Tula Networks
Documentation
Toggle sidebar

Layer 7 Load Balancing

Configure HTTP/HTTPS load balancing with HAProxy

Layer 7 Load Balancing

Layer 7 load balancing operates at the application layer of the OSI model, inspecting the content of HTTP and HTTPS requests to make intelligent routing decisions. This enables advanced traffic management capabilities including host-based routing, path-based routing, header manipulation, and SSL termination.

How It Works

Tula's Layer 7 load balancing is powered by HAProxy, a widely deployed, high-performance reverse proxy and load balancer. Unlike Layer 4 balancing, L7 load balancing terminates the client connection at the load balancer. HAProxy establishes a separate connection to the selected backend server, acting as a full application-layer proxy. This architecture allows the load balancer to inspect, modify, and route requests based on their HTTP content.

When a client sends a request to an L7 VIP, HAProxy parses the HTTP headers, evaluates the configured routing rules, selects a backend server, and forwards the request. The backend's response follows the reverse path through HAProxy back to the client.

HTTP and HTTPS Support

Layer 7 VIPs can be configured for plain HTTP or HTTPS:

  • HTTP: HAProxy listens for unencrypted HTTP traffic on the configured port. Use this for internal services or when SSL is terminated upstream.
  • HTTPS: HAProxy terminates SSL/TLS, decrypting incoming traffic and forwarding requests to backends over HTTP or re-encrypting them for end-to-end SSL. Tula integrates with Let's Encrypt for automated certificate provisioning and renewal. See the SSL documentation for details.

Host-Based Routing

Host-based routing directs traffic to different backend pools based on the Host header in the HTTP request. This allows a single VIP to serve multiple domains or subdomains, each with its own set of backend servers.

For example, requests to app.example.com can be routed to application servers while requests to api.example.com are routed to API servers, all sharing the same IP address and port.

To configure host-based routing, define routing rules within the VIP configuration specifying the hostname pattern and the target backend group for each rule.

Path-Based Routing

Path-based routing selects backends based on the URL path of incoming requests. This is useful for architectures where different services handle different URL prefixes.

A typical configuration might route /api/* to a pool of API servers and /static/* to a pool of content servers, with a default rule sending all other traffic to the main application pool.

Path rules are evaluated in order, and the first matching rule determines the target backend group.

Header Manipulation

HAProxy can inspect, add, modify, and remove HTTP headers on both requests and responses. Common use cases include:

  • X-Forwarded-For: Inserting the client's real IP address so backend servers can identify the originating client.
  • X-Forwarded-Proto: Indicating whether the original client connection used HTTP or HTTPS.
  • Custom headers: Adding or stripping headers for security, routing, or application-specific purposes.
  • HSTS: Adding Strict-Transport-Security headers to enforce HTTPS connections.

Connection Reuse

HAProxy maintains persistent connections to backend servers and reuses them across multiple client requests. This reduces the overhead of repeatedly establishing TCP connections and performing TLS handshakes with backends. Connection reuse is enabled by default and is particularly beneficial for high-request-rate workloads where connection setup costs would otherwise be significant.

Configuring an L7 VIP

  1. Navigate to Load Balancing > Virtual IPs and click Add VIP.
  2. Set the Protocol to HTTP or HTTPS.
  3. Provide the VIP IP address and port (typically 80 for HTTP, 443 for HTTPS).
  4. Configure routing rules for host-based or path-based routing as needed.
  5. Add backend servers to each backend group.
  6. Configure health checks. HTTP health checks that verify a specific URL and expected response code are recommended for L7 services.
  7. Save and Apply the configuration.

Next Steps

Learn about the available scheduling strategies in Load Balancing Algorithms, or configure Session Persistence for stateful applications.