blob: 84fc9c9218fb42f6cd5e3633930ad281c47b105c [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau79158882009-06-09 11:59:08 +02005 version 1.4
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreaub03d2982009-07-29 22:38:32 +02007 2009/07/27
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
21 ('\') and continue on next line. If you add sections, please update the
22 summary below for easier searching.
23
24
25Summary
26-------
27
281. Quick reminder about HTTP
291.1. The HTTP transaction model
301.2. HTTP request
311.2.1. The Request line
321.2.2. The request headers
331.3. HTTP response
341.3.1. The Response line
351.3.2. The response headers
36
372. Configuring HAProxy
382.1. Configuration file format
392.2. Time format
40
413. Global parameters
423.1. Process management and security
433.2. Performance tuning
443.3. Debugging
45
464. Proxies
474.1. Proxy keywords matrix
484.2. Alphabetically sorted keywords reference
49
505. Server options
51
526. HTTP header manipulation
53
547. Using ACLs
557.1. Matching integers
567.2. Matching strings
577.3. Matching regular expressions (regexes)
587.4. Matching IPv4 addresses
597.5. Available matching criteria
607.5.1. Matching at Layer 4 and below
617.5.2. Matching contents at Layer 4
627.5.3. Matching at Layer 7
637.6. Pre-defined ACLs
647.7. Using ACLs to form conditions
65
668. Logging
678.1. Log levels
688.2. Log formats
698.2.1. Default log format
708.2.2. TCP log format
718.2.3. HTTP log format
728.3. Advanced logging options
738.3.1. Disabling logging of external tests
748.3.2. Logging before waiting for the session to terminate
758.3.3. Raising log level upon errors
768.3.4. Disabling logging of successful connections
778.4. Timing events
788.5. Session state at disconnection
798.6. Non-printable characters
808.7. Capturing HTTP cookies
818.8. Capturing HTTP headers
828.9. Examples of logs
83
849. Statistics and monitoring
859.1. CSV format
869.2. Unix Socket commands
87
88
891. Quick reminder about HTTP
90----------------------------
91
92When haproxy is running in HTTP mode, both the request and the response are
93fully analyzed and indexed, thus it becomes possible to build matching criteria
94on almost anything found in the contents.
95
96However, it is important to understand how HTTP requests and responses are
97formed, and how HAProxy decomposes them. It will then become easier to write
98correct rules and to debug existing configurations.
99
100
1011.1. The HTTP transaction model
102-------------------------------
103
104The HTTP protocol is transaction-driven. This means that each request will lead
105to one and only one response. Traditionnally, a TCP connection is established
106from the client to the server, a request is sent by the client on the
107connection, the server responds and the connection is closed. A new request
108will involve a new connection :
109
110 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
111
112In this mode, called the "HTTP close" mode, there are as many connection
113establishments as there are HTTP transactions. Since the connection is closed
114by the server after the response, the client does not need to know the content
115length.
116
117Due to the transactional nature of the protocol, it was possible to improve it
118to avoid closing a connection between two subsequent transactions. In this mode
119however, it is mandatory that the server indicates the content length for each
120response so that the client does not wait indefinitely. For this, a special
121header is used: "Content-length". This mode is called the "keep-alive" mode :
122
123 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
124
125Its advantages are a reduced latency between transactions, and less processing
126power required on the server side. It is generally better than the close mode,
127but not always because the clients often limit their concurrent connections to
128a smaller value. HAProxy currently does not support the HTTP keep-alive mode,
129but knows how to transform it to the close mode.
130
131A last improvement in the communications is the pipelining mode. It still uses
132keep-alive, but the client does not wait for the first response to send the
133second request. This is useful for fetching large number of images composing a
134page :
135
136 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
137
138This can obviously have a tremendous benefit on performance because the network
139latency is eliminated between subsequent requests. Many HTTP agents do not
140correctly support pipelining since there is no way to associate a response with
141the corresponding request in HTTP. For this reason, it is mandatory for the
142server to reply in the exact same order as the requests were received.
143
144Right now, HAProxy only supports the first mode (HTTP close) if it needs to
145process the request. This means that for each request, there will be one TCP
146connection. If keep-alive or pipelining are required, HAProxy will still
147support them, but will only see the first request and the first response of
148each transaction. While this is generally problematic with regards to logs,
149content switching or filtering, it most often causes no problem for persistence
150with cookie insertion.
151
152
1531.2. HTTP request
154-----------------
155
156First, let's consider this HTTP request :
157
158 Line Contents
159 number
160 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
161 2 Host: www.mydomain.com
162 3 User-agent: my small browser
163 4 Accept: image/jpeg, image/gif
164 5 Accept: image/png
165
166
1671.2.1. The Request line
168-----------------------
169
170Line 1 is the "request line". It is always composed of 3 fields :
171
172 - a METHOD : GET
173 - a URI : /serv/login.php?lang=en&profile=2
174 - a version tag : HTTP/1.1
175
176All of them are delimited by what the standard calls LWS (linear white spaces),
177which are commonly spaces, but can also be tabs or line feeds/carriage returns
178followed by spaces/tabs. The method itself cannot contain any colon (':') and
179is limited to alphabetic letters. All those various combinations make it
180desirable that HAProxy performs the splitting itself rather than leaving it to
181the user to write a complex or inaccurate regular expression.
182
183The URI itself can have several forms :
184
185 - A "relative URI" :
186
187 /serv/login.php?lang=en&profile=2
188
189 It is a complete URL without the host part. This is generally what is
190 received by servers, reverse proxies and transparent proxies.
191
192 - An "absolute URI", also called a "URL" :
193
194 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
195
196 It is composed of a "scheme" (the protocol name followed by '://'), a host
197 name or address, optionally a colon (':') followed by a port number, then
198 a relative URI beginning at the first slash ('/') after the address part.
199 This is generally what proxies receive, but a server supporting HTTP/1.1
200 must accept this form too.
201
202 - a star ('*') : this form is only accepted in association with the OPTIONS
203 method and is not relayable. It is used to inquiry a next hop's
204 capabilities.
205
206 - an address:port combination : 192.168.0.12:80
207 This is used with the CONNECT method, which is used to establish TCP
208 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
209 other protocols too.
210
211In a relative URI, two sub-parts are identified. The part before the question
212mark is called the "path". It is typically the relative path to static objects
213on the server. The part after the question mark is called the "query string".
214It is mostly used with GET requests sent to dynamic scripts and is very
215specific to the language, framework or application in use.
216
217
2181.2.2. The request headers
219--------------------------
220
221The headers start at the second line. They are composed of a name at the
222beginning of the line, immediately followed by a colon (':'). Traditionally,
223an LWS is added after the colon but that's not required. Then come the values.
224Multiple identical headers may be folded into one single line, delimiting the
225values with commas, provided that their order is respected. This is commonly
226encountered in the "Cookie:" field. A header may span over multiple lines if
227the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
228define a total of 3 values for the "Accept:" header.
229
230Contrary to a common mis-conception, header names are not case-sensitive, and
231their values are not either if they refer to other header names (such as the
232"Connection:" header).
233
234The end of the headers is indicated by the first empty line. People often say
235that it's a double line feed, which is not exact, even if a double line feed
236is one valid form of empty line.
237
238Fortunately, HAProxy takes care of all these complex combinations when indexing
239headers, checking values and counting them, so there is no reason to worry
240about the way they could be written, but it is important not to accuse an
241application of being buggy if it does unusual, valid things.
242
243Important note:
244 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
245 in the middle of headers by LWS in order to join multi-line headers. This
246 is necessary for proper analysis and helps less capable HTTP parsers to work
247 correctly and not to be fooled by such complex constructs.
248
249
2501.3. HTTP response
251------------------
252
253An HTTP response looks very much like an HTTP request. Both are called HTTP
254messages. Let's consider this HTTP response :
255
256 Line Contents
257 number
258 1 HTTP/1.1 200 OK
259 2 Content-length: 350
260 3 Content-Type: text/html
261
262
2631.3.1. The Response line
264------------------------
265
266Line 1 is the "response line". It is always composed of 3 fields :
267
268 - a version tag : HTTP/1.1
269 - a status code : 200
270 - a reason : OK
271
272The status code is always 3-digit. The first digit indicates a general status :
273 - 2xx = OK, content is following (eg: 200, 206)
274 - 3xx = OK, no content following (eg: 302, 304)
275 - 4xx = error caused by the client (eg: 401, 403, 404)
276 - 5xx = error caused by the server (eg: 500, 502, 503)
277
278Please refer to RFC2616 for the detailed meaning of all such codes. The
279"reason" field is just a hint, but is not parsed by clients. Anything can be
280found there, but it's a common practice to respect the well-established
281messages. It can be composed of one or multiple words, such as "OK", "Found",
282or "Authentication Required".
283
284Haproxy may emit the following status codes by itself :
285
286 Code When / reason
287 200 access to stats page, and when replying to monitoring requests
288 301 when performing a redirection, depending on the configured code
289 302 when performing a redirection, depending on the configured code
290 303 when performing a redirection, depending on the configured code
291 400 for an invalid or too large request
292 401 when an authentication is required to perform the action (when
293 accessing the stats page)
294 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
295 408 when the request timeout strikes before the request is complete
296 500 when haproxy encounters an unrecoverable internal error, such as a
297 memory allocation failure, which should never happen
298 502 when the server returns an empty, invalid or incomplete response, or
299 when an "rspdeny" filter blocks the response.
300 503 when no server was available to handle the request, or in response to
301 monitoring requests which match the "monitor fail" condition
302 504 when the response timeout strikes before the server responds
303
304The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3054.2).
306
307
3081.3.2. The response headers
309---------------------------
310
311Response headers work exactly like request headers, and as such, HAProxy uses
312the same parsing function for both. Please refer to paragraph 1.2.2 for more
313details.
314
315
3162. Configuring HAProxy
317----------------------
318
3192.1. Configuration file format
320------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200321
322HAProxy's configuration process involves 3 major sources of parameters :
323
324 - the arguments from the command-line, which always take precedence
325 - the "global" section, which sets process-wide parameters
326 - the proxies sections which can take form of "defaults", "listen",
327 "frontend" and "backend".
328
Willy Tarreau0ba27502007-12-24 16:55:16 +0100329The configuration file syntax consists in lines beginning with a keyword
330referenced in this manual, optionally followed by one or several parameters
331delimited by spaces. If spaces have to be entered in strings, then they must be
332preceeded by a backslash ('\') to be escaped. Backslashes also have to be
333escaped by doubling them.
334
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200335
3362.2. Time format
337----------------
338
Willy Tarreau0ba27502007-12-24 16:55:16 +0100339Some parameters involve values representating time, such as timeouts. These
340values are generally expressed in milliseconds (unless explicitly stated
341otherwise) but may be expressed in any other unit by suffixing the unit to the
342numeric value. It is important to consider this because it will not be repeated
343for every keyword. Supported units are :
344
345 - us : microseconds. 1 microsecond = 1/1000000 second
346 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
347 - s : seconds. 1s = 1000ms
348 - m : minutes. 1m = 60s = 60000ms
349 - h : hours. 1h = 60m = 3600s = 3600000ms
350 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
351
352
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003533. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200354--------------------
355
356Parameters in the "global" section are process-wide and often OS-specific. They
357are generally set once for all and do not need being changed once correct. Some
358of them have command-line equivalents.
359
360The following keywords are supported in the "global" section :
361
362 * Process management and security
363 - chroot
364 - daemon
365 - gid
366 - group
367 - log
368 - nbproc
369 - pidfile
370 - uid
371 - ulimit-n
372 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200373 - stats
Willy Tarreau6a06a402007-07-15 20:15:28 +0200374
375 * Performance tuning
376 - maxconn
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100377 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200378 - noepoll
379 - nokqueue
380 - nopoll
381 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100382 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200383 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200384 - tune.bufsize
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100385 - tune.maxaccept
386 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200387 - tune.maxrewrite
Willy Tarreau6a06a402007-07-15 20:15:28 +0200388
389 * Debugging
390 - debug
391 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200392
393
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003943.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200395------------------------------------
396
397chroot <jail dir>
398 Changes current directory to <jail dir> and performs a chroot() there before
399 dropping privileges. This increases the security level in case an unknown
400 vulnerability would be exploited, since it would make it very hard for the
401 attacker to exploit the system. This only works when the process is started
402 with superuser privileges. It is important to ensure that <jail_dir> is both
403 empty and unwritable to anyone.
404
405daemon
406 Makes the process fork into background. This is the recommended mode of
407 operation. It is equivalent to the command line "-D" argument. It can be
408 disabled by the command line "-db" argument.
409
410gid <number>
411 Changes the process' group ID to <number>. It is recommended that the group
412 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
413 be started with a user belonging to this group, or with superuser privileges.
414 See also "group" and "uid".
415
416group <group name>
417 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
418 See also "gid" and "user".
419
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200420log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200421 Adds a global syslog server. Up to two global servers can be defined. They
422 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100423 configured with "log global".
424
425 <address> can be one of:
426
Willy Tarreau2769aa02007-12-27 18:26:09 +0100427 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100428 no port is specified, 514 is used by default (the standard syslog
429 port).
430
431 - A filesystem path to a UNIX domain socket, keeping in mind
432 considerations for chroot (be sure the path is accessible inside
433 the chroot) and uid/gid (be sure the path is appropriately
434 writeable).
435
436 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200437
438 kern user mail daemon auth syslog lpr news
439 uucp cron auth2 ftp ntp audit alert cron2
440 local0 local1 local2 local3 local4 local5 local6 local7
441
442 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200443 all messages are sent. If a maximum level is specified, only messages with a
444 severity at least as important as this level will be sent. An optional minimum
445 level can be specified. If it is set, logs emitted with a more severe level
446 than this one will be capped to this level. This is used to avoid sending
447 "emerg" messages on all terminals on some default syslog configurations.
448 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200449
450 emerg alert crit err warning notice info debug
451
452nbproc <number>
453 Creates <number> processes when going daemon. This requires the "daemon"
454 mode. By default, only one process is created, which is the recommended mode
455 of operation. For systems limited to small sets of file descriptors per
456 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
457 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
458
459pidfile <pidfile>
460 Writes pids of all daemons into file <pidfile>. This option is equivalent to
461 the "-p" command line argument. The file must be accessible to the user
462 starting the process. See also "daemon".
463
Willy Tarreaufbee7132007-10-18 13:53:22 +0200464stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
465 Creates a UNIX socket in stream mode at location <path>. Any previously
466 existing socket will be backed up then replaced. Connections to this socket
467 will get a CSV-formated output of the process statistics in response to the
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +0100468 "show stat" command followed by a line feed, more general process information
469 in response to the "show info" command followed by a line feed, and a
470 complete list of all existing sessions in response to the "show sess" command
471 followed by a line feed.
Willy Tarreaua8efd362008-01-03 10:19:15 +0100472
473 On platforms which support it, it is possible to restrict access to this
474 socket by specifying numerical IDs after "uid" and "gid", or valid user and
475 group names after the "user" and "group" keywords. It is also possible to
476 restrict permissions on the socket by passing an octal value after the "mode"
477 keyword (same syntax as chmod). Depending on the platform, the permissions on
478 the socket will be inherited from the directory which hosts it, or from the
479 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200480
481stats timeout <timeout, in milliseconds>
482 The default timeout on the stats socket is set to 10 seconds. It is possible
483 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100484 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200485
486stats maxconn <connections>
487 By default, the stats socket is limited to 10 concurrent connections. It is
488 possible to change this value with "stats maxconn".
489
Willy Tarreau6a06a402007-07-15 20:15:28 +0200490uid <number>
491 Changes the process' user ID to <number>. It is recommended that the user ID
492 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
493 be started with superuser privileges in order to be able to switch to another
494 one. See also "gid" and "user".
495
496ulimit-n <number>
497 Sets the maximum number of per-process file-descriptors to <number>. By
498 default, it is automatically computed, so it is recommended not to use this
499 option.
500
501user <user name>
502 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
503 See also "uid" and "group".
504
505
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005063.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200507-----------------------
508
509maxconn <number>
510 Sets the maximum per-process number of concurrent connections to <number>. It
511 is equivalent to the command-line argument "-n". Proxies will stop accepting
512 connections when this limit is reached. The "ulimit-n" parameter is
513 automatically adjusted according to this value. See also "ulimit-n".
514
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100515maxpipes <number>
516 Sets the maximum per-process number of pipes to <number>. Currently, pipes
517 are only used by kernel-based tcp splicing. Since a pipe contains two file
518 descriptors, the "ulimit-n" value will be increased accordingly. The default
519 value is maxconn/4, which seems to be more than enough for most heavy usages.
520 The splice code dynamically allocates and releases pipes, and can fall back
521 to standard copy, so setting this value too low may only impact performance.
522
Willy Tarreau6a06a402007-07-15 20:15:28 +0200523noepoll
524 Disables the use of the "epoll" event polling system on Linux. It is
525 equivalent to the command-line argument "-de". The next polling system
526 used will generally be "poll". See also "nosepoll", and "nopoll".
527
528nokqueue
529 Disables the use of the "kqueue" event polling system on BSD. It is
530 equivalent to the command-line argument "-dk". The next polling system
531 used will generally be "poll". See also "nopoll".
532
533nopoll
534 Disables the use of the "poll" event polling system. It is equivalent to the
535 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100536 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200537 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
538 "nokqueue".
539
540nosepoll
541 Disables the use of the "speculative epoll" event polling system on Linux. It
542 is equivalent to the command-line argument "-ds". The next polling system
543 used will generally be "epoll". See also "nosepoll", and "nopoll".
544
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100545nosplice
546 Disables the use of kernel tcp splicing between sockets on Linux. It is
547 equivalent to the command line argument "-dS". Data will then be copied
548 using conventional and more portable recv/send calls. Kernel tcp splicing is
549 limited to some very recent instances of kernel 2.6. Most verstions between
550 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
551 be used. This option makes it easier to globally disable kernel splicing in
552 case of doubt. See also "option splice-auto", "option splice-request" and
553 "option splice-response".
554
Willy Tarreaufe255b72007-10-14 23:09:26 +0200555spread-checks <0..50, in percent>
556 Sometimes it is desirable to avoid sending health checks to servers at exact
557 intervals, for instance when many logical servers are located on the same
558 physical server. With the help of this parameter, it becomes possible to add
559 some randomness in the check interval between 0 and +/- 50%. A value between
560 2 and 5 seems to show good results. The default value remains at 0.
561
Willy Tarreau27a674e2009-08-17 07:23:33 +0200562tune.bufsize <number>
563 Sets the buffer size to this size (in bytes). Lower values allow more
564 sessions to coexist in the same amount of RAM, and higher values allow some
565 applications with very large cookies to work. The default value is 16384 and
566 can be changed at build time. It is strongly recommended not to change this
567 from the default value, as very low values will break some services such as
568 statistics, and values larger than default size will increase memory usage,
569 possibly causing the system to run out of memory. At least the global maxconn
570 parameter should be decreased by the same factor as this one is increased.
571
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100572tune.maxaccept <number>
573 Sets the maximum number of consecutive accepts that a process may perform on
574 a single wake up. High values give higher priority to high connection rates,
575 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100576 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100577 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
578 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100579 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100580 the limitation. It should normally not be needed to tweak this value.
581
582tune.maxpollevents <number>
583 Sets the maximum amount of events that can be processed at once in a call to
584 the polling system. The default value is adapted to the operating system. It
585 has been noticed that reducing it below 200 tends to slightly decrease
586 latency at the expense of network bandwidth, and increasing it above 200
587 tends to trade latency for slightly increased bandwidth.
588
Willy Tarreau27a674e2009-08-17 07:23:33 +0200589tune.maxrewrite <number>
590 Sets the reserved buffer space to this size in bytes. The reserved space is
591 used for header rewriting or appending. The first reads on sockets will never
592 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
593 bufsize, though that does not make much sense since there are rarely large
594 numbers of headers to add. Setting it too high prevents processing of large
595 requests or responses. Setting it too low prevents addition of new headers
596 to already large requests or to POST requests. It is generally wise to set it
597 to about 1024. It is automatically readjusted to half of bufsize if it is
598 larger than that. This means you don't have to worry about it when changing
599 bufsize.
600
Willy Tarreau6a06a402007-07-15 20:15:28 +0200601
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006023.3. Debugging
603--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200604
605debug
606 Enables debug mode which dumps to stdout all exchanges, and disables forking
607 into background. It is the equivalent of the command-line argument "-d". It
608 should never be used in a production configuration since it may prevent full
609 system startup.
610
611quiet
612 Do not display any message during startup. It is equivalent to the command-
613 line argument "-q".
614
Willy Tarreau6a06a402007-07-15 20:15:28 +0200615
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006164. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200617----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100618
Willy Tarreau6a06a402007-07-15 20:15:28 +0200619Proxy configuration can be located in a set of sections :
620 - defaults <name>
621 - frontend <name>
622 - backend <name>
623 - listen <name>
624
625A "defaults" section sets default parameters for all other sections following
626its declaration. Those default parameters are reset by the next "defaults"
627section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100628section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200629
630A "frontend" section describes a set of listening sockets accepting client
631connections.
632
633A "backend" section describes a set of servers to which the proxy will connect
634to forward incoming connections.
635
636A "listen" section defines a complete proxy with its frontend and backend
637parts combined in one section. It is generally useful for TCP-only traffic.
638
Willy Tarreau0ba27502007-12-24 16:55:16 +0100639All proxy names must be formed from upper and lower case letters, digits,
640'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
641case-sensitive, which means that "www" and "WWW" are two different proxies.
642
643Historically, all proxy names could overlap, it just caused troubles in the
644logs. Since the introduction of content switching, it is mandatory that two
645proxies with overlapping capabilities (frontend/backend) have different names.
646However, it is still permitted that a frontend and a backend share the same
647name, as this configuration seems to be commonly encountered.
648
649Right now, two major proxy modes are supported : "tcp", also known as layer 4,
650and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
651bidirectionnal traffic between two sides. In layer 7 mode, HAProxy analyzes the
652protocol, and can interact with it by allowing, blocking, switching, adding,
653modifying, or removing arbitrary contents in requests or responses, based on
654arbitrary criteria.
655
Willy Tarreau0ba27502007-12-24 16:55:16 +0100656
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006574.1. Proxy keywords matrix
658--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100659
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200660The following list of keywords is supported. Most of them may only be used in a
661limited set of section types. Some of them are marked as "deprecated" because
662they are inherited from an old syntax which may be confusing or functionally
663limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau3842f002009-06-14 11:39:52 +0200664listed with [no] can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200665option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200666and must be disabled for a specific instance. Such options may also be prefixed
667with "default" in order to restore default settings regardless of what has been
668specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100669
Willy Tarreau6a06a402007-07-15 20:15:28 +0200670
671keyword defaults frontend listen backend
672----------------------+----------+----------+---------+---------
673acl - X X X
674appsession - - X X
Willy Tarreauc73ce2b2008-01-06 10:55:10 +0100675backlog X X X -
Willy Tarreau0ba27502007-12-24 16:55:16 +0100676balance X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200677bind - X X -
Willy Tarreau0b9c02c2009-02-04 22:05:05 +0100678bind-process X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200679block - X X X
Willy Tarreau0ba27502007-12-24 16:55:16 +0100680capture cookie - X X -
681capture request header - X X -
682capture response header - X X -
Willy Tarreaue219db72007-12-03 01:30:13 +0100683clitimeout X X X - (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +0100684contimeout X - X X (deprecated)
Willy Tarreau6a06a402007-07-15 20:15:28 +0200685cookie X - X X
686default_backend - X X -
Willy Tarreau0ba27502007-12-24 16:55:16 +0100687disabled X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200688dispatch - - X X
Willy Tarreau0ba27502007-12-24 16:55:16 +0100689enabled X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200690errorfile X X X X
691errorloc X X X X
692errorloc302 X X X X
693errorloc303 X X X X
694fullconn X - X X
695grace - X X X
Willy Tarreaudbc36f62007-11-30 12:29:11 +0100696http-check disable-on-404 X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200697log X X X X
698maxconn X X X -
699mode X X X X
Willy Tarreauc7246fc2007-12-02 17:31:20 +0100700monitor fail - X X -
Willy Tarreau6a06a402007-07-15 20:15:28 +0200701monitor-net X X X -
702monitor-uri X X X -
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100703[no] option abortonclose X - X X
Willy Tarreau4076a152009-04-02 15:18:36 +0200704[no] option accept-invalid-
705 http-request X X X -
706[no] option accept-invalid-
707 http-response X - X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100708[no] option allbackups X - X X
709[no] option checkcache X - X X
710[no] option clitcpka X X X -
711[no] option contstats X X X -
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +0200712[no] option dontlog-normal X X X -
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100713[no] option dontlognull X X X -
714[no] option forceclose X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200715option forwardfor X X X X
716option httpchk X - X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100717[no] option httpclose X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200718option httplog X X X X
Willy Tarreau55165fe2009-05-10 12:02:55 +0200719[no] option http_proxy X X X X
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +0200720[no] option log-separate-
721 errors X X X -
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100722[no] option logasap X X X -
723[no] option nolinger X X X X
Willy Tarreau55165fe2009-05-10 12:02:55 +0200724option originalto X X X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100725[no] option persist X - X X
726[no] option redispatch X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200727option smtpchk X - X X
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100728[no] option splice-auto X X X X
729[no] option splice-request X X X X
730[no] option splice-response X X X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100731[no] option srvtcpka X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200732option ssl-hello-chk X - X X
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200733[no] option tcp-smart-
734 accept X X X -
Willy Tarreau6a06a402007-07-15 20:15:28 +0200735option tcpka X X X X
736option tcplog X X X X
Willy Tarreau4b1f8592008-12-23 23:13:55 +0100737[no] option transparent X - X X
Emeric Brun647caf12009-06-30 17:57:00 +0200738persist rdp-cookie X - X X
Willy Tarreau3a7d2072009-03-05 23:48:25 +0100739rate-limit sessions X X X -
Willy Tarreaub463dfb2008-06-07 23:08:56 +0200740redirect - X X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100741redisp X - X X (deprecated)
742redispatch X - X X (deprecated)
Willy Tarreau6a06a402007-07-15 20:15:28 +0200743reqadd - X X X
744reqallow - X X X
745reqdel - X X X
746reqdeny - X X X
747reqiallow - X X X
748reqidel - X X X
749reqideny - X X X
750reqipass - X X X
751reqirep - X X X
752reqisetbe - X X X
753reqitarpit - X X X
754reqpass - X X X
755reqrep - X X X
756reqsetbe - X X X
757reqtarpit - X X X
758retries X - X X
759rspadd - X X X
760rspdel - X X X
761rspdeny - X X X
762rspidel - X X X
763rspideny - X X X
764rspirep - X X X
765rsprep - X X X
766server - - X X
767source X - X X
Willy Tarreaue219db72007-12-03 01:30:13 +0100768srvtimeout X - X X (deprecated)
Willy Tarreau24e779b2007-07-24 23:43:37 +0200769stats auth X - X X
770stats enable X - X X
771stats realm X - X X
Willy Tarreaubbd42122007-07-25 07:26:38 +0200772stats refresh X - X X
Willy Tarreau24e779b2007-07-24 23:43:37 +0200773stats scope X - X X
774stats uri X - X X
Krzysztof Oledzkid9db9272007-10-15 10:05:11 +0200775stats hide-version X - X X
Willy Tarreau62644772008-07-16 18:36:06 +0200776tcp-request content accept - X X -
777tcp-request content reject - X X -
778tcp-request inspect-delay - X X -
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +0100779timeout check X - X X
Willy Tarreaue219db72007-12-03 01:30:13 +0100780timeout client X X X -
781timeout clitimeout X X X - (deprecated)
782timeout connect X - X X
783timeout contimeout X - X X (deprecated)
Willy Tarreaucd7afc02009-07-12 10:03:17 +0200784timeout http-request X X X X
Willy Tarreaue219db72007-12-03 01:30:13 +0100785timeout queue X - X X
786timeout server X - X X
787timeout srvtimeout X - X X (deprecated)
Willy Tarreau51c9bde2008-01-06 13:40:03 +0100788timeout tarpit X X X X
Willy Tarreau4b1f8592008-12-23 23:13:55 +0100789transparent X - X X (deprecated)
Willy Tarreau6a06a402007-07-15 20:15:28 +0200790use_backend - X X -
Willy Tarreau6a06a402007-07-15 20:15:28 +0200791----------------------+----------+----------+---------+---------
792keyword defaults frontend listen backend
793
Willy Tarreau0ba27502007-12-24 16:55:16 +0100794
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007954.2. Alphabetically sorted keywords reference
796---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100797
798This section provides a description of each keyword and its usage.
799
800
801acl <aclname> <criterion> [flags] [operator] <value> ...
802 Declare or complete an access list.
803 May be used in sections : defaults | frontend | listen | backend
804 no | yes | yes | yes
805 Example:
806 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
807 acl invalid_src src_port 0:1023
808 acl local_dst hdr(host) -i localhost
809
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200810 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100811
812
813appsession <cookie> len <length> timeout <holdtime>
814 Define session stickiness on an existing application cookie.
815 May be used in sections : defaults | frontend | listen | backend
816 no | no | yes | yes
817 Arguments :
818 <cookie> this is the name of the cookie used by the application and which
819 HAProxy will have to learn for each new session.
820
821 <length> this is the number of characters that will be memorized and
822 checked in each cookie value.
823
824 <holdtime> this is the time after which the cookie will be removed from
825 memory if unused. If no unit is specified, this time is in
826 milliseconds.
827
828 When an application cookie is defined in a backend, HAProxy will check when
829 the server sets such a cookie, and will store its value in a table, and
830 associate it with the server's identifier. Up to <length> characters from
831 the value will be retained. On each connection, haproxy will look for this
832 cookie both in the "Cookie:" headers, and as a URL parameter in the query
833 string. If a known value is found, the client will be directed to the server
834 associated with this value. Otherwise, the load balancing algorithm is
835 applied. Cookies are automatically removed from memory when they have been
836 unused for a duration longer than <holdtime>.
837
838 The definition of an application cookie is limited to one per backend.
839
840 Example :
841 appsession JSESSIONID len 52 timeout 3h
842
843 See also : "cookie", "capture cookie" and "balance".
844
845
Willy Tarreauc73ce2b2008-01-06 10:55:10 +0100846backlog <conns>
847 Give hints to the system about the approximate listen backlog desired size
848 May be used in sections : defaults | frontend | listen | backend
849 yes | yes | yes | no
850 Arguments :
851 <conns> is the number of pending connections. Depending on the operating
852 system, it may represent the number of already acknowledged
853 connections, of non-acknowledged ones, or both.
854
855 In order to protect against SYN flood attacks, one solution is to increase
856 the system's SYN backlog size. Depending on the system, sometimes it is just
857 tunable via a system parameter, sometimes it is not adjustable at all, and
858 sometimes the system relies on hints given by the application at the time of
859 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
860 to the listen() syscall. On systems which can make use of this value, it can
861 sometimes be useful to be able to specify a different value, hence this
862 backlog parameter.
863
864 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
865 used as a hint and the system accepts up to the smallest greater power of
866 two, and never more than some limits (usually 32768).
867
868 See also : "maxconn" and the target operating system's tuning guide.
869
870
Willy Tarreau0ba27502007-12-24 16:55:16 +0100871balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +0200872balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +0100873 Define the load balancing algorithm to be used in a backend.
874 May be used in sections : defaults | frontend | listen | backend
875 yes | no | yes | yes
876 Arguments :
877 <algorithm> is the algorithm used to select a server when doing load
878 balancing. This only applies when no persistence information
879 is available, or when a connection is redispatched to another
880 server. <algorithm> may be one of the following :
881
882 roundrobin Each server is used in turns, according to their weights.
883 This is the smoothest and fairest algorithm when the server's
884 processing time remains equally distributed. This algorithm
885 is dynamic, which means that server weights may be adjusted
886 on the fly for slow starts for instance.
887
Willy Tarreau2d2a7f82008-03-17 12:07:56 +0100888 leastconn The server with the lowest number of connections receives the
889 connection. Round-robin is performed within groups of servers
890 of the same load to ensure that all servers will be used. Use
891 of this algorithm is recommended where very long sessions are
892 expected, such as LDAP, SQL, TSE, etc... but is not very well
893 suited for protocols using short sessions such as HTTP. This
894 algorithm is dynamic, which means that server weights may be
895 adjusted on the fly for slow starts for instance.
896
Willy Tarreau0ba27502007-12-24 16:55:16 +0100897 source The source IP address is hashed and divided by the total
898 weight of the running servers to designate which server will
899 receive the request. This ensures that the same client IP
900 address will always reach the same server as long as no
901 server goes down or up. If the hash result changes due to the
902 number of running servers changing, many clients will be
903 directed to a different server. This algorithm is generally
904 used in TCP mode where no cookie may be inserted. It may also
905 be used on the Internet to provide a best-effort stickyness
906 to clients which refuse session cookies. This algorithm is
907 static, which means that changing a server's weight on the
908 fly will have no effect.
