12

I have little experience in web site infrastructural architecture design. I know it might be situation specific. The web site is supposed to:

1) Need HTTPS support for some pages (e.g. the login page) while others are just HTTP pages.

2) Need multiple web servers so that some load balancing is required.

3) Need HTTP caching and compression to boost performance.

4) Some requests (e.g. image uploading) should be routed to dedicated backend servers. So, URL-based balancing is required.

I know that Nginx and HAProxy are both nice open-source reverse proxies and/or load balancers. Since HAProxy doesn't support SSL, while Nginx load balancing is not as good as HAProxy's, I'll take both.

So, should I put Nginx (as reverse proxy) in front of HAProxy (as load balancer), or the opposite?

Thanks

Morgan Cheng

3 Answers

8

If you plan to have every web server available over HTTPS, then you'll need to install Nginx in front of HAProxy. With that configuration, your Nginx will handle all the SSL work and send the decrypted HTTP traffic directly to the HAProxy frontend, which will then load-balance requests to your web servers based on the rules you specify.

The idea of using LVS, as mentioned by womble, is that it's somewhat less intrusive since it doesn't hold a connection between your web server and the client accessing the site. On the other hand, LVS will only provide you with simple load-balancing and won't allow you to forward requests based on file extension, requested URL, headers, etc. That's why HAProxy is used in many situations.

If you only need SSL on one server (non load-balanced) then you're safe to use HAProxy for everything without using Nginx. On the other hand you'll have one issue with being unable to see the client's source IP address in the web server's HTTPS logs (because HAProxy rewrites that address). The IP will be in HAProxy logs if you enable it though ;)

  • Thanks. Since "Some requests (e.g. image uploading) should be routed to dedicated backend servers. So, URL-based balancing is required." (as I updated the question), LVS might not serve my requirements. – Morgan Cheng Jul 25 '11 at 03:39
  • BTW, the hiding of IP address by HAProxy is just for HTTPS, or for HTTP as well? – Morgan Cheng Jul 25 '11 at 03:39
  • It's only for TCP-mode backends, so anything that's not HTTP will not see the IP address since it's sent as an HTTP Header (X-Forwarded-For). –  Jul 25 '11 at 06:55
  • Not exactly. HAProxy may connect to the server using the client's IP address, but that requires kernel cooperation (e.g. the TPROXY feature). This should be avoided wherever possible though. – Willy Tarreau Jul 30 '11 at 10:52
  • @Morgan, hiding of the IP is just for HTTPS. –  Jul 25 '11 at 06:50
3

haproxy since v. 1.5, released in 2014, does support SSL like a charm, including SNI.

Therefore I would put haproxy in front of nginx.

Greg Dubicki
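The layout this answer suggests, as an added example that is not part of the original answer: a single HAProxy 1.5+ front end that terminates SSL, forces HTTPS for the login page, routes uploads by URL and passes the client address on in X-Forwarded-For. The certificate path, the `/login` and `/upload` prefixes, the backend names and the 192.0.2.x addresses are all assumed placeholders.

```haproxy
# Constructed example for HAProxy 1.5+; paths, names and addresses are placeholders.
global
    maxconn 4096

defaults
    mode http                       # HTTP mode is required for URL-based routing
    option forwardfor               # append X-Forwarded-For with the client's address
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    compression algo gzip
    compression type text/html text/css application/javascript

frontend www
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/example.pem   # placeholder PEM (cert + key)

    acl is_login  path_beg /login
    acl is_upload path_beg /upload

    # Drop any X-Forwarded-For sent by the client so the backends only
    # ever see the value HAProxy itself adds.
    http-request del-header X-Forwarded-For

    # Overwrite (not append) the scheme header for the same reason.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }

    # The login page is never served over plain HTTP.
    redirect scheme https code 301 if is_login !{ ssl_fc }

    use_backend uploads if is_upload
    default_backend web

backend web
    balance roundrobin
    server web1 192.0.2.11:8080 check
    server web2 192.0.2.12:8080 check

backend uploads
    balance leastconn
    server up1 192.0.2.21:8080 check
```

The web servers behind it should log the X-Forwarded-For value and accept that header only from the HAProxy host's address. HTTP caching is left to those servers in this sketch.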
2

You should just use nginx, it does everything you need as a frontend webserver. If you need front-end load-balancing, use an L3 load balancer such as Linux Virtual Server, because it doesn't get in the way like HAproxy does. Use HAproxy if required to do behind-the-scenes load balancing, like balancing requests to a pool of backend workers.

womble
  • 2
    It is said that Nginx load balancing is simple, just a round-robin approach. That's the reason I'm taking HAProxy into consideration. – Morgan Cheng Jul 24 '11 at 09:17
  • 1
    It is said correctly; I've said it myself. That's why I don't recommend using nginx as a load balancer, and you won't find any mention of using nginx as a load balancer in this (or any other) answer of mine. – womble Jul 24 '11 at 09:34
  • That's only if you're afraid of using your own compile from source (or ports on FreeBSD). There are multiple 3rd party modules which improve load balancing: http://wiki.nginx.org/3rdPartyModules – Martin Fjordvald Jul 24 '11 at 10:33
  • 2
    Improve, yes. Make adequate, no. My thoughts on this can be found in http://hezmatt.org/~mpalmer/blog/2011/07/24/followup-to-ssl-session-caching-with-nginx.html (search for "not pretty"). – womble Jul 24 '11 at 10:49