blob: a6baf8e2d75db9875557508c3c691302ff684706 [file] [log] [blame]
Willy Tarreau2212e6a2015-10-13 14:40:55 +02001 ------------------------
2 HAProxy Management Guide
3 ------------------------
Willy Tarreau1f973062021-05-14 09:36:37 +02004 version 2.5
Willy Tarreau2212e6a2015-10-13 14:40:55 +02005
6
7This document describes how to start, stop, manage, and troubleshoot HAProxy,
8as well as some known limitations and traps to avoid. It does not describe how
9to configure it (for this please read configuration.txt).
10
11Note to documentation contributors :
12 This document is formatted with 80 columns per line, with even number of
13 spaces for indentation and without tabs. Please follow these rules strictly
14 so that it remains easily printable everywhere. If you add sections, please
15 update the summary below for easier searching.
16
17
18Summary
19-------
20
211. Prerequisites
222. Quick reminder about HAProxy's architecture
233. Starting HAProxy
244. Stopping and restarting HAProxy
255. File-descriptor limitations
266. Memory management
277. CPU usage
288. Logging
299. Statistics and monitoring
Willy Tarreau44aed902015-10-13 14:45:29 +0200309.1. CSV format
Willy Tarreau5d8b9792016-03-11 11:09:34 +0100319.2. Typed output format
329.3. Unix Socket commands
William Lallemand142db372018-12-11 18:56:45 +0100339.4. Master CLI
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003410. Tricks for easier configuration management
3511. Well-known traps to avoid
3612. Debugging and performance issues
3713. Security considerations
38
39
401. Prerequisites
41----------------
42
43In this document it is assumed that the reader has sufficient administration
44skills on a UNIX-like operating system, uses the shell on a daily basis and is
45familiar with troubleshooting utilities such as strace and tcpdump.
46
47
482. Quick reminder about HAProxy's architecture
49----------------------------------------------
50
Willy Tarreau3f364482019-02-27 15:01:46 +010051HAProxy is a multi-threaded, event-driven, non-blocking daemon. This means is
Willy Tarreau2212e6a2015-10-13 14:40:55 +020052uses event multiplexing to schedule all of its activities instead of relying on
53the system to schedule between multiple activities. Most of the time it runs as
54a single process, so the output of "ps aux" on a system will report only one
55"haproxy" process, unless a soft reload is in progress and an older process is
56finishing its job in parallel to the new one. It is thus always easy to trace
Willy Tarreau3f364482019-02-27 15:01:46 +010057its activity using the strace utility. In order to scale with the number of
58available processors, by default haproxy will start one worker thread per
59processor it is allowed to run on. Unless explicitly configured differently,
60the incoming traffic is spread over all these threads, all running the same
61event loop. A great care is taken to limit inter-thread dependencies to the
62strict minimum, so as to try to achieve near-linear scalability. This has some
63impacts such as the fact that a given connection is served by a single thread.
64Thus in order to use all available processing capacity, it is needed to have at
65least as many connections as there are threads, which is almost always granted.
Willy Tarreau2212e6a2015-10-13 14:40:55 +020066
67HAProxy is designed to isolate itself into a chroot jail during startup, where
68it cannot perform any file-system access at all. This is also true for the
69libraries it depends on (eg: libc, libssl, etc). The immediate effect is that
70a running process will not be able to reload a configuration file to apply
71changes, instead a new process will be started using the updated configuration
72file. Some other less obvious effects are that some timezone files or resolver
73files the libc might attempt to access at run time will not be found, though
74this should generally not happen as they're not needed after startup. A nice
75consequence of this principle is that the HAProxy process is totally stateless,
76and no cleanup is needed after it's killed, so any killing method that works
77will do the right thing.
78
79HAProxy doesn't write log files, but it relies on the standard syslog protocol
80to send logs to a remote server (which is often located on the same system).
81
82HAProxy uses its internal clock to enforce timeouts, that is derived from the
83system's time but where unexpected drift is corrected. This is done by limiting
84the time spent waiting in poll() for an event, and measuring the time it really
85took. In practice it never waits more than one second. This explains why, when
86running strace over a completely idle process, periodic calls to poll() (or any
87of its variants) surrounded by two gettimeofday() calls are noticed. They are
88normal, completely harmless and so cheap that the load they imply is totally
89undetectable at the system scale, so there's nothing abnormal there. Example :
90
91 16:35:40.002320 gettimeofday({1442759740, 2605}, NULL) = 0
92 16:35:40.002942 epoll_wait(0, {}, 200, 1000) = 0
93 16:35:41.007542 gettimeofday({1442759741, 7641}, NULL) = 0
94 16:35:41.007998 gettimeofday({1442759741, 8114}, NULL) = 0
95 16:35:41.008391 epoll_wait(0, {}, 200, 1000) = 0
96 16:35:42.011313 gettimeofday({1442759742, 11411}, NULL) = 0
97
98HAProxy is a TCP proxy, not a router. It deals with established connections that
99have been validated by the kernel, and not with packets of any form nor with
100sockets in other states (eg: no SYN_RECV nor TIME_WAIT), though their existence
101may prevent it from binding a port. It relies on the system to accept incoming
102connections and to initiate outgoing connections. An immediate effect of this is
103that there is no relation between packets observed on the two sides of a
104forwarded connection, which can be of different size, numbers and even family.
105Since a connection may only be accepted from a socket in LISTEN state, all the
106sockets it is listening to are necessarily visible using the "netstat" utility
107to show listening sockets. Example :
108
109 # netstat -ltnp
110 Active Internet connections (only servers)
111 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
112 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1629/sshd
113 tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2847/haproxy
114 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2847/haproxy
115
116
1173. Starting HAProxy
118-------------------
119
120HAProxy is started by invoking the "haproxy" program with a number of arguments
121passed on the command line. The actual syntax is :
122
123 $ haproxy [<options>]*
124
125where [<options>]* is any number of options. An option always starts with '-'
126followed by one of more letters, and possibly followed by one or multiple extra
127arguments. Without any option, HAProxy displays the help page with a reminder
128about supported options. Available options may vary slightly based on the
129operating system. A fair number of these options overlap with an equivalent one
130if the "global" section. In this case, the command line always has precedence
131over the configuration file, so that the command line can be used to quickly
132enforce some settings without touching the configuration files. The current
133list of options is :
134
135 -- <cfgfile>* : all the arguments following "--" are paths to configuration
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200136 file/directory to be loaded and processed in the declaration order. It is
137 mostly useful when relying on the shell to load many files that are
138 numerically ordered. See also "-f". The difference between "--" and "-f" is
139 that one "-f" must be placed before each file name, while a single "--" is
140 needed before all file names. Both options can be used together, the
141 command line ordering still applies. When more than one file is specified,
142 each file must start on a section boundary, so the first keyword of each
143 file must be one of "global", "defaults", "peers", "listen", "frontend",
144 "backend", and so on. A file cannot contain just a server list for example.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200145
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200146 -f <cfgfile|cfgdir> : adds <cfgfile> to the list of configuration files to be
147 loaded. If <cfgdir> is a directory, all the files (and only files) it
Dan Lloyd8e48b872016-07-01 21:01:18 -0400148 contains are added in lexical order (using LC_COLLATE=C) to the list of
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200149 configuration files to be loaded ; only files with ".cfg" extension are
150 added, only non hidden files (not prefixed with ".") are added.
151 Configuration files are loaded and processed in their declaration order.
152 This option may be specified multiple times to load multiple files. See
153 also "--". The difference between "--" and "-f" is that one "-f" must be
154 placed before each file name, while a single "--" is needed before all file
155 names. Both options can be used together, the command line ordering still
156 applies. When more than one file is specified, each file must start on a
157 section boundary, so the first keyword of each file must be one of
158 "global", "defaults", "peers", "listen", "frontend", "backend", and so on.
159 A file cannot contain just a server list for example.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200160
161 -C <dir> : changes to directory <dir> before loading configuration
162 files. This is useful when using relative paths. Warning when using
163 wildcards after "--" which are in fact replaced by the shell before
164 starting haproxy.
165
166 -D : start as a daemon. The process detaches from the current terminal after
167 forking, and errors are not reported anymore in the terminal. It is
168 equivalent to the "daemon" keyword in the "global" section of the
169 configuration. It is recommended to always force it in any init script so
170 that a faulty configuration doesn't prevent the system from booting.
171
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200172 -L <name> : change the local peer name to <name>, which defaults to the local
William Lallemanddaf4cd22018-04-17 16:46:13 +0200173 hostname. This is used only with peers replication. You can use the
174 variable $HAPROXY_LOCALPEER in the configuration file to reference the
175 peer name.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200176
177 -N <limit> : sets the default per-proxy maxconn to <limit> instead of the
178 builtin default value (usually 2000). Only useful for debugging.
179
180 -V : enable verbose mode (disables quiet mode). Reverts the effect of "-q" or
181 "quiet".
182
William Lallemande202b1e2017-06-01 17:38:56 +0200183 -W : master-worker mode. It is equivalent to the "master-worker" keyword in
184 the "global" section of the configuration. This mode will launch a "master"
185 which will monitor the "workers". Using this mode, you can reload HAProxy
186 directly by sending a SIGUSR2 signal to the master. The master-worker mode
187 is compatible either with the foreground or daemon mode. It is
188 recommended to use this mode with multiprocess and systemd.
189
Pavlos Parissisf65f2572018-02-07 21:42:16 +0100190 -Ws : master-worker mode with support of `notify` type of systemd service.
191 This option is only available when HAProxy was built with `USE_SYSTEMD`
192 build option enabled.
193
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200194 -c : only performs a check of the configuration files and exits before trying
195 to bind. The exit status is zero if everything is OK, or non-zero if an
Willy Tarreaubebd2122020-04-15 16:06:11 +0200196 error is encountered. Presence of warnings will be reported if any.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200197
Maximilian Maderfc0cceb2021-06-06 00:50:22 +0200198 -cc : evaluates a condition as used within a conditional block of the
199 configuration. The exit status is zero if the condition is true, 1 if the
200 condition is false or 2 if an error is encountered.
201
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200202 -d : enable debug mode. This disables daemon mode, forces the process to stay
Willy Tarreauccf42992020-10-09 19:15:03 +0200203 in foreground and to show incoming and outgoing events. It must never be
204 used in an init script.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200205
Amaury Denoyelle7b01a8d2021-03-29 10:29:07 +0200206 -dD : enable diagnostic mode. This mode will output extra warnings about
207 suspicious configuration statements. This will never prevent startup even in
208 "zero-warning" mode nor change the exit status code.
209
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200210 -dG : disable use of getaddrinfo() to resolve host names into addresses. It
211 can be used when suspecting that getaddrinfo() doesn't work as expected.
212 This option was made available because many bogus implementations of
213 getaddrinfo() exist on various systems and cause anomalies that are
214 difficult to troubleshoot.
215
Dan Lloyd8e48b872016-07-01 21:01:18 -0400216 -dM[<byte>] : forces memory poisoning, which means that each and every
Willy Tarreaubafbe012017-11-24 17:34:44 +0100217 memory region allocated with malloc() or pool_alloc() will be filled with
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200218 <byte> before being passed to the caller. When <byte> is not specified, it
219 defaults to 0x50 ('P'). While this slightly slows down operations, it is
220 useful to reliably trigger issues resulting from missing initializations in
221 the code that cause random crashes. Note that -dM0 has the effect of
222 turning any malloc() into a calloc(). In any case if a bug appears or
223 disappears when using this option it means there is a bug in haproxy, so
224 please report it.
225
226 -dS : disable use of the splice() system call. It is equivalent to the
227 "global" section's "nosplice" keyword. This may be used when splice() is
228 suspected to behave improperly or to cause performance issues, or when
229 using strace to see the forwarded data (which do not appear when using
230 splice()).
231
232 -dV : disable SSL verify on the server side. It is equivalent to having
233 "ssl-server-verify none" in the "global" section. This is useful when
234 trying to reproduce production issues out of the production
235 environment. Never use this in an init script as it degrades SSL security
236 to the servers.
237
Willy Tarreau3eb10b82020-04-15 16:42:39 +0200238 -dW : if set, haproxy will refuse to start if any warning was emitted while
239 processing the configuration. This helps detect subtle mistakes and keep the
240 configuration clean and portable across versions. It is recommended to set
241 this option in service scripts when configurations are managed by humans,
242 but it is recommended not to use it with generated configurations, which
243 tend to emit more warnings. It may be combined with "-c" to cause warnings
244 in checked configurations to fail. This is equivalent to global option
245 "zero-warning".
246
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200247 -db : disable background mode and multi-process mode. The process remains in
248 foreground. It is mainly used during development or during small tests, as
249 Ctrl-C is enough to stop the process. Never use it in an init script.
250
251 -de : disable the use of the "epoll" poller. It is equivalent to the "global"
252 section's keyword "noepoll". It is mostly useful when suspecting a bug
253 related to this poller. On systems supporting epoll, the fallback will
254 generally be the "poll" poller.
255
256 -dk : disable the use of the "kqueue" poller. It is equivalent to the
257 "global" section's keyword "nokqueue". It is mostly useful when suspecting
258 a bug related to this poller. On systems supporting kqueue, the fallback
259 will generally be the "poll" poller.
260
261 -dp : disable the use of the "poll" poller. It is equivalent to the "global"
262 section's keyword "nopoll". It is mostly useful when suspecting a bug
263 related to this poller. On systems supporting poll, the fallback will
264 generally be the "select" poller, which cannot be disabled and is limited
265 to 1024 file descriptors.
266
Willy Tarreau3eed10e2016-11-07 21:03:16 +0100267 -dr : ignore server address resolution failures. It is very common when
268 validating a configuration out of production not to have access to the same
269 resolvers and to fail on server address resolution, making it difficult to
270 test a configuration. This option simply appends the "none" method to the
271 list of address resolution methods for all servers, ensuring that even if
272 the libc fails to resolve an address, the startup sequence is not
273 interrupted.
274
Willy Tarreau70060452015-12-14 12:46:07 +0100275 -m <limit> : limit the total allocatable memory to <limit> megabytes across
276 all processes. This may cause some connection refusals or some slowdowns
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200277 depending on the amount of memory needed for normal operations. This is
Willy Tarreau70060452015-12-14 12:46:07 +0100278 mostly used to force the processes to work in a constrained resource usage
279 scenario. It is important to note that the memory is not shared between
280 processes, so in a multi-process scenario, this value is first divided by
281 global.nbproc before forking.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200282
283 -n <limit> : limits the per-process connection limit to <limit>. This is
284 equivalent to the global section's keyword "maxconn". It has precedence
285 over this keyword. This may be used to quickly force lower limits to avoid
286 a service outage on systems where resource limits are too low.
287
288 -p <file> : write all processes' pids into <file> during startup. This is
289 equivalent to the "global" section's keyword "pidfile". The file is opened
290 before entering the chroot jail, and after doing the chdir() implied by
291 "-C". Each pid appears on its own line.
292
293 -q : set "quiet" mode. This disables some messages during the configuration
294 parsing and during startup. It can be used in combination with "-c" to
295 just check if a configuration file is valid or not.
296
William Lallemand142db372018-12-11 18:56:45 +0100297 -S <bind>[,bind_options...]: in master-worker mode, bind a master CLI, which
298 allows the access to every processes, running or leaving ones.
299 For security reasons, it is recommended to bind the master CLI to a local
300 UNIX socket. The bind options are the same as the keyword "bind" in
301 the configuration file with words separated by commas instead of spaces.
302
303 Note that this socket can't be used to retrieve the listening sockets from
304 an old process during a seamless reload.
305
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200306 -sf <pid>* : send the "finish" signal (SIGUSR1) to older processes after boot
307 completion to ask them to finish what they are doing and to leave. <pid>
308 is a list of pids to signal (one per argument). The list ends on any
309 option starting with a "-". It is not a problem if the list of pids is
310 empty, so that it can be built on the fly based on the result of a command
311 like "pidof" or "pgrep".
312
313 -st <pid>* : send the "terminate" signal (SIGTERM) to older processes after
314 boot completion to terminate them immediately without finishing what they
315 were doing. <pid> is a list of pids to signal (one per argument). The list
316 is ends on any option starting with a "-". It is not a problem if the list
317 of pids is empty, so that it can be built on the fly based on the result of
318 a command like "pidof" or "pgrep".
319
320 -v : report the version and build date.
321
322 -vv : display the version, build options, libraries versions and usable
323 pollers. This output is systematically requested when filing a bug report.
324
Olivier Houchardd33fc3a2017-04-05 22:50:59 +0200325 -x <unix_socket> : connect to the specified socket and try to retrieve any
326 listening sockets from the old process, and use them instead of trying to
327 bind new ones. This is useful to avoid missing any new connection when
William Lallemandf6975e92017-05-26 17:42:10 +0200328 reloading the configuration on Linux. The capability must be enable on the
329 stats socket using "expose-fd listeners" in your configuration.
Olivier Houchardd33fc3a2017-04-05 22:50:59 +0200330
Dan Lloyd8e48b872016-07-01 21:01:18 -0400331A safe way to start HAProxy from an init file consists in forcing the daemon
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200332mode, storing existing pids to a pid file and using this pid file to notify
333older processes to finish before leaving :
334
335 haproxy -f /etc/haproxy.cfg \
336 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
337
338When the configuration is split into a few specific files (eg: tcp vs http),
339it is recommended to use the "-f" option :
340
341 haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
342 -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
343 -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
344 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
345
346When an unknown number of files is expected, such as customer-specific files,
347it is recommended to assign them a name starting with a fixed-size sequence
348number and to use "--" to load them, possibly after loading some defaults :
349
350 haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
351 -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
352 -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
353 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) \
354 -f /etc/haproxy/default-customers.cfg -- /etc/haproxy/customers/*
355
356Sometimes a failure to start may happen for whatever reason. Then it is
357important to verify if the version of HAProxy you are invoking is the expected
358version and if it supports the features you are expecting (eg: SSL, PCRE,
359compression, Lua, etc). This can be verified using "haproxy -vv". Some
360important information such as certain build options, the target system and
361the versions of the libraries being used are reported there. It is also what
362you will systematically be asked for when posting a bug report :
363
364 $ haproxy -vv
Willy Tarreau58000fe2021-05-09 06:25:16 +0200365 HAProxy version 1.6-dev7-a088d3-4 2015/10/08
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200366 Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>
367
368 Build options :
369 TARGET = linux2628
370 CPU = generic
371 CC = gcc
372 CFLAGS = -pg -O0 -g -fno-strict-aliasing -Wdeclaration-after-statement \
373 -DBUFSIZE=8030 -DMAXREWRITE=1030 -DSO_MARK=36 -DTCP_REPAIR=19
374 OPTIONS = USE_ZLIB=1 USE_DLMALLOC=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
375
376 Default settings :
377 maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200
378
379 Encrypted password support via crypt(3): yes
380 Built with zlib version : 1.2.6
381 Compression algorithms supported : identity("identity"), deflate("deflate"), \
382 raw-deflate("deflate"), gzip("gzip")
383 Built with OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
384 Running on OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
385 OpenSSL library supports TLS extensions : yes
386 OpenSSL library supports SNI : yes
387 OpenSSL library supports prefer-server-ciphers : yes
388 Built with PCRE version : 8.12 2011-01-15
389 PCRE library supports JIT : no (USE_PCRE_JIT not set)
390 Built with Lua version : Lua 5.3.1
391 Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
392
393 Available polling systems :
394 epoll : pref=300, test result OK
395 poll : pref=200, test result OK
396 select : pref=150, test result OK
397 Total: 3 (3 usable), will use epoll.
398
399The relevant information that many non-developer users can verify here are :
400 - the version : 1.6-dev7-a088d3-4 above means the code is currently at commit
401 ID "a088d3" which is the 4th one after after official version "1.6-dev7".
402 Version 1.6-dev7 would show as "1.6-dev7-8c1ad7". What matters here is in
403 fact "1.6-dev7". This is the 7th development version of what will become
404 version 1.6 in the future. A development version not suitable for use in
405 production (unless you know exactly what you are doing). A stable version
406 will show as a 3-numbers version, such as "1.5.14-16f863", indicating the
407 14th level of fix on top of version 1.5. This is a production-ready version.
408
409 - the release date : 2015/10/08. It is represented in the universal
410 year/month/day format. Here this means August 8th, 2015. Given that stable
411 releases are issued every few months (1-2 months at the beginning, sometimes
412 6 months once the product becomes very stable), if you're seeing an old date
413 here, it means you're probably affected by a number of bugs or security
414 issues that have since been fixed and that it might be worth checking on the
415 official site.
416
417 - build options : they are relevant to people who build their packages
418 themselves, they can explain why things are not behaving as expected. For
419 example the development version above was built for Linux 2.6.28 or later,
Dan Lloyd8e48b872016-07-01 21:01:18 -0400420 targeting a generic CPU (no CPU-specific optimizations), and lacks any
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200421 code optimization (-O0) so it will perform poorly in terms of performance.
422
423 - libraries versions : zlib version is reported as found in the library
424 itself. In general zlib is considered a very stable product and upgrades
425 are almost never needed. OpenSSL reports two versions, the version used at
426 build time and the one being used, as found on the system. These ones may
427 differ by the last letter but never by the numbers. The build date is also
428 reported because most OpenSSL bugs are security issues and need to be taken
429 seriously, so this library absolutely needs to be kept up to date. Seeing a
430 4-months old version here is highly suspicious and indeed an update was
431 missed. PCRE provides very fast regular expressions and is highly
432 recommended. Certain of its extensions such as JIT are not present in all
433 versions and still young so some people prefer not to build with them,
Dan Lloyd8e48b872016-07-01 21:01:18 -0400434 which is why the build status is reported as well. Regarding the Lua
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200435 scripting language, HAProxy expects version 5.3 which is very young since
436 it was released a little time before HAProxy 1.6. It is important to check
437 on the Lua web site if some fixes are proposed for this branch.
438
439 - Available polling systems will affect the process's scalability when
440 dealing with more than about one thousand of concurrent connections. These
441 ones are only available when the correct system was indicated in the TARGET
442 variable during the build. The "epoll" mechanism is highly recommended on
443 Linux, and the kqueue mechanism is highly recommended on BSD. Lacking them
444 will result in poll() or even select() being used, causing a high CPU usage
445 when dealing with a lot of connections.
446
447
4484. Stopping and restarting HAProxy
449----------------------------------
450
451HAProxy supports a graceful and a hard stop. The hard stop is simple, when the
452SIGTERM signal is sent to the haproxy process, it immediately quits and all
453established connections are closed. The graceful stop is triggered when the
454SIGUSR1 signal is sent to the haproxy process. It consists in only unbinding
455from listening ports, but continue to process existing connections until they
456close. Once the last connection is closed, the process leaves.
457
458The hard stop method is used for the "stop" or "restart" actions of the service
459management script. The graceful stop is used for the "reload" action which
460tries to seamlessly reload a new configuration in a new process.
461
462Both of these signals may be sent by the new haproxy process itself during a
463reload or restart, so that they are sent at the latest possible moment and only
464if absolutely required. This is what is performed by the "-st" (hard) and "-sf"
465(graceful) options respectively.
466
William Lallemande202b1e2017-06-01 17:38:56 +0200467In master-worker mode, it is not needed to start a new haproxy process in
468order to reload the configuration. The master process reacts to the SIGUSR2
469signal by reexecuting itself with the -sf parameter followed by the PIDs of
470the workers. The master will then parse the configuration file and fork new
471workers.
472
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200473To understand better how these signals are used, it is important to understand
474the whole restart mechanism.
475
476First, an existing haproxy process is running. The administrator uses a system
Jackie Tapia749f74c2020-07-22 18:59:40 -0500477specific command such as "/etc/init.d/haproxy reload" to indicate they want to
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200478take the new configuration file into effect. What happens then is the following.
479First, the service script (/etc/init.d/haproxy or equivalent) will verify that
480the configuration file parses correctly using "haproxy -c". After that it will
481try to start haproxy with this configuration file, using "-st" or "-sf".
482
483Then HAProxy tries to bind to all listening ports. If some fatal errors happen
484(eg: address not present on the system, permission denied), the process quits
485with an error. If a socket binding fails because a port is already in use, then
486the process will first send a SIGTTOU signal to all the pids specified in the
487"-st" or "-sf" pid list. This is what is called the "pause" signal. It instructs
488all existing haproxy processes to temporarily stop listening to their ports so
489that the new process can try to bind again. During this time, the old process
490continues to process existing connections. If the binding still fails (because
491for example a port is shared with another daemon), then the new process sends a
492SIGTTIN signal to the old processes to instruct them to resume operations just
493as if nothing happened. The old processes will then restart listening to the
Jonathon Lacherc5b5e7b2021-08-04 00:29:05 -0500494ports and continue to accept connections. Note that this mechanism is system
Dan Lloyd8e48b872016-07-01 21:01:18 -0400495dependent and some operating systems may not support it in multi-process mode.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200496
497If the new process manages to bind correctly to all ports, then it sends either
498the SIGTERM (hard stop in case of "-st") or the SIGUSR1 (graceful stop in case
499of "-sf") to all processes to notify them that it is now in charge of operations
500and that the old processes will have to leave, either immediately or once they
501have finished their job.
