blob: f72a95b7b1b3ceb4908ea6ca0dfd0a7c220f6a35 [file] [log] [blame]
----------------------
HAProxy
Configuration Manual
----------------------
version 1.3.13
willy tarreau
2007/10/18
This document covers the configuration language as implemented in the version
specified above. It does not provide any hint, example or advice. For such
docuemntation, please refer to the Reference Manual or the Architecture Manual.
HAProxy's configuration process involves 3 major sources of parameters :
- the arguments from the command-line, which always take precedence
- the "global" section, which sets process-wide parameters
- the proxies sections which can take form of "defaults", "listen",
"frontend" and "backend".
1. Global parameters
--------------------
Parameters in the "global" section are process-wide and often OS-specific. They
are generally set once for all and do not need being changed once correct. Some
of them have command-line equivalents.
The following keywords are supported in the "global" section :
* Process management and security
- chroot
- daemon
- gid
- group
- log
- nbproc
- pidfile
- uid
- ulimit-n
- user
- stats
* Performance tuning
- maxconn
- noepoll
- nokqueue
- nopoll
- nosepoll
- tune.maxpollevents
- spread-checks
* Debugging
- debug
- quiet
1.1) Process management and security
------------------------------------
chroot <jail dir>
Changes current directory to <jail dir> and performs a chroot() there before
dropping privileges. This increases the security level in case an unknown
vulnerability would be exploited, since it would make it very hard for the
attacker to exploit the system. This only works when the process is started
with superuser privileges. It is important to ensure that <jail_dir> is both
empty and unwritable to anyone.
daemon
Makes the process fork into background. This is the recommended mode of
operation. It is equivalent to the command line "-D" argument. It can be
disabled by the command line "-db" argument.
gid <number>
Changes the process' group ID to <number>. It is recommended that the group
ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
be started with a user belonging to this group, or with superuser privileges.
See also "group" and "uid".
group <group name>
Similar to "gid" but uses the GID of group name <group name> from /etc/group.
See also "gid" and "user".
log <address> <facility> [max level]
Adds a global syslog server. Up to two global servers can be defined. They
will receive logs for startups and exits, as well as all logs from proxies
configured with "log global". <address> is an IPv4 address optionally
followed by a colon and an UDP port. If no port is specified, 514 is used
by default (the standard syslog port). <facility> must be one of the 24
standard syslog facilities :
kern user mail daemon auth syslog lpr news
uucp cron auth2 ftp ntp audit alert cron2
local0 local1 local2 local3 local4 local5 local6 local7
An optional level can be specified to filter outgoing messages. By default,
all messages are sent. If a level is specified, only messages with a severity
at least as important as this level will be sent. 8 levels are known :
emerg alert crit err warning notice info debug
nbproc <number>
Creates <number> processes when going daemon. This requires the "daemon"
mode. By default, only one process is created, which is the recommended mode
of operation. For systems limited to small sets of file descriptors per
process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
pidfile <pidfile>
Writes pids of all daemons into file <pidfile>. This option is equivalent to
the "-p" command line argument. The file must be accessible to the user
starting the process. See also "daemon".
stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Creates a UNIX socket in stream mode at location <path>. Any previously
existing socket will be backed up then replaced. Connections to this socket
will get a CSV-formated output of the process statistics in response to the
"show stat" command followed by a line feed. On platforms which support it,
it is possible to restrict access to this socket by specifying numerical IDs
after "uid" and "gid", or valid user and group names after the "user" and
"group" keywords. It is also possible to restrict permissions on the socket
by passing an octal value after the "mode" keyword (same syntax as chmod).
Depending on the platform, the permissions on the socket will be inherited
from the directory which hosts it, or from the user the process is started
with.
stats timeout <timeout, in milliseconds>
The default timeout on the stats socket is set to 10 seconds. It is possible
to change this value with "stats timeout". The value must be passed in
milliseconds.
stats maxconn <connections>
By default, the stats socket is limited to 10 concurrent connections. It is
possible to change this value with "stats maxconn".
uid <number>
Changes the process' user ID to <number>. It is recommended that the user ID
is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
be started with superuser privileges in order to be able to switch to another
one. See also "gid" and "user".
ulimit-n <number>
Sets the maximum number of per-process file-descriptors to <number>. By
default, it is automatically computed, so it is recommended not to use this
option.
user <user name>
Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
See also "uid" and "group".
