How to Choose Among the Four Common Load‑Balancing Solutions: LVS, Nginx, HAProxy or F5
This article explains why single‑server capacity is limited, lists typical load‑balancing problems, and provides a detailed comparison of four mainstream solutions—LVS, Nginx, HAProxy, and F5—covering their principles, architectures, configuration steps, pros, cons, suitable scenarios, a decision‑tree guide, common fault‑diagnosis procedures, and production‑risk warnings.
Problem Background
In production environments a single server cannot handle unlimited request volume. When traffic grows beyond a server's capacity, traffic must be distributed across multiple servers, and load balancing becomes the core technology.
Operational issues include uneven CPU usage, session loss, backend server failures while the balancer still forwards traffic, complex routing requirements (HTTPS certificates, multi‑domain, path rewriting), and the balancer itself becoming a bottleneck under high concurrency.
Four Load‑Balancing Solutions Overview
LVS (Linux Virtual Server)
LVS is a kernel‑level load balancer operating at Layer 4 (TCP/UDP). It uses the IPVS kernel module for packet forwarding, delivering extremely high performance.
Three operating modes:
NAT mode : The client reaches the LVS director, which rewrites the destination IP/port and forwards the packet to a real server (RS). The response passes back through the director. Advantage: any OS can run on RS. Disadvantage: the director can become a bottleneck.
DR mode (Direct Routing) : LVS only changes the MAC address, sending the packet directly to the RS, which replies directly to the client. Higher performance because the return path bypasses LVS. Requires director and RS in the same subnet and hidden VIP configuration on RS.
TUN mode (IP Tunneling) : Similar to DR but uses an IP tunnel, suitable for cross‑subnet scenarios.
Typical architecture: "Director + RS". High‑availability is achieved with LVS + Keepalived (VRRP). Example configuration steps include installing ipvsadm and keepalived, creating /etc/keepalived/keepalived.conf, defining the virtual server, adding hidden VIP on each RS, and verifying with ipvsadm -Ln and related commands.
Advantages: kernel‑space forwarding with microsecond latency, support for TCP/UDP services (databases, message queues), multiple working modes, easy integration with Keepalived for HA.
Disadvantages: relatively complex configuration, potential bottleneck in NAT mode, no Layer 7 features, basic health‑check capabilities.
Typical scenarios: massive traffic entry points (CDN origin, DNS), services requiring Layer 4 load balancing, environments demanding extreme forwarding performance.
Nginx (Layer 7 Load Balancer)
Nginx is a feature‑rich web server that also provides powerful Layer 7 load balancing. It can parse HTTP/HTTPS, route based on URL, headers, cookies, and perform SSL termination.
Typical use cases include URL‑based routing, header‑based routing, session persistence via cookies, SSL offloading, and request/response modification.
Configuration example:
# Install Nginx
yum install -y nginx
apt-get install -y nginx
# Basic http block with upstreams
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 65535;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "upstream: $upstream_addr upstream_status: $upstream_status';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Rate limiting
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
upstream web_cluster {
least_conn;
server 192.168.2.20:8080 weight=5;
server 192.168.2.21:8080 weight=5;
server 127.0.0.1:8080 backup;
keepalive 32;
}
upstream web_cluster_ip_hash {
ip_hash;
server 192.168.2.20:8080;
server 192.168.2.21:8080;
}
upstream api_backend {
server 192.168.2.30:9000;
server 192.168.2.31:9000;
}
upstream static_backend {
server 192.168.2.40:80;
server 192.168.2.41:80;
}
server {
listen 80;
server_name example.com;
client_max_body_size 100m;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
proxy_send_timeout 300s;
location / {
proxy_pass http://web_cluster;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location /api/ { proxy_pass http://api_backend/; }
location /static/ { proxy_pass http://static_backend; expires 7d; add_header Cache-Control "public, no-transform"; }
location /health.html { return 200 'OK'; access_log off; }
limit_req zone=one burst=10 nodelay;
}
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / { proxy_pass http://web_cluster; }
}
}Advantages: simple configuration, gentle learning curve, rich Layer 7 features (URL rewrite, request modification, rate limiting), native SSL termination, high performance event‑driven architecture, active community.
