blob: 04f3900b6b6e8e9087b69f685706c1725a0b72ee [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau02c7c142012-06-04 00:43:45 +02007 2012/06/04
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100565. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057
586. HTTP header manipulation
59
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100607. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200617.1. Matching integers
627.2. Matching strings
637.3. Matching regular expressions (regexes)
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200647.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200657.5. Available matching criteria
667.5.1. Matching at Layer 4 and below
677.5.2. Matching contents at Layer 4
687.5.3. Matching at Layer 7
697.6. Pre-defined ACLs
707.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100717.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072
738. Logging
748.1. Log levels
758.2. Log formats
768.2.1. Default log format
778.2.2. TCP log format
788.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100798.2.4. Custom log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200808.3. Advanced logging options
818.3.1. Disabling logging of external tests
828.3.2. Logging before waiting for the session to terminate
838.3.3. Raising log level upon errors
848.3.4. Disabling logging of successful connections
858.4. Timing events
868.5. Session state at disconnection
878.6. Non-printable characters
888.7. Capturing HTTP cookies
898.8. Capturing HTTP headers
908.9. Examples of logs
91
929. Statistics and monitoring
939.1. CSV format
949.2. Unix Socket commands
95
96
971. Quick reminder about HTTP
98----------------------------
99
100When haproxy is running in HTTP mode, both the request and the response are
101fully analyzed and indexed, thus it becomes possible to build matching criteria
102on almost anything found in the contents.
103
104However, it is important to understand how HTTP requests and responses are
105formed, and how HAProxy decomposes them. It will then become easier to write
106correct rules and to debug existing configurations.
107
108
1091.1. The HTTP transaction model
110-------------------------------
111
112The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100113to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200114from the client to the server, a request is sent by the client on the
115connection, the server responds and the connection is closed. A new request
116will involve a new connection :
117
118 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
119
120In this mode, called the "HTTP close" mode, there are as many connection
121establishments as there are HTTP transactions. Since the connection is closed
122by the server after the response, the client does not need to know the content
123length.
124
125Due to the transactional nature of the protocol, it was possible to improve it
126to avoid closing a connection between two subsequent transactions. In this mode
127however, it is mandatory that the server indicates the content length for each
128response so that the client does not wait indefinitely. For this, a special
129header is used: "Content-length". This mode is called the "keep-alive" mode :
130
131 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
132
133Its advantages are a reduced latency between transactions, and less processing
134power required on the server side. It is generally better than the close mode,
135but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200136a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200137
138A last improvement in the communications is the pipelining mode. It still uses
139keep-alive, but the client does not wait for the first response to send the
140second request. This is useful for fetching large number of images composing a
141page :
142
143 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
144
145This can obviously have a tremendous benefit on performance because the network
146latency is eliminated between subsequent requests. Many HTTP agents do not
147correctly support pipelining since there is no way to associate a response with
148the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100149server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200150
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200151By default HAProxy operates in a tunnel-like mode with regards to persistent
152connections: for each connection it processes the first request and forwards
153everything else (including additional requests) to selected server. Once
154established, the connection is persisted both on the client and server
155sides. Use "option http-server-close" to preserve client persistent connections
156while handling every incoming request individually, dispatching them one after
157another to servers, in HTTP close mode. Use "option httpclose" to switch both
158sides to HTTP close mode. "option forceclose" and "option
159http-pretend-keepalive" help working around servers misbehaving in HTTP close
160mode.
161
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200162
1631.2. HTTP request
164-----------------
165
166First, let's consider this HTTP request :
167
168 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100169 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200170 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
171 2 Host: www.mydomain.com
172 3 User-agent: my small browser
173 4 Accept: image/jpeg, image/gif
174 5 Accept: image/png
175
176
1771.2.1. The Request line
178-----------------------
179
180Line 1 is the "request line". It is always composed of 3 fields :
181
182 - a METHOD : GET
183 - a URI : /serv/login.php?lang=en&profile=2
184 - a version tag : HTTP/1.1
185
186All of them are delimited by what the standard calls LWS (linear white spaces),
187which are commonly spaces, but can also be tabs or line feeds/carriage returns
188followed by spaces/tabs. The method itself cannot contain any colon (':') and
189is limited to alphabetic letters. All those various combinations make it
190desirable that HAProxy performs the splitting itself rather than leaving it to
191the user to write a complex or inaccurate regular expression.
192
193The URI itself can have several forms :
194
195 - A "relative URI" :
196
197 /serv/login.php?lang=en&profile=2
198
199 It is a complete URL without the host part. This is generally what is
200 received by servers, reverse proxies and transparent proxies.
201
202 - An "absolute URI", also called a "URL" :
203
204 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
205
206 It is composed of a "scheme" (the protocol name followed by '://'), a host
207 name or address, optionally a colon (':') followed by a port number, then
208 a relative URI beginning at the first slash ('/') after the address part.
209 This is generally what proxies receive, but a server supporting HTTP/1.1
210 must accept this form too.
211
212 - a star ('*') : this form is only accepted in association with the OPTIONS
213 method and is not relayable. It is used to inquiry a next hop's
214 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100215
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200216 - an address:port combination : 192.168.0.12:80
217 This is used with the CONNECT method, which is used to establish TCP
218 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
219 other protocols too.
220
221In a relative URI, two sub-parts are identified. The part before the question
222mark is called the "path". It is typically the relative path to static objects
223on the server. The part after the question mark is called the "query string".
224It is mostly used with GET requests sent to dynamic scripts and is very
225specific to the language, framework or application in use.
226
227
2281.2.2. The request headers
229--------------------------
230
231The headers start at the second line. They are composed of a name at the
232beginning of the line, immediately followed by a colon (':'). Traditionally,
233an LWS is added after the colon but that's not required. Then come the values.
234Multiple identical headers may be folded into one single line, delimiting the
235values with commas, provided that their order is respected. This is commonly
236encountered in the "Cookie:" field. A header may span over multiple lines if
237the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
238define a total of 3 values for the "Accept:" header.
239
240Contrary to a common mis-conception, header names are not case-sensitive, and
241their values are not either if they refer to other header names (such as the
242"Connection:" header).
243
244The end of the headers is indicated by the first empty line. People often say
245that it's a double line feed, which is not exact, even if a double line feed
246is one valid form of empty line.
247
248Fortunately, HAProxy takes care of all these complex combinations when indexing
249headers, checking values and counting them, so there is no reason to worry
250about the way they could be written, but it is important not to accuse an
251application of being buggy if it does unusual, valid things.
252
253Important note:
254 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
255 in the middle of headers by LWS in order to join multi-line headers. This
256 is necessary for proper analysis and helps less capable HTTP parsers to work
257 correctly and not to be fooled by such complex constructs.
258
259
2601.3. HTTP response
261------------------
262
263An HTTP response looks very much like an HTTP request. Both are called HTTP
264messages. Let's consider this HTTP response :
265
266 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100267 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200268 1 HTTP/1.1 200 OK
269 2 Content-length: 350
270 3 Content-Type: text/html
271
Willy Tarreau816b9792009-09-15 21:25:21 +0200272As a special case, HTTP supports so called "Informational responses" as status
273codes 1xx. These messages are special in that they don't convey any part of the
274response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100275continue to post its request for instance. In the case of a status 100 response
276the requested information will be carried by the next non-100 response message
277following the informational one. This implies that multiple responses may be
278sent to a single request, and that this only works when keep-alive is enabled
279(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
280correctly forward and skip them, and only process the next non-100 response. As
281such, these messages are neither logged nor transformed, unless explicitly
282state otherwise. Status 101 messages indicate that the protocol is changing
283over the same connection and that haproxy must switch to tunnel mode, just as
284if a CONNECT had occurred. Then the Upgrade header would contain additional
285information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200286
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200287
2881.3.1. The Response line
289------------------------
290
291Line 1 is the "response line". It is always composed of 3 fields :
292
293 - a version tag : HTTP/1.1
294 - a status code : 200
295 - a reason : OK
296
297The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200298 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200299 - 2xx = OK, content is following (eg: 200, 206)
300 - 3xx = OK, no content following (eg: 302, 304)
301 - 4xx = error caused by the client (eg: 401, 403, 404)
302 - 5xx = error caused by the server (eg: 500, 502, 503)
303
304Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100305"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200306found there, but it's a common practice to respect the well-established
307messages. It can be composed of one or multiple words, such as "OK", "Found",
308or "Authentication Required".