909
910 uri The left part of the URI (before the question mark) is hashed
911 and divided by the total weight of the running servers. The
912 result designates which server will receive the request. This
913 ensures that a same URI will always be directed to the same
914 server as long as no server goes up or down. This is used
915 with proxy caches and anti-virus proxies in order to maximize
916 the cache hit rate. Note that this algorithm may only be used
917 in an HTTP backend. This algorithm is static, which means
918 that changing a server's weight on the fly will have no
919 effect.
920
Marek Majkowski9c30fc12008-04-27 23:25:55 +0200921 This algorithm support two optional parameters "len" and
922 "depth", both followed by a positive integer number. These
923 options may be helpful when it is needed to balance servers
924 based on the beginning of the URI only. The "len" parameter
925 indicates that the algorithm should only consider that many
926 characters at the beginning of the URI to compute the hash.
927 Note that having "len" set to 1 rarely makes sense since most
928 URIs start with a leading "/".
929
930 The "depth" parameter indicates the maximum directory depth
931 to be used to compute the hash. One level is counted for each
932 slash in the request. If both parameters are specified, the
933 evaluation stops when either is reached.
934
Willy Tarreau0ba27502007-12-24 16:55:16 +0100935 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +0200936 the query string of each HTTP GET request.
937
938 If the modifier "check_post" is used, then an HTTP POST
939 request entity will be searched for the parameter argument,
940 when the question mark indicating a query string ('?') is not
941 present in the URL. Optionally, specify a number of octets to
942 wait for before attempting to search the message body. If the
943 entity can not be searched, then round robin is used for each
944 request. For instance, if your clients always send the LB
945 parameter in the first 128 bytes, then specify that. The
946 default is 48. The entity data will not be scanned until the
947 required number of octets have arrived at the gateway, this
948 is the minimum of: (default/max_wait, Content-Length or first
949 chunk length). If Content-Length is missing or zero, it does
950 not need to wait for more data than the client promised to
951 send. When Content-Length is present and larger than
952 <max_wait>, then waiting is limited to <max_wait> and it is
953 assumed that this will be enough data to search for the
954 presence of the parameter. In the unlikely event that
955 Transfer-Encoding: chunked is used, only the first chunk is
956 scanned. Parameter values separated by a chunk boundary, may
957 be randomly balanced if at all.
958
959 If the parameter is found followed by an equal sign ('=') and
960 a value, then the value is hashed and divided by the total
961 weight of the running servers. The result designates which
962 server will receive the request.
963
964 This is used to track user identifiers in requests and ensure
965 that a same user ID will always be sent to the same server as
966 long as no server goes up or down. If no value is found or if
967 the parameter is not found, then a round robin algorithm is
968 applied. Note that this algorithm may only be used in an HTTP
969 backend. This algorithm is static, which means that changing a
970 server's weight on the fly will have no effect.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100971
Benoitaffb4812009-03-25 13:02:10 +0100972 hdr(name) The HTTP header <name> will be looked up in each HTTP request.
973 Just as with the equivalent ACL 'hdr()' function, the header
974 name in parenthesis is not case sensitive. If the header is
975 absent or if it does not contain any value, the round-robin
976 algorithm is applied instead.
977
978 An optionnal 'use_domain_only' parameter is available, for
979 reducing the hash algorithm to the main domain part with some
980 specific headers such as 'Host'. For instance, in the Host
981 value "haproxy.1wt.eu", only "1wt" will be considered.
982
Emeric Brun736aa232009-06-30 17:56:00 +0200983 rdp-cookie
984 rdp-cookie(name)
985 The RDP cookie <name> (or "mstshash" if omitted) will be
986 looked up and hashed for each incoming TCP request. Just as
987 with the equivalent ACL 'req_rdp_cookie()' function, the name
988 is not case-sensitive. This mechanism is useful as a degraded
989 persistence mode, as it makes it possible to always send the
990 same user (or the same session ID) to the same server. If the
991 cookie is not found, the normal round-robind algorithm is
992 used instead.
993
994 Note that for this to work, the frontend must ensure that an
995 RDP cookie is already present in the request buffer. For this
996 you must use 'tcp-request content accept' rule combined with
997 a 'req_rdp_cookie_cnt' ACL.
998
Willy Tarreau0ba27502007-12-24 16:55:16 +0100999 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001000 algorithms. Right now, only "url_param" and "uri" support an
1001 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001002
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001003 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001004 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001005
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001006 The load balancing algorithm of a backend is set to roundrobin when no other
1007 algorithm, mode nor option have been set. The algorithm may only be set once
1008 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001009
1010 Examples :
1011 balance roundrobin
1012 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001013 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001014 balance hdr(User-Agent)
1015 balance hdr(host)
1016 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001017
1018 Note: the following caveats and limitations on using the "check_post"
1019 extension with "url_param" must be considered :
1020
1021 - all POST requests are eligable for consideration, because there is no way
1022 to determine if the parameters will be found in the body or entity which
1023 may contain binary data. Therefore another method may be required to
1024 restrict consideration of POST requests that have no URL parameters in
1025 the body. (see acl reqideny http_end)
1026
1027 - using a <max_wait> value larger than the request buffer size does not
1028 make sense and is useless. The buffer size is set at build time, and
1029 defaults to 16 kB.
1030
1031 - Content-Encoding is not supported, the parameter search will probably
1032 fail; and load balancing will fall back to Round Robin.
1033
1034 - Expect: 100-continue is not supported, load balancing will fall back to
1035 Round Robin.
1036
1037 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1038 If the entire parameter value is not present in the first chunk, the
1039 selection of server is undefined (actually, defined by how little
1040 actually appeared in the first chunk).
1041
1042 - This feature does not support generation of a 100, 411 or 501 response.
1043
1044 - In some cases, requesting "check_post" MAY attempt to scan the entire
1045 contents of a message body. Scaning normally terminates when linear
1046 white space or control characters are found, indicating the end of what
1047 might be a URL parameter list. This is probably not a concern with SGML
1048 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001049
1050 See also : "dispatch", "cookie", "appsession", "transparent" and "http_proxy".
1051
1052
1053bind [<address>]:<port> [, ...]
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001054bind [<address>]:<port> [, ...] interface <interface>
Willy Tarreaube1b9182009-06-14 18:48:19 +02001055bind [<address>]:<port> [, ...] mss <maxseg>
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001056bind [<address>]:<port> [, ...] transparent
Willy Tarreau0ba27502007-12-24 16:55:16 +01001057 Define one or several listening addresses and/or ports in a frontend.
1058 May be used in sections : defaults | frontend | listen | backend
1059 no | yes | yes | no
1060 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001061 <address> is optional and can be a host name, an IPv4 address, an IPv6
1062 address, or '*'. It designates the address the frontend will
1063 listen on. If unset, all IPv4 addresses of the system will be
1064 listened on. The same will apply for '*' or the system's
1065 special address "0.0.0.0".
1066
1067 <port> is the TCP port number the proxy will listen on. The port is
1068 mandatory. Note that in the case of an IPv6 address, the port
1069 is always the number after the last colon (':').
Willy Tarreau0ba27502007-12-24 16:55:16 +01001070
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001071 <interface> is an optional physical interface name. This is currently
1072 only supported on Linux. The interface must be a physical
1073 interface, not an aliased interface. When specified, all
1074 addresses on the same line will only be accepted if the
1075 incoming packet physically come through the designated
1076 interface. It is also possible to bind multiple frontends to
1077 the same address if they are bound to different interfaces.
1078 Note that binding to a physical interface requires root
1079 privileges.
1080
Willy Tarreaube1b9182009-06-14 18:48:19 +02001081 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1082 advertised on incoming connections. This can be used to force
1083 a lower MSS for certain specific ports, for instance for
1084 connections passing through a VPN. Note that this relies on a
1085 kernel feature which is theorically supported under Linux but
1086 was buggy in all versions prior to 2.6.28. It may or may not
1087 work on other operating systems. The commonly advertised
1088 value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
1089
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001090 transparent is an optional keyword which is supported only on certain
1091 Linux kernels. It indicates that the addresses will be bound
1092 even if they do not belong to the local machine. Any packet
1093 targetting any of these addresses will be caught just as if
1094 the address was locally configured. This normally requires
1095 that IP forwarding is enabled. Caution! do not use this with
1096 the default address '*', as it would redirect any traffic for
1097 the specified port. This keyword is available only when
1098 HAProxy is built with USE_LINUX_TPROXY=1.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001099
1100 It is possible to specify a list of address:port combinations delimited by
1101 commas. The frontend will then listen on all of these addresses. There is no
1102 fixed limit to the number of addresses and ports which can be listened on in
1103 a frontend, as well as there is no limit to the number of "bind" statements
1104 in a frontend.
1105
1106 Example :
1107 listen http_proxy
1108 bind :80,:443
1109 bind 10.0.0.1:10080,10.0.0.1:10443
1110
1111 See also : "source".
1112
1113
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001114bind-process [ all | odd | even | <number 1-32> ] ...
1115 Limit visibility of an instance to a certain set of processes numbers.
1116 May be used in sections : defaults | frontend | listen | backend
1117 yes | yes | yes | yes
1118 Arguments :
1119 all All process will see this instance. This is the default. It
1120 may be used to override a default value.
1121
1122 odd This instance will be enabled on processes 1,3,5,...31. This
1123 option may be combined with other numbers.
1124
1125 even This instance will be enabled on processes 2,4,6,...32. This
1126 option may be combined with other numbers. Do not use it
1127 with less than 2 processes otherwise some instances might be
1128 missing from all processes.
1129
1130 number The instance will be enabled on this process number, between
1131 1 and 32. You must be careful not to reference a process
1132 number greater than the configured global.nbproc, otherwise
1133 some instances might be missing from all processes.
1134
1135 This keyword limits binding of certain instances to certain processes. This
1136 is useful in order not to have too many processes listening to the same
1137 ports. For instance, on a dual-core machine, it might make sense to set
1138 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1139 and 'even' instances.
1140
1141 At the moment, it is not possible to reference more than 32 processes using
1142 this keyword, but this should be more than enough for most setups. Please
1143 note that 'all' really means all processes and is not limited to the first
1144 32.
1145
1146 If some backends are referenced by frontends bound to other processes, the
1147 backend automatically inherits the frontend's processes.
1148
1149 Example :
1150 listen app_ip1
1151 bind 10.0.0.1:80
1152 bind_process odd
1153
1154 listen app_ip2
1155 bind 10.0.0.2:80
1156 bind_process even
1157
1158 listen management
1159 bind 10.0.0.3:80
1160 bind_process 1 2 3 4
1161
1162 See also : "nbproc" in global section.
1163
1164
Willy Tarreau0ba27502007-12-24 16:55:16 +01001165block { if | unless } <condition>
1166 Block a layer 7 request if/unless a condition is matched
1167 May be used in sections : defaults | frontend | listen | backend
1168 no | yes | yes | yes
1169
1170 The HTTP request will be blocked very early in the layer 7 processing
1171 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001172 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001173 typically used to deny access to certain sensible resources if some
1174 conditions are met or not met. There is no fixed limit to the number of
1175 "block" statements per instance.
1176
1177 Example:
1178 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1179 acl invalid_src src_port 0:1023
1180 acl local_dst hdr(host) -i localhost
1181 block if invalid_src || local_dst
1182
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001183 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001184
1185
1186capture cookie <name> len <length>
1187 Capture and log a cookie in the request and in the response.
1188 May be used in sections : defaults | frontend | listen | backend
1189 no | yes | yes | no
1190 Arguments :
1191 <name> is the beginning of the name of the cookie to capture. In order
1192 to match the exact name, simply suffix the name with an equal
1193 sign ('='). The full name will appear in the logs, which is
1194 useful with application servers which adjust both the cookie name
1195 and value (eg: ASPSESSIONXXXXX).
1196
1197 <length> is the maximum number of characters to report in the logs, which
1198 include the cookie name, the equal sign and the value, all in the
1199 standard "name=value" form. The string will be truncated on the
1200 right if it exceeds <length>.
1201
1202 Only the first cookie is captured. Both the "cookie" request headers and the
1203 "set-cookie" response headers are monitored. This is particularly useful to
1204 check for application bugs causing session crossing or stealing between
1205 users, because generally the user's cookies can only change on a login page.
1206
1207 When the cookie was not presented by the client, the associated log column
1208 will report "-". When a request does not cause a cookie to be assigned by the
1209 server, a "-" is reported in the response column.
1210
1211 The capture is performed in the frontend only because it is necessary that
1212 the log format does not change for a given frontend depending on the
1213 backends. This may change in the future. Note that there can be only one
1214 "capture cookie" statement in a frontend. The maximum capture length is
1215 configured in the souces by default to 64 characters. It is not possible to
1216 specify a capture in a "defaults" section.
1217
1218 Example:
1219 capture cookie ASPSESSION len 32
1220
1221 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001222 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001223
1224
1225capture request header <name> len <length>
1226 Capture and log the first occurrence of the specified request header.
1227 May be used in sections : defaults | frontend | listen | backend
1228 no | yes | yes | no
1229 Arguments :
1230 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001231 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001232 appear in the requests, with the first letter of each word in
1233 upper case. The header name will not appear in the logs, only the
1234 value is reported, but the position in the logs is respected.
1235
1236 <length> is the maximum number of characters to extract from the value and
1237 report in the logs. The string will be truncated on the right if
1238 it exceeds <length>.
1239
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001240 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001241 value will be added to the logs between braces ('{}'). If multiple headers
1242 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001243 in the same order they were declared in the configuration. Non-existent
1244 headers will be logged just as an empty string. Common uses for request
1245 header captures include the "Host" field in virtual hosting environments, the
1246 "Content-length" when uploads are supported, "User-agent" to quickly
1247 differenciate between real users and robots, and "X-Forwarded-For" in proxied
1248 environments to find where the request came from.
1249
1250 Note that when capturing headers such as "User-agent", some spaces may be
1251 logged, making the log analysis more difficult. Thus be careful about what
1252 you log if you know your log parser is not smart enough to rely on the
1253 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001254
1255 There is no limit to the number of captured request headers, but each capture
1256 is limited to 64 characters. In order to keep log format consistent for a
1257 same frontend, header captures can only be declared in a frontend. It is not
1258 possible to specify a capture in a "defaults" section.
1259
1260 Example:
1261 capture request header Host len 15
1262 capture request header X-Forwarded-For len 15
1263 capture request header Referrer len 15
1264
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001265 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001266 about logging.
1267
1268
1269capture response header <name> len <length>
1270 Capture and log the first occurrence of the specified response header.
1271 May be used in sections : defaults | frontend | listen | backend
1272 no | yes | yes | no
1273 Arguments :
1274 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001275 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001276 appear in the response, with the first letter of each word in
1277 upper case. The header name will not appear in the logs, only the
1278 value is reported, but the position in the logs is respected.
1279
1280 <length> is the maximum number of characters to extract from the value and
1281 report in the logs. The string will be truncated on the right if
1282 it exceeds <length>.
1283
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001284 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001285 result will be added to the logs between braces ('{}') after the captured
1286 request headers. If multiple headers are captured, they will be delimited by
1287 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001288 the configuration. Non-existent headers will be logged just as an empty
1289 string. Common uses for response header captures include the "Content-length"
1290 header which indicates how many bytes are expected to be returned, the
1291 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001292
1293 There is no limit to the number of captured response headers, but each
1294 capture is limited to 64 characters. In order to keep log format consistent
1295 for a same frontend, header captures can only be declared in a frontend. It
1296 is not possible to specify a capture in a "defaults" section.
1297
1298 Example:
1299 capture response header Content-length len 9
1300 capture response header Location len 15
1301
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001302 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001303 about logging.
1304
1305
1306clitimeout <timeout>
1307 Set the maximum inactivity time on the client side.
1308 May be used in sections : defaults | frontend | listen | backend
1309 yes | yes | yes | no
1310 Arguments :
1311 <timeout> is the timeout value is specified in milliseconds by default, but
1312 can be in any other unit if the number is suffixed by the unit,
1313 as explained at the top of this document.
1314
1315 The inactivity timeout applies when the client is expected to acknowledge or
1316 send data. In HTTP mode, this timeout is particularly important to consider
1317 during the first phase, when the client sends the request, and during the
1318 response while it is reading data sent by the server. The value is specified
1319 in milliseconds by default, but can be in any other unit if the number is
1320 suffixed by the unit, as specified at the top of this document. In TCP mode
1321 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1322 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001323 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001324 losses by specifying timeouts that are slightly above multiples of 3 seconds
1325 (eg: 4 or 5 seconds).
1326
1327 This parameter is specific to frontends, but can be specified once for all in
1328 "defaults" sections. This is in fact one of the easiest solutions not to
1329 forget about it. An unspecified timeout results in an infinite timeout, which
1330 is not recommended. Such a usage is accepted and works but reports a warning
1331 during startup because it may results in accumulation of expired sessions in
1332 the system if the system's timeouts are not configured either.
1333
1334 This parameter is provided for compatibility but is currently deprecated.
1335 Please use "timeout client" instead.
1336
Willy Tarreau036fae02008-01-06 13:24:40 +01001337 See also : "timeout client", "timeout http-request", "timeout server", and
1338 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001339
1340
1341contimeout <timeout>
1342 Set the maximum time to wait for a connection attempt to a server to succeed.
1343 May be used in sections : defaults | frontend | listen | backend
1344 yes | no | yes | yes
1345 Arguments :
1346 <timeout> is the timeout value is specified in milliseconds by default, but
1347 can be in any other unit if the number is suffixed by the unit,
1348 as explained at the top of this document.
1349
1350 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001351 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001352 cover one or several TCP packet losses by specifying timeouts that are
1353 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1354 connect timeout also presets the queue timeout to the same value if this one
1355 has not been specified. Historically, the contimeout was also used to set the
1356 tarpit timeout in a listen section, which is not possible in a pure frontend.
1357
1358 This parameter is specific to backends, but can be specified once for all in
1359 "defaults" sections. This is in fact one of the easiest solutions not to
1360 forget about it. An unspecified timeout results in an infinite timeout, which
1361 is not recommended. Such a usage is accepted and works but reports a warning
1362 during startup because it may results in accumulation of failed sessions in
1363 the system if the system's timeouts are not configured either.
1364
1365 This parameter is provided for backwards compatibility but is currently
1366 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1367 instead.
1368
1369 See also : "timeout connect", "timeout queue", "timeout tarpit",
1370 "timeout server", "contimeout".
1371
1372
Willy Tarreau55165fe2009-05-10 12:02:55 +02001373cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
1374 [ postonly ] [ domain <domain> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001375 Enable cookie-based persistence in a backend.
1376 May be used in sections : defaults | frontend | listen | backend
1377 yes | no | yes | yes
1378 Arguments :
1379 <name> is the name of the cookie which will be monitored, modified or
1380 inserted in order to bring persistence. This cookie is sent to
1381 the client via a "Set-Cookie" header in the response, and is
1382 brought back by the client in a "Cookie" header in all requests.
1383 Special care should be taken to choose a name which does not
1384 conflict with any likely application cookie. Also, if the same
1385 backends are subject to be used by the same clients (eg:
1386 HTTP/HTTPS), care should be taken to use different cookie names
1387 between all backends if persistence between them is not desired.
1388
1389 rewrite This keyword indicates that the cookie will be provided by the
1390 server and that haproxy will have to modify its value to set the
1391 server's identifier in it. This mode is handy when the management
1392 of complex combinations of "Set-cookie" and "Cache-control"
1393 headers is left to the application. The application can then
1394 decide whether or not it is appropriate to emit a persistence
1395 cookie. Since all responses should be monitored, this mode only
1396 works in HTTP close mode. Unless the application behaviour is
1397 very complex and/or broken, it is advised not to start with this
1398 mode for new deployments. This keyword is incompatible with
1399 "insert" and "prefix".
1400
1401 insert This keyword indicates that the persistence cookie will have to
1402 be inserted by haproxy in the responses. If the server emits a
1403 cookie with the same name, it will be replaced anyway. For this
1404 reason, this mode can be used to upgrade existing configurations
1405 running in the "rewrite" mode. The cookie will only be a session
1406 cookie and will not be stored on the client's disk. Due to
1407 caching effects, it is generally wise to add the "indirect" and
1408 "nocache" or "postonly" keywords (see below). The "insert"
1409 keyword is not compatible with "rewrite" and "prefix".
1410
1411 prefix This keyword indicates that instead of relying on a dedicated
1412 cookie for the persistence, an existing one will be completed.
1413 This may be needed in some specific environments where the client
1414 does not support more than one single cookie and the application
1415 already needs it. In this case, whenever the server sets a cookie
1416 named <name>, it will be prefixed with the server's identifier
1417 and a delimiter. The prefix will be removed from all client
1418 requests so that the server still finds the cookie it emitted.
1419 Since all requests and responses are subject to being modified,
1420 this mode requires the HTTP close mode. The "prefix" keyword is
1421 not compatible with "rewrite" and "insert".
1422
1423 indirect When this option is specified in insert mode, cookies will only
1424 be added when the server was not reached after a direct access,
1425 which means that only when a server is elected after applying a
1426 load-balancing algorithm, or after a redispatch, then the cookie
1427 will be inserted. If the client has all the required information
1428 to connect to the same server next time, no further cookie will
1429 be inserted. In all cases, when the "indirect" option is used in
1430 insert mode, the cookie is always removed from the requests
1431 transmitted to the server. The persistence mechanism then becomes
1432 totally transparent from the application point of view.
1433
1434 nocache This option is recommended in conjunction with the insert mode
1435 when there is a cache between the client and HAProxy, as it
1436 ensures that a cacheable response will be tagged non-cacheable if
1437 a cookie needs to be inserted. This is important because if all
1438 persistence cookies are added on a cacheable home page for
1439 instance, then all customers will then fetch the page from an
1440 outer cache and will all share the same persistence cookie,
1441 leading to one server receiving much more traffic than others.
1442 See also the "insert" and "postonly" options.
1443
1444 postonly This option ensures that cookie insertion will only be performed
1445 on responses to POST requests. It is an alternative to the
1446 "nocache" option, because POST responses are not cacheable, so
1447 this ensures that the persistence cookie will never get cached.
1448 Since most sites do not need any sort of persistence before the
1449 first POST which generally is a login request, this is a very
1450 efficient method to optimize caching without risking to find a
1451 persistence cookie in the cache.
1452 See also the "insert" and "nocache" options.
1453
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001454 domain This option allows to specify the domain at which a cookie is
1455 inserted. It requires exactly one paramater: a valid domain
1456 name.
1457
Willy Tarreau0ba27502007-12-24 16:55:16 +01001458 There can be only one persistence cookie per HTTP backend, and it can be
1459 declared in a defaults section. The value of the cookie will be the value
1460 indicated after the "cookie" keyword in a "server" statement. If no cookie
1461 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001462
Willy Tarreau0ba27502007-12-24 16:55:16 +01001463 Examples :
1464 cookie JSESSIONID prefix
1465 cookie SRV insert indirect nocache
1466 cookie SRV insert postonly indirect
1467
1468 See also : "appsession", "balance source", "capture cookie", "server".
1469
1470
1471default_backend <backend>
1472 Specify the backend to use when no "use_backend" rule has been matched.
1473 May be used in sections : defaults | frontend | listen | backend
1474 yes | yes | yes | no
1475 Arguments :
1476 <backend> is the name of the backend to use.
1477
1478 When doing content-switching between frontend and backends using the
1479 "use_backend" keyword, it is often useful to indicate which backend will be
1480 used when no rule has matched. It generally is the dynamic backend which
1481 will catch all undetermined requests.
1482
Willy Tarreau0ba27502007-12-24 16:55:16 +01001483 Example :
1484
1485 use_backend dynamic if url_dyn
1486 use_backend static if url_css url_img extension_img
1487 default_backend dynamic
1488
Willy Tarreau2769aa02007-12-27 18:26:09 +01001489 See also : "use_backend", "reqsetbe", "reqisetbe"
1490
Willy Tarreau0ba27502007-12-24 16:55:16 +01001491
1492disabled
1493 Disable a proxy, frontend or backend.
1494 May be used in sections : defaults | frontend | listen | backend
1495 yes | yes | yes | yes
1496 Arguments : none
1497
1498 The "disabled" keyword is used to disable an instance, mainly in order to
1499 liberate a listening port or to temporarily disable a service. The instance
1500 will still be created and its configuration will be checked, but it will be
1501 created in the "stopped" state and will appear as such in the statistics. It
1502 will not receive any traffic nor will it send any health-checks or logs. It
1503 is possible to disable many instances at once by adding the "disabled"
1504 keyword in a "defaults" section.
1505
1506 See also : "enabled"
1507
1508
1509enabled
1510 Enable a proxy, frontend or backend.
1511 May be used in sections : defaults | frontend | listen | backend
1512 yes | yes | yes | yes
1513 Arguments : none
1514
1515 The "enabled" keyword is used to explicitly enable an instance, when the
1516 defaults has been set to "disabled". This is very rarely used.
1517
1518 See also : "disabled"
1519
1520
1521errorfile <code> <file>
1522 Return a file contents instead of errors generated by HAProxy
1523 May be used in sections : defaults | frontend | listen | backend
1524 yes | yes | yes | yes
1525 Arguments :
1526 <code> is the HTTP status code. Currently, HAProxy is capable of
1527 generating codes 400, 403, 408, 500, 502, 503, and 504.
1528
1529 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001530 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001531 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01001532 error pages, and to use absolute paths, since files are read
1533 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001534
1535 It is important to understand that this keyword is not meant to rewrite
1536 errors returned by the server, but errors detected and returned by HAProxy.
1537 This is why the list of supported errors is limited to a small set.
1538
1539 The files are returned verbatim on the TCP socket. This allows any trick such
1540 as redirections to another URL or site, as well as tricks to clean cookies,
1541 force enable or disable caching, etc... The package provides default error
1542 files returning the same contents as default errors.
1543
Willy Tarreau59140a22009-02-22 12:02:30 +01001544 The files should not exceed the configured buffer size (BUFSIZE), which
1545 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1546 not to put any reference to local contents (eg: images) in order to avoid
1547 loops between the client and HAProxy when all servers are down, causing an
1548 error to be returned instead of an image. For better HTTP compliance, it is
1549 recommended that all header lines end with CR-LF and not LF alone.
1550
Willy Tarreau0ba27502007-12-24 16:55:16 +01001551 The files are read at the same time as the configuration and kept in memory.
1552 For this reason, the errors continue to be returned even when the process is
1553 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01001554 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001555 403 status code and interrogating a blocked URL.
1556
1557 See also : "errorloc", "errorloc302", "errorloc303"
1558
Willy Tarreau59140a22009-02-22 12:02:30 +01001559 Example :
1560 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1561 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1562 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1563
Willy Tarreau2769aa02007-12-27 18:26:09 +01001564
1565errorloc <code> <url>
1566errorloc302 <code> <url>
1567 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1568 May be used in sections : defaults | frontend | listen | backend
1569 yes | yes | yes | yes
1570 Arguments :
1571 <code> is the HTTP status code. Currently, HAProxy is capable of
1572 generating codes 400, 403, 408, 500, 502, 503, and 504.
1573
1574 <url> it is the exact contents of the "Location" header. It may contain
1575 either a relative URI to an error page hosted on the same site,
1576 or an absolute URI designating an error page on another site.
1577 Special care should be given to relative URIs to avoid redirect
1578 loops if the URI itself may generate the same error (eg: 500).
1579
1580 It is important to understand that this keyword is not meant to rewrite
1581 errors returned by the server, but errors detected and returned by HAProxy.
1582 This is why the list of supported errors is limited to a small set.
1583
1584 Note that both keyword return the HTTP 302 status code, which tells the
1585 client to fetch the designated URL using the same HTTP method. This can be
1586 quite problematic in case of non-GET methods such as POST, because the URL
1587 sent to the client might not be allowed for something other than GET. To
1588 workaround this problem, please use "errorloc303" which send the HTTP 303
1589 status code, indicating to the client that the URL must be fetched with a GET
1590 request.
1591
1592 See also : "errorfile", "errorloc303"
1593
1594
1595errorloc303 <code> <url>
1596 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1597 May be used in sections : defaults | frontend | listen | backend
1598 yes | yes | yes | yes
1599 Arguments :
1600 <code> is the HTTP status code. Currently, HAProxy is capable of
1601 generating codes 400, 403, 408, 500, 502, 503, and 504.
1602
1603 <url> it is the exact contents of the "Location" header. It may contain
1604 either a relative URI to an error page hosted on the same site,
1605 or an absolute URI designating an error page on another site.
1606 Special care should be given to relative URIs to avoid redirect
1607 loops if the URI itself may generate the same error (eg: 500).
1608
1609 It is important to understand that this keyword is not meant to rewrite
1610 errors returned by the server, but errors detected and returned by HAProxy.
1611 This is why the list of supported errors is limited to a small set.
1612
1613 Note that both keyword return the HTTP 303 status code, which tells the
1614 client to fetch the designated URL using the same HTTP GET method. This
1615 solves the usual problems associated with "errorloc" and the 302 code. It is
1616 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001617 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01001618
1619 See also : "errorfile", "errorloc", "errorloc302"
1620
1621
1622fullconn <conns>
1623 Specify at what backend load the servers will reach their maxconn
1624 May be used in sections : defaults | frontend | listen | backend
1625 yes | no | yes | yes
1626 Arguments :
1627 <conns> is the number of connections on the backend which will make the
1628 servers use the maximal number of connections.
1629
Willy Tarreau198a7442008-01-17 12:05:32 +01001630 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01001631 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01001632 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01001633 load. The server will then always accept at least <minconn> connections,
1634 never more than <maxconn>, and the limit will be on the ramp between both
1635 values when the backend has less than <conns> concurrent connections. This
1636 makes it possible to limit the load on the servers during normal loads, but
1637 push it further for important loads without overloading the servers during
1638 exceptionnal loads.
1639
1640 Example :
1641 # The servers will accept between 100 and 1000 concurrent connections each
1642 # and the maximum of 1000 will be reached when the backend reaches 10000
1643 # connections.
1644 backend dynamic
1645 fullconn 10000
1646 server srv1 dyn1:80 minconn 100 maxconn 1000
1647 server srv2 dyn2:80 minconn 100 maxconn 1000
1648
1649 See also : "maxconn", "server"
1650
1651
1652grace <time>
1653 Maintain a proxy operational for some time after a soft stop
1654 May be used in sections : defaults | frontend | listen | backend
1655 no | yes | yes | yes
1656 Arguments :
1657 <time> is the time (by default in milliseconds) for which the instance
1658 will remain operational with the frontend sockets still listening
1659 when a soft-stop is received via the SIGUSR1 signal.
1660
1661 This may be used to ensure that the services disappear in a certain order.
1662 This was designed so that frontends which are dedicated to monitoring by an
1663 external equipement fail immediately while other ones remain up for the time
1664 needed by the equipment to detect the failure.
1665
1666 Note that currently, there is very little benefit in using this parameter,
1667 and it may in fact complicate the soft-reconfiguration process more than
1668 simplify it.
1669
Willy Tarreau0ba27502007-12-24 16:55:16 +01001670
1671http-check disable-on-404
1672 Enable a maintenance mode upon HTTP/404 response to health-checks
1673 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01001674 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01001675 Arguments : none
1676
1677 When this option is set, a server which returns an HTTP code 404 will be
1678 excluded from further load-balancing, but will still receive persistent
1679 connections. This provides a very convenient method for Web administrators
1680 to perform a graceful shutdown of their servers. It is also important to note
1681 that a server which is detected as failed while it was in this mode will not
1682 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
1683 will immediately be reinserted into the farm. The status on the stats page
1684 reports "NOLB" for a server in this mode. It is important to note that this
1685 option only works in conjunction with the "httpchk" option.
1686
Willy Tarreau2769aa02007-12-27 18:26:09 +01001687 See also : "option httpchk"
1688
1689
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01001690id <value>
1691 Set a persistent value for proxy ID. Must be unique and larger than 1000, as
1692 smaller values are reserved for auto-assigned ids.
1693
1694
Willy Tarreau2769aa02007-12-27 18:26:09 +01001695log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02001696log <address> <facility> [<level> [<minlevel>]]
Willy Tarreau2769aa02007-12-27 18:26:09 +01001697 Enable per-instance logging of events and traffic.
1698 May be used in sections : defaults | frontend | listen | backend
1699 yes | yes | yes | yes
1700 Arguments :
1701 global should be used when the instance's logging parameters are the
1702 same as the global ones. This is the most common usage. "global"
1703 replaces <address>, <facility> and <level> with those of the log
1704 entries found in the "global" section. Only one "log global"
1705 statement may be used per instance, and this form takes no other
1706 parameter.
1707
1708 <address> indicates where to send the logs. It takes the same format as
1709 for the "global" section's logs, and can be one of :
1710
1711 - An IPv4 address optionally followed by a colon (':') and a UDP
1712 port. If no port is specified, 514 is used by default (the
1713 standard syslog port).