502
503It is important to note that during this timeframe, there are two small windows
504of a few milliseconds each where it is possible that a few connection failures
505will be noticed during high loads. Typically observed failure rates are around
5061 failure during a reload operation every 10000 new connections per second,
507which means that a heavily loaded site running at 30000 new connections per
508second may see about 3 failed connection upon every reload. The two situations
509where this happens are :
510
511 - if the new process fails to bind due to the presence of the old process,
512 it will first have to go through the SIGTTOU+SIGTTIN sequence, which
513 typically lasts about one millisecond for a few tens of frontends, and
514 during which some ports will not be bound to the old process and not yet
515 bound to the new one. HAProxy works around this on systems that support the
516 SO_REUSEPORT socket options, as it allows the new process to bind without
517 first asking the old one to unbind. Most BSD systems have been supporting
518 this almost forever. Linux has been supporting this in version 2.0 and
519 dropped it around 2.2, but some patches were floating around by then. It
520 was reintroduced in kernel 3.9, so if you are observing a connection
Dan Lloyd8e48b872016-07-01 21:01:18 -0400521 failure rate above the one mentioned above, please ensure that your kernel
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200522 is 3.9 or newer, or that relevant patches were backported to your kernel
523 (less likely).
524
525 - when the old processes close the listening ports, the kernel may not always
526 redistribute any pending connection that was remaining in the socket's
527 backlog. Under high loads, a SYN packet may happen just before the socket
528 is closed, and will lead to an RST packet being sent to the client. In some
529 critical environments where even one drop is not acceptable, these ones are
530 sometimes dealt with using firewall rules to block SYN packets during the
531 reload, forcing the client to retransmit. This is totally system-dependent,
532 as some systems might be able to visit other listening queues and avoid
533 this RST. A second case concerns the ACK from the client on a local socket
534 that was in SYN_RECV state just before the close. This ACK will lead to an
535 RST packet while the haproxy process is still not aware of it. This one is
Dan Lloyd8e48b872016-07-01 21:01:18 -0400536 harder to get rid of, though the firewall filtering rules mentioned above
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200537 will work well if applied one second or so before restarting the process.
538
539For the vast majority of users, such drops will never ever happen since they
540don't have enough load to trigger the race conditions. And for most high traffic
541users, the failure rate is still fairly within the noise margin provided that at
542least SO_REUSEPORT is properly supported on their systems.
543
544
5455. File-descriptor limitations
546------------------------------
547
548In order to ensure that all incoming connections will successfully be served,
549HAProxy computes at load time the total number of file descriptors that will be
550needed during the process's life. A regular Unix process is generally granted
5511024 file descriptors by default, and a privileged process can raise this limit
552itself. This is one reason for starting HAProxy as root and letting it adjust
553the limit. The default limit of 1024 file descriptors roughly allow about 500
554concurrent connections to be processed. The computation is based on the global
555maxconn parameter which limits the total number of connections per process, the
556number of listeners, the number of servers which have a health check enabled,
557the agent checks, the peers, the loggers and possibly a few other technical
558requirements. A simple rough estimate of this number consists in simply
559doubling the maxconn value and adding a few tens to get the approximate number
560of file descriptors needed.
561
562Originally HAProxy did not know how to compute this value, and it was necessary
563to pass the value using the "ulimit-n" setting in the global section. This
564explains why even today a lot of configurations are seen with this setting
565present. Unfortunately it was often miscalculated resulting in connection
566failures when approaching maxconn instead of throttling incoming connection
567while waiting for the needed resources. For this reason it is important to
Dan Lloyd8e48b872016-07-01 21:01:18 -0400568remove any vestigial "ulimit-n" setting that can remain from very old versions.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200569
570Raising the number of file descriptors to accept even moderate loads is
571mandatory but comes with some OS-specific adjustments. First, the select()
572polling system is limited to 1024 file descriptors. In fact on Linux it used
573to be capable of handling more but since certain OS ship with excessively
574restrictive SELinux policies forbidding the use of select() with more than
5751024 file descriptors, HAProxy now refuses to start in this case in order to
576avoid any issue at run time. On all supported operating systems, poll() is
577available and will not suffer from this limitation. It is automatically picked
Dan Lloyd8e48b872016-07-01 21:01:18 -0400578so there is nothing to do to get a working configuration. But poll's becomes
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200579very slow when the number of file descriptors increases. While HAProxy does its
580best to limit this performance impact (eg: via the use of the internal file
581descriptor cache and batched processing), a good rule of thumb is that using
582poll() with more than a thousand concurrent connections will use a lot of CPU.
583
584For Linux systems base on kernels 2.6 and above, the epoll() system call will
585be used. It's a much more scalable mechanism relying on callbacks in the kernel
586that guarantee a constant wake up time regardless of the number of registered
587monitored file descriptors. It is automatically used where detected, provided
588that HAProxy had been built for one of the Linux flavors. Its presence and
589support can be verified using "haproxy -vv".
590
591For BSD systems which support it, kqueue() is available as an alternative. It
592is much faster than poll() and even slightly faster than epoll() thanks to its
593batched handling of changes. At least FreeBSD and OpenBSD support it. Just like
594with Linux's epoll(), its support and availability are reported in the output
595of "haproxy -vv".
596
597Having a good poller is one thing, but it is mandatory that the process can
598reach the limits. When HAProxy starts, it immediately sets the new process's
599file descriptor limits and verifies if it succeeds. In case of failure, it
600reports it before forking so that the administrator can see the problem. As
601long as the process is started by as root, there should be no reason for this
602setting to fail. However, it can fail if the process is started by an
603unprivileged user. If there is a compelling reason for *not* starting haproxy
604as root (eg: started by end users, or by a per-application account), then the
605file descriptor limit can be raised by the system administrator for this
606specific user. The effectiveness of the setting can be verified by issuing
607"ulimit -n" from the user's command line. It should reflect the new limit.
608
609Warning: when an unprivileged user's limits are changed in this user's account,
610it is fairly common that these values are only considered when the user logs in
611and not at all in some scripts run at system boot time nor in crontabs. This is
612totally dependent on the operating system, keep in mind to check "ulimit -n"
613before starting haproxy when running this way. The general advice is never to
614start haproxy as an unprivileged user for production purposes. Another good
615reason is that it prevents haproxy from enabling some security protections.
616
617Once it is certain that the system will allow the haproxy process to use the
618requested number of file descriptors, two new system-specific limits may be
619encountered. The first one is the system-wide file descriptor limit, which is
620the total number of file descriptors opened on the system, covering all
621processes. When this limit is reached, accept() or socket() will typically
622return ENFILE. The second one is the per-process hard limit on the number of
623file descriptors, it prevents setrlimit() from being set higher. Both are very
624dependent on the operating system. On Linux, the system limit is set at boot
625based on the amount of memory. It can be changed with the "fs.file-max" sysctl.
626And the per-process hard limit is set to 1048576 by default, but it can be
627changed using the "fs.nr_open" sysctl.
628
629File descriptor limitations may be observed on a running process when they are
630set too low. The strace utility will report that accept() and socket() return
631"-1 EMFILE" when the process's limits have been reached. In this case, simply
632raising the "ulimit-n" value (or removing it) will solve the problem. If these
633system calls return "-1 ENFILE" then it means that the kernel's limits have
634been reached and that something must be done on a system-wide parameter. These
635trouble must absolutely be addressed, as they result in high CPU usage (when
636accept() fails) and failed connections that are generally visible to the user.
637One solution also consists in lowering the global maxconn value to enforce
638serialization, and possibly to disable HTTP keep-alive to force connections
639to be released and reused faster.
640
641
6426. Memory management
643--------------------
644
645HAProxy uses a simple and fast pool-based memory management. Since it relies on
646a small number of different object types, it's much more efficient to pick new
647objects from a pool which already contains objects of the appropriate size than
648to call malloc() for each different size. The pools are organized as a stack or
649LIFO, so that newly allocated objects are taken from recently released objects
650still hot in the CPU caches. Pools of similar sizes are merged together, in
651order to limit memory fragmentation.
652
653By default, since the focus is set on performance, each released object is put
654back into the pool it came from, and allocated objects are never freed since
655they are expected to be reused very soon.
656
657On the CLI, it is possible to check how memory is being used in pools thanks to
658the "show pools" command :
659
660 > show pools
661 Dumping pools usage. Use SIGQUIT to flush them.
Willy Tarreau0a93b642018-10-16 07:58:39 +0200662 - Pool cache_st (16 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccc40=03 [SHARED]
663 - Pool pipe (32 bytes) : 5 allocated (160 bytes), 5 used, 0 failures, 2 users, @0x9ccac0=00 [SHARED]
664 - Pool comp_state (48 bytes) : 3 allocated (144 bytes), 3 used, 0 failures, 5 users, @0x9cccc0=04 [SHARED]
665 - Pool filter (64 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 3 users, @0x9ccbc0=02 [SHARED]
666 - Pool vars (80 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccb40=01 [SHARED]
667 - Pool uniqueid (128 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9cd240=15 [SHARED]
668 - Pool task (144 bytes) : 55 allocated (7920 bytes), 55 used, 0 failures, 1 users, @0x9cd040=11 [SHARED]
669 - Pool session (160 bytes) : 1 allocated (160 bytes), 1 used, 0 failures, 1 users, @0x9cd140=13 [SHARED]
670 - Pool h2s (208 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccec0=08 [SHARED]
671 - Pool h2c (288 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cce40=07 [SHARED]
672 - Pool spoe_ctx (304 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccf40=09 [SHARED]
673 - Pool connection (400 bytes) : 2 allocated (800 bytes), 2 used, 0 failures, 1 users, @0x9cd1c0=14 [SHARED]
674 - Pool hdr_idx (416 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cd340=17 [SHARED]
675 - Pool dns_resolut (480 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccdc0=06 [SHARED]
676 - Pool dns_answer_ (576 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccd40=05 [SHARED]
677 - Pool stream (960 bytes) : 1 allocated (960 bytes), 1 used, 0 failures, 1 users, @0x9cd0c0=12 [SHARED]
678 - Pool requri (1024 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cd2c0=16 [SHARED]
679 - Pool buffer (8030 bytes) : 3 allocated (24090 bytes), 2 used, 0 failures, 1 users, @0x9cd3c0=18 [SHARED]
680 - Pool trash (8062 bytes) : 1 allocated (8062 bytes), 1 used, 0 failures, 1 users, @0x9cd440=19
681 Total: 19 pools, 42296 bytes allocated, 34266 used.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200682
683The pool name is only indicative, it's the name of the first object type using
684this pool. The size in parenthesis is the object size for objects in this pool.
685Object sizes are always rounded up to the closest multiple of 16 bytes. The
686number of objects currently allocated and the equivalent number of bytes is
687reported so that it is easy to know which pool is responsible for the highest
688memory usage. The number of objects currently in use is reported as well in the
689"used" field. The difference between "allocated" and "used" corresponds to the
Willy Tarreau0a93b642018-10-16 07:58:39 +0200690objects that have been freed and are available for immediate use. The address
691at the end of the line is the pool's address, and the following number is the
692pool index when it exists, or is reported as -1 if no index was assigned.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200693
694It is possible to limit the amount of memory allocated per process using the
695"-m" command line option, followed by a number of megabytes. It covers all of
696the process's addressable space, so that includes memory used by some libraries
697as well as the stack, but it is a reliable limit when building a resource
698constrained system. It works the same way as "ulimit -v" on systems which have
699it, or "ulimit -d" for the other ones.
700
701If a memory allocation fails due to the memory limit being reached or because
702the system doesn't have any enough memory, then haproxy will first start to
703free all available objects from all pools before attempting to allocate memory
704again. This mechanism of releasing unused memory can be triggered by sending
705the signal SIGQUIT to the haproxy process. When doing so, the pools state prior
706to the flush will also be reported to stderr when the process runs in
707foreground.
708
709During a reload operation, the process switched to the graceful stop state also
710automatically performs some flushes after releasing any connection so that all
711possible memory is released to save it for the new process.
712
713
7147. CPU usage
715------------
716
717HAProxy normally spends most of its time in the system and a smaller part in
718userland. A finely tuned 3.5 GHz CPU can sustain a rate about 80000 end-to-end
719connection setups and closes per second at 100% CPU on a single core. When one
720core is saturated, typical figures are :
721 - 95% system, 5% user for long TCP connections or large HTTP objects
722 - 85% system and 15% user for short TCP connections or small HTTP objects in
723 close mode
724 - 70% system and 30% user for small HTTP objects in keep-alive mode
725
726The amount of rules processing and regular expressions will increase the user
727land part. The presence of firewall rules, connection tracking, complex routing
728tables in the system will instead increase the system part.
729
730On most systems, the CPU time observed during network transfers can be cut in 4
731parts :
732 - the interrupt part, which concerns all the processing performed upon I/O
733 receipt, before the target process is even known. Typically Rx packets are
734 accounted for in interrupt. On some systems such as Linux where interrupt
735 processing may be deferred to a dedicated thread, it can appear as softirq,
736 and the thread is called ksoftirqd/0 (for CPU 0). The CPU taking care of
737 this load is generally defined by the hardware settings, though in the case
738 of softirq it is often possible to remap the processing to another CPU.
739 This interrupt part will often be perceived as parasitic since it's not
740 associated with any process, but it actually is some processing being done
741 to prepare the work for the process.
742
743 - the system part, which concerns all the processing done using kernel code
744 called from userland. System calls are accounted as system for example. All
745 synchronously delivered Tx packets will be accounted for as system time. If
746 some packets have to be deferred due to queues filling up, they may then be
747 processed in interrupt context later (eg: upon receipt of an ACK opening a
748 TCP window).
749
750 - the user part, which exclusively runs application code in userland. HAProxy
751 runs exclusively in this part, though it makes heavy use of system calls.
752 Rules processing, regular expressions, compression, encryption all add to
753 the user portion of CPU consumption.
754
755 - the idle part, which is what the CPU does when there is nothing to do. For
756 example HAProxy waits for an incoming connection, or waits for some data to
757 leave, meaning the system is waiting for an ACK from the client to push
758 these data.
759
760In practice regarding HAProxy's activity, it is in general reasonably accurate
761(but totally inexact) to consider that interrupt/softirq are caused by Rx
762processing in kernel drivers, that user-land is caused by layer 7 processing
763in HAProxy, and that system time is caused by network processing on the Tx
764path.
765
766Since HAProxy runs around an event loop, it waits for new events using poll()
767(or any alternative) and processes all these events as fast as possible before
768going back to poll() waiting for new events. It measures the time spent waiting
769in poll() compared to the time spent doing processing events. The ratio of
770polling time vs total time is called the "idle" time, it's the amount of time
771spent waiting for something to happen. This ratio is reported in the stats page
772on the "idle" line, or "Idle_pct" on the CLI. When it's close to 100%, it means
773the load is extremely low. When it's close to 0%, it means that there is
774constantly some activity. While it cannot be very accurate on an overloaded
775system due to other processes possibly preempting the CPU from the haproxy
776process, it still provides a good estimate about how HAProxy considers it is
777working : if the load is low and the idle ratio is low as well, it may indicate
778that HAProxy has a lot of work to do, possibly due to very expensive rules that
779have to be processed. Conversely, if HAProxy indicates the idle is close to
780100% while things are slow, it means that it cannot do anything to speed things
781up because it is already waiting for incoming data to process. In the example
782below, haproxy is completely idle :
783
784 $ echo "show info" | socat - /var/run/haproxy.sock | grep ^Idle
785 Idle_pct: 100
786
787When the idle ratio starts to become very low, it is important to tune the
788system and place processes and interrupts correctly to save the most possible
789CPU resources for all tasks. If a firewall is present, it may be worth trying
790to disable it or to tune it to ensure it is not responsible for a large part
791of the performance limitation. It's worth noting that unloading a stateful
792firewall generally reduces both the amount of interrupt/softirq and of system
793usage since such firewalls act both on the Rx and the Tx paths. On Linux,
794unloading the nf_conntrack and ip_conntrack modules will show whether there is
795anything to gain. If so, then the module runs with default settings and you'll
796have to figure how to tune it for better performance. In general this consists
797in considerably increasing the hash table size. On FreeBSD, "pfctl -d" will
798disable the "pf" firewall and its stateful engine at the same time.
799
800If it is observed that a lot of time is spent in interrupt/softirq, it is
801important to ensure that they don't run on the same CPU. Most systems tend to
802pin the tasks on the CPU where they receive the network traffic because for
803certain workloads it improves things. But with heavily network-bound workloads
804it is the opposite as the haproxy process will have to fight against its kernel
805counterpart. Pinning haproxy to one CPU core and the interrupts to another one,
806all sharing the same L3 cache tends to sensibly increase network performance
807because in practice the amount of work for haproxy and the network stack are
808quite close, so they can almost fill an entire CPU each. On Linux this is done
809using taskset (for haproxy) or using cpu-map (from the haproxy config), and the
810interrupts are assigned under /proc/irq. Many network interfaces support
811multiple queues and multiple interrupts. In general it helps to spread them
812across a small number of CPU cores provided they all share the same L3 cache.
813Please always stop irq_balance which always does the worst possible thing on
814such workloads.
815
816For CPU-bound workloads consisting in a lot of SSL traffic or a lot of
817compression, it may be worth using multiple processes dedicated to certain
818tasks, though there is no universal rule here and experimentation will have to
819be performed.
820
821In order to increase the CPU capacity, it is possible to make HAProxy run as
822several processes, using the "nbproc" directive in the global section. There
823are some limitations though :
824 - health checks are run per process, so the target servers will get as many
825 checks as there are running processes ;
826 - maxconn values and queues are per-process so the correct value must be set
827 to avoid overloading the servers ;
828 - outgoing connections should avoid using port ranges to avoid conflicts
829 - stick-tables are per process and are not shared between processes ;
830 - each peers section may only run on a single process at a time ;
831 - the CLI operations will only act on a single process at a time.
832
833With this in mind, it appears that the easiest setup often consists in having
834one first layer running on multiple processes and in charge for the heavy
835processing, passing the traffic to a second layer running in a single process.
836This mechanism is suited to SSL and compression which are the two CPU-heavy
837features. Instances can easily be chained over UNIX sockets (which are cheaper
fengpeiyuancc123c62016-01-15 16:40:53 +0800838than TCP sockets and which do not waste ports), and the proxy protocol which is
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200839useful to pass client information to the next stage. When doing so, it is
840generally a good idea to bind all the single-process tasks to process number 1
841and extra tasks to next processes, as this will make it easier to generate
842similar configurations for different machines.
843
844On Linux versions 3.9 and above, running HAProxy in multi-process mode is much
845more efficient when each process uses a distinct listening socket on the same
846IP:port ; this will make the kernel evenly distribute the load across all
847processes instead of waking them all up. Please check the "process" option of
848the "bind" keyword lines in the configuration manual for more information.
849
850
8518. Logging
852----------
853
854For logging, HAProxy always relies on a syslog server since it does not perform
855any file-system access. The standard way of using it is to send logs over UDP
856to the log server (by default on port 514). Very commonly this is configured to
857127.0.0.1 where the local syslog daemon is running, but it's also used over the
858network to log to a central server. The central server provides additional
859benefits especially in active-active scenarios where it is desirable to keep
860the logs merged in arrival order. HAProxy may also make use of a UNIX socket to
861send its logs to the local syslog daemon, but it is not recommended at all,
862because if the syslog server is restarted while haproxy runs, the socket will
863be replaced and new logs will be lost. Since HAProxy will be isolated inside a
864chroot jail, it will not have the ability to reconnect to the new socket. It
865has also been observed in field that the log buffers in use on UNIX sockets are
866very small and lead to lost messages even at very light loads. But this can be
867fine for testing however.
868
869It is recommended to add the following directive to the "global" section to
870make HAProxy log to the local daemon using facility "local0" :
871
872 log 127.0.0.1:514 local0
873
874and then to add the following one to each "defaults" section or to each frontend
875and backend section :
876
877 log global
878
879This way, all logs will be centralized through the global definition of where
880the log server is.
881
882Some syslog daemons do not listen to UDP traffic by default, so depending on
883the daemon being used, the syntax to enable this will vary :
884
885 - on sysklogd, you need to pass argument "-r" on the daemon's command line
886 so that it listens to a UDP socket for "remote" logs ; note that there is
887 no way to limit it to address 127.0.0.1 so it will also receive logs from
888 remote systems ;
889
890 - on rsyslogd, the following lines must be added to the configuration file :
891
892 $ModLoad imudp
893 $UDPServerAddress *
894 $UDPServerRun 514
895
896 - on syslog-ng, a new source can be created the following way, it then needs
897 to be added as a valid source in one of the "log" directives :
898
899 source s_udp {
900 udp(ip(127.0.0.1) port(514));
901 };
902
903Please consult your syslog daemon's manual for more information. If no logs are
904seen in the system's log files, please consider the following tests :
905
906 - restart haproxy. Each frontend and backend logs one line indicating it's
907 starting. If these logs are received, it means logs are working.
908
909 - run "strace -tt -s100 -etrace=sendmsg -p <haproxy's pid>" and perform some
910 activity that you expect to be logged. You should see the log messages
911 being sent using sendmsg() there. If they don't appear, restart using
912 strace on top of haproxy. If you still see no logs, it definitely means
913 that something is wrong in your configuration.
914
915 - run tcpdump to watch for port 514, for example on the loopback interface if
916 the traffic is being sent locally : "tcpdump -As0 -ni lo port 514". If the
917 packets are seen there, it's the proof they're sent then the syslogd daemon
918 needs to be troubleshooted.
919
920While traffic logs are sent from the frontends (where the incoming connections
921are accepted), backends also need to be able to send logs in order to report a
922server state change consecutive to a health check. Please consult HAProxy's
923configuration manual for more information regarding all possible log settings.
924
Dan Lloyd8e48b872016-07-01 21:01:18 -0400925It is convenient to chose a facility that is not used by other daemons. HAProxy
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200926examples often suggest "local0" for traffic logs and "local1" for admin logs
927because they're never seen in field. A single facility would be enough as well.
928Having separate logs is convenient for log analysis, but it's also important to
929remember that logs may sometimes convey confidential information, and as such
Dan Lloyd8e48b872016-07-01 21:01:18 -0400930they must not be mixed with other logs that may accidentally be handed out to
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200931unauthorized people.
932
933For in-field troubleshooting without impacting the server's capacity too much,
934it is recommended to make use of the "halog" utility provided with HAProxy.
935This is sort of a grep-like utility designed to process HAProxy log files at
936a very fast data rate. Typical figures range between 1 and 2 GB of logs per
937second. It is capable of extracting only certain logs (eg: search for some
938classes of HTTP status codes, connection termination status, search by response
939time ranges, look for errors only), count lines, limit the output to a number
940of lines, and perform some more advanced statistics such as sorting servers
941by response time or error counts, sorting URLs by time or count, sorting client
942addresses by access count, and so on. It is pretty convenient to quickly spot
943anomalies such as a bot looping on the site, and block them.
944
945
9469. Statistics and monitoring
947----------------------------
948
Willy Tarreau44aed902015-10-13 14:45:29 +0200949It is possible to query HAProxy about its status. The most commonly used
950mechanism is the HTTP statistics page. This page also exposes an alternative
951CSV output format for monitoring tools. The same format is provided on the
952Unix socket.
953
Amaury Denoyelle072f97e2020-10-05 11:49:37 +0200954Statistics are regroup in categories labelled as domains, corresponding to the
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +0500955multiple components of HAProxy. There are two domains available: proxy and dns.
Amaury Denoyellefbd0bc92020-10-05 11:49:46 +0200956If not specified, the proxy domain is selected. Note that only the proxy
957statistics are printed on the HTTP page.
Willy Tarreau44aed902015-10-13 14:45:29 +0200958
9599.1. CSV format
960---------------
961
962The statistics may be consulted either from the unix socket or from the HTTP
963page. Both means provide a CSV format whose fields follow. The first line
964begins with a sharp ('#') and has one word per comma-delimited field which
965represents the title of the column. All other lines starting at the second one
966use a classical CSV format using a comma as the delimiter, and the double quote
967('"') as an optional text delimiter, but only if the enclosed text is ambiguous
968(if it contains a quote or a comma). The double-quote character ('"') in the
969text is doubled ('""'), which is the format that most tools recognize. Please
970do not insert any column before these ones in order not to break tools which
971use hard-coded column positions.
972
Amaury Denoyelle50660a82020-10-05 11:49:39 +0200973For proxy statistics, after each field name, the types which may have a value
974for that field are specified in brackets. The types are L (Listeners), F
975(Frontends), B (Backends), and S (Servers). There is a fixed set of static
976fields that are always available in the same order. A column containing the
977character '-' delimits the end of the static fields, after which presence or
978order of the fields are not guaranteed.
Willy Tarreau44aed902015-10-13 14:45:29 +0200979
Amaury Denoyelle50660a82020-10-05 11:49:39 +0200980Here is the list of static fields using the proxy statistics domain:
Willy Tarreau44aed902015-10-13 14:45:29 +0200981 0. pxname [LFBS]: proxy name
982 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend,
983 any name for server/listener)
984 2. qcur [..BS]: current queued requests. For the backend this reports the
985 number queued without a server assigned.
986 3. qmax [..BS]: max value of qcur
987 4. scur [LFBS]: current sessions
988 5. smax [LFBS]: max sessions
989 6. slim [LFBS]: configured session limit
Willy Tarreauc73810f2016-01-11 13:52:04 +0100990 7. stot [LFBS]: cumulative number of sessions
Willy Tarreau44aed902015-10-13 14:45:29 +0200991 8. bin [LFBS]: bytes in
992 9. bout [LFBS]: bytes out
993 10. dreq [LFB.]: requests denied because of security concerns.
994 - For tcp this is because of a matched tcp-request content rule.
995 - For http this is because of a matched http-request or tarpit rule.
996 11. dresp [LFBS]: responses denied because of security concerns.
997 - For http this is because of a matched http-request rule, or
998 "option checkcache".
999 12. ereq [LF..]: request errors. Some of the possible causes are:
1000 - early termination from the client, before the request has been sent.