Disadvantages: lower Layer 4 performance compared to LVS, basic health checks (open‑source version), no UDP support.
Suitable scenarios: web service reverse proxy, micro‑service gateway, front‑end/back‑end separation, SSL termination.
HAProxy (Hybrid Load Balancer)
HAProxy supports both Layer 4 (TCP) and Layer 7 (HTTP/HTTPS) load balancing. It offers higher TCP performance than Nginx and comparable HTTP features, with very flexible ACL‑based routing and extensive health‑check options.
Key features include TCP load balancing for databases (MySQL, Redis, etc.), HTTP/HTTPS load balancing, ACL routing, session persistence via cookies or source IP, request rate limiting, connection limits, statistics page, and Proxy Protocol support.
Configuration example (abbreviated):
# Install HAProxy
yum install -y haproxy
apt-get install -y haproxy
# Global and defaults
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /var/run/haproxy-admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 40960
nbthread 4
tune.bufsize 16384
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout connect 10s
timeout client 30s
timeout server 30s
timeout http-request 10s
timeout http-keep-alive 10s
# Statistics page
listen stats
bind :8404
stats enable
stats uri /stats
stats refresh 30s
stats realm "HAProxy Statistics"
stats auth admin:password123
# HTTP frontend
frontend http_front
bind :80
mode http
default_backend web_backend
acl url_api path_beg /api/
acl url_admin path_beg /admin/
use_backend api_backend if url_api
use_backend admin_backend if url_admin
backend web_backend
mode http
balance roundrobin
option httpchk GET /health HTTP/1.0
http-check expect status 200
server web1 192.168.3.20:8080 check inter 2000 rise 2 fall 3 weight 100
server web2 192.168.3.21:8080 check inter 2000 rise 2 fall 3 weight 100
backend api_backend
mode http
balance leastconn
option httpchk GET /api/health
cookie SERVERID insert indirect nocache
server api1 192.168.3.30:8080 check inter 2000 rise 2 fall 3 weight 100 cookie api1
server api2 192.168.3.31:8080 check inter 2000 rise 2 fall 3 weight 100 cookie api2
backend admin_backend
mode http
balance source
option httpchk GET /admin/health
server admin1 192.168.3.40:8080 check inter 2000 rise 2 fall 3
# TCP MySQL load balancing
frontend mysql_front
bind :3306
mode tcp
default_backend mysql_backend
backend mysql_backend
mode tcp
balance roundrobin
option mysql-check user haproxy_check
server mysql1 192.168.3.30:3306 check port 3306 inter 2000 rise 2 fall 3 weight 100
server mysql2 192.168.3.31:3306 check port 3306 inter 2000 rise 2 fall 3 weight 100 backup
# TCP Redis load balancing
frontend redis_front
bind :6379
mode tcp
default_backend redis_backend
backend redis_backend
mode tcp
balance leastconn
option redis-check
server redis1 192.168.3.50:6379 check inter 2000 rise 2 fall 3
server redis2 192.168.3.51:6379 check inter 2000 rise 2 fall 3
# HTTPS termination
frontend https_front
bind :443 ssl crt /etc/haproxy/certs/example.com.pem
mode http
default_backend web_backend
acl host_api hdr(host) -i api.example.com
acl host_static hdr(host) -i static.example.com
use_backend api_backend if host_api
use_backend static_backend if host_staticAdvantages: supports both Layer 4 and Layer 7, extremely flexible ACL routing, rich health‑check mechanisms, multiple session‑persistence options, comprehensive statistics, excellent performance.
Disadvantages: configuration complexity, no hot‑reload without brief connection interruption, documentation can be dense.
Suitable scenarios: database load balancing (MySQL, PostgreSQL, Redis), mixed Layer 4/7 requirements, complex routing rules, micro‑service entry gateways.