1714
1715 - A filesystem path to a UNIX domain socket, keeping in mind
1716 considerations for chroot (be sure the path is accessible
1717 inside the chroot) and uid/gid (be sure the path is
1718 appropriately writeable).
1719
1720 <facility> must be one of the 24 standard syslog facilities :
1721
1722 kern user mail daemon auth syslog lpr news
1723 uucp cron auth2 ftp ntp audit alert cron2
1724 local0 local1 local2 local3 local4 local5 local6 local7
1725
1726 <level> is optional and can be specified to filter outgoing messages. By
1727 default, all messages are sent. If a level is specified, only
1728 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02001729 will be sent. An optional minimum level can be specified. If it
1730 is set, logs emitted with a more severe level than this one will
1731 be capped to this level. This is used to avoid sending "emerg"
1732 messages on all terminals on some default syslog configurations.
1733 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01001734
1735 emerg alert crit err warning notice info debug
1736
1737 Note that up to two "log" entries may be specified per instance. However, if
1738 "log global" is used and if the "global" section already contains 2 log
1739 entries, then additional log entries will be ignored.
1740
1741 Also, it is important to keep in mind that it is the frontend which decides
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001742 what to log from a connection, and that in case of content switching, the log
1743 entries from the backend will be ignored. Connections are logged at level
1744 "info".
1745
1746 However, backend log declaration define how and where servers status changes
1747 will be logged. Level "notice" will be used to indicate a server going up,
1748 "warning" will be used for termination signals and definitive service
1749 termination, and "alert" will be used for when a server goes down.
1750
1751 Note : According to RFC3164, messages are truncated to 1024 bytes before
1752 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01001753
1754 Example :
1755 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02001756 log 127.0.0.1:514 local0 notice # only send important events
1757 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01001758
1759
1760maxconn <conns>
1761 Fix the maximum number of concurrent connections on a frontend
1762 May be used in sections : defaults | frontend | listen | backend
1763 yes | yes | yes | no
1764 Arguments :
1765 <conns> is the maximum number of concurrent connections the frontend will
1766 accept to serve. Excess connections will be queued by the system
1767 in the socket's listen queue and will be served once a connection
1768 closes.
1769
1770 If the system supports it, it can be useful on big sites to raise this limit
1771 very high so that haproxy manages connection queues, instead of leaving the
1772 clients with unanswered connection attempts. This value should not exceed the
1773 global maxconn. Also, keep in mind that a connection contains two buffers
1774 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
1775 consumed per established connection. That means that a medium system equipped
1776 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
1777 properly tuned.
1778
1779 Also, when <conns> is set to large values, it is possible that the servers
1780 are not sized to accept such loads, and for this reason it is generally wise
1781 to assign them some reasonable connection limits.
1782
1783 See also : "server", global section's "maxconn", "fullconn"
1784
1785
1786mode { tcp|http|health }
1787 Set the running mode or protocol of the instance
1788 May be used in sections : defaults | frontend | listen | backend
1789 yes | yes | yes | yes
1790 Arguments :
1791 tcp The instance will work in pure TCP mode. A full-duplex connection
1792 will be established between clients and servers, and no layer 7
1793 examination will be performed. This is the default mode. It
1794 should be used for SSL, SSH, SMTP, ...
1795
1796 http The instance will work in HTTP mode. The client request will be
1797 analyzed in depth before connecting to any server. Any request
1798 which is not RFC-compliant will be rejected. Layer 7 filtering,
1799 processing and switching will be possible. This is the mode which
1800 brings HAProxy most of its value.
1801
1802 health The instance will work in "health" mode. It will just reply "OK"
1803 to incoming connections and close the connection. Nothing will be
1804 logged. This mode is used to reply to external components health
1805 checks. This mode is deprecated and should not be used anymore as
1806 it is possible to do the same and even better by combining TCP or
1807 HTTP modes with the "monitor" keyword.
1808
1809 When doing content switching, it is mandatory that the frontend and the
1810 backend are in the same mode (generally HTTP), otherwise the configuration
1811 will be refused.
1812
1813 Example :
1814 defaults http_instances
1815 mode http
1816
1817 See also : "monitor", "monitor-net"
1818
Willy Tarreau0ba27502007-12-24 16:55:16 +01001819
1820monitor fail [if | unless] <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01001821 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001822 May be used in sections : defaults | frontend | listen | backend
1823 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01001824 Arguments :
1825 if <cond> the monitor request will fail if the condition is satisfied,
1826 and will succeed otherwise. The condition should describe a
1827 combinated test which must induce a failure if all conditions
1828 are met, for instance a low number of servers both in a
1829 backend and its backup.
1830
1831 unless <cond> the monitor request will succeed only if the condition is
1832 satisfied, and will fail otherwise. Such a condition may be
1833 based on a test on the presence of a minimum number of active
1834 servers in a list of backends.
1835
1836 This statement adds a condition which can force the response to a monitor
1837 request to report a failure. By default, when an external component queries
1838 the URI dedicated to monitoring, a 200 response is returned. When one of the
1839 conditions above is met, haproxy will return 503 instead of 200. This is
1840 very useful to report a site failure to an external component which may base
1841 routing advertisements between multiple sites on the availability reported by
1842 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreau2769aa02007-12-27 18:26:09 +01001843 criterion. Note that "monitor fail" only works in HTTP mode.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001844
1845 Example:
1846 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01001847 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01001848 acl site_dead nbsrv(dynamic) lt 2
1849 acl site_dead nbsrv(static) lt 2
1850 monitor-uri /site_alive
1851 monitor fail if site_dead
1852
Willy Tarreau2769aa02007-12-27 18:26:09 +01001853 See also : "monitor-net", "monitor-uri"
1854
1855
1856monitor-net <source>
1857 Declare a source network which is limited to monitor requests
1858 May be used in sections : defaults | frontend | listen | backend
1859 yes | yes | yes | no
1860 Arguments :
1861 <source> is the source IPv4 address or network which will only be able to
1862 get monitor responses to any request. It can be either an IPv4
1863 address, a host name, or an address followed by a slash ('/')
1864 followed by a mask.
1865
1866 In TCP mode, any connection coming from a source matching <source> will cause
1867 the connection to be immediately closed without any log. This allows another
1868 equipement to probe the port and verify that it is still listening, without
1869 forwarding the connection to a remote server.
1870
1871 In HTTP mode, a connection coming from a source matching <source> will be
1872 accepted, the following response will be sent without waiting for a request,
1873 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
1874 enough for any front-end HTTP probe to detect that the service is UP and
1875 running without forwarding the request to a backend server.
1876
1877 Monitor requests are processed very early. It is not possible to block nor
1878 divert them using ACLs. They cannot be logged either, and it is the intended
1879 purpose. They are only used to report HAProxy's health to an upper component,
1880 nothing more. Right now, it is not possible to set failure conditions on
1881 requests caught by "monitor-net".
1882
1883 Example :
1884 # addresses .252 and .253 are just probing us.
1885 frontend www
1886 monitor-net 192.168.0.252/31
1887
1888 See also : "monitor fail", "monitor-uri"
1889
1890
1891monitor-uri <uri>
1892 Intercept a URI used by external components' monitor requests
1893 May be used in sections : defaults | frontend | listen | backend
1894 yes | yes | yes | no
1895 Arguments :
1896 <uri> is the exact URI which we want to intercept to return HAProxy's
1897 health status instead of forwarding the request.
1898
1899 When an HTTP request referencing <uri> will be received on a frontend,
1900 HAProxy will not forward it nor log it, but instead will return either
1901 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
1902 conditions defined with "monitor fail". This is normally enough for any
1903 front-end HTTP probe to detect that the service is UP and running without
1904 forwarding the request to a backend server. Note that the HTTP method, the
1905 version and all headers are ignored, but the request must at least be valid
1906 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
1907
1908 Monitor requests are processed very early. It is not possible to block nor
1909 divert them using ACLs. They cannot be logged either, and it is the intended
1910 purpose. They are only used to report HAProxy's health to an upper component,
1911 nothing more. However, it is possible to add any number of conditions using
1912 "monitor fail" and ACLs so that the result can be adjusted to whatever check
1913 can be imagined (most often the number of available servers in a backend).
1914
1915 Example :
1916 # Use /haproxy_test to report haproxy's status
1917 frontend www
1918 mode http
1919 monitor-uri /haproxy_test
1920
1921 See also : "monitor fail", "monitor-net"
1922
Willy Tarreau0ba27502007-12-24 16:55:16 +01001923
Willy Tarreaubf1f8162007-12-28 17:42:56 +01001924option abortonclose
1925no option abortonclose
1926 Enable or disable early dropping of aborted requests pending in queues.
1927 May be used in sections : defaults | frontend | listen | backend
1928 yes | no | yes | yes
1929 Arguments : none
1930
1931 In presence of very high loads, the servers will take some time to respond.
1932 The per-instance connection queue will inflate, and the response time will
1933 increase respective to the size of the queue times the average per-session
1934 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01001935 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01001936 the queue, and slowing down other users, and the servers as well, because the
1937 request will eventually be served, then aborted at the first error
1938 encountered while delivering the response.
1939
1940 As there is no way to distinguish between a full STOP and a simple output
1941 close on the client side, HTTP agents should be conservative and consider
1942 that the client might only have closed its output channel while waiting for
1943 the response. However, this introduces risks of congestion when lots of users
1944 do the same, and is completely useless nowadays because probably no client at
1945 all will close the session while waiting for the response. Some HTTP agents
1946 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
1947 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01001948 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01001949 of being the single component to break rare but valid traffic is extremely
1950 low, which adds to the temptation to be able to abort a session early while
1951 still not served and not pollute the servers.
1952
1953 In HAProxy, the user can choose the desired behaviour using the option
1954 "abortonclose". By default (without the option) the behaviour is HTTP
1955 compliant and aborted requests will be served. But when the option is
1956 specified, a session with an incoming channel closed will be aborted while
1957 it is still possible, either pending in the queue for a connection slot, or
1958 during the connection establishment if the server has not yet acknowledged
1959 the connection request. This considerably reduces the queue size and the load
1960 on saturated servers when users are tempted to click on STOP, which in turn
1961 reduces the response time for other users.
1962
1963 If this option has been enabled in a "defaults" section, it can be disabled
1964 in a specific instance by prepending the "no" keyword before it.
1965
1966 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
1967
1968
Willy Tarreau4076a152009-04-02 15:18:36 +02001969option accept-invalid-http-request
1970no option accept-invalid-http-request
1971 Enable or disable relaxing of HTTP request parsing
1972 May be used in sections : defaults | frontend | listen | backend
1973 yes | yes | yes | no
1974 Arguments : none
1975
1976 By default, HAProxy complies with RFC2616 in terms of message parsing. This
1977 means that invalid characters in header names are not permitted and cause an
1978 error to be returned to the client. This is the desired behaviour as such
1979 forbidden characters are essentially used to build attacks exploiting server
1980 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1981 server will emit invalid header names for whatever reason (configuration,
1982 implementation) and the issue will not be immediately fixed. In such a case,
1983 it is possible to relax HAProxy's header name parser to accept any character
1984 even if that does not make sense, by specifying this option.
1985
1986 This option should never be enabled by default as it hides application bugs
1987 and open security breaches. It should only be deployed after a problem has
1988 been confirmed.
1989
1990 When this option is enabled, erroneous header names will still be accepted in
1991 requests, but the complete request will be captured in order to permit later
1992 analysis using the "show errors" request on the UNIX stats socket. Doing this
1993 also helps confirming that the issue has been solved.
1994
1995 If this option has been enabled in a "defaults" section, it can be disabled
1996 in a specific instance by prepending the "no" keyword before it.
1997
1998 See also : "option accept-invalid-http-response" and "show errors" on the
1999 stats socket.
2000
2001
2002option accept-invalid-http-response
2003no option accept-invalid-http-response
2004 Enable or disable relaxing of HTTP response parsing
2005 May be used in sections : defaults | frontend | listen | backend
2006 yes | no | yes | yes
2007 Arguments : none
2008
2009 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2010 means that invalid characters in header names are not permitted and cause an
2011 error to be returned to the client. This is the desired behaviour as such
2012 forbidden characters are essentially used to build attacks exploiting server
2013 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2014 server will emit invalid header names for whatever reason (configuration,
2015 implementation) and the issue will not be immediately fixed. In such a case,
2016 it is possible to relax HAProxy's header name parser to accept any character
2017 even if that does not make sense, by specifying this option.
2018
2019 This option should never be enabled by default as it hides application bugs
2020 and open security breaches. It should only be deployed after a problem has
2021 been confirmed.
2022
2023 When this option is enabled, erroneous header names will still be accepted in
2024 responses, but the complete response will be captured in order to permit
2025 later analysis using the "show errors" request on the UNIX stats socket.
2026 Doing this also helps confirming that the issue has been solved.
2027
2028 If this option has been enabled in a "defaults" section, it can be disabled
2029 in a specific instance by prepending the "no" keyword before it.
2030
2031 See also : "option accept-invalid-http-request" and "show errors" on the
2032 stats socket.
2033
2034
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002035option allbackups
2036no option allbackups
2037 Use either all backup servers at a time or only the first one
2038 May be used in sections : defaults | frontend | listen | backend
2039 yes | no | yes | yes
2040 Arguments : none
2041
2042 By default, the first operational backup server gets all traffic when normal
2043 servers are all down. Sometimes, it may be preferred to use multiple backups
2044 at once, because one will not be enough. When "option allbackups" is enabled,
2045 the load balancing will be performed among all backup servers when all normal
2046 ones are unavailable. The same load balancing algorithm will be used and the
2047 servers' weights will be respected. Thus, there will not be any priority
2048 order between the backup servers anymore.
2049
2050 This option is mostly used with static server farms dedicated to return a
2051 "sorry" page when an application is completely offline.
2052
2053 If this option has been enabled in a "defaults" section, it can be disabled
2054 in a specific instance by prepending the "no" keyword before it.
2055
2056
2057option checkcache
2058no option checkcache
2059 Analyze all server responses and block requests with cachable cookies
2060 May be used in sections : defaults | frontend | listen | backend
2061 yes | no | yes | yes
2062 Arguments : none
2063
2064 Some high-level frameworks set application cookies everywhere and do not
2065 always let enough control to the developer to manage how the responses should
2066 be cached. When a session cookie is returned on a cachable object, there is a
2067 high risk of session crossing or stealing between users traversing the same
2068 caches. In some situations, it is better to block the response than to let
2069 some sensible session information go in the wild.
2070
2071 The option "checkcache" enables deep inspection of all server responses for
2072 strict compliance with HTTP specification in terms of cachability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002073 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002074 response to check if there's a risk of caching a cookie on a client-side
2075 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01002076 to the client are :
2077 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002078 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01002079 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002080 - all those that come from a POST request, provided that the server has not
2081 set a 'Cache-Control: public' header ;
2082 - those with a 'Pragma: no-cache' header
2083 - those with a 'Cache-control: private' header
2084 - those with a 'Cache-control: no-store' header
2085 - those with a 'Cache-control: max-age=0' header
2086 - those with a 'Cache-control: s-maxage=0' header
2087 - those with a 'Cache-control: no-cache' header
2088 - those with a 'Cache-control: no-cache="set-cookie"' header
2089 - those with a 'Cache-control: no-cache="set-cookie,' header
2090 (allowing other fields after set-cookie)
2091
2092 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01002093 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002094 The session state shows "PH--" meaning that the proxy blocked the response
2095 during headers processing. Additionnaly, an alert will be sent in the logs so
2096 that admins are informed that there's something to be fixed.
2097
2098 Due to the high impact on the application, the application should be tested
2099 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002100 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002101 production, as it will report potentially dangerous application behaviours.
2102
2103 If this option has been enabled in a "defaults" section, it can be disabled
2104 in a specific instance by prepending the "no" keyword before it.
2105
2106
2107option clitcpka
2108no option clitcpka
2109 Enable or disable the sending of TCP keepalive packets on the client side
2110 May be used in sections : defaults | frontend | listen | backend
2111 yes | yes | yes | no
2112 Arguments : none
2113
2114 When there is a firewall or any session-aware component between a client and
2115 a server, and when the protocol involves very long sessions with long idle
2116 periods (eg: remote desktops), there is a risk that one of the intermediate
2117 components decides to expire a session which has remained idle for too long.
2118
2119 Enabling socket-level TCP keep-alives makes the system regularly send packets
2120 to the other end of the connection, leaving it active. The delay between
2121 keep-alive probes is controlled by the system only and depends both on the
2122 operating system and its tuning parameters.
2123
2124 It is important to understand that keep-alive packets are neither emitted nor
2125 received at the application level. It is only the network stacks which sees
2126 them. For this reason, even if one side of the proxy already uses keep-alives
2127 to maintain its connection alive, those keep-alive packets will not be
2128 forwarded to the other side of the proxy.
2129
2130 Please note that this has nothing to do with HTTP keep-alive.
2131
2132 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
2133 client side of a connection, which should help when session expirations are
2134 noticed between HAProxy and a client.
2135
2136 If this option has been enabled in a "defaults" section, it can be disabled
2137 in a specific instance by prepending the "no" keyword before it.
2138
2139 See also : "option srvtcpka", "option tcpka"
2140
2141
Willy Tarreau0ba27502007-12-24 16:55:16 +01002142option contstats
2143 Enable continuous traffic statistics updates
2144 May be used in sections : defaults | frontend | listen | backend
2145 yes | yes | yes | no
2146 Arguments : none
2147
2148 By default, counters used for statistics calculation are incremented
2149 only when a session finishes. It works quite well when serving small
2150 objects, but with big ones (for example large images or archives) or
2151 with A/V streaming, a graph generated from haproxy counters looks like
2152 a hedgehog. With this option enabled counters get incremented continuously,
2153 during a whole session. Recounting touches a hotpath directly so
2154 it is not enabled by default, as it has small performance impact (~0.5%).
2155
2156
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002157option dontlog-normal
2158no option dontlog-normal
2159 Enable or disable logging of normal, successful connections
2160 May be used in sections : defaults | frontend | listen | backend
2161 yes | yes | yes | no
2162 Arguments : none
2163
2164 There are large sites dealing with several thousand connections per second
2165 and for which logging is a major pain. Some of them are even forced to turn
2166 logs off and cannot debug production issues. Setting this option ensures that
2167 normal connections, those which experience no error, no timeout, no retry nor
2168 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
2169 mode, the response status code is checked and return codes 5xx will still be
2170 logged.
2171
2172 It is strongly discouraged to use this option as most of the time, the key to
2173 complex issues is in the normal logs which will not be logged here. If you
2174 need to separate logs, see the "log-separate-errors" option instead.
2175
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002176 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002177 logging.
2178
2179
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002180option dontlognull
2181no option dontlognull
2182 Enable or disable logging of null connections
2183 May be used in sections : defaults | frontend | listen | backend
2184 yes | yes | yes | no
2185 Arguments : none
2186
2187 In certain environments, there are components which will regularly connect to
2188 various systems to ensure that they are still alive. It can be the case from
2189 another load balancer as well as from monitoring systems. By default, even a
2190 simple port probe or scan will produce a log. If those connections pollute
2191 the logs too much, it is possible to enable option "dontlognull" to indicate
2192 that a connection on which no data has been transferred will not be logged,
2193 which typically corresponds to those probes.
2194
2195 It is generally recommended not to use this option in uncontrolled
2196 environments (eg: internet), otherwise scans and other malicious activities
2197 would not be logged.
2198
2199 If this option has been enabled in a "defaults" section, it can be disabled
2200 in a specific instance by prepending the "no" keyword before it.
2201
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002202 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002203
2204
2205option forceclose
2206no option forceclose
2207 Enable or disable active connection closing after response is transferred.
2208 May be used in sections : defaults | frontend | listen | backend
2209 yes | no | yes | yes
2210 Arguments : none
2211
2212 Some HTTP servers do not necessarily close the connections when they receive
2213 the "Connection: close" set by "option httpclose", and if the client does not
2214 close either, then the connection remains open till the timeout expires. This
2215 causes high number of simultaneous connections on the servers and shows high
2216 global session times in the logs.
2217
2218 When this happens, it is possible to use "option forceclose". It will
2219 actively close the outgoing server channel as soon as the server begins to
2220 reply and only if the request buffer is empty. Note that this should NOT be
2221 used if CONNECT requests are expected between the client and the server. This
2222 option implicitly enables the "httpclose" option.
2223
2224 If this option has been enabled in a "defaults" section, it can be disabled
2225 in a specific instance by prepending the "no" keyword before it.
2226
2227 See also : "option httpclose"
2228
2229
Ross Westaf72a1d2008-08-03 10:51:45 +02002230option forwardfor [ except <network> ] [ header <name> ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01002231 Enable insertion of the X-Forwarded-For header to requests sent to servers
2232 May be used in sections : defaults | frontend | listen | backend
2233 yes | yes | yes | yes
2234 Arguments :
2235 <network> is an optional argument used to disable this option for sources
2236 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02002237 <name> an optional argument to specify a different "X-Forwarded-For"
2238 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002239
2240 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2241 their client address. This is sometimes annoying when the client's IP address
2242 is expected in server logs. To solve this problem, the well-known HTTP header
2243 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2244 This header contains a value representing the client's IP address. Since this
2245 header is always appended at the end of the existing header list, the server
2246 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02002247 the server's manual to find how to enable use of this standard header. Note
2248 that only the last occurrence of the header must be used, since it is really
2249 possible that the client has already brought one.
2250
2251 The keyword "header" may be used to supply a different header name to replace
2252 the default "X-Forwarded-For". This can be useful where you might already
2253 have a "X-Forwarded-For" header from a different application (eg: stunnel),
2254 and you need preserve it. Also if your backend server doesn't use the
2255 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2256 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01002257
2258 Sometimes, a same HAProxy instance may be shared between a direct client
2259 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2260 used to decrypt HTTPS traffic). It is possible to disable the addition of the
2261 header for a known source address or network by adding the "except" keyword
2262 followed by the network address. In this case, any source IP matching the
2263 network will not cause an addition of this header. Most common uses are with
2264 private networks or 127.0.0.1.
2265
2266 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02002267 least one of them uses it, the header will be added. Note that the backend's
2268 setting of the header subargument takes precedence over the frontend's if
2269 both are defined.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002270
2271 It is important to note that as long as HAProxy does not support keep-alive
2272 connections, only the first request of a connection will receive the header.
2273 For this reason, it is important to ensure that "option httpclose" is set
2274 when using this option.
2275
Ross Westaf72a1d2008-08-03 10:51:45 +02002276 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01002277 # Public HTTP address also used by stunnel on the same machine
2278 frontend www
2279 mode http
2280 option forwardfor except 127.0.0.1 # stunnel already adds the header
2281
Ross Westaf72a1d2008-08-03 10:51:45 +02002282 # Those servers want the IP Address in X-Client
2283 backend www
2284 mode http
2285 option forwardfor header X-Client
2286
Willy Tarreauc27debf2008-01-06 08:57:02 +01002287 See also : "option httpclose"
2288
2289
Willy Tarreauc27debf2008-01-06 08:57:02 +01002290option httpchk
2291option httpchk <uri>
2292option httpchk <method> <uri>
2293option httpchk <method> <uri> <version>
2294 Enable HTTP protocol to check on the servers health
2295 May be used in sections : defaults | frontend | listen | backend
2296 yes | no | yes | yes
2297 Arguments :
2298 <method> is the optional HTTP method used with the requests. When not set,
2299 the "OPTIONS" method is used, as it generally requires low server
2300 processing and is easy to filter out from the logs. Any method
2301 may be used, though it is not recommended to invent non-standard
2302 ones.
2303
2304 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
2305 which is accessible by default on almost any server, but may be
2306 changed to any other URI. Query strings are permitted.
2307
2308 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
2309 but some servers might behave incorrectly in HTTP 1.0, so turning
2310 it to HTTP/1.1 may sometimes help. Note that the Host field is
2311 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
2312 after "\r\n" following the version string.
2313
2314 By default, server health checks only consist in trying to establish a TCP
2315 connection. When "option httpchk" is specified, a complete HTTP request is
2316 sent once the TCP connection is established, and responses 2xx and 3xx are
2317 considered valid, while all other ones indicate a server failure, including
2318 the lack of any response.
2319
2320 The port and interval are specified in the server configuration.
2321
2322 This option does not necessarily require an HTTP backend, it also works with
2323 plain TCP backends. This is particularly useful to check simple scripts bound
2324 to some dedicated ports using the inetd daemon.
2325
2326 Examples :
2327 # Relay HTTPS traffic to Apache instance and check service availability
2328 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
2329 backend https_relay
2330 mode tcp
Willy Tarreauebaf21a2008-03-21 20:17:14 +01002331 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
Willy Tarreauc27debf2008-01-06 08:57:02 +01002332 server apache1 192.168.1.1:443 check port 80
2333
2334 See also : "option ssl-hello-chk", "option smtpchk", "http-check" and the
2335 "check", "port" and "interval" server options.
2336
2337
2338option httpclose
2339no option httpclose
2340 Enable or disable passive HTTP connection closing
2341 May be used in sections : defaults | frontend | listen | backend
2342 yes | yes | yes | yes
2343 Arguments : none
2344
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002345 As stated in section 1, HAProxy does not yes support the HTTP keep-alive
Willy Tarreauc27debf2008-01-06 08:57:02 +01002346 mode. So by default, if a client communicates with a server in this mode, it
2347 will only analyze, log, and process the first request of each connection. To
2348 workaround this limitation, it is possible to specify "option httpclose". It
2349 will check if a "Connection: close" header is already set in each direction,
2350 and will add one if missing. Each end should react to this by actively
2351 closing the TCP connection after each transfer, thus resulting in a switch to
2352 the HTTP close mode. Any "Connection" header different from "close" will also
2353 be removed.
2354
2355 It seldom happens that some servers incorrectly ignore this header and do not
2356 close the connection eventough they reply "Connection: close". For this
2357 reason, they are not compatible with older HTTP 1.0 browsers. If this
2358 happens it is possible to use the "option forceclose" which actively closes
2359 the request connection once the server responds.
2360
2361 This option may be set both in a frontend and in a backend. It is enabled if
2362 at least one of the frontend or backend holding a connection has it enabled.
2363 If "option forceclose" is specified too, it has precedence over "httpclose".
2364
2365 If this option has been enabled in a "defaults" section, it can be disabled
2366 in a specific instance by prepending the "no" keyword before it.
2367
2368 See also : "option forceclose"
2369
2370
Emeric Brun3a058f32009-06-30 18:26:00 +02002371option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01002372 Enable logging of HTTP request, session state and timers
2373 May be used in sections : defaults | frontend | listen | backend
2374 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02002375 Arguments :
2376 clf if the "clf" argument is added, then the output format will be
2377 the CLF format instead of HAProxy's default HTTP format. You can
2378 use this when you need to feed HAProxy's logs through a specific
2379 log analyser which only support the CLF format and which is not
2380 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002381
2382 By default, the log output format is very poor, as it only contains the
2383 source and destination addresses, and the instance name. By specifying
2384 "option httplog", each log line turns into a much richer format including,
2385 but not limited to, the HTTP request, the connection timers, the session
2386 status, the connections numbers, the captured headers and cookies, the
2387 frontend, backend and server name, and of course the source address and
2388 ports.
2389
2390 This option may be set either in the frontend or the backend.
2391
Emeric Brun3a058f32009-06-30 18:26:00 +02002392 If this option has been enabled in a "defaults" section, it can be disabled
2393 in a specific instance by prepending the "no" keyword before it. Specifying
2394 only "option httplog" will automatically clear the 'clf' mode if it was set
2395 by default.
2396
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002397 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002398
Willy Tarreau55165fe2009-05-10 12:02:55 +02002399
2400option http_proxy
2401no option http_proxy
2402 Enable or disable plain HTTP proxy mode
2403 May be used in sections : defaults | frontend | listen | backend
2404 yes | yes | yes | yes
2405 Arguments : none
2406
2407 It sometimes happens that people need a pure HTTP proxy which understands
2408 basic proxy requests without caching nor any fancy feature. In this case,
2409 it may be worth setting up an HAProxy instance with the "option http_proxy"
2410 set. In this mode, no server is declared, and the connection is forwarded to
2411 the IP address and port found in the URL after the "http://" scheme.
2412
2413 No host address resolution is performed, so this only works when pure IP
2414 addresses are passed. Since this option's usage perimeter is rather limited,
2415 it will probably be used only by experts who know they need exactly it. Last,
2416 if the clients are susceptible of sending keep-alive requests, it will be
2417 needed to add "option http_close" to ensure that all requests will correctly
2418 be analyzed.
2419
2420 If this option has been enabled in a "defaults" section, it can be disabled
2421 in a specific instance by prepending the "no" keyword before it.
2422
2423 Example :
2424 # this backend understands HTTP proxy requests and forwards them directly.
2425 backend direct_forward
2426 option httpclose
2427 option http_proxy
2428
2429 See also : "option httpclose"
2430
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002431
2432option log-separate-errors
2433no option log-separate-errors
2434 Change log level for non-completely successful connections
2435 May be used in sections : defaults | frontend | listen | backend
2436 yes | yes | yes | no
2437 Arguments : none
2438
2439 Sometimes looking for errors in logs is not easy. This option makes haproxy
2440 raise the level of logs containing potentially interesting information such
2441 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
2442 level changes from "info" to "err". This makes it possible to log them
2443 separately to a different file with most syslog daemons. Be careful not to
2444 remove them from the original file, otherwise you would lose ordering which
2445 provides very important information.
2446
2447 Using this option, large sites dealing with several thousand connections per
2448 second may log normal traffic to a rotating buffer and only archive smaller
2449 error logs.
2450
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002451 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002452 logging.
2453
Willy Tarreauc27debf2008-01-06 08:57:02 +01002454
2455option logasap
2456no option logasap
2457 Enable or disable early logging of HTTP requests
2458 May be used in sections : defaults | frontend | listen | backend
2459 yes | yes | yes | no
2460 Arguments : none
2461
2462 By default, HTTP requests are logged upon termination so that the total
2463 transfer time and the number of bytes appear in the logs. When large objects
2464 are being transferred, it may take a while before the request appears in the
2465 logs. Using "option logasap", the request gets logged as soon as the server
2466 sends the complete headers. The only missing information in the logs will be
2467 the total number of bytes which will indicate everything except the amount
2468 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002469 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01002470 "Content-Length" response header so that the logs at least indicate how many
2471 bytes are expected to be transferred.
2472
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002473 Examples :
2474 listen http_proxy 0.0.0.0:80
2475 mode http
2476 option httplog
2477 option logasap
2478 log 192.168.2.200 local3
2479
2480 >>> Feb 6 12:14:14 localhost \
2481 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
2482 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
2483 "GET /image.iso HTTP/1.0"
2484
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002485 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01002486 logging.
2487
2488
Willy Tarreaua453bdd2008-01-08 19:50:52 +01002489option nolinger
2490no option nolinger
2491 Enable or disable immediate session ressource cleaning after close
2492 May be used in sections: defaults | frontend | listen | backend
2493 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01002494 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01002495
2496 When clients or servers abort connections in a dirty way (eg: they are
2497 physically disconnected), the session timeouts triggers and the session is
2498 closed. But it will remain in FIN_WAIT1 state for some time in the system,
2499 using some resources and possibly limiting the ability to establish newer
2500 connections.
2501
2502 When this happens, it is possible to activate "option nolinger" which forces
2503 the system to immediately remove any socket's pending data on close. Thus,
2504 the session is instantly purged from the system's tables. This usually has
2505 side effects such as increased number of TCP resets due to old retransmits
2506 getting immediately rejected. Some firewalls may sometimes complain about
2507 this too.
2508
2509 For this reason, it is not recommended to use this option when not absolutely
2510 needed. You know that you need it when you have thousands of FIN_WAIT1
2511 sessions on your system (TIME_WAIT ones do not count).
2512
2513 This option may be used both on frontends and backends, depending on the side
2514 where it is required. Use it on the frontend for clients, and on the backend
2515 for servers.
2516
2517 If this option has been enabled in a "defaults" section, it can be disabled
2518 in a specific instance by prepending the "no" keyword before it.
2519
2520
Willy Tarreau55165fe2009-05-10 12:02:55 +02002521option originalto [ except <network> ] [ header <name> ]
2522 Enable insertion of the X-Original-To header to requests sent to servers
2523 May be used in sections : defaults | frontend | listen | backend
2524 yes | yes | yes | yes
2525 Arguments :
2526 <network> is an optional argument used to disable this option for sources
2527 matching <network>
2528 <name> an optional argument to specify a different "X-Original-To"
2529 header name.
2530
2531 Since HAProxy can work in transparent mode, every request from a client can
2532 be redirected to the proxy and HAProxy itself can proxy every request to a
2533 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
2534 be lost. This is annoying when you want access rules based on destination ip
2535 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
2536 added by HAProxy to all requests sent to the server. This header contains a
2537 value representing the original destination IP address. Since this must be
2538 configured to always use the last occurrence of this header only. Note that
2539 only the last occurrence of the header must be used, since it is really
2540 possible that the client has already brought one.