1001 - read error from the client
1002 - client timeout
1003 - client closed connection
1004 - various bad requests from the client.
1005 - request was tarpitted.
1006 13. econ [..BS]: number of requests that encountered an error trying to
1007 connect to a backend server. The backend stat is the sum of the stat
1008 for all servers of that backend, plus any connection errors not
1009 associated with a particular server (such as the backend having no
1010 active servers).
1011 14. eresp [..BS]: response errors. srv_abrt will be counted here also.
1012 Some other errors are:
1013 - write error on the client socket (won't be counted for the server stat)
1014 - failure applying filters to the response.
1015 15. wretr [..BS]: number of times a connection to a server was retried.
1016 16. wredis [..BS]: number of times a request was redispatched to another
1017 server. The server value counts the number of times that server was
1018 switched away from.
Willy Tarreaub96dd282016-11-09 14:45:51 +01001019 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)/MAINT(resolution)...)
Willy Tarreaubd715102020-10-23 22:44:30 +02001020 18. weight [..BS]: total effective weight (backend), effective weight (server)
Willy Tarreau44aed902015-10-13 14:45:29 +02001021 19. act [..BS]: number of active servers (backend), server is active (server)
1022 20. bck [..BS]: number of backup servers (backend), server is backup (server)
1023 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
1024 the server is up.)
1025 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
1026 transitions to the whole backend being down, rather than the sum of the
1027 counters for each server.
1028 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition
1029 24. downtime [..BS]: total downtime (in seconds). The value for the backend
1030 is the downtime for the whole backend, not the sum of the server downtime.
1031 25. qlimit [...S]: configured maxqueue for the server, or nothing in the
1032 value is 0 (default, meaning no limit)
1033 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...)
1034 27. iid [LFBS]: unique proxy id
1035 28. sid [L..S]: server id (unique inside a proxy)
1036 29. throttle [...S]: current throttle percentage for the server, when
1037 slowstart is active, or no value if not in slowstart.
1038 30. lbtot [..BS]: total number of times a server was selected, either for new
1039 sessions, or when re-dispatching. The server counter is the number
1040 of times that server was selected.
1041 31. tracked [...S]: id of proxy/server if tracking is enabled.
1042 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener)
1043 33. rate [.FBS]: number of sessions per second over last elapsed second
1044 34. rate_lim [.F..]: configured limit on new sessions per second
1045 35. rate_max [.FBS]: max number of new sessions per second
1046 36. check_status [...S]: status of last health check, one of:
1047 UNK -> unknown
1048 INI -> initializing
1049 SOCKERR -> socket error
1050 L4OK -> check passed on layer 4, no upper layers testing enabled
1051 L4TOUT -> layer 1-4 timeout
1052 L4CON -> layer 1-4 connection problem, for example
1053 "Connection refused" (tcp rst) or "No route to host" (icmp)
1054 L6OK -> check passed on layer 6
1055 L6TOUT -> layer 6 (SSL) timeout
1056 L6RSP -> layer 6 invalid response - protocol error
1057 L7OK -> check passed on layer 7
1058 L7OKC -> check conditionally passed on layer 7, for example 404 with
1059 disable-on-404
1060 L7TOUT -> layer 7 (HTTP/SMTP) timeout
1061 L7RSP -> layer 7 invalid response - protocol error
1062 L7STS -> layer 7 response error, for example HTTP 5xx
Daniel Schnellerb6c8b0d2017-09-01 19:13:55 +02001063 Notice: If a check is currently running, the last known status will be
1064 reported, prefixed with "* ". e. g. "* L7OK".
Willy Tarreau44aed902015-10-13 14:45:29 +02001065 37. check_code [...S]: layer5-7 code, if available
1066 38. check_duration [...S]: time in ms took to finish last health check
1067 39. hrsp_1xx [.FBS]: http responses with 1xx code
1068 40. hrsp_2xx [.FBS]: http responses with 2xx code
1069 41. hrsp_3xx [.FBS]: http responses with 3xx code
1070 42. hrsp_4xx [.FBS]: http responses with 4xx code
1071 43. hrsp_5xx [.FBS]: http responses with 5xx code
1072 44. hrsp_other [.FBS]: http responses with other codes (protocol error)
1073 45. hanafail [...S]: failed health checks details
1074 46. req_rate [.F..]: HTTP requests per second over last elapsed second
1075 47. req_rate_max [.F..]: max number of HTTP requests per second observed
Willy Tarreaufb981bd2016-12-12 14:31:46 +01001076 48. req_tot [.FB.]: total number of HTTP requests received
Willy Tarreau44aed902015-10-13 14:45:29 +02001077 49. cli_abrt [..BS]: number of data transfers aborted by the client
1078 50. srv_abrt [..BS]: number of data transfers aborted by the server
1079 (inc. in eresp)
1080 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor
1081 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor
1082 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor
1083 (CPU/BW limit)
1084 54. comp_rsp [.FB.]: number of HTTP responses that were compressed
1085 55. lastsess [..BS]: number of seconds since last session assigned to
1086 server/backend
1087 56. last_chk [...S]: last health check contents or textual error
1088 57. last_agt [...S]: last agent check contents or textual error
1089 58. qtime [..BS]: the average queue time in ms over the 1024 last requests
1090 59. ctime [..BS]: the average connect time in ms over the 1024 last requests
1091 60. rtime [..BS]: the average response time in ms over the 1024 last requests
1092 (0 for TCP)
1093 61. ttime [..BS]: the average total session time in ms over the 1024 last
1094 requests
Willy Tarreau7f618842016-01-08 11:40:03 +01001095 62. agent_status [...S]: status of last agent check, one of:
1096 UNK -> unknown
1097 INI -> initializing
1098 SOCKERR -> socket error
1099 L4OK -> check passed on layer 4, no upper layers testing enabled
1100 L4TOUT -> layer 1-4 timeout
1101 L4CON -> layer 1-4 connection problem, for example
1102 "Connection refused" (tcp rst) or "No route to host" (icmp)
1103 L7OK -> agent reported "up"
1104 L7STS -> agent reported "fail", "stop", or "down"
1105 63. agent_code [...S]: numeric code reported by agent if any (unused for now)
1106 64. agent_duration [...S]: time in ms taken to finish last check
Willy Tarreaudd7354b2016-01-08 13:47:26 +01001107 65. check_desc [...S]: short human-readable description of check_status
1108 66. agent_desc [...S]: short human-readable description of agent_status
Willy Tarreau3141f592016-01-08 14:25:28 +01001109 67. check_rise [...S]: server's "rise" parameter used by checks
1110 68. check_fall [...S]: server's "fall" parameter used by checks
1111 69. check_health [...S]: server's health check value between 0 and rise+fall-1
1112 70. agent_rise [...S]: agent's "rise" parameter, normally 1
1113 71. agent_fall [...S]: agent's "fall" parameter, normally 1
1114 72. agent_health [...S]: agent's health parameter, between 0 and rise+fall-1
Willy Tarreaua6f5a732016-01-08 16:59:56 +01001115 73. addr [L..S]: address:port or "unix". IPv6 has brackets around the address.
Willy Tarreaue4847c62016-01-08 15:43:54 +01001116 74: cookie [..BS]: server's cookie value or backend's cookie name
Willy Tarreauf8211df2016-01-11 14:09:38 +01001117 75: mode [LFBS]: proxy mode (tcp, http, health, unknown)
Willy Tarreauf1516d92016-01-11 14:48:36 +01001118 76: algo [..B.]: load balancing algorithm
Willy Tarreauc73810f2016-01-11 13:52:04 +01001119 77: conn_rate [.F..]: number of connections over the last elapsed second
1120 78: conn_rate_max [.F..]: highest known conn_rate
1121 79: conn_tot [.F..]: cumulative number of connections
Willy Tarreau5b9bdff2016-01-11 14:40:47 +01001122 80: intercepted [.FB.]: cum. number of intercepted requests (monitor, stats)
Willy Tarreau8a90b8e2016-10-21 18:15:32 +02001123 81: dcon [LF..]: requests denied by "tcp-request connection" rules
Willy Tarreaua5bc36b2016-10-21 18:16:27 +02001124 82: dses [LF..]: requests denied by "tcp-request session" rules
Willy Tarreauea96a822018-05-28 15:15:43 +02001125 83: wrew [LFBS]: cumulative number of failed header rewriting warnings
Jérôme Magnin708eb882019-07-17 09:24:46 +02001126 84: connect [..BS]: cumulative number of connection establishment attempts
1127 85: reuse [..BS]: cumulative number of connection reuses
Willy Tarreau72974292019-11-08 07:29:34 +01001128 86: cache_lookups [.FB.]: cumulative number of cache lookups
Jérôme Magnin34ebb5c2019-07-17 14:04:40 +02001129 87: cache_hits [.FB.]: cumulative number of cache hits
Christopher Faulet2ac25742019-11-08 15:27:27 +01001130 88: srv_icur [...S]: current number of idle connections available for reuse
1131 89: src_ilim [...S]: limit on the number of available idle connections
1132 90. qtime_max [..BS]: the maximum observed queue time in ms
1133 91. ctime_max [..BS]: the maximum observed connect time in ms
1134 92. rtime_max [..BS]: the maximum observed response time in ms (0 for TCP)
1135 93. ttime_max [..BS]: the maximum observed total session time in ms
Christopher Faulet0159ee42019-12-16 14:40:39 +01001136 94. eint [LFBS]: cumulative number of internal errors
Pierre Cheynier08eb7182020-10-08 16:37:14 +02001137 95. idle_conn_cur [...S]: current number of unsafe idle connections
1138 96. safe_conn_cur [...S]: current number of safe idle connections
1139 97. used_conn_cur [...S]: current number of connections in use
1140 98. need_conn_est [...S]: estimated needed number of connections
Willy Tarreaubd715102020-10-23 22:44:30 +02001141 99. uweight [..BS]: total user weight (backend), server user weight (server)
Willy Tarreau44aed902015-10-13 14:45:29 +02001142
Amaury Denoyelle50660a82020-10-05 11:49:39 +02001143For all other statistics domains, the presence or the order of the fields are
1144not guaranteed. In this case, the header line should always be used to parse
1145the CSV data.
Willy Tarreau44aed902015-10-13 14:45:29 +02001146
Phil Schererb931f962020-12-02 19:36:08 +000011479.2. Typed output format
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001148------------------------
1149
1150Both "show info" and "show stat" support a mode where each output value comes
1151with its type and sufficient information to know how the value is supposed to
1152be aggregated between processes and how it evolves.
1153
1154In all cases, the output consists in having a single value per line with all
1155the information split into fields delimited by colons (':').
1156
1157The first column designates the object or metric being dumped. Its format is
1158specific to the command producing this output and will not be described in this
1159section. Usually it will consist in a series of identifiers and field names.
1160
1161The second column contains 3 characters respectively indicating the origin, the
1162nature and the scope of the value being reported. The first character (the
1163origin) indicates where the value was extracted from. Possible characters are :
1164
1165 M The value is a metric. It is valid at one instant any may change depending
1166 on its nature .
1167
1168 S The value is a status. It represents a discrete value which by definition
1169 cannot be aggregated. It may be the status of a server ("UP" or "DOWN"),
1170 the PID of the process, etc.
1171
1172 K The value is a sorting key. It represents an identifier which may be used
1173 to group some values together because it is unique among its class. All
1174 internal identifiers are keys. Some names can be listed as keys if they
1175 are unique (eg: a frontend name is unique). In general keys come from the
Dan Lloyd8e48b872016-07-01 21:01:18 -04001176 configuration, even though some of them may automatically be assigned. For
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001177 most purposes keys may be considered as equivalent to configuration.
1178
1179 C The value comes from the configuration. Certain configuration values make
1180 sense on the output, for example a concurrent connection limit or a cookie
1181 name. By definition these values are the same in all processes started
1182 from the same configuration file.
1183
1184 P The value comes from the product itself. There are very few such values,
1185 most common use is to report the product name, version and release date.
1186 These elements are also the same between all processes.
1187
1188The second character (the nature) indicates the nature of the information
1189carried by the field in order to let an aggregator decide on what operation to
1190use to aggregate multiple values. Possible characters are :
1191
1192 A The value represents an age since a last event. This is a bit different
1193 from the duration in that an age is automatically computed based on the
1194 current date. A typical example is how long ago did the last session
1195 happen on a server. Ages are generally aggregated by taking the minimum
1196 value and do not need to be stored.
1197
1198 a The value represents an already averaged value. The average response times
1199 and server weights are of this nature. Averages can typically be averaged
1200 between processes.
1201
1202 C The value represents a cumulative counter. Such measures perpetually
1203 increase until they wrap around. Some monitoring protocols need to tell
1204 the difference between a counter and a gauge to report a different type.
1205 In general counters may simply be summed since they represent events or
1206 volumes. Examples of metrics of this nature are connection counts or byte
1207 counts.
1208
1209 D The value represents a duration for a status. There are a few usages of
1210 this, most of them include the time taken by the last health check and
1211 the time a server has spent down. Durations are generally not summed,
1212 most of the time the maximum will be retained to compute an SLA.
1213
1214 G The value represents a gauge. It's a measure at one instant. The memory
1215 usage or the current number of active connections are of this nature.
1216 Metrics of this type are typically summed during aggregation.
1217
1218 L The value represents a limit (generally a configured one). By nature,
1219 limits are harder to aggregate since they are specific to the point where
1220 they were retrieved. In certain situations they may be summed or be kept
1221 separate.
1222
1223 M The value represents a maximum. In general it will apply to a gauge and
1224 keep the highest known value. An example of such a metric could be the
1225 maximum amount of concurrent connections that was encountered in the
1226 product's life time. To correctly aggregate maxima, you are supposed to
1227 output a range going from the maximum of all maxima and the sum of all
1228 of them. There is indeed no way to know if they were encountered
1229 simultaneously or not.
1230
1231 m The value represents a minimum. In general it will apply to a gauge and
1232 keep the lowest known value. An example of such a metric could be the
1233 minimum amount of free memory pools that was encountered in the product's
1234 life time. To correctly aggregate minima, you are supposed to output a
1235 range going from the minimum of all minima and the sum of all of them.
1236 There is indeed no way to know if they were encountered simultaneously
1237 or not.
1238
1239 N The value represents a name, so it is a string. It is used to report
1240 proxy names, server names and cookie names. Names have configuration or
1241 keys as their origin and are supposed to be the same among all processes.
1242
1243 O The value represents a free text output. Outputs from various commands,
1244 returns from health checks, node descriptions are of such nature.
1245
1246 R The value represents an event rate. It's a measure at one instant. It is
1247 quite similar to a gauge except that the recipient knows that this measure
1248 moves slowly and may decide not to keep all values. An example of such a
1249 metric is the measured amount of connections per second. Metrics of this
1250 type are typically summed during aggregation.
1251
1252 T The value represents a date or time. A field emitting the current date
1253 would be of this type. The method to aggregate such information is left
1254 as an implementation choice. For now no field uses this type.
1255
1256The third character (the scope) indicates what extent the value reflects. Some
1257elements may be per process while others may be per configuration or per system.
1258The distinction is important to know whether or not a single value should be
1259kept during aggregation or if values have to be aggregated. The following
1260characters are currently supported :
1261
1262 C The value is valid for a whole cluster of nodes, which is the set of nodes
1263 communicating over the peers protocol. An example could be the amount of
1264 entries present in a stick table that is replicated with other peers. At
1265 the moment no metric use this scope.
1266
1267 P The value is valid only for the process reporting it. Most metrics use
1268 this scope.
1269
1270 S The value is valid for the whole service, which is the set of processes
1271 started together from the same configuration file. All metrics originating
1272 from the configuration use this scope. Some other metrics may use it as
1273 well for some shared resources (eg: shared SSL cache statistics).
1274
1275 s The value is valid for the whole system, such as the system's hostname,
1276 current date or resource usage. At the moment this scope is not used by
1277 any metric.
1278
1279Consumers of these information will generally have enough of these 3 characters
1280to determine how to accurately report aggregated information across multiple
1281processes.
1282
1283After this column, the third column indicates the type of the field, among "s32"
1284(signed 32-bit integer), "s64" (signed 64-bit integer), "u32" (unsigned 32-bit
1285integer), "u64" (unsigned 64-bit integer), "str" (string). It is important to
1286know the type before parsing the value in order to properly read it. For example
1287a string containing only digits is still a string an not an integer (eg: an
1288error code extracted by a check).
1289
1290Then the fourth column is the value itself, encoded according to its type.
1291Strings are dumped as-is immediately after the colon without any leading space.
1292If a string contains a colon, it will appear normally. This means that the
1293output should not be exclusively split around colons or some check outputs
1294or server addresses might be truncated.
1295
1296
12979.3. Unix Socket commands
Willy Tarreau44aed902015-10-13 14:45:29 +02001298-------------------------
1299
1300The stats socket is not enabled by default. In order to enable it, it is
1301necessary to add one line in the global section of the haproxy configuration.
1302A second line is recommended to set a larger timeout, always appreciated when
1303issuing commands by hand :
1304
1305 global
1306 stats socket /var/run/haproxy.sock mode 600 level admin
1307 stats timeout 2m
1308
1309It is also possible to add multiple instances of the stats socket by repeating
1310the line, and make them listen to a TCP port instead of a UNIX socket. This is
1311never done by default because this is dangerous, but can be handy in some
1312situations :
1313
1314 global
1315 stats socket /var/run/haproxy.sock mode 600 level admin
1316 stats socket ipv4@192.168.0.1:9999 level admin
1317 stats timeout 2m
1318
1319To access the socket, an external utility such as "socat" is required. Socat is
1320a swiss-army knife to connect anything to anything. We use it to connect
1321terminals to the socket, or a couple of stdin/stdout pipes to it for scripts.
1322The two main syntaxes we'll use are the following :
1323
1324 # socat /var/run/haproxy.sock stdio
1325 # socat /var/run/haproxy.sock readline
1326
1327The first one is used with scripts. It is possible to send the output of a
1328script to haproxy, and pass haproxy's output to another script. That's useful
1329for retrieving counters or attack traces for example.
1330
1331The second one is only useful for issuing commands by hand. It has the benefit
1332that the terminal is handled by the readline library which supports line
1333editing and history, which is very convenient when issuing repeated commands
1334(eg: watch a counter).
1335
1336The socket supports two operation modes :
1337 - interactive
1338 - non-interactive
1339
1340The non-interactive mode is the default when socat connects to the socket. In
1341this mode, a single line may be sent. It is processed as a whole, responses are
1342sent back, and the connection closes after the end of the response. This is the
1343mode that scripts and monitoring tools use. It is possible to send multiple
1344commands in this mode, they need to be delimited by a semi-colon (';'). For
1345example :
1346
1347 # echo "show info;show stat;show table" | socat /var/run/haproxy stdio
1348
Dragan Dosena1c35ab2016-11-24 11:33:12 +01001349If a command needs to use a semi-colon or a backslash (eg: in a value), it
Joseph Herlant71b4b152018-11-13 16:55:16 -08001350must be preceded by a backslash ('\').
Chad Lavoiee3f50312016-05-26 16:42:25 -04001351
Willy Tarreau44aed902015-10-13 14:45:29 +02001352The interactive mode displays a prompt ('>') and waits for commands to be
1353entered on the line, then processes them, and displays the prompt again to wait
1354for a new command. This mode is entered via the "prompt" command which must be
1355sent on the first line in non-interactive mode. The mode is a flip switch, if
1356"prompt" is sent in interactive mode, it is disabled and the connection closes
1357after processing the last command of the same line.
1358
1359For this reason, when debugging by hand, it's quite common to start with the
1360"prompt" command :
1361
1362 # socat /var/run/haproxy readline
1363 prompt
1364 > show info
1365 ...
1366 >
1367
1368Since multiple commands may be issued at once, haproxy uses the empty line as a
1369delimiter to mark an end of output for each command, and takes care of ensuring
1370that no command can emit an empty line on output. A script can thus easily
1371parse the output even when multiple commands were pipelined on a single line.
1372
Aurélien Nephtaliabbf6072018-04-18 13:26:46 +02001373Some commands may take an optional payload. To add one to a command, the first
1374line needs to end with the "<<\n" pattern. The next lines will be treated as
1375the payload and can contain as many lines as needed. To validate a command with
1376a payload, it needs to end with an empty line.
1377
1378Limitations do exist: the length of the whole buffer passed to the CLI must
1379not be greater than tune.bfsize and the pattern "<<" must not be glued to the
1380last word of the line.
1381
1382When entering a paylod while in interactive mode, the prompt will change from
1383"> " to "+ ".
1384
Willy Tarreau44aed902015-10-13 14:45:29 +02001385It is important to understand that when multiple haproxy processes are started
1386on the same sockets, any process may pick up the request and will output its
1387own stats.
1388
1389The list of commands currently supported on the stats socket is provided below.
1390If an unknown command is sent, haproxy displays the usage message which reminds
1391all supported commands. Some commands support a more complex syntax, generally
1392it will explain what part of the command is invalid when this happens.
1393
Olivier Doucetd8703e82017-08-31 11:05:10 +02001394Some commands require a higher level of privilege to work. If you do not have
1395enough privilege, you will get an error "Permission denied". Please check
1396the "level" option of the "bind" keyword lines in the configuration manual
1397for more information.
1398
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001399abort ssl ca-file <cafile>
1400 Abort and destroy a temporary CA file update transaction.
1401
1402 See also "set ssl ca-file" and "commit ssl ca-file".
1403
William Lallemand6ab08b32019-11-29 16:48:43 +01001404abort ssl cert <filename>
1405 Abort and destroy a temporary SSL certificate update transaction.
1406
1407 See also "set ssl cert" and "commit ssl cert".
1408
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02001409abort ssl crl-file <crlfile>
1410 Abort and destroy a temporary CRL file update transaction.
1411
1412 See also "set ssl crl-file" and "commit ssl crl-file".
1413
Willy Tarreaubb51c442021-04-30 15:23:36 +02001414add acl [@<ver>] <acl> <pattern>
Willy Tarreau44aed902015-10-13 14:45:29 +02001415 Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
Willy Tarreaubb51c442021-04-30 15:23:36 +02001416 "show acl". This command does not verify if the entry already exists. Entries
1417 are added to the current version of the ACL, unless a specific version is
1418 specified with "@<ver>". This version number must have preliminary been
1419 allocated by "prepare acl", and it will be comprised between the versions
1420 reported in "curr_ver" and "next_ver" on the output of "show acl". Entries
1421 added with a specific version number will not match until a "commit acl"
1422 operation is performed on them. They may however be consulted using the
1423 "show acl @<ver>" command, and cleared using a "clear acl @<ver>" command.
1424 This command cannot be used if the reference <acl> is a file also used with
1425 a map. In this case, the "add map" command must be used instead.
Willy Tarreau44aed902015-10-13 14:45:29 +02001426
Willy Tarreaubb51c442021-04-30 15:23:36 +02001427add map [@<ver>] <map> <key> <value>
1428add map [@<ver>] <map> <payload>
Willy Tarreau44aed902015-10-13 14:45:29 +02001429 Add an entry into the map <map> to associate the value <value> to the key
1430 <key>. This command does not verify if the entry already exists. It is
Willy Tarreaubb51c442021-04-30 15:23:36 +02001431 mainly used to fill a map after a "clear" or "prepare" operation. Entries
1432 are added to the current version of the ACL, unless a specific version is
1433 specified with "@<ver>". This version number must have preliminary been
1434 allocated by "prepare acl", and it will be comprised between the versions
1435 reported in "curr_ver" and "next_ver" on the output of "show acl". Entries
1436 added with a specific version number will not match until a "commit map"
1437 operation is performed on them. They may however be consulted using the
1438 "show map @<ver>" command, and cleared using a "clear acl @<ver>" command.
1439 If the designated map is also used as an ACL, the ACL will only match the
1440 <key> part and will ignore the <value> part. Using the payload syntax it is
1441 possible to add multiple key/value pairs by entering them on separate lines.
1442 On each new line, the first word is the key and the rest of the line is
1443 considered to be the value which can even contains spaces.
Aurélien Nephtali25650ce2018-04-18 14:04:47 +02001444
1445 Example:
1446
1447 # socat /tmp/sock1 -
1448 prompt
1449
1450 > add map #-1 <<
1451 + key1 value1
1452 + key2 value2 with spaces
1453 + key3 value3 also with spaces
1454 + key4 value4
1455
1456 >
Willy Tarreau44aed902015-10-13 14:45:29 +02001457
Amaury Denoyellef99f77a2021-03-08 17:13:32 +01001458add server <backend>/<server> [args]*
1459 Instantiate a new server attached to the backend <backend>. Only supported on
1460 a CLI connection running in experimental mode (see "experimental-mode on").
1461 This method is still in development and may change in the future.
1462
1463 The <server> name must not be already used in the backend. A special
Amaury Denoyelleeafd7012021-04-29 14:59:42 +02001464 restriction is put on the backend which must used a dynamic load-balancing
1465 algorithm. A subset of keywords from the server config file statement can be
1466 used to configure the server behavior. Also note that no settings will be
1467 reused from an hypothetical 'default-server' statement in the same backend.
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001468
Amaury Denoyelleefbf35c2021-06-10 17:34:10 +02001469 Currently a dynamic server is statically initialized with the "none"
1470 init-addr method. This means that no resolution will be undertaken if a FQDN
1471 is specified as an address, even if the server creation will be validated.
1472
Amaury Denoyelle56eb8ed2021-07-13 10:36:03 +02001473 A dynamic server may use the "track" keyword to follow the check status of
1474 another server from the configuration. However, it is not possible to track
1475 another dynamic server. This is to ensure that the tracking chain is kept
1476 consistent even in the case of dynamic servers deletion.
