In our previous blog post, Using HAProxy as an API Gateway, Part 2 [Authentication], you learned that when you operate HAProxy as an API gateway, you can restrict access to your APIs to only clients that present a valid OAuth 2 access token. In this post, we take it a step further. You will learn how to leverage tokens to grant some users more access than others and then charge for the service.
The HAProxy Kubernetes Ingress Controller publishes two sets of logs: the ingress controller logs and the HAProxy access logs. After you install the HAProxy Kubernetes Ingress Controller, logging jumps to mind as one of the first features to configure. Logs will tell you whether the controller has started up correctly and which version of the controller you’re running, and they will assist in pinpointing any user experience issues.
HAProxy publishes more than 100 metrics about the traffic flowing through it. When you use HAProxy as an API gateway, these give you insight into how clients are accessing your APIs. Several metrics come to mind as particularly useful, since they can help you determine whether you’re meeting your service-level objectives and can detect issues with your services early on. Let’s discuss several that might come in handy.
Your HAProxy load balancer may only ever need to relay traffic for a single domain name, but HAProxy can handle two, ten, or even ten million routing rules without breaking a sweat.
HAProxy connection limits and queues can help protect your servers and boost throughput when load balancing heavy amounts of traffic. When you use HAProxy as an API gateway in front of your services, it has the ability to protect those servers from traffic spikes. By utilizing connection limits and queues, you can ensure traffic flows through your network at an even pace.
We’ve released version 1.5 of the HAProxy Kubernetes Ingress Controller. This version unlocks access to the raw HAProxy configuration language for power users to gain more control. You can also enable mutual TLS authentication between the ingress controller and services, enforce Basic authentication, and return custom error pages to users.
The HAProxy Data Plane API 2.2 lays the foundation for first-class service discovery and introduces native support for Consul. It also adds storage and file handling for SSL certificates, Map files, and SPOE configuration files.
With HAProxy, you can implement a circuit breaker to protect services from widespread failure. Martin Fowler, who is famous for being one of the Gang of Four authors who wrote Design Patterns: Elements of Reusable Object-Oriented Software, hosts a website where he catalogues software design patterns. He defines the Circuit Breaker pattern like this: The basic idea behind the circuit breaker is very simple. You wrap a protected function call in a circuit breaker object, which monitors for failures.
Route SSH connections through HAProxy using the SSH ProxyCommand feature and SNI. Did you know that you can proxy SSH connections through HAProxy and route based on hostname? The advantage is that you can relay all SSH traffic through one public-facing server instead of needing to grant users direct access to potentially hundreds of internal servers from outside the network.