F5 BIG‑IP (Hardware Load Balancer)
F5 BIG‑IP is an enterprise‑grade hardware appliance offering Layer 4 and Layer 7 load balancing with dedicated ASIC acceleration, carrier‑grade reliability, and full ADC (Application Delivery Controller) features.
Compared with software solutions, F5 provides hardware‑level performance (tens of Gbps), 99.999% reliability, complete ADC functions, but at a much higher license and hardware cost.
Key concepts:
Virtual Server : external IP + port presented to clients.
Pool : logical group of backend members.
Pool Member : individual backend IP + port.
Node : physical backend server IP.
Health Monitor : checks backend health.
iRule : TCL‑based traffic scripting for custom logic.
Profile : protocol‑specific processing (HTTP, SSL, etc.).
Basic configuration workflow (Big‑IP LTM):
Create nodes (e.g., create ltm node 192.168.10.20 { address 192.168.10.20 }).
Create health monitors (HTTP, TCP, HTTPS).
Create a pool and attach monitors.
Create a virtual server, bind the pool, and attach profiles.
Configure SSL termination by creating a client‑SSL profile and attaching it to the virtual server.
Save configuration with save sys config.
Typical commands for status inspection include show ltm virtual, show ltm pool, show ltm node, show net vlan, and show route.
Advantages: supports both Layer 4 and Layer 7, comprehensive feature set, excellent performance, vendor support.
Disadvantages: high cost, limited flexibility compared with software, configuration complexity, license expiration can throttle throughput.
Suitable scenarios: financial, telecom, or any industry demanding carrier‑grade stability and performance.
Horizontal Comparison of the Four Solutions
Performance : LVS and F5 deliver microsecond‑level Layer 4 throughput (millions of concurrent connections). Nginx offers high Layer 7 performance, HAProxy sits between them with strong TCP performance and high Layer 7 capability.
Feature Set : LVS only provides Layer 4 load balancing. Nginx and HAProxy both support Layer 7 routing, SSL termination, and session persistence. HAProxy adds richer health‑check options and ACL flexibility. F5 covers all features plus advanced ADC capabilities.
Cost : LVS, Nginx (open‑source), and HAProxy are free; commercial Nginx Plus adds a license. F5 requires tens of thousands of dollars for hardware and license.
Configuration Complexity : LVS is the most complex (kernel modules, Keepalived, ARP tuning). Nginx is the simplest. HAProxy is moderately complex, and F5 sits in the middle due to its extensive feature set.
Selection Decision Tree
Business Scenario
│
├─── Large traffic entry (CDN origin, DNS)
│ └─── LVS + Keepalived
│
├─── Web service reverse proxy, Layer 7 routing
│ │
│ ├─── Simple scenario, low feature demand → Nginx
│ │
│ └─── Complex routing, need flexible ACL → HAProxy
│
├─── Database, cache, other Layer 4 services
│ └─── HAProxy
│
├─── High‑end financial / telecom
│ └─── F5
│
└─── Mixed Layer 4 + Layer 7 requirements
└─── HAProxyPractical Troubleshooting Guide
Issue 1 – LVS Backend Servers All Down
Symptoms : ipvsadm -Ln shows all real servers with 0 active connections; VIP is unreachable.
Investigation Steps :
Verify Keepalived/LVS process status: systemctl status keepalived and ipvsadm -Ln --stats.
Check VRRP communication: monitor logs on backup node and capture VRRP packets with tcpdump -i eth0 vrrp -nn.
Confirm VIP is bound to the interface: ip addr show eth0.
Test connectivity to each RS from the director: curl -v http://192.168.1.20/health and telnet 192.168.1.20 80.
For DR mode, verify ARP settings on RS: cat /proc/sys/net/ipv4/conf/lo/arp_ignore (should be 1) and cat /proc/sys/net/ipv4/conf/lo/arp_announce (should be 2).
Remediation :
Restart failed backend services.
Fix ARP configuration on RS if needed (e.g., echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore).