1477
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001478 Use the "check" keyword to enable health-check support. Note that the
1479 health-check is disabled by default and must be enabled independently from
Amaury Denoyelleb65f4ca2021-08-04 11:33:14 +02001480 the server using the "enable health" command. For agent checks, use the
1481 "agent-check" keyword and the "enable agent" command. Note that in this case
1482 the server may be activated via the agent depending on the status reported,
1483 without an explicit "enable server" command. This also means that extra care
1484 is required when removing a dynamic server with agent check. The agent should
1485 be first deactivated via "disable agent" to be able to put the server in the
1486 required maintenance mode before removal.
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001487
Amaury Denoyelle414a6122021-08-06 10:25:32 +02001488 It may be possible to reach the fd limit when using a large number of dynamic
1489 servers. Please refer to the "u-limit" global keyword documentation in this
1490 case.
1491
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001492 Here is the list of the currently supported keywords :
1493
Amaury Denoyelleb65f4ca2021-08-04 11:33:14 +02001494 - agent-addr
1495 - agent-check
1496 - agent-inter
1497 - agent-port
1498 - agent-send
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001499 - allow-0rtt
1500 - alpn
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001501 - addr
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001502 - backup
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001503 - ca-file
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001504 - check
1505 - check-proto
1506 - check-send-proxy
1507 - check-via-socks4
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001508 - ciphers
1509 - ciphersuites
1510 - crl-file
1511 - crt
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001512 - disabled
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001513 - downinter
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001514 - enabled
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001515 - fall
1516 - fastinter
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001517 - force-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001518 - id
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001519 - inter
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001520 - maxconn
1521 - maxqueue
1522 - minconn
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001523 - no-ssl-reuse
1524 - no-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
1525 - no-tls-tickets
1526 - npn
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001527 - pool-low-conn
1528 - pool-max-conn
1529 - pool-purge-delay
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001530 - port
Amaury Denoyelle30467232021-03-12 18:03:27 +01001531 - proto
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001532 - proxy-v2-options
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001533 - rise
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001534 - send-proxy
1535 - send-proxy-v2
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001536 - send-proxy-v2-ssl
1537 - send-proxy-v2-ssl-cn
1538 - sni
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001539 - source
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001540 - ssl
1541 - ssl-max-ver
1542 - ssl-min-ver
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001543 - tfo
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001544 - tls-tickets
Amaury Denoyelle56eb8ed2021-07-13 10:36:03 +02001545 - track
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001546 - usesrc
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001547 - verify
1548 - verifyhost
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001549 - weight
1550
1551 Their syntax is similar to the server line from the configuration file,
1552 please refer to their individual documentation for details.
Amaury Denoyellef99f77a2021-03-08 17:13:32 +01001553
William Lallemandaccac232020-04-02 17:42:51 +02001554add ssl crt-list <crtlist> <certificate>
1555add ssl crt-list <crtlist> <payload>
1556 Add an certificate in a crt-list. It can also be used for directories since
1557 directories are now loaded the same way as the crt-lists. This command allow
1558 you to use a certificate name in parameter, to use SSL options or filters a
1559 crt-list line must sent as a payload instead. Only one crt-list line is
1560 supported in the payload. This command will load the certificate for every
1561 bind lines using the crt-list. To push a new certificate to HAProxy the
1562 commands "new ssl cert" and "set ssl cert" must be used.
1563
1564 Example:
1565 $ echo "new ssl cert foobar.pem" | socat /tmp/sock1 -
1566 $ echo -e "set ssl cert foobar.pem <<\n$(cat foobar.pem)\n" | socat
1567 /tmp/sock1 -
1568 $ echo "commit ssl cert foobar.pem" | socat /tmp/sock1 -
1569 $ echo "add ssl crt-list certlist1 foobar.pem" | socat /tmp/sock1 -
1570
1571 $ echo -e 'add ssl crt-list certlist1 <<\nfoobar.pem [allow-0rtt] foo.bar.com
1572 !test1.com\n' | socat /tmp/sock1 -
1573
Willy Tarreau44aed902015-10-13 14:45:29 +02001574clear counters
1575 Clear the max values of the statistics counters in each proxy (frontend &
Willy Tarreaud80cb4e2018-01-20 19:30:13 +01001576 backend) and in each server. The accumulated counters are not affected. The
1577 internal activity counters reported by "show activity" are also reset. This
Willy Tarreau44aed902015-10-13 14:45:29 +02001578 can be used to get clean counters after an incident, without having to
1579 restart nor to clear traffic counters. This command is restricted and can
1580 only be issued on sockets configured for levels "operator" or "admin".
1581
1582clear counters all
1583 Clear all statistics counters in each proxy (frontend & backend) and in each
1584 server. This has the same effect as restarting. This command is restricted
1585 and can only be issued on sockets configured for level "admin".
1586
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001587clear acl [@<ver>] <acl>
Willy Tarreau44aed902015-10-13 14:45:29 +02001588 Remove all entries from the acl <acl>. <acl> is the #<id> or the <file>
1589 returned by "show acl". Note that if the reference <acl> is a file and is
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001590 shared with a map, this map will be also cleared. By default only the current
1591 version of the ACL is cleared (the one being matched against). However it is
1592 possible to specify another version using '@' followed by this version.
Willy Tarreau44aed902015-10-13 14:45:29 +02001593
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001594clear map [@<ver>] <map>
Willy Tarreau44aed902015-10-13 14:45:29 +02001595 Remove all entries from the map <map>. <map> is the #<id> or the <file>
1596 returned by "show map". Note that if the reference <map> is a file and is
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001597 shared with a acl, this acl will be also cleared. By default only the current
1598 version of the map is cleared (the one being matched against). However it is
1599 possible to specify another version using '@' followed by this version.
Willy Tarreau44aed902015-10-13 14:45:29 +02001600
1601clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
1602 Remove entries from the stick-table <table>.
1603
1604 This is typically used to unblock some users complaining they have been
1605 abusively denied access to a service, but this can also be used to clear some
1606 stickiness entries matching a server that is going to be replaced (see "show
1607 table" below for details). Note that sometimes, removal of an entry will be
1608 refused because it is currently tracked by a session. Retrying a few seconds
1609 later after the session ends is usual enough.
1610
1611 In the case where no options arguments are given all entries will be removed.
1612
1613 When the "data." form is used entries matching a filter applied using the
1614 stored data (see "stick-table" in section 4.2) are removed. A stored data
1615 type must be specified in <type>, and this data type must be stored in the
1616 table otherwise an error is reported. The data is compared according to
1617 <operator> with the 64-bit integer <value>. Operators are the same as with
1618 the ACLs :
1619
1620 - eq : match entries whose data is equal to this value
1621 - ne : match entries whose data is not equal to this value
1622 - le : match entries whose data is less than or equal to this value
1623 - ge : match entries whose data is greater than or equal to this value
1624 - lt : match entries whose data is less than this value
1625 - gt : match entries whose data is greater than this value
1626
1627 When the key form is used the entry <key> is removed. The key must be of the
1628 same type as the table, which currently is limited to IPv4, IPv6, integer and
1629 string.
1630
1631 Example :
1632 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1633 >>> # table: http_proxy, type: ip, size:204800, used:2
1634 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
1635 bytes_out_rate(60000)=187
1636 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
1637 bytes_out_rate(60000)=191
1638
1639 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
1640
1641 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1642 >>> # table: http_proxy, type: ip, size:204800, used:1
1643 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
1644 bytes_out_rate(60000)=191
1645 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
1646 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1647 >>> # table: http_proxy, type: ip, size:204800, used:1
1648
Willy Tarreau7a562ca2021-04-30 15:10:01 +02001649commit acl @<ver> <acl>
1650 Commit all changes made to version <ver> of ACL <acl>, and deletes all past
1651 versions. <acl> is the #<id> or the <file> returned by "show acl". The
1652 version number must be between "curr_ver"+1 and "next_ver" as reported in
1653 "show acl". The contents to be committed to the ACL can be consulted with
1654 "show acl @<ver> <acl>" if desired. The specified version number has normally
1655 been created with the "prepare acl" command. The replacement is atomic. It
1656 consists in atomically updating the current version to the specified version,
1657 which will instantly cause all entries in other versions to become invisible,
1658 and all entries in the new version to become visible. It is also possible to
1659 use this command to perform an atomic removal of all visible entries of an
1660 ACL by calling "prepare acl" first then committing without adding any
1661 entries. This command cannot be used if the reference <acl> is a file also
1662 used as a map. In this case, the "commit map" command must be used instead.
1663
1664commit map @<ver> <map>
1665 Commit all changes made to version <ver> of map <map>, and deletes all past
1666 versions. <map> is the #<id> or the <file> returned by "show map". The
1667 version number must be between "curr_ver"+1 and "next_ver" as reported in
1668 "show map". The contents to be committed to the map can be consulted with
1669 "show map @<ver> <map>" if desired. The specified version number has normally
1670 been created with the "prepare map" command. The replacement is atomic. It
1671 consists in atomically updating the current version to the specified version,
1672 which will instantly cause all entries in other versions to become invisible,
1673 and all entries in the new version to become visible. It is also possible to
1674 use this command to perform an atomic removal of all visible entries of an
1675 map by calling "prepare map" first then committing without adding any
1676 entries.
1677
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001678commit ssl ca-file <cafile>
1679 Commit a temporary SSL CA file update transaction.
1680
1681 In the case of an existing CA file (in a "Used" state in "show ssl ca-file"),
1682 the new CA file tree entry is inserted in the CA file tree and every instance
1683 that used the CA file entry is rebuilt, along with the SSL contexts it needs.
1684 All the contexts previously used by the rebuilt instances are removed.
1685 Upon success, the previous CA file entry is removed from the tree.
1686 Upon failure, nothing is removed or deleted, and all the original SSL
1687 contexts are kept and used.
1688 Once the temporary transaction is committed, it is destroyed.
1689
1690 In the case of a new CA file (after a "new ssl ca-file" and in a "Unused"
1691 state in "show ssl ca-file"), the CA file will be inserted in the CA file
1692 tree but it won't be used anywhere in HAProxy. To use it and generate SSL
1693 contexts that use it, you will need to add it to a crt-list with "add ssl
1694 crt-list".
1695
1696 See also "new ssl ca-file", "set ssl ca-file", "abort ssl ca-file" and
1697 "add ssl crt-list".
1698
William Lallemand6ab08b32019-11-29 16:48:43 +01001699commit ssl cert <filename>
William Lallemandc184d872020-06-26 15:39:57 +02001700 Commit a temporary SSL certificate update transaction.
1701
1702 In the case of an existing certificate (in a "Used" state in "show ssl
1703 cert"), generate every SSL contextes and SNIs it need, insert them, and
1704 remove the previous ones. Replace in memory the previous SSL certificates
1705 everywhere the <filename> was used in the configuration. Upon failure it
1706 doesn't remove or insert anything. Once the temporary transaction is
1707 committed, it is destroyed.
1708
1709 In the case of a new certificate (after a "new ssl cert" and in a "Unused"
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +05001710 state in "show ssl cert"), the certificate will be committed in a certificate
William Lallemandc184d872020-06-26 15:39:57 +02001711 storage, but it won't be used anywhere in haproxy. To use it and generate
1712 its SNIs you will need to add it to a crt-list or a directory with "add ssl
1713 crt-list".
William Lallemand6ab08b32019-11-29 16:48:43 +01001714
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001715 See also "new ssl cert", "set ssl cert", "abort ssl cert" and
William Lallemandc184d872020-06-26 15:39:57 +02001716 "add ssl crt-list".
William Lallemand6ab08b32019-11-29 16:48:43 +01001717
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02001718commit ssl crl-file <crlfile>
1719 Commit a temporary SSL CRL file update transaction.
1720
1721 In the case of an existing CRL file (in a "Used" state in "show ssl
1722 crl-file"), the new CRL file entry is inserted in the CA file tree (which
1723 holds both the CA files and the CRL files) and every instance that used the
1724 CRL file entry is rebuilt, along with the SSL contexts it needs.
1725 All the contexts previously used by the rebuilt instances are removed.
1726 Upon success, the previous CRL file entry is removed from the tree.
1727 Upon failure, nothing is removed or deleted, and all the original SSL
1728 contexts are kept and used.
1729 Once the temporary transaction is committed, it is destroyed.
1730
1731 In the case of a new CRL file (after a "new ssl crl-file" and in a "Unused"
1732 state in "show ssl crl-file"), the CRL file will be inserted in the CRL file
1733 tree but it won't be used anywhere in HAProxy. To use it and generate SSL
1734 contexts that use it, you will need to add it to a crt-list with "add ssl
1735 crt-list".
1736
1737 See also "new ssl crl-file", "set ssl crl-file", "abort ssl crl-file" and
1738 "add ssl crt-list".
1739
Willy Tarreau6bdf3e92019-05-20 14:25:05 +02001740debug dev <command> [args]*
Willy Tarreaub24ab222019-10-24 18:03:39 +02001741 Call a developer-specific command. Only supported on a CLI connection running
1742 in expert mode (see "expert-mode on"). Such commands are extremely dangerous
1743 and not forgiving, any misuse may result in a crash of the process. They are
1744 intended for experts only, and must really not be used unless told to do so.
1745 Some of them are only available when haproxy is built with DEBUG_DEV defined
1746 because they may have security implications. All of these commands require
1747 admin privileges, and are purposely not documented to avoid encouraging their
1748 use by people who are not at ease with the source code.
Willy Tarreau6bdf3e92019-05-20 14:25:05 +02001749
Willy Tarreau44aed902015-10-13 14:45:29 +02001750del acl <acl> [<key>|#<ref>]
1751 Delete all the acl entries from the acl <acl> corresponding to the key <key>.
1752 <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used,
1753 this command delete only the listed reference. The reference can be found with
1754 listing the content of the acl. Note that if the reference <acl> is a file and
1755 is shared with a map, the entry will be also deleted in the map.
1756
1757del map <map> [<key>|#<ref>]
1758 Delete all the map entries from the map <map> corresponding to the key <key>.
1759 <map> is the #<id> or the <file> returned by "show map". If the <ref> is used,
1760 this command delete only the listed reference. The reference can be found with
1761 listing the content of the map. Note that if the reference <map> is a file and
1762 is shared with a acl, the entry will be also deleted in the map.
1763
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001764del ssl ca-file <cafile>
1765 Delete a CA file tree entry from HAProxy. The CA file must be unused and
1766 removed from any crt-list. "show ssl ca-file" displays the status of the CA
1767 files. The deletion doesn't work with a certificate referenced directly with
1768 the "ca-file" or "ca-verify-file" directives in the configuration.
1769
William Lallemand419e6342020-04-08 12:05:39 +02001770del ssl cert <certfile>
1771 Delete a certificate store from HAProxy. The certificate must be unused and
1772 removed from any crt-list or directory. "show ssl cert" displays the status
1773 of the certificate. The deletion doesn't work with a certificate referenced
1774 directly with the "crt" directive in the configuration.
1775
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02001776del ssl crl-file <crlfile>
1777 Delete a CRL file tree entry from HAProxy. The CRL file must be unused and
1778 removed from any crt-list. "show ssl crl-file" displays the status of the CRL
1779 files. The deletion doesn't work with a certificate referenced directly with
1780 the "crl-file" directive in the configuration.
1781
William Lallemand0a9b9412020-04-06 17:43:05 +02001782del ssl crt-list <filename> <certfile[:line]>
1783 Delete an entry in a crt-list. This will delete every SNIs used for this
1784 entry in the frontends. If a certificate is used several time in a crt-list,
1785 you will need to provide which line you want to delete. To display the line
1786 numbers, use "show ssl crt-list -n <crtlist>".
1787
Amaury Denoyellee5580432021-04-15 14:41:20 +02001788del server <backend>/<server>
1789 Remove a server attached to the backend <backend>. Only valid on a server
1790 added at runtime. The server must be put in maintenance mode prior to its
1791 deletion. The operation is cancelled if the serveur still has active
1792 or idle connection or its connection queue is not empty.
1793
Willy Tarreau44aed902015-10-13 14:45:29 +02001794disable agent <backend>/<server>
1795 Mark the auxiliary agent check as temporarily stopped.
1796
1797 In the case where an agent check is being run as a auxiliary check, due
1798 to the agent-check parameter of a server directive, new checks are only
Dan Lloyd8e48b872016-07-01 21:01:18 -04001799 initialized when the agent is in the enabled. Thus, disable agent will
Willy Tarreau44aed902015-10-13 14:45:29 +02001800 prevent any new agent checks from begin initiated until the agent
1801 re-enabled using enable agent.
1802
1803 When an agent is disabled the processing of an auxiliary agent check that
1804 was initiated while the agent was set as enabled is as follows: All
1805 results that would alter the weight, specifically "drain" or a weight
1806 returned by the agent, are ignored. The processing of agent check is
1807 otherwise unchanged.
1808
1809 The motivation for this feature is to allow the weight changing effects
1810 of the agent checks to be paused to allow the weight of a server to be
1811 configured using set weight without being overridden by the agent.
1812
1813 This command is restricted and can only be issued on sockets configured for
1814 level "admin".
1815
Olivier Houchard614f8d72017-03-14 20:08:46 +01001816disable dynamic-cookie backend <backend>
Ilya Shipitsin2a950d02020-03-06 13:07:38 +05001817 Disable the generation of dynamic cookies for the backend <backend>
Olivier Houchard614f8d72017-03-14 20:08:46 +01001818
Willy Tarreau44aed902015-10-13 14:45:29 +02001819disable frontend <frontend>
1820 Mark the frontend as temporarily stopped. This corresponds to the mode which
1821 is used during a soft restart : the frontend releases the port but can be
1822 enabled again if needed. This should be used with care as some non-Linux OSes
1823 are unable to enable it back. This is intended to be used in environments
1824 where stopping a proxy is not even imaginable but a misconfigured proxy must
1825 be fixed. That way it's possible to release the port and bind it into another
1826 process to restore operations. The frontend will appear with status "STOP"
1827 on the stats page.
1828
1829 The frontend may be specified either by its name or by its numeric ID,
1830 prefixed with a sharp ('#').
1831
1832 This command is restricted and can only be issued on sockets configured for
1833 level "admin".
1834
1835disable health <backend>/<server>
1836 Mark the primary health check as temporarily stopped. This will disable
1837 sending of health checks, and the last health check result will be ignored.
1838 The server will be in unchecked state and considered UP unless an auxiliary
1839 agent check forces it down.
1840
1841 This command is restricted and can only be issued on sockets configured for
1842 level "admin".
1843
1844disable server <backend>/<server>
1845 Mark the server DOWN for maintenance. In this mode, no more checks will be
1846 performed on the server until it leaves maintenance.
1847 If the server is tracked by other servers, those servers will be set to DOWN
1848 during the maintenance.
1849
1850 In the statistics page, a server DOWN for maintenance will appear with a
1851 "MAINT" status, its tracking servers with the "MAINT(via)" one.
1852
1853 Both the backend and the server may be specified either by their name or by
1854 their numeric ID, prefixed with a sharp ('#').
1855
1856 This command is restricted and can only be issued on sockets configured for
1857 level "admin".
1858
1859enable agent <backend>/<server>
1860 Resume auxiliary agent check that was temporarily stopped.
1861
1862 See "disable agent" for details of the effect of temporarily starting
1863 and stopping an auxiliary agent.
1864
1865 This command is restricted and can only be issued on sockets configured for
1866 level "admin".
1867
Olivier Houchard614f8d72017-03-14 20:08:46 +01001868enable dynamic-cookie backend <backend>
n9@users.noreply.github.com25a1c8e2019-08-23 11:21:05 +02001869 Enable the generation of dynamic cookies for the backend <backend>.
1870 A secret key must also be provided.
Olivier Houchard614f8d72017-03-14 20:08:46 +01001871
Willy Tarreau44aed902015-10-13 14:45:29 +02001872enable frontend <frontend>
1873 Resume a frontend which was temporarily stopped. It is possible that some of
1874 the listening ports won't be able to bind anymore (eg: if another process
1875 took them since the 'disable frontend' operation). If this happens, an error
1876 is displayed. Some operating systems might not be able to resume a frontend
1877 which was disabled.
1878
1879 The frontend may be specified either by its name or by its numeric ID,
1880 prefixed with a sharp ('#').
1881
1882 This command is restricted and can only be issued on sockets configured for
1883 level "admin".
1884
1885enable health <backend>/<server>
1886 Resume a primary health check that was temporarily stopped. This will enable
1887 sending of health checks again. Please see "disable health" for details.
1888
1889 This command is restricted and can only be issued on sockets configured for
1890 level "admin".
1891
1892enable server <backend>/<server>
1893 If the server was previously marked as DOWN for maintenance, this marks the
1894 server UP and checks are re-enabled.
1895
1896 Both the backend and the server may be specified either by their name or by
1897 their numeric ID, prefixed with a sharp ('#').
1898
1899 This command is restricted and can only be issued on sockets configured for
1900 level "admin".
1901
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01001902experimental-mode [on|off]
1903 Without options, this indicates whether the experimental mode is enabled or
1904 disabled on the current connection. When passed "on", it turns the
1905 experimental mode on for the current CLI connection only. With "off" it turns
1906 it off.
1907
1908 The experimental mode is used to access to extra features still in
1909 development. These features are currently not stable and should be used with
Ilya Shipitsinba13f162021-03-19 22:21:44 +05001910 care. They may be subject to breaking changes across versions.
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01001911
Willy Tarreauabb9f9b2019-10-24 17:55:53 +02001912expert-mode [on|off]
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01001913 This command is similar to experimental-mode but is used to toggle the
1914 expert mode.
1915
1916 The expert mode enables displaying of expert commands that can be extremely
Willy Tarreauabb9f9b2019-10-24 17:55:53 +02001917 dangerous for the process and which may occasionally help developers collect
1918 important information about complex bugs. Any misuse of these features will
1919 likely lead to a process crash. Do not use this option without being invited
1920 to do so. Note that this command is purposely not listed in the help message.
1921 This command is only accessible in admin level. Changing to another level
1922 automatically resets the expert mode.
1923
Willy Tarreau44aed902015-10-13 14:45:29 +02001924get map <map> <value>
1925get acl <acl> <value>
1926 Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl>
1927 are the #<id> or the <file> returned by "show map" or "show acl". This command
1928 returns all the matching patterns associated with this map. This is useful for
1929 debugging maps and ACLs. The output format is composed by one line par
1930 matching type. Each line is composed by space-delimited series of words.
1931
1932 The first two words are:
1933
1934 <match method>: The match method applied. It can be "found", "bool",
1935 "int", "ip", "bin", "len", "str", "beg", "sub", "dir",
1936 "dom", "end" or "reg".
1937
1938 <match result>: The result. Can be "match" or "no-match".
1939
1940 The following words are returned only if the pattern matches an entry.
1941
1942 <index type>: "tree" or "list". The internal lookup algorithm.
1943
1944 <case>: "case-insensitive" or "case-sensitive". The
1945 interpretation of the case.
1946
1947 <entry matched>: match="<entry>". Return the matched pattern. It is
1948 useful with regular expressions.
1949
1950 The two last word are used to show the returned value and its type. With the
1951 "acl" case, the pattern doesn't exist.
1952
1953 return=nothing: No return because there are no "map".
1954 return="<value>": The value returned in the string format.
1955 return=cannot-display: The value cannot be converted as string.
1956
1957 type="<type>": The type of the returned sample.
1958
Willy Tarreauc35eb382021-03-26 14:51:31 +01001959get var <name>
1960 Show the existence, type and contents of the process-wide variable 'name'.
1961 Only process-wide variables are readable, so the name must begin with
1962 'proc.' otherwise no variable will be found. This command requires levels
1963 "operator" or "admin".
1964
Willy Tarreau44aed902015-10-13 14:45:29 +02001965get weight <backend>/<server>
1966 Report the current weight and the initial weight of server <server> in
1967 backend <backend> or an error if either doesn't exist. The initial weight is
1968 the one that appears in the configuration file. Both are normally equal
1969 unless the current weight has been changed. Both the backend and the server
1970 may be specified either by their name or by their numeric ID, prefixed with a
1971 sharp ('#').
1972
Willy Tarreau0b1b8302021-05-09 20:59:23 +02001973help [<command>]
1974 Print the list of known keywords and their basic usage, or commands matching
1975 the requested one. The same help screen is also displayed for unknown
1976 commands.
Willy Tarreau44aed902015-10-13 14:45:29 +02001977
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001978new ssl ca-file <cafile>
1979 Create a new empty CA file tree entry to be filled with a set of CA
1980 certificates and added to a crt-list. This command should be used in
1981 combination with "set ssl ca-file" and "add ssl crt-list".
1982
William Lallemandaccac232020-04-02 17:42:51 +02001983new ssl cert <filename>
1984 Create a new empty SSL certificate store to be filled with a certificate and
1985 added to a directory or a crt-list. This command should be used in
1986 combination with "set ssl cert" and "add ssl crt-list".
1987
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02001988new ssl crl-file <crlfile>
1989 Create a new empty CRL file tree entry to be filled with a set of CRLs
1990 and added to a crt-list. This command should be used in combination with "set
1991 ssl crl-file" and "add ssl crt-list".
1992
Willy Tarreau97218ce2021-04-30 14:57:03 +02001993prepare acl <acl>
1994 Allocate a new version number in ACL <acl> for atomic replacement. <acl> is
1995 the #<id> or the <file> returned by "show acl". The new version number is
1996 shown in response after "New version created:". This number will then be
1997 usable to prepare additions of new entries into the ACL which will then
1998 atomically replace the current ones once committed. It is reported as
1999 "next_ver" in "show acl". There is no impact of allocating new versions, as
2000 unused versions will automatically be removed once a more recent version is
2001 committed. Version numbers are unsigned 32-bit values which wrap at the end,
2002 so care must be taken when comparing them in an external program. This
2003 command cannot be used if the reference <acl> is a file also used as a map.