2541
2542 The keyword "header" may be used to supply a different header name to replace
2543 the default "X-Original-To". This can be useful where you might already
2544 have a "X-Original-To" header from a different application, and you need
2545 preserve it. Also if your backend server doesn't use the "X-Original-To"
2546 header and requires different one.
2547
2548 Sometimes, a same HAProxy instance may be shared between a direct client
2549 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2550 used to decrypt HTTPS traffic). It is possible to disable the addition of the
2551 header for a known source address or network by adding the "except" keyword
2552 followed by the network address. In this case, any source IP matching the
2553 network will not cause an addition of this header. Most common uses are with
2554 private networks or 127.0.0.1.
2555
2556 This option may be specified either in the frontend or in the backend. If at
2557 least one of them uses it, the header will be added. Note that the backend's
2558 setting of the header subargument takes precedence over the frontend's if
2559 both are defined.
2560
2561 It is important to note that as long as HAProxy does not support keep-alive
2562 connections, only the first request of a connection will receive the header.
2563 For this reason, it is important to ensure that "option httpclose" is set
2564 when using this option.
2565
2566 Examples :
2567 # Original Destination address
2568 frontend www
2569 mode http
2570 option originalto except 127.0.0.1
2571
2572 # Those servers want the IP Address in X-Client-Dst
2573 backend www
2574 mode http
2575 option originalto header X-Client-Dst
2576
2577 See also : "option httpclose"
2578
2579
Willy Tarreaua453bdd2008-01-08 19:50:52 +01002580option persist
2581no option persist
2582 Enable or disable forced persistence on down servers
2583 May be used in sections: defaults | frontend | listen | backend
2584 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01002585 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01002586
2587 When an HTTP request reaches a backend with a cookie which references a dead
2588 server, by default it is redispatched to another server. It is possible to
2589 force the request to be sent to the dead server first using "option persist"
2590 if absolutely needed. A common use case is when servers are under extreme
2591 load and spend their time flapping. In this case, the users would still be
2592 directed to the server they opened the session on, in the hope they would be
2593 correctly served. It is recommended to use "option redispatch" in conjunction
2594 with this option so that in the event it would not be possible to connect to
2595 the server at all (server definitely dead), the client would finally be
2596 redirected to another valid server.
2597
2598 If this option has been enabled in a "defaults" section, it can be disabled
2599 in a specific instance by prepending the "no" keyword before it.
2600
2601 See also : "option redispatch", "retries"
2602
2603
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01002604option redispatch
2605no option redispatch
2606 Enable or disable session redistribution in case of connection failure
2607 May be used in sections: defaults | frontend | listen | backend
2608 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01002609 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01002610
2611 In HTTP mode, if a server designated by a cookie is down, clients may
2612 definitely stick to it because they cannot flush the cookie, so they will not
2613 be able to access the service anymore.
2614
2615 Specifying "option redispatch" will allow the proxy to break their
2616 persistence and redistribute them to a working server.
2617
2618 It also allows to retry last connection to another server in case of multiple
2619 connection failures. Of course, it requires having "retries" set to a nonzero
2620 value.
2621
2622 This form is the preferred form, which replaces both the "redispatch" and
2623 "redisp" keywords.
2624
2625 If this option has been enabled in a "defaults" section, it can be disabled
2626 in a specific instance by prepending the "no" keyword before it.
2627
2628 See also : "redispatch", "retries"
2629
Willy Tarreaua453bdd2008-01-08 19:50:52 +01002630
2631option smtpchk
2632option smtpchk <hello> <domain>
2633 Use SMTP health checks for server testing
2634 May be used in sections : defaults | frontend | listen | backend
2635 yes | no | yes | yes
2636 Arguments :
2637 <hello> is an optional argument. It is the "hello" command to use. It can
2638 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
2639 values will be turned into the default command ("HELO").
2640
2641 <domain> is the domain name to present to the server. It may only be
2642 specified (and is mandatory) if the hello command has been
2643 specified. By default, "localhost" is used.
2644
2645 When "option smtpchk" is set, the health checks will consist in TCP
2646 connections followed by an SMTP command. By default, this command is
2647 "HELO localhost". The server's return code is analyzed and only return codes
2648 starting with a "2" will be considered as valid. All other responses,
2649 including a lack of response will constitute an error and will indicate a
2650 dead server.
2651
2652 This test is meant to be used with SMTP servers or relays. Depending on the
2653 request, it is possible that some servers do not log each connection attempt,
2654 so you may want to experiment to improve the behaviour. Using telnet on port
2655 25 is often easier than adjusting the configuration.
2656
2657 Most often, an incoming SMTP server needs to see the client's IP address for
2658 various purposes, including spam filtering, anti-spoofing and logging. When
2659 possible, it is often wise to masquerade the client's IP address when
2660 connecting to the server using the "usesrc" argument of the "source" keyword,
2661 which requires the cttproxy feature to be compiled in.
2662
2663 Example :
2664 option smtpchk HELO mydomain.org
2665
2666 See also : "option httpchk", "source"
2667
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01002668
Willy Tarreauff4f82d2009-02-06 11:28:13 +01002669option splice-auto
2670no option splice-auto
2671 Enable or disable automatic kernel acceleration on sockets in both directions
2672 May be used in sections : defaults | frontend | listen | backend
2673 yes | yes | yes | yes
2674 Arguments : none
2675
2676 When this option is enabled either on a frontend or on a backend, haproxy
2677 will automatically evaluate the opportunity to use kernel tcp splicing to
2678 forward data between the client and the server, in either direction. Haproxy
2679 uses heuristics to estimate if kernel splicing might improve performance or
2680 not. Both directions are handled independantly. Note that the heuristics used
2681 are not much aggressive in order to limit excessive use of splicing. This
2682 option requires splicing to be enabled at compile time, and may be globally
2683 disabled with the global option "nosplice". Since splice uses pipes, using it
2684 requires that there are enough spare pipes.
2685
2686 Important note: kernel-based TCP splicing is a Linux-specific feature which
2687 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
2688 transfer data between sockets without copying these data to user-space, thus
2689 providing noticeable performance gains and CPU cycles savings. Since many
2690 early implementations are buggy, corrupt data and/or are inefficient, this
2691 feature is not enabled by default, and it should be used with extreme care.
2692 While it is not possible to detect the correctness of an implementation,
2693 2.6.29 is the first version offering a properly working implementation. In
2694 case of doubt, splicing may be globally disabled using the global "nosplice"
2695 keyword.
2696
2697 Example :
2698 option splice-auto
2699
2700 If this option has been enabled in a "defaults" section, it can be disabled
2701 in a specific instance by prepending the "no" keyword before it.
2702
2703 See also : "option splice-request", "option splice-response", and global
2704 options "nosplice" and "maxpipes"
2705
2706
2707option splice-request
2708no option splice-request
2709 Enable or disable automatic kernel acceleration on sockets for requests
2710 May be used in sections : defaults | frontend | listen | backend
2711 yes | yes | yes | yes
2712 Arguments : none
2713
2714 When this option is enabled either on a frontend or on a backend, haproxy
2715 will user kernel tcp splicing whenever possible to forward data going from
2716 the client to the server. It might still use the recv/send scheme if there
2717 are no spare pipes left. This option requires splicing to be enabled at
2718 compile time, and may be globally disabled with the global option "nosplice".
2719 Since splice uses pipes, using it requires that there are enough spare pipes.
2720
2721 Important note: see "option splice-auto" for usage limitations.
2722
2723 Example :
2724 option splice-request
2725
2726 If this option has been enabled in a "defaults" section, it can be disabled
2727 in a specific instance by prepending the "no" keyword before it.
2728
2729 See also : "option splice-auto", "option splice-response", and global options
2730 "nosplice" and "maxpipes"
2731
2732
2733option splice-response
2734no option splice-response
2735 Enable or disable automatic kernel acceleration on sockets for responses
2736 May be used in sections : defaults | frontend | listen | backend
2737 yes | yes | yes | yes
2738 Arguments : none
2739
2740 When this option is enabled either on a frontend or on a backend, haproxy
2741 will user kernel tcp splicing whenever possible to forward data going from
2742 the server to the client. It might still use the recv/send scheme if there
2743 are no spare pipes left. This option requires splicing to be enabled at
2744 compile time, and may be globally disabled with the global option "nosplice".
2745 Since splice uses pipes, using it requires that there are enough spare pipes.
2746
2747 Important note: see "option splice-auto" for usage limitations.
2748
2749 Example :
2750 option splice-response
2751
2752 If this option has been enabled in a "defaults" section, it can be disabled
2753 in a specific instance by prepending the "no" keyword before it.
2754
2755 See also : "option splice-auto", "option splice-request", and global options
2756 "nosplice" and "maxpipes"
2757
2758
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002759option srvtcpka
2760no option srvtcpka
2761 Enable or disable the sending of TCP keepalive packets on the server side
2762 May be used in sections : defaults | frontend | listen | backend
2763 yes | no | yes | yes
2764 Arguments : none
2765
2766 When there is a firewall or any session-aware component between a client and
2767 a server, and when the protocol involves very long sessions with long idle
2768 periods (eg: remote desktops), there is a risk that one of the intermediate
2769 components decides to expire a session which has remained idle for too long.
2770
2771 Enabling socket-level TCP keep-alives makes the system regularly send packets
2772 to the other end of the connection, leaving it active. The delay between
2773 keep-alive probes is controlled by the system only and depends both on the
2774 operating system and its tuning parameters.
2775
2776 It is important to understand that keep-alive packets are neither emitted nor
2777 received at the application level. It is only the network stacks which sees
2778 them. For this reason, even if one side of the proxy already uses keep-alives
2779 to maintain its connection alive, those keep-alive packets will not be
2780 forwarded to the other side of the proxy.
2781
2782 Please note that this has nothing to do with HTTP keep-alive.
2783
2784 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
2785 server side of a connection, which should help when session expirations are
2786 noticed between HAProxy and a server.
2787
2788 If this option has been enabled in a "defaults" section, it can be disabled
2789 in a specific instance by prepending the "no" keyword before it.
2790
2791 See also : "option clitcpka", "option tcpka"
2792
2793
Willy Tarreaua453bdd2008-01-08 19:50:52 +01002794option ssl-hello-chk
2795 Use SSLv3 client hello health checks for server testing
2796 May be used in sections : defaults | frontend | listen | backend
2797 yes | no | yes | yes
2798 Arguments : none
2799
2800 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
2801 possible to test that the server correctly talks SSL instead of just testing
2802 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
2803 SSLv3 client hello messages are sent once the connection is established to
2804 the server, and the response is analyzed to find an SSL server hello message.
2805 The server is considered valid only when the response contains this server
2806 hello message.
2807
2808 All servers tested till there correctly reply to SSLv3 client hello messages,
2809 and most servers tested do not even log the requests containing only hello
2810 messages, which is appreciable.
2811
2812 See also: "option httpchk"
2813
2814
Willy Tarreau9ea05a72009-06-14 12:07:01 +02002815option tcp-smart-accept
2816no option tcp-smart-accept
2817 Enable or disable the saving of one ACK packet during the accept sequence
2818 May be used in sections : defaults | frontend | listen | backend
2819 yes | yes | yes | no
2820 Arguments : none
2821
2822 When an HTTP connection request comes in, the system acknowledges it on
2823 behalf of HAProxy, then the client immediately sends its request, and the
2824 system acknowledges it too while it is notifying HAProxy about the new
2825 connection. HAProxy then reads the request and responds. This means that we
2826 have one TCP ACK sent by the system for nothing, because the request could
2827 very well be acknowledged by HAProxy when it sends its response.
2828
2829 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
2830 sending this useless ACK on platforms which support it (currently at least
2831 Linux). It must not cause any problem, because the system will send it anyway
2832 after 40 ms if the response takes more time than expected to come.
2833
2834 During complex network debugging sessions, it may be desirable to disable
2835 this optimization because delayed ACKs can make troubleshooting more complex
2836 when trying to identify where packets are delayed. It is then possible to
2837 fall back to normal behaviour by specifying "no option tcp-smart-accept".
2838
2839 It is also possible to force it for non-HTTP proxies by simply specifying
2840 "option tcp-smart-accept". For instance, it can make sense with some services
2841 such as SMTP where the server speaks first.
2842
2843 It is recommended to avoid forcing this option in a defaults section. In case
2844 of doubt, consider setting it back to automatic values by prepending the
2845 "default" keyword before it, or disabling it using the "no" keyword.
2846
Willy Tarreaud88edf22009-06-14 15:48:17 +02002847 See also : "option tcp-smart-connect"
2848
2849
2850option tcp-smart-connect
2851no option tcp-smart-connect
2852 Enable or disable the saving of one ACK packet during the connect sequence
2853 May be used in sections : defaults | frontend | listen | backend
2854 yes | no | yes | yes
2855 Arguments : none
2856
2857 On certain systems (at least Linux), HAProxy can ask the kernel not to
2858 immediately send an empty ACK upon a connection request, but to directly
2859 send the buffer request instead. This saves one packet on the network and
2860 thus boosts performance. It can also be useful for some servers, because they
2861 immediately get the request along with the incoming connection.
2862
2863 This feature is enabled when "option tcp-smart-connect" is set in a backend.
2864 It is not enabled by default because it makes network troubleshooting more
2865 complex.
2866
2867 It only makes sense to enable it with protocols where the client speaks first
2868 such as HTTP. In other situations, if there is no data to send in place of
2869 the ACK, a normal ACK is sent.
2870
2871 If this option has been enabled in a "defaults" section, it can be disabled
2872 in a specific instance by prepending the "no" keyword before it.
2873
2874 See also : "option tcp-smart-accept"
2875
Willy Tarreau9ea05a72009-06-14 12:07:01 +02002876
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002877option tcpka
2878 Enable or disable the sending of TCP keepalive packets on both sides
2879 May be used in sections : defaults | frontend | listen | backend
2880 yes | yes | yes | yes
2881 Arguments : none
2882
2883 When there is a firewall or any session-aware component between a client and
2884 a server, and when the protocol involves very long sessions with long idle
2885 periods (eg: remote desktops), there is a risk that one of the intermediate
2886 components decides to expire a session which has remained idle for too long.
2887
2888 Enabling socket-level TCP keep-alives makes the system regularly send packets
2889 to the other end of the connection, leaving it active. The delay between
2890 keep-alive probes is controlled by the system only and depends both on the
2891 operating system and its tuning parameters.
2892
2893 It is important to understand that keep-alive packets are neither emitted nor
2894 received at the application level. It is only the network stacks which sees
2895 them. For this reason, even if one side of the proxy already uses keep-alives
2896 to maintain its connection alive, those keep-alive packets will not be
2897 forwarded to the other side of the proxy.
2898
2899 Please note that this has nothing to do with HTTP keep-alive.
2900
2901 Using option "tcpka" enables the emission of TCP keep-alive probes on both
2902 the client and server sides of a connection. Note that this is meaningful
2903 only in "defaults" or "listen" sections. If this option is used in a
2904 frontend, only the client side will get keep-alives, and if this option is
2905 used in a backend, only the server side will get keep-alives. For this
2906 reason, it is strongly recommended to explicitly use "option clitcpka" and
2907 "option srvtcpka" when the configuration is split between frontends and
2908 backends.
2909
2910 See also : "option clitcpka", "option srvtcpka"
2911
Willy Tarreau844e3c52008-01-11 16:28:18 +01002912
2913option tcplog
2914 Enable advanced logging of TCP connections with session state and timers
2915 May be used in sections : defaults | frontend | listen | backend
2916 yes | yes | yes | yes
2917 Arguments : none
2918
2919 By default, the log output format is very poor, as it only contains the
2920 source and destination addresses, and the instance name. By specifying
2921 "option tcplog", each log line turns into a much richer format including, but
2922 not limited to, the connection timers, the session status, the connections
2923 numbers, the frontend, backend and server name, and of course the source
2924 address and ports. This option is useful for pure TCP proxies in order to
2925 find which of the client or server disconnects or times out. For normal HTTP
2926 proxies, it's better to use "option httplog" which is even more complete.
2927
2928 This option may be set either in the frontend or the backend.
2929
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002930 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01002931
2932
Willy Tarreau844e3c52008-01-11 16:28:18 +01002933option transparent
2934no option transparent
2935 Enable client-side transparent proxying
2936 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01002937 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01002938 Arguments : none
2939
2940 This option was introduced in order to provide layer 7 persistence to layer 3
2941 load balancers. The idea is to use the OS's ability to redirect an incoming
2942 connection for a remote address to a local process (here HAProxy), and let
2943 this process know what address was initially requested. When this option is
2944 used, sessions without cookies will be forwarded to the original destination
2945 IP address of the incoming request (which should match that of another
2946 equipment), while requests with cookies will still be forwarded to the
2947 appropriate server.
2948
2949 Note that contrary to a common belief, this option does NOT make HAProxy
2950 present the client's IP to the server when establishing the connection.
2951
Willy Tarreaueabeafa2008-01-16 16:17:06 +01002952 See also: the "usersrc" argument of the "source" keyword, and the
2953 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01002954
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002955
Emeric Brun647caf12009-06-30 17:57:00 +02002956persist rdp-cookie
2957persist rdp-cookie(name)
2958 Enable RDP cookie-based persistence
2959 May be used in sections : defaults | frontend | listen | backend
2960 yes | no | yes | yes
2961 Arguments :
2962 <name> is the optional name of the RDP cookie to check. If omitted, the
2963 default cookie name "mstshash" will be used. There currently is
2964 no valid reason to change this name.
2965
2966 This statement enables persistence based on an RDP cookie. The RDP cookie
2967 contains all information required to find the server in the list of known
2968 servers. So when this option is set in the backend, the request is analysed
2969 and if an RDP cookie is found, it is decoded. If it matches a known server
2970 which is still UP (or if "option persist" is set), then the connection is
2971 forwarded to this server.
2972
2973 Note that this only makes sense in a TCP backend, but for this to work, the
2974 frontend must have waited long enough to ensure that an RDP cookie is present
2975 in the request buffer. This is the same requirement as with the "rdp-cookie"
2976 load-balancing method. Thus it is higly recommended to put all statements in
2977 a single "listen" section.
2978
2979 Example :
2980 listen tse-farm
2981 bind :3389
2982 # wait up to 5s for an RDP cookie in the request
2983 tcp-request inspect-delay 5s
2984 tcp-request content accept if RDP_COOKIE
2985 # apply RDP cookie persistence
2986 persist rdp-cookie
2987 # if server is unknown, let's balance on the same cookie.
2988 # alternatively, "balance leastconn" may be useful too.
2989 balance rdp-cookie
2990 server srv1 1.1.1.1:3389
2991 server srv2 1.1.1.2:3389
2992
2993 See also : "balance rdp-cookie", "tcp-request" and the "req_rdp_cookie" ACL.
2994
2995
Willy Tarreau3a7d2072009-03-05 23:48:25 +01002996rate-limit sessions <rate>
2997 Set a limit on the number of new sessions accepted per second on a frontend
2998 May be used in sections : defaults | frontend | listen | backend
2999 yes | yes | yes | no
3000 Arguments :
3001 <rate> The <rate> parameter is an integer designating the maximum number
3002 of new sessions per second to accept on the frontend.
3003
3004 When the frontend reaches the specified number of new sessions per second, it
3005 stops accepting new connections until the rate drops below the limit again.
3006 During this time, the pending sessions will be kept in the socket's backlog
3007 (in system buffers) and haproxy will not even be aware that sessions are
3008 pending. When applying very low limit on a highly loaded service, it may make
3009 sense to increase the socket's backlog using the "backlog" keyword.
3010
3011 This feature is particularly efficient at blocking connection-based attacks
3012 or service abuse on fragile servers. Since the session rate is measured every
3013 millisecond, it is extremely accurate. Also, the limit applies immediately,
3014 no delay is needed at all to detect the threshold.
3015
3016 Example : limit the connection rate on SMTP to 10 per second max
3017 listen smtp
3018 mode tcp
3019 bind :25
3020 rate-limit sessions 10
3021 server 127.0.0.1:1025
3022
3023 Note : when the maximum rate is reached, the frontend's status appears as
3024 "FULL" in the statistics, exactly as when it is saturated.
3025
3026 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
3027
3028
Willy Tarreau0140f252008-11-19 21:07:09 +01003029redirect location <to> [code <code>] <option> {if | unless} <condition>
3030redirect prefix <to> [code <code>] <option> {if | unless} <condition>
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003031 Return an HTTP redirection if/unless a condition is matched
3032 May be used in sections : defaults | frontend | listen | backend
3033 no | yes | yes | yes
3034
3035 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreau0140f252008-11-19 21:07:09 +01003036 response.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003037
Willy Tarreau0140f252008-11-19 21:07:09 +01003038 Arguments :
3039 <to> With "redirect location", the exact value in <to> is placed into
3040 the HTTP "Location" header. In case of "redirect prefix", the
3041 "Location" header is built from the concatenation of <to> and the
3042 complete URI, including the query string, unless the "drop-query"
Willy Tarreaufe651a52008-11-19 21:15:17 +01003043 option is specified (see below). As a special case, if <to>
3044 equals exactly "/" in prefix mode, then nothing is inserted
3045 before the original URI. It allows one to redirect to the same
3046 URL.
Willy Tarreau0140f252008-11-19 21:07:09 +01003047
3048 <code> The code is optional. It indicates which type of HTTP redirection
3049 is desired. Only codes 301, 302 and 303 are supported, and 302 is
3050 used if no code is specified. 301 means "Moved permanently", and
3051 a browser may cache the Location. 302 means "Moved permanently"
3052 and means that the browser should not cache the redirection. 303
3053 is equivalent to 302 except that the browser will fetch the
3054 location with a GET method.
3055
3056 <option> There are several options which can be specified to adjust the
3057 expected behaviour of a redirection :
3058
3059 - "drop-query"
3060 When this keyword is used in a prefix-based redirection, then the
3061 location will be set without any possible query-string, which is useful
3062 for directing users to a non-secure page for instance. It has no effect
3063 with a location-type redirect.
3064
3065 - "set-cookie NAME[=value]"
3066 A "Set-Cookie" header will be added with NAME (and optionally "=value")
3067 to the response. This is sometimes used to indicate that a user has
3068 been seen, for instance to protect against some types of DoS. No other
3069 cookie option is added, so the cookie will be a session cookie. Note
3070 that for a browser, a sole cookie name without an equal sign is
3071 different from a cookie with an equal sign.
3072
3073 - "clear-cookie NAME[=]"
3074 A "Set-Cookie" header will be added with NAME (and optionally "="), but
3075 with the "Max-Age" attribute set to zero. This will tell the browser to
3076 delete this cookie. It is useful for instance on logout pages. It is
3077 important to note that clearing the cookie "NAME" will not remove a
3078 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
3079 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003080
3081 Example: move the login URL only to HTTPS.
3082 acl clear dst_port 80
3083 acl secure dst_port 8080
3084 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01003085 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01003086 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01003087 acl cookie_set hdr_sub(cookie) SEEN=1
3088
3089 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01003090 redirect prefix https://mysite.com if login_page !secure
3091 redirect prefix http://mysite.com drop-query if login_page !uid_given
3092 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01003093 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003094
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003095 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003096
3097
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003098redisp (deprecated)
3099redispatch (deprecated)
3100 Enable or disable session redistribution in case of connection failure
3101 May be used in sections: defaults | frontend | listen | backend
3102 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003103 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003104
3105 In HTTP mode, if a server designated by a cookie is down, clients may
3106 definitely stick to it because they cannot flush the cookie, so they will not
3107 be able to access the service anymore.
3108
3109 Specifying "redispatch" will allow the proxy to break their persistence and
3110 redistribute them to a working server.
3111
3112 It also allows to retry last connection to another server in case of multiple
3113 connection failures. Of course, it requires having "retries" set to a nonzero
3114 value.
3115
3116 This form is deprecated, do not use it in any new configuration, use the new
3117 "option redispatch" instead.
3118
3119 See also : "option redispatch"
3120
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003121
Willy Tarreau303c0352008-01-17 19:01:39 +01003122reqadd <string>
3123 Add a header at the end of the HTTP request
3124 May be used in sections : defaults | frontend | listen | backend
3125 no | yes | yes | yes
3126 Arguments :
3127 <string> is the complete line to be added. Any space or known delimiter
3128 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003129 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003130
3131 A new line consisting in <string> followed by a line feed will be added after
3132 the last header of an HTTP request.
3133
3134 Header transformations only apply to traffic which passes through HAProxy,
3135 and not to traffic generated by HAProxy, such as health-checks or error
3136 responses.
3137
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003138 See also: "rspadd" and section 6 about HTTP header manipulation
Willy Tarreau303c0352008-01-17 19:01:39 +01003139
3140
3141reqallow <search>
3142reqiallow <search> (ignore case)
3143 Definitely allow an HTTP request if a line matches a regular expression
3144 May be used in sections : defaults | frontend | listen | backend
3145 no | yes | yes | yes
3146 Arguments :
3147 <search> is the regular expression applied to HTTP headers and to the
3148 request line. This is an extended regular expression. Parenthesis
3149 grouping is supported and no preliminary backslash is required.
3150 Any space or known delimiter must be escaped using a backslash
3151 ('\'). The pattern applies to a full line at a time. The
3152 "reqallow" keyword strictly matches case while "reqiallow"
3153 ignores case.
3154
3155 A request containing any line which matches extended regular expression
3156 <search> will mark the request as allowed, even if any later test would
3157 result in a deny. The test applies both to the request line and to request
3158 headers. Keep in mind that URLs in request line are case-sensitive while
3159 header names are not.
3160
3161 It is easier, faster and more powerful to use ACLs to write access policies.
3162 Reqdeny, reqallow and reqpass should be avoided in new designs.
3163
3164 Example :
3165 # allow www.* but refuse *.local
3166 reqiallow ^Host:\ www\.
3167 reqideny ^Host:\ .*\.local
3168
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003169 See also: "reqdeny", "acl", "block" and section 6 about HTTP header
Willy Tarreau303c0352008-01-17 19:01:39 +01003170 manipulation
3171
3172
3173reqdel <search>
3174reqidel <search> (ignore case)
3175 Delete all headers matching a regular expression in an HTTP request
3176 May be used in sections : defaults | frontend | listen | backend
3177 no | yes | yes | yes
3178 Arguments :
3179 <search> is the regular expression applied to HTTP headers and to the
3180 request line. This is an extended regular expression. Parenthesis
3181 grouping is supported and no preliminary backslash is required.
3182 Any space or known delimiter must be escaped using a backslash
3183 ('\'). The pattern applies to a full line at a time. The "reqdel"
3184 keyword strictly matches case while "reqidel" ignores case.
3185
3186 Any header line matching extended regular expression <search> in the request
3187 will be completely deleted. Most common use of this is to remove unwanted
3188 and/or dangerous headers or cookies from a request before passing it to the
3189 next servers.
3190
3191 Header transformations only apply to traffic which passes through HAProxy,
3192 and not to traffic generated by HAProxy, such as health-checks or error
3193 responses. Keep in mind that header names are not case-sensitive.
3194
3195 Example :
3196 # remove X-Forwarded-For header and SERVER cookie
3197 reqidel ^X-Forwarded-For:.*
3198 reqidel ^Cookie:.*SERVER=
3199
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003200 See also: "reqadd", "reqrep", "rspdel" and section 6 about HTTP header
Willy Tarreau303c0352008-01-17 19:01:39 +01003201 manipulation
3202
3203
3204reqdeny <search>
3205reqideny <search> (ignore case)
3206 Deny an HTTP request if a line matches a regular expression
3207 May be used in sections : defaults | frontend | listen | backend
3208 no | yes | yes | yes
3209 Arguments :
3210 <search> is the regular expression applied to HTTP headers and to the
3211 request line. This is an extended regular expression. Parenthesis
3212 grouping is supported and no preliminary backslash is required.
3213 Any space or known delimiter must be escaped using a backslash
3214 ('\'). The pattern applies to a full line at a time. The
3215 "reqdeny" keyword strictly matches case while "reqideny" ignores
3216 case.
3217
3218 A request containing any line which matches extended regular expression
3219 <search> will mark the request as denied, even if any later test would
3220 result in an allow. The test applies both to the request line and to request
3221 headers. Keep in mind that URLs in request line are case-sensitive while
3222 header names are not.
3223
Willy Tarreauced27012008-01-17 20:35:34 +01003224 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003225 complete request has been parsed. This is consistent with what is practiced
Willy Tarreauced27012008-01-17 20:35:34 +01003226 using ACLs.
3227
Willy Tarreau303c0352008-01-17 19:01:39 +01003228 It is easier, faster and more powerful to use ACLs to write access policies.
3229 Reqdeny, reqallow and reqpass should be avoided in new designs.
3230
3231 Example :
3232 # refuse *.local, then allow www.*
3233 reqideny ^Host:\ .*\.local
3234 reqiallow ^Host:\ www\.
3235
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003236 See also: "reqallow", "rspdeny", "acl", "block" and section 6 about HTTP
Willy Tarreau303c0352008-01-17 19:01:39 +01003237 header manipulation
3238
3239
3240reqpass <search>
3241reqipass <search> (ignore case)
3242 Ignore any HTTP request line matching a regular expression in next rules
3243 May be used in sections : defaults | frontend | listen | backend
3244 no | yes | yes | yes
3245 Arguments :
3246 <search> is the regular expression applied to HTTP headers and to the
3247 request line. This is an extended regular expression. Parenthesis
3248 grouping is supported and no preliminary backslash is required.
3249 Any space or known delimiter must be escaped using a backslash
3250 ('\'). The pattern applies to a full line at a time. The
3251 "reqpass" keyword strictly matches case while "reqipass" ignores
3252 case.
3253
3254 A request containing any line which matches extended regular expression
3255 <search> will skip next rules, without assigning any deny or allow verdict.
3256 The test applies both to the request line and to request headers. Keep in
3257 mind that URLs in request line are case-sensitive while header names are not.
3258
3259 It is easier, faster and more powerful to use ACLs to write access policies.
3260 Reqdeny, reqallow and reqpass should be avoided in new designs.
3261
3262 Example :
3263 # refuse *.local, then allow www.*, but ignore "www.private.local"
3264 reqipass ^Host:\ www.private\.local
3265 reqideny ^Host:\ .*\.local
3266 reqiallow ^Host:\ www\.
3267
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003268 See also: "reqallow", "reqdeny", "acl", "block" and section 6 about HTTP
Willy Tarreau303c0352008-01-17 19:01:39 +01003269 header manipulation
3270
3271
3272reqrep <search> <string>
3273reqirep <search> <string> (ignore case)
3274 Replace a regular expression with a string in an HTTP request line
3275 May be used in sections : defaults | frontend | listen | backend
3276 no | yes | yes | yes
3277 Arguments :
3278 <search> is the regular expression applied to HTTP headers and to the
3279 request line. This is an extended regular expression. Parenthesis
3280 grouping is supported and no preliminary backslash is required.
3281 Any space or known delimiter must be escaped using a backslash
3282 ('\'). The pattern applies to a full line at a time. The "reqrep"
3283 keyword strictly matches case while "reqirep" ignores case.
3284
3285 <string> is the complete line to be added. Any space or known delimiter
3286 must be escaped using a backslash ('\'). References to matched
3287 pattern groups are possible using the common \N form, with N
3288 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003289 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003290
3291 Any line matching extended regular expression <search> in the request (both
3292 the request line and header lines) will be completely replaced with <string>.
3293 Most common use of this is to rewrite URLs or domain names in "Host" headers.
3294
3295 Header transformations only apply to traffic which passes through HAProxy,
3296 and not to traffic generated by HAProxy, such as health-checks or error
3297 responses. Note that for increased readability, it is suggested to add enough
3298 spaces between the request and the response. Keep in mind that URLs in
3299 request line are case-sensitive while header names are not.
3300
3301 Example :
3302 # replace "/static/" with "/" at the beginning of any request path.
3303 reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
3304 # replace "www.mydomain.com" with "www" in the host name.
3305 reqirep ^Host:\ www.mydomain.com Host:\ www
3306
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003307 See also: "reqadd", "reqdel", "rsprep" and section 6 about HTTP header
Willy Tarreau303c0352008-01-17 19:01:39 +01003308 manipulation
3309
3310
3311reqtarpit <search>
3312reqitarpit <search> (ignore case)
3313 Tarpit an HTTP request containing a line matching a regular expression
3314 May be used in sections : defaults | frontend | listen | backend
3315 no | yes | yes | yes
3316 Arguments :
3317 <search> is the regular expression applied to HTTP headers and to the
3318 request line. This is an extended regular expression. Parenthesis
3319 grouping is supported and no preliminary backslash is required.
3320 Any space or known delimiter must be escaped using a backslash
3321 ('\'). The pattern applies to a full line at a time. The
3322 "reqtarpit" keyword strictly matches case while "reqitarpit"
3323 ignores case.