1.2) Performance tuning
-----------------------
maxconn <number>
Sets the maximum per-process number of concurrent connections to <number>. It
is equivalent to the command-line argument "-n". Proxies will stop accepting
connections when this limit is reached. The "ulimit-n" parameter is
automatically adjusted according to this value. See also "ulimit-n".
noepoll
Disables the use of the "epoll" event polling system on Linux. It is
equivalent to the command-line argument "-de". The next polling system
used will generally be "poll". See also "nosepoll", and "nopoll".
nokqueue
Disables the use of the "kqueue" event polling system on BSD. It is
equivalent to the command-line argument "-dk". The next polling system
used will generally be "poll". See also "nopoll".
nopoll
Disables the use of the "poll" event polling system. It is equivalent to the
command-line argument "-dp". The next polling system used will be "select".
It should never be needed to didsable "poll" since it's available on all
platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
"nokqueue".
nosepoll
Disables the use of the "speculative epoll" event polling system on Linux. It
is equivalent to the command-line argument "-ds". The next polling system
used will generally be "epoll". See also "nosepoll", and "nopoll".
tune.maxpollevents <number>
Sets the maximum amount of events that can be processed at once in a call to
the polling system. The default value is adapted to the operating system. It
has been noticed that reducing it below 200 tends to slightly decrease
latency at the expense of network bandwidth, and increasing it above 200
tends to trade latency for slightly increased bandwidth.
spread-checks <0..50, in percent>
Sometimes it is desirable to avoid sending health checks to servers at exact
intervals, for instance when many logical servers are located on the same
physical server. With the help of this parameter, it becomes possible to add
some randomness in the check interval between 0 and +/- 50%. A value between
2 and 5 seems to show good results. The default value remains at 0.
1.3) Debugging
---------------
debug
Enables debug mode which dumps to stdout all exchanges, and disables forking
into background. It is the equivalent of the command-line argument "-d". It
should never be used in a production configuration since it may prevent full
system startup.
quiet
Do not display any message during startup. It is equivalent to the command-
line argument "-q".
2) Proxies
----------
Proxy configuration can be located in a set of sections :
- defaults <name>
- frontend <name>
- backend <name>
- listen <name>
A "defaults" section sets default parameters for all other sections following
its declaration. Those default parameters are reset by the next "defaults"
section. See below for the list of parameters which can be set in a "defaults"
section.
A "frontend" section describes a set of listening sockets accepting client
connections.
A "backend" section describes a set of servers to which the proxy will connect
to forward incoming connections.
A "listen" section defines a complete proxy with its frontend and backend
parts combined in one section. It is generally useful for TCP-only traffic.
The following list of keywords is supported. Most of them may only be used in a
limited set of section types.