Reload Keepalived configuration: systemctl reload keepalived.
Issue 2 – Nginx Returns 502 Bad Gateway
Symptoms : curl -v http://example.com returns HTTP 502.
Investigation Steps :
Check Nginx error log for upstream failures.
Validate upstream block syntax with nginx -t.
Confirm backend services are reachable: curl -v http://192.168.2.20:8080/health and curl -v http://192.168.2.21:8080/health.
Inspect backend processes and ports ( netstat -tlnp | grep 8080, ps aux | grep java).
Check resource usage (CPU, memory, disk) on backends.
Review connection counts via Nginx status module and system sockets.
Remediation :
Restart failed backend services.
Increase worker_connections and worker_rlimit_nofile if connections are exhausted.
Adjust proxy timeouts ( proxy_connect_timeout 60s;, proxy_read_timeout 120s;).
Issue 3 – HAProxy Backend Session Imbalance
Symptoms : Statistics show one server handling far more sessions than others.
Investigation Steps :
Check the configured load‑balancing algorithm ( grep "balance" /etc/haproxy/haproxy.cfg).
Verify server weight settings and actual effective weights via
echo "show backend" | socat stdio /var/run/haproxy-admin.sock.
Look for frequent health‑check failures on a particular server.
Confirm which servers are UP using
echo "show servers state" | socat stdio /var/run/haproxy-admin.sock.
Remediation :
Adjust weights to balance load.
Switch algorithm (e.g., from leastconn to roundrobin) if server performance is uneven.
Enable session persistence (source IP or cookie) to keep clients on the same server.
Issue 4 – F5 Virtual Server Unreachable
Investigation Steps :
Inspect virtual server status: show ltm virtual web_vs.
Check pool member health: show ltm pool web_pool members.
Verify node status: show ltm node.
Review VLAN and self‑IP configuration.
Check routing tables.
Validate SSL profile certificates.
Remediation :
Disable failing pool members, fix the backend service, then re‑enable.
Re‑upload or replace expired or corrupted certificates and recreate the SSL profile.
Production‑Level Risk Tips
LVS Risks
DR mode ARP misconfiguration can break traffic flow.
NAT mode may become a bottleneck under heavy load.
VRRP split‑brain can cause both nodes to claim the VIP.
Conflicting iptables rules may interfere with LVS forwarding.
Nginx Risks
Insufficient worker_connections limits concurrency.
Improper upstream keepalive settings can waste memory.
Missing proxy_set_header X-Forwarded-For loses client IP information.
All upstream servers down results in 502 unless a backup server is defined.
HAProxy Risks
Reloading configuration interrupts existing connections.
Incorrect maxconn values can cause queuing or rejection.
Overly aggressive health checks may generate false negatives.
Port conflicts when backend services listen on the same port as HAProxy.
F5 Risks
Unsaved configuration changes are lost after reboot.
License expiration throttles throughput to 10 Mbps.
Complex iRules can degrade performance under high traffic.
Firmware upgrades carry risk; always back up configuration and test first.
Conclusion
Each load‑balancing solution fits distinct scenarios:
LVS : Ideal for massive Layer 4 traffic entry points, paired with Keepalived for HA. Offers the highest performance but limited to basic features.
Nginx : Best for web‑service Layer 7 reverse proxy, easy to configure, suitable for small‑to‑medium deployments.
HAProxy : The most versatile software balancer, supporting both Layer 4 and Layer 7, rich health checks, and flexible ACLs—perfect for mixed workloads.
F5 : Suited for high‑end, carrier‑grade environments (finance, telecom) where stability and performance justify the cost.
Common production patterns include combining LVS as a high‑performance Layer 4 entry with Nginx or HAProxy as a Layer 7 gateway, using HAProxy as a unified entry point for mixed traffic, or employing DNS round‑robin plus LVS for simple HA. When selecting a solution, consider traffic scale, functional requirements, operational cost, and team expertise. For most internet services, starting with Nginx or HAProxy and evolving as needs grow is recommended.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.