2004 In this case, the "prepare map" command must be used instead.
2005
2006prepare map <map>
2007 Allocate a new version number in map <map> for atomic replacement. <map> is
2008 the #<id> or the <file> returned by "show map". The new version number is
2009 shown in response after "New version created:". This number will then be
2010 usable to prepare additions of new entries into the map which will then
2011 atomically replace the current ones once committed. It is reported as
2012 "next_ver" in "show map". There is no impact of allocating new versions, as
2013 unused versions will automatically be removed once a more recent version is
2014 committed. Version numbers are unsigned 32-bit values which wrap at the end,
2015 so care must be taken when comparing them in an external program.
2016
Willy Tarreau44aed902015-10-13 14:45:29 +02002017prompt
2018 Toggle the prompt at the beginning of the line and enter or leave interactive
2019 mode. In interactive mode, the connection is not closed after a command
2020 completes. Instead, the prompt will appear again, indicating the user that
2021 the interpreter is waiting for a new command. The prompt consists in a right
2022 angle bracket followed by a space "> ". This mode is particularly convenient
2023 when one wants to periodically check information such as stats or errors.
2024 It is also a good idea to enter interactive mode before issuing a "help"
2025 command.
2026
2027quit
2028 Close the connection when in interactive mode.
2029
Olivier Houchard614f8d72017-03-14 20:08:46 +01002030set dynamic-cookie-key backend <backend> <value>
2031 Modify the secret key used to generate the dynamic persistent cookies.
2032 This will break the existing sessions.
2033
Willy Tarreau44aed902015-10-13 14:45:29 +02002034set map <map> [<key>|#<ref>] <value>
2035 Modify the value corresponding to each key <key> in a map <map>. <map> is the
2036 #<id> or <file> returned by "show map". If the <ref> is used in place of
2037 <key>, only the entry pointed by <ref> is changed. The new value is <value>.
2038
2039set maxconn frontend <frontend> <value>
2040 Dynamically change the specified frontend's maxconn setting. Any positive
2041 value is allowed including zero, but setting values larger than the global
2042 maxconn does not make much sense. If the limit is increased and connections
2043 were pending, they will immediately be accepted. If it is lowered to a value
2044 below the current number of connections, new connections acceptation will be
2045 delayed until the threshold is reached. The frontend might be specified by
2046 either its name or its numeric ID prefixed with a sharp ('#').
2047
Andrew Hayworthedb93a72015-10-27 21:46:25 +00002048set maxconn server <backend/server> <value>
2049 Dynamically change the specified server's maxconn setting. Any positive
2050 value is allowed including zero, but setting values larger than the global
2051 maxconn does not make much sense.
2052
Willy Tarreau44aed902015-10-13 14:45:29 +02002053set maxconn global <maxconn>
2054 Dynamically change the global maxconn setting within the range defined by the
2055 initial global maxconn setting. If it is increased and connections were
2056 pending, they will immediately be accepted. If it is lowered to a value below
2057 the current number of connections, new connections acceptation will be
2058 delayed until the threshold is reached. A value of zero restores the initial
2059 setting.
2060
Willy Tarreau00dd44f2021-05-05 16:44:23 +02002061set profiling { tasks | memory } { auto | on | off }
2062 Enables or disables CPU or memory profiling for the indicated subsystem. This
2063 is equivalent to setting or clearing the "profiling" settings in the "global"
Willy Tarreaucfa71012021-01-29 11:56:21 +01002064 section of the configuration file. Please also see "show profiling". Note
2065 that manually setting the tasks profiling to "on" automatically resets the
2066 scheduler statistics, thus allows to check activity over a given interval.
Willy Tarreau00dd44f2021-05-05 16:44:23 +02002067 The memory profiling is limited to certain operating systems (known to work
2068 on the linux-glibc target), and requires USE_MEMORY_PROFILING to be set at
2069 compile time.
Willy Tarreau75c62c22018-11-22 11:02:09 +01002070
Willy Tarreau44aed902015-10-13 14:45:29 +02002071set rate-limit connections global <value>
2072 Change the process-wide connection rate limit, which is set by the global
2073 'maxconnrate' setting. A value of zero disables the limitation. This limit
2074 applies to all frontends and the change has an immediate effect. The value
2075 is passed in number of connections per second.
2076
2077set rate-limit http-compression global <value>
2078 Change the maximum input compression rate, which is set by the global
2079 'maxcomprate' setting. A value of zero disables the limitation. The value is
2080 passed in number of kilobytes per second. The value is available in the "show
2081 info" on the line "CompressBpsRateLim" in bytes.
2082
2083set rate-limit sessions global <value>
2084 Change the process-wide session rate limit, which is set by the global
2085 'maxsessrate' setting. A value of zero disables the limitation. This limit
2086 applies to all frontends and the change has an immediate effect. The value
2087 is passed in number of sessions per second.
2088
2089set rate-limit ssl-sessions global <value>
2090 Change the process-wide SSL session rate limit, which is set by the global
2091 'maxsslrate' setting. A value of zero disables the limitation. This limit
2092 applies to all frontends and the change has an immediate effect. The value
2093 is passed in number of sessions per second sent to the SSL stack. It applies
2094 before the handshake in order to protect the stack against handshake abuses.
2095
Baptiste Assmann3749ebf2016-08-03 22:34:12 +02002096set server <backend>/<server> addr <ip4 or ip6 address> [port <port>]
Willy Tarreau44aed902015-10-13 14:45:29 +02002097 Replace the current IP address of a server by the one provided.
Michael Prokop4438c602019-05-24 10:25:45 +02002098 Optionally, the port can be changed using the 'port' parameter.
Baptiste Assmann3749ebf2016-08-03 22:34:12 +02002099 Note that changing the port also support switching from/to port mapping
2100 (notation with +X or -Y), only if a port is configured for the health check.
Willy Tarreau44aed902015-10-13 14:45:29 +02002101
2102set server <backend>/<server> agent [ up | down ]
2103 Force a server's agent to a new state. This can be useful to immediately
2104 switch a server's state regardless of some slow agent checks for example.
2105 Note that the change is propagated to tracking servers if any.
2106
William Dauchy7cabc062021-02-11 22:51:24 +01002107set server <backend>/<server> agent-addr <addr> [port <port>]
Misiek43972902017-01-09 09:53:06 +01002108 Change addr for servers agent checks. Allows to migrate agent-checks to
2109 another address at runtime. You can specify both IP and hostname, it will be
2110 resolved.
William Dauchy7cabc062021-02-11 22:51:24 +01002111 Optionally, change the port agent.
2112
2113set server <backend>/<server> agent-port <port>
2114 Change the port used for agent checks.
Misiek43972902017-01-09 09:53:06 +01002115
2116set server <backend>/<server> agent-send <value>
2117 Change agent string sent to agent check target. Allows to update string while
2118 changing server address to keep those two matching.
2119
Willy Tarreau44aed902015-10-13 14:45:29 +02002120set server <backend>/<server> health [ up | stopping | down ]
2121 Force a server's health to a new state. This can be useful to immediately
2122 switch a server's state regardless of some slow health checks for example.
2123 Note that the change is propagated to tracking servers if any.
2124
William Dauchyb456e1f2021-02-11 22:51:23 +01002125set server <backend>/<server> check-addr <ip4 | ip6> [port <port>]
2126 Change the IP address used for server health checks.
2127 Optionally, change the port used for server health checks.
2128
Baptiste Assmann50946562016-08-31 23:26:29 +02002129set server <backend>/<server> check-port <port>
2130 Change the port used for health checking to <port>
2131
Willy Tarreau44aed902015-10-13 14:45:29 +02002132set server <backend>/<server> state [ ready | drain | maint ]
2133 Force a server's administrative state to a new state. This can be useful to
2134 disable load balancing and/or any traffic to a server. Setting the state to
2135 "ready" puts the server in normal mode, and the command is the equivalent of
2136 the "enable server" command. Setting the state to "maint" disables any traffic
2137 to the server as well as any health checks. This is the equivalent of the
2138 "disable server" command. Setting the mode to "drain" only removes the server
2139 from load balancing but still allows it to be checked and to accept new
2140 persistent connections. Changes are propagated to tracking servers if any.
2141
2142set server <backend>/<server> weight <weight>[%]
2143 Change a server's weight to the value passed in argument. This is the exact
2144 equivalent of the "set weight" command below.
2145
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002146set server <backend>/<server> fqdn <FQDN>
Lukas Tribusc5dd5a52018-08-14 11:39:35 +02002147 Change a server's FQDN to the value passed in argument. This requires the
2148 internal run-time DNS resolver to be configured and enabled for this server.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002149
William Dauchyf6370442020-11-14 19:25:33 +01002150set server <backend>/<server> ssl [ on | off ]
2151 This option configures SSL ciphering on outgoing connections to the server.
2152
Andjelko Iharosc4df59e2017-07-20 11:59:48 +02002153set severity-output [ none | number | string ]
2154 Change the severity output format of the stats socket connected to for the
2155 duration of the current session.
2156
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02002157set ssl ca-file <cafile> <payload>
2158 This command is part of a transaction system, the "commit ssl ca-file" and
2159 "abort ssl ca-file" commands could be required.
2160 If there is no on-going transaction, it will create a CA file tree entry into
2161 which the certificates contained in the payload will be stored. The CA file
2162 entry will not be stored in the CA file tree and will only be kept in a
2163 temporary transaction. If a transaction with the same filename already exists,
2164 the previous CA file entry will be deleted and replaced by the new one.
2165 Once the modifications are done, you have to commit the transaction through
2166 a "commit ssl ca-file" call.
2167
2168 Example:
2169 echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
2170 socat /var/run/haproxy.stat -
2171 echo "commit ssl ca-file cafile.pem" | socat /var/run/haproxy.stat -
2172
William Lallemand6ab08b32019-11-29 16:48:43 +01002173set ssl cert <filename> <payload>
2174 This command is part of a transaction system, the "commit ssl cert" and
2175 "abort ssl cert" commands could be required.
Remi Tricot-Le Breton34459092021-04-14 16:19:28 +02002176 This whole transaction system works on any certificate displayed by the
Remi Tricot-Le Bretonb5f0fac2021-04-14 16:19:29 +02002177 "show ssl cert" command, so on any frontend or backend certificate.
William Lallemand6ab08b32019-11-29 16:48:43 +01002178 If there is no on-going transaction, it will duplicate the certificate
2179 <filename> in memory to a temporary transaction, then update this
2180 transaction with the PEM file in the payload. If a transaction exists with
2181 the same filename, it will update this transaction. It's also possible to
2182 update the files linked to a certificate (.issuer, .sctl, .oscp etc.)
2183 Once the modification are done, you have to "commit ssl cert" the
2184 transaction.
2185
2186 Example:
2187 echo -e "set ssl cert localhost.pem <<\n$(cat 127.0.0.1.pem)\n" | \
2188 socat /var/run/haproxy.stat -
2189 echo -e \
2190 "set ssl cert localhost.pem.issuer <<\n $(cat 127.0.0.1.pem.issuer)\n" | \
2191 socat /var/run/haproxy.stat -
2192 echo -e \
2193 "set ssl cert localhost.pem.ocsp <<\n$(base64 -w 1000 127.0.0.1.pem.ocsp)\n" | \
2194 socat /var/run/haproxy.stat -
2195 echo "commit ssl cert localhost.pem" | socat /var/run/haproxy.stat -
2196
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02002197set ssl crl-file <crlfile> <payload>
2198 This command is part of a transaction system, the "commit ssl crl-file" and
2199 "abort ssl crl-file" commands could be required.
2200 If there is no on-going transaction, it will create a CRL file tree entry into
2201 which the Revocation Lists contained in the payload will be stored. The CRL
2202 file entry will not be stored in the CRL file tree and will only be kept in a
2203 temporary transaction. If a transaction with the same filename already exists,
2204 the previous CRL file entry will be deleted and replaced by the new one.
2205 Once the modifications are done, you have to commit the transaction through
2206 a "commit ssl crl-file" call.
2207
2208 Example:
2209 echo -e "set ssl crl-file crlfile.pem <<\n$(cat rootCRL.pem)\n" | \
2210 socat /var/run/haproxy.stat -
2211 echo "commit ssl crl-file crlfile.pem" | socat /var/run/haproxy.stat -
2212
Aurélien Nephtali1e0867c2018-04-18 14:04:58 +02002213set ssl ocsp-response <response | payload>
Willy Tarreau44aed902015-10-13 14:45:29 +02002214 This command is used to update an OCSP Response for a certificate (see "crt"
2215 on "bind" lines). Same controls are performed as during the initial loading of
2216 the response. The <response> must be passed as a base64 encoded string of the
Emmanuel Hocdet2c32d8f2017-05-22 14:58:00 +02002217 DER encoded response from the OCSP server. This command is not supported with
2218 BoringSSL.
Willy Tarreau44aed902015-10-13 14:45:29 +02002219
2220 Example:
2221 openssl ocsp -issuer issuer.pem -cert server.pem \
2222 -host ocsp.issuer.com:80 -respout resp.der
2223 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
2224 socat stdio /var/run/haproxy.stat
2225
Aurélien Nephtali1e0867c2018-04-18 14:04:58 +02002226 using the payload syntax:
2227 echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \
2228 socat stdio /var/run/haproxy.stat
2229
Willy Tarreau44aed902015-10-13 14:45:29 +02002230set ssl tls-key <id> <tlskey>
2231 Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
2232 ultimate key, while the penultimate one is used for encryption (others just
2233 decrypt). The oldest TLS key present is overwritten. <id> is either a numeric
2234 #<id> or <file> returned by "show tls-keys". <tlskey> is a base64 encoded 48
Emeric Brun9e754772019-01-10 17:51:55 +01002235 or 80 bits TLS ticket key (ex. openssl rand 80 | openssl base64 -A).
Willy Tarreau44aed902015-10-13 14:45:29 +02002236
2237set table <table> key <key> [data.<data_type> <value>]*
2238 Create or update a stick-table entry in the table. If the key is not present,
2239 an entry is inserted. See stick-table in section 4.2 to find all possible
2240 values for <data_type>. The most likely use consists in dynamically entering
2241 entries for source IP addresses, with a flag in gpc0 to dynamically block an
2242 IP address or affect its quality of service. It is possible to pass multiple
2243 data_types in a single call.
2244
2245set timeout cli <delay>
2246 Change the CLI interface timeout for current connection. This can be useful
2247 during long debugging sessions where the user needs to constantly inspect
2248 some indicators without being disconnected. The delay is passed in seconds.
2249
Willy Tarreau4000ff02021-04-30 14:45:53 +02002250set var <name> <expression>
2251 Allows to set or overwrite the process-wide variable 'name' with the result
2252 of expression <expression>. Only process-wide variables may be used, so the
2253 name must begin with 'proc.' otherwise no variable will be set. The
2254 <expression> may only involve "internal" sample fetch keywords and converters
2255 even though the most likely useful ones will be str('something') or int().
2256 Note that the command line parser doesn't know about quotes, so any space in
2257 the expression must be preceded by a backslash. This command requires levels
2258 "operator" or "admin". This command is only supported on a CLI connection
2259 running in experimental mode (see "experimental-mode on").
2260
Willy Tarreau44aed902015-10-13 14:45:29 +02002261set weight <backend>/<server> <weight>[%]
2262 Change a server's weight to the value passed in argument. If the value ends
2263 with the '%' sign, then the new weight will be relative to the initially
2264 configured weight. Absolute weights are permitted between 0 and 256.
2265 Relative weights must be positive with the resulting absolute weight is
2266 capped at 256. Servers which are part of a farm running a static
2267 load-balancing algorithm have stricter limitations because the weight
2268 cannot change once set. Thus for these servers, the only accepted values
2269 are 0 and 100% (or 0 and the initial weight). Changes take effect
2270 immediately, though certain LB algorithms require a certain amount of
2271 requests to consider changes. A typical usage of this command is to
2272 disable a server during an update by setting its weight to zero, then to
2273 enable it again after the update by setting it back to 100%. This command
2274 is restricted and can only be issued on sockets configured for level
2275 "admin". Both the backend and the server may be specified either by their
2276 name or by their numeric ID, prefixed with a sharp ('#').
2277
Willy Tarreau95f753e2021-04-30 12:09:54 +02002278show acl [[@<ver>] <acl>]
Willy Tarreaud6129fc2017-07-28 16:52:23 +02002279 Dump info about acl converters. Without argument, the list of all available
Willy Tarreau95f753e2021-04-30 12:09:54 +02002280 acls is returned. If a <acl> is specified, its contents are dumped. <acl> is
2281 the #<id> or <file>. By default the current version of the ACL is shown (the
2282 version currently being matched against and reported as 'curr_ver' in the ACL
2283 list). It is possible to instead dump other versions by prepending '@<ver>'
2284 before the ACL's identifier. The version works as a filter and non-existing
2285 versions will simply report no result. The dump format is the same as for the
2286 maps even for the sample values. The data returned are not a list of
2287 available ACL, but are the list of all patterns composing any ACL. Many of
Dragan Dosena75eea72021-05-21 16:59:15 +02002288 these patterns can be shared with maps. The 'entry_cnt' value represents the
2289 count of all the ACL entries, not just the active ones, which means that it
2290 also includes entries currently being added.
Willy Tarreaud6129fc2017-07-28 16:52:23 +02002291
2292show backend
2293 Dump the list of backends available in the running process
2294
William Lallemand67a234f2018-12-13 09:05:45 +01002295show cli level
2296 Display the CLI level of the current CLI session. The result could be
2297 'admin', 'operator' or 'user'. See also the 'operator' and 'user' commands.
2298
2299 Example :
2300
2301 $ socat /tmp/sock1 readline
2302 prompt
2303 > operator
2304 > show cli level
2305 operator
2306 > user
2307 > show cli level
2308 user
2309 > operator
2310 Permission denied
2311
2312operator
2313 Decrease the CLI level of the current CLI session to operator. It can't be
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01002314 increased. It also drops expert and experimental mode. See also "show cli
2315 level".
William Lallemand67a234f2018-12-13 09:05:45 +01002316
2317user
2318 Decrease the CLI level of the current CLI session to user. It can't be
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01002319 increased. It also drops expert and experimental mode. See also "show cli
2320 level".
William Lallemand67a234f2018-12-13 09:05:45 +01002321
Willy Tarreau4c356932019-05-16 17:39:32 +02002322show activity
2323 Reports some counters about internal events that will help developers and
2324 more generally people who know haproxy well enough to narrow down the causes
2325 of reports of abnormal behaviours. A typical example would be a properly
2326 running process never sleeping and eating 100% of the CPU. The output fields
2327 will be made of one line per metric, and per-thread counters on the same
Thayne McCombscdbcca92021-01-07 21:24:41 -07002328 line. These counters are 32-bit and will wrap during the process's life, which
Willy Tarreau4c356932019-05-16 17:39:32 +02002329 is not a problem since calls to this command will typically be performed
2330 twice. The fields are purposely not documented so that their exact meaning is
2331 verified in the code where the counters are fed. These values are also reset
2332 by the "clear counters" command.
2333
William Lallemand51132162016-12-16 16:38:58 +01002334show cli sockets
2335 List CLI sockets. The output format is composed of 3 fields separated by
2336 spaces. The first field is the socket address, it can be a unix socket, a
2337 ipv4 address:port couple or a ipv6 one. Socket of other types won't be dump.
2338 The second field describe the level of the socket: 'admin', 'user' or
2339 'operator'. The last field list the processes on which the socket is bound,
2340 separated by commas, it can be numbers or 'all'.
2341
2342 Example :
2343
2344 $ echo 'show cli sockets' | socat stdio /tmp/sock1
2345 # socket lvl processes
2346 /tmp/sock1 admin all
2347 127.0.0.1:9999 user 2,3,4
2348 127.0.0.2:9969 user 2
2349 [::1]:9999 operator 2
2350
William Lallemand86d0df02017-11-24 21:36:45 +01002351show cache
Cyril Bonté7b888f12017-11-26 22:24:31 +01002352 List the configured caches and the objects stored in each cache tree.
William Lallemand86d0df02017-11-24 21:36:45 +01002353
2354 $ echo 'show cache' | socat stdio /tmp/sock1
2355 0x7f6ac6c5b03a: foobar (shctx:0x7f6ac6c5b000, available blocks:3918)
2356 1 2 3 4
2357
2358 1. pointer to the cache structure
2359 2. cache name
2360 3. pointer to the mmap area (shctx)
2361 4. number of blocks available for reuse in the shctx
2362
Remi Tricot-Le Bretone3e1e5f2020-11-27 15:48:40 +01002363 0x7f6ac6c5b4cc hash:286881868 vary:0x0011223344556677 size:39114 (39 blocks), refcount:9, expire:237
2364 1 2 3 4 5 6 7
William Lallemand86d0df02017-11-24 21:36:45 +01002365
2366 1. pointer to the cache entry
2367 2. first 32 bits of the hash
Remi Tricot-Le Bretone3e1e5f2020-11-27 15:48:40 +01002368 3. secondary hash of the entry in case of vary
2369 4. size of the object in bytes
2370 5. number of blocks used for the object
2371 6. number of transactions using the entry
2372 7. expiration time, can be negative if already expired
William Lallemand86d0df02017-11-24 21:36:45 +01002373
Willy Tarreauae795722016-02-16 11:27:28 +01002374show env [<name>]
2375 Dump one or all environment variables known by the process. Without any
2376 argument, all variables are dumped. With an argument, only the specified
2377 variable is dumped if it exists. Otherwise "Variable not found" is emitted.
2378 Variables are dumped in the same format as they are stored or returned by the
2379 "env" utility, that is, "<name>=<value>". This can be handy when debugging
2380 certain configuration files making heavy use of environment variables to
2381 ensure that they contain the expected values. This command is restricted and
2382 can only be issued on sockets configured for levels "operator" or "admin".
2383
Willy Tarreau35069f82016-11-25 09:16:37 +01002384show errors [<iid>|<proxy>] [request|response]
Willy Tarreau44aed902015-10-13 14:45:29 +02002385 Dump last known request and response errors collected by frontends and
2386 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau234ba2d2016-11-25 08:39:10 +01002387 either frontend or backend whose ID is <iid>. Proxy ID "-1" will cause
2388 all instances to be dumped. If a proxy name is specified instead, its ID
Willy Tarreau35069f82016-11-25 09:16:37 +01002389 will be used as the filter. If "request" or "response" is added after the
2390 proxy name or ID, only request or response errors will be dumped. This
2391 command is restricted and can only be issued on sockets configured for
2392 levels "operator" or "admin".
Willy Tarreau44aed902015-10-13 14:45:29 +02002393
2394 The errors which may be collected are the last request and response errors
2395 caused by protocol violations, often due to invalid characters in header
2396 names. The report precisely indicates what exact character violated the
2397 protocol. Other important information such as the exact date the error was
2398 detected, frontend and backend names, the server name (when known), the
2399 internal session ID and the source address which has initiated the session
2400 are reported too.
2401
2402 All characters are returned, and non-printable characters are encoded. The
2403 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
2404 letter following a backslash. The backslash itself is encoded as '\\' to
2405 avoid confusion. Other non-printable characters are encoded '\xNN' where
2406 NN is the two-digits hexadecimal representation of the character's ASCII
2407 code.
2408
2409 Lines are prefixed with the position of their first character, starting at 0
2410 for the beginning of the buffer. At most one input line is printed per line,
2411 and large lines will be broken into multiple consecutive output lines so that
2412 the output never goes beyond 79 characters wide. It is easy to detect if a
2413 line was broken, because it will not end with '\n' and the next line's offset
2414 will be followed by a '+' sign, indicating it is a continuation of previous
2415 line.
2416
2417 Example :
Willy Tarreau35069f82016-11-25 09:16:37 +01002418 $ echo "show errors -1 response" | socat stdio /tmp/sock1
Willy Tarreau44aed902015-10-13 14:45:29 +02002419 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
2420 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
2421 response length 213 bytes, error at position 23:
2422
2423 00000 HTTP/1.0 200 OK\r\n
2424 00017 header/bizarre:blah\r\n
2425 00038 Location: blah\r\n
2426 00054 Long-line: this is a very long line which should b
2427 00104+ e broken into multiple lines on the output buffer,
2428 00154+ otherwise it would be too large to print in a ter
2429 00204+ minal\r\n
2430 00211 \r\n
2431
2432 In the example above, we see that the backend "http-in" which has internal
2433 ID 2 has blocked an invalid response from its server s2 which has internal
2434 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
2435 received by frontend fe-eth0 whose ID is 1. The total response length was
2436 213 bytes when the error was detected, and the error was at byte 23. This
2437 is the slash ('/') in header name "header/bizarre", which is not a valid
2438 HTTP character for a header name.
2439
Willy Tarreau1d181e42019-08-30 11:17:01 +02002440show events [<sink>] [-w] [-n]
Willy Tarreau9f830d72019-08-26 18:17:04 +02002441 With no option, this lists all known event sinks and their types. With an
2442 option, it will dump all available events in the designated sink if it is of
Willy Tarreau1d181e42019-08-30 11:17:01 +02002443 type buffer. If option "-w" is passed after the sink name, then once the end
2444 of the buffer is reached, the command will wait for new events and display
2445 them. It is possible to stop the operation by entering any input (which will
2446 be discarded) or by closing the session. Finally, option "-n" is used to
2447 directly seek to the end of the buffer, which is often convenient when
2448 combined with "-w" to only report new events. For convenience, "-wn" or "-nw"
2449 may be used to enable both options at once.
