The main use-case for fabio is to distribute incoming HTTP(S) requestsfrom the internet to frontend (FE) services which can handle these requests.In this scenario the FE services then use the service discovery feature inconsul to find backend (BE) services they need in orderto serve the request.

That means that fabio is currently not used as an FE-BE or BE-BE router toroute traffic among the services themselves since the service discovery ofconsul already solves that problem. Having said that,there is nothing that inherently prevents fabio from being used that way.It just means that we are not doing it.

In the following setup fabio is configured to listen on the public ip(s)where it can optionally terminate SSL traffic for one or more domains - one ip per domain.

                                           +--> service-a                                           |internet -- HTTP/HTTPS --> fabio -- HTTP --+--> service-b                                           |                                           +--> service-c

To scale fabio you can deploy it together with the frontend services which provideshigh-availability and distributes the network bandwidth.

           +- HTTP/HTTPS -> fabio -+- HTTP -> service-a (host-a)           |                       |internet --+- HTTP/HTTPS -> fabio -+- HTTP -> service-b (host-b)           |                       |           +- HTTP/HTTPS -> fabio -+- HTTP -> service-c (host-c)

In the following setup fabio is configured receive all incoming trafficfrom an existing gateway which also terminates SSL for one or more domains.

                                                          +--> service-a                                                          |internet -- HTTP/HTTPS --> LB -- HTTP --> fabio -- HTTP --+--> service-b                                                          |                                                          +--> service-c

Again, to scale fabio you can deploy it together with the frontend serviceswhich provides high-availability and distributes the network bandwidth.

                               +- HTTP -> fabio -+-> service-a (host-a)                               |                 |internet -- HTTP/HTTPS --> LB -+- HTTP -> fabio -+-> service-b (host-b)                               |                 |                               +- HTTP -> fabio -+-> service-c (host-c)

You can deploy fabio behind anAmazon ELB and enablePROXY protocol supportto get the remote address and port of the client.

                                +- HTTP w/PROXY proto -> fabio -+-> service-a (host-a)                                |                               |internet -- HTTP/HTTPS --> ELB -+- HTTP w/PROXY proto -> fabio -+-> service-b (host-b)                                |                               |                                +- HTTP w/PROXY proto -> fabio -+-> service-c (host-c)

You can deploy fabio as the target of anAmazon API Gateway.

internet -- HTTP/HTTPS --> API GW -+- HTTP -> fabio -+-> service-b (host-b)

or behind an ELB with PROXY protocol support:

                                           +- HTTP w/PROXY -> fabio -+-> service-a (host-a)                                           |                         |internet -- HTTP/HTTPS --> API GW --> ELB -+- HTTP w/PROXY -> fabio -+-> service-b (host-b)                                           |                         |                                           +- HTTP w/PROXY -> fabio -+-> service-c (host-c)

You can authenticate calls from the API Gateway with a client certificate. This requires that youconfigure an HTTPS listener on fabio with a valid certificate.

internet -- HTTPS --> API GW -+- HTTPS w/client cert -> fabio -+-> service

To enable fabio to validate the Amazongenerated certificate you need to configure theaws.apigw.cert.cn as follows:

proxy.addr = 1.2.3.4:9999;your/cert.pem;your/key.pem;api-gw-cert.pemaws.apigw.cert.cn = ApiGateway

api-gw-cert.pem is the certificate generated in the AWS Management Console.your/cert.pem andyour/key.pemis the certificate/key pair for the HTTPS certificate. Since the Amazon API Gateway certificates don't have theCA flag set fabio needs to trust them for the client certificate authentication to work. Otherwise, you will get anTLS handshake error: failed to verify client's certificate. SeeIssue 108 for details.

Note: Theaws.apigw.cert.cn parameter will not be supported in the upcoming 1.2 release which supports dynamic certificate sources. You will have to add thecaupgcn=ApiGateway parameter to the certificate source configuration instead. SeeCertificate Stores for more detail.