The following image is how my system works; they all ran on Docker. I used an HAProxy instance as a router. The question is: should we use it like that? Is there any risk or does it slow down the system? Should we use internal https/2.0?
1 Answer
In my opinion there is little reason or need to speak HTTP/2 all the way through your stack as discussed in my answer to this question. The main benefits for HTTP/2 are over high latency client to server connections and there are not as many benefits over low latency server-server connections, especially as support of HTTP/2 is not universal and support of back end HTTP/2 connections is particularly weak (only Apache supports this at the moment as far as I’m aware).
One of the few reasons for back end connections to be over HTTP/2 is perhaps to allow push from downstream servers, but even that is best handled by the edge server (HAProxy in your case - though that doesn’t yet support this) using link headers and possibly 103 responses. Otherwise you end up with lots of confusion as to whether to push when the client doesn’t support push but the intermediary does. Plus no configuration that I’m aware of supports push all the way through anyway (Apache doesn’t for sure and sees little reason to).
Which brings us back to your setup. It’s fine, and perhaps even recommended, not to use HTTP/2 all the way through for the reasons discussed above. I’m not sure what HAProxy is providing for you and what you mean by front end and backend. Is HAProxy offloading HTTPS for you? Or is it there as a load balancer for many front ends and back ends? Or is it just there to separate frontend and backend requests? How are they differentiated (by domain? By path?)? I presume front end is serving static files using Nginx or Apache and backend is serving dynamically generated content using an application server like Java or Node? Depending on answers to those questions you may want to consider alternatives to your current setup:
Option 1 - Remove HAProxy and pass everything through front end web server:
Front end ==> Back end
Advantages - allows web server to sit in front of app server and add HTTPS, HTTP/2 support (including HTTP/2 Push), security, performance, central logging... etc.
Option 2 - Have HAProxy work in TCP mode and have Front End handle HTTP/2 plus more:
HAProxy ==TCP==> Front end ==HTTP/1==> Back end
Advantages - allows web server to sit in front of app server and add HTTPS, HTTP/2 support (including HTTP/2 Push), security, performance, central logging... etc. Still allows HAProxy to offload HTTPS and/or load balancing.
Option 3 - Stick with what you have
HAProxy ==HTTP/1==> Front end
HAProxy ==HTTP/1==> Back end
Advantages - still gives you HTTP/2, requires no changes. Disadvantages - does not allow HTTP/2 Push until HAProxy supports it, does not allow front end features to be used in backend (e.g. simpler set up of common HTTP features for security and performance, consolidated logging, HTTP/2 Push... etc.).
I discuss a lot of these things in my upcoming book which is available in early preview now if interested in more on this topic.

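One way Option 2 from the answer above could be configured, as an added example that is not part of the original answer: HAProxy balances raw TCP and the front end web server terminates TLS and negotiates HTTP/2 itself. The section names, server names, addresses and ports are assumptions, and this shows the load-balancing variant only, not HTTPS offload at HAProxy.

```haproxy
# Added example: Option 2 with TLS passthrough (HAProxy in TCP mode).
# All names, addresses and ports below are assumed placeholders.

global
    # Containers usually log to stdout so the Docker log driver collects it.
    log stdout format raw local0

defaults
    mode    tcp            # no HTTP parsing here: no routing by path or Host header
    log     global
    option  tcplog         # connection-level log line (source, backend, bytes, timers)
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend edge_tls
    # No "ssl crt ..." on this bind: the encrypted stream is forwarded untouched,
    # so the certificate and private key live only on the front end web servers.
    bind :443
    default_backend web_frontends

backend web_frontends
    balance roundrobin
    # The front end web server (Nginx or Apache) terminates TLS, offers h2 via
    # ALPN, and proxies dynamic requests to the app server over HTTP/1.1.
    # send-proxy-v2 carries the real client address; the web server's listener
    # must be configured to accept the PROXY protocol, otherwise access logs
    # and IP-based controls only ever see HAProxy's address.
    server fe1 10.0.0.11:443 check send-proxy-v2
    server fe2 10.0.0.12:443 check send-proxy-v2
```

Because HAProxy never sees the decrypted requests in this layout, request logging, security headers and path-based routing all have to be configured on the front end web server.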