keyword defaults frontend listen backend
----------------------+----------+----------+---------+---------
acl - X X X
appsession - - X X
balance - - X X
bind - X X -
block - X X X
capture cookie X X X X
capture request header X X X X
capture response header X X X X
clitimeout X X X -
contimeout X X X X
cookie X - X X
default_backend - X X -
disabled - X X X
dispatch - - X X
enabled - X X X
errorfile X X X X
errorloc X X X X
errorloc302 X X X X
errorloc303 X X X X
fullconn X - X X
grace - X X X
log X X X X
maxconn X X X -
mode X X X X
monitor-net X X X -
monitor-uri X X X -
option abortonclose X - X X
option allbackups X - X X
option checkcache X - X X
option clitcpka X X X -
option dontlognull X X X -
option forceclose X - X X
option forwardfor X X X X
option httpchk X - X X
option httpclose X X X X
option httplog X X X X
option logasap X X X -
option nolinger X X X X
option persist X - X X
option redispatch X - X X
option smtpchk X - X X
option srvtcpka X - X X
option ssl-hello-chk X - X X
option tcpka X X X X
option tcplog X X X X
option tcpsplice X X X X
option transparent X X X -
redisp X - X X
redispatch X - X X
reqadd - X X X
reqallow - X X X
reqdel - X X X
reqdeny - X X X
reqiallow - X X X
reqidel - X X X
reqideny - X X X
reqipass - X X X
reqirep - X X X
reqisetbe - X X X
reqitarpit - X X X
reqpass - X X X
reqrep - X X X
reqsetbe - X X X
reqtarpit - X X X
retries X - X X
rspadd - X X X
rspdel - X X X
rspdeny - X X X
rspidel - X X X
rspideny - X X X
rspirep - X X X
rsprep - X X X
server - - X X
source X - X X
srvtimeout X - X X
stats auth X - X X
stats enable X - X X
stats realm X - X X
stats refresh X - X X
stats scope X - X X
stats uri X - X X
stats hide-version X - X X
transparent X X X -
use_backend - X X -
usesrc X - X X
----------------------+----------+----------+---------+---------
keyword defaults frontend listen backend
2.1) using ACLs
---------------
The use of Access Control Lists (ACL) provides a flexible solution to perform
content switching. The principle is simple :
- define test criteria with sets of values
- perform actions only if a set of tests is valid
The actions generally consist in blocking the request, or selecting a backend.
In order to define a test, the "acl" keyword is used. The syntax is :
acl <aclname> <criterion> [flags] [operator] <value> ...
This creates an ACL <aclname> or completes an existing one with new
tests. Those tests apply to the portion of request specified in <criterion>
and may be adjusted with optional flags [flags]. Some criteria also support
an operator which may be specified before the set of values. The values are
of the type supported by the criterion, and are separated by spaces.
There is no limit to the number of ACLs. The unused ones do not affect
performance, they just consume a small amount of memory.
The current flags are currently supported :
-i : ignore case during matching.
-- : force end of flags. Useful when a string looks like one of the flags.
Supported types of values are :
- integers or integer ranges
- strings
- regular expressions
- IP addresses and networks
2.1.1) Matching integers
------------------------
Matching integers is special in that ranges and operators are permitted. Note
that integer matching only applies to positive values. A range is a value
expressed with a lower and an upper bound separated with a colon, both of which
may be omitted.
For instance, "1024:65535" is a valid range to represent a range of
unprivileged ports, and "1024:" would also work. "0:1023" is a valid
representation of privileged ports, and ":1023" would also work.
For an easier usage, comparison operators are also supported. Note that using
operators with ranges does not make much sense and is discouraged. Also, it
does not make much sense to perform order comparisons with a set of values.
Available operators are :
eq : true if the tested value equals at least one value
ge : true if the tested value is greater than or equal to at least one value
gt : true if the tested value is greater than at least one value
le : true if the tested value is less than or equal to at least one value
lt : true if the tested value is less than at least one value
For instance, the following ACL matches negative Content-Length headers :
acl negative-length hdr_val(content-length) lt 0
2.1.2) Matching strings
-----------------------
String matching applies to verbatim strings as they are passed, with the
exception of the backslash ("\") which makes it possible to escape some
characters such as the space. If the "-i" flag is passed before the first
string, then the matching will be performed ignoring the case. In order
to match the string "-i", either set it second, or pass the "--" flag
before the first string.
2.1.3) Matching regular expressions (regexes)
---------------------------------------------
Just like with string matching, regex matching applies to verbatim strings as
they are passed, with the exception of the backslash ("\") which makes it
possible to escape some characters such as the space. If the "-i" flag is
passed before the first regex, then the matching will be performed ignoring
the case. In order to match the string "-i", either set it second, or pass
the "--" flag before the first string.
2.1.4) Matching IPv4 addresses
----------------------------
IPv4 addresses values can be specified either as plain addresses or with a
netmask appended, in which case the IPv4 address matches whenever it is
within the network. Plain addresses may also be replaced with a resolvable
host name, but this practise is generally discouraged as it makes it more
difficult to read configurations.