309
310Haproxy may emit the following status codes by itself :
311
312 Code When / reason
313 200 access to stats page, and when replying to monitoring requests
314 301 when performing a redirection, depending on the configured code
315 302 when performing a redirection, depending on the configured code
316 303 when performing a redirection, depending on the configured code
317 400 for an invalid or too large request
318 401 when an authentication is required to perform the action (when
319 accessing the stats page)
320 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
321 408 when the request timeout strikes before the request is complete
322 500 when haproxy encounters an unrecoverable internal error, such as a
323 memory allocation failure, which should never happen
324 502 when the server returns an empty, invalid or incomplete response, or
325 when an "rspdeny" filter blocks the response.
326 503 when no server was available to handle the request, or in response to
327 monitoring requests which match the "monitor fail" condition
328 504 when the response timeout strikes before the server responds
329
330The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3314.2).
332
333
3341.3.2. The response headers
335---------------------------
336
337Response headers work exactly like request headers, and as such, HAProxy uses
338the same parsing function for both. Please refer to paragraph 1.2.2 for more
339details.
340
341
3422. Configuring HAProxy
343----------------------
344
3452.1. Configuration file format
346------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200347
348HAProxy's configuration process involves 3 major sources of parameters :
349
350 - the arguments from the command-line, which always take precedence
351 - the "global" section, which sets process-wide parameters
352 - the proxies sections which can take form of "defaults", "listen",
353 "frontend" and "backend".
354
Willy Tarreau0ba27502007-12-24 16:55:16 +0100355The configuration file syntax consists in lines beginning with a keyword
356referenced in this manual, optionally followed by one or several parameters
357delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100358preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100359escaped by doubling them.
360
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200361
3622.2. Time format
363----------------
364
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100365Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100366values are generally expressed in milliseconds (unless explicitly stated
367otherwise) but may be expressed in any other unit by suffixing the unit to the
368numeric value. It is important to consider this because it will not be repeated
369for every keyword. Supported units are :
370
371 - us : microseconds. 1 microsecond = 1/1000000 second
372 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
373 - s : seconds. 1s = 1000ms
374 - m : minutes. 1m = 60s = 60000ms
375 - h : hours. 1h = 60m = 3600s = 3600000ms
376 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
377
378
Patrick Mezard35da19c2010-06-12 17:02:47 +02003792.3. Examples
380-------------
381
382 # Simple configuration for an HTTP proxy listening on port 80 on all
383 # interfaces and forwarding requests to a single backend "servers" with a
384 # single server "server1" listening on 127.0.0.1:8000
385 global
386 daemon
387 maxconn 256
388
389 defaults
390 mode http
391 timeout connect 5000ms
392 timeout client 50000ms
393 timeout server 50000ms
394
395 frontend http-in
396 bind *:80
397 default_backend servers
398
399 backend servers
400 server server1 127.0.0.1:8000 maxconn 32
401
402
403 # The same configuration defined with a single listen block. Shorter but
404 # less expressive, especially in HTTP mode.
405 global
406 daemon
407 maxconn 256
408
409 defaults
410 mode http
411 timeout connect 5000ms
412 timeout client 50000ms
413 timeout server 50000ms
414
415 listen http-in
416 bind *:80
417 server server1 127.0.0.1:8000 maxconn 32
418
419
420Assuming haproxy is in $PATH, test these configurations in a shell with:
421
Willy Tarreauccb289d2010-12-11 20:19:38 +0100422 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200423
424
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004253. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200426--------------------
427
428Parameters in the "global" section are process-wide and often OS-specific. They
429are generally set once for all and do not need being changed once correct. Some
430of them have command-line equivalents.
431
432The following keywords are supported in the "global" section :
433
434 * Process management and security
435 - chroot
436 - daemon
437 - gid
438 - group
439 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100440 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200441 - nbproc
442 - pidfile
443 - uid
444 - ulimit-n
445 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200446 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200447 - node
448 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100449 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100450
Willy Tarreau6a06a402007-07-15 20:15:28 +0200451 * Performance tuning
452 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200453 - maxconnrate
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100454 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200455 - noepoll
456 - nokqueue
457 - nopoll
458 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100459 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200460 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200461 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200462 - tune.chksize
Willy Tarreauac1932d2011-10-24 19:14:41 +0200463 - tune.http.maxhdr
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100464 - tune.maxaccept
465 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200466 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200467 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100468 - tune.rcvbuf.client
469 - tune.rcvbuf.server
470 - tune.sndbuf.client
471 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100472
Willy Tarreau6a06a402007-07-15 20:15:28 +0200473 * Debugging
474 - debug
475 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200476
477
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004783.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200479------------------------------------
480
481chroot <jail dir>
482 Changes current directory to <jail dir> and performs a chroot() there before
483 dropping privileges. This increases the security level in case an unknown
484 vulnerability would be exploited, since it would make it very hard for the
485 attacker to exploit the system. This only works when the process is started
486 with superuser privileges. It is important to ensure that <jail_dir> is both
487 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100488
Willy Tarreau6a06a402007-07-15 20:15:28 +0200489daemon
490 Makes the process fork into background. This is the recommended mode of
491 operation. It is equivalent to the command line "-D" argument. It can be
492 disabled by the command line "-db" argument.
493
494gid <number>
495 Changes the process' group ID to <number>. It is recommended that the group
496 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
497 be started with a user belonging to this group, or with superuser privileges.
498 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100499
Willy Tarreau6a06a402007-07-15 20:15:28 +0200500group <group name>
501 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
502 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100503
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200504log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200505 Adds a global syslog server. Up to two global servers can be defined. They
506 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100507 configured with "log global".
508
509 <address> can be one of:
510
Willy Tarreau2769aa02007-12-27 18:26:09 +0100511 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100512 no port is specified, 514 is used by default (the standard syslog
513 port).
514
David du Colombier24bb5f52011-03-17 10:40:23 +0100515 - An IPv6 address followed by a colon and optionally a UDP port. If
516 no port is specified, 514 is used by default (the standard syslog
517 port).
518
Robert Tsai81ae1952007-12-05 10:47:29 +0100519 - A filesystem path to a UNIX domain socket, keeping in mind
520 considerations for chroot (be sure the path is accessible inside
521 the chroot) and uid/gid (be sure the path is appropriately
522 writeable).
523
524 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200525
526 kern user mail daemon auth syslog lpr news
527 uucp cron auth2 ftp ntp audit alert cron2
528 local0 local1 local2 local3 local4 local5 local6 local7
529
530 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200531 all messages are sent. If a maximum level is specified, only messages with a
532 severity at least as important as this level will be sent. An optional minimum
533 level can be specified. If it is set, logs emitted with a more severe level
534 than this one will be capped to this level. This is used to avoid sending
535 "emerg" messages on all terminals on some default syslog configurations.
536 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200537
Cyril Bontédc4d9032012-04-08 21:57:39 +0200538 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200539
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100540log-send-hostname [<string>]
541 Sets the hostname field in the syslog header. If optional "string" parameter
542 is set the header is set to the string contents, otherwise uses the hostname
543 of the system. Generally used if one is not relaying logs through an
544 intermediate syslog server or for simply customizing the hostname printed in
545 the logs.