3324
3325 A request containing any line which matches extended regular expression
3326 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01003327 be kept open for a pre-defined time, then will return an HTTP error 500 so
3328 that the attacker does not suspect it has been tarpitted. The status 500 will
3329 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01003330 delay is defined by "timeout tarpit", or "timeout connect" if the former is
3331 not set.
3332
3333 The goal of the tarpit is to slow down robots attacking servers with
3334 identifiable requests. Many robots limit their outgoing number of connections
3335 and stay connected waiting for a reply which can take several minutes to
3336 come. Depending on the environment and attack, it may be particularly
3337 efficient at reducing the load on the network and firewalls.
3338
3339 Example :
3340 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
3341 # block all others.
3342 reqipass ^User-Agent:\.*(Mozilla|MSIE)
3343 reqitarpit ^User-Agent:
3344
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003345 See also: "reqallow", "reqdeny", "reqpass", and section 6 about HTTP header
Willy Tarreau303c0352008-01-17 19:01:39 +01003346 manipulation
3347
3348
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02003349retries <value>
3350 Set the number of retries to perform on a server after a connection failure
3351 May be used in sections: defaults | frontend | listen | backend
3352 yes | no | yes | yes
3353 Arguments :
3354 <value> is the number of times a connection attempt should be retried on
3355 a server when a connection either is refused or times out. The
3356 default value is 3.
3357
3358 It is important to understand that this value applies to the number of
3359 connection attempts, not full requests. When a connection has effectively
3360 been established to a server, there will be no more retry.
3361
3362 In order to avoid immediate reconnections to a server which is restarting,
3363 a turn-around timer of 1 second is applied before a retry occurs.
3364
3365 When "option redispatch" is set, the last retry may be performed on another
3366 server even if a cookie references a different server.
3367
3368 See also : "option redispatch"
3369
3370
Willy Tarreau303c0352008-01-17 19:01:39 +01003371rspadd <string>
3372 Add a header at the end of the HTTP response
3373 May be used in sections : defaults | frontend | listen | backend
3374 no | yes | yes | yes
3375 Arguments :
3376 <string> is the complete line to be added. Any space or known delimiter
3377 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003378 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003379
3380 A new line consisting in <string> followed by a line feed will be added after
3381 the last header of an HTTP response.
3382
3383 Header transformations only apply to traffic which passes through HAProxy,
3384 and not to traffic generated by HAProxy, such as health-checks or error
3385 responses.
3386
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003387 See also: "reqadd" and section 6 about HTTP header manipulation
Willy Tarreau303c0352008-01-17 19:01:39 +01003388
3389
3390rspdel <search>
3391rspidel <search> (ignore case)
3392 Delete all headers matching a regular expression in an HTTP response
3393 May be used in sections : defaults | frontend | listen | backend
3394 no | yes | yes | yes
3395 Arguments :
3396 <search> is the regular expression applied to HTTP headers and to the
3397 response line. This is an extended regular expression, so
3398 parenthesis grouping is supported and no preliminary backslash
3399 is required. Any space or known delimiter must be escaped using
3400 a backslash ('\'). The pattern applies to a full line at a time.
3401 The "rspdel" keyword strictly matches case while "rspidel"
3402 ignores case.
3403
3404 Any header line matching extended regular expression <search> in the response
3405 will be completely deleted. Most common use of this is to remove unwanted
3406 and/or sensible headers or cookies from a response before passing it to the
3407 client.
3408
3409 Header transformations only apply to traffic which passes through HAProxy,
3410 and not to traffic generated by HAProxy, such as health-checks or error
3411 responses. Keep in mind that header names are not case-sensitive.
3412
3413 Example :
3414 # remove the Server header from responses
3415 reqidel ^Server:.*
3416
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003417 See also: "rspadd", "rsprep", "reqdel" and section 6 about HTTP header
Willy Tarreau303c0352008-01-17 19:01:39 +01003418 manipulation
3419
3420
3421rspdeny <search>
3422rspideny <search> (ignore case)
3423 Block an HTTP response if a line matches a regular expression
3424 May be used in sections : defaults | frontend | listen | backend
3425 no | yes | yes | yes
3426 Arguments :
3427 <search> is the regular expression applied to HTTP headers and to the
3428 response line. This is an extended regular expression, so
3429 parenthesis grouping is supported and no preliminary backslash
3430 is required. Any space or known delimiter must be escaped using
3431 a backslash ('\'). The pattern applies to a full line at a time.
3432 The "rspdeny" keyword strictly matches case while "rspideny"
3433 ignores case.
3434
3435 A response containing any line which matches extended regular expression
3436 <search> will mark the request as denied. The test applies both to the
3437 response line and to response headers. Keep in mind that header names are not
3438 case-sensitive.
3439
3440 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01003441 block the response before it reaches the client. If a response is denied, it
3442 will be replaced with an HTTP 502 error so that the client never retrieves
3443 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01003444
3445 It is easier, faster and more powerful to use ACLs to write access policies.
3446 Rspdeny should be avoided in new designs.
3447
3448 Example :
3449 # Ensure that no content type matching ms-word will leak
3450 rspideny ^Content-type:\.*/ms-word
3451
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003452 See also: "reqdeny", "acl", "block" and section 6 about HTTP header
Willy Tarreau303c0352008-01-17 19:01:39 +01003453 manipulation
3454
3455
3456rsprep <search> <string>
3457rspirep <search> <string> (ignore case)
3458 Replace a regular expression with a string in an HTTP response line
3459 May be used in sections : defaults | frontend | listen | backend
3460 no | yes | yes | yes
3461 Arguments :
3462 <search> is the regular expression applied to HTTP headers and to the
3463 response line. This is an extended regular expression, so
3464 parenthesis grouping is supported and no preliminary backslash
3465 is required. Any space or known delimiter must be escaped using
3466 a backslash ('\'). The pattern applies to a full line at a time.
3467 The "rsprep" keyword strictly matches case while "rspirep"
3468 ignores case.
3469
3470 <string> is the complete line to be added. Any space or known delimiter
3471 must be escaped using a backslash ('\'). References to matched
3472 pattern groups are possible using the common \N form, with N
3473 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003474 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003475
3476 Any line matching extended regular expression <search> in the response (both
3477 the response line and header lines) will be completely replaced with
3478 <string>. Most common use of this is to rewrite Location headers.
3479
3480 Header transformations only apply to traffic which passes through HAProxy,
3481 and not to traffic generated by HAProxy, such as health-checks or error
3482 responses. Note that for increased readability, it is suggested to add enough
3483 spaces between the request and the response. Keep in mind that header names
3484 are not case-sensitive.
3485
3486 Example :
3487 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
3488 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
3489
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003490 See also: "rspadd", "rspdel", "reqrep" and section 6 about HTTP header
Willy Tarreau303c0352008-01-17 19:01:39 +01003491 manipulation
3492
3493
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003494server <name> <address>[:port] [param*]
3495 Declare a server in a backend
3496 May be used in sections : defaults | frontend | listen | backend
3497 no | no | yes | yes
3498 Arguments :
3499 <name> is the internal name assigned to this server. This name will
3500 appear in logs and alerts.
3501
3502 <address> is the IPv4 address of the server. Alternatively, a resolvable
3503 hostname is supported, but this name will be resolved during
3504 start-up.
3505
3506 <ports> is an optional port specification. If set, all connections will
3507 be sent to this port. If unset, the same port the client
3508 connected to will be used. The port may also be prefixed by a "+"
3509 or a "-". In this case, the server's port will be determined by
3510 adding this value to the client's port.
3511
3512 <param*> is a list of parameters for this server. The "server" keywords
3513 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003514 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003515
3516 Examples :
3517 server first 10.1.1.1:1080 cookie first check inter 1000
3518 server second 10.1.1.2:1080 cookie second check inter 1000
3519
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003520 See also : section 5 about server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003521
3522
3523source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01003524source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003525 Set the source address for outgoing connections
3526 May be used in sections : defaults | frontend | listen | backend
3527 yes | no | yes | yes
3528 Arguments :
3529 <addr> is the IPv4 address HAProxy will bind to before connecting to a
3530 server. This address is also used as a source for health checks.
3531 The default value of 0.0.0.0 means that the system will select
3532 the most appropriate address to reach its destination.
3533
3534 <port> is an optional port. It is normally not needed but may be useful
3535 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02003536 the system will select a free port. Note that port ranges are not
3537 supported in the backend. If you want to force port ranges, you
3538 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003539
3540 <addr2> is the IP address to present to the server when connections are
3541 forwarded in full transparent proxy mode. This is currently only
3542 supported on some patched Linux kernels. When this address is
3543 specified, clients connecting to the server will be presented
3544 with this address, while health checks will still use the address
3545 <addr>.
3546
3547 <port2> is the optional port to present to the server when connections
3548 are forwarded in full transparent proxy mode (see <addr2> above).
3549 The default value of zero means the system will select a free
3550 port.
3551
Willy Tarreaud53f96b2009-02-04 18:46:54 +01003552 <name> is an optional interface name to which to bind to for outgoing
3553 traffic. On systems supporting this features (currently, only
3554 Linux), this allows one to bind all traffic to the server to
3555 this interface even if it is not the one the system would select
3556 based on routing tables. This should be used with extreme care.
3557 Note that using this option requires root privileges.
3558
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003559 The "source" keyword is useful in complex environments where a specific
3560 address only is allowed to connect to the servers. It may be needed when a
3561 private address must be used through a public gateway for instance, and it is
3562 known that the system cannot determine the adequate source address by itself.
3563
3564 An extension which is available on certain patched Linux kernels may be used
3565 through the "usesrc" optional keyword. It makes it possible to connect to the
3566 servers with an IP address which does not belong to the system itself. This
3567 is called "full transparent proxy mode". For this to work, the destination
3568 servers have to route their traffic back to this address through the machine
3569 running HAProxy, and IP forwarding must generally be enabled on this machine.
3570
3571 In this "full transparent proxy" mode, it is possible to force a specific IP
3572 address to be presented to the servers. This is not much used in fact. A more
3573 common use is to tell HAProxy to present the client's IP address. For this,
3574 there are two methods :
3575
3576 - present the client's IP and port addresses. This is the most transparent
3577 mode, but it can cause problems when IP connection tracking is enabled on
3578 the machine, because a same connection may be seen twice with different
3579 states. However, this solution presents the huge advantage of not
3580 limiting the system to the 64k outgoing address+port couples, because all
3581 of the client ranges may be used.
3582
3583 - present only the client's IP address and select a spare port. This
3584 solution is still quite elegant but slightly less transparent (downstream
3585 firewalls logs will not match upstream's). It also presents the downside
3586 of limiting the number of concurrent connections to the usual 64k ports.
3587 However, since the upstream and downstream ports are different, local IP
3588 connection tracking on the machine will not be upset by the reuse of the
3589 same session.
3590
3591 Note that depending on the transparent proxy technology used, it may be
3592 required to force the source address. In fact, cttproxy version 2 requires an
3593 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
3594 IP address because it creates NAT entries which much match the exact outgoing
3595 address. Tproxy version 4 and some other kernel patches which work in pure
3596 forwarding mode generally will not have this limitation.
3597
3598 This option sets the default source for all servers in the backend. It may
3599 also be specified in a "defaults" section. Finer source address specification
3600 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003601 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003602
3603 Examples :
3604 backend private
3605 # Connect to the servers using our 192.168.1.200 source address
3606 source 192.168.1.200
3607
3608 backend transparent_ssl1
3609 # Connect to the SSL farm from the client's source address
3610 source 192.168.1.200 usesrc clientip
3611
3612 backend transparent_ssl2
3613 # Connect to the SSL farm from the client's source address and port
3614 # not recommended if IP conntrack is present on the local machine.
3615 source 192.168.1.200 usesrc client
3616
3617 backend transparent_ssl3
3618 # Connect to the SSL farm from the client's source address. It
3619 # is more conntrack-friendly.
3620 source 192.168.1.200 usesrc clientip
3621
3622 backend transparent_smtp
3623 # Connect to the SMTP farm from the client's source address/port
3624 # with Tproxy version 4.
3625 source 0.0.0.0 usesrc clientip
3626
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003627 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003628 the Linux kernel on www.balabit.com, the "bind" keyword.
3629
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003630
Willy Tarreau844e3c52008-01-11 16:28:18 +01003631srvtimeout <timeout> (deprecated)
3632 Set the maximum inactivity time on the server side.
3633 May be used in sections : defaults | frontend | listen | backend
3634 yes | no | yes | yes
3635 Arguments :
3636 <timeout> is the timeout value specified in milliseconds by default, but
3637 can be in any other unit if the number is suffixed by the unit,
3638 as explained at the top of this document.
3639
3640 The inactivity timeout applies when the server is expected to acknowledge or
3641 send data. In HTTP mode, this timeout is particularly important to consider
3642 during the first phase of the server's response, when it has to send the
3643 headers, as it directly represents the server's processing time for the
3644 request. To find out what value to put there, it's often good to start with
3645 what would be considered as unacceptable response times, then check the logs
3646 to observe the response time distribution, and adjust the value accordingly.
3647
3648 The value is specified in milliseconds by default, but can be in any other
3649 unit if the number is suffixed by the unit, as specified at the top of this
3650 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
3651 recommended that the client timeout remains equal to the server timeout in
3652 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003653 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01003654 packet losses by specifying timeouts that are slightly above multiples of 3
3655 seconds (eg: 4 or 5 seconds minimum).
3656
3657 This parameter is specific to backends, but can be specified once for all in
3658 "defaults" sections. This is in fact one of the easiest solutions not to
3659 forget about it. An unspecified timeout results in an infinite timeout, which
3660 is not recommended. Such a usage is accepted and works but reports a warning
3661 during startup because it may results in accumulation of expired sessions in
3662 the system if the system's timeouts are not configured either.
3663
3664 This parameter is provided for compatibility but is currently deprecated.
3665 Please use "timeout server" instead.
3666
3667 See also : "timeout server", "timeout client" and "clitimeout".
3668
3669
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003670stats auth <user>:<passwd>
3671 Enable statistics with authentication and grant access to an account
3672 May be used in sections : defaults | frontend | listen | backend
3673 yes | no | yes | yes
3674 Arguments :
3675 <user> is a user name to grant access to
3676
3677 <passwd> is the cleartext password associated to this user
3678
3679 This statement enables statistics with default settings, and restricts access
3680 to declared users only. It may be repeated as many times as necessary to
3681 allow as many users as desired. When a user tries to access the statistics
3682 without a valid account, a "401 Forbidden" response will be returned so that
3683 the browser asks the user to provide a valid user and password. The real
3684 which will be returned to the browser is configurable using "stats realm".
3685
3686 Since the authentication method is HTTP Basic Authentication, the passwords
3687 circulate in cleartext on the network. Thus, it was decided that the
3688 configuration file would also use cleartext passwords to remind the users
3689 that those ones should not be sensible and not shared with any other account.
3690
3691 It is also possible to reduce the scope of the proxies which appear in the
3692 report using "stats scope".
3693
3694 Though this statement alone is enough to enable statistics reporting, it is
3695 recommended to set all other settings in order to avoid relying on default
3696 unobvious parameters.
3697
3698 Example :
3699 # public access (limited to this backend only)
3700 backend public_www
3701 server srv1 192.168.0.1:80
3702 stats enable
3703 stats hide-version
3704 stats scope .
3705 stats uri /admin?stats
3706 stats realm Haproxy\ Statistics
3707 stats auth admin1:AdMiN123
3708 stats auth admin2:AdMiN321
3709
3710 # internal monitoring access (unlimited)
3711 backend private_monitoring
3712 stats enable
3713 stats uri /admin?stats
3714 stats refresh 5s
3715
3716 See also : "stats enable", "stats realm", "stats scope", "stats uri"
3717
3718
3719stats enable
3720 Enable statistics reporting with default settings
3721 May be used in sections : defaults | frontend | listen | backend
3722 yes | no | yes | yes
3723 Arguments : none
3724
3725 This statement enables statistics reporting with default settings defined
3726 at build time. Unless stated otherwise, these settings are used :
3727 - stats uri : /haproxy?stats
3728 - stats realm : "HAProxy Statistics"
3729 - stats auth : no authentication
3730 - stats scope : no restriction
3731
3732 Though this statement alone is enough to enable statistics reporting, it is
3733 recommended to set all other settings in order to avoid relying on default
3734 unobvious parameters.
3735
3736 Example :
3737 # public access (limited to this backend only)
3738 backend public_www
3739 server srv1 192.168.0.1:80
3740 stats enable
3741 stats hide-version
3742 stats scope .
3743 stats uri /admin?stats
3744 stats realm Haproxy\ Statistics
3745 stats auth admin1:AdMiN123
3746 stats auth admin2:AdMiN321
3747
3748 # internal monitoring access (unlimited)
3749 backend private_monitoring
3750 stats enable
3751 stats uri /admin?stats
3752 stats refresh 5s
3753
3754 See also : "stats auth", "stats realm", "stats uri"
3755
3756
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02003757stats node-name [ <name> ]
3758 Enable reporting of a host name on the statistics page.
3759 May be used in sections : defaults | frontend | listen | backend
3760 yes | no | yes | yes
3761 Arguments :
3762 <name> is an optional name to be reported. If unspecified, the system's
3763 hostname is automatically used instead.
3764
3765 The node-name is read as a single word, so any spaces in it should be escaped
3766 using a backslash ('\'). If it is left unspecified, the system's hostname is
3767 used instead.
3768
3769 This statement is useful in HA configurations where two or more processes or
3770 servers share a same IP address. By setting a different node-name on all
3771 nodes, it becomes easy to immediately spot what server is handling the
3772 traffic.
3773
3774 Though this statement alone is enough to enable statistics reporting, it is
3775 recommended to set all other settings in order to avoid relying on default
3776 unobvious parameters.
3777
3778 Example :
3779 # internal monitoring access (unlimited)
3780 backend private_monitoring
3781 stats enable
3782 stats node-name master
3783 stats uri /admin?stats
3784 stats refresh 5s
3785
3786 See also : "stats enable", "stats uri"
3787
3788
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003789stats realm <realm>
3790 Enable statistics and set authentication realm
3791 May be used in sections : defaults | frontend | listen | backend
3792 yes | no | yes | yes
3793 Arguments :
3794 <realm> is the name of the HTTP Basic Authentication realm reported to
3795 the browser. The browser uses it to display it in the pop-up
3796 inviting the user to enter a valid username and password.
3797
3798 The realm is read as a single word, so any spaces in it should be escaped
3799 using a backslash ('\').
3800
3801 This statement is useful only in conjunction with "stats auth" since it is
3802 only related to authentication.
3803
3804 Though this statement alone is enough to enable statistics reporting, it is
3805 recommended to set all other settings in order to avoid relying on default
3806 unobvious parameters.
3807
3808 Example :
3809 # public access (limited to this backend only)
3810 backend public_www
3811 server srv1 192.168.0.1:80
3812 stats enable
3813 stats hide-version
3814 stats scope .
3815 stats uri /admin?stats
3816 stats realm Haproxy\ Statistics
3817 stats auth admin1:AdMiN123
3818 stats auth admin2:AdMiN321
3819
3820 # internal monitoring access (unlimited)
3821 backend private_monitoring
3822 stats enable
3823 stats uri /admin?stats
3824 stats refresh 5s
3825
3826 See also : "stats auth", "stats enable", "stats uri"
3827
3828
3829stats refresh <delay>
3830 Enable statistics with automatic refresh
3831 May be used in sections : defaults | frontend | listen | backend
3832 yes | no | yes | yes
3833 Arguments :
3834 <delay> is the suggested refresh delay, specified in seconds, which will
3835 be returned to the browser consulting the report page. While the
3836 browser is free to apply any delay, it will generally respect it
3837 and refresh the page this every seconds. The refresh interval may
3838 be specified in any other non-default time unit, by suffixing the
3839 unit after the value, as explained at the top of this document.
3840
3841 This statement is useful on monitoring displays with a permanent page
3842 reporting the load balancer's activity. When set, the HTML report page will
3843 include a link "refresh"/"stop refresh" so that the user can select whether
3844 he wants automatic refresh of the page or not.
3845
3846 Though this statement alone is enough to enable statistics reporting, it is
3847 recommended to set all other settings in order to avoid relying on default
3848 unobvious parameters.
3849
3850 Example :
3851 # public access (limited to this backend only)
3852 backend public_www
3853 server srv1 192.168.0.1:80
3854 stats enable
3855 stats hide-version
3856 stats scope .
3857 stats uri /admin?stats
3858 stats realm Haproxy\ Statistics
3859 stats auth admin1:AdMiN123
3860 stats auth admin2:AdMiN321
3861
3862 # internal monitoring access (unlimited)
3863 backend private_monitoring
3864 stats enable
3865 stats uri /admin?stats
3866 stats refresh 5s
3867
3868 See also : "stats auth", "stats enable", "stats realm", "stats uri"
3869
3870
3871stats scope { <name> | "." }
3872 Enable statistics and limit access scope
3873 May be used in sections : defaults | frontend | listen | backend
3874 yes | no | yes | yes
3875 Arguments :
3876 <name> is the name of a listen, frontend or backend section to be
3877 reported. The special name "." (a single dot) designates the
3878 section in which the statement appears.
3879
3880 When this statement is specified, only the sections enumerated with this
3881 statement will appear in the report. All other ones will be hidden. This
3882 statement may appear as many times as needed if multiple sections need to be
3883 reported. Please note that the name checking is performed as simple string
3884 comparisons, and that it is never checked that a give section name really
3885 exists.
3886
3887 Though this statement alone is enough to enable statistics reporting, it is
3888 recommended to set all other settings in order to avoid relying on default
3889 unobvious parameters.
3890
3891 Example :
3892 # public access (limited to this backend only)
3893 backend public_www
3894 server srv1 192.168.0.1:80
3895 stats enable
3896 stats hide-version
3897 stats scope .
3898 stats uri /admin?stats
3899 stats realm Haproxy\ Statistics
3900 stats auth admin1:AdMiN123
3901 stats auth admin2:AdMiN321
3902
3903 # internal monitoring access (unlimited)
3904 backend private_monitoring
3905 stats enable
3906 stats uri /admin?stats
3907 stats refresh 5s
3908
3909 See also : "stats auth", "stats enable", "stats realm", "stats uri"
3910
3911
3912stats uri <prefix>
3913 Enable statistics and define the URI prefix to access them
3914 May be used in sections : defaults | frontend | listen | backend
3915 yes | no | yes | yes
3916 Arguments :
3917 <prefix> is the prefix of any URI which will be redirected to stats. This
3918 prefix may contain a question mark ('?') to indicate part of a
3919 query string.
3920
3921 The statistics URI is intercepted on the relayed traffic, so it appears as a
3922 page within the normal application. It is strongly advised to ensure that the
3923 selected URI will never appear in the application, otherwise it will never be
3924 possible to reach it in the application.
3925
3926 The default URI compiled in haproxy is "/haproxy?stats", but this may be
3927 changed at build time, so it's better to always explictly specify it here.
3928 It is generally a good idea to include a question mark in the URI so that
3929 intermediate proxies refrain from caching the results. Also, since any string
3930 beginning with the prefix will be accepted as a stats request, the question
3931 mark helps ensuring that no valid URI will begin with the same words.
3932
3933 It is sometimes very convenient to use "/" as the URI prefix, and put that
3934 statement in a "listen" instance of its own. That makes it easy to dedicate
3935 an address or a port to statistics only.
3936
3937 Though this statement alone is enough to enable statistics reporting, it is
3938 recommended to set all other settings in order to avoid relying on default
3939 unobvious parameters.
3940
3941 Example :
3942 # public access (limited to this backend only)
3943 backend public_www
3944 server srv1 192.168.0.1:80
3945 stats enable
3946 stats hide-version
3947 stats scope .
3948 stats uri /admin?stats
3949 stats realm Haproxy\ Statistics
3950 stats auth admin1:AdMiN123
3951 stats auth admin2:AdMiN321
3952
3953 # internal monitoring access (unlimited)
3954 backend private_monitoring
3955 stats enable
3956 stats uri /admin?stats
3957 stats refresh 5s
3958
3959 See also : "stats auth", "stats enable", "stats realm"
3960
3961
3962stats hide-version
3963 Enable statistics and hide HAProxy version reporting
3964 May be used in sections : defaults | frontend | listen | backend
3965 yes | no | yes | yes
3966 Arguments : none
3967
3968 By default, the stats page reports some useful status information along with
3969 the statistics. Among them is HAProxy's version. However, it is generally
3970 considered dangerous to report precise version to anyone, as it can help them
3971 target known weaknesses with specific attacks. The "stats hide-version"
3972 statement removes the version from the statistics report. This is recommended
3973 for public sites or any site with a weak login/password.
3974
3975 Though this statement alone is enough to enable statistics reporting, it is
3976 recommended to set all other settings in order to avoid relying on default
3977 unobvious parameters.
3978
3979 Example :
3980 # public access (limited to this backend only)
3981 backend public_www
3982 server srv1 192.168.0.1:80
3983 stats enable
3984 stats hide-version
3985 stats scope .
3986 stats uri /admin?stats
3987 stats realm Haproxy\ Statistics
3988 stats auth admin1:AdMiN123
3989 stats auth admin2:AdMiN321
3990
3991 # internal monitoring access (unlimited)
3992 backend private_monitoring
3993 stats enable
3994 stats uri /admin?stats
3995 stats refresh 5s
3996
3997 See also : "stats auth", "stats enable", "stats realm", "stats uri"
3998
3999
Willy Tarreau62644772008-07-16 18:36:06 +02004000tcp-request content accept [{if | unless} <condition>]
4001 Accept a connection if/unless a content inspection condition is matched
4002 May be used in sections : defaults | frontend | listen | backend
4003 no | yes | yes | no
4004
4005 During TCP content inspection, the connection is immediately validated if the
4006 condition is true (when used with "if") or false (when used with "unless").
4007 Most of the time during content inspection, a condition will be in an
4008 uncertain state which is neither true nor false. The evaluation immediately
4009 stops when such a condition is encountered. It is important to understand
4010 that "accept" and "reject" rules are evaluated in their exact declaration
4011 order, so that it is possible to build complex rules from them. There is no
4012 specific limit to the number of rules which may be inserted.
4013
4014 Note that the "if/unless" condition is optionnal. If no condition is set on
4015 the action, it is simply performed unconditionally.
4016
4017 If no "tcp-request content" rules are matched, the default action already is
4018 "accept". Thus, this statement alone does not bring anything without another
4019 "reject" statement.
4020
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004021 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02004022
Willy Tarreau55165fe2009-05-10 12:02:55 +02004023 See also : "tcp-request content reject", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02004024
4025
4026tcp-request content reject [{if | unless} <condition>]
4027 Reject a connection if/unless a content inspection condition is matched
4028 May be used in sections : defaults | frontend | listen | backend
4029 no | yes | yes | no
4030
4031 During TCP content inspection, the connection is immediately rejected if the
4032 condition is true (when used with "if") or false (when used with "unless").
4033 Most of the time during content inspection, a condition will be in an
4034 uncertain state which is neither true nor false. The evaluation immediately
4035 stops when such a condition is encountered. It is important to understand
4036 that "accept" and "reject" rules are evaluated in their exact declaration
4037 order, so that it is possible to build complex rules from them. There is no
4038 specific limit to the number of rules which may be inserted.
4039
4040 Note that the "if/unless" condition is optionnal. If no condition is set on
4041 the action, it is simply performed unconditionally.
4042
4043 If no "tcp-request content" rules are matched, the default action is set to
4044 "accept".
4045
4046 Example:
4047 # reject SMTP connection if client speaks first
4048 tcp-request inspect-delay 30s
4049 acl content_present req_len gt 0
4050 tcp-request reject if content_present
4051
4052 # Forward HTTPS connection only if client speaks
4053 tcp-request inspect-delay 30s
4054 acl content_present req_len gt 0
4055 tcp-request accept if content_present
4056 tcp-request reject
4057
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004058 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02004059
Willy Tarreau55165fe2009-05-10 12:02:55 +02004060 See also : "tcp-request content accept", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02004061
4062
4063tcp-request inspect-delay <timeout>
4064 Set the maximum allowed time to wait for data during content inspection
4065 May be used in sections : defaults | frontend | listen | backend
4066 no | yes | yes | no
4067 Arguments :
4068 <timeout> is the timeout value specified in milliseconds by default, but
4069 can be in any other unit if the number is suffixed by the unit,
4070 as explained at the top of this document.
4071
4072 People using haproxy primarily as a TCP relay are often worried about the
4073 risk of passing any type of protocol to a server without any analysis. In
4074 order to be able to analyze the request contents, we must first withhold
4075 the data then analyze them. This statement simply enables withholding of
4076 data for at most the specified amount of time.
4077
4078 Note that when performing content inspection, haproxy will evaluate the whole
4079 rules for every new chunk which gets in, taking into account the fact that
4080 those data are partial. If no rule matches before the aforementionned delay,
4081 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01004082 contents are definitive. If no delay is set, haproxy will not wait at all
4083 and will immediately apply a verdict based on the available information.
4084 Obviously this is unlikely to be very useful and might even be racy, so such
4085 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02004086
4087 As soon as a rule matches, the request is released and continues as usual. If
4088 the timeout is reached and no rule matches, the default policy will be to let
4089 it pass through unaffected.
4090
4091 For most protocols, it is enough to set it to a few seconds, as most clients
4092 send the full request immediately upon connection. Add 3 or more seconds to
4093 cover TCP retransmits but that's all. For some protocols, it may make sense
4094 to use large values, for instance to ensure that the client never talks
4095 before the server (eg: SMTP), or to wait for a client to talk before passing
4096 data to the server (eg: SSL). Note that the client timeout must cover at
4097 least the inspection delay, otherwise it will expire first.
4098
Willy Tarreau55165fe2009-05-10 12:02:55 +02004099 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02004100 "timeout client".
4101
4102
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01004103timeout check <timeout>
4104 Set additional check timeout, but only after a connection has been already
4105 established.
4106
4107 May be used in sections: defaults | frontend | listen | backend
4108 yes | no | yes | yes
4109 Arguments:
4110 <timeout> is the timeout value specified in milliseconds by default, but
4111 can be in any other unit if the number is suffixed by the unit,
4112 as explained at the top of this document.
4113
4114 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
4115 for check and "timeout check" as an additional read timeout. The "min" is
4116 used so that people running with *very* long "timeout connect" (eg. those
4117 who needed this due to the queue or tarpit) do not slow down their checks.
4118 Of course it is better to use "check queue" and "check tarpit" instead of
4119 long "timeout connect".
4120
4121 If "timeout check" is not set haproxy uses "inter" for complete check
4122 timeout (connect + read) exactly like all <1.3.15 version.
4123
4124 In most cases check request is much simpler and faster to handle than normal
4125 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01004126 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01004127
4128 This parameter is specific to backends, but can be specified once for all in
4129 "defaults" sections. This is in fact one of the easiest solutions not to
4130 forget about it.
4131
Willy Tarreau41a340d2008-01-22 12:25:31 +01004132 See also: "timeout connect", "timeout queue", "timeout server",
4133 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01004134
4135
Willy Tarreau0ba27502007-12-24 16:55:16 +01004136timeout client <timeout>
4137timeout clitimeout <timeout> (deprecated)
4138 Set the maximum inactivity time on the client side.
4139 May be used in sections : defaults | frontend | listen | backend
4140 yes | yes | yes | no
4141 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01004142 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01004143 can be in any other unit if the number is suffixed by the unit,
4144 as explained at the top of this document.
4145
4146 The inactivity timeout applies when the client is expected to acknowledge or
4147 send data. In HTTP mode, this timeout is particularly important to consider
4148 during the first phase, when the client sends the request, and during the
4149 response while it is reading data sent by the server. The value is specified
4150 in milliseconds by default, but can be in any other unit if the number is
4151 suffixed by the unit, as specified at the top of this document. In TCP mode
4152 (and to a lesser extent, in HTTP mode), it is highly recommended that the
4153 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004154 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01004155 losses by specifying timeouts that are slightly above multiples of 3 seconds
4156 (eg: 4 or 5 seconds).
4157
4158 This parameter is specific to frontends, but can be specified once for all in
4159 "defaults" sections. This is in fact one of the easiest solutions not to
4160 forget about it. An unspecified timeout results in an infinite timeout, which
4161 is not recommended. Such a usage is accepted and works but reports a warning
4162 during startup because it may results in accumulation of expired sessions in
4163 the system if the system's timeouts are not configured either.
4164
4165 This parameter replaces the old, deprecated "clitimeout". It is recommended
4166 to use it to write new configurations. The form "timeout clitimeout" is
4167 provided only by backwards compatibility but its use is strongly discouraged.
4168
4169 See also : "clitimeout", "timeout server".
4170
4171
4172timeout connect <timeout>
4173timeout contimeout <timeout> (deprecated)
4174 Set the maximum time to wait for a connection attempt to a server to succeed.
4175 May be used in sections : defaults | frontend | listen | backend
4176 yes | no | yes | yes
4177 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01004178 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01004179 can be in any other unit if the number is suffixed by the unit,
4180 as explained at the top of this document.
