HAProxy has been and continues to be one of my favorite tools because of features like this. Stuff where you might have to start digging around, say, arcane and fragile Apache rewrites, becomes a series of surprisingly readable functional-like statements that make reasoning about the implications of those statements easy. Even for HAProxy newbies, they can get going really fast and have the confidence that their changes aren't going to lead to major breakage because of its readability.
Just today I deployed some HAProxy ACLs to transparently partition traffic for new API features off of a customer's main legacy application onto a dedicated cluster of API machines. It still surprises me just how easy doing something like that is. The most difficult part of that process was remembering the business logic--to append a query string value that that API expected to see in the request for this part of the migration. This is completely unlike munging around Apache rewrites and hoping that you didn't leave off an 'L' and make it start looping, or forget to append the query string, stuff like that.
I think that if you work with anything web-facing, regardless of the scale, you'd be well served by learning even HAProxy's most basic features and building from there. You'd be astounded at how far you can get with even a basic configuration.
I absolutely love HAProxy ACLs. I use them to rewrite Let's Encrypt requests to another destination so I can cleanly request certificates on the proxy host without downtime or configuring backends or backend servers.
I've also recently migrated one proxy from Traefik to HAProxy. Previously I had two proxies, one with T and one with HAP, for different IP ingests; now it's one HAP. Though I don't have failover, since the networking in LXC seems to dislike multiple interfaces on the same subnet and doesn't seem to like HAProxy trying to listen on specific interfaces either; that'll have to move to VMs. (I need separated frontends with separate IPs.)
The easy part there is that I fully automated HAProxy deployment including certificates with Ansible, so moving from container to VM will be a breeze.
Lastly, performance is amazing. I've never had HAProxy even hiccup; even when I got DDoS'd at some point, HAProxy held up like a champ.
I switched from nginx to HAProxy for my internal reverse-proxying needs and it is excellent. The configuration is a bit more verbose, but it handles every app (including WebSockets, weird RPC, cookies, etc.) with ease.
Shameless self-plug on porting a basic HAProxy use case to Envoy
It might give you an insight into how Istio et al. are doing their magic through Envoy.
This is my first tech post; any comments are appreciated.
Damn. All these years and I never realized anonymous/inlined ACLs were possible.
Anyone tried Traefik?
Thinking of using it for a new home-based reverse proxy solution over HAProxy.
I use HAProxy through pfSense to route external traffic to my internal network over SSL behind the firewall. It's been painless and great.