546
Kevinm48936af2010-12-22 16:08:21 +0000547log-tag <string>
548 Sets the tag field in the syslog header to this string. It defaults to the
549 program name as launched from the command line, which usually is "haproxy".
550 Sometimes it can be useful to differentiate between multiple processes
551 running on the same host.
552
Willy Tarreau6a06a402007-07-15 20:15:28 +0200553nbproc <number>
554 Creates <number> processes when going daemon. This requires the "daemon"
555 mode. By default, only one process is created, which is the recommended mode
556 of operation. For systems limited to small sets of file descriptors per
557 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
558 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
559
560pidfile <pidfile>
561 Writes pids of all daemons into file <pidfile>. This option is equivalent to
562 the "-p" command line argument. The file must be accessible to the user
563 starting the process. See also "daemon".
564
Willy Tarreaufbee7132007-10-18 13:53:22 +0200565stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Cyril Bontédc4d9032012-04-08 21:57:39 +0200566 [level <level>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200567
Willy Tarreaufbee7132007-10-18 13:53:22 +0200568 Creates a UNIX socket in stream mode at location <path>. Any previously
569 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100570 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200571 issued. Please consult section 9.2 "Unix Socket commands" for more details.
572
573 An optional "level" parameter can be specified to restrict the nature of
574 the commands that can be issued on the socket :
575 - "user" is the least privileged level ; only non-sensitive stats can be
576 read, and no change is allowed. It would make sense on systems where it
577 is not easy to restrict access to the socket.
578
579 - "operator" is the default level and fits most common uses. All data can
Willy Tarreau3c92c5f2011-08-28 09:45:47 +0200580 be read, and only non-sensitive changes are permitted (eg: clear max
Willy Tarreau6162db22009-10-10 17:13:00 +0200581 counters).
582
583 - "admin" should be used with care, as everything is permitted (eg: clear
584 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100585
586 On platforms which support it, it is possible to restrict access to this
587 socket by specifying numerical IDs after "uid" and "gid", or valid user and
588 group names after the "user" and "group" keywords. It is also possible to
589 restrict permissions on the socket by passing an octal value after the "mode"
590 keyword (same syntax as chmod). Depending on the platform, the permissions on
591 the socket will be inherited from the directory which hosts it, or from the
592 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200593
594stats timeout <timeout, in milliseconds>
595 The default timeout on the stats socket is set to 10 seconds. It is possible
596 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100597 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200598
599stats maxconn <connections>
600 By default, the stats socket is limited to 10 concurrent connections. It is
601 possible to change this value with "stats maxconn".
602
Willy Tarreau6a06a402007-07-15 20:15:28 +0200603uid <number>
604 Changes the process' user ID to <number>. It is recommended that the user ID
605 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
606 be started with superuser privileges in order to be able to switch to another
607 one. See also "gid" and "user".
608
609ulimit-n <number>
610 Sets the maximum number of per-process file-descriptors to <number>. By
611 default, it is automatically computed, so it is recommended not to use this
612 option.
613
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100614unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
615 [ group <group> ] [ gid <gid> ]
616
617 Fixes common settings to UNIX listening sockets declared in "bind" statements.
618 This is mainly used to simplify declaration of those UNIX sockets and reduce
619 the risk of errors, since those settings are most commonly required but are
620 also process-specific. The <prefix> setting can be used to force all socket
621 path to be relative to that directory. This might be needed to access another
622 component's chroot. Note that those paths are resolved before haproxy chroots
623 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
624 all have the same meaning as their homonyms used by the "bind" statement. If
625 both are specified, the "bind" statement has priority, meaning that the
626 "unix-bind" settings may be seen as process-wide default settings.
627
Willy Tarreau6a06a402007-07-15 20:15:28 +0200628user <user name>
629 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
630 See also "uid" and "group".
631
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200632node <name>
633 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
634
635 This statement is useful in HA configurations where two or more processes or
636 servers share the same IP address. By setting a different node-name on all
637 nodes, it becomes easy to immediately spot what server is handling the
638 traffic.
639
640description <text>
641 Add a text that describes the instance.
642
643 Please note that it is required to escape certain characters (# for example)
644 and this text is inserted into a html page so you should avoid using
645 "<" and ">" characters.
646
Willy Tarreau6a06a402007-07-15 20:15:28 +0200647
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006483.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200649-----------------------
650
651maxconn <number>
652 Sets the maximum per-process number of concurrent connections to <number>. It
653 is equivalent to the command-line argument "-n". Proxies will stop accepting
654 connections when this limit is reached. The "ulimit-n" parameter is
655 automatically adjusted according to this value. See also "ulimit-n".
656
Willy Tarreau81c25d02011-09-07 15:17:21 +0200657maxconnrate <number>
658 Sets the maximum per-process number of connections per second to <number>.
659 Proxies will stop accepting connections when this limit is reached. It can be
660 used to limit the global capacity regardless of each frontend capacity. It is
661 important to note that this can only be used as a service protection measure,
662 as there will not necessarily be a fair share between frontends when the
663 limit is reached, so it's a good idea to also limit each frontend to some
664 value close to its expected share. Also, lowering tune.maxaccept can improve
665 fairness.
666
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100667maxpipes <number>
668 Sets the maximum per-process number of pipes to <number>. Currently, pipes
669 are only used by kernel-based tcp splicing. Since a pipe contains two file
670 descriptors, the "ulimit-n" value will be increased accordingly. The default
671 value is maxconn/4, which seems to be more than enough for most heavy usages.
672 The splice code dynamically allocates and releases pipes, and can fall back
673 to standard copy, so setting this value too low may only impact performance.
674
Willy Tarreau6a06a402007-07-15 20:15:28 +0200675noepoll
676 Disables the use of the "epoll" event polling system on Linux. It is
677 equivalent to the command-line argument "-de". The next polling system
678 used will generally be "poll". See also "nosepoll", and "nopoll".
679
680nokqueue
681 Disables the use of the "kqueue" event polling system on BSD. It is
682 equivalent to the command-line argument "-dk". The next polling system
683 used will generally be "poll". See also "nopoll".
684
685nopoll
686 Disables the use of the "poll" event polling system. It is equivalent to the
687 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100688 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200689 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
690 "nokqueue".
691
692nosepoll
693 Disables the use of the "speculative epoll" event polling system on Linux. It
694 is equivalent to the command-line argument "-ds". The next polling system
695 used will generally be "epoll". See also "nosepoll", and "nopoll".
696
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100697nosplice
698 Disables the use of kernel tcp splicing between sockets on Linux. It is
699 equivalent to the command line argument "-dS". Data will then be copied
700 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100701 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100702 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
703 be used. This option makes it easier to globally disable kernel splicing in
704 case of doubt. See also "option splice-auto", "option splice-request" and
705 "option splice-response".
706
Willy Tarreaufe255b72007-10-14 23:09:26 +0200707spread-checks <0..50, in percent>
708 Sometimes it is desirable to avoid sending health checks to servers at exact
709 intervals, for instance when many logical servers are located on the same
710 physical server. With the help of this parameter, it becomes possible to add
711 some randomness in the check interval between 0 and +/- 50%. A value between
712 2 and 5 seems to show good results. The default value remains at 0.
713
Willy Tarreau27a674e2009-08-17 07:23:33 +0200714tune.bufsize <number>
715 Sets the buffer size to this size (in bytes). Lower values allow more
716 sessions to coexist in the same amount of RAM, and higher values allow some
717 applications with very large cookies to work. The default value is 16384 and
718 can be changed at build time. It is strongly recommended not to change this
719 from the default value, as very low values will break some services such as
720 statistics, and values larger than default size will increase memory usage,
721 possibly causing the system to run out of memory. At least the global maxconn
722 parameter should be decreased by the same factor as this one is increased.