Willy Tarreau9f830d72019-08-26 18:17:04 +02002450
Willy Tarreau7a4a0ac2017-07-25 19:32:50 +02002451show fd [<fd>]
2452 Dump the list of either all open file descriptors or just the one number <fd>
2453 if specified. This is only aimed at developers who need to observe internal
2454 states in order to debug complex issues such as abnormal CPU usages. One fd
2455 is reported per lines, and for each of them, its state in the poller using
2456 upper case letters for enabled flags and lower case for disabled flags, using
2457 "P" for "polled", "R" for "ready", "A" for "active", the events status using
2458 "H" for "hangup", "E" for "error", "O" for "output", "P" for "priority" and
2459 "I" for "input", a few other flags like "N" for "new" (just added into the fd
2460 cache), "U" for "updated" (received an update in the fd cache), "L" for
2461 "linger_risk", "C" for "cloned", then the cached entry position, the pointer
2462 to the internal owner, the pointer to the I/O callback and its name when
2463 known. When the owner is a connection, the connection flags, and the target
2464 are reported (frontend, proxy or server). When the owner is a listener, the
2465 listener's state and its frontend are reported. There is no point in using
2466 this command without a good knowledge of the internals. It's worth noting
2467 that the output format may evolve over time so this output must not be parsed
Willy Tarreau8050efe2021-01-21 08:26:06 +01002468 by tools designed to be durable. Some internal structure states may look
2469 suspicious to the function listing them, in this case the output line will be
2470 suffixed with an exclamation mark ('!'). This may help find a starting point
2471 when trying to diagnose an incident.
Willy Tarreau7a4a0ac2017-07-25 19:32:50 +02002472
Willy Tarreau27456202021-05-08 07:54:24 +02002473show info [typed|json] [desc] [float]
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002474 Dump info about haproxy status on current process. If "typed" is passed as an
2475 optional argument, field numbers, names and types are emitted as well so that
2476 external monitoring products can easily retrieve, possibly aggregate, then
2477 report information found in fields they don't know. Each field is dumped on
Simon Horman05ee2132017-01-04 09:37:25 +01002478 its own line. If "json" is passed as an optional argument then
2479 information provided by "typed" output is provided in JSON format as a
2480 list of JSON objects. By default, the format contains only two columns
2481 delimited by a colon (':'). The left one is the field name and the right
2482 one is the value. It is very important to note that in typed output
2483 format, the dump for a single object is contiguous so that there is no
Willy Tarreau27456202021-05-08 07:54:24 +02002484 need for a consumer to store everything at once. If "float" is passed as an
2485 optional argument, some fields usually emitted as integers may switch to
2486 floats for higher accuracy. It is purposely unspecified which ones are
2487 concerned as this might evolve over time. Using this option implies that the
2488 consumer is able to process floats. The output format used is sprintf("%f").
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002489
2490 When using the typed output format, each line is made of 4 columns delimited
2491 by colons (':'). The first column is a dot-delimited series of 3 elements. The
2492 first element is the numeric position of the field in the list (starting at
2493 zero). This position shall not change over time, but holes are to be expected,
2494 depending on build options or if some fields are deleted in the future. The
2495 second element is the field name as it appears in the default "show info"
2496 output. The third element is the relative process number starting at 1.
2497
2498 The rest of the line starting after the first colon follows the "typed output
2499 format" described in the section above. In short, the second column (after the
2500 first ':') indicates the origin, nature and scope of the variable. The third
2501 column indicates the type of the field, among "s32", "s64", "u32", "u64" and
2502 "str". Then the fourth column is the value itself, which the consumer knows
2503 how to parse thanks to column 3 and how to process thanks to column 2.
2504
2505 Thus the overall line format in typed mode is :
2506
2507 <field_pos>.<field_name>.<process_num>:<tags>:<type>:<value>
2508
Willy Tarreau6b19b142019-10-09 15:44:21 +02002509 When "desc" is appended to the command, one extra colon followed by a quoted
2510 string is appended with a description for the metric. At the time of writing,
2511 this is only supported for the "typed" and default output formats.
2512
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002513 Example :
2514
2515 > show info
2516 Name: HAProxy
2517 Version: 1.7-dev1-de52ea-146
2518 Release_date: 2016/03/11
2519 Nbproc: 1
2520 Process_num: 1
2521 Pid: 28105
2522 Uptime: 0d 0h00m04s
2523 Uptime_sec: 4
2524 Memmax_MB: 0
2525 PoolAlloc_MB: 0
2526 PoolUsed_MB: 0
2527 PoolFailed: 0
2528 (...)
2529
2530 > show info typed
2531 0.Name.1:POS:str:HAProxy
2532 1.Version.1:POS:str:1.7-dev1-de52ea-146
2533 2.Release_date.1:POS:str:2016/03/11
2534 3.Nbproc.1:CGS:u32:1
2535 4.Process_num.1:KGP:u32:1
2536 5.Pid.1:SGP:u32:28105
2537 6.Uptime.1:MDP:str:0d 0h00m08s
2538 7.Uptime_sec.1:MDP:u32:8
2539 8.Memmax_MB.1:CLP:u32:0
2540 9.PoolAlloc_MB.1:MGP:u32:0
2541 10.PoolUsed_MB.1:MGP:u32:0
2542 11.PoolFailed.1:MCP:u32:0
2543 (...)
2544
Simon Horman1084a362016-11-21 17:00:24 +01002545 In the typed format, the presence of the process ID at the end of the
2546 first column makes it very easy to visually aggregate outputs from
2547 multiple processes.
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002548 Example :
2549
2550 $ ( echo show info typed | socat /var/run/haproxy.sock1 ; \
2551 echo show info typed | socat /var/run/haproxy.sock2 ) | \
2552 sort -t . -k 1,1n -k 2,2 -k 3,3n
2553 0.Name.1:POS:str:HAProxy
2554 0.Name.2:POS:str:HAProxy
2555 1.Version.1:POS:str:1.7-dev1-868ab3-148
2556 1.Version.2:POS:str:1.7-dev1-868ab3-148
2557 2.Release_date.1:POS:str:2016/03/11
2558 2.Release_date.2:POS:str:2016/03/11
2559 3.Nbproc.1:CGS:u32:2
2560 3.Nbproc.2:CGS:u32:2
2561 4.Process_num.1:KGP:u32:1
2562 4.Process_num.2:KGP:u32:2
2563 5.Pid.1:SGP:u32:30120
2564 5.Pid.2:SGP:u32:30121
2565 6.Uptime.1:MDP:str:0d 0h01m28s
2566 6.Uptime.2:MDP:str:0d 0h01m28s
2567 (...)
Willy Tarreau44aed902015-10-13 14:45:29 +02002568
Simon Horman05ee2132017-01-04 09:37:25 +01002569 The format of JSON output is described in a schema which may be output
Simon Horman6f6bb382017-01-04 09:37:26 +01002570 using "show schema json".
Simon Horman05ee2132017-01-04 09:37:25 +01002571
2572 The JSON output contains no extra whitespace in order to reduce the
2573 volume of output. For human consumption passing the output through a
2574 pretty printer may be helpful. Example :
2575
2576 $ echo "show info json" | socat /var/run/haproxy.sock stdio | \
2577 python -m json.tool
2578
Simon Horman6f6bb382017-01-04 09:37:26 +01002579 The JSON output contains no extra whitespace in order to reduce the
2580 volume of output. For human consumption passing the output through a
2581 pretty printer may be helpful. Example :
2582
2583 $ echo "show info json" | socat /var/run/haproxy.sock stdio | \
2584 python -m json.tool
2585
Willy Tarreau95f753e2021-04-30 12:09:54 +02002586show map [[@<ver>] <map>]
Willy Tarreau44aed902015-10-13 14:45:29 +02002587 Dump info about map converters. Without argument, the list of all available
2588 maps is returned. If a <map> is specified, its contents are dumped. <map> is
Willy Tarreau95f753e2021-04-30 12:09:54 +02002589 the #<id> or <file>. By default the current version of the map is shown (the
2590 version currently being matched against and reported as 'curr_ver' in the map
2591 list). It is possible to instead dump other versions by prepending '@<ver>'
2592 before the map's identifier. The version works as a filter and non-existing
Dragan Dosena75eea72021-05-21 16:59:15 +02002593 versions will simply report no result. The 'entry_cnt' value represents the
2594 count of all the map entries, not just the active ones, which means that it
2595 also includes entries currently being added.
Willy Tarreau95f753e2021-04-30 12:09:54 +02002596
2597 In the output, the first column is a unique entry identifier, which is usable
2598 as a reference for operations "del map" and "set map". The second column is
Willy Tarreau44aed902015-10-13 14:45:29 +02002599 the pattern and the third column is the sample if available. The data returned
2600 are not directly a list of available maps, but are the list of all patterns
2601 composing any map. Many of these patterns can be shared with ACL.
2602
Willy Tarreau49962b52021-02-12 16:56:22 +01002603show peers [dict|-] [<peers section>]
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002604 Dump info about the peers configured in "peers" sections. Without argument,
2605 the list of the peers belonging to all the "peers" sections are listed. If
2606 <peers section> is specified, only the information about the peers belonging
Willy Tarreau49962b52021-02-12 16:56:22 +01002607 to this "peers" section are dumped. When "dict" is specified before the peers
2608 section name, the entire Tx/Rx dictionary caches will also be dumped (very
2609 large). Passing "-" may be required to dump a peers section called "dict".
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002610
Michael Prokop4438c602019-05-24 10:25:45 +02002611 Here are two examples of outputs where hostA, hostB and hostC peers belong to
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002612 "sharedlb" peers sections. Only hostA and hostB are connected. Only hostA has
2613 sent data to hostB.
2614
2615 $ echo "show peers" | socat - /tmp/hostA
2616 0x55deb0224320: [15/Apr/2019:11:28:01] id=sharedlb state=0 flags=0x3 \
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002617 resync_timeout=<PAST> task_calls=45122
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002618 0x55deb022b540: id=hostC(remote) addr=127.0.0.12:10002 status=CONN \
2619 reconnect=4s confirm=0
2620 flags=0x0
2621 0x55deb022a440: id=hostA(local) addr=127.0.0.10:10000 status=NONE \
2622 reconnect=<NEVER> confirm=0
2623 flags=0x0
2624 0x55deb0227d70: id=hostB(remote) addr=127.0.0.11:10001 status=ESTA
2625 reconnect=2s confirm=0
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002626 flags=0x20000200 appctx:0x55deb028fba0 st0=7 st1=0 task_calls=14456 \
2627 state=EST
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002628 xprt=RAW src=127.0.0.1:37257 addr=127.0.0.10:10000
2629 remote_table:0x55deb0224a10 id=stkt local_id=1 remote_id=1
2630 last_local_table:0x55deb0224a10 id=stkt local_id=1 remote_id=1
2631 shared tables:
2632 0x55deb0224a10 local_id=1 remote_id=1 flags=0x0 remote_data=0x65
2633 last_acked=0 last_pushed=3 last_get=0 teaching_origin=0 update=3
2634 table:0x55deb022d6a0 id=stkt update=3 localupdate=3 \
2635 commitupdate=3 syncing=0
2636
2637 $ echo "show peers" | socat - /tmp/hostB
2638 0x55871b5ab320: [15/Apr/2019:11:28:03] id=sharedlb state=0 flags=0x3 \
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002639 resync_timeout=<PAST> task_calls=3
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002640 0x55871b5b2540: id=hostC(remote) addr=127.0.0.12:10002 status=CONN \
2641 reconnect=3s confirm=0
2642 flags=0x0
2643 0x55871b5b1440: id=hostB(local) addr=127.0.0.11:10001 status=NONE \
2644 reconnect=<NEVER> confirm=0
2645 flags=0x0
2646 0x55871b5aed70: id=hostA(remote) addr=127.0.0.10:10000 status=ESTA \
2647 reconnect=2s confirm=0
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002648 flags=0x20000200 appctx:0x7fa46800ee00 st0=7 st1=0 task_calls=62356 \
2649 state=EST
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002650 remote_table:0x55871b5ab960 id=stkt local_id=1 remote_id=1
2651 last_local_table:0x55871b5ab960 id=stkt local_id=1 remote_id=1
2652 shared tables:
2653 0x55871b5ab960 local_id=1 remote_id=1 flags=0x0 remote_data=0x65
2654 last_acked=3 last_pushed=0 last_get=3 teaching_origin=0 update=0
2655 table:0x55871b5b46a0 id=stkt update=1 localupdate=0 \
2656 commitupdate=0 syncing=0
2657
Willy Tarreau44aed902015-10-13 14:45:29 +02002658show pools
2659 Dump the status of internal memory pools. This is useful to track memory
2660 usage when suspecting a memory leak for example. It does exactly the same
2661 as the SIGQUIT when running in foreground except that it does not flush
2662 the pools.
2663
Willy Tarreauf1c8a382021-05-13 10:00:17 +02002664show profiling [{all | status | tasks | memory}] [byaddr] [<max_lines>]
Willy Tarreau75c62c22018-11-22 11:02:09 +01002665 Dumps the current profiling settings, one per line, as well as the command
Willy Tarreau1bd67e92021-01-29 00:07:40 +01002666 needed to change them. When tasks profiling is enabled, some per-function
2667 statistics collected by the scheduler will also be emitted, with a summary
Willy Tarreau42712cb2021-05-05 17:48:13 +02002668 covering the number of calls, total/avg CPU time and total/avg latency. When
2669 memory profiling is enabled, some information such as the number of
2670 allocations/releases and their sizes will be reported. It is possible to
2671 limit the dump to only the profiling status, the tasks, or the memory
2672 profiling by specifying the respective keywords; by default all profiling
2673 information are dumped. It is also possible to limit the number of lines
Willy Tarreauf1c8a382021-05-13 10:00:17 +02002674 of output of each category by specifying a numeric limit. If is possible to
2675 request that the output is sorted by address instead of usage, e.g. to ease
2676 comparisons between subsequent calls. Please note that profiling is
2677 essentially aimed at developers since it gives hints about where CPU cycles
2678 or memory are wasted in the code. There is nothing useful to monitor there.
Willy Tarreau75c62c22018-11-22 11:02:09 +01002679
Willy Tarreau87ef3232021-01-29 12:01:46 +01002680show resolvers [<resolvers section id>]
2681 Dump statistics for the given resolvers section, or all resolvers sections
2682 if no section is supplied.
2683
2684 For each name server, the following counters are reported:
2685 sent: number of DNS requests sent to this server
2686 valid: number of DNS valid responses received from this server
2687 update: number of DNS responses used to update the server's IP address
2688 cname: number of CNAME responses
2689 cname_error: CNAME errors encountered with this server
2690 any_err: number of empty response (IE: server does not support ANY type)
2691 nx: non existent domain response received from this server
2692 timeout: how many time this server did not answer in time
2693 refused: number of requests refused by this server
2694 other: any other DNS errors
2695 invalid: invalid DNS response (from a protocol point of view)
2696 too_big: too big response
2697 outdated: number of response arrived too late (after an other name server)
2698
Willy Tarreau69f591e2020-07-01 07:00:59 +02002699show servers conn [<backend>]
2700 Dump the current and idle connections state of the servers belonging to the
2701 designated backend (or all backends if none specified). A backend name or
2702 identifier may be used.
2703
2704 The output consists in a header line showing the fields titles, then one
2705 server per line with for each, the backend name and ID, server name and ID,
2706 the address, port and a series or values. The number of fields varies
2707 depending on thread count.
2708
2709 Given the threaded nature of idle connections, it's important to understand
2710 that some values may change once read, and that as such, consistency within a
2711 line isn't granted. This output is mostly provided as a debugging tool and is
2712 not relevant to be routinely monitored nor graphed.
2713
Willy Tarreau44aed902015-10-13 14:45:29 +02002714show servers state [<backend>]
2715 Dump the state of the servers found in the running configuration. A backend
2716 name or identifier may be provided to limit the output to this backend only.
2717
2718 The dump has the following format:
2719 - first line contains the format version (1 in this specification);
2720 - second line contains the column headers, prefixed by a sharp ('#');
2721 - third line and next ones contain data;
2722 - each line starting by a sharp ('#') is considered as a comment.
2723
Dan Lloyd8e48b872016-07-01 21:01:18 -04002724 Since multiple versions of the output may co-exist, below is the list of
Willy Tarreau44aed902015-10-13 14:45:29 +02002725 fields and their order per file format version :
2726 1:
2727 be_id: Backend unique id.
2728 be_name: Backend label.
2729 srv_id: Server unique id (in the backend).
2730 srv_name: Server label.
2731 srv_addr: Server IP address.
2732 srv_op_state: Server operational state (UP/DOWN/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002733 0 = SRV_ST_STOPPED
2734 The server is down.
2735 1 = SRV_ST_STARTING
2736 The server is warming up (up but
2737 throttled).
2738 2 = SRV_ST_RUNNING
2739 The server is fully up.
2740 3 = SRV_ST_STOPPING
2741 The server is up but soft-stopping
2742 (eg: 404).
Willy Tarreau44aed902015-10-13 14:45:29 +02002743 srv_admin_state: Server administrative state (MAINT/DRAIN/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002744 The state is actually a mask of values :
2745 0x01 = SRV_ADMF_FMAINT
2746 The server was explicitly forced into
2747 maintenance.
2748 0x02 = SRV_ADMF_IMAINT
2749 The server has inherited the maintenance
2750 status from a tracked server.
2751 0x04 = SRV_ADMF_CMAINT
2752 The server is in maintenance because of
2753 the configuration.
2754 0x08 = SRV_ADMF_FDRAIN
2755 The server was explicitly forced into
2756 drain state.
2757 0x10 = SRV_ADMF_IDRAIN
2758 The server has inherited the drain status
2759 from a tracked server.
Baptiste Assmann89aa7f32016-11-02 21:31:27 +01002760 0x20 = SRV_ADMF_RMAINT
2761 The server is in maintenance because of an
2762 IP address resolution failure.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002763 0x40 = SRV_ADMF_HMAINT
2764 The server FQDN was set from stats socket.
2765
Willy Tarreau44aed902015-10-13 14:45:29 +02002766 srv_uweight: User visible server's weight.
2767 srv_iweight: Server's initial weight.
2768 srv_time_since_last_change: Time since last operational change.
2769 srv_check_status: Last health check status.
2770 srv_check_result: Last check result (FAILED/PASSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002771 0 = CHK_RES_UNKNOWN
2772 Initialized to this by default.
2773 1 = CHK_RES_NEUTRAL
2774 Valid check but no status information.
2775 2 = CHK_RES_FAILED
2776 Check failed.
2777 3 = CHK_RES_PASSED
2778 Check succeeded and server is fully up
2779 again.
2780 4 = CHK_RES_CONDPASS
2781 Check reports the server doesn't want new
2782 sessions.
Willy Tarreau44aed902015-10-13 14:45:29 +02002783 srv_check_health: Checks rise / fall current counter.
2784 srv_check_state: State of the check (ENABLED/PAUSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002785 The state is actually a mask of values :
2786 0x01 = CHK_ST_INPROGRESS
2787 A check is currently running.
2788 0x02 = CHK_ST_CONFIGURED
2789 This check is configured and may be
2790 enabled.
2791 0x04 = CHK_ST_ENABLED
2792 This check is currently administratively
2793 enabled.
2794 0x08 = CHK_ST_PAUSED
2795 Checks are paused because of maintenance
2796 (health only).
Willy Tarreau44aed902015-10-13 14:45:29 +02002797 srv_agent_state: State of the agent check (ENABLED/PAUSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002798 This state uses the same mask values as
2799 "srv_check_state", adding this specific one :
2800 0x10 = CHK_ST_AGENT
2801 Check is an agent check (otherwise it's a
2802 health check).
Willy Tarreau44aed902015-10-13 14:45:29 +02002803 bk_f_forced_id: Flag to know if the backend ID is forced by
2804 configuration.
2805 srv_f_forced_id: Flag to know if the server's ID is forced by
2806 configuration.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002807 srv_fqdn: Server FQDN.
Frédéric Lécaille31694712017-08-01 08:47:19 +02002808 srv_port: Server port.
Baptiste Assmann6d0f38f2018-07-02 17:00:54 +02002809 srvrecord: DNS SRV record associated to this SRV.
William Dauchyf6370442020-11-14 19:25:33 +01002810 srv_use_ssl: use ssl for server connections.
William Dauchyd1a7b852021-02-11 22:51:26 +01002811 srv_check_port: Server health check port.
2812 srv_check_addr: Server health check address.
2813 srv_agent_addr: Server health agent address.
2814 srv_agent_port: Server health agent port.
Willy Tarreau44aed902015-10-13 14:45:29 +02002815
2816show sess
2817 Dump all known sessions. Avoid doing this on slow connections as this can
2818 be huge. This command is restricted and can only be issued on sockets
Willy Tarreauc6e7a1b2020-06-28 01:24:12 +02002819 configured for levels "operator" or "admin". Note that on machines with
2820 quickly recycled connections, it is possible that this output reports less
2821 entries than really exist because it will dump all existing sessions up to
2822 the last one that was created before the command was entered; those which
2823 die in the mean time will not appear.
Willy Tarreau44aed902015-10-13 14:45:29 +02002824
2825show sess <id>
2826 Display a lot of internal information about the specified session identifier.
2827 This identifier is the first field at the beginning of the lines in the dumps
2828 of "show sess" (it corresponds to the session pointer). Those information are
2829 useless to most users but may be used by haproxy developers to troubleshoot a
2830 complex bug. The output format is intentionally not documented so that it can
2831 freely evolve depending on demands. You may find a description of all fields
2832 returned in src/dumpstats.c
2833
2834 The special id "all" dumps the states of all sessions, which must be avoided
2835 as much as possible as it is highly CPU intensive and can take a lot of time.
2836
Daniel Corbettc40edac2020-11-01 10:54:17 -05002837show stat [domain <dns|proxy>] [{<iid>|<proxy>} <type> <sid>] [typed|json] \
Willy Tarreau698097b2020-10-23 20:19:47 +02002838 [desc] [up|no-maint]
Daniel Corbettc40edac2020-11-01 10:54:17 -05002839 Dump statistics. The domain is used to select which statistics to print; dns
2840 and proxy are available for now. By default, the CSV format is used; you can
Amaury Denoyelle072f97e2020-10-05 11:49:37 +02002841 activate the extended typed output format described in the section above if
2842 "typed" is passed after the other arguments; or in JSON if "json" is passed
2843 after the other arguments. By passing <id>, <type> and <sid>, it is possible
2844 to dump only selected items :
Willy Tarreaua1b1ed52016-11-25 08:50:58 +01002845 - <iid> is a proxy ID, -1 to dump everything. Alternatively, a proxy name
2846 <proxy> may be specified. In this case, this proxy's ID will be used as
2847 the ID selector.
Willy Tarreau44aed902015-10-13 14:45:29 +02002848 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
2849 backends, 4 for servers, -1 for everything. These values can be ORed,
2850 for example:
2851 1 + 2 = 3 -> frontend + backend.
2852 1 + 2 + 4 = 7 -> frontend + backend + server.
2853 - <sid> is a server ID, -1 to dump everything from the selected proxy.
2854
2855 Example :
2856 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
2857 >>> Name: HAProxy
2858 Version: 1.4-dev2-49
2859 Release_date: 2009/09/23
2860 Nbproc: 1
2861 Process_num: 1
2862 (...)
2863
2864 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
2865 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
2866 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
2867 (...)
2868 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
2869
2870 $
2871
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002872 In this example, two commands have been issued at once. That way it's easy to
2873 find which process the stats apply to in multi-process mode. This is not
2874 needed in the typed output format as the process number is reported on each
2875 line. Notice the empty line after the information output which marks the end
2876 of the first block. A similar empty line appears at the end of the second
2877 block (stats) so that the reader knows the output has not been truncated.
2878
2879 When "typed" is specified, the output format is more suitable to monitoring
2880 tools because it provides numeric positions and indicates the type of each
2881 output field. Each value stands on its own line with process number, element
2882 number, nature, origin and scope. This same format is available via the HTTP
2883 stats by passing ";typed" after the URI. It is very important to note that in
Dan Lloyd8e48b872016-07-01 21:01:18 -04002884 typed output format, the dump for a single object is contiguous so that there
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002885 is no need for a consumer to store everything at once.
2886
Willy Tarreau698097b2020-10-23 20:19:47 +02002887 The "up" modifier will result in listing only servers which reportedly up or
2888 not checked. Those down, unresolved, or in maintenance will not be listed.
2889 This is analogous to the ";up" option on the HTTP stats. Similarly, the
2890 "no-maint" modifier will act like the ";no-maint" HTTP modifier and will
2891 result in disabled servers not to be listed. The difference is that those
2892 which are enabled but down will not be evicted.
2893
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002894 When using the typed output format, each line is made of 4 columns delimited
2895 by colons (':'). The first column is a dot-delimited series of 5 elements. The
2896 first element is a letter indicating the type of the object being described.
2897 At the moment the following object types are known : 'F' for a frontend, 'B'
2898 for a backend, 'L' for a listener, and 'S' for a server. The second element
2899 The second element is a positive integer representing the unique identifier of
2900 the proxy the object belongs to. It is equivalent to the "iid" column of the
2901 CSV output and matches the value in front of the optional "id" directive found
2902 in the frontend or backend section. The third element is a positive integer
2903 containing the unique object identifier inside the proxy, and corresponds to
2904 the "sid" column of the CSV output. ID 0 is reported when dumping a frontend
2905 or a backend. For a listener or a server, this corresponds to their respective
2906 ID inside the proxy. The fourth element is the numeric position of the field
2907 in the list (starting at zero). This position shall not change over time, but
2908 holes are to be expected, depending on build options or if some fields are
2909 deleted in the future. The fifth element is the field name as it appears in
2910 the CSV output. The sixth element is a positive integer and is the relative
2911 process number starting at 1.