2.1.5) Available matching criteria
----------------------------------
always_false
This one never matches. All values and flags are ignored. It may be used as
a temporary replacement for another one when adjusting configurations.
always_true
This one always matches. All values and flags are ignored. It may be used as
a temporary replacement for another one when adjusting configurations.
src <ip_address>
Applies to the client's IP address. It is usually used to limit access to
certain resources such as statistics. Note that it is the TCP-level source
address which is used, and not the address of a client behind a proxy.
src_port <integer>
Applies to the client's TCP source port. This has a very limited usage.
dst <ip_address>
Applies to the local IP address the client connected to. It can be used to
switch to a different backend for some alternative addresses.
dst_port <integer>
Applies to the local port the client connected to. It can be used to switch
to a different backend for some alternative ports.
dst_conn <integer>
Applies to the number of currently established connections on the frontend,
including the one being evaluated. It can be used to either return a sorry
page before hard-blocking, or to use a specific backend to drain the requests
when the farm is considered saturated.
method <string>
Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
already check for most common methods.
req_ver <string>
Applies to the version string in the HTTP request, eg: "1.0". Some predefined
ACL already check for versions 1.0 and 1.1.
path <string>
Returns true when the path part of the request, which starts at the first
slash and ends before the question mark, equals one of the strings. It may be
used to match known files, such as /favicon.ico.
path_beg <string>
Returns true when the path begins with one of the strings. This can be used to
send certain directory names to alternative backends.
path_end <string>
Returns true when the path ends with one of the strings. This may be used to
control file name extension.
path_sub <string>
Returns true when the path contains one of the strings. It can be used to
detect particular patterns in paths, such as "../" for example. See also
"path_dir".
path_dir <string>
Returns true when one of the strings is found isolated or delimited with
slashes in the path. This is used to perform filename or directory name
matching without the risk of wrong match due to colliding prefixes. See also
"url_dir" and "path_sub".
path_dom <string>
Returns true when one of the strings is found isolated or delimited with dots
in the path. This may be used to perform domain name matching in proxy
requests. See also "path_sub" and "url_dom".
path_reg <regex>
Returns true when the path matches one of the regular expressions. It can be
used any time, but it is important to remember that regex matching is slower
than other methods. See also "url_reg" and all "path_" criteria.
url <string>
Applies to the whole URL passed in the request. The only real use is to match
"*", for which there already is a predefined ACL.
url_beg <string>
Returns true when the URL begins with one of the strings. This can be used to
check whether a URL begins with a slash or with a protocol scheme.
url_end <string>
Returns true when the URL ends with one of the strings. It has very limited
use. "path_end" should be used instead for filename matching.
url_sub <string>
Returns true when the URL contains one of the strings. It can be used to
detect particular patterns in query strings for example. See also "path_sub".
url_dir <string>
Returns true when one of the strings is found isolated or delimited with
slashes in the URL. This is used to perform filename or directory name
matching without the risk of wrong match due to colliding prefixes. See also
"path_dir" and "url_sub".
url_dom <string>
Returns true when one of the strings is found isolated or delimited with dots
in the URL. This is used to perform domain name matching without the risk of
wrong match due to colliding prefixes. See also "url_sub".
url_reg <regex>
Returns true when the URL matches one of the regular expressions. It can be
used any time, but it is important to remember that regex matching is slower
than other methods. See also "path_reg" and all "url_" criteria.
hdr <string>
hdr(header) <string>
Note: all the "hdr*" matching criteria either apply to all headers, or to a
particular header whose name is passed between parenthesis and without any
space. The header matching complies with RFC2616, and treats as separate
headers all values delimited by comas.