723
Willy Tarreau43961d52010-10-04 20:39:20 +0200724tune.chksize <number>
725 Sets the check buffer size to this size (in bytes). Higher values may help
726 find string or regex patterns in very large pages, though doing so may imply
727 more memory and CPU usage. The default value is 16384 and can be changed at
728 build time. It is not recommended to change this value, but to use better
729 checks whenever possible.
730
Willy Tarreauac1932d2011-10-24 19:14:41 +0200731tune.http.maxhdr <number>
732 Sets the maximum number of headers in a request. When a request comes with a
733 number of headers greater than this value (including the first line), it is
734 rejected with a "400 Bad Request" status code. Similarly, too large responses
735 are blocked with "502 Bad Gateway". The default value is 101, which is enough
736 for all usages, considering that the widely deployed Apache server uses the
737 same limit. It can be useful to push this limit further to temporarily allow
738 a buggy application to work by the time it gets fixed. Keep in mind that each
739 new header consumes 32bits of memory for each session, so don't push this
740 limit too high.
741
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100742tune.maxaccept <number>
743 Sets the maximum number of consecutive accepts that a process may perform on
744 a single wake up. High values give higher priority to high connection rates,
745 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100746 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100747 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
748 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100749 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100750 the limitation. It should normally not be needed to tweak this value.
751
752tune.maxpollevents <number>
753 Sets the maximum amount of events that can be processed at once in a call to
754 the polling system. The default value is adapted to the operating system. It
755 has been noticed that reducing it below 200 tends to slightly decrease
756 latency at the expense of network bandwidth, and increasing it above 200
757 tends to trade latency for slightly increased bandwidth.
758
Willy Tarreau27a674e2009-08-17 07:23:33 +0200759tune.maxrewrite <number>
760 Sets the reserved buffer space to this size in bytes. The reserved space is
761 used for header rewriting or appending. The first reads on sockets will never
762 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
763 bufsize, though that does not make much sense since there are rarely large
764 numbers of headers to add. Setting it too high prevents processing of large
765 requests or responses. Setting it too low prevents addition of new headers
766 to already large requests or to POST requests. It is generally wise to set it
767 to about 1024. It is automatically readjusted to half of bufsize if it is
768 larger than that. This means you don't have to worry about it when changing
769 bufsize.
770
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200771tune.pipesize <number>
772 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
773 are the default size for the system. But sometimes when using TCP splicing,
774 it can improve performance to increase pipe sizes, especially if it is
775 suspected that pipes are not filled and that many calls to splice() are
776 performed. This has an impact on the kernel's memory footprint, so this must
777 not be changed if impacts are not understood.
778
Willy Tarreaue803de22010-01-21 17:43:04 +0100779tune.rcvbuf.client <number>
780tune.rcvbuf.server <number>
781 Forces the kernel socket receive buffer size on the client or the server side
782 to the specified value in bytes. This value applies to all TCP/HTTP frontends
783 and backends. It should normally never be set, and the default size (0) lets
784 the kernel autotune this value depending on the amount of available memory.
785 However it can sometimes help to set it to very low values (eg: 4096) in
786 order to save kernel memory by preventing it from buffering too large amounts
787 of received data. Lower values will significantly increase CPU usage though.
788
789tune.sndbuf.client <number>
790tune.sndbuf.server <number>
791 Forces the kernel socket send buffer size on the client or the server side to
792 the specified value in bytes. This value applies to all TCP/HTTP frontends
793 and backends. It should normally never be set, and the default size (0) lets
794 the kernel autotune this value depending on the amount of available memory.
795 However it can sometimes help to set it to very low values (eg: 4096) in
796 order to save kernel memory by preventing it from buffering too large amounts
797 of received data. Lower values will significantly increase CPU usage though.
798 Another use case is to prevent write timeouts with extremely slow clients due
799 to the kernel waiting for a large part of the buffer to be read before
800 notifying haproxy again.
801
Willy Tarreau6a06a402007-07-15 20:15:28 +0200802
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008033.3. Debugging
804--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200805
806debug
807 Enables debug mode which dumps to stdout all exchanges, and disables forking
808 into background. It is the equivalent of the command-line argument "-d". It
809 should never be used in a production configuration since it may prevent full
810 system startup.
811
812quiet
813 Do not display any message during startup. It is equivalent to the command-
814 line argument "-q".
815
Emeric Brunf099e792010-09-27 12:05:28 +0200816
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008173.4. Userlists
818--------------
819It is possible to control access to frontend/backend/listen sections or to
820http stats by allowing only authenticated and authorized users. To do this,
821it is required to create at least one userlist and to define users.
822
823userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100824 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100825 used to store authentication & authorization data for independent customers.
826
827group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100828 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100829 attach users to this group by using a comma separated list of names
830 proceeded by "users" keyword.
831
Cyril Bontéf0c60612010-02-06 14:44:47 +0100832user <username> [password|insecure-password <password>]
833 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100834 Adds user <username> to the current userlist. Both secure (encrypted) and
835 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100836 evaluated using the crypt(3) function so depending of the system's
837 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100838 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
839 DES-based method of crypting passwords.
840
841
842 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100843 userlist L1
844 group G1 users tiger,scott
845 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100846
Cyril Bontéf0c60612010-02-06 14:44:47 +0100847 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
848 user scott insecure-password elgato
849 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100850
Cyril Bontéf0c60612010-02-06 14:44:47 +0100851 userlist L2
852 group G1
853 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100854
Cyril Bontéf0c60612010-02-06 14:44:47 +0100855 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
856 user scott insecure-password elgato groups G1,G2
857 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100858
859 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200860
Emeric Brunf099e792010-09-27 12:05:28 +0200861
8623.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +0200863----------
Emeric Brunf099e792010-09-27 12:05:28 +0200864It is possible to synchronize server entries in stick tables between several
865haproxy instances over TCP connections in a multi-master fashion. Each instance
866pushes its local updates and insertions to remote peers. Server IDs are used to
867identify servers remotely, so it is important that configurations look similar
868or at least that the same IDs are forced on each server on all participants.
869Interrupted exchanges are automatically detected and recovered from the last
870known point. In addition, during a soft restart, the old process connects to
871the new one using such a TCP connection to push all its entries before the new
872process tries to connect to other peers. That ensures very fast replication
873during a reload, it typically takes a fraction of a second even for large
874tables.
875
876peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -0400877 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +0200878 which is referenced by one or more stick-tables.
879
880peer <peername> <ip>:<port>
881 Defines a peer inside a peers section.
882 If <peername> is set to the local peer name (by default hostname, or forced
883 using "-L" command line option), haproxy will listen for incoming remote peer
884 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
885 to join the remote peer, and <peername> is used at the protocol level to
886 identify and validate the remote peer on the server side.
887
888 During a soft restart, local peer <ip>:<port> is used by the old instance to
889 connect the new one and initiate a complete replication (teaching process).
890
891 It is strongly recommended to have the exact same peers declaration on all
892 peers and to only rely on the "-L" command line argument to change the local
893 peer name. This makes it easier to maintain coherent configuration files
894 across all peers.
895
Cyril Bontédc4d9032012-04-08 21:57:39 +0200896 Example:
Emeric Brunf099e792010-09-27 12:05:28 +0200897 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100898 peer haproxy1 192.168.0.1:1024
899 peer haproxy2 192.168.0.2:1024
900 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +0200901
902 backend mybackend
903 mode tcp
904 balance roundrobin
905 stick-table type ip size 20k peers mypeers
906 stick on src
907
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100908 server srv1 192.168.0.30:80
909 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +0200910
911
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009124. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200913----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100914
Willy Tarreau6a06a402007-07-15 20:15:28 +0200915Proxy configuration can be located in a set of sections :
916 - defaults <name>
917 - frontend <name>
918 - backend <name>
919 - listen <name>
920
921A "defaults" section sets default parameters for all other sections following
922its declaration. Those default parameters are reset by the next "defaults"
923section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100924section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200925
926A "frontend" section describes a set of listening sockets accepting client
927connections.
