost 13 years
    Thanks. Since "Some requests (e.g. image uploading) should be routed to dedicated backend servers. So, URL-based balancing is required." (as I updated the question), LVS might not serve my requirements.
  • Morgan Cheng
    Morgan Cheng almost 13 years
    BTW, the hiding of IP address by HAProxy is just for HTTPS, or for HTTP as well?
  • Rajesh Hegde
    Rajesh Hegde almost 13 years
    @Morgan, Hiding of IP is just for HTTPS.
  • Rajesh Hegde
    Rajesh Hegde almost 13 years
    It's only for TCP-mode backends, so anything that's not HTTP will not see the IP address since it's sent as an HTTP Header (X-Forwarded-For).
  • Willy Tarreau
    Willy Tarreau almost 13 years
    Not exactly. HAProxy may connect to the server using the client's IP address, but that requires kernel cooperation (e.g. the TPROXY feature). This should be avoided wherever possible though.