DOC: configuration: fix alphabetical order of bind options
Put the curves, ecdhe, severity-output, v4v6 and v6only keywords at the
right place.
Fix issue #2594.
Could be backported to every stable version.
(cherry picked from commit 0cc2913aec965dabc579cd90a3d91a440f29967c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit f06071283a6e359815a71ea41f4540b724dfb89a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit c642f7118cf8a3e1dd32471146e86dd052fd5749)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 18ae41d..54d4957 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14971,19 +14971,6 @@
Sets the socket's backlog to this value. If unspecified or 0, the frontend's
backlog is used instead, which generally defaults to the maxconn value.
-curves <curves>
- This setting is only available when support for OpenSSL was built in. It sets
- the string describing the list of elliptic curves algorithms ("curve suite")
- that are negotiated during the SSL/TLS handshake with ECDHE. The format of the
- string is a colon-delimited list of curve name.
- Example: "X25519:P-256" (without quote)
- When "curves" is set, "ecdhe" parameter is ignored.
-
-ecdhe <named curve>
- This setting is only available when support for OpenSSL was built in. It sets
- the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
- used named curve is prime256v1.
-
ca-file <cafile>
This setting is only available when support for OpenSSL was built in. It
designates a PEM file from which to load CA certificates used to verify
@@ -15227,6 +15214,14 @@
certW.pem *.domain.tld !secure.domain.tld
certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld
+curves <curves>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the string describing the list of elliptic curves algorithms ("curve suite")
+ that are negotiated during the SSL/TLS handshake with ECDHE. The format of the
+ string is a colon-delimited list of curve name.
+ Example: "X25519:P-256" (without quote)
+ When "curves" is set, "ecdhe" parameter is ignored.
+
defer-accept
Is an optional keyword which is supported only on certain Linux kernels. It
states that a connection will only be accepted once some data arrive on it,
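Review bot: the relocated "curves" entry (the lines starting at `+curves <curves>`) is moved verbatim, so it keeps two wording slips that are cheap to fix while the block is being touched: "a colon-delimited list of curve name" should read "curve names", and "(without quote)" should be "(without quotes)". The ordering itself is right, "curves" now sits between "crt-list" and "defer-accept". It is also worth confirming that a blank separator line precedes `curves <curves>` in the file, since the hunk shows it directly after the `certS.pem [...] secure.domain.tld` example line while every other entry in this section is preceded by one.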
@@ -15240,6 +15235,11 @@
an established connection while the proxy will only see it in SYN_RECV. This
option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
+ecdhe <named curve>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
+ used named curve is prime256v1.
+
expose-fd listeners
This option is only usable with the stats socket. It gives your stats socket
the capability to pass listeners FD to another HAProxy process.
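Review bot: "By default, used named curve is prime256v1." in the moved "ecdhe" text reads awkwardly; suggest "The default named curve is prime256v1." Since the entry is already being touched, mirroring the cross-reference that the "curves" entry carries ("When "curves" is set, "ecdhe" parameter is ignored.") would help readers who land on "ecdhe" first, for example "This parameter is ignored when "curves" is set." Placement between "defer-accept" and "expose-fd" is alphabetically correct.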
@@ -15338,18 +15338,6 @@
- "admin" should be used with care, as everything is permitted (e.g. clear
all counters).
-severity-output <format>
- This setting is used with the stats sockets only to configure severity
- level output prepended to informational feedback messages. Severity
- level of messages can range between 0 and 7, conforming to syslog
- rfc5424. Valid and successful socket commands requesting data
- (i.e. "show map", "get acl foo" etc.) will never have a severity level
- prepended. It is ignored by other sockets. <format> can be one of :
- - "none" (default) no severity level is prepended to feedback messages.
- - "number" severity level is prepended as a number.
- - "string" severity level is prepended as a string following the
- rfc5424 convention.
-
maxconn <maxconn>
Limits the sockets to this number of concurrent connections. Extraneous
connections will remain in the system's backlog until a connection is
@@ -15613,6 +15601,18 @@
See https://www.rfc-editor.org/rfc/rfc9000.html#section-8.1.2 for more
information about QUIC retry.
+severity-output <format>
+ This setting is used with the stats sockets only to configure severity
+ level output prepended to informational feedback messages. Severity
+ level of messages can range between 0 and 7, conforming to syslog
+ rfc5424. Valid and successful socket commands requesting data
+ (i.e. "show map", "get acl foo" etc.) will never have a severity level
+ prepended. It is ignored by other sockets. <format> can be one of :
+ - "none" (default) no severity level is prepended to feedback messages.
+ - "number" severity level is prepended as a number.
+ - "string" severity level is prepended as a string following the
+ rfc5424 convention.
+
shards <number> | by-thread | by-group
In multi-threaded mode, on operating systems supporting multiple listeners on
the same IP:port, this will automatically create this number of multiple
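Review bot: in the moved "severity-output" text, "(i.e. "show map", "get acl foo" etc.)" lists examples rather than an exhaustive definition, so "e.g." is the right abbreviation; "syslog rfc5424" and "rfc5424 convention" would read better as "RFC 5424", matching the "RFC 4492" style used in the "ecdhe" entry; and "can be one of :" has a stray space before the colon. Placement before "shards" is alphabetically correct.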
@@ -15791,20 +15791,6 @@
kernel version. Some distribution kernels include backports of the feature,
so check for support with your vendor.
-v4v6
- Is an optional keyword which is supported only on most recent systems
- including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
- and IPv6 when it uses the default address. Doing so is sometimes necessary
- on systems which bind to IPv6 only by default. It has no effect on non-IPv6
- sockets, and is overridden by the "v6only" option.
-
-v6only
- Is an optional keyword which is supported only on most recent systems
- including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
- when it uses the default address. Doing so is sometimes preferred to doing it
- system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
- has precedence over the "v4v6" option.
-
uid <uid>
Sets the owner of the UNIX sockets to the designated system uid. It can also
be set by default in the global section's "unix-bind" statement. Note that
@@ -15819,6 +15805,20 @@
setting except that the user name is used instead of its uid. This setting is
ignored by non UNIX sockets.
+v4v6
+ Is an optional keyword which is supported only on most recent systems
+ including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
+ and IPv6 when it uses the default address. Doing so is sometimes necessary
+ on systems which bind to IPv6 only by default. It has no effect on non-IPv6
+ sockets, and is overridden by the "v6only" option.
+
+v6only
+ Is an optional keyword which is supported only on most recent systems
+ including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
+ when it uses the default address. Doing so is sometimes preferred to doing it
+ system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
+ has precedence over the "v4v6" option.
+
verify [none|optional|required]
This setting is only available when support for OpenSSL was built in. If set
to 'none', client certificate is not requested. This is the default. In other
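Review bot: both moved entries still say "supported only on most recent systems including Linux kernels >= 2.4.21"; 2.4.21 is a 2003-era kernel, so "most recent" is stale and could be dropped or reworded to "supported on Linux kernels >= 2.4.21 and most other modern systems". The two entries describe their interaction consistently ("is overridden by the "v6only" option" versus "has precedence over the "v4v6" option"), and placing them after "user" and before "verify" matches the ASCII ordering used elsewhere in the section, since digits sort before letters and "v6only" therefore precedes "verify".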