928
929A "backend" section describes a set of servers to which the proxy will connect
930to forward incoming connections.
931
932A "listen" section defines a complete proxy with its frontend and backend
933parts combined in one section. It is generally useful for TCP-only traffic.
934
Willy Tarreau0ba27502007-12-24 16:55:16 +0100935All proxy names must be formed from upper and lower case letters, digits,
936'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
937case-sensitive, which means that "www" and "WWW" are two different proxies.
938
939Historically, all proxy names could overlap, it just caused troubles in the
940logs. Since the introduction of content switching, it is mandatory that two
941proxies with overlapping capabilities (frontend/backend) have different names.
942However, it is still permitted that a frontend and a backend share the same
943name, as this configuration seems to be commonly encountered.
944
945Right now, two major proxy modes are supported : "tcp", also known as layer 4,
946and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100947bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100948protocol, and can interact with it by allowing, blocking, switching, adding,
949modifying, or removing arbitrary contents in requests or responses, based on
950arbitrary criteria.
951
Willy Tarreau0ba27502007-12-24 16:55:16 +0100952
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009534.1. Proxy keywords matrix
954--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100955
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200956The following list of keywords is supported. Most of them may only be used in a
957limited set of section types. Some of them are marked as "deprecated" because
958they are inherited from an old syntax which may be confusing or functionally
959limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100960marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200961option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200962and must be disabled for a specific instance. Such options may also be prefixed
963with "default" in order to restore default settings regardless of what has been
964specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100965
Willy Tarreau6a06a402007-07-15 20:15:28 +0200966
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100967 keyword defaults frontend listen backend
968------------------------------------+----------+----------+---------+---------
969acl - X X X
970appsession - - X X
971backlog X X X -
972balance X - X X
973bind - X X -
974bind-process X X X X
975block - X X X
976capture cookie - X X -
977capture request header - X X -
978capture response header - X X -
979clitimeout (deprecated) X X X -
980contimeout (deprecated) X - X X
981cookie X - X X
982default-server X - X X
983default_backend X X X -
984description - X X X
985disabled X X X X
986dispatch - - X X
987enabled X X X X
988errorfile X X X X
989errorloc X X X X
990errorloc302 X X X X
991-- keyword -------------------------- defaults - frontend - listen -- backend -
992errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200993force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100994fullconn X - X X
995grace X X X X
996hash-type X - X X
997http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +0100998http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +0200999http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001000http-request - X X X
1001id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001002ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001003log (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001004maxconn X X X -
1005mode X X X X
1006monitor fail - X X -
1007monitor-net X X X -
1008monitor-uri X X X -
1009option abortonclose (*) X - X X
1010option accept-invalid-http-request (*) X X X -
1011option accept-invalid-http-response (*) X - X X
1012option allbackups (*) X - X X
1013option checkcache (*) X - X X
1014option clitcpka (*) X X X -
1015option contstats (*) X X X -
1016option dontlog-normal (*) X X X -
1017option dontlognull (*) X X X -
1018option forceclose (*) X X X X
1019-- keyword -------------------------- defaults - frontend - listen -- backend -
1020option forwardfor X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001021option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001022option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001023option http-server-close (*) X X X X
1024option http-use-proxy-header (*) X X X -
1025option httpchk X - X X
1026option httpclose (*) X X X X
1027option httplog X X X X
1028option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001029option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001030option ldap-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001031option log-health-checks (*) X - X X
1032option log-separate-errors (*) X X X -
1033option logasap (*) X X X -
1034option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001035option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001036option nolinger (*) X X X X
1037option originalto X X X X
1038option persist (*) X - X X
1039option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001040option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001041option smtpchk X - X X
1042option socket-stats (*) X X X -
1043option splice-auto (*) X X X X
1044option splice-request (*) X X X X
1045option splice-response (*) X X X X
1046option srvtcpka (*) X - X X
1047option ssl-hello-chk X - X X
1048-- keyword -------------------------- defaults - frontend - listen -- backend -
1049option tcp-smart-accept (*) X X X -
1050option tcp-smart-connect (*) X - X X
1051option tcpka X X X X
1052option tcplog X X X X
1053option transparent (*) X - X X
1054persist rdp-cookie X - X X
1055rate-limit sessions X X X -
1056redirect - X X X
1057redisp (deprecated) X - X X
1058redispatch (deprecated) X - X X
1059reqadd - X X X
1060reqallow - X X X
1061reqdel - X X X
1062reqdeny - X X X
1063reqiallow - X X X
1064reqidel - X X X
1065reqideny - X X X
1066reqipass - X X X
1067reqirep - X X X
1068reqisetbe - X X X
1069reqitarpit - X X X
1070reqpass - X X X
1071reqrep - X X X
1072-- keyword -------------------------- defaults - frontend - listen -- backend -
1073reqsetbe - X X X
1074reqtarpit - X X X
1075retries X - X X
1076rspadd - X X X
1077rspdel - X X X
1078rspdeny - X X X
1079rspidel - X X X
1080rspideny - X X X
1081rspirep - X X X
1082rsprep - X X X
1083server - - X X
1084source X - X X
1085srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001086stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001087stats auth X - X X
1088stats enable X - X X
1089stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001090stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001091stats realm X - X X
1092stats refresh X - X X
1093stats scope X - X X
1094stats show-desc X - X X
1095stats show-legends X - X X
1096stats show-node X - X X
1097stats uri X - X X
1098-- keyword -------------------------- defaults - frontend - listen -- backend -
1099stick match - - X X
1100stick on - - X X
1101stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001102stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001103stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001104tcp-request connection - X X -
1105tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001106tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001107tcp-response content - - X X
1108tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001109timeout check X - X X
1110timeout client X X X -
1111timeout clitimeout (deprecated) X X X -
1112timeout connect X - X X
1113timeout contimeout (deprecated) X - X X
1114timeout http-keep-alive X X X X
1115timeout http-request X X X X
1116timeout queue X - X X
1117timeout server X - X X
1118timeout srvtimeout (deprecated) X - X X
1119timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001120timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001121transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001122unique-id-format X X X -
1123unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001124use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001125use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001126------------------------------------+----------+----------+---------+---------
1127 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001128
Willy Tarreau0ba27502007-12-24 16:55:16 +01001129
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011304.2. Alphabetically sorted keywords reference
1131---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001132
1133This section provides a description of each keyword and its usage.
1134
1135
1136acl <aclname> <criterion> [flags] [operator] <value> ...
1137 Declare or complete an access list.
1138 May be used in sections : defaults | frontend | listen | backend
1139 no | yes | yes | yes
1140 Example:
1141 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1142 acl invalid_src src_port 0:1023
1143 acl local_dst hdr(host) -i localhost
1144
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001145 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001146
1147
Cyril Bontéb21570a2009-11-29 20:04:48 +01001148appsession <cookie> len <length> timeout <holdtime>
1149 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001150 Define session stickiness on an existing application cookie.
1151 May be used in sections : defaults | frontend | listen | backend
1152 no | no | yes | yes
1153 Arguments :
1154 <cookie> this is the name of the cookie used by the application and which
1155 HAProxy will have to learn for each new session.
1156
Cyril Bontéb21570a2009-11-29 20:04:48 +01001157 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001158 checked in each cookie value.
1159
1160 <holdtime> this is the time after which the cookie will be removed from
1161 memory if unused. If no unit is specified, this time is in
1162 milliseconds.
1163
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001164 request-learn
1165 If this option is specified, then haproxy will be able to learn
1166 the cookie found in the request in case the server does not
1167 specify any in response. This is typically what happens with
1168 PHPSESSID cookies, or when haproxy's session expires before
1169 the application's session and the correct server is selected.