2912
2913 The rest of the line starting after the first colon follows the "typed output
2914 format" described in the section above. In short, the second column (after the
2915 first ':') indicates the origin, nature and scope of the variable. The third
Willy Tarreau589722e2021-05-08 07:46:44 +02002916 column indicates the field type, among "s32", "s64", "u32", "u64", "flt' and
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002917 "str". Then the fourth column is the value itself, which the consumer knows
2918 how to parse thanks to column 3 and how to process thanks to column 2.
2919
Willy Tarreau6b19b142019-10-09 15:44:21 +02002920 When "desc" is appended to the command, one extra colon followed by a quoted
2921 string is appended with a description for the metric. At the time of writing,
2922 this is only supported for the "typed" output format.
2923
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002924 Thus the overall line format in typed mode is :
2925
2926 <obj>.<px_id>.<id>.<fpos>.<fname>.<process_num>:<tags>:<type>:<value>
2927
2928 Here's an example of typed output format :
2929
2930 $ echo "show stat typed" | socat stdio unix-connect:/tmp/sock1
2931 F.2.0.0.pxname.1:MGP:str:private-frontend
2932 F.2.0.1.svname.1:MGP:str:FRONTEND
2933 F.2.0.8.bin.1:MGP:u64:0
2934 F.2.0.9.bout.1:MGP:u64:0
2935 F.2.0.40.hrsp_2xx.1:MGP:u64:0
2936 L.2.1.0.pxname.1:MGP:str:private-frontend
2937 L.2.1.1.svname.1:MGP:str:sock-1
2938 L.2.1.17.status.1:MGP:str:OPEN
2939 L.2.1.73.addr.1:MGP:str:0.0.0.0:8001
2940 S.3.13.60.rtime.1:MCP:u32:0
2941 S.3.13.61.ttime.1:MCP:u32:0
2942 S.3.13.62.agent_status.1:MGP:str:L4TOUT
2943 S.3.13.64.agent_duration.1:MGP:u64:2001
2944 S.3.13.65.check_desc.1:MCP:str:Layer4 timeout
2945 S.3.13.66.agent_desc.1:MCP:str:Layer4 timeout
2946 S.3.13.67.check_rise.1:MCP:u32:2
2947 S.3.13.68.check_fall.1:MCP:u32:3
2948 S.3.13.69.check_health.1:SGP:u32:0
2949 S.3.13.70.agent_rise.1:MaP:u32:1
2950 S.3.13.71.agent_fall.1:SGP:u32:1
2951 S.3.13.72.agent_health.1:SGP:u32:1
2952 S.3.13.73.addr.1:MCP:str:1.255.255.255:8888
2953 S.3.13.75.mode.1:MAP:str:http
2954 B.3.0.0.pxname.1:MGP:str:private-backend
2955 B.3.0.1.svname.1:MGP:str:BACKEND
2956 B.3.0.2.qcur.1:MGP:u32:0
2957 B.3.0.3.qmax.1:MGP:u32:0
2958 B.3.0.4.scur.1:MGP:u32:0
2959 B.3.0.5.smax.1:MGP:u32:0
2960 B.3.0.6.slim.1:MGP:u32:1000
2961 B.3.0.55.lastsess.1:MMP:s32:-1
2962 (...)
2963
Simon Horman1084a362016-11-21 17:00:24 +01002964 In the typed format, the presence of the process ID at the end of the
2965 first column makes it very easy to visually aggregate outputs from
2966 multiple processes, as show in the example below where each line appears
2967 for each process :
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002968
2969 $ ( echo show stat typed | socat /var/run/haproxy.sock1 - ; \
2970 echo show stat typed | socat /var/run/haproxy.sock2 - ) | \
2971 sort -t . -k 1,1 -k 2,2n -k 3,3n -k 4,4n -k 5,5 -k 6,6n
2972 B.3.0.0.pxname.1:MGP:str:private-backend
2973 B.3.0.0.pxname.2:MGP:str:private-backend
2974 B.3.0.1.svname.1:MGP:str:BACKEND
2975 B.3.0.1.svname.2:MGP:str:BACKEND
2976 B.3.0.2.qcur.1:MGP:u32:0
2977 B.3.0.2.qcur.2:MGP:u32:0
2978 B.3.0.3.qmax.1:MGP:u32:0
2979 B.3.0.3.qmax.2:MGP:u32:0
2980 B.3.0.4.scur.1:MGP:u32:0
2981 B.3.0.4.scur.2:MGP:u32:0
2982 B.3.0.5.smax.1:MGP:u32:0
2983 B.3.0.5.smax.2:MGP:u32:0
2984 B.3.0.6.slim.1:MGP:u32:1000
2985 B.3.0.6.slim.2:MGP:u32:1000
2986 (...)
Willy Tarreau44aed902015-10-13 14:45:29 +02002987
Simon Horman05ee2132017-01-04 09:37:25 +01002988 The format of JSON output is described in a schema which may be output
Simon Horman6f6bb382017-01-04 09:37:26 +01002989 using "show schema json".
2990
2991 The JSON output contains no extra whitespace in order to reduce the
2992 volume of output. For human consumption passing the output through a
2993 pretty printer may be helpful. Example :
2994
2995 $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
2996 python -m json.tool
Simon Horman05ee2132017-01-04 09:37:25 +01002997
2998 The JSON output contains no extra whitespace in order to reduce the
2999 volume of output. For human consumption passing the output through a
3000 pretty printer may be helpful. Example :
3001
3002 $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
3003 python -m json.tool
3004
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02003005show ssl ca-file [<cafile>[:<index>]]
3006 Display the list of CA files used by HAProxy and their respective certificate
3007 counts. If a filename is prefixed by an asterisk, it is a transaction which
3008 is not committed yet. If a <cafile> is specified without <index>, it will show
3009 the status of the CA file ("Used"/"Unused") followed by details about all the
3010 certificates contained in the CA file. The details displayed for every
3011 certificate are the same as the ones displayed by a "show ssl cert" command.
3012 If a <cafile> is specified followed by an <index>, it will only display the
3013 details of the certificate having the specified index. Indexes start from 1.
3014 If the index is invalid (too big for instance), nothing will be displayed.
3015 This command can be useful to check if a CA file was properly updated.
3016 You can also display the details of an ongoing transaction by prefixing the
3017 filename by an asterisk.
3018
3019 Example :
3020
3021 $ echo "show ssl ca-file" | socat /var/run/haproxy.master -
3022 # transaction
3023 *cafile.crt - 2 certificate(s)
3024 # filename
3025 cafile.crt - 1 certificate(s)
3026
3027 $ echo "show ssl ca-file cafile.crt" | socat /var/run/haproxy.master -
3028 Filename: /home/tricot/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt
3029 Status: Used
3030
3031 Certificate #1:
3032 Serial: 11A4D2200DC84376E7D233CAFF39DF44BF8D1211
3033 notBefore: Apr 1 07:40:53 2021 GMT
3034 notAfter: Aug 17 07:40:53 2048 GMT
3035 Subject Alternative Name:
3036 Algorithm: RSA4096
3037 SHA1 FingerPrint: A111EF0FEFCDE11D47FE3F33ADCA8435EBEA4864
3038 Subject: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA
3039 Issuer: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA
3040
3041 $ echo "show ssl ca-file *cafile.crt:2" | socat /var/run/haproxy.master -
3042 Filename: */home/tricot/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt
3043 Status: Unused
3044
3045 Certificate #2:
3046 Serial: 587A1CE5ED855040A0C82BF255FF300ADB7C8136
3047 [...]
3048
William Lallemandd4f946c2019-12-05 10:26:40 +01003049show ssl cert [<filename>]
Remi Tricot-Le Bretonb5f0fac2021-04-14 16:19:29 +02003050 Display the list of certificates used on frontends and backends.
3051 If a filename is prefixed by an asterisk, it is a transaction which is not
3052 committed yet. If a filename is specified, it will show details about the
3053 certificate. This command can be useful to check if a certificate was well
3054 updated. You can also display details on a transaction by prefixing the
3055 filename by an asterisk.
Remi Tricot-Le Breton6056e612021-06-10 13:51:15 +02003056 This command can also be used to display the details of a certificate's OCSP
3057 response by suffixing the filename with a ".ocsp" extension. It works for
3058 committed certificates as well as for ongoing transactions. On a committed
3059 certificate, this command is equivalent to calling "show ssl ocsp-response"
3060 with the certificate's corresponding OCSP response ID.
William Lallemandd4f946c2019-12-05 10:26:40 +01003061
3062 Example :
3063
3064 $ echo "@1 show ssl cert" | socat /var/run/haproxy.master -
3065 # transaction
3066 *test.local.pem
3067 # filename
3068 test.local.pem
3069
3070 $ echo "@1 show ssl cert test.local.pem" | socat /var/run/haproxy.master -
3071 Filename: test.local.pem
3072 Serial: 03ECC19BA54B25E85ABA46EE561B9A10D26F
3073 notBefore: Sep 13 21:20:24 2019 GMT
3074 notAfter: Dec 12 21:20:24 2019 GMT
3075 Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
3076 Subject: /CN=test.local
3077 Subject Alternative Name: DNS:test.local, DNS:imap.test.local
3078 Algorithm: RSA2048
3079 SHA1 FingerPrint: 417A11CAE25F607B24F638B4A8AEE51D1E211477
3080
3081 $ echo "@1 show ssl cert *test.local.pem" | socat /var/run/haproxy.master -
3082 Filename: *test.local.pem
3083 [...]
3084
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02003085show ssl crl-file [<crlfile>[:<index>]]
3086 Display the list of CRL files used by HAProxy.
3087 If a filename is prefixed by an asterisk, it is a transaction which is not
3088 committed yet. If a <crlfile> is specified without <index>, it will show the
3089 status of the CRL file ("Used"/"Unused") followed by details about all the
3090 Revocation Lists contained in the CRL file. The details displayed for every
3091 list are based on the output of "openssl crl -text -noout -in <file>".
3092 If a <crlfile> is specified followed by an <index>, it will only display the
3093 details of the list having the specified index. Indexes start from 1.
3094 If the index is invalid (too big for instance), nothing will be displayed.
3095 This command can be useful to check if a CRL file was properly updated.
3096 You can also display the details of an ongoing transaction by prefixing the
3097 filename by an asterisk.
3098
3099 Example :
3100
3101 $ echo "show ssl crl-file" | socat /var/run/haproxy.master -
3102 # transaction
3103 *crlfile.pem
3104 # filename
3105 crlfile.pem
3106
3107 $ echo "show ssl crl-file crlfile.pem" | socat /var/run/haproxy.master -
3108 Filename: /home/tricot/work/haproxy/reg-tests/ssl/crlfile.pem
3109 Status: Used
3110
3111 Certificate Revocation List #1:
3112 Version 1
3113 Signature Algorithm: sha256WithRSAEncryption
3114 Issuer: /C=FR/O=HAProxy Technologies/CN=Intermediate CA2
3115 Last Update: Apr 23 14:45:39 2021 GMT
3116 Next Update: Sep 8 14:45:39 2048 GMT
3117 Revoked Certificates:
3118 Serial Number: 1008
3119 Revocation Date: Apr 23 14:45:36 2021 GMT
3120
3121 Certificate Revocation List #2:
3122 Version 1
3123 Signature Algorithm: sha256WithRSAEncryption
3124 Issuer: /C=FR/O=HAProxy Technologies/CN=Root CA
3125 Last Update: Apr 23 14:30:44 2021 GMT
3126 Next Update: Sep 8 14:30:44 2048 GMT
3127 No Revoked Certificates.
3128
William Lallemandc69f02d2020-04-06 19:07:03 +02003129show ssl crt-list [-n] [<filename>]
William Lallemandaccac232020-04-02 17:42:51 +02003130 Display the list of crt-list and directories used in the HAProxy
William Lallemandc69f02d2020-04-06 19:07:03 +02003131 configuration. If a filename is specified, dump the content of a crt-list or
3132 a directory. Once dumped the output can be used as a crt-list file.
3133 The '-n' option can be used to display the line number, which is useful when
3134 combined with the 'del ssl crt-list' option when a entry is duplicated. The
3135 output with the '-n' option is not compatible with the crt-list format and
3136 not loadable by haproxy.
William Lallemandaccac232020-04-02 17:42:51 +02003137
3138 Example:
William Lallemandc69f02d2020-04-06 19:07:03 +02003139 echo "show ssl crt-list -n localhost.crt-list" | socat /tmp/sock1 -
William Lallemandaccac232020-04-02 17:42:51 +02003140 # localhost.crt-list
William Lallemandc69f02d2020-04-06 19:07:03 +02003141 common.pem:1 !not.test1.com *.test1.com !localhost
3142 common.pem:2
3143 ecdsa.pem:3 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
3144 ecdsa.pem:4 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
William Lallemandaccac232020-04-02 17:42:51 +02003145
Remi Tricot-Le Bretond92fd112021-06-10 13:51:13 +02003146show ssl ocsp-response [<id>]
3147 Display the IDs of the OCSP tree entries corresponding to all the OCSP
3148 responses used in HAProxy, as well as the issuer's name and key hash and the
3149 serial number of the certificate for which the OCSP response was built.
3150 If a valid <id> is provided, display the contents of the corresponding OCSP
3151 response. The information displayed is the same as in an "openssl ocsp -respin
3152 <ocsp-response> -text" call.
3153
3154 Example :
3155
3156 $ echo "show ssl ocsp-response" | socat /var/run/haproxy.master -
3157 # Certificate IDs
3158 Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a
3159 Certificate ID:
3160
3161 Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
3162 Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
3163 Serial Number: 100A
3164
3165 $ echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | socat /var/run/haproxy.master -
3166 OCSP Response Data:
3167 OCSP Response Status: successful (0x0)
3168 Response Type: Basic OCSP Response
3169 Version: 1 (0x0)
3170 Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
3171 Produced At: May 27 15:43:38 2021 GMT
3172 Responses:
3173 Certificate ID:
3174 Hash Algorithm: sha1
3175 Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
3176 Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
3177 Serial Number: 100A
3178 Cert Status: good
3179 This Update: May 27 15:43:38 2021 GMT
3180 Next Update: Oct 12 15:43:38 2048 GMT
3181 [...]
3182
Willy Tarreau44aed902015-10-13 14:45:29 +02003183show table
3184 Dump general information on all known stick-tables. Their name is returned
3185 (the name of the proxy which holds them), their type (currently zero, always
3186 IP), their size in maximum possible number of entries, and the number of
3187 entries currently in use.
3188
3189 Example :
3190 $ echo "show table" | socat stdio /tmp/sock1
3191 >>> # table: front_pub, type: ip, size:204800, used:171454
3192 >>> # table: back_rdp, type: ip, size:204800, used:0
3193
Adis Nezirovic1a693fc2020-01-16 15:19:29 +01003194show table <name> [ data.<type> <operator> <value> [data.<type> ...]] | [ key <key> ]
Willy Tarreau44aed902015-10-13 14:45:29 +02003195 Dump contents of stick-table <name>. In this mode, a first line of generic
3196 information about the table is reported as with "show table", then all
3197 entries are dumped. Since this can be quite heavy, it is possible to specify
3198 a filter in order to specify what entries to display.
3199
3200 When the "data." form is used the filter applies to the stored data (see
3201 "stick-table" in section 4.2). A stored data type must be specified
3202 in <type>, and this data type must be stored in the table otherwise an
3203 error is reported. The data is compared according to <operator> with the
3204 64-bit integer <value>. Operators are the same as with the ACLs :
3205
3206 - eq : match entries whose data is equal to this value
3207 - ne : match entries whose data is not equal to this value
3208 - le : match entries whose data is less than or equal to this value
3209 - ge : match entries whose data is greater than or equal to this value
3210 - lt : match entries whose data is less than this value
3211 - gt : match entries whose data is greater than this value
3212
Adis Nezirovic1a693fc2020-01-16 15:19:29 +01003213 In this form, you can use multiple data filter entries, up to a maximum
3214 defined during build time (4 by default).
Willy Tarreau44aed902015-10-13 14:45:29 +02003215
3216 When the key form is used the entry <key> is shown. The key must be of the
3217 same type as the table, which currently is limited to IPv4, IPv6, integer,
3218 and string.
3219
3220 Example :
3221 $ echo "show table http_proxy" | socat stdio /tmp/sock1
3222 >>> # table: http_proxy, type: ip, size:204800, used:2
3223 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
3224 bytes_out_rate(60000)=187
3225 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3226 bytes_out_rate(60000)=191
3227
3228 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
3229 >>> # table: http_proxy, type: ip, size:204800, used:2
3230 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3231 bytes_out_rate(60000)=191
3232
3233 $ echo "show table http_proxy data.conn_rate gt 5" | \
3234 socat stdio /tmp/sock1
3235 >>> # table: http_proxy, type: ip, size:204800, used:2
3236 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3237 bytes_out_rate(60000)=191
3238
3239 $ echo "show table http_proxy key 127.0.0.2" | \
3240 socat stdio /tmp/sock1
3241 >>> # table: http_proxy, type: ip, size:204800, used:2
3242 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3243 bytes_out_rate(60000)=191
3244
3245 When the data criterion applies to a dynamic value dependent on time such as
3246 a bytes rate, the value is dynamically computed during the evaluation of the
3247 entry in order to decide whether it has to be dumped or not. This means that
3248 such a filter could match for some time then not match anymore because as
3249 time goes, the average event rate drops.
3250
3251 It is possible to use this to extract lists of IP addresses abusing the
3252 service, in order to monitor them or even blacklist them in a firewall.
3253 Example :
3254 $ echo "show table http_proxy data.gpc0 gt 0" \
3255 | socat stdio /tmp/sock1 \
3256 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
3257 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
3258
Willy Tarreau7eff06e2021-01-29 11:32:55 +01003259show tasks
3260 Dumps the number of tasks currently in the run queue, with the number of
3261 occurrences for each function, and their average latency when it's known
3262 (for pure tasks with task profiling enabled). The dump is a snapshot of the
3263 instant it's done, and there may be variations depending on what tasks are
3264 left in the queue at the moment it happens, especially in mono-thread mode
3265 as there's less chance that I/Os can refill the queue (unless the queue is
3266 full). This command takes exclusive access to the process and can cause
3267 minor but measurable latencies when issued on a highly loaded process, so
3268 it must not be abused by monitoring bots.
3269
Willy Tarreau4e2b6462019-05-16 17:44:30 +02003270show threads
3271 Dumps some internal states and structures for each thread, that may be useful
3272 to help developers understand a problem. The output tries to be readable by
Willy Tarreauc7091d82019-05-17 10:08:49 +02003273 showing one block per thread. When haproxy is built with USE_THREAD_DUMP=1,
3274 an advanced dump mechanism involving thread signals is used so that each
3275 thread can dump its own state in turn. Without this option, the thread
3276 processing the command shows all its details but the other ones are less
Willy Tarreaue6a02fa2019-05-22 07:06:44 +02003277 detailed. A star ('*') is displayed in front of the thread handling the
3278 command. A right angle bracket ('>') may also be displayed in front of
3279 threads which didn't make any progress since last invocation of this command,
3280 indicating a bug in the code which must absolutely be reported. When this
3281 happens between two threads it usually indicates a deadlock. If a thread is
3282 alone, it's a different bug like a corrupted list. In all cases the process
3283 needs is not fully functional anymore and needs to be restarted.
3284
3285 The output format is purposely not documented so that it can easily evolve as
3286 new needs are identified, without having to maintain any form of backwards
3287 compatibility, and just like with "show activity", the values are meaningless
3288 without the code at hand.
Willy Tarreau4e2b6462019-05-16 17:44:30 +02003289
William Lallemandbb933462016-05-31 21:09:53 +02003290show tls-keys [id|*]
3291 Dump all loaded TLS ticket keys references. The TLS ticket key reference ID
3292 and the file from which the keys have been loaded is shown. Both of those
3293 can be used to update the TLS keys using "set ssl tls-key". If an ID is
3294 specified as parameter, it will dump the tickets, using * it will dump every
3295 keys from every references.
Willy Tarreau44aed902015-10-13 14:45:29 +02003296
Simon Horman6f6bb382017-01-04 09:37:26 +01003297show schema json
3298 Dump the schema used for the output of "show info json" and "show stat json".
3299
3300 The contains no extra whitespace in order to reduce the volume of output.
3301 For human consumption passing the output through a pretty printer may be
3302 helpful. Example :
3303
3304 $ echo "show schema json" | socat /var/run/haproxy.sock stdio | \
3305 python -m json.tool
3306
3307 The schema follows "JSON Schema" (json-schema.org) and accordingly
3308 verifiers may be used to verify the output of "show info json" and "show
3309 stat json" against the schema.
3310
Willy Tarreauf909c912019-08-22 20:06:04 +02003311show trace [<source>]
3312 Show the current trace status. For each source a line is displayed with a
3313 single-character status indicating if the trace is stopped, waiting, or
3314 running. The output sink used by the trace is indicated (or "none" if none
3315 was set), as well as the number of dropped events in this sink, followed by a
3316 brief description of the source. If a source name is specified, a detailed
3317 list of all events supported by the source, and their status for each action
3318 (report, start, pause, stop), indicated by a "+" if they are enabled, or a
3319 "-" otherwise. All these events are independent and an event might trigger
3320 a start without being reported and conversely.
Simon Horman6f6bb382017-01-04 09:37:26 +01003321
Willy Tarreau44aed902015-10-13 14:45:29 +02003322shutdown frontend <frontend>
3323 Completely delete the specified frontend. All the ports it was bound to will
3324 be released. It will not be possible to enable the frontend anymore after
3325 this operation. This is intended to be used in environments where stopping a
3326 proxy is not even imaginable but a misconfigured proxy must be fixed. That
3327 way it's possible to release the port and bind it into another process to
3328 restore operations. The frontend will not appear at all on the stats page
3329 once it is terminated.
3330
3331 The frontend may be specified either by its name or by its numeric ID,
3332 prefixed with a sharp ('#').
3333
3334 This command is restricted and can only be issued on sockets configured for
3335 level "admin".
3336
3337shutdown session <id>
3338 Immediately terminate the session matching the specified session identifier.
3339 This identifier is the first field at the beginning of the lines in the dumps
3340 of "show sess" (it corresponds to the session pointer). This can be used to
3341 terminate a long-running session without waiting for a timeout or when an
3342 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
3343 flag in the logs.
3344
3345shutdown sessions server <backend>/<server>
3346 Immediately terminate all the sessions attached to the specified server. This
3347 can be used to terminate long-running sessions after a server is put into
3348 maintenance mode, for instance. Such terminated sessions are reported with a
3349 'K' flag in the logs.
3350
Willy Tarreauf909c912019-08-22 20:06:04 +02003351trace
3352 The "trace" command alone lists the trace sources, their current status, and
3353 their brief descriptions. It is only meant as a menu to enter next levels,
3354 see other "trace" commands below.
3355
3356trace 0
3357 Immediately stops all traces. This is made to be used as a quick solution
3358 to terminate a debugging session or as an emergency action to be used in case
3359 complex traces were enabled on multiple sources and impact the service.
3360
3361trace <source> event [ [+|-|!]<name> ]
3362 Without argument, this will list all the events supported by the designated
3363 source. They are prefixed with a "-" if they are not enabled, or a "+" if
3364 they are enabled. It is important to note that a single trace may be labelled
3365 with multiple events, and as long as any of the enabled events matches one of
3366 the events labelled on the trace, the event will be passed to the trace
3367 subsystem. For example, receiving an HTTP/2 frame of type HEADERS may trigger
3368 a frame event and a stream event since the frame creates a new stream. If
3369 either the frame event or the stream event are enabled for this source, the
3370 frame will be passed to the trace framework.
3371
3372 With an argument, it is possible to toggle the state of each event and
3373 individually enable or disable them. Two special keywords are supported,
3374 "none", which matches no event, and is used to disable all events at once,
3375 and "any" which matches all events, and is used to enable all events at
3376 once. Other events are specific to the event source. It is possible to
3377 enable one event by specifying its name, optionally prefixed with '+' for
3378 better readability. It is possible to disable one event by specifying its
3379 name prefixed by a '-' or a '!'.
3380
3381 One way to completely disable a trace source is to pass "event none", and
3382 this source will instantly be totally ignored.
3383
3384trace <source> level [<level>]
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003385 Without argument, this will list all trace levels for this source, and the
Willy Tarreauf909c912019-08-22 20:06:04 +02003386 current one will be indicated by a star ('*') prepended in front of it. With
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003387 an argument, this will change the trace level to the specified level. Detail
Willy Tarreauf909c912019-08-22 20:06:04 +02003388 levels are a form of filters that are applied before reporting the events.
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003389 These filters are used to selectively include or exclude events depending on
3390 their level of importance. For example a developer might need to know
3391 precisely where in the code an HTTP header was considered invalid while the
3392 end user may not even care about this header's validity at all. There are
3393 currently 5 distinct levels for a trace :
Willy Tarreauf909c912019-08-22 20:06:04 +02003394
3395 user this will report information that are suitable for use by a
3396 regular haproxy user who wants to observe his traffic.
3397 Typically some HTTP requests and responses will be reported
3398 without much detail. Most sources will set this as the
3399 default level to ease operations.
3400
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003401 proto in addition to what is reported at the "user" level, it also
3402 displays protocol-level updates. This can for example be the
3403 frame types or HTTP headers after decoding.