4181
4182 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004183 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreau0ba27502007-12-24 16:55:16 +01004184 cover one or several TCP packet losses by specifying timeouts that are
4185 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01004186 connect timeout also presets both queue and tarpit timeouts to the same value
4187 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004188
4189 This parameter is specific to backends, but can be specified once for all in
4190 "defaults" sections. This is in fact one of the easiest solutions not to
4191 forget about it. An unspecified timeout results in an infinite timeout, which
4192 is not recommended. Such a usage is accepted and works but reports a warning
4193 during startup because it may results in accumulation of failed sessions in
4194 the system if the system's timeouts are not configured either.
4195
4196 This parameter replaces the old, deprecated "contimeout". It is recommended
4197 to use it to write new configurations. The form "timeout contimeout" is
4198 provided only by backwards compatibility but its use is strongly discouraged.
4199
Willy Tarreau41a340d2008-01-22 12:25:31 +01004200 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
4201 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01004202
4203
Willy Tarreau036fae02008-01-06 13:24:40 +01004204timeout http-request <timeout>
4205 Set the maximum allowed time to wait for a complete HTTP request
4206 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02004207 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01004208 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01004209 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01004210 can be in any other unit if the number is suffixed by the unit,
4211 as explained at the top of this document.
4212
4213 In order to offer DoS protection, it may be required to lower the maximum
4214 accepted time to receive a complete HTTP request without affecting the client
4215 timeout. This helps protecting against established connections on which
4216 nothing is sent. The client timeout cannot offer a good protection against
4217 this abuse because it is an inactivity timeout, which means that if the
4218 attacker sends one character every now and then, the timeout will not
4219 trigger. With the HTTP request timeout, no matter what speed the client
4220 types, the request will be aborted if it does not complete in time.
4221
4222 Note that this timeout only applies to the header part of the request, and
4223 not to any data. As soon as the empty line is received, this timeout is not
4224 used anymore.
4225
4226 Generally it is enough to set it to a few seconds, as most clients send the
4227 full request immediately upon connection. Add 3 or more seconds to cover TCP
4228 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
4229 generally work on local networks as long as there are no packet losses. This
4230 will prevent people from sending bare HTTP requests using telnet.
4231
4232 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02004233 chunk of the incoming request. It should be set in the frontend to take
4234 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
4235 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01004236
4237 See also : "timeout client".
4238
Willy Tarreau844e3c52008-01-11 16:28:18 +01004239
4240timeout queue <timeout>
4241 Set the maximum time to wait in the queue for a connection slot to be free
4242 May be used in sections : defaults | frontend | listen | backend
4243 yes | no | yes | yes
4244 Arguments :
4245 <timeout> is the timeout value specified in milliseconds by default, but
4246 can be in any other unit if the number is suffixed by the unit,
4247 as explained at the top of this document.
4248
4249 When a server's maxconn is reached, connections are left pending in a queue
4250 which may be server-specific or global to the backend. In order not to wait
4251 indefinitely, a timeout is applied to requests pending in the queue. If the
4252 timeout is reached, it is considered that the request will almost never be
4253 served, so it is dropped and a 503 error is returned to the client.
4254
4255 The "timeout queue" statement allows to fix the maximum time for a request to
4256 be left pending in a queue. If unspecified, the same value as the backend's
4257 connection timeout ("timeout connect") is used, for backwards compatibility
4258 with older versions with no "timeout queue" parameter.
4259
4260 See also : "timeout connect", "contimeout".
4261
4262
4263timeout server <timeout>
4264timeout srvtimeout <timeout> (deprecated)
4265 Set the maximum inactivity time on the server side.
4266 May be used in sections : defaults | frontend | listen | backend
4267 yes | no | yes | yes
4268 Arguments :
4269 <timeout> is the timeout value specified in milliseconds by default, but
4270 can be in any other unit if the number is suffixed by the unit,
4271 as explained at the top of this document.
4272
4273 The inactivity timeout applies when the server is expected to acknowledge or
4274 send data. In HTTP mode, this timeout is particularly important to consider
4275 during the first phase of the server's response, when it has to send the
4276 headers, as it directly represents the server's processing time for the
4277 request. To find out what value to put there, it's often good to start with
4278 what would be considered as unacceptable response times, then check the logs
4279 to observe the response time distribution, and adjust the value accordingly.
4280
4281 The value is specified in milliseconds by default, but can be in any other
4282 unit if the number is suffixed by the unit, as specified at the top of this
4283 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
4284 recommended that the client timeout remains equal to the server timeout in
4285 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004286 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01004287 packet losses by specifying timeouts that are slightly above multiples of 3
4288 seconds (eg: 4 or 5 seconds minimum).
4289
4290 This parameter is specific to backends, but can be specified once for all in
4291 "defaults" sections. This is in fact one of the easiest solutions not to
4292 forget about it. An unspecified timeout results in an infinite timeout, which
4293 is not recommended. Such a usage is accepted and works but reports a warning
4294 during startup because it may results in accumulation of expired sessions in
4295 the system if the system's timeouts are not configured either.
4296
4297 This parameter replaces the old, deprecated "srvtimeout". It is recommended
4298 to use it to write new configurations. The form "timeout srvtimeout" is
4299 provided only by backwards compatibility but its use is strongly discouraged.
4300
4301 See also : "srvtimeout", "timeout client".
4302
4303
4304timeout tarpit <timeout>
4305 Set the duration for which tapitted connections will be maintained
4306 May be used in sections : defaults | frontend | listen | backend
4307 yes | yes | yes | yes
4308 Arguments :
4309 <timeout> is the tarpit duration specified in milliseconds by default, but
4310 can be in any other unit if the number is suffixed by the unit,
4311 as explained at the top of this document.
4312
4313 When a connection is tarpitted using "reqtarpit", it is maintained open with
4314 no activity for a certain amount of time, then closed. "timeout tarpit"
4315 defines how long it will be maintained open.
4316
4317 The value is specified in milliseconds by default, but can be in any other
4318 unit if the number is suffixed by the unit, as specified at the top of this
4319 document. If unspecified, the same value as the backend's connection timeout
4320 ("timeout connect") is used, for backwards compatibility with older versions
4321 with no "timeout tapit" parameter.
4322
4323 See also : "timeout connect", "contimeout".
4324
4325
4326transparent (deprecated)
4327 Enable client-side transparent proxying
4328 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01004329 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01004330 Arguments : none
4331
4332 This keyword was introduced in order to provide layer 7 persistence to layer
4333 3 load balancers. The idea is to use the OS's ability to redirect an incoming
4334 connection for a remote address to a local process (here HAProxy), and let
4335 this process know what address was initially requested. When this option is
4336 used, sessions without cookies will be forwarded to the original destination
4337 IP address of the incoming request (which should match that of another
4338 equipment), while requests with cookies will still be forwarded to the
4339 appropriate server.
4340
4341 The "transparent" keyword is deprecated, use "option transparent" instead.
4342
4343 Note that contrary to a common belief, this option does NOT make HAProxy
4344 present the client's IP to the server when establishing the connection.
4345
Willy Tarreau844e3c52008-01-11 16:28:18 +01004346 See also: "option transparent"
4347
4348
4349use_backend <backend> if <condition>
4350use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02004351 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004352 May be used in sections : defaults | frontend | listen | backend
4353 no | yes | yes | no
4354 Arguments :
4355 <backend> is the name of a valid backend or "listen" section.
4356
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004357 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004358
4359 When doing content-switching, connections arrive on a frontend and are then
4360 dispatched to various backends depending on a number of conditions. The
4361 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02004362 "use_backend" keyword. While it is normally used with HTTP processing, it can
4363 also be used in pure TCP, either without content using stateless ACLs (eg:
4364 source address validation) or combined with a "tcp-request" rule to wait for
4365 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004366
4367 There may be as many "use_backend" rules as desired. All of these rules are
4368 evaluated in their declaration order, and the first one which matches will
4369 assign the backend.
4370
4371 In the first form, the backend will be used if the condition is met. In the
4372 second form, the backend will be used if the condition is not met. If no
4373 condition is valid, the backend defined with "default_backend" will be used.
4374 If no default backend is defined, either the servers in the same section are
4375 used (in case of a "listen" section) or, in case of a frontend, no server is
4376 used and a 503 service unavailable response is returned.
4377
Willy Tarreau51aecc72009-07-12 09:47:04 +02004378 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
4379 this case, etiher the frontend has already checked that the protocol is HTTP,
4380 and backend processing will immediately follow, or the backend will wait for
4381 a complete HTTP request to get in. This feature is useful when a frontend
4382 must decode several protocols on a unique port, one of them being HTTP.
4383
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02004384 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004385
Willy Tarreau036fae02008-01-06 13:24:40 +01004386
Willy Tarreauc57f0e22009-05-10 13:12:33 +020043875. Server options
4388-----------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02004389
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004390The "server" keyword supports a certain number of settings which are all passed
4391as arguments on the server line. The order in which those arguments appear does
4392not count, and they are all optional. Some of those settings are single words
4393(booleans) while others expect one or several values after them. In this case,
4394the values must immediately follow the setting name. All those settings must be
4395specified after the server's address if they are used :
Willy Tarreau6a06a402007-07-15 20:15:28 +02004396
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004397 server <name> <address>[:port] [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02004398
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004399The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004400
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004401addr <ipv4>
4402 Using the "addr" parameter, it becomes possible to use a different IP address
4403 to send health-checks. On some servers, it may be desirable to dedicate an IP
4404 address to specific component able to perform complex tests which are more
4405 suitable to health-checks than the application. This parameter is ignored if
4406 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02004407
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004408backup
4409 When "backup" is present on a server line, the server is only used in load
4410 balancing when all other non-backup servers are unavailable. Requests coming
4411 with a persistence cookie referencing the server will always be served
4412 though. By default, only the first operational backup server is used, unless
4413 the "allbackups" option is set in the backend. See also the "allbackups"
4414 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02004415
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004416check
4417 This option enables health checks on the server. By default, a server is
4418 always considered available. If "check" is set, the server will receive
4419 periodic health checks to ensure that it is really able to serve requests.
4420 The default address and port to send the tests to are those of the server,
4421 and the default source is the same as the one defined in the backend. It is
4422 possible to change the address using the "addr" parameter, the port using the
4423 "port" parameter, the source address using the "source" address, and the
4424 interval and timers using the "inter", "rise" and "fall" parameters. The
4425 request method is define in the backend using the "httpchk", "smtpchk",
4426 and "ssl-hello-chk" options. Please refer to those options and parameters for
4427 more information.
4428
4429cookie <value>
4430 The "cookie" parameter sets the cookie value assigned to the server to
4431 <value>. This value will be checked in incoming requests, and the first
4432 operational server possessing the same value will be selected. In return, in
4433 cookie insertion or rewrite modes, this value will be assigned to the cookie
4434 sent to the client. There is nothing wrong in having several servers sharing
4435 the same cookie value, and it is in fact somewhat common between normal and
4436 backup servers. See also the "cookie" keyword in backend section.
4437
4438fall <count>
4439 The "fall" parameter states that a server will be considered as dead after
4440 <count> consecutive unsuccessful health checks. This value defaults to 3 if
4441 unspecified. See also the "check", "inter" and "rise" parameters.
4442
4443id <value>
4444 Set a persistent value for server ID. Must be unique and larger than 1000, as
4445 smaller values are reserved for auto-assigned ids.
4446
4447inter <delay>
4448fastinter <delay>
4449downinter <delay>
4450 The "inter" parameter sets the interval between two consecutive health checks
4451 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
4452 It is also possible to use "fastinter" and "downinter" to optimize delays
4453 between checks depending on the server state :
4454
4455 Server state | Interval used
4456 ---------------------------------+-----------------------------------------
4457 UP 100% (non-transitional) | "inter"
4458 ---------------------------------+-----------------------------------------
4459 Transitionally UP (going down), |
4460 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
4461 or yet unchecked. |
4462 ---------------------------------+-----------------------------------------
4463 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
4464 ---------------------------------+-----------------------------------------
4465
4466 Just as with every other time-based parameter, they can be entered in any
4467 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
4468 serves as a timeout for health checks sent to servers if "timeout check" is
4469 not set. In order to reduce "resonance" effects when multiple servers are
4470 hosted on the same hardware, the health-checks of all servers are started
4471 with a small time offset between them. It is also possible to add some random
4472 noise in the health checks interval using the global "spread-checks"
4473 keyword. This makes sense for instance when a lot of backends use the same
4474 servers.
4475
4476maxconn <maxconn>
4477 The "maxconn" parameter specifies the maximal number of concurrent
4478 connections that will be sent to this server. If the number of incoming
4479 concurrent requests goes higher than this value, they will be queued, waiting
4480 for a connection to be released. This parameter is very important as it can
4481 save fragile servers from going down under extreme loads. If a "minconn"
4482 parameter is specified, the limit becomes dynamic. The default value is "0"
4483 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
4484 the backend's "fullconn" keyword.
4485
4486maxqueue <maxqueue>
4487 The "maxqueue" parameter specifies the maximal number of connections which
4488 will wait in the queue for this server. If this limit is reached, next
4489 requests will be redispatched to other servers instead of indefinitely
4490 waiting to be served. This will break persistence but may allow people to
4491 quickly re-log in when the server they try to connect to is dying. The
4492 default value is "0" which means the queue is unlimited. See also the
4493 "maxconn" and "minconn" parameters.
4494
4495minconn <minconn>
4496 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
4497 limit following the backend's load. The server will always accept at least
4498 <minconn> connections, never more than <maxconn>, and the limit will be on
4499 the ramp between both values when the backend has less than <fullconn>
4500 concurrent connections. This makes it possible to limit the load on the
4501 server during normal loads, but push it further for important loads without
4502 overloading the server during exceptionnal loads. See also the "maxconn"
4503 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
4504
4505port <port>
4506 Using the "port" parameter, it becomes possible to use a different port to
4507 send health-checks. On some servers, it may be desirable to dedicate a port
4508 to a specific component able to perform complex tests which are more suitable
4509 to health-checks than the application. It is common to run a simple script in
4510 inetd for instance. This parameter is ignored if the "check" parameter is not
4511 set. See also the "addr" parameter.
4512
4513redir <prefix>
4514 The "redir" parameter enables the redirection mode for all GET and HEAD
4515 requests addressing this server. This means that instead of having HAProxy
4516 forward the request to the server, it will send an "HTTP 302" response with
4517 the "Location" header composed of this prefix immediately followed by the
4518 requested URI beginning at the leading '/' of the path component. That means
4519 that no trailing slash should be used after <prefix>. All invalid requests
4520 will be rejected, and all non-GET or HEAD requests will be normally served by
4521 the server. Note that since the response is completely forged, no header
4522 mangling nor cookie insertion is possible in the respose. However, cookies in
4523 requests are still analysed, making this solution completely usable to direct
4524 users to a remote location in case of local disaster. Main use consists in
4525 increasing bandwidth for static servers by having the clients directly
4526 connect to them. Note: never use a relative location here, it would cause a
4527 loop between the client and HAProxy!
4528
4529 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
4530
4531rise <count>
4532 The "rise" parameter states that a server will be considered as operational
4533 after <count> consecutive successful health checks. This value defaults to 2
4534 if unspecified. See also the "check", "inter" and "fall" parameters.
4535
4536slowstart <start_time_in_ms>
4537 The "slowstart" parameter for a server accepts a value in milliseconds which
4538 indicates after how long a server which has just come back up will run at
4539 full speed. Just as with every other time-based parameter, it can be entered
4540 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
4541 linearly from 0 to 100% during this time. The limitation applies to two
4542 parameters :
4543
4544 - maxconn: the number of connections accepted by the server will grow from 1
4545 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
4546
4547 - weight: when the backend uses a dynamic weighted algorithm, the weight
4548 grows linearly from 1 to 100%. In this case, the weight is updated at every
4549 health-check. For this reason, it is important that the "inter" parameter
4550 is smaller than the "slowstart", in order to maximize the number of steps.
4551
4552 The slowstart never applies when haproxy starts, otherwise it would cause
4553 trouble to running servers. It only applies when a server has been previously
4554 seen as failed.
4555
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004556source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
4557source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004558 The "source" parameter sets the source address which will be used when
4559 connecting to the server. It follows the exact same parameters and principle
4560 as the backend "source" keyword, except that it only applies to the server
4561 referencing it. Please consult the "source" keyword for details.
4562
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004563 Additionally, the "source" statement on a server line allows one to specify a
4564 source port range by indicating the lower and higher bounds delimited by a
4565 dash ('-'). Some operating systems might require a valid IP address when a
4566 source port range is specified. It is permitted to have the same IP/range for
4567 several servers. Doing so makes it possible to bypass the maximum of 64k
4568 total concurrent connections. The limit will then reach 64k connections per
4569 server.
4570
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004571track [<proxy>/]<server>
4572 This option enables ability to set the current state of the server by
4573 tracking another one. Only a server with checks enabled can be tracked
4574 so it is not possible for example to track a server that tracks another
4575 one. If <proxy> is omitted the current one is used. If disable-on-404 is
4576 used, it has to be enabled on both proxies.
4577
4578weight <weight>
4579 The "weight" parameter is used to adjust the server's weight relative to
4580 other servers. All servers will receive a load proportional to their weight
4581 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02004582 load. The default weight is 1, and the maximal value is 256. A value of 0
4583 means the server will not participate in load-balancing but will still accept
4584 persistent connections. If this parameter is used to distribute the load
4585 according to server's capacity, it is recommended to start with values which
4586 can both grow and shrink, for instance between 10 and 100 to leave enough
4587 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004588
4589
45906. HTTP header manipulation
4591---------------------------
4592
4593In HTTP mode, it is possible to rewrite, add or delete some of the request and
4594response headers based on regular expressions. It is also possible to block a
4595request or a response if a particular header matches a regular expression,
4596which is enough to stop most elementary protocol attacks, and to protect
4597against information leak from the internal network. But there is a limitation
4598to this : since HAProxy's HTTP engine does not support keep-alive, only headers
4599passed during the first request of a TCP session will be seen. All subsequent
4600headers will be considered data only and not analyzed. Furthermore, HAProxy
4601never touches data contents, it stops analysis at the end of headers.
4602
4603This section covers common usage of the following keywords, described in detail
4604in section 4.2 :
4605
4606 - reqadd <string>
4607 - reqallow <search>
4608 - reqiallow <search>
4609 - reqdel <search>
4610 - reqidel <search>
4611 - reqdeny <search>
4612 - reqideny <search>
4613 - reqpass <search>
4614 - reqipass <search>
4615 - reqrep <search> <replace>
4616 - reqirep <search> <replace>
4617 - reqtarpit <search>
4618 - reqitarpit <search>
4619 - rspadd <string>
4620 - rspdel <search>
4621 - rspidel <search>
4622 - rspdeny <search>
4623 - rspideny <search>
4624 - rsprep <search> <replace>
4625 - rspirep <search> <replace>
4626
4627With all these keywords, the same conventions are used. The <search> parameter
4628is a POSIX extended regular expression (regex) which supports grouping through
4629parenthesis (without the backslash). Spaces and other delimiters must be
4630prefixed with a backslash ('\') to avoid confusion with a field delimiter.
4631Other characters may be prefixed with a backslash to change their meaning :
4632
4633 \t for a tab
4634 \r for a carriage return (CR)
4635 \n for a new line (LF)
4636 \ to mark a space and differentiate it from a delimiter
4637 \# to mark a sharp and differentiate it from a comment
4638 \\ to use a backslash in a regex
4639 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
4640 \xXX to write the ASCII hex code XX as in the C language
4641
4642The <replace> parameter contains the string to be used to replace the largest
4643portion of text matching the regex. It can make use of the special characters
4644above, and can reference a substring which is delimited by parenthesis in the
4645regex, by writing a backslash ('\') immediately followed by one digit from 0 to
46469 indicating the group position (0 designating the entire line). This practice
4647is very common to users of the "sed" program.
4648
4649The <string> parameter represents the string which will systematically be added
4650after the last header line. It can also use special character sequences above.
4651
4652Notes related to these keywords :
4653---------------------------------
4654 - these keywords are not always convenient to allow/deny based on header
4655 contents. It is strongly recommended to use ACLs with the "block" keyword
4656 instead, resulting in far more flexible and manageable rules.
4657
4658 - lines are always considered as a whole. It is not possible to reference
4659 a header name only or a value only. This is important because of the way
4660 headers are written (notably the number of spaces after the colon).
4661
4662 - the first line is always considered as a header, which makes it possible to
4663 rewrite or filter HTTP requests URIs or response codes, but in turn makes
4664 it harder to distinguish between headers and request line. The regex prefix
4665 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
4666 ^[^ \t:]*: matches any header name followed by a colon.
4667
4668 - for performances reasons, the number of characters added to a request or to
4669 a response is limited at build time to values between 1 and 4 kB. This
4670 should normally be far more than enough for most usages. If it is too short
4671 on occasional usages, it is possible to gain some space by removing some
4672 useless headers before adding new ones.
4673
4674 - keywords beginning with "reqi" and "rspi" are the same as their couterpart
4675 without the 'i' letter except that they ignore case when matching patterns.
4676
4677 - when a request passes through a frontend then a backend, all req* rules
4678 from the frontend will be evaluated, then all req* rules from the backend
4679 will be evaluated. The reverse path is applied to responses.
4680
4681 - req* statements are applied after "block" statements, so that "block" is
4682 always the first one, but before "use_backend" in order to permit rewriting
4683 before switching.
4684
4685
46867. Using ACLs
4687-------------
4688
4689The use of Access Control Lists (ACL) provides a flexible solution to perform
4690content switching and generally to take decisions based on content extracted
4691from the request, the response or any environmental status. The principle is
4692simple :
4693
4694 - define test criteria with sets of values
4695 - perform actions only if a set of tests is valid
4696
4697The actions generally consist in blocking the request, or selecting a backend.
4698
4699In order to define a test, the "acl" keyword is used. The syntax is :
4700
4701 acl <aclname> <criterion> [flags] [operator] <value> ...
4702
4703This creates a new ACL <aclname> or completes an existing one with new tests.
4704Those tests apply to the portion of request/response specified in <criterion>
4705and may be adjusted with optional flags [flags]. Some criteria also support
4706an operator which may be specified before the set of values. The values are
4707of the type supported by the criterion, and are separated by spaces.
4708
4709ACL names must be formed from upper and lower case letters, digits, '-' (dash),
4710'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
4711which means that "my_acl" and "My_Acl" are two different ACLs.
4712
4713There is no enforced limit to the number of ACLs. The unused ones do not affect
4714performance, they just consume a small amount of memory.
4715
4716The following ACL flags are currently supported :
4717
4718 -i : ignore case during matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02004719 -- : force end of flags. Useful when a string looks like one of the flags.
4720
4721Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01004722
Willy Tarreau6a06a402007-07-15 20:15:28 +02004723 - integers or integer ranges
4724 - strings
4725 - regular expressions
4726 - IP addresses and networks
4727
4728
Willy Tarreauc57f0e22009-05-10 13:12:33 +020047297.1. Matching integers
4730----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02004731
4732Matching integers is special in that ranges and operators are permitted. Note
4733that integer matching only applies to positive values. A range is a value
4734expressed with a lower and an upper bound separated with a colon, both of which
4735may be omitted.
4736
4737For instance, "1024:65535" is a valid range to represent a range of
4738unprivileged ports, and "1024:" would also work. "0:1023" is a valid
4739representation of privileged ports, and ":1023" would also work.
4740
Willy Tarreau62644772008-07-16 18:36:06 +02004741As a special case, some ACL functions support decimal numbers which are in fact
4742two integers separated by a dot. This is used with some version checks for
4743instance. All integer properties apply to those decimal numbers, including
4744ranges and operators.
4745
Willy Tarreau6a06a402007-07-15 20:15:28 +02004746For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01004747operators with ranges does not make much sense and is strongly discouraged.
4748Similarly, it does not make much sense to perform order comparisons with a set
4749of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02004750
Willy Tarreau0ba27502007-12-24 16:55:16 +01004751Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02004752
4753 eq : true if the tested value equals at least one value
4754 ge : true if the tested value is greater than or equal to at least one value
4755 gt : true if the tested value is greater than at least one value
4756 le : true if the tested value is less than or equal to at least one value
4757 lt : true if the tested value is less than at least one value
4758
Willy Tarreau0ba27502007-12-24 16:55:16 +01004759For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02004760
4761 acl negative-length hdr_val(content-length) lt 0
4762
Willy Tarreau62644772008-07-16 18:36:06 +02004763This one matches SSL versions between 3.0 and 3.1 (inclusive) :
4764
4765 acl sslv3 req_ssl_ver 3:3.1
4766
Willy Tarreau6a06a402007-07-15 20:15:28 +02004767
Willy Tarreauc57f0e22009-05-10 13:12:33 +020047687.2. Matching strings
4769---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02004770
4771String matching applies to verbatim strings as they are passed, with the
4772exception of the backslash ("\") which makes it possible to escape some
4773characters such as the space. If the "-i" flag is passed before the first
4774string, then the matching will be performed ignoring the case. In order
4775to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01004776before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02004777
4778
Willy Tarreauc57f0e22009-05-10 13:12:33 +020047797.3. Matching regular expressions (regexes)
4780-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02004781
4782Just like with string matching, regex matching applies to verbatim strings as
4783they are passed, with the exception of the backslash ("\") which makes it
4784possible to escape some characters such as the space. If the "-i" flag is
4785passed before the first regex, then the matching will be performed ignoring
4786the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01004787the "--" flag before the first string. Same principle applies of course to
4788match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02004789
4790
Willy Tarreauc57f0e22009-05-10 13:12:33 +020047917.4. Matching IPv4 addresses
4792----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02004793
4794IPv4 addresses values can be specified either as plain addresses or with a
4795netmask appended, in which case the IPv4 address matches whenever it is
4796within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004797host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01004798difficult to read and debug configurations. If hostnames are used, you should
4799at least ensure that they are present in /etc/hosts so that the configuration
4800does not depend on any random DNS match at the moment the configuration is
4801parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02004802
4803
Willy Tarreauc57f0e22009-05-10 13:12:33 +020048047.5. Available matching criteria
4805--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02004806
Willy Tarreauc57f0e22009-05-10 13:12:33 +020048077.5.1. Matching at Layer 4 and below
4808------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01004809
4810A first set of criteria applies to information which does not require any
4811analysis of the request or response contents. Those generally include TCP/IP
4812addresses and ports, as well as internal values independant on the stream.
4813
Willy Tarreau6a06a402007-07-15 20:15:28 +02004814always_false
4815 This one never matches. All values and flags are ignored. It may be used as
4816 a temporary replacement for another one when adjusting configurations.
4817
4818always_true
4819 This one always matches. All values and flags are ignored. It may be used as
4820 a temporary replacement for another one when adjusting configurations.
4821
4822src <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01004823 Applies to the client's IPv4 address. It is usually used to limit access to
Willy Tarreau6a06a402007-07-15 20:15:28 +02004824 certain resources such as statistics. Note that it is the TCP-level source
4825 address which is used, and not the address of a client behind a proxy.
4826
4827src_port <integer>
4828 Applies to the client's TCP source port. This has a very limited usage.
4829
4830dst <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01004831 Applies to the local IPv4 address the client connected to. It can be used to
Willy Tarreau6a06a402007-07-15 20:15:28 +02004832 switch to a different backend for some alternative addresses.
4833
4834dst_port <integer>
4835 Applies to the local port the client connected to. It can be used to switch
4836 to a different backend for some alternative ports.
4837
4838dst_conn <integer>
4839 Applies to the number of currently established connections on the frontend,
4840 including the one being evaluated. It can be used to either return a sorry
Willy Tarreau0ba27502007-12-24 16:55:16 +01004841 page before hard-blocking, or to use a specific backend to drain new requests
Willy Tarreau6a06a402007-07-15 20:15:28 +02004842 when the farm is considered saturated.
4843
Willy Tarreau0ba27502007-12-24 16:55:16 +01004844nbsrv <integer>
4845nbsrv(backend) <integer>
4846 Returns true when the number of usable servers of either the current backend
4847 or the named backend matches the values or ranges specified. This is used to
4848 switch to an alternate backend when the number of servers is too low to
4849 to handle some load. It is useful to report a failure when combined with
4850 "monitor fail".
4851
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08004852connslots <integer>
4853connslots(backend) <integer>
4854 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02004855 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08004856 usage; see "use_backend" keyword) can be redirected to a different backend.
4857
Willy Tarreau55165fe2009-05-10 12:02:55 +02004858 'connslots' = number of available server connection slots, + number of
4859 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08004860
Willy Tarreau55165fe2009-05-10 12:02:55 +02004861 Note that while "dst_conn" may be used, "connslots" comes in especially
4862 useful when you have a case of traffic going to one single ip, splitting into
4863 multiple backends (perhaps using acls to do name-based load balancing) and
4864 you want to be able to differentiate between different backends, and their
4865 available "connslots". Also, whereas "nbsrv" only measures servers that are
4866 actually *down*, this acl is more fine-grained and looks into the number of
4867 available connection slots as well.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08004868
Willy Tarreau55165fe2009-05-10 12:02:55 +02004869 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
4870 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
4871 then this acl clearly does not make sense, in which case the value returned
4872 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08004873
Willy Tarreau079ff0a2009-03-05 21:34:28 +01004874fe_sess_rate <integer>
4875fe_sess_rate(frontend) <integer>
4876 Returns true when the session creation rate on the current or the named
4877 frontend matches the specified values or ranges, expressed in new sessions
4878 per second. This is used to limit the connection rate to acceptable ranges in
4879 order to prevent abuse of service at the earliest moment. This can be
4880 combined with layer 4 ACLs in order to force the clients to wait a bit for
4881 the rate to go down below the limit.
4882
4883 Example :
4884 # This frontend limits incoming mails to 10/s with a max of 100
4885 # concurrent connections. We accept any connection below 10/s, and
4886 # force excess clients to wait for 100 ms. Since clients are limited to
4887 # 100 max, there cannot be more than 10 incoming mails per second.
4888 frontend mail
4889 bind :25
4890 mode tcp
4891 maxconn 100
4892 acl too_fast fe_sess_rate ge 10
4893 tcp-request inspect-delay 100ms
4894 tcp-request content accept if ! too_fast
4895 tcp-request content accept if WAIT_END
4896
4897be_sess_rate <integer>
4898be_sess_rate(backend) <integer>
4899 Returns true when the sessions creation rate on the backend matches the
4900 specified values or ranges, in number of new sessions per second. This is
4901 used to switch to an alternate backend when an expensive or fragile one
4902 reaches too high a session rate, or to limite abuse of service (eg. prevent
4903 sucking of an online dictionary).
4904
4905 Example :
4906 # Redirect to an error page if the dictionary is requested too often
4907 backend dynamic
4908 mode http
4909 acl being_scanned be_sess_rate gt 100
4910 redirect location /denied.html if being_scanned
4911
Willy Tarreau0ba27502007-12-24 16:55:16 +01004912
Willy Tarreauc57f0e22009-05-10 13:12:33 +020049137.5.2. Matching contents at Layer 4
4914-----------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02004915
4916A second set of criteria depends on data found in buffers, but which can change
4917during analysis. This requires that some data has been buffered, for instance
4918through TCP request content inspection. Please see the "tcp-request" keyword
4919for more detailed information on the subject.
4920
4921req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02004922 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02004923 specified range. It is important to understand that this test does not
4924 return false as long as the buffer is changing. This means that a check with
4925 equality to zero will almost always immediately match at the beginning of the
4926 session, while a test for more data will wait for that data to come in and
4927 return false only when haproxy is certain that no more data will come in.
4928 This test was designed to be used with TCP request content inspection.
4929
Willy Tarreau2492d5b2009-07-11 00:06:00 +02004930req_proto_http
4931 Returns true when data in the request buffer look like HTTP and correctly
4932 parses as such. It is the same parser as the common HTTP request parser which
4933 is used so there should be no surprizes. This test can be used for instance
4934 to direct HTTP traffic to a given port and HTTPS traffic to another one
4935 using TCP request content inspection rules.
4936
Emeric Brunbede3d02009-06-30 17:54:00 +02004937req_rdp_cookie <string>
4938req_rdp_cookie(name) <string>
4939 Returns true when data in the request buffer look like the RDP protocol, and
4940 a cookie is present and equal to <string>. By default, any cookie name is
4941 checked, but a specific cookie name can be specified in parenthesis. The
4942 parser only checks for the first cookie, as illustrated in the RDP protocol
4943 specification. The cookie name is case insensitive. This ACL can be useful
4944 with the "MSTS" cookie, as it can contain the user name of the client
4945 connecting to the server if properly configured on the client. This can be
4946 used to restrict access to certain servers to certain users.
4947
4948req_rdp_cookie_cnt <integer>
4949req_rdp_cookie_cnt(name) <integer>
4950 Returns true when the data in the request buffer look like the RDP protocol
4951 and the number of RDP cookies matches the specified range (typically zero or
4952 one). Optionally a specific cookie name can be checked. This is a simple way
4953 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
4954 cookies.