1170 It is recommended to specify this option to improve reliability.
1171
Cyril Bontéb21570a2009-11-29 20:04:48 +01001172 prefix When this option is specified, haproxy will match on the cookie
1173 prefix (or URL parameter prefix). The appsession value is the
1174 data following this prefix.
1175
1176 Example :
1177 appsession ASPSESSIONID len 64 timeout 3h prefix
1178
1179 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1180 the appsession value will be XXXX=XXXXX.
1181
1182 mode This option allows to change the URL parser mode.
1183 2 modes are currently supported :
1184 - path-parameters :
1185 The parser looks for the appsession in the path parameters
1186 part (each parameter is separated by a semi-colon), which is
1187 convenient for JSESSIONID for example.
1188 This is the default mode if the option is not set.
1189 - query-string :
1190 In this mode, the parser will look for the appsession in the
1191 query string.
1192
Willy Tarreau0ba27502007-12-24 16:55:16 +01001193 When an application cookie is defined in a backend, HAProxy will check when
1194 the server sets such a cookie, and will store its value in a table, and
1195 associate it with the server's identifier. Up to <length> characters from
1196 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001197 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1198 the mode used). If a known value is found, the client will be directed to the
1199 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001200 applied. Cookies are automatically removed from memory when they have been
1201 unused for a duration longer than <holdtime>.
1202
1203 The definition of an application cookie is limited to one per backend.
1204
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001205 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1206 unless you know what you do : memory is not shared between the
1207 processes, which can result in random behaviours.
1208
Willy Tarreau0ba27502007-12-24 16:55:16 +01001209 Example :
1210 appsession JSESSIONID len 52 timeout 3h
1211
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001212 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1213 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001214
1215
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001216backlog <conns>
1217 Give hints to the system about the approximate listen backlog desired size
1218 May be used in sections : defaults | frontend | listen | backend
1219 yes | yes | yes | no
1220 Arguments :
1221 <conns> is the number of pending connections. Depending on the operating
1222 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001223 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001224
1225 In order to protect against SYN flood attacks, one solution is to increase
1226 the system's SYN backlog size. Depending on the system, sometimes it is just
1227 tunable via a system parameter, sometimes it is not adjustable at all, and
1228 sometimes the system relies on hints given by the application at the time of
1229 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1230 to the listen() syscall. On systems which can make use of this value, it can
1231 sometimes be useful to be able to specify a different value, hence this
1232 backlog parameter.
1233
1234 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1235 used as a hint and the system accepts up to the smallest greater power of
1236 two, and never more than some limits (usually 32768).
1237
1238 See also : "maxconn" and the target operating system's tuning guide.
1239
1240
Willy Tarreau0ba27502007-12-24 16:55:16 +01001241balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001242balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001243 Define the load balancing algorithm to be used in a backend.
1244 May be used in sections : defaults | frontend | listen | backend
1245 yes | no | yes | yes
1246 Arguments :
1247 <algorithm> is the algorithm used to select a server when doing load
1248 balancing. This only applies when no persistence information
1249 is available, or when a connection is redispatched to another
1250 server. <algorithm> may be one of the following :
1251
1252 roundrobin Each server is used in turns, according to their weights.
1253 This is the smoothest and fairest algorithm when the server's
1254 processing time remains equally distributed. This algorithm
1255 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001256 on the fly for slow starts for instance. It is limited by
1257 design to 4128 active servers per backend. Note that in some
1258 large farms, when a server becomes up after having been down
1259 for a very short time, it may sometimes take a few hundreds
1260 requests for it to be re-integrated into the farm and start
1261 receiving traffic. This is normal, though very rare. It is
1262 indicated here in case you would have the chance to observe
1263 it, so that you don't worry.
1264
1265 static-rr Each server is used in turns, according to their weights.
1266 This algorithm is as similar to roundrobin except that it is
1267 static, which means that changing a server's weight on the
1268 fly will have no effect. On the other hand, it has no design
1269 limitation on the number of servers, and when a server goes
1270 up, it is always immediately reintroduced into the farm, once
1271 the full map is recomputed. It also uses slightly less CPU to
1272 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001273
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001274 leastconn The server with the lowest number of connections receives the
1275 connection. Round-robin is performed within groups of servers
1276 of the same load to ensure that all servers will be used. Use
1277 of this algorithm is recommended where very long sessions are
1278 expected, such as LDAP, SQL, TSE, etc... but is not very well
1279 suited for protocols using short sessions such as HTTP. This
1280 algorithm is dynamic, which means that server weights may be
1281 adjusted on the fly for slow starts for instance.
1282
Willy Tarreauf09c6602012-02-13 17:12:08 +01001283 first The first server with available connection slots receives the
1284 connection. The servers are choosen from the lowest numeric
1285 identifier to the highest (see server parameter "id"), which
1286 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001287 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001288 not make sense to use this algorithm without setting maxconn.
1289 The purpose of this algorithm is to always use the smallest
1290 number of servers so that extra servers can be powered off
1291 during non-intensive hours. This algorithm ignores the server
1292 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001293 or IMAP than HTTP, though it can be useful there too. In
1294 order to use this algorithm efficiently, it is recommended
1295 that a cloud controller regularly checks server usage to turn
1296 them off when unused, and regularly checks backend queue to
1297 turn new servers on when the queue inflates. Alternatively,
1298 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001299
Willy Tarreau0ba27502007-12-24 16:55:16 +01001300 source The source IP address is hashed and divided by the total
1301 weight of the running servers to designate which server will
1302 receive the request. This ensures that the same client IP
1303 address will always reach the same server as long as no
1304 server goes down or up. If the hash result changes due to the
1305 number of running servers changing, many clients will be
1306 directed to a different server. This algorithm is generally
1307 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001308 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001309 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001310 static by default, which means that changing a server's
1311 weight on the fly will have no effect, but this can be
1312 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001313
Oskar Stolc8dc41842012-05-19 10:19:54 +01001314 uri This algorithm hashes either the left part of the URI (before
1315 the question mark) or the whole URI (if the "whole" parameter
1316 is present) and divides the hash value by the total weight of
1317 the running servers. The result designates which server will
1318 receive the request. This ensures that the same URI will
1319 always be directed to the same server as long as no server
1320 goes up or down. This is used with proxy caches and
1321 anti-virus proxies in order to maximize the cache hit rate.
1322 Note that this algorithm may only be used in an HTTP backend.
1323 This algorithm is static by default, which means that
1324 changing a server's weight on the fly will have no effect,
1325 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001326
Oskar Stolc8dc41842012-05-19 10:19:54 +01001327 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001328 "depth", both followed by a positive integer number. These
1329 options may be helpful when it is needed to balance servers
1330 based on the beginning of the URI only. The "len" parameter
1331 indicates that the algorithm should only consider that many
1332 characters at the beginning of the URI to compute the hash.
1333 Note that having "len" set to 1 rarely makes sense since most
1334 URIs start with a leading "/".
1335
1336 The "depth" parameter indicates the maximum directory depth
1337 to be used to compute the hash. One level is counted for each
1338 slash in the request. If both parameters are specified, the
1339 evaluation stops when either is reached.
1340
Willy Tarreau0ba27502007-12-24 16:55:16 +01001341 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001342 the query string of each HTTP GET request.