Willy Tarreauf909c912019-08-22 20:06:04 +02003404
3405 state in addition to what is reported at the "proto" level, it
3406 will also display state transitions (or failed transitions)
3407 which happen in parsers, so this will show attempts to
3408 perform an operation while the "proto" level only shows
3409 the final operation.
3410
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003411 data in addition to what is reported at the "state" level, it
3412 will also include data transfers between the various layers.
3413
Willy Tarreauf909c912019-08-22 20:06:04 +02003414 developer it reports everything available, which can include advanced
3415 information such as "breaking out of this loop" that are
3416 only relevant to a developer trying to understand a bug that
Willy Tarreau09fb0df2019-08-29 08:40:59 +02003417 only happens once in a while in field. Function names are
3418 only reported at this level.
Willy Tarreauf909c912019-08-22 20:06:04 +02003419
3420 It is highly recommended to always use the "user" level only and switch to
3421 other levels only if instructed to do so by a developer. Also it is a good
3422 idea to first configure the events before switching to higher levels, as it
3423 may save from dumping many lines if no filter is applied.
3424
3425trace <source> lock [criterion]
3426 Without argument, this will list all the criteria supported by this source
3427 for lock-on processing, and display the current choice by a star ('*') in
3428 front of it. Lock-on means that the source will focus on the first matching
3429 event and only stick to the criterion which triggered this event, and ignore
3430 all other ones until the trace stops. This allows for example to take a trace
3431 on a single connection or on a single stream. The following criteria are
3432 supported by some traces, though not necessarily all, since some of them
3433 might not be available to the source :
3434
3435 backend lock on the backend that started the trace
3436 connection lock on the connection that started the trace
3437 frontend lock on the frontend that started the trace
3438 listener lock on the listener that started the trace
3439 nothing do not lock on anything
3440 server lock on the server that started the trace
3441 session lock on the session that started the trace
3442 thread lock on the thread that started the trace
3443
3444 In addition to this, each source may provide up to 4 specific criteria such
3445 as internal states or connection IDs. For example in HTTP/2 it is possible
3446 to lock on the H2 stream and ignore other streams once a strace starts.
3447
3448 When a criterion is passed in argument, this one is used instead of the
3449 other ones and any existing tracking is immediately terminated so that it can
3450 restart with the new criterion. The special keyword "nothing" is supported by
3451 all sources to permanently disable tracking.
3452
3453trace <source> { pause | start | stop } [ [+|-|!]event]
3454 Without argument, this will list the events enabled to automatically pause,
3455 start, or stop a trace for this source. These events are specific to each
3456 trace source. With an argument, this will either enable the event for the
3457 specified action (if optionally prefixed by a '+') or disable it (if
3458 prefixed by a '-' or '!'). The special keyword "now" is not an event and
3459 requests to take the action immediately. The keywords "none" and "any" are
3460 supported just like in "trace event".
3461
3462 The 3 supported actions are respectively "pause", "start" and "stop". The
3463 "pause" action enumerates events which will cause a running trace to stop and
3464 wait for a new start event to restart it. The "start" action enumerates the
3465 events which switch the trace into the waiting mode until one of the start
3466 events appears. And the "stop" action enumerates the events which definitely
3467 stop the trace until it is manually enabled again. In practice it makes sense
3468 to manually start a trace using "start now" without caring about events, and
3469 to stop it using "stop now". In order to capture more subtle event sequences,
3470 setting "start" to a normal event (like receiving an HTTP request) and "stop"
3471 to a very rare event like emitting a certain error, will ensure that the last
3472 captured events will match the desired criteria. And the pause event is
3473 useful to detect the end of a sequence, disable the lock-on and wait for
3474 another opportunity to take a capture. In this case it can make sense to
3475 enable lock-on to spot only one specific criterion (e.g. a stream), and have
3476 "start" set to anything that starts this criterion (e.g. all events which
3477 create a stream), "stop" set to the expected anomaly, and "pause" to anything
3478 that ends that criterion (e.g. any end of stream event). In this case the
3479 trace log will contain complete sequences of perfectly clean series affecting
3480 a single object, until the last sequence containing everything from the
3481 beginning to the anomaly.
3482
3483trace <source> sink [<sink>]
3484 Without argument, this will list all event sinks available for this source,
3485 and the currently configured one will have a star ('*') prepended in front
3486 of it. Sink "none" is always available and means that all events are simply
3487 dropped, though their processing is not ignored (e.g. lock-on does occur).
3488 Other sinks are available depending on configuration and build options, but
3489 typically "stdout" and "stderr" will be usable in debug mode, and in-memory
3490 ring buffers should be available as well. When a name is specified, the sink
3491 instantly changes for the specified source. Events are not changed during a
3492 sink change. In the worst case some may be lost if an invalid sink is used
3493 (or "none"), but operations do continue to a different destination.
3494
Willy Tarreau370a6942019-08-29 08:24:16 +02003495trace <source> verbosity [<level>]
3496 Without argument, this will list all verbosity levels for this source, and the
3497 current one will be indicated by a star ('*') prepended in front of it. With
3498 an argument, this will change the verbosity level to the specified one.
3499
3500 Verbosity levels indicate how far the trace decoder should go to provide
3501 detailed information. It depends on the trace source, since some sources will
3502 not even provide a specific decoder. Level "quiet" is always available and
3503 disables any decoding. It can be useful when trying to figure what's
3504 happening before trying to understand the details, since it will have a very
3505 low impact on performance and trace size. When no verbosity levels are
3506 declared by a source, level "default" is available and will cause a decoder
3507 to be called when specified in the traces. It is an opportunistic decoding.
3508 When the source declares some verbosity levels, these ones are listed with
3509 a description of what they correspond to. In this case the trace decoder
3510 provided by the source will be as accurate as possible based on the
3511 information available at the trace point. The first level above "quiet" is
3512 set by default.
3513
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003514
William Lallemand142db372018-12-11 18:56:45 +010035159.4. Master CLI
3516---------------
3517
3518The master CLI is a socket bound to the master process in master-worker mode.
3519This CLI gives access to the unix socket commands in every running or leaving
3520processes and allows a basic supervision of those processes.
3521
3522The master CLI is configurable only from the haproxy program arguments with
3523the -S option. This option also takes bind options separated by commas.
3524
3525Example:
3526
3527 # haproxy -W -S 127.0.0.1:1234 -f test1.cfg
3528 # haproxy -Ws -S /tmp/master-socket,uid,1000,gid,1000,mode,600 -f test1.cfg
William Lallemandb7ea1412018-12-13 09:05:47 +01003529 # haproxy -W -S /tmp/master-socket,level,user -f test1.cfg
William Lallemand142db372018-12-11 18:56:45 +01003530
3531The master CLI introduces a new 'show proc' command to surpervise the
3532processes:
3533
3534Example:
3535
3536 $ echo 'show proc' | socat /var/run/haproxy-master.sock -
William Lallemand1dc69632019-06-12 19:11:33 +02003537 #<PID> <type> <relative PID> <reloads> <uptime> <version>
3538 1162 master 0 5 0d00h02m07s 2.0-dev7-0124c9-7
William Lallemand142db372018-12-11 18:56:45 +01003539 # workers
William Lallemand1dc69632019-06-12 19:11:33 +02003540 1271 worker 1 0 0d00h00m00s 2.0-dev7-0124c9-7
3541 1272 worker 2 0 0d00h00m00s 2.0-dev7-0124c9-7
William Lallemand142db372018-12-11 18:56:45 +01003542 # old workers
William Lallemand1dc69632019-06-12 19:11:33 +02003543 1233 worker [was: 1] 3 0d00h00m43s 2.0-dev3-6019f6-289
William Lallemand142db372018-12-11 18:56:45 +01003544
3545
3546In this example, the master has been reloaded 5 times but one of the old
3547worker is still running and survived 3 reloads. You could access the CLI of
3548this worker to understand what's going on.
3549
Willy Tarreau52880f92018-12-15 13:30:03 +01003550When the prompt is enabled (via the "prompt" command), the context the CLI is
3551working on is displayed in the prompt. The master is identified by the "master"
3552string, and other processes are identified with their PID. In case the last
3553reload failed, the master prompt will be changed to "master[ReloadFailed]>" so
3554that it becomes visible that the process is still running on the previous
3555configuration and that the new configuration is not operational.
3556
William Lallemand142db372018-12-11 18:56:45 +01003557The master CLI uses a special prefix notation to access the multiple
3558processes. This notation is easily identifiable as it begins by a @.
3559
3560A @ prefix can be followed by a relative process number or by an exclamation
3561point and a PID. (e.g. @1 or @!1271). A @ alone could be use to specify the
3562master. Leaving processes are only accessible with the PID as relative process
3563number are only usable with the current processes.
3564
3565Examples:
3566
3567 $ socat /var/run/haproxy-master.sock readline
3568 prompt
3569 master> @1 show info; @2 show info
3570 [...]
3571 Process_num: 1
3572 Pid: 1271
3573 [...]
3574 Process_num: 2
3575 Pid: 1272
3576 [...]
3577 master>
3578
3579 $ echo '@!1271 show info; @!1272 show info' | socat /var/run/haproxy-master.sock -
3580 [...]
3581
3582A prefix could be use as a command, which will send every next commands to
3583the specified process.
3584
3585Examples:
3586
3587 $ socat /var/run/haproxy-master.sock readline
3588 prompt
3589 master> @1
3590 1271> show info
3591 [...]
3592 1271> show stat
3593 [...]
3594 1271> @
3595 master>
3596
3597 $ echo '@1; show info; show stat; @2; show info; show stat' | socat /var/run/haproxy-master.sock -
3598 [...]
3599
William Lallemanda57b7e32018-12-14 21:11:31 +01003600You can also reload the HAProxy master process with the "reload" command which
3601does the same as a `kill -USR2` on the master process, provided that the user
3602has at least "operator" or "admin" privileges.
3603
3604Example:
3605
varnav5a3fe9f2021-05-10 10:29:57 -04003606 $ echo "reload" | socat /var/run/haproxy-master.sock stdin
William Lallemanda57b7e32018-12-14 21:11:31 +01003607
3608Note that a reload will close the connection to the master CLI.
3609
William Lallemand142db372018-12-11 18:56:45 +01003610
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200361110. Tricks for easier configuration management
3612----------------------------------------------
3613
3614It is very common that two HAProxy nodes constituting a cluster share exactly
3615the same configuration modulo a few addresses. Instead of having to maintain a
3616duplicate configuration for each node, which will inevitably diverge, it is
3617possible to include environment variables in the configuration. Thus multiple
3618configuration may share the exact same file with only a few different system
3619wide environment variables. This started in version 1.5 where only addresses
3620were allowed to include environment variables, and 1.6 goes further by
3621supporting environment variables everywhere. The syntax is the same as in the
3622UNIX shell, a variable starts with a dollar sign ('$'), followed by an opening
3623curly brace ('{'), then the variable name followed by the closing brace ('}').
3624Except for addresses, environment variables are only interpreted in arguments
3625surrounded with double quotes (this was necessary not to break existing setups
3626using regular expressions involving the dollar symbol).
3627
3628Environment variables also make it convenient to write configurations which are
3629expected to work on various sites where only the address changes. It can also
3630permit to remove passwords from some configs. Example below where the the file
3631"site1.env" file is sourced by the init script upon startup :
3632
3633 $ cat site1.env
3634 LISTEN=192.168.1.1
3635 CACHE_PFX=192.168.11
3636 SERVER_PFX=192.168.22
3637 LOGGER=192.168.33.1
3638 STATSLP=admin:pa$$w0rd
3639 ABUSERS=/etc/haproxy/abuse.lst
3640 TIMEOUT=10s
3641
3642 $ cat haproxy.cfg
3643 global
3644 log "${LOGGER}:514" local0
3645
3646 defaults
3647 mode http
3648 timeout client "${TIMEOUT}"
3649 timeout server "${TIMEOUT}"
3650 timeout connect 5s
3651
3652 frontend public
3653 bind "${LISTEN}:80"
3654 http-request reject if { src -f "${ABUSERS}" }
3655 stats uri /stats
3656 stats auth "${STATSLP}"
3657 use_backend cache if { path_end .jpg .css .ico }
3658 default_backend server
3659
3660 backend cache
3661 server cache1 "${CACHE_PFX}.1:18080" check
3662 server cache2 "${CACHE_PFX}.2:18080" check
3663
3664 backend server
3665 server cache1 "${SERVER_PFX}.1:8080" check
3666 server cache2 "${SERVER_PFX}.2:8080" check
3667
3668
366911. Well-known traps to avoid
3670-----------------------------
3671
3672Once in a while, someone reports that after a system reboot, the haproxy
3673service wasn't started, and that once they start it by hand it works. Most
3674often, these people are running a clustered IP address mechanism such as
3675keepalived, to assign the service IP address to the master node only, and while
3676it used to work when they used to bind haproxy to address 0.0.0.0, it stopped
3677working after they bound it to the virtual IP address. What happens here is
3678that when the service starts, the virtual IP address is not yet owned by the
3679local node, so when HAProxy wants to bind to it, the system rejects this
3680because it is not a local IP address. The fix doesn't consist in delaying the
3681haproxy service startup (since it wouldn't stand a restart), but instead to
3682properly configure the system to allow binding to non-local addresses. This is
3683easily done on Linux by setting the net.ipv4.ip_nonlocal_bind sysctl to 1. This
3684is also needed in order to transparently intercept the IP traffic that passes
3685through HAProxy for a specific target address.
3686
3687Multi-process configurations involving source port ranges may apparently seem
3688to work but they will cause some random failures under high loads because more
3689than one process may try to use the same source port to connect to the same
3690server, which is not possible. The system will report an error and a retry will
3691happen, picking another port. A high value in the "retries" parameter may hide
3692the effect to a certain extent but this also comes with increased CPU usage and
3693processing time. Logs will also report a certain number of retries. For this
3694reason, port ranges should be avoided in multi-process configurations.
3695
Dan Lloyd8e48b872016-07-01 21:01:18 -04003696Since HAProxy uses SO_REUSEPORT and supports having multiple independent
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003697processes bound to the same IP:port, during troubleshooting it can happen that
3698an old process was not stopped before a new one was started. This provides
3699absurd test results which tend to indicate that any change to the configuration
3700is ignored. The reason is that in fact even the new process is restarted with a
3701new configuration, the old one also gets some incoming connections and
3702processes them, returning unexpected results. When in doubt, just stop the new
3703process and try again. If it still works, it very likely means that an old
3704process remains alive and has to be stopped. Linux's "netstat -lntp" is of good
3705help here.
3706
3707When adding entries to an ACL from the command line (eg: when blacklisting a
3708source address), it is important to keep in mind that these entries are not
3709synchronized to the file and that if someone reloads the configuration, these
3710updates will be lost. While this is often the desired effect (for blacklisting)
3711it may not necessarily match expectations when the change was made as a fix for
3712a problem. See the "add acl" action of the CLI interface.
3713
3714
371512. Debugging and performance issues
3716------------------------------------
3717
3718When HAProxy is started with the "-d" option, it will stay in the foreground
3719and will print one line per event, such as an incoming connection, the end of a
3720connection, and for each request or response header line seen. This debug
3721output is emitted before the contents are processed, so they don't consider the
3722local modifications. The main use is to show the request and response without
3723having to run a network sniffer. The output is less readable when multiple
3724connections are handled in parallel, though the "debug2ansi" and "debug2html"
3725scripts found in the examples/ directory definitely help here by coloring the
3726output.
3727
3728If a request or response is rejected because HAProxy finds it is malformed, the
3729best thing to do is to connect to the CLI and issue "show errors", which will
3730report the last captured faulty request and response for each frontend and
3731backend, with all the necessary information to indicate precisely the first
3732character of the input stream that was rejected. This is sometimes needed to
3733prove to customers or to developers that a bug is present in their code. In
3734this case it is often possible to relax the checks (but still keep the
3735captures) using "option accept-invalid-http-request" or its equivalent for
3736responses coming from the server "option accept-invalid-http-response". Please
3737see the configuration manual for more details.
3738
3739Example :
3740
3741 > show errors
3742 Total events captured on [13/Oct/2015:13:43:47.169] : 1
3743
3744 [13/Oct/2015:13:43:40.918] frontend HAProxyLocalStats (#2): invalid request
3745 backend <NONE> (#-1), server <NONE> (#-1), event #0
3746 src 127.0.0.1:51981, session #0, session flags 0x00000080
3747 HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000
3748 HTTP chunk len 0 bytes, HTTP body len 0 bytes
3749 buffer flags 0x00808002, out 0 bytes, total 31 bytes
3750 pending 31 bytes, wrapping at 8040, error at position 13:
3751
3752 00000 GET /invalid request HTTP/1.1\r\n
3753
3754
3755The output of "show info" on the CLI provides a number of useful information
3756regarding the maximum connection rate ever reached, maximum SSL key rate ever
3757reached, and in general all information which can help to explain temporary
3758issues regarding CPU or memory usage. Example :
3759
3760 > show info
3761 Name: HAProxy
3762 Version: 1.6-dev7-e32d18-17
3763 Release_date: 2015/10/12
3764 Nbproc: 1
3765 Process_num: 1
3766 Pid: 7949
3767 Uptime: 0d 0h02m39s
3768 Uptime_sec: 159
3769 Memmax_MB: 0
3770 Ulimit-n: 120032
3771 Maxsock: 120032
3772 Maxconn: 60000
3773 Hard_maxconn: 60000
3774 CurrConns: 0
3775 CumConns: 3
3776 CumReq: 3
3777 MaxSslConns: 0
3778 CurrSslConns: 0
3779 CumSslConns: 0
3780 Maxpipes: 0
3781 PipesUsed: 0
3782 PipesFree: 0
3783 ConnRate: 0
3784 ConnRateLimit: 0
3785 MaxConnRate: 1
3786 SessRate: 0
3787 SessRateLimit: 0
3788 MaxSessRate: 1
3789 SslRate: 0
3790 SslRateLimit: 0
3791 MaxSslRate: 0
3792 SslFrontendKeyRate: 0
3793 SslFrontendMaxKeyRate: 0
3794 SslFrontendSessionReuse_pct: 0
3795 SslBackendKeyRate: 0
3796 SslBackendMaxKeyRate: 0
3797 SslCacheLookups: 0
3798 SslCacheMisses: 0
3799 CompressBpsIn: 0
3800 CompressBpsOut: 0
3801 CompressBpsRateLim: 0
3802 ZlibMemUsage: 0
3803 MaxZlibMemUsage: 0
3804 Tasks: 5
3805 Run_queue: 1
3806 Idle_pct: 100
3807 node: wtap
3808 description:
3809
3810When an issue seems to randomly appear on a new version of HAProxy (eg: every
3811second request is aborted, occasional crash, etc), it is worth trying to enable
Dan Lloyd8e48b872016-07-01 21:01:18 -04003812memory poisoning so that each call to malloc() is immediately followed by the
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003813filling of the memory area with a configurable byte. By default this byte is
38140x50 (ASCII for 'P'), but any other byte can be used, including zero (which
3815will have the same effect as a calloc() and which may make issues disappear).
Dan Lloyd8e48b872016-07-01 21:01:18 -04003816Memory poisoning is enabled on the command line using the "-dM" option. It
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003817slightly hurts performance and is not recommended for use in production. If
Dan Lloyd8e48b872016-07-01 21:01:18 -04003818an issue happens all the time with it or never happens when poisoning uses
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003819byte zero, it clearly means you've found a bug and you definitely need to
3820report it. Otherwise if there's no clear change, the problem it is not related.
3821
3822When debugging some latency issues, it is important to use both strace and
3823tcpdump on the local machine, and another tcpdump on the remote system. The
3824reason for this is that there are delays everywhere in the processing chain and
3825it is important to know which one is causing latency to know where to act. In
3826practice, the local tcpdump will indicate when the input data come in. Strace
3827will indicate when haproxy receives these data (using recv/recvfrom). Warning,
3828openssl uses read()/write() syscalls instead of recv()/send(). Strace will also
3829show when haproxy sends the data, and tcpdump will show when the system sends
3830these data to the interface. Then the external tcpdump will show when the data
3831sent are really received (since the local one only shows when the packets are
3832queued). The benefit of sniffing on the local system is that strace and tcpdump
3833will use the same reference clock. Strace should be used with "-tts200" to get
3834complete timestamps and report large enough chunks of data to read them.
3835Tcpdump should be used with "-nvvttSs0" to report full packets, real sequence
3836numbers and complete timestamps.
3837
3838In practice, received data are almost always immediately received by haproxy
3839(unless the machine has a saturated CPU or these data are invalid and not
3840delivered). If these data are received but not sent, it generally is because
3841the output buffer is saturated (ie: recipient doesn't consume the data fast
3842enough). This can be confirmed by seeing that the polling doesn't notify of
3843the ability to write on the output file descriptor for some time (it's often
3844easier to spot in the strace output when the data finally leave and then roll
3845back to see when the write event was notified). It generally matches an ACK
3846received from the recipient, and detected by tcpdump. Once the data are sent,
3847they may spend some time in the system doing nothing. Here again, the TCP
3848congestion window may be limited and not allow these data to leave, waiting for
3849an ACK to open the window. If the traffic is idle and the data take 40 ms or
3850200 ms to leave, it's a different issue (which is not an issue), it's the fact
3851that the Nagle algorithm prevents empty packets from leaving immediately, in
3852hope that they will be merged with subsequent data. HAProxy automatically
3853disables Nagle in pure TCP mode and in tunnels. However it definitely remains
3854enabled when forwarding an HTTP body (and this contributes to the performance
3855improvement there by reducing the number of packets). Some HTTP non-compliant
3856applications may be sensitive to the latency when delivering incomplete HTTP
3857response messages. In this case you will have to enable "option http-no-delay"
3858to disable Nagle in order to work around their design, keeping in mind that any
3859other proxy in the chain may similarly be impacted. If tcpdump reports that data
3860leave immediately but the other end doesn't see them quickly, it can mean there
Dan Lloyd8e48b872016-07-01 21:01:18 -04003861is a congested WAN link, a congested LAN with flow control enabled and
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003862preventing the data from leaving, or more commonly that HAProxy is in fact
3863running in a virtual machine and that for whatever reason the hypervisor has
3864decided that the data didn't need to be sent immediately. In virtualized
3865environments, latency issues are almost always caused by the virtualization
3866layer, so in order to save time, it's worth first comparing tcpdump in the VM
3867and on the external components. Any difference has to be credited to the
3868hypervisor and its accompanying drivers.
3869
3870When some TCP SACK segments are seen in tcpdump traces (using -vv), it always
3871means that the side sending them has got the proof of a lost packet. While not
3872seeing them doesn't mean there are no losses, seeing them definitely means the
3873network is lossy. Losses are normal on a network, but at a rate where SACKs are
3874not noticeable at the naked eye. If they appear a lot in the traces, it is
3875worth investigating exactly what happens and where the packets are lost. HTTP
3876doesn't cope well with TCP losses, which introduce huge latencies.
3877
3878The "netstat -i" command will report statistics per interface. An interface
3879where the Rx-Ovr counter grows indicates that the system doesn't have enough
3880resources to receive all incoming packets and that they're lost before being
3881processed by the network driver. Rx-Drp indicates that some received packets
3882were lost in the network stack because the application doesn't process them
3883fast enough. This can happen during some attacks as well. Tx-Drp means that
3884the output queues were full and packets had to be dropped. When using TCP it
Dan Lloyd8e48b872016-07-01 21:01:18 -04003885should be very rare, but will possibly indicate a saturated outgoing link.
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003886
3887
388813. Security considerations
3889---------------------------
3890
3891HAProxy is designed to run with very limited privileges. The standard way to
3892use it is to isolate it into a chroot jail and to drop its privileges to a
3893non-root user without any permissions inside this jail so that if any future
3894vulnerability were to be discovered, its compromise would not affect the rest
3895of the system.
3896
Dan Lloyd8e48b872016-07-01 21:01:18 -04003897In order to perform a chroot, it first needs to be started as a root user. It is
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003898pointless to build hand-made chroots to start the process there, these ones are
3899painful to build, are never properly maintained and always contain way more
3900bugs than the main file-system. And in case of compromise, the intruder can use
3901the purposely built file-system. Unfortunately many administrators confuse
3902"start as root" and "run as root", resulting in the uid change to be done prior
3903to starting haproxy, and reducing the effective security restrictions.
3904
3905HAProxy will need to be started as root in order to :
3906 - adjust the file descriptor limits
3907 - bind to privileged port numbers
3908 - bind to a specific network interface
3909 - transparently listen to a foreign address
3910 - isolate itself inside the chroot jail
3911 - drop to another non-privileged UID
3912
3913HAProxy may require to be run as root in order to :
3914 - bind to an interface for outgoing connections
3915 - bind to privileged source ports for outgoing connections
Dan Lloyd8e48b872016-07-01 21:01:18 -04003916 - transparently bind to a foreign address for outgoing connections
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003917
3918Most users will never need the "run as root" case. But the "start as root"
3919covers most usages.
3920
3921A safe configuration will have :
3922
3923 - a chroot statement pointing to an empty location without any access
3924 permissions. This can be prepared this way on the UNIX command line :
3925
3926 # mkdir /var/empty && chmod 0 /var/empty || echo "Failed"
3927
3928 and referenced like this in the HAProxy configuration's global section :
3929
3930 chroot /var/empty
3931
3932 - both a uid/user and gid/group statements in the global section :
3933
3934 user haproxy
3935 group haproxy
3936
3937 - a stats socket whose mode, uid and gid are set to match the user and/or
3938 group allowed to access the CLI so that nobody may access it :
3939
3940 stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600
3941