4955
Willy Tarreau62644772008-07-16 18:36:06 +02004956req_ssl_ver <decimal>
4957 Returns true when data in the request buffer look like SSL, with a protocol
4958 version matching the specified range. Both SSLv2 hello messages and SSLv3
4959 messages are supported. The test tries to be strict enough to avoid being
4960 easily fooled. In particular, it waits for as many bytes as announced in the
4961 message header if this header looks valid (bound to the buffer size). Note
4962 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
4963 with TCP request content inspection.
4964
Willy Tarreaub6fb4202008-07-20 11:18:28 +02004965wait_end
4966 Waits for the end of the analysis period to return true. This may be used in
4967 conjunction with content analysis to avoid returning a wrong verdict early.
4968 It may also be used to delay some actions, such as a delayed reject for some
4969 special addresses. Since it either stops the rules evaluation or immediately
4970 returns true, it is recommended to use this acl as the last one in a rule.
4971 Please note that the default ACL "WAIT_END" is always usable without prior
4972 declaration. This test was designed to be used with TCP request content
4973 inspection.
4974
4975 Examples :
4976 # delay every incoming request by 2 seconds
4977 tcp-request inspect-delay 2s
4978 tcp-request content accept if WAIT_END
4979
4980 # don't immediately tell bad guys they are rejected
4981 tcp-request inspect-delay 10s
4982 acl goodguys src 10.0.0.0/24
4983 acl badguys src 10.0.1.0/24
4984 tcp-request content accept if goodguys
4985 tcp-request content reject if badguys WAIT_END
4986 tcp-request content reject
4987
Willy Tarreau62644772008-07-16 18:36:06 +02004988
Willy Tarreauc57f0e22009-05-10 13:12:33 +020049897.5.3. Matching at Layer 7
4990--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01004991
Willy Tarreau62644772008-07-16 18:36:06 +02004992A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01004993application layer (layer 7). Those require that a full HTTP request has been
4994read, and are only evaluated then. They may require slightly more CPU resources
4995than the layer 4 ones, but not much since the request and response are indexed.
4996
Willy Tarreau6a06a402007-07-15 20:15:28 +02004997method <string>
4998 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
4999 already check for most common methods.
5000
5001req_ver <string>
5002 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
5003 ACL already check for versions 1.0 and 1.1.
5004
5005path <string>
5006 Returns true when the path part of the request, which starts at the first
5007 slash and ends before the question mark, equals one of the strings. It may be
5008 used to match known files, such as /favicon.ico.
5009
5010path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01005011 Returns true when the path begins with one of the strings. This can be used
5012 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005013
5014path_end <string>
5015 Returns true when the path ends with one of the strings. This may be used to
5016 control file name extension.
5017
5018path_sub <string>
5019 Returns true when the path contains one of the strings. It can be used to
5020 detect particular patterns in paths, such as "../" for example. See also
5021 "path_dir".
5022
5023path_dir <string>
5024 Returns true when one of the strings is found isolated or delimited with
5025 slashes in the path. This is used to perform filename or directory name
5026 matching without the risk of wrong match due to colliding prefixes. See also
5027 "url_dir" and "path_sub".
5028
5029path_dom <string>
5030 Returns true when one of the strings is found isolated or delimited with dots
5031 in the path. This may be used to perform domain name matching in proxy
5032 requests. See also "path_sub" and "url_dom".
5033
5034path_reg <regex>
5035 Returns true when the path matches one of the regular expressions. It can be
5036 used any time, but it is important to remember that regex matching is slower
5037 than other methods. See also "url_reg" and all "path_" criteria.
5038
5039url <string>
5040 Applies to the whole URL passed in the request. The only real use is to match
5041 "*", for which there already is a predefined ACL.
5042
5043url_beg <string>
5044 Returns true when the URL begins with one of the strings. This can be used to
5045 check whether a URL begins with a slash or with a protocol scheme.
5046
5047url_end <string>
5048 Returns true when the URL ends with one of the strings. It has very limited
5049 use. "path_end" should be used instead for filename matching.
5050
5051url_sub <string>
5052 Returns true when the URL contains one of the strings. It can be used to
5053 detect particular patterns in query strings for example. See also "path_sub".
5054
5055url_dir <string>
5056 Returns true when one of the strings is found isolated or delimited with
5057 slashes in the URL. This is used to perform filename or directory name
5058 matching without the risk of wrong match due to colliding prefixes. See also
5059 "path_dir" and "url_sub".
5060
5061url_dom <string>
5062 Returns true when one of the strings is found isolated or delimited with dots
5063 in the URL. This is used to perform domain name matching without the risk of
5064 wrong match due to colliding prefixes. See also "url_sub".
5065
5066url_reg <regex>
5067 Returns true when the URL matches one of the regular expressions. It can be
5068 used any time, but it is important to remember that regex matching is slower
5069 than other methods. See also "path_reg" and all "url_" criteria.
5070
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01005071url_ip <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01005072 Applies to the IP address specified in the absolute URI in an HTTP request.
5073 It can be used to prevent access to certain resources such as local network.
Willy Tarreau198a7442008-01-17 12:05:32 +01005074 It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01005075
5076url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01005077 Applies to the port specified in the absolute URI in an HTTP request. It can
5078 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01005079 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01005080 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01005081
Willy Tarreau6a06a402007-07-15 20:15:28 +02005082hdr <string>
5083hdr(header) <string>
5084 Note: all the "hdr*" matching criteria either apply to all headers, or to a
5085 particular header whose name is passed between parenthesis and without any
Willy Tarreau0ba27502007-12-24 16:55:16 +01005086 space. The header name is not case-sensitive. The header matching complies
5087 with RFC2616, and treats as separate headers all values delimited by commas.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005088
5089 The "hdr" criteria returns true if any of the headers matching the criteria
Willy Tarreau0ba27502007-12-24 16:55:16 +01005090 match any of the strings. This can be used to check exact for values. For
Willy Tarreau6a06a402007-07-15 20:15:28 +02005091 instance, checking that "connection: close" is set :
5092
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005093 hdr(Connection) -i close
Willy Tarreau21d2af32008-02-14 20:25:24 +01005094
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005095hdr_beg <string>
5096hdr_beg(header) <string>
5097 Returns true when one of the headers begins with one of the strings. See
5098 "hdr" for more information on header matching.
Willy Tarreau21d2af32008-02-14 20:25:24 +01005099
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005100hdr_end <string>
5101hdr_end(header) <string>
5102 Returns true when one of the headers ends with one of the strings. See "hdr"
5103 for more information on header matching.
Willy Tarreau198a7442008-01-17 12:05:32 +01005104
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005105hdr_sub <string>
5106hdr_sub(header) <string>
5107 Returns true when one of the headers contains one of the strings. See "hdr"
5108 for more information on header matching.
Willy Tarreau5764b382007-11-30 17:46:49 +01005109
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005110hdr_dir <string>
5111hdr_dir(header) <string>
5112 Returns true when one of the headers contains one of the strings either
5113 isolated or delimited by slashes. This is used to perform filename or
5114 directory name matching, and may be used with Referer. See "hdr" for more
5115 information on header matching.
Willy Tarreau5764b382007-11-30 17:46:49 +01005116
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005117hdr_dom <string>
5118hdr_dom(header) <string>
5119 Returns true when one of the headers contains one of the strings either
5120 isolated or delimited by dots. This is used to perform domain name matching,
5121 and may be used with the Host header. See "hdr" for more information on
5122 header matching.
Willy Tarreau5764b382007-11-30 17:46:49 +01005123
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005124hdr_reg <regex>
5125hdr_reg(header) <regex>
5126 Returns true when one of the headers matches of the regular expressions. It
5127 can be used at any time, but it is important to remember that regex matching
5128 is slower than other methods. See also other "hdr_" criteria, as well as
5129 "hdr" for more information on header matching.
Willy Tarreau5764b382007-11-30 17:46:49 +01005130
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005131hdr_val <integer>
5132hdr_val(header) <integer>
5133 Returns true when one of the headers starts with a number which matches the
5134 values or ranges specified. This may be used to limit content-length to
5135 acceptable values for example. See "hdr" for more information on header
5136 matching.
Willy Tarreau198a7442008-01-17 12:05:32 +01005137
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005138hdr_cnt <integer>
5139hdr_cnt(header) <integer>
5140 Returns true when the number of occurrence of the specified header matches
5141 the values or ranges specified. It is important to remember that one header
5142 line may count as several headers if it has several values. This is used to
5143 detect presence, absence or abuse of a specific header, as well as to block
5144 request smugling attacks by rejecting requests which contain more than one
5145 of certain headers. See "hdr" for more information on header matching.
Krzysztof Piotr Oledzkic8b16fc2008-02-18 01:26:35 +01005146
Willy Tarreau198a7442008-01-17 12:05:32 +01005147
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051487.6. Pre-defined ACLs
5149---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01005150
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005151Some predefined ACLs are hard-coded so that they do not have to be declared in
5152every frontend which needs them. They all have their names in upper case in
5153order to avoid confusion. Their equivalence is provided below. Please note that
5154only the first three ones are not layer 7 based.
Willy Tarreauced27012008-01-17 20:35:34 +01005155
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005156ACL name Equivalent to Usage
5157---------------+-----------------------------+---------------------------------
5158TRUE always_true always match
5159FALSE always_false never match
5160LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreau2492d5b2009-07-11 00:06:00 +02005161HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005162HTTP_1.0 req_ver 1.0 match HTTP version 1.0
5163HTTP_1.1 req_ver 1.1 match HTTP version 1.1
5164METH_CONNECT method CONNECT match HTTP CONNECT method
5165METH_GET method GET HEAD match HTTP GET or HEAD method
5166METH_HEAD method HEAD match HTTP HEAD method
5167METH_OPTIONS method OPTIONS match HTTP OPTIONS method
5168METH_POST method POST match HTTP POST method
5169METH_TRACE method TRACE match HTTP TRACE method
5170HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
5171HTTP_URL_SLASH url_beg / match URL begining with "/"
5172HTTP_URL_STAR url * match URL equal to "*"
5173HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
Emeric Brunbede3d02009-06-30 17:54:00 +02005174RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005175REQ_CONTENT req_len gt 0 match data in the request buffer
5176WAIT_END wait_end wait for end of content analysis
5177---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01005178
Willy Tarreauced27012008-01-17 20:35:34 +01005179
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051807.7. Using ACLs to form conditions
5181----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01005182
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005183Some actions are only performed upon a valid condition. A condition is a
5184combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01005185
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005186 - AND (implicit)
5187 - OR (explicit with the "or" keyword or the "||" operator)
5188 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01005189
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005190A condition is formed as a disjonctive form :
Willy Tarreauced27012008-01-17 20:35:34 +01005191
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005192 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01005193
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005194Such conditions are generally used after an "if" or "unless" statement,
5195indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01005196
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005197For instance, to block HTTP requests to the "*" URL with methods other than
5198"OPTIONS", as well as POST requests without content-length, and GET or HEAD
5199requests with a content-length greater than 0, and finally every request which
5200is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01005201
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005202 acl missing_cl hdr_cnt(Content-length) eq 0
5203 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
5204 block if METH_GET HTTP_CONTENT
5205 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01005206
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005207To select a different backend for requests to static contents on the "www" site
5208and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01005209
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005210 acl url_static path_beg /static /images /img /css
5211 acl url_static path_end .gif .png .jpg .css .js
5212 acl host_www hdr_beg(host) -i www
5213 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01005214
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005215 # now use backend "static" for all static-only hosts, and for static urls
5216 # of host "www". Use backend "www" for the rest.
5217 use_backend static if host_static or host_www url_static
5218 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01005219
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005220See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01005221
Willy Tarreau5764b382007-11-30 17:46:49 +01005222
Willy Tarreauc57f0e22009-05-10 13:12:33 +020052238. Logging
5224----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01005225
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005226One of HAProxy's strong points certainly lies is its precise logs. It probably
5227provides the finest level of information available for such a product, which is
5228very important for troubleshooting complex environments. Standard information
5229provided in logs include client ports, TCP/HTTP state timers, precise session
5230state at termination and precise termination cause, information about decisions
5231to direct trafic to a server, and of course the ability to capture arbitrary
5232headers.
5233
5234In order to improve administrators reactivity, it offers a great transparency
5235about encountered problems, both internal and external, and it is possible to
5236send logs to different sources at the same time with different level filters :
5237
5238 - global process-level logs (system errors, start/stop, etc..)
5239 - per-instance system and internal errors (lack of resource, bugs, ...)
5240 - per-instance external troubles (servers up/down, max connections)
5241 - per-instance activity (client connections), either at the establishment or
5242 at the termination.
5243
5244The ability to distribute different levels of logs to different log servers
5245allow several production teams to interact and to fix their problems as soon
5246as possible. For example, the system team might monitor system-wide errors,
5247while the application team might be monitoring the up/down for their servers in
5248real time, and the security team might analyze the activity logs with one hour
5249delay.
5250
5251
Willy Tarreauc57f0e22009-05-10 13:12:33 +020052528.1. Log levels
5253---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005254
5255TCP and HTTP connections can be logged with informations such as date, time,
5256source IP address, destination address, connection duration, response times,
5257HTTP request, the HTTP return code, number of bytes transmitted, the conditions
5258in which the session ended, and even exchanged cookies values, to track a
5259particular user's problems for example. All messages are sent to up to two
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005260syslog servers. Check the "log" keyword in section 4.2 for more info about log
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005261facilities.
5262
5263
Willy Tarreauc57f0e22009-05-10 13:12:33 +020052648.2. Log formats
5265----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005266
Emeric Brun3a058f32009-06-30 18:26:00 +02005267HAProxy supports 4 log formats. Several fields are common between these formats
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005268and will be detailed in the next sections. A few of them may slightly vary with
5269the configuration, due to indicators specific to certain options. The supported
5270formats are the following ones :
5271
5272 - the default format, which is very basic and very rarely used. It only
5273 provides very basic information about the incoming connection at the moment
5274 it is accepted : source IP:port, destination IP:port, and frontend-name.
5275 This mode will eventually disappear so it will not be described to great
5276 extents.
5277
5278 - the TCP format, which is more advanced. This format is enabled when "option
5279 tcplog" is set on the frontend. HAProxy will then usually wait for the
5280 connection to terminate before logging. This format provides much richer
5281 information, such as timers, connection counts, queue size, etc... This
5282 format is recommended for pure TCP proxies.
5283
5284 - the HTTP format, which is the most advanced for HTTP proxying. This format
5285 is enabled when "option httplog" is set on the frontend. It provides the
5286 same information as the TCP format with some HTTP-specific fields such as
5287 the request, the status code, and captures of headers and cookies. This
5288 format is recommended for HTTP proxies.
5289
Emeric Brun3a058f32009-06-30 18:26:00 +02005290 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
5291 fields arranged in the same order as the CLF format. In this mode, all
5292 timers, captures, flags, etc... appear one per field after the end of the
5293 common fields, in the same order they appear in the standard HTTP format.
5294
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005295Next sections will go deeper into details for each of these formats. Format
5296specification will be performed on a "field" basis. Unless stated otherwise, a
5297field is a portion of text delimited by any number of spaces. Since syslog
5298servers are susceptible of inserting fields at the beginning of a line, it is
5299always assumed that the first field is the one containing the process name and
5300identifier.
5301
5302Note : Since log lines may be quite long, the log examples in sections below
5303 might be broken into multiple lines. The example log lines will be
5304 prefixed with 3 closing angle brackets ('>>>') and each time a log is
5305 broken into multiple lines, each non-final line will end with a
5306 backslash ('\') and the next line will start indented by two characters.
5307
5308
Willy Tarreauc57f0e22009-05-10 13:12:33 +020053098.2.1. Default log format
5310-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005311
5312This format is used when no specific option is set. The log is emitted as soon
5313as the connection is accepted. One should note that this currently is the only
5314format which logs the request's destination IP and ports.
5315
5316 Example :
5317 listen www
5318 mode http
5319 log global
5320 server srv1 127.0.0.1:8000
5321
5322 >>> Feb 6 12:12:09 localhost \
5323 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
5324 (www/HTTP)
5325
5326 Field Format Extract from the example above
5327 1 process_name '[' pid ']:' haproxy[14385]:
5328 2 'Connect from' Connect from
5329 3 source_ip ':' source_port 10.0.1.2:33312
5330 4 'to' to
5331 5 destination_ip ':' destination_port 10.0.3.31:8012
5332 6 '(' frontend_name '/' mode ')' (www/HTTP)
5333
5334Detailed fields description :
5335 - "source_ip" is the IP address of the client which initiated the connection.
5336 - "source_port" is the TCP port of the client which initiated the connection.
5337 - "destination_ip" is the IP address the client connected to.
5338 - "destination_port" is the TCP port the client connected to.
5339 - "frontend_name" is the name of the frontend (or listener) which received
5340 and processed the connection.
5341 - "mode is the mode the frontend is operating (TCP or HTTP).
5342
5343It is advised not to use this deprecated format for newer installations as it
5344will eventually disappear.
5345
5346
Willy Tarreauc57f0e22009-05-10 13:12:33 +020053478.2.2. TCP log format
5348---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005349
5350The TCP format is used when "option tcplog" is specified in the frontend, and
5351is the recommended format for pure TCP proxies. It provides a lot of precious
5352information for troubleshooting. Since this format includes timers and byte
5353counts, the log is normally emitted at the end of the session. It can be
5354emitted earlier if "option logasap" is specified, which makes sense in most
5355environments with long sessions such as remote terminals. Sessions which match
5356the "monitor" rules are never logged. It is also possible not to emit logs for
5357sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02005358specifying "option dontlognull" in the frontend. Successful connections will
5359not be logged if "option dontlog-normal" is specified in the frontend. A few
5360fields may slightly vary depending on some configuration options, those are
5361marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005362
5363 Example :
5364 frontend fnt
5365 mode tcp
5366 option tcplog
5367 log global
5368 default_backend bck
5369
5370 backend bck
5371 server srv1 127.0.0.1:8000
5372
5373 >>> Feb 6 12:12:56 localhost \
5374 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
5375 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
5376
5377 Field Format Extract from the example above
5378 1 process_name '[' pid ']:' haproxy[14387]:
5379 2 client_ip ':' client_port 10.0.1.2:33313
5380 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
5381 4 frontend_name fnt
5382 5 backend_name '/' server_name bck/srv1
5383 6 Tw '/' Tc '/' Tt* 0/0/5007
5384 7 bytes_read* 212
5385 8 termination_state --
5386 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
5387 10 srv_queue '/' backend_queue 0/0
5388
5389Detailed fields description :
5390 - "client_ip" is the IP address of the client which initiated the TCP
5391 connection to haproxy.
5392
5393 - "client_port" is the TCP port of the client which initiated the connection.
5394
5395 - "accept_date" is the exact date when the connection was received by haproxy
5396 (which might be very slightly different from the date observed on the
5397 network if there was some queuing in the system's backlog). This is usually
5398 the same date which may appear in any upstream firewall's log.
5399
5400 - "frontend_name" is the name of the frontend (or listener) which received
5401 and processed the connection.
5402
5403 - "backend_name" is the name of the backend (or listener) which was selected
5404 to manage the connection to the server. This will be the same as the
5405 frontend if no switching rule has been applied, which is common for TCP
5406 applications.
5407
5408 - "server_name" is the name of the last server to which the connection was
5409 sent, which might differ from the first one if there were connection errors
5410 and a redispatch occurred. Note that this server belongs to the backend
5411 which processed the request. If the connection was aborted before reaching
5412 a server, "<NOSRV>" is indicated instead of a server name.
5413
5414 - "Tw" is the total time in milliseconds spent waiting in the various queues.
5415 It can be "-1" if the connection was aborted before reaching the queue.
5416 See "Timers" below for more details.
5417
5418 - "Tc" is the total time in milliseconds spent waiting for the connection to
5419 establish to the final server, including retries. It can be "-1" if the
5420 connection was aborted before a connection could be established. See
5421 "Timers" below for more details.
5422
5423 - "Tt" is the total time in milliseconds elapsed between the accept and the
5424 last close. It covers all possible processings. There is one exception, if
5425 "option logasap" was specified, then the time counting stops at the moment
5426 the log is emitted. In this case, a '+' sign is prepended before the value,
5427 indicating that the final one will be larger. See "Timers" below for more
5428 details.
5429
5430 - "bytes_read" is the total number of bytes transmitted from the server to
5431 the client when the log is emitted. If "option logasap" is specified, the
5432 this value will be prefixed with a '+' sign indicating that the final one
5433 may be larger. Please note that this value is a 64-bit counter, so log
5434 analysis tools must be able to handle it without overflowing.
5435
5436 - "termination_state" is the condition the session was in when the session
5437 ended. This indicates the session state, which side caused the end of
5438 session to happen, and for what reason (timeout, error, ...). The normal
5439 flags should be "--", indicating the session was closed by either end with
5440 no data remaining in buffers. See below "Session state at disconnection"
5441 for more details.
5442
5443 - "actconn" is the total number of concurrent connections on the process when
5444 the session was logged. It it useful to detect when some per-process system
5445 limits have been reached. For instance, if actconn is close to 512 when
5446 multiple connection errors occur, chances are high that the system limits
5447 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005448 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005449
5450 - "feconn" is the total number of concurrent connections on the frontend when
5451 the session was logged. It is useful to estimate the amount of resource
5452 required to sustain high loads, and to detect when the frontend's "maxconn"
5453 has been reached. Most often when this value increases by huge jumps, it is
5454 because there is congestion on the backend servers, but sometimes it can be
5455 caused by a denial of service attack.
5456
5457 - "beconn" is the total number of concurrent connections handled by the
5458 backend when the session was logged. It includes the total number of
5459 concurrent connections active on servers as well as the number of
5460 connections pending in queues. It is useful to estimate the amount of
5461 additional servers needed to support high loads for a given application.
5462 Most often when this value increases by huge jumps, it is because there is
5463 congestion on the backend servers, but sometimes it can be caused by a
5464 denial of service attack.
5465
5466 - "srv_conn" is the total number of concurrent connections still active on
5467 the server when the session was logged. It can never exceed the server's
5468 configured "maxconn" parameter. If this value is very often close or equal
5469 to the server's "maxconn", it means that traffic regulation is involved a
5470 lot, meaning that either the server's maxconn value is too low, or that
5471 there aren't enough servers to process the load with an optimal response
5472 time. When only one of the server's "srv_conn" is high, it usually means
5473 that this server has some trouble causing the connections to take longer to
5474 be processed than on other servers.
5475
5476 - "retries" is the number of connection retries experienced by this session
5477 when trying to connect to the server. It must normally be zero, unless a
5478 server is being stopped at the same moment the connection was attempted.
5479 Frequent retries generally indicate either a network problem between
5480 haproxy and the server, or a misconfigured system backlog on the server
5481 preventing new connections from being queued. This field may optionally be
5482 prefixed with a '+' sign, indicating that the session has experienced a
5483 redispatch after the maximal retry count has been reached on the initial
5484 server. In this case, the server name appearing in the log is the one the
5485 connection was redispatched to, and not the first one, though both may
5486 sometimes be the same in case of hashing for instance. So as a general rule
5487 of thumb, when a '+' is present in front of the retry count, this count
5488 should not be attributed to the logged server.
5489
5490 - "srv_queue" is the total number of requests which were processed before
5491 this one in the server queue. It is zero when the request has not gone
5492 through the server queue. It makes it possible to estimate the approximate
5493 server's response time by dividing the time spent in queue by the number of
5494 requests in the queue. It is worth noting that if a session experiences a
5495 redispatch and passes through two server queues, their positions will be
5496 cumulated. A request should not pass through both the server queue and the
5497 backend queue unless a redispatch occurs.
5498
5499 - "backend_queue" is the total number of requests which were processed before
5500 this one in the backend's global queue. It is zero when the request has not
5501 gone through the global queue. It makes it possible to estimate the average
5502 queue length, which easily translates into a number of missing servers when
5503 divided by a server's "maxconn" parameter. It is worth noting that if a
5504 session experiences a redispatch, it may pass twice in the backend's queue,
5505 and then both positions will be cumulated. A request should not pass
5506 through both the server queue and the backend queue unless a redispatch
5507 occurs.
5508
5509
Willy Tarreauc57f0e22009-05-10 13:12:33 +020055108.2.3. HTTP log format
5511----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005512
5513The HTTP format is the most complete and the best suited for HTTP proxies. It
5514is enabled by when "option httplog" is specified in the frontend. It provides
5515the same level of information as the TCP format with additional features which
5516are specific to the HTTP protocol. Just like the TCP format, the log is usually
5517emitted at the end of the session, unless "option logasap" is specified, which
5518generally only makes sense for download sites. A session which matches the
5519"monitor" rules will never logged. It is also possible not to log sessions for
5520which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02005521frontend. Successful connections will not be logged if "option dontlog-normal"
5522is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005523
5524Most fields are shared with the TCP log, some being different. A few fields may
5525slightly vary depending on some configuration options. Those ones are marked
5526with a star ('*') after the field name below.
5527
5528 Example :
5529 frontend http-in
5530 mode http
5531 option httplog
5532 log global
5533 default_backend bck
5534
5535 backend static
5536 server srv1 127.0.0.1:8000
5537
5538 >>> Feb 6 12:14:14 localhost \
5539 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
5540 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
5541 {} "GET /index.html HTTP/1.1"
5542
5543 Field Format Extract from the example above
5544 1 process_name '[' pid ']:' haproxy[14389]:
5545 2 client_ip ':' client_port 10.0.1.2:33317
5546 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
5547 4 frontend_name http-in
5548 5 backend_name '/' server_name static/srv1
5549 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
5550 7 status_code 200
5551 8 bytes_read* 2750
5552 9 captured_request_cookie -
5553 10 captured_response_cookie -
5554 11 termination_state ----
5555 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
5556 13 srv_queue '/' backend_queue 0/0
5557 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
5558 15 '{' captured_response_headers* '}' {}
5559 16 '"' http_request '"' "GET /index.html HTTP/1.1"
5560
5561
5562Detailed fields description :
5563 - "client_ip" is the IP address of the client which initiated the TCP
5564 connection to haproxy.
5565
5566 - "client_port" is the TCP port of the client which initiated the connection.
5567
5568 - "accept_date" is the exact date when the TCP connection was received by
5569 haproxy (which might be very slightly different from the date observed on
5570 the network if there was some queuing in the system's backlog). This is
5571 usually the same date which may appear in any upstream firewall's log. This
5572 does not depend on the fact that the client has sent the request or not.
5573
5574 - "frontend_name" is the name of the frontend (or listener) which received
5575 and processed the connection.
5576
5577 - "backend_name" is the name of the backend (or listener) which was selected
5578 to manage the connection to the server. This will be the same as the
5579 frontend if no switching rule has been applied.
5580
5581 - "server_name" is the name of the last server to which the connection was
5582 sent, which might differ from the first one if there were connection errors
5583 and a redispatch occurred. Note that this server belongs to the backend
5584 which processed the request. If the request was aborted before reaching a
5585 server, "<NOSRV>" is indicated instead of a server name. If the request was
5586 intercepted by the stats subsystem, "<STATS>" is indicated instead.
5587
5588 - "Tq" is the total time in milliseconds spent waiting for the client to send
5589 a full HTTP request, not counting data. It can be "-1" if the connection
5590 was aborted before a complete request could be received. It should always
5591 be very small because a request generally fits in one single packet. Large
5592 times here generally indicate network trouble between the client and
5593 haproxy. See "Timers" below for more details.
5594
5595 - "Tw" is the total time in milliseconds spent waiting in the various queues.
5596 It can be "-1" if the connection was aborted before reaching the queue.
5597 See "Timers" below for more details.
5598
5599 - "Tc" is the total time in milliseconds spent waiting for the connection to
5600 establish to the final server, including retries. It can be "-1" if the
5601 request was aborted before a connection could be established. See "Timers"
5602 below for more details.
5603
5604 - "Tr" is the total time in milliseconds spent waiting for the server to send
5605 a full HTTP response, not counting data. It can be "-1" if the request was
5606 aborted before a complete response could be received. It generally matches
5607 the server's processing time for the request, though it may be altered by
5608 the amount of data sent by the client to the server. Large times here on
5609 "GET" requests generally indicate an overloaded server. See "Timers" below
5610 for more details.
5611
5612 - "Tt" is the total time in milliseconds elapsed between the accept and the
5613 last close. It covers all possible processings. There is one exception, if
5614 "option logasap" was specified, then the time counting stops at the moment
5615 the log is emitted. In this case, a '+' sign is prepended before the value,
5616 indicating that the final one will be larger. See "Timers" below for more
5617 details.
5618
5619 - "status_code" is the HTTP status code returned to the client. This status
5620 is generally set by the server, but it might also be set by haproxy when
5621 the server cannot be reached or when its response is blocked by haproxy.
5622
5623 - "bytes_read" is the total number of bytes transmitted to the client when
5624 the log is emitted. This does include HTTP headers. If "option logasap" is
5625 specified, the this value will be prefixed with a '+' sign indicating that
5626 the final one may be larger. Please note that this value is a 64-bit
5627 counter, so log analysis tools must be able to handle it without
5628 overflowing.
5629
5630 - "captured_request_cookie" is an optional "name=value" entry indicating that
5631 the client had this cookie in the request. The cookie name and its maximum
5632 length are defined by the "capture cookie" statement in the frontend
5633 configuration. The field is a single dash ('-') when the option is not
5634 set. Only one cookie may be captured, it is generally used to track session
5635 ID exchanges between a client and a server to detect session crossing
5636 between clients due to application bugs. For more details, please consult
5637 the section "Capturing HTTP headers and cookies" below.
5638
5639 - "captured_response_cookie" is an optional "name=value" entry indicating
5640 that the server has returned a cookie with its response. The cookie name
5641 and its maximum length are defined by the "capture cookie" statement in the
5642 frontend configuration. The field is a single dash ('-') when the option is
5643 not set. Only one cookie may be captured, it is generally used to track
5644 session ID exchanges between a client and a server to detect session
5645 crossing between clients due to application bugs. For more details, please
5646 consult the section "Capturing HTTP headers and cookies" below.
5647
5648 - "termination_state" is the condition the session was in when the session
5649 ended. This indicates the session state, which side caused the end of
5650 session to happen, for what reason (timeout, error, ...), just like in TCP
5651 logs, and information about persistence operations on cookies in the last
5652 two characters. The normal flags should begin with "--", indicating the
5653 session was closed by either end with no data remaining in buffers. See
5654 below "Session state at disconnection" for more details.
5655
5656 - "actconn" is the total number of concurrent connections on the process when
5657 the session was logged. It it useful to detect when some per-process system
5658 limits have been reached. For instance, if actconn is close to 512 or 1024
5659 when multiple connection errors occur, chances are high that the system
5660 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005661 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005662 system.
5663
5664 - "feconn" is the total number of concurrent connections on the frontend when
5665 the session was logged. It is useful to estimate the amount of resource
5666 required to sustain high loads, and to detect when the frontend's "maxconn"
5667 has been reached. Most often when this value increases by huge jumps, it is
5668 because there is congestion on the backend servers, but sometimes it can be
5669 caused by a denial of service attack.
5670
5671 - "beconn" is the total number of concurrent connections handled by the
5672 backend when the session was logged. It includes the total number of
5673 concurrent connections active on servers as well as the number of
5674 connections pending in queues. It is useful to estimate the amount of
5675 additional servers needed to support high loads for a given application.
5676 Most often when this value increases by huge jumps, it is because there is
5677 congestion on the backend servers, but sometimes it can be caused by a
5678 denial of service attack.
5679
5680 - "srv_conn" is the total number of concurrent connections still active on
5681 the server when the session was logged. It can never exceed the server's
5682 configured "maxconn" parameter. If this value is very often close or equal
5683 to the server's "maxconn", it means that traffic regulation is involved a
5684 lot, meaning that either the server's maxconn value is too low, or that
5685 there aren't enough servers to process the load with an optimal response
5686 time. When only one of the server's "srv_conn" is high, it usually means
5687 that this server has some trouble causing the requests to take longer to be
5688 processed than on other servers.
5689
5690 - "retries" is the number of connection retries experienced by this session
5691 when trying to connect to the server. It must normally be zero, unless a
5692 server is being stopped at the same moment the connection was attempted.
5693 Frequent retries generally indicate either a network problem between
5694 haproxy and the server, or a misconfigured system backlog on the server
5695 preventing new connections from being queued. This field may optionally be
5696 prefixed with a '+' sign, indicating that the session has experienced a
5697 redispatch after the maximal retry count has been reached on the initial
5698 server. In this case, the server name appearing in the log is the one the
5699 connection was redispatched to, and not the first one, though both may
5700 sometimes be the same in case of hashing for instance. So as a general rule
5701 of thumb, when a '+' is present in front of the retry count, this count
5702 should not be attributed to the logged server.