The "hdr" criteria returns true if any of the headers matching the criteria
match any of the strings. This can be used to check exact values. For
instance, checking that "connection: close" is set :
hdr(Connection) -i close
hdr_beg <string>
hdr_beg(header) <string>
Returns true when one of the headers begins with one of the strings. See
"hdr" for more information on header matching.
hdr_end <string>
hdr_end(header) <string>
Returns true when one of the headers ends with one of the strings. See "hdr"
for more information on header matching.
hdr_sub <string>
hdr_sub(header) <string>
Returns true when one of the headers contains one of the strings. See "hdr"
for more information on header matching.
hdr_dir <string>
hdr_dir(header) <string>
Returns true when one of the headers contains one of the strings either
isolated or delimited by slashes. This is used to perform filename or
directory name matching, and may be used with Referer. See "hdr" for more
information on header matching.
hdr_dom <string>
hdr_dom(header) <string>
Returns true when one of the headers contains one of the strings either
isolated or delimited by dots. This is used to perform domain name matching,
and may be used with the Host header. See "hdr" for more information on
header matching.
hdr_reg <regex>
hdr_reg(header) <regex>
Returns true when one of the headers matches of the regular expressions. It
can be used at any time, but it is important to remember that regex matching
is slower than other methods. See also other "hdr_" criteria, as well as
"hdr" for more information on header matching.
hdr_val <integer>
hdr_val(header) <integer>
Returns true when one of the headers starts with a number which matches the
values or ranges specified. This may be used to limit content-length to
acceptable values for example. See "hdr" for more information on header
matching.
hdr_cnt <integer>
hdr_cnt(header) <integer>
Returns true when the count of the headers which matches the values or ranges
specified. This is used to detect presence or absence of a specific header,
as well as to block request smugling attacks by rejecting requests which
contain more than one of certain headers. See "hdr" for more information on
header matching.
2.1.6) Pre-defined ACLs
-----------------------
Some predefined ACLs are hard-coded so that they do not have to be declared in
every frontend which needs them. They all have their names in upper case in
order to avoid confusion. Their equivalence is provided below :
ACL name Equivalent to Usage
---------------+-----------------------------+---------------------------------
TRUE always_true 1 always match
FALSE always_false 0 never match
LOCALHOST src 127.0.0.1/8 match connection from local host
HTTP_1.0 req_ver 1.0 match HTTP version 1.0
HTTP_1.1 req_ver 1.1 match HTTP version 1.1
METH_CONNECT method CONNECT match HTTP CONNECT method
METH_GET method GET HEAD match HTTP GET or HEAD method
METH_HEAD method HEAD match HTTP HEAD method
METH_OPTIONS method OPTIONS match HTTP OPTIONS method
METH_POST method POST match HTTP POST method
METH_TRACE method TRACE match HTTP TRACE method
HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
HTTP_URL_SLASH url_beg / match URL begining with "/"
HTTP_URL_STAR url * match URL equal to "*"
HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
---------------+-----------------------------+---------------------------------
2.1.7) Using ACLs to form conditions
------------------------------------
Some actions are only performed upon a valid condition. A condition is a
combination of ACLs with operators. 3 operators are supported :
- AND (implicit)
- OR (explicit with the "or" keyword or the "||" operator)
- Negation with the exclamation mark ("!")
A condition is formed as a disjonctive form :
[!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Such conditions are generally used after an "if" or "unless" statement,
indicating when the condition will trigger the action.
For instance, to block HTTP requests to the "*" URL with methods other than
"OPTIONS", as well as POST requests without content-length, and GET/HEAD
requests with a content-length greater than 0, and finally every request
which is not either GET/HEAD/POST/OPTIONS !
acl missing_cl hdr_cnt(Content-length) eq 0
block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
block if METH_GET HTTP_CONTENT
block unless METH_GET or METH_POST or METH_OPTIONS
To select a different backend for requests to static contents on the "www" site
and to every request on the "img", "video", "download" and "ftp" hosts :
acl url_static path_beg /static /images /img /css
acl url_static path_end .gif .png .jpg .css .js
acl host_www hdr_beg(host) -i www
acl host_static hdr_beg(host) -i img. video. download. ftp.
# now use backend "static" for all static-only hosts, and for static urls
# of host "www". Use backend "www" for the rest.
use_backend static if host_static or host_www url_static
use_backend www if host_www
See below for the detailed help on the "block" and "use_backend" keywords.