I'm from HAProxy Technologies. I'm demonstrating HAProxy Enterprise Edition. In this case, I'm showing two basic features: we're using maps in HAProxy to route traffic, and using SSL termination, because we have a number of features in that regard.

So first thing, what is HAProxy? We are the LBaaS driver in OpenStack. So if you're using OpenStack, you are using HAProxy. Though often people will put HAProxy in front of OpenStack in order to allow for denial of service protection; that is a special reason you'd want to keep it in front, so it can eat up your denial of service attacks. Basically, HAProxy Enterprise Edition is HAProxy open source with backported bug fixes and features from the development branch of the open source into Enterprise. We have a bunch of management and security features around that, and then additionally you get support, either business-hour or 24/7 support, for HAProxy.

As noted, we have a high-performance SSL stack, so we can do about a thousand RSA key exchanges per second, and it additionally supports ECC and RSA, which I'll get into more later. There are a number of advanced security features of note in HAProxy, namely denial of service mitigation. So if you're dealing with GET or POST floods, some features of which I'll mention more later, we can eat tens of thousands of requests per second and send JavaScript challenges, request CAPTCHAs, all sorts of fancy features in that regard. The Enterprise Edition additionally comes with an SQLi and XSS protection module. So if you're interested in that, be sure to stop by and we'll talk more about that.

There are also a lot of routing and health check options. I'll certainly talk more about routing, as that's the entire point of this. But we also have a number of health check options. You can do HTTP requests, look for values, agent checks, basically anything you can think of, because you can of course do scripting. So we can cover all of that.
So next let's start talking about what maps can do here. The first thing you would want to be able to do with a map is move certain users to certain backends. This is a little bit more of an advanced use of a map. But with the http-request set-map option, you can, say, have your backend set a header on a response which moves a client to a higher-priority backend. You could have it look at cookie values to determine whether a specific client should be considered a higher priority, or moved to a members' area backend versus a normal backend. There's a lot you can do with that kind of thing.

Now the next thing a map can do is regular expressions. Basically if you want to check, especially if you're doing things with user agents or very complex URL matches, you can apply regular expressions in a map file and have it output values. If you're using the Enterprise Edition fingerprinting module, this is very useful because you can classify users that way.

Next thing is geolocation databases. For Enterprise customers, we have a collection of scripts that can convert MaxMind GeoIP databases into map files, and this allows you to put them into HTTP headers. So your backends can just check the HTTP header to find out where a client is located, or if you're doing denial of service attack protection, it is very useful to take the location and put it as part of an ACL to apply stricter rate limits to a specific location as compared to the rest of your website or the rest of the world.

You can combine it with ACLs, so you can end up looking at certain URLs; APIs especially need a higher rate limit than other URLs. You can put it into a map so you can have all of your various URLs matched with a specific pattern. You can feed that into a map and then put that into a stick table and get a quick report of how many requests per second you have on each part of your website.
For example, there's a lot of things you can do in that regard when you combine it with stick tables. And you can basically look up any string you can fetch in HAProxy, so URLs, user agents, headers, cookies, parts of cookies can be mapped specifically to a string. So that's very useful for ACLs, as I'll note, and for categorizing clients in stick tables, and there's a lot you can do there.

So before I waste too much time on slides, I will go to a terminal, where I'm much more comfortable anyway, and we'll show you how maps can actually be used.

All right, so this is the basic use of a map, which I will demonstrate, but this is to give you your bearings. This is a very basic frontend. Basically, in FE example, we are terminating SSL, and we're sending TLS ticket keys. If you're using HAProxy Enterprise Edition, we have a module that allows you to synchronize your ticket keys across an entire cluster, so all of your HAProxy servers can decrypt a ticket from any other. And I'll go into what exactly is in that directory later, but basically that is a bunch of ECC and RSA certificates for it to terminate SSL with. It also listens on 80 on the same port. If you wanted to redirect from HTTP to HTTPS, or only allow HTTPS in certain parts of a website, there are easy rules that can be added for that.

And the next rule is just me trying to demonstrate how to use ACLs with maps. So in this case, I'm denying the request if the map file returns the word block. In this case, I just have a single domain for that, but it'll return a 403. And finally, I have use_backend be_ and then the output of the map; the word default means that it will return the word default if some random Host header is presented and it's not located in the map. Of note is that this particular string is the same format that is used in logs and HTTP headers.
So anything that you can do with a collection of values of this, you can put into HTTP headers, you can put into logs. So if you want to have a country code entry in your log, or you want to have a marker of what part of the website you're using, that is easily accessible.

And it's going into one of the following backends. Each of these backends, I just have a single backend server for this example, but they're just doing basic HTTP checks, nothing particularly fancy. But there's a lot more in backends we can get into, especially using maps for server persistence. So if you're interested in that kind of thing, be sure to stop by and we'll go into more detail.

Now, to show an example of it in use before we continue. In this case, with this rule we can make a request for image.example or api.example and it will go to the correct backend without actually having to specify the particular backends in the configuration itself.

So just to give an idea of what the specific map file looks like: we have a list of maps, so we have a list of domains on the left side, and we have a list of output strings that will be used for the backend on the right. Because this is stored in an ebtree format inside of HAProxy, you can have millions of entries. The values you can put in there are IP addresses or IP ranges (especially from a GeoIP map, you will end up with ranges, and you can have millions of them), or strings, or regular expressions, or even binary values, if you want to match specific backends, and then the output. If you're not interested in this and all you're doing is looking to block a bunch of IP addresses or a bunch of patterns, you do not need the second column and instead it's an ACL file, which works exactly the same way. If you're using HAProxy Enterprise Edition, you can add an update LB section to the configuration and you can give it a URL and it will automatically handle updating this URL across your entire cluster.
So to show a little bit about how exactly SSL termination works, which I'll go into in a little more detail later: in this case, this is what I just passed to HAProxy, the certs directory in its configuration, and it's reading these six different files. For the purposes of the demonstration, each of these only has a single common name, so when I requested api.example, it picked the api.example file. It also understands that there's a .ecdsa and a .rsa file. So in this case, because of my cipher priorities, which I'll mention more later, it automatically picked the elliptic curve certificate instead of the RSA one, because that's substantially faster. Another thing of note it supports there is you can add .ocsp and you can have OCSP stapling in HAProxy, which is very useful. And if you're interested in that kind of thing, I have some shell scripts for Enterprise Edition to automatically update your OCSP stapling and ensure that your clients know that your cert is actually valid.

So to go over a few basic things of note in an HAProxy configuration, which are often interesting and overlooked: I have nbproc 2 here, so if you're terminating a lot of SSL, you will want to make sure that HAProxy will run on a number of cores. The stats sockets are separate, but if you've noticed in front of our booth here today, I've had an example of Grafana running on InfluxDB and graphing stats, combining both of these processes together, and you can combine from your entire cluster. So if you're interested in that, I have a guide for installing it that comes with the Enterprise Edition. It's always important to set maxconn: it's much better to have HAProxy queue your connections if you end up under a massive and unexpected load rather than running out of memory, especially when using large stick tables.
That's of note. cpu-map will pin the HAProxy processes to specific cores, and in this case I have the networking pinned to core 3. You generally want the networking pinned to a core that is on the same physical CPU as HAProxy, so that's how I have it configured there.

Syslogging: I don't have too much in the way of log formats here, but we still get fully featured logs with just this, sending it to syslog. That includes important things such as termination states. So if you're looking to debug exactly why a client got an error message, there's a very nice code that'll tell you exactly what went wrong with the connection. There are very specific timings that say exactly how long a request took, and in which part of the request, so you can easily determine exactly what's going on with your configuration.

Don't worry about this bind ciphers line; for all the Enterprise customers, I have an example of this. You could just copy and paste it, but basically I'm telling it to prefer elliptic curve over RSA because that's substantially faster. I'm telling it not to use SSL, and I'm telling it that it should use a 2048 Diffie-Hellman parameter, but it's unlikely to get there because all the modern clients will have gotten picked off in the cipher list ahead of time.

So just to give a basic idea of what I'm doing here, I have a whole bunch of my different backends. They're all basically identical and there's nothing that particularly has to tag them. As you may have noticed, we have a recent new feature, Hitless Reload. So if you wanted to modify this configuration, we can reload HAProxy with absolutely no downtime. But additionally, we can start going into the socket and we can view all of the backends. We can actually change the addresses and port numbers if you want. That brings me probably to the next point, which is you can update maps dynamically via the HAProxy socket.
So even if you are using the community version and using these maps, it's a simple socket command to update them, to view them, or notably, if you're using stick tables, to view the stick table values, so you can output all of your HTTP request rates that you logged with this kind of thing.

So before I get into showing off anything else that's not particularly worthwhile, does anyone have any questions about HAProxy or anything that I've blabbered on about here?

Yeah, it's a full feature to see. So by default, we are the LBaaS driver. So when you configure a load balancer in the OpenStack UI, that's generally the default place for HAProxy. We have a lot of customers. There's two other ways you can deploy it. You can either put HAProxy entirely outside of OpenStack and have it load balance to your various OpenStack services. The benefit of that is that none of the other services get involved yet, so your logging can show your complete timing of everything that's happened inside of OpenStack. Additionally, if you do get a denial of service attack, you're going to want to process and block the request as close as possible to the client, so that you don't have them going through your entire OpenStack infrastructure before it determines the fact that the request is invalid and needs to be challenged.

Anything else? So, for anyone who did not notice before, I will give a quick overview of our Grafana dashboard. Unfortunately, I don't have any data because I haven't made any requests recently, but this is live. This is refreshing every five seconds from data that's retrieved from the HAProxy sockets. In this case, I have errors per backend and overall request rate, but you can do almost anything in that regard that you want.
Another thing of note, I think I removed it from this configuration originally, but HAProxy does have a status page, which is of note. You can either have a CSV value output to view all the statuses of your individual frontends and backends, very useful for monitoring pages, and additionally you can make API calls to it. So I have example curl commands if you want to, say, have your maintenance infrastructure automatically disable a given backend so that you can try tests on it, or put your backends into maintenance. HAProxy will redirect the traffic elsewhere, and then when you're ready you can enable it on one, make sure it's healthy, make sure that the 2XX request rate is right from the output, and then you can go through and re-enable it on all of your other load balancers.

I think that's everything that I have to yell at you about today, so if there are no further questions, thank you.
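
The map-driven frontend described in this talk, written out as an added example (not the speaker's configuration). The file paths, the fe_/be_ names, the map entries and the 192.0.2.x server addresses are all assumptions.

```haproxy
# Constructed sample map, /etc/haproxy/maps/hosts.map (path and entries are
# assumptions): Host header on the left, output string on the right.
#   image.example    image
#   api.example      api
#   blocked.example  block

global
    # Admin-level socket is needed for runtime map updates; keep it owner-only.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_example
    bind :80
    # Directory of certificates plus a TLS ticket key file (both paths assumed).
    bind :443 ssl crt /etc/haproxy/certs/ tls-ticket-keys /etc/haproxy/ticket.keys
    # Return 403 when the Host header maps to the word "block".
    http-request deny if { req.hdr(host),lower,map(/etc/haproxy/maps/hosts.map,default) -m str block }
    # Hosts not listed in the map get "default" and land on be_default.
    use_backend be_%[req.hdr(host),lower,map(/etc/haproxy/maps/hosts.map,default)]

backend be_image
    option httpchk GET /
    server image1 192.0.2.11:80 check

backend be_api
    option httpchk GET /
    server api1 192.0.2.12:80 check

backend be_default
    option httpchk GET /
    server web1 192.0.2.10:80 check

# Runtime map changes over the socket, no reload needed (run from a shell):
#   echo "show map /etc/haproxy/maps/hosts.map" | socat stdio /var/run/haproxy.sock
#   echo "set map /etc/haproxy/maps/hosts.map api.example image" | socat stdio /var/run/haproxy.sock
```

A Host header that carries a port (for example api.example:8443) does not match these keys and falls through to the default value. Because the socket is opened at admin level, anyone who can write to it can reroute or block traffic, so restrict its file permissions.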