5703
5704 - "srv_queue" is the total number of requests which were processed before
5705 this one in the server queue. It is zero when the request has not gone
5706 through the server queue. It makes it possible to estimate the approximate
5707 server's response time by dividing the time spent in queue by the number of
5708 requests in the queue. It is worth noting that if a session experiences a
5709 redispatch and passes through two server queues, their positions will be
5710 cumulated. A request should not pass through both the server queue and the
5711 backend queue unless a redispatch occurs.
5712
5713 - "backend_queue" is the total number of requests which were processed before
5714 this one in the backend's global queue. It is zero when the request has not
5715 gone through the global queue. It makes it possible to estimate the average
5716 queue length, which easily translates into a number of missing servers when
5717 divided by a server's "maxconn" parameter. It is worth noting that if a
5718 session experiences a redispatch, it may pass twice in the backend's queue,
5719 and then both positions will be cumulated. A request should not pass
5720 through both the server queue and the backend queue unless a redispatch
5721 occurs.
5722
5723 - "captured_request_headers" is a list of headers captured in the request due
5724 to the presence of the "capture request header" statement in the frontend.
5725 Multiple headers can be captured, they will be delimited by a vertical bar
5726 ('|'). When no capture is enabled, the braces do not appear, causing a
5727 shift of remaining fields. It is important to note that this field may
5728 contain spaces, and that using it requires a smarter log parser than when
5729 it's not used. Please consult the section "Capturing HTTP headers and
5730 cookies" below for more details.
5731
5732 - "captured_response_headers" is a list of headers captured in the response
5733 due to the presence of the "capture response header" statement in the
5734 frontend. Multiple headers can be captured, they will be delimited by a
5735 vertical bar ('|'). When no capture is enabled, the braces do not appear,
5736 causing a shift of remaining fields. It is important to note that this
5737 field may contain spaces, and that using it requires a smarter log parser
5738 than when it's not used. Please consult the section "Capturing HTTP headers
5739 and cookies" below for more details.
5740
5741 - "http_request" is the complete HTTP request line, including the method,
5742 request and HTTP version string. Non-printable characters are encoded (see
5743 below the section "Non-printable characters"). This is always the last
5744 field, and it is always delimited by quotes and is the only one which can
5745 contain quotes. If new fields are added to the log format, they will be
5746 added before this field. This field might be truncated if the request is
5747 huge and does not fit in the standard syslog buffer (1024 characters). This
5748 is the reason why this field must always remain the last one.
5749
5750
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057518.3. Advanced logging options
5752-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005753
5754Some advanced logging options are often looked for but are not easy to find out
5755just by looking at the various options. Here is an entry point for the few
5756options which can enable better logging. Please refer to the keywords reference
5757for more information about their usage.
5758
5759
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057608.3.1. Disabling logging of external tests
5761------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005762
5763It is quite common to have some monitoring tools perform health checks on
5764haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
5765commercial load-balancer, and sometimes it will simply be a more complete
5766monitoring system such as Nagios. When the tests are very frequent, users often
5767ask how to disable logging for those checks. There are three possibilities :
5768
5769 - if connections come from everywhere and are just TCP probes, it is often
5770 desired to simply disable logging of connections without data exchange, by
5771 setting "option dontlognull" in the frontend. It also disables logging of
5772 port scans, which may or may not be desired.
5773
5774 - if the connection come from a known source network, use "monitor-net" to
5775 declare this network as monitoring only. Any host in this network will then
5776 only be able to perform health checks, and their requests will not be
5777 logged. This is generally appropriate to designate a list of equipments
5778 such as other load-balancers.
5779
5780 - if the tests are performed on a known URI, use "monitor-uri" to declare
5781 this URI as dedicated to monitoring. Any host sending this request will
5782 only get the result of a health-check, and the request will not be logged.
5783
5784
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057858.3.2. Logging before waiting for the session to terminate
5786----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005787
5788The problem with logging at end of connection is that you have no clue about
5789what is happening during very long sessions, such as remote terminal sessions
5790or large file downloads. This problem can be worked around by specifying
5791"option logasap" in the frontend. Haproxy will then log as soon as possible,
5792just before data transfer begins. This means that in case of TCP, it will still
5793log the connection status to the server, and in case of HTTP, it will log just
5794after processing the server headers. In this case, the number of bytes reported
5795is the number of header bytes sent to the client. In order to avoid confusion
5796with normal logs, the total time field and the number of bytes are prefixed
5797with a '+' sign which means that real numbers are certainly larger.
5798
5799
Willy Tarreauc57f0e22009-05-10 13:12:33 +020058008.3.3. Raising log level upon errors
5801------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02005802
5803Sometimes it is more convenient to separate normal traffic from errors logs,
5804for instance in order to ease error monitoring from log files. When the option
5805"log-separate-errors" is used, connections which experience errors, timeouts,
5806retries, redispatches or HTTP status codes 5xx will see their syslog level
5807raised from "info" to "err". This will help a syslog daemon store the log in
5808a separate file. It is very important to keep the errors in the normal traffic
5809file too, so that log ordering is not altered. You should also be careful if
5810you already have configured your syslog daemon to store all logs higher than
5811"notice" in an "admin" file, because the "err" level is higher than "notice".
5812
5813
Willy Tarreauc57f0e22009-05-10 13:12:33 +020058148.3.4. Disabling logging of successful connections
5815--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02005816
5817Although this may sound strange at first, some large sites have to deal with
5818multiple thousands of logs per second and are experiencing difficulties keeping
5819them intact for a long time or detecting errors within them. If the option
5820"dontlog-normal" is set on the frontend, all normal connections will not be
5821logged. In this regard, a normal connection is defined as one without any
5822error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
5823and a response with a status 5xx is not considered normal and will be logged
5824too. Of course, doing is is really discouraged as it will remove most of the
5825useful information from the logs. Do this only if you have no other
5826alternative.
5827
5828
Willy Tarreauc57f0e22009-05-10 13:12:33 +020058298.4. Timing events
5830------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005831
5832Timers provide a great help in troubleshooting network problems. All values are
5833reported in milliseconds (ms). These timers should be used in conjunction with
5834the session termination flags. In TCP mode with "option tcplog" set on the
5835frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
5836mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
5837
5838 - Tq: total time to get the client request (HTTP mode only). It's the time
5839 elapsed between the moment the client connection was accepted and the
5840 moment the proxy received the last HTTP header. The value "-1" indicates
5841 that the end of headers (empty line) has never been seen. This happens when
5842 the client closes prematurely or times out.
5843
5844 - Tw: total time spent in the queues waiting for a connection slot. It
5845 accounts for backend queue as well as the server queues, and depends on the
5846 queue size, and the time needed for the server to complete previous
5847 requests. The value "-1" means that the request was killed before reaching
5848 the queue, which is generally what happens with invalid or denied requests.
5849
5850 - Tc: total time to establish the TCP connection to the server. It's the time
5851 elapsed between the moment the proxy sent the connection request, and the
5852 moment it was acknowledged by the server, or between the TCP SYN packet and
5853 the matching SYN/ACK packet in return. The value "-1" means that the
5854 connection never established.
5855
5856 - Tr: server response time (HTTP mode only). It's the time elapsed between
5857 the moment the TCP connection was established to the server and the moment
5858 the server sent its complete response headers. It purely shows its request
5859 processing time, without the network overhead due to the data transmission.
5860 It is worth noting that when the client has data to send to the server, for
5861 instance during a POST request, the time already runs, and this can distort
5862 apparent response time. For this reason, it's generally wise not to trust
5863 too much this field for POST requests initiated from clients behind an
5864 untrusted network. A value of "-1" here means that the last the response
5865 header (empty line) was never seen, most likely because the server timeout
5866 stroke before the server managed to process the request.
5867
5868 - Tt: total session duration time, between the moment the proxy accepted it
5869 and the moment both ends were closed. The exception is when the "logasap"
5870 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
5871 prefixed with a '+' sign. From this field, we can deduce "Td", the data
5872 transmission time, by substracting other timers when valid :
5873
5874 Td = Tt - (Tq + Tw + Tc + Tr)
5875
5876 Timers with "-1" values have to be excluded from this equation. In TCP
5877 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
5878 negative.
5879
5880These timers provide precious indications on trouble causes. Since the TCP
5881protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
5882that timers close to multiples of 3s are nearly always related to lost packets
5883due to network problems (wires, negociation, congestion). Moreover, if "Tt" is
5884close to a timeout value specified in the configuration, it often means that a
5885session has been aborted on timeout.
5886
5887Most common cases :
5888
5889 - If "Tq" is close to 3000, a packet has probably been lost between the
5890 client and the proxy. This is very rare on local networks but might happen
5891 when clients are on far remote networks and send large requests. It may
5892 happen that values larger than usual appear here without any network cause.
5893 Sometimes, during an attack or just after a resource starvation has ended,
5894 haproxy may accept thousands of connections in a few milliseconds. The time
5895 spent accepting these connections will inevitably slightly delay processing
5896 of other connections, and it can happen that request times in the order of
5897 a few tens of milliseconds are measured after a few thousands of new
5898 connections have been accepted at once.
5899
5900 - If "Tc" is close to 3000, a packet has probably been lost between the
5901 server and the proxy during the server connection phase. This value should
5902 always be very low, such as 1 ms on local networks and less than a few tens
5903 of ms on remote networks.
5904
Willy Tarreau55165fe2009-05-10 12:02:55 +02005905 - If "Tr" is nearly always lower than 3000 except some rare values which seem
5906 to be the average majored by 3000, there are probably some packets lost
5907 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005908
5909 - If "Tt" is large even for small byte counts, it generally is because
5910 neither the client nor the server decides to close the connection, for
5911 instance because both have agreed on a keep-alive connection mode. In order
5912 to solve this issue, it will be needed to specify "option httpclose" on
5913 either the frontend or the backend. If the problem persists, it means that
5914 the server ignores the "close" connection mode and expects the client to
5915 close. Then it will be required to use "option forceclose". Having the
5916 smallest possible 'Tt' is important when connection regulation is used with
5917 the "maxconn" option on the servers, since no new connection will be sent
5918 to the server until another one is released.
5919
5920Other noticeable HTTP log cases ('xx' means any value to be ignored) :
5921
5922 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
5923 was emitted before the data phase. All the timers are valid
5924 except "Tt" which is shorter than reality.
5925
5926 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
5927 or it aborted too early. Check the session termination flags
5928 then "timeout http-request" and "timeout client" settings.
5929
5930 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
5931 servers were out of order, because the request was invalid
5932 or forbidden by ACL rules. Check the session termination
5933 flags.
5934
5935 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
5936 actively refused it or it timed out after Tt-(Tq+Tw) ms.
5937 Check the session termination flags, then check the
5938 "timeout connect" setting. Note that the tarpit action might
5939 return similar-looking patterns, with "Tw" equal to the time
5940 the client connection was maintained open.
5941
5942 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
5943 a complete response in time, or it closed its connexion
5944 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
5945 termination flags, then check the "timeout server" setting.
5946
5947
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059488.5. Session state at disconnection
5949-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005950
5951TCP and HTTP logs provide a session termination indicator in the
5952"termination_state" field, just before the number of active connections. It is
59532-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
5954each of which has a special meaning :
5955
5956 - On the first character, a code reporting the first event which caused the
5957 session to terminate :
5958
5959 C : the TCP session was unexpectedly aborted by the client.
5960
5961 S : the TCP session was unexpectedly aborted by the server, or the
5962 server explicitly refused it.
5963
5964 P : the session was prematurely aborted by the proxy, because of a
5965 connection limit enforcement, because a DENY filter was matched,
5966 because of a security check which detected and blocked a dangerous
5967 error in server response which might have caused information leak
5968 (eg: cacheable cookie), or because the response was processed by
5969 the proxy (redirect, stats, etc...).
5970
5971 R : a resource on the proxy has been exhausted (memory, sockets, source
5972 ports, ...). Usually, this appears during the connection phase, and
5973 system logs should contain a copy of the precise error. If this
5974 happens, it must be considered as a very serious anomaly which
5975 should be fixed as soon as possible by any means.
5976
5977 I : an internal error was identified by the proxy during a self-check.
5978 This should NEVER happen, and you are encouraged to report any log
5979 containing this, because this would almost certainly be a bug. It
5980 would be wise to preventively restart the process after such an
5981 event too, in case it would be caused by memory corruption.
5982
5983 c : the client-side timeout expired while waiting for the client to
5984 send or receive data.
5985
5986 s : the server-side timeout expired while waiting for the server to
5987 send or receive data.
5988
5989 - : normal session completion, both the client and the server closed
5990 with nothing left in the buffers.
5991
5992 - on the second character, the TCP or HTTP session state when it was closed :
5993
5994 R : th proxy was waiting for a complete, valid REQUEST from the client
5995 (HTTP mode only). Nothing was sent to any server.
5996
5997 Q : the proxy was waiting in the QUEUE for a connection slot. This can
5998 only happen when servers have a 'maxconn' parameter set. It can
5999 also happen in the global queue after a redispatch consecutive to
6000 a failed attempt to connect to a dying server. If no redispatch is
6001 reported, then no connection attempt was made to any server.
6002
6003 C : the proxy was waiting for the CONNECTION to establish on the
6004 server. The server might at most have noticed a connection attempt.
6005
6006 H : the proxy was waiting for complete, valid response HEADERS from the
6007 server (HTTP only).
6008
6009 D : the session was in the DATA phase.
6010
6011 L : the proxy was still transmitting LAST data to the client while the
6012 server had already finished. This one is very rare as it can only
6013 happen when the client dies while receiving the last packets.
6014
6015 T : the request was tarpitted. It has been held open with the client
6016 during the whole "timeout tarpit" duration or until the client
6017 closed, both of which will be reported in the "Tw" timer.
6018
6019 - : normal session completion after end of data transfer.
6020
6021 - the third character tells whether the persistence cookie was provided by
6022 the client (only in HTTP mode) :
6023
6024 N : the client provided NO cookie. This is usually the case for new
6025 visitors, so counting the number of occurrences of this flag in the
6026 logs generally indicate a valid trend for the site frequentation.
6027
6028 I : the client provided an INVALID cookie matching no known server.
6029 This might be caused by a recent configuration change, mixed
6030 cookies between HTTP/HTTPS sites, or an attack.
6031
6032 D : the client provided a cookie designating a server which was DOWN,
6033 so either "option persist" was used and the client was sent to
6034 this server, or it was not set and the client was redispatched to
6035 another server.
6036
6037 V : the client provided a valid cookie, and was sent to the associated
6038 server.
6039
6040 - : does not apply (no cookie set in configuration).
6041
6042 - the last character reports what operations were performed on the persistence
6043 cookie returned by the server (only in HTTP mode) :
6044
6045 N : NO cookie was provided by the server, and none was inserted either.
6046
6047 I : no cookie was provided by the server, and the proxy INSERTED one.
6048 Note that in "cookie insert" mode, if the server provides a cookie,
6049 it will still be overwritten and reported as "I" here.
6050
6051 P : a cookie was PROVIDED by the server and transmitted as-is.
6052
6053 R : the cookie provided by the server was REWRITTEN by the proxy, which
6054 happens in "cookie rewrite" or "cookie prefix" modes.
6055
6056 D : the cookie provided by the server was DELETED by the proxy.
6057
6058 - : does not apply (no cookie set in configuration).
6059
6060The combination of the two first flags give a lot of information about what was
6061happening when the session terminated, and why it did terminate. It can be
6062helpful to detect server saturation, network troubles, local system resource
6063starvation, attacks, etc...
6064
6065The most common termination flags combinations are indicated below. They are
6066alphabetically sorted, with the lowercase set just after the upper case for
6067easier finding and understanding.
6068
6069 Flags Reason
6070
6071 -- Normal termination.
6072
6073 CC The client aborted before the connection could be established to the
6074 server. This can happen when haproxy tries to connect to a recently
6075 dead (or unchecked) server, and the client aborts while haproxy is
6076 waiting for the server to respond or for "timeout connect" to expire.
6077
6078 CD The client unexpectedly aborted during data transfer. This can be
6079 caused by a browser crash, by an intermediate equipment between the
6080 client and haproxy which decided to actively break the connection,
6081 by network routing issues between the client and haproxy, or by a
6082 keep-alive session between the server and the client terminated first
6083 by the client.
6084
6085 cD The client did not send nor acknowledge any data for as long as the
6086 "timeout client" delay. This is often caused by network failures on
6087 the client side, or the client simply leaving the net uncleanly.
6088
6089 CH The client aborted while waiting for the server to start responding.
6090 It might be the server taking too long to respond or the client
6091 clicking the 'Stop' button too fast.
6092
6093 cH The "timeout client" stroke while waiting for client data during a
6094 POST request. This is sometimes caused by too large TCP MSS values
6095 for PPPoE networks which cannot transport full-sized packets. It can
6096 also happen when client timeout is smaller than server timeout and
6097 the server takes too long to respond.
6098
6099 CQ The client aborted while its session was queued, waiting for a server
6100 with enough empty slots to accept it. It might be that either all the
6101 servers were saturated or that the assigned server was taking too
6102 long a time to respond.
6103
6104 CR The client aborted before sending a full HTTP request. Most likely
6105 the request was typed by hand using a telnet client, and aborted
6106 too early. The HTTP status code is likely a 400 here. Sometimes this
6107 might also be caused by an IDS killing the connection between haproxy
6108 and the client.
6109
6110 cR The "timeout http-request" stroke before the client sent a full HTTP
6111 request. This is sometimes caused by too large TCP MSS values on the
6112 client side for PPPoE networks which cannot transport full-sized
6113 packets, or by clients sending requests by hand and not typing fast
6114 enough, or forgetting to enter the empty line at the end of the
6115 request. The HTTP status code is likely a 408 here.
6116
6117 CT The client aborted while its session was tarpitted. It is important to
6118 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +02006119 wrong tarpit rules have been written. If a lot of them happen, it
6120 might make sense to lower the "timeout tarpit" value to something
6121 closer to the average reported "Tw" timer, in order not to consume
6122 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006123
6124 SC The server or an equipement between it and haproxy explicitly refused
6125 the TCP connection (the proxy received a TCP RST or an ICMP message
6126 in return). Under some circumstances, it can also be the network
6127 stack telling the proxy that the server is unreachable (eg: no route,
6128 or no ARP response on local network). When this happens in HTTP mode,
6129 the status code is likely a 502 or 503 here.
6130
6131 sC The "timeout connect" stroke before a connection to the server could
6132 complete. When this happens in HTTP mode, the status code is likely a
6133 503 or 504 here.
6134
6135 SD The connection to the server died with an error during the data
6136 transfer. This usually means that haproxy has received an RST from
6137 the server or an ICMP message from an intermediate equipment while
6138 exchanging data with the server. This can be caused by a server crash
6139 or by a network issue on an intermediate equipment.
6140
6141 sD The server did not send nor acknowledge any data for as long as the
6142 "timeout server" setting during the data phase. This is often caused
6143 by too short timeouts on L4 equipements before the server (firewalls,
6144 load-balancers, ...), as well as keep-alive sessions maintained
6145 between the client and the server expiring first on haproxy.
6146
6147 SH The server aborted before sending its full HTTP response headers, or
6148 it crashed while processing the request. Since a server aborting at
6149 this moment is very rare, it would be wise to inspect its logs to
6150 control whether it crashed and why. The logged request may indicate a
6151 small set of faulty requests, demonstrating bugs in the application.
6152 Sometimes this might also be caused by an IDS killing the connection
6153 between haproxy and the server.
6154
6155 sH The "timeout server" stroke before the server could return its
6156 response headers. This is the most common anomaly, indicating too
6157 long transactions, probably caused by server or database saturation.
6158 The immediate workaround consists in increasing the "timeout server"
6159 setting, but it is important to keep in mind that the user experience
6160 will suffer from these long response times. The only long term
6161 solution is to fix the application.
6162
6163 sQ The session spent too much time in queue and has been expired. See
6164 the "timeout queue" and "timeout connect" settings to find out how to
6165 fix this if it happens too often. If it often happens massively in
6166 short periods, it may indicate general problems on the affected
6167 servers due to I/O or database congestion, or saturation caused by
6168 external attacks.
6169
6170 PC The proxy refused to establish a connection to the server because the
6171 process' socket limit has been reached while attempting to connect.
6172 The global "maxconn" parameter may be increased in the configuration
6173 so that it does not happen anymore. This status is very rare and
6174 might happen when the global "ulimit-n" parameter is forced by hand.
6175
6176 PH The proxy blocked the server's response, because it was invalid,
6177 incomplete, dangerous (cache control), or matched a security filter.
6178 In any case, an HTTP 502 error is sent to the client. One possible
6179 cause for this error is an invalid syntax in an HTTP header name
6180 containing unauthorized characters.
6181
6182 PR The proxy blocked the client's HTTP request, either because of an
6183 invalid HTTP syntax, in which case it returned an HTTP 400 error to
6184 the client, or because a deny filter matched, in which case it
6185 returned an HTTP 403 error.
6186
6187 PT The proxy blocked the client's request and has tarpitted its
6188 connection before returning it a 500 server error. Nothing was sent
6189 to the server. The connection was maintained open for as long as
6190 reported by the "Tw" timer field.
6191
6192 RC A local resource has been exhausted (memory, sockets, source ports)
6193 preventing the connection to the server from establishing. The error
6194 logs will tell precisely what was missing. This is very rare and can
6195 only be solved by proper system tuning.
6196
6197
Willy Tarreauc57f0e22009-05-10 13:12:33 +020061988.6. Non-printable characters
6199-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006200
6201In order not to cause trouble to log analysis tools or terminals during log
6202consulting, non-printable characters are not sent as-is into log files, but are
6203converted to the two-digits hexadecimal representation of their ASCII code,
6204prefixed by the character '#'. The only characters that can be logged without
6205being escaped are comprised between 32 and 126 (inclusive). Obviously, the
6206escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
6207is the same for the character '"' which becomes "#22", as well as '{', '|' and
6208'}' when logging headers.
6209
6210Note that the space character (' ') is not encoded in headers, which can cause
6211issues for tools relying on space count to locate fields. A typical header
6212containing spaces is "User-Agent".
6213
6214Last, it has been observed that some syslog daemons such as syslog-ng escape
6215the quote ('"') with a backslash ('\'). The reverse operation can safely be
6216performed since no quote may appear anywhere else in the logs.
6217
6218
Willy Tarreauc57f0e22009-05-10 13:12:33 +020062198.7. Capturing HTTP cookies
6220---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006221
6222Cookie capture simplifies the tracking a complete user session. This can be
6223achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006224section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006225cookie will simultaneously be checked in the request ("Cookie:" header) and in
6226the response ("Set-Cookie:" header). The respective values will be reported in
6227the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006228locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006229not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
6230user switches to a new session for example, because the server will reassign it
6231a new cookie. It is also possible to detect if a server unexpectedly sets a
6232wrong cookie to a client, leading to session crossing.
6233
6234 Examples :
6235 # capture the first cookie whose name starts with "ASPSESSION"
6236 capture cookie ASPSESSION len 32
6237
6238 # capture the first cookie whose name is exactly "vgnvisitor"
6239 capture cookie vgnvisitor= len 32
6240
6241
Willy Tarreauc57f0e22009-05-10 13:12:33 +020062428.8. Capturing HTTP headers
6243---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006244
6245Header captures are useful to track unique request identifiers set by an upper
6246proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
6247the response, one can search for information about the response length, how the
6248server asked the cache to behave, or an object location during a redirection.
6249
6250Header captures are performed using the "capture request header" and "capture
6251response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006252section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006253
6254It is possible to include both request headers and response headers at the same
6255time. Non-existant headers are logged as empty strings, and if one header
6256appears more than once, only its last occurence will be logged. Request headers
6257are grouped within braces '{' and '}' in the same order as they were declared,
6258and delimited with a vertical bar '|' without any space. Response headers
6259follow the same representation, but are displayed after a space following the
6260request headers block. These blocks are displayed just before the HTTP request
6261in the logs.
6262
6263 Example :
6264 # This instance chains to the outgoing proxy
6265 listen proxy-out
6266 mode http
6267 option httplog
6268 option logasap
6269 log global
6270 server cache1 192.168.1.1:3128
6271
6272 # log the name of the virtual server
6273 capture request header Host len 20
6274
6275 # log the amount of data uploaded during a POST
6276 capture request header Content-Length len 10
6277
6278 # log the beginning of the referrer
6279 capture request header Referer len 20
6280
6281 # server name (useful for outgoing proxies only)
6282 capture response header Server len 20
6283
6284 # logging the content-length is useful with "option logasap"
6285 capture response header Content-Length len 10
6286
6287 # log the expected cache behaviour on the response
6288 capture response header Cache-Control len 8
6289
6290 # the Via header will report the next proxy's name
6291 capture response header Via len 20
6292
6293 # log the URL location during a redirection
6294 capture response header Location len 20
6295
6296 >>> Aug 9 20:26:09 localhost \
6297 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
6298 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
6299 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
6300 "GET http://fr.adserver.yahoo.com/"
6301
6302 >>> Aug 9 20:30:46 localhost \
6303 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
6304 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
6305 {w.ods.org||} {Formilux/0.1.8|3495|||} \
6306 "GET http://trafic.1wt.eu/ HTTP/1.1"
6307
6308 >>> Aug 9 20:30:46 localhost \
6309 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
6310 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
6311 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
6312 {Apache|230|||http://www.sytadin.} \
6313 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
6314
6315
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063168.9. Examples of logs
6317---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006318
6319These are real-world examples of logs accompanied with an explanation. Some of
6320them have been made up by hand. The syslog part has been removed for better
6321reading. Their sole purpose is to explain how to decipher them.
6322
6323 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
6324 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
6325 "HEAD / HTTP/1.0"
6326
6327 => long request (6.5s) entered by hand through 'telnet'. The server replied
6328 in 147 ms, and the session ended normally ('----')
6329
6330 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
6331 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
6332 0/9 "HEAD / HTTP/1.0"
6333
6334 => Idem, but the request was queued in the global queue behind 9 other
6335 requests, and waited there for 1230 ms.
6336
6337 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
6338 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
6339 "GET /image.iso HTTP/1.0"
6340
6341 => request for a long data transfer. The "logasap" option was specified, so
6342 the log was produced just before transfering data. The server replied in
6343 14 ms, 243 bytes of headers were sent to the client, and total time from
6344 accept to first data byte is 30 ms.
6345
6346 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
6347 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
6348 "GET /cgi-bin/bug.cgi? HTTP/1.0"
6349
6350 => the proxy blocked a server response either because of an "rspdeny" or
6351 "rspideny" filter, or because the response was improperly formatted and
6352 not HTTP-compliant, or because it blocked sensible information which
6353 risked being cached. In this case, the response is replaced with a "502
6354 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
6355 to return the 502 and not the server.
6356
6357 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
6358 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
6359
6360 => the client never completed its request and aborted itself ("C---") after
6361 8.5s, while the proxy was waiting for the request headers ("-R--").
6362 Nothing was sent to any server.
6363
6364 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
6365 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
6366
6367 => The client never completed its request, which was aborted by the
6368 time-out ("c---") after 50s, while the proxy was waiting for the request
6369 headers ("-R--"). Nothing was sent to any server, but the proxy could
6370 send a 408 return code to the client.
6371
6372 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
6373 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
6374
6375 => This log was produced with "option tcplog". The client timed out after
6376 5 seconds ("c----").
6377
6378 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
6379 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
6380 0/0 "HEAD / HTTP/1.0"
6381
6382 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006383 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006384 (config says 'retries 3'), and no redispatch (otherwise we would have
6385 seen "/+3"). Status code 503 was returned to the client. There were 115
6386 connections on this server, 202 connections on this proxy, and 205 on
6387 the global process. It is possible that the server refused the
6388 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006389
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01006390
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063919. Statistics and monitoring
6392----------------------------
6393
6394It is possible to query HAProxy about its status. The most commonly used
6395mechanism is the HTTP statistics page. This page also exposes an alternative
6396CSV output format for monitoring tools. The same format is provided on the
6397Unix socket.
6398
6399
64009.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01006401---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01006402
Willy Tarreau7f062c42009-03-05 18:43:00 +01006403The statistics may be consulted either from the unix socket or from the HTTP
6404page. Both means provide a CSV format whose fields follow.
6405
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01006406 0. pxname: proxy name
6407 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
6408 for server)
6409 2. qcur: current queued requests
6410 3. qmax: max queued requests
6411 4. scur: current sessions
6412 5. smax: max sessions
6413 6. slim: sessions limit
6414 7. stot: total sessions
6415 8. bin: bytes in
6416 9. bout: bytes out
6417 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01006418 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01006419 12. ereq: request errors
6420 13. econ: connection errors
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01006421 14. eresp: response errors
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01006422 15. wretr: retries (warning)
6423 16. wredis: redispatches (warning)
6424 17. status: status (UP/DOWN/...)
6425 18. weight: server weight (server), total weight (backend)
6426 19. act: server is active (server), number of active servers (backend)
6427 20. bck: server is backup (server), number of backup servers (backend)
6428 21. chkfail: number of failed checks
6429 22. chkdown: number of UP->DOWN transitions
6430 23. lastchg: last status change (in seconds)
6431 24. downtime: total downtime (in seconds)
6432 25. qlimit: queue limit
6433 26. pid: process id (0 for first instance, 1 for second, ...)
6434 27. iid: unique proxy id
6435 28. sid: service id (unique inside a proxy)
6436 29. throttle: warm up status
6437 30. lbtot: total number of times a server was selected
6438 31. tracked: id of proxy/server if tracking is enabled
6439 32. type (0=frontend, 1=backend, 2=server)
Willy Tarreau7f062c42009-03-05 18:43:00 +01006440 33. rate (number of sessions per second over last elapsed second)
Willy Tarreau844e3c52008-01-11 16:28:18 +01006441
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01006442
Willy Tarreauc57f0e22009-05-10 13:12:33 +020064439.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01006444-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01006445
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01006446The following commands are supported on the UNIX stats socket ; all of them
6447must be terminated by a line feed. It is important to understand that when
6448multiple haproxy processes are started on the same sockets, any process may
6449pick up the request and will output its own stats.
6450
6451show stat [<iid> <type> <sid>]
6452 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
6453 possible to dump only selected items :
6454 - <iid> is a proxy ID, -1 to dump everything
6455 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
6456 backends, 4 for servers, -1 for everything. These values can be ORed,
6457 for example:
6458 1 + 2 = 3 -> frontend + backend.
6459 1 + 2 + 4 = 7 -> frontend + backend + server.
6460 - <sid> is a server ID, -1 to dump everything from the selected proxy.
6461
6462show info
6463 Dump info about haproxy status on current process.
6464
6465show sess
6466 Dump all known sessions. Avoid doing this on slow connections as this can
6467 be huge.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01006468
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01006469show errors [<iid>]
6470 Dump last known request and response errors collected by frontends and
6471 backends. If <iid> is specified, the limit the dump to errors concerning
6472 either frontend or backend whose ID is <iid>.
6473
6474 The errors which may be collected are the last request and response errors
6475 caused by protocol violations, often due to invalid characters in header
6476 names. The report precisely indicates what exact character violated the
6477 protocol. Other important information such as the exact date the error was
6478 detected, frontend and backend names, the server name (when known), the
6479 internal session ID and the source address which has initiated the session
6480 are reported too.
6481
6482 All characters are returned, and non-printable characters are encoded. The
6483 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
6484 letter following a backslash. The backslash itself is encoded as '\\' to
6485 avoid confusion. Other non-printable characters are encoded '\xNN' where
6486 NN is the two-digits hexadecimal representation of the character's ASCII
6487 code.
6488
6489 Lines are prefixed with the position of their first character, starting at 0
6490 for the beginning of the buffer. At most one input line is printed per line,
6491 and large lines will be broken into multiple consecutive output lines so that
6492 the output never goes beyond 79 characters wide. It is easy to detect if a
6493 line was broken, because it will not end with '\n' and the next line's offset
6494 will be followed by a '+' sign, indicating it is a continuation of previous
6495 line.
6496
6497 Example :
6498 >>> $ echo "show errors" | socat stdio /tmp/sock1
6499 [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
6500 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
6501 response length 213 bytes, error at position 23:
6502
6503 00000 HTTP/1.0 200 OK\r\n
6504 00017 header/bizarre:blah\r\n
6505 00038 Location: blah\r\n
6506 00054 Long-line: this is a very long line which should b
6507 00104+ e broken into multiple lines on the output buffer,
6508 00154+ otherwise it would be too large to print in a ter
6509 00204+ minal\r\n
6510 00211 \r\n
6511
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006512 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01006513 ID 2 has blocked an invalid response from its server s2 which has internal
6514 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
6515 received by frontend fe-eth0 whose ID is 1. The total response length was
6516 213 bytes when the error was detected, and the error was at byte 23. This
6517 is the slash ('/') in header name "header/bizarre", which is not a valid
6518 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01006519
Willy Tarreau0ba27502007-12-24 16:55:16 +01006520/*
6521 * Local variables:
6522 * fill-column: 79
6523 * End:
6524 */