1343
1344 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001345 request entity will be searched for the parameter argument,
1346 when it is not found in a query string after a question mark
1347 ('?') in the URL. Optionally, specify a number of octets to
1348 wait for before attempting to search the message body. If the
1349 entity can not be searched, then round robin is used for each
1350 request. For instance, if your clients always send the LB
1351 parameter in the first 128 bytes, then specify that. The
1352 default is 48. The entity data will not be scanned until the
1353 required number of octets have arrived at the gateway, this
1354 is the minimum of: (default/max_wait, Content-Length or first
1355 chunk length). If Content-Length is missing or zero, it does
1356 not need to wait for more data than the client promised to
1357 send. When Content-Length is present and larger than
1358 <max_wait>, then waiting is limited to <max_wait> and it is
1359 assumed that this will be enough data to search for the
1360 presence of the parameter. In the unlikely event that
1361 Transfer-Encoding: chunked is used, only the first chunk is
1362 scanned. Parameter values separated by a chunk boundary, may
1363 be randomly balanced if at all.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001364
1365 If the parameter is found followed by an equal sign ('=') and
1366 a value, then the value is hashed and divided by the total
1367 weight of the running servers. The result designates which
1368 server will receive the request.
1369
1370 This is used to track user identifiers in requests and ensure
1371 that a same user ID will always be sent to the same server as
1372 long as no server goes up or down. If no value is found or if
1373 the parameter is not found, then a round robin algorithm is
1374 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001375 backend. This algorithm is static by default, which means
1376 that changing a server's weight on the fly will have no
1377 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001378
Cyril Bontédc4d9032012-04-08 21:57:39 +02001379 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1380 request. Just as with the equivalent ACL 'hdr()' function,
1381 the header name in parenthesis is not case sensitive. If the
1382 header is absent or if it does not contain any value, the
1383 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001384
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001385 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001386 reducing the hash algorithm to the main domain part with some
1387 specific headers such as 'Host'. For instance, in the Host
1388 value "haproxy.1wt.eu", only "1wt" will be considered.
1389
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001390 This algorithm is static by default, which means that
1391 changing a server's weight on the fly will have no effect,
1392 but this can be changed using "hash-type".
1393
Emeric Brun736aa232009-06-30 17:56:00 +02001394 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001395 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001396 The RDP cookie <name> (or "mstshash" if omitted) will be
1397 looked up and hashed for each incoming TCP request. Just as
1398 with the equivalent ACL 'req_rdp_cookie()' function, the name
1399 is not case-sensitive. This mechanism is useful as a degraded
1400 persistence mode, as it makes it possible to always send the
1401 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001402 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001403 used instead.
1404
1405 Note that for this to work, the frontend must ensure that an
1406 RDP cookie is already present in the request buffer. For this
1407 you must use 'tcp-request content accept' rule combined with
1408 a 'req_rdp_cookie_cnt' ACL.
1409
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001410 This algorithm is static by default, which means that
1411 changing a server's weight on the fly will have no effect,
1412 but this can be changed using "hash-type".
1413
Cyril Bontédc4d9032012-04-08 21:57:39 +02001414 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001415
Willy Tarreau0ba27502007-12-24 16:55:16 +01001416 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001417 algorithms. Right now, only "url_param" and "uri" support an
1418 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001419
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001420 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001421 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001422
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001423 The load balancing algorithm of a backend is set to roundrobin when no other
1424 algorithm, mode nor option have been set. The algorithm may only be set once
1425 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001426
1427 Examples :
1428 balance roundrobin
1429 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001430 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001431 balance hdr(User-Agent)
1432 balance hdr(host)
1433 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001434
1435 Note: the following caveats and limitations on using the "check_post"
1436 extension with "url_param" must be considered :
1437
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001438 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001439 to determine if the parameters will be found in the body or entity which
1440 may contain binary data. Therefore another method may be required to
1441 restrict consideration of POST requests that have no URL parameters in
1442 the body. (see acl reqideny http_end)
1443
1444 - using a <max_wait> value larger than the request buffer size does not
1445 make sense and is useless. The buffer size is set at build time, and
1446 defaults to 16 kB.
1447
1448 - Content-Encoding is not supported, the parameter search will probably
1449 fail; and load balancing will fall back to Round Robin.
1450
1451 - Expect: 100-continue is not supported, load balancing will fall back to
1452 Round Robin.
1453
1454 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1455 If the entire parameter value is not present in the first chunk, the
1456 selection of server is undefined (actually, defined by how little
1457 actually appeared in the first chunk).
1458
1459 - This feature does not support generation of a 100, 411 or 501 response.
1460
1461 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001462 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001463 white space or control characters are found, indicating the end of what
1464 might be a URL parameter list. This is probably not a concern with SGML
1465 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001466
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001467 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1468 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001469
1470
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001471bind [<address>]:<port_range> [, ...]
1472bind [<address>]:<port_range> [, ...] interface <interface>
1473bind [<address>]:<port_range> [, ...] mss <maxseg>
1474bind [<address>]:<port_range> [, ...] transparent
1475bind [<address>]:<port_range> [, ...] id <id>
1476bind [<address>]:<port_range> [, ...] name <name>
1477bind [<address>]:<port_range> [, ...] defer-accept
Willy Tarreau71c814e2010-10-29 21:56:16 +02001478bind [<address>]:<port_range> [, ...] accept-proxy
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001479bind /<path> [, ...]
1480bind /<path> [, ...] mode <mode>
1481bind /<path> [, ...] [ user <user> | uid <uid> ]
1482bind /<path> [, ...] [ group <user> | gid <gid> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001483 Define one or several listening addresses and/or ports in a frontend.
1484 May be used in sections : defaults | frontend | listen | backend
1485 no | yes | yes | no
1486 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001487 <address> is optional and can be a host name, an IPv4 address, an IPv6
1488 address, or '*'. It designates the address the frontend will
1489 listen on. If unset, all IPv4 addresses of the system will be
1490 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001491 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001492
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001493 <port_range> is either a unique TCP port, or a port range for which the
1494 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001495 above. The port is mandatory for TCP listeners. Note that in
1496 the case of an IPv6 address, the port is always the number
1497 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001498 - a numerical port (ex: '80')
1499 - a dash-delimited ports range explicitly stating the lower
1500 and upper bounds (ex: '2000-2100') which are included in
1501 the range.
1502
1503 Particular care must be taken against port ranges, because
1504 every <address:port> couple consumes one socket (= a file
1505 descriptor), so it's easy to consume lots of descriptors
1506 with a simple range, and to run out of sockets. Also, each
1507 <address:port> couple must be used only once among all
1508 instances running on a same system. Please note that binding
1509 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001510 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001511 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001512
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001513 <path> is a UNIX socket path beginning with a slash ('/'). This is
1514 alternative to the TCP listening port. Haproxy will then
1515 receive UNIX connections on the socket located at this place.
1516 The path must begin with a slash and by default is absolute.
1517 It can be relative to the prefix defined by "unix-bind" in
1518 the global section. Note that the total length of the prefix
1519 followed by the socket path cannot exceed some system limits
1520 for UNIX sockets, which commonly are set to 107 characters.
1521
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001522 <interface> is an optional physical interface name. This is currently
1523 only supported on Linux. The interface must be a physical
1524 interface, not an aliased interface. When specified, all
1525 addresses on the same line will only be accepted if the
1526 incoming packet physically come through the designated
1527 interface. It is also possible to bind multiple frontends to
1528 the same address if they are bound to different interfaces.
1529 Note that binding to a physical interface requires root
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001530 privileges. This parameter is only compatible with TCP
1531 sockets.
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001532
Willy Tarreaube1b9182009-06-14 18:48:19 +02001533 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1534 advertised on incoming connections. This can be used to force
1535 a lower MSS for certain specific ports, for instance for
1536 connections passing through a VPN. Note that this relies on a
Jamie Gloudonaaa21002012-08-25 00:18:33 -04001537 kernel feature which is theoretically supported under Linux
1538 but was buggy in all versions prior to 2.6.28. It may or may
1539 not work on other operating systems. It may also not change
1540 the advertised value but change the effective size of
1541 outgoing segments. The commonly advertised value on Ethernet
1542 networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
1543 positive, it will be used as the advertised MSS. If it is
1544 negative, it will indicate by how much to reduce the incoming
1545 connection's advertised MSS for outgoing segments. This
1546 parameter is only compatible with TCP sockets.
