**HAProxy** is an open source, high-performance TCP/HTTP load balancer and proxy server, and one of the most battle-tested pieces of infrastructure software in existence. It handles billions of requests per day at companies like GitHub, Reddit, Airbnb, and Stack Overflow. In an open source hyperscaler, it serves as the frontend load balancer for tenant-facing APIs, control planes, and web services.

---

### First Principle: The load balancer is the entry point to everything. It must be fast, predictable, and never the bottleneck.

HAProxy's design philosophy is simplicity and performance. It does one thing, proxying TCP and HTTP traffic, with extraordinary efficiency. A single HAProxy process can handle hundreds of thousands of requests per second with sub-millisecond added latency on modern hardware. Because every tenant request crosses it, the same position that makes it the natural place for TLS termination and routing also makes it the natural place for edge controls: request timeouts, header sanitisation, source-IP restrictions, and a rejecting default for traffic that matches no rule.

---

### Key Considerations

- **Layer 4 and Layer 7**: HAProxy can operate at L4 (`mode tcp`: passthrough, routing on source IP, port, or the TLS SNI read from the ClientHello without decrypting) or L7 (`mode http`: inspect headers, route by host/path, add/remove headers, terminate TLS). L4 passthrough keeps TLS end-to-end to the backend but gives HAProxy no visibility into the HTTP request.
- **ACLs and Routing**: HAProxy's ACL system routes traffic by Host header, URL path, source IP, request header values, or TLS SNI, making it a powerful ingress for multi-tenant platforms. Routing rules are evaluated in order, so place explicit deny rules before `use_backend` lines.
- **Health Checks**: HAProxy monitors backends with active health checks (HTTP probe with an expected status or body, TCP connect, or an external check command) and automatically removes a backend from rotation after `fall` consecutive failures, returning it after `rise` consecutive successes.
- **TLS Termination**: HAProxy terminates TLS using [[cert-manager]]-managed certificates, stripping TLS at the edge and forwarding plain HTTP to backends. The HAProxy-to-backend hop is then cleartext, so it must stay on a trusted network (or be re-encrypted with `server ... ssl verify required`), and backends must trust only the `X-Forwarded-For` / `X-Forwarded-Proto` values HAProxy sets, never ones a client supplied.
- **Stats & Metrics**: HAProxy's stats socket and built-in Prometheus exporter (HAProxy 2.0+) provide real-time visibility into connection rates, response times, error rates, and backend health. An admin-level stats socket can also disable servers and change weights at runtime, so treat it as a control surface: restrict its filesystem permissions and bind the stats/metrics HTTP endpoint to loopback or an internal address.
- **vs [[Envoy]]**: HAProxy is simpler, battle-tested, and more performant for straightforward L4/L7 load balancing. [[Envoy]] is more programmable and extensible for service mesh and complex L7 routing.
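The considerations above, as one HAProxy configuration. This is an added example written for this page, not configuration from the HAProxy project or from any deployment it describes. The hostnames, CIDRs, node and VIP addresses, ports, certificate directory, and the `ops:CHANGE_ME` stats credential are all assumptions; the directives themselves are standard HAProxy 2.x syntax.

```haproxy
global
    log stdout format raw local0
    # Admin-level socket can disable servers and change weights at runtime:
    # root-only permissions, never exposed over TCP.
    stats socket /run/haproxy/admin.sock mode 600 level admin
    # Baseline TLS policy applied to every "bind ... ssl" line (assumed policy)
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Bound how long a client may take to send the full request header
    # (slowloris-style connection exhaustion).
    timeout http-request 10s

# ---- L7: TLS termination + ACL routing ---------------------------------
frontend https_in
    bind :80
    # Directory of cert-manager-issued PEM bundles (assumed path);
    # HAProxy selects the certificate by SNI.
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Backends must trust only what HAProxy sets: drop client-supplied
    # forwarding headers, then re-add them. "option forwardfor" appends
    # the client IP after the http-request rules have run.
    http-request del-header X-Forwarded-For
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https
    option forwardfor

    acl host_api     req.hdr(host) -i api.example.internal
    acl host_console req.hdr(host) -i console.example.internal
    acl path_admin   path_beg -i /admin
    acl src_ops      src 10.10.0.0/16

    # Admin paths only from the operations network (assumed CIDR)
    http-request deny deny_status 403 if path_admin !src_ops

    use_backend api_pods     if host_api
    use_backend console_pods if host_console
    # No default_backend: an unmatched Host header gets a 503 instead of
    # being handed to whichever backend happens to be listed first.

backend api_pods
    balance roundrobin
    option httpchk GET /healthz
    http-check expect status 200
    # Probe every 3s; out after 3 failures, back after 2 successes
    default-server inter 3s fall 3 rise 2
    # Kubernetes NodePorts (assumed addresses)
    server node1 10.20.0.11:30080 check
    server node2 10.20.0.12:30080 check

backend console_pods
    balance leastconn
    option httpchk GET /healthz
    http-check expect status 200
    default-server inter 3s fall 3 rise 2
    server node1 10.20.0.11:30081 check
    server node2 10.20.0.12:30081 check

# ---- L4: SNI-based passthrough, TLS stays end-to-end -------------------
frontend tls_passthrough
    mode tcp
    option tcplog
    bind :8443
    # Wait (up to 5s) for the ClientHello so SNI can be read without
    # decrypting; anything that is not a TLS handshake is rejected.
    tcp-request inspect-delay 5s
    tcp-request content reject unless { req.ssl_hello_type 1 }
    use_backend tenant_a_tls if { req.ssl_sni -i tenant-a.example.internal }
    # Unmatched SNI: no default_backend, so the connection is closed.

backend tenant_a_tls
    mode tcp
    # MetalLB-assigned VIP for the tenant's ingress (assumed address)
    server tenant_a_vip 10.30.0.5:443 check

# ---- Observability: loopback only ---------------------------------------
frontend stats
    bind 127.0.0.1:8404
    # Native Prometheus exporter (HAProxy 2.0+, built with USE_PROMEX)
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats
    stats refresh 10s
    # Placeholder credential: replace it, or drop auth and rely on the
    # loopback bind plus a scraping sidecar.
    stats auth ops:CHANGE_ME
```

Validate before reloading with `haproxy -c -f /etc/haproxy/haproxy.cfg`; it reports unknown keywords, mode mismatches, and missing certificate files without starting the proxy. Backend state can then be inspected over the socket with `echo "show stat" | socat stdio /run/haproxy/admin.sock`, which is also why that socket's permissions matter: the same channel accepts `disable server` and `set weight`.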
---

### How It Fits

```
External traffic (TCP/HTTP/HTTPS)
  → HAProxy (L4/L7 load balancing, TLS termination)
  → [[Kubernetes]] NodePorts / [[MetalLB]] load balancer IPs
  → [[Envoy]] (service mesh / advanced L7 routing)
  → Backend pods
```

[[Envoy]] | [[MetalLB]] | [[Traefik]] | [[cert-manager]] | [[Open Source Hyperscaler MoC]]