HAProxy is the "Swiss Army Knife" of load balancing. Used by GitHub, Reddit, and Instagram, it operates at a scale most of us dream of. It sits in front of your web servers, distributing traffic and shielding them from the internet.
Layer 4 vs Layer 7
- Layer 4 (TCP): Faster. It just forwards packets. It doesn't look inside. It doesn't know if the request is for
/blogor/api. Useful for database load balancing. - Layer 7 (HTTP): Smarter. It reads the HTTP headers. You can route traffic based on URL, cookies, or user-agent. "Send all traffic for
/apito the API servers, and everything else to the Frontend servers."
Algorithm Choice
- Round Robin: The default. Server A, then B, then C. Simple and effective for similar servers.
- Least Connections: Sends traffic to the server with the fewest active connections. Best for long sessions (like WebSockets) where one user might stay connected for hours.
- Source IP Hash: Guarantees that User X always goes to Server A. Essential if your application stores session data locally on the server (though you should really use Redis for that).
Health Checks
HAProxy is your traffic cop. It needs to know who is alive.
Don't just ping the port. Configure an HTTP check:
option httpchk GET /health
Your app should have a /health endpoint that checks "Can I talk to the DB? Can I write to disk?" If the answer is No, HAProxy removes that server from rotation instantly, preventing users from seeing error pages.
SSL Termination
Offload encryption to HAProxy. It handles the heavy math of SSL handshakes, sending plain HTTP to your backend servers. This saves CPU on your web servers and simplifies certificate management to a single place.