Willy Tarreaube1b9182009-06-14 18:48:19 +02001547
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001548 <id> is a persistent value for socket ID. Must be positive and
1549 unique in the proxy. An unused value will automatically be
1550 assigned if unset. Can only be used when defining only a
1551 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001552
1553 <name> is an optional name provided for stats
1554
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001555 <mode> is the octal mode used to define access permissions on the
1556 UNIX socket. It can also be set by default in the global
1557 section's "unix-bind" statement. Note that some platforms
1558 simply ignore this.
1559
1560 <user> is the name of user that will be marked owner of the UNIX
1561 socket. It can also be set by default in the global
1562 section's "unix-bind" statement. Note that some platforms
1563 simply ignore this.
1564
1565 <group> is the name of a group that will be used to create the UNIX
1566 socket. It can also be set by default in the global section's
1567 "unix-bind" statement. Note that some platforms simply ignore
1568 this.
1569
1570 <uid> is the uid of user that will be marked owner of the UNIX
1571 socket. It can also be set by default in the global section's
1572 "unix-bind" statement. Note that some platforms simply ignore
1573 this.
1574
1575 <gid> is the gid of a group that will be used to create the UNIX
1576 socket. It can also be set by default in the global section's
1577 "unix-bind" statement. Note that some platforms simply ignore
1578 this.
1579
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001580 transparent is an optional keyword which is supported only on certain
1581 Linux kernels. It indicates that the addresses will be bound
1582 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001583 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001584 the address was locally configured. This normally requires
1585 that IP forwarding is enabled. Caution! do not use this with
1586 the default address '*', as it would redirect any traffic for
1587 the specified port. This keyword is available only when
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001588 HAProxy is built with USE_LINUX_TPROXY=1. This parameter is
1589 only compatible with TCP sockets.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001590
Willy Tarreau59f89202010-10-02 11:54:00 +02001591 defer-accept is an optional keyword which is supported only on certain
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001592 Linux kernels. It states that a connection will only be
1593 accepted once some data arrive on it, or at worst after the
1594 first retransmit. This should be used only on protocols for
1595 which the client talks first (eg: HTTP). It can slightly
1596 improve performance by ensuring that most of the request is
1597 already available when the connection is accepted. On the
1598 other hand, it will not be able to detect connections which
1599 don't talk. It is important to note that this option is
1600 broken in all kernels up to 2.6.31, as the connection is
1601 never accepted until the client talks. This can cause issues
1602 with front firewalls which would see an established
1603 connection while the proxy will only see it in SYN_RECV.
1604
Willy Tarreau71c814e2010-10-29 21:56:16 +02001605 accept-proxy is an optional keyword which enforces use of the PROXY
1606 protocol over any connection accepted by this listener. The
1607 PROXY protocol dictates the layer 3/4 addresses of the
1608 incoming connection to be used everywhere an address is used,
1609 with the only exception of "tcp-request connection" rules
1610 which will only see the real connection address. Logs will
1611 reflect the addresses indicated in the protocol, unless it is
1612 violated, in which case the real address will still be used.
1613 This keyword combined with support from external components
1614 can be used as an efficient and reliable alternative to the
1615 X-Forwarded-For mechanism which is not always reliable and
1616 not even always usable.
1617
Willy Tarreau0ba27502007-12-24 16:55:16 +01001618 It is possible to specify a list of address:port combinations delimited by
1619 commas. The frontend will then listen on all of these addresses. There is no
1620 fixed limit to the number of addresses and ports which can be listened on in
1621 a frontend, as well as there is no limit to the number of "bind" statements
1622 in a frontend.
1623
1624 Example :
1625 listen http_proxy
1626 bind :80,:443
1627 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001628 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001629
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001630 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreau71c814e2010-10-29 21:56:16 +02001631 documentation.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001632
1633
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001634bind-process [ all | odd | even | <number 1-32> ] ...
1635 Limit visibility of an instance to a certain set of processes numbers.
1636 May be used in sections : defaults | frontend | listen | backend
1637 yes | yes | yes | yes
1638 Arguments :
1639 all All process will see this instance. This is the default. It
1640 may be used to override a default value.
1641
1642 odd This instance will be enabled on processes 1,3,5,...31. This
1643 option may be combined with other numbers.
1644
1645 even This instance will be enabled on processes 2,4,6,...32. This
1646 option may be combined with other numbers. Do not use it
1647 with less than 2 processes otherwise some instances might be
1648 missing from all processes.
1649
1650 number The instance will be enabled on this process number, between
1651 1 and 32. You must be careful not to reference a process
1652 number greater than the configured global.nbproc, otherwise
1653 some instances might be missing from all processes.
1654
1655 This keyword limits binding of certain instances to certain processes. This
1656 is useful in order not to have too many processes listening to the same
1657 ports. For instance, on a dual-core machine, it might make sense to set
1658 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1659 and 'even' instances.
1660
1661 At the moment, it is not possible to reference more than 32 processes using
1662 this keyword, but this should be more than enough for most setups. Please
1663 note that 'all' really means all processes and is not limited to the first
1664 32.
1665
1666 If some backends are referenced by frontends bound to other processes, the
1667 backend automatically inherits the frontend's processes.
1668
1669 Example :
1670 listen app_ip1
1671 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001672 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001673
1674 listen app_ip2
1675 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001676 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001677
1678 listen management
1679 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001680 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001681
1682 See also : "nbproc" in global section.
1683
1684
Willy Tarreau0ba27502007-12-24 16:55:16 +01001685block { if | unless } <condition>
1686 Block a layer 7 request if/unless a condition is matched
1687 May be used in sections : defaults | frontend | listen | backend
1688 no | yes | yes | yes
1689
1690 The HTTP request will be blocked very early in the layer 7 processing
1691 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001692 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02001693 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01001694 conditions are met or not met. There is no fixed limit to the number of
1695 "block" statements per instance.
1696
1697 Example:
1698 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1699 acl invalid_src src_port 0:1023
1700 acl local_dst hdr(host) -i localhost
1701 block if invalid_src || local_dst
1702
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001703 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001704
1705
1706capture cookie <name> len <length>
1707 Capture and log a cookie in the request and in the response.
1708 May be used in sections : defaults | frontend | listen | backend
1709 no | yes | yes | no
1710 Arguments :
1711 <name> is the beginning of the name of the cookie to capture. In order
1712 to match the exact name, simply suffix the name with an equal
1713 sign ('='). The full name will appear in the logs, which is
1714 useful with application servers which adjust both the cookie name
1715 and value (eg: ASPSESSIONXXXXX).
1716
1717 <length> is the maximum number of characters to report in the logs, which
1718 include the cookie name, the equal sign and the value, all in the
1719 standard "name=value" form. The string will be truncated on the
1720 right if it exceeds <length>.
1721
1722 Only the first cookie is captured. Both the "cookie" request headers and the
1723 "set-cookie" response headers are monitored. This is particularly useful to
1724 check for application bugs causing session crossing or stealing between
1725 users, because generally the user's cookies can only change on a login page.
1726
1727 When the cookie was not presented by the client, the associated log column
1728 will report "-". When a request does not cause a cookie to be assigned by the
1729 server, a "-" is reported in the response column.
1730
1731 The capture is performed in the frontend only because it is necessary that
1732 the log format does not change for a given frontend depending on the
1733 backends. This may change in the future. Note that there can be only one
1734 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001735 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001736 specify a capture in a "defaults" section.
1737
1738 Example:
1739 capture cookie ASPSESSION len 32
1740
1741 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001742 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001743
1744
1745capture request header <name> len <length>
1746 Capture and log the first occurrence of the specified request header.
1747 May be used in sections : defaults | frontend | listen | backend
1748 no | yes | yes | no
