HAProxy package has landed!

October 14th, 2009 by Scott Ullrich

What started originally as a base system option written by Remco Hoef was rescued from the dead, brought up to the latest HAProxy standard and then turned into a full-blown package so that it can run on 1.2.3 and 2.0!

Check out these screen shots:

http://twitpic.com/lgtba
http://twitpic.com/lgldl
http://twitpic.com/lgl3o
http://twitpic.com/lgkj3
http://twitpic.com/lgkid
http://twitpic.com/lgfea
http://twitpic.com/lgkjn

Install the package and let us know what you think!

13 Responses to “HAProxy package has landed!”

  1. M Says:

    I don’t understand what this offers beyond just plain varnish or pound.

  2. Scott Ullrich Says:

    @M check out the HAProxy website, they can sell it better than I can: http://haproxy.1wt.eu/

  3. Oroboros Says:

    The first thing I noticed reading that URL is that HAProxy lacks SSL support which pound and relayd both have.

    I didn’t go further, since my primary LB need also requires SSL offload. I wanted to use relayd for it originally, but as of OpenBSD 4.4 relayd lacked persistence when transitioning to https from http.

    BTW, had to leave pfsense for that project because I couldn’t figure out how to get a working version of pound on it (no compiler and no reference systems available on a tight deadline unfortunately).

  4. JPM Says:

    @ Scott Ullrich — the URL you list results in a:

    503 Service Unavailable
    No server is available to handle this request.

  5. Chris Buechler Says:

    JPM: not sure which URL you’re talking about, every URL in the post and comments loads fine for me.

  6. TBF Says:

    I have used haproxy for years. It’s awesome. I’m not sure what your issue with SSL is. I pass SSL through it without any issues whatsoever. This is a huge value add to pfsense in my book!

  7. Aldo Says:

    I used to install pfSense and some OpenBSD machines to have haproxy run on it.
    Having a single machine can speed up deployment a lot.
    I’m going to try to see how this all matches up with HA and failover capabilities.
    Great!

  8. Oroboros Says:

    @TBF: I need SSL offloading (per client’s specifications). HAProxy appears capable of doing simple tcp relaying to the SSL port, but not actual offloading. The Sept 24th update says “Developments to support keep-alive have already started, and if time permits, SSL integration will be attempted.”

    So it looks hopeful that will be added someday, and if I ever get a real SSL load-balancer with sticky http -> https transitions in pfsense, I’m committed to moving back to that architecture for this project.

  9. Oroboros Says:

    Also, the HAproxy people say this:

    Having SSL in the load balancer itself means that it becomes the bottleneck. When the load balancer’s CPU is saturated, the overall response times will increase and the only solution will be to multiply the load balancer with another load balancer in front of them.

    We have a very high volume site running on pound with SSL offload, and I barely see the CPU being touched. On a quad core I am running about 5% peak on one core (and suspect that pound lacks true SMP capabilities as other cores appear much more idle).

    Client claims their peak usage rate is 1 million visitors a day. Not sure what percentage are doing SSL though. That is only needed in the check-out process, and is likely very small relative to overall load.

    With this architecture, the client makes an HTTPS request to the front-end which fulfills it with a plain HTTP request on the back end. In that way, each back-end can service more requests since they don’t have SSL overhead.

    I’d like to do arp load-sharing on the front end, but I don’t think that is possible with an application proxy since client-specific values are held in pound’s memory and there is no simple way to share that.

  10. Willy Tarreau Says:

    @Oroboros: I don’t think your SSL load can be qualified as “high” as it simply does not affect a single machine. I have customers running 4 quad-proc dual-core machines at 30% CPU at only 6000 SSL connections per second. Do the math: 0.30 * 4*4*2 = 10 cores at 100% CPU. I already don’t have any single machine able to sustain this load alone. A more common quad-core machine would barely surpass 2400 SSL connections per second, or about 600 SSL connections per second per core. The same machine can do 30000 HTTP connections per second on a single core. You have a ratio of 1:50 between HTTP and HTTPS here. So I will endlessly repeat it, doing SSL on a single point is wrong if you’re looking for scalability. Doing it in order to simplify a deployment of small to medium applications however is fine.

  11. Ask Bjørn Hansen Says:

    On 1.2.3-RC3 the install aborts with “Parse error: syntax error, unexpected T_STRING in /usr/local/pkg/haproxy.inc on line 92”.

  12. Peter van A Says:

    I have the same message as Ask Bjørn Hansen only I am on 1.2.3-RC1

  13. rpg Says:

    haproxy doesn’t install on 1.2.3-RC3 embedded. Any assistance is appreciated.
