Re: Comparison to nginx
On Fri, Feb 01, 2013 at 12:49:59PM +, William Lewis wrote:
> I couldn't agree more, but I'm really in need of more concrete reasons for pushing back against this.

It is very possible that nginx could do the job right for you. That said, the feedback we get from people who love haproxy for load balancing involves its ability to better resist DDoS attacks, sustain higher loads, better protect the web servers against traffic spikes, support for insane numbers of ACL patterns, and insane numbers of SSL host names to deliver the proper certificate (we already got reports of 50K+ certs loaded on a single listener with no performance degradation). Also I don't know if nginx is able to proxy websocket traffic in stable versions or not yet. However it's an excellent web/application server.

You can tell your boss that many very large web sites use haproxy+varnish+nginx together and use each of them for what it does best. There is no valid reason for deciding to arbitrarily remove any of the 3 when they all excel in their domain. I do think that only incompetent management would insist on cross-dressing any of the 3 products above just for the sake of cost reduction while they're both free!

Hoping this helps,
Willy
Re: Comparison to nginx
Hi William,

I'm not sure I'd change anything that wasn't causing me pain. If nginx is working nicely then there are probably other things that aren't that are more rewarding of attention.

Are there any pain points that you currently have? Maybe haproxy could improve some of those.

Thanks,
Steven

On 1 February 2013 11:09, William Lewis m...@wlewis.co.uk wrote:
> Hi
>
> I'm looking for some advice in comparing haproxy to nginx.
>
> I've been happily using haproxy for all my load balancing needs for the past few years and in my opinion I think it's great. I've recently been working to deploy it in my latest role but am coming up against resistance from supporters of nginx which granted is already a technology widely used in the company but not one that I have any experience with.
>
> Below is the configuration I have developed for my requirements with haproxy, I was hoping that someone that is familiar with both technologies could comment on anything I will be losing if I indeed give in and use nginx instead.
>
> Comments on improvements to the haproxy configuration also welcomed.
>
> Thanks
> Will Lewis
>
> -
>
> global
>     daemon
>     quiet
>     maxconn 20
>     pidfile /local/haproxy/haproxy.pid
>     uid 60003
>     gid 1001
>     chroot /local/haproxy/run
>     log 127.0.0.1 local0
>     log 127.0.0.1 local1 notice
>     log-tag haproxy
>
> defaults
>     log global
>     balance roundrobin
>     mode http
>     monitor-uri /haproxy
>     http-check send-state
>     retries 3
>     timeout connect 6000
>     timeout client 102
>     timeout server 102
>     timeout http-request 6000
>     option abortonclose
>     option forwardfor except 127.0.0.1
>     option http-pretend-keepalive
>     option http-server-close
>     option httplog
>     option log-health-checks
>     option log-separate-errors
>     option redispatch
>     option tcpka
>     option splice-auto
>     errorfile 200 /local/haproxy/errorfiles/200.http
>     errorfile 400 /local/haproxy/errorfiles/400.http
>     errorfile 403 /local/haproxy/errorfiles/403.http
>     errorfile 408 /local/haproxy/errorfiles/408.http
>     errorfile 500 /local/haproxy/errorfiles/500.http
>     errorfile 502 /local/haproxy/errorfiles/502.http
>     errorfile 503 /local/haproxy/errorfiles/503.http
>
> listen stats :7000
>     mode http
>     stats uri /
>
> frontend external
>     bind *:8081
>     bind *:8443 ssl crt /local/haproxy/certs/main.pem crt /local/haproxy/certs/
>     bind *:8444 ssl crt /local/haproxy/certs/partner.pem crt /local/haproxy/certs/
>     acl is_secure dst_port eq 8443 8444
>     maxconn 20
>     # Capture User-Agent and X-Forward-For headers to the log
>     capture request header User-agent len 45
>     capture request header X-Forwarded-For len 15
>     # Capture any 302 redirects to the log
>     capture response header Location len 20
>     # Capture content length to the log
>     capture response header Content-length len 9
>     compression algo gzip
>     compression type text/cmd text/css text/csv text/html text/javascript text/plain text/vcard text/xml application/json application/x-www-form-urlencoded application/javascript application/x-javascript
>     compression offload
>     # Remove X-Proto header added from any external source
>     reqidel ^X-Proto:.*
>     # Presence of X-Proto: SSL header now genuinely indicates we have received communication on SSL
>     reqadd X-Proto:\ SSL if is_secure
>     # We keep track of connection rates and connection numbers
>     stick-table type ip size 200k expire 2m store conn_rate(3s),conn_cur
>     # And we do this per source address
>     tcp-request connection track-sc1 src
>     acl source_rate_abuser sc1_conn_rate gt 500
>     acl source_connections_abuser sc1_conn_cur gt 5000
>     use_backend be_sf-slow if source_rate_abuser || source_connections_abuser
>     default_backend be_sf
>
> backend be_sf
>     cookie srv-eu insert domain .example.com
>     server srv_1 10.0.0.1:9081 cookie b802 check inter 5000 maxconn 700
>     server srv_2 10.0.0.2:9081 cookie b803 check inter 5000 maxconn 700
>     server srv_3 10.0.0.3:9081 cookie b804 check inter 5000 maxconn 700
>     server srv_4 10.0.0.4:9081 cookie b805 check inter 5000 maxconn 700
>     server srv_5 10.0.0.5:9081 cookie b806 check inter 5000 maxconn 700
>     server srv_6 10.0.0.6:9081 cookie b807 check inter 5000 maxconn 700
>     server srv_7 10.0.0.7:9081 cookie b808 check inter 5000 maxconn 700
>     server srv_8 10.0.0.8:9081 cookie b809 check inter 5000 maxconn 700
>     server srv_9 10.0.0.9:9081 cookie b80a check inter 5000 maxconn 700
>
> backend be_sf-slow
>     cookie srv-eu insert domain .example.com
>     server srv_1 10.0.0.1:9081 cookie b802 check inter 5000 maxconn 100
>     server srv_2 10.0.0.2:9081 cookie b803 check inter 5000 maxconn 100
>     server srv_3 10.0.0.3:9081 cookie b804 check inter 5000 maxconn 100
>     server srv_4 10.0.0.4:9081 cookie b805 check inter 5000 maxconn 100
>     server srv_5 10.0.0.5:9081
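
The X-Proto handling and the per-source tracking in the configuration quoted above, modelled in Python as an added example (not code from the thread or from HAProxy). The exact sliding window, the per-connection backend choice and the unmodelled table expiry are simplifying assumptions, and the source addresses are constructed.

```python
import re
from collections import defaultdict, deque

# Thresholds and ports copied from the quoted configuration.
SECURE_PORTS = {8443, 8444}      # acl is_secure dst_port eq 8443 8444
RATE_WINDOW_S = 3.0              # store conn_rate(3s)
RATE_LIMIT = 500                 # acl source_rate_abuser sc1_conn_rate gt 500
CONCURRENT_LIMIT = 5000          # acl source_connections_abuser sc1_conn_cur gt 5000
X_PROTO = re.compile(r"^X-Proto:.*", re.IGNORECASE)  # reqidel ignores case


def sanitize_headers(header_lines, dst_port):
    """Drop any client-supplied X-Proto header, then add a trusted one.

    Mirrors the order in the config: the reqidel rule runs first, and the
    reqadd rule only fires for connections that arrived on an SSL port.
    """
    kept = [h for h in header_lines if not X_PROTO.match(h)]
    if dst_port in SECURE_PORTS:
        kept.append("X-Proto: SSL")
    return kept


class SourceTracker:
    """Simplified model of the stick-table keyed by source address.

    Assumption: an exact sliding window stands in for HAProxy's own rate
    counter, and 'expire 2m' is not modelled.
    """

    def __init__(self):
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.current = defaultdict(int)    # src -> open connections (conn_cur)

    def open_connection(self, src, now):
        window = self.recent[src]
        window.append(now)
        while window and window[0] <= now - RATE_WINDOW_S:
            window.popleft()
        self.current[src] += 1
        return self.pick_backend(src)

    def close_connection(self, src):
        self.current[src] = max(0, self.current[src] - 1)

    def pick_backend(self, src):
        rate_abuser = len(self.recent[src]) > RATE_LIMIT
        conn_abuser = self.current[src] > CONCURRENT_LIMIT
        # use_backend be_sf-slow if source_rate_abuser || source_connections_abuser
        return "be_sf-slow" if rate_abuser or conn_abuser else "be_sf"


if __name__ == "__main__":
    # Constructed request: a client on the plain port claims it used SSL.
    forged = ["Host: www.example.com", "X-Proto: SSL"]
    print(sanitize_headers(forged, 8081))   # forged header is gone
    print(sanitize_headers(forged, 8443))   # exactly one trusted header

    tracker = SourceTracker()
    burst = "198.51.100.7"                  # constructed noisy source
    for i in range(501):                    # 501 connections in half a second
        backend = tracker.open_connection(burst, i * 0.001)
        tracker.close_connection(burst)
    print(burst, "->", backend)
    print("203.0.113.9 ->", tracker.open_connection("203.0.113.9", 0.5))
```

The model makes two properties of the config visible: a forged X-Proto header never reaches the backend on the plain port, and a source that trips either threshold is still served, only through the backend with the lower per-server maxconn.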
Re: Comparison to nginx
Hi Steve,

It's not a question of replacing nginx with haproxy. The existing solution was dns round robin directly to application servers, that then proxy on to a different node if they didn't hold the required state (which is horrible).

I've deployed haproxy in front of this setup but I'm now being asked to replace it again with nginx to harmonize with other infrastructure in the company, and I'm trying to understand what I might lose (other than my time and sanity) in doing that.

Thanks
Will

On Feb 1, 2013, at 11:15 AM, Steven Acreman steven.acre...@alfresco.com wrote:
> Hi William,
>
> I'm not sure I'd change anything that wasn't causing me pain. If nginx is working nicely then there are probably other things that aren't that are more rewarding of attention.
>
> Are there any pain points that you currently have? Maybe haproxy could improve some of those.
>
> Thanks,
> Steven
>
> On 1 February 2013 11:09, William Lewis m...@wlewis.co.uk wrote:
>> Hi
>>
>> I'm looking for some advice in comparing haproxy to nginx.
>>
>> I've been happily using haproxy for all my load balancing needs for the past few years and in my opinion I think it's great. I've recently been working to deploy it in my latest role but am coming up against resistance from supporters of nginx which granted is already a technology widely used in the company but not one that I have any experience with.
>>
>> Below is the configuration I have developed for my requirements with haproxy, I was hoping that someone that is familiar with both technologies could comment on anything I will be losing if I indeed give in and use nginx instead.
>>
>> Comments on improvements to the haproxy configuration also welcomed.
Re: Comparison to nginx
On Fri, Feb 1, 2013 at 11:22 AM, William Lewis m...@wlewis.co.uk wrote:
> Hi Steve,
>
> It's not a question of replacing nginx with haproxy. The existing solution was dns round robin directly to application servers, that then proxy on to a different node if they didn't hold the required state (which is horrible).
>
> I've deployed haproxy in front of this setup but I'm now being asked to replace it again with nginx to harmonize with other infrastructure in the company, and I'm trying to understand what I might lose (other than my time and sanity) in doing that.
>
> Thanks
> Will
>
> On Feb 1, 2013, at 11:15 AM, Steven Acreman steven.acre...@alfresco.com wrote:
>> Hi William,
>>
>> I'm not sure I'd change anything that wasn't causing me pain. If nginx is working nicely then there are probably other things that aren't that are more rewarding of attention.
>>
>> Are there any pain points that you currently have? Maybe haproxy could improve some of those.
>>
>> Thanks,
>> Steven
>>
>> On 1 February 2013 11:09, William Lewis m...@wlewis.co.uk wrote:
>>> Hi
>>>
>>> I'm looking for some advice in comparing haproxy to nginx.
>>>
>>> I've been happily using haproxy for all my load balancing needs for the past few years and in my opinion I think it's great. I've recently been working to deploy it in my latest role but am coming up against resistance from supporters of nginx which granted is already a technology widely used in the company but not one that I have any experience with.
>>>
>>> Below is the configuration I have developed for my requirements with haproxy, I was hoping that someone that is familiar with both technologies could comment on anything I will be losing if I indeed give in and use nginx instead.
>>>
>>> Comments on improvements to the haproxy configuration also welcomed.
Re: Comparison to nginx
I couldn't agree more, but I'm really in need of more concrete reasons for pushing back against this.

On Feb 1, 2013, at 12:40 PM, shouldbe q931 shouldbeq...@gmail.com wrote:
> On Fri, Feb 1, 2013 at 11:22 AM, William Lewis m...@wlewis.co.uk wrote:
>> Hi Steve,
>>
>> It's not a question of replacing nginx with haproxy. The existing solution was dns round robin directly to application servers, that then proxy on to a different node if they didn't hold the required state (which is horrible).
>>
>> I've deployed haproxy in front of this setup but I'm now being asked to replace it again with nginx to harmonize with other infrastructure in the company, and I'm trying to understand what I might lose (other than my time and sanity) in doing that.
>>
>> Thanks
>> Will
>>
>> On Feb 1, 2013, at 11:15 AM, Steven Acreman steven.acre...@alfresco.com wrote:
>>> Hi William,
>>>
>>> I'm not sure I'd change anything that wasn't causing me pain. If nginx is working nicely then there are probably other things that aren't that are more rewarding of attention.
>>>
>>> Are there any pain points that you currently have? Maybe haproxy could improve some of those.
>>>
>>> Thanks,
>>> Steven
>>>
>>> On 1 February 2013 11:09, William Lewis m...@wlewis.co.uk wrote:
>>>> Hi
>>>>
>>>> I'm looking for some advice in comparing haproxy to nginx.
>>>>
>>>> I've been happily using haproxy for all my load balancing needs for the past few years and in my opinion I think it's great. I've recently been working to deploy it in my latest role but am coming up against resistance from supporters of nginx which granted is already a technology widely used in the company but not one that I have any experience with.
>>>>
>>>> Below is the configuration I have developed for my requirements with haproxy, I was hoping that someone that is familiar with both technologies could comment on anything I will be losing if I indeed give in and use nginx instead.
>>>>
>>>> Comments on improvements to the haproxy configuration also welcomed.
RE: Comparison to nginx
For example, Nginx doesn't have uri based load-balancing, you need to code it yourself.

We have tried to use Nginx as a load-balancer for 10Gbit infra, and we got problems with IOps as it was not splice + max speed of 3Gbit/s on Nginx server, while if you go with HAproxy you get 9.6Gbit/s for same amount of requests and files.

From: William Lewis [mailto:will...@netproteus.net] On Behalf Of William Lewis
Sent: Friday, 1 February 2013 13:50
To: shouldbe q931
Cc: Steven Acreman; haproxy@formilux.org
Subject: Re: Comparison to nginx

I couldn't agree more, but I'm really in need of more concrete reasons for pushing back against this.

On Feb 1, 2013, at 12:40 PM, shouldbe q931 shouldbeq...@gmail.com wrote:
> On Fri, Feb 1, 2013 at 11:22 AM, William Lewis m...@wlewis.co.uk wrote:
>> Hi Steve,
>>
>> It's not a question of replacing nginx with haproxy. The existing solution was dns round robin directly to application servers, that then proxy on to a different node if they didn't hold the required state (which is horrible).
>>
>> I've deployed haproxy in front of this setup but I'm now being asked to replace it again with nginx to harmonize with other infrastructure in the company, and I'm trying to understand what I might lose (other than my time and sanity) in doing that.
>>
>> Thanks
>> Will
>>
>> On Feb 1, 2013, at 11:15 AM, Steven Acreman steven.acre...@alfresco.com wrote:
>>> Hi William,
>>>
>>> I'm not sure I'd change anything that wasn't causing me pain. If nginx is working nicely then there are probably other things that aren't that are more rewarding of attention.
>>>
>>> Are there any pain points that you currently have? Maybe haproxy could improve some of those.
>>>
>>> Thanks,
>>> Steven
>>>
>>> On 1 February 2013 11:09, William Lewis m...@wlewis.co.uk wrote:
>>>> Hi
>>>>
>>>> I'm looking for some advice in comparing haproxy to nginx.
>>>>
>>>> I've been happily using haproxy for all my load balancing needs for the past few years and in my opinion I think it's great.
>>>> I've recently been working to deploy it in my latest role but am coming up against resistance from supporters of nginx which granted is already a technology widely used in the company but not one that I have any experience with.
>>>>
>>>> Below is the configuration I have developed for my requirements with haproxy, I was hoping that someone that is familiar with both technologies could comment on anything I will be losing if I indeed give in and use nginx instead.
>>>>
>>>> Comments on improvements to the haproxy configuration also welcomed.
Re: Comparison to nginx
How about going the other way and fully commenting the config, sending it to them and asking them how they would implement all of the things that you are using in HAProxy in nginx. If they pass it back to you as that's your job, then you can reasonably ask them that as you have a working solution in HAProxy, would this not be a waste of resource ? You could even suggest that it might be better for the organisation to move to using HAProxy instead of nginx for its advanced reverse proxy and load balancing capabilities.
Re: Comparison to nginx
Hi,

The reason is simple: You need a load-balancer. HAProxy is a load-balancer with advanced features: many weighted algorithms, many different persistence types (even using application cookies), advanced reporting, etc... Nginx isn't, despite very basic features, a load-balancer. That said, it can be used in simple deployments.

cheers

On Fri, Feb 1, 2013 at 2:14 PM, shouldbe q931 shouldbeq...@gmail.com wrote:
> How about going the other way and fully commenting the config, sending it to them and asking them how they would implement all of the things that you are using in HAProxy in nginx.
>
> If they pass it back to you as that's your job, then you can reasonably ask them that as you have a working solution in HAProxy, would this not be a waste of resource ?
>
> You could even suggest that it might be better for the organisation to move to using HAProxy instead of nginx for its advanced reverse proxy and load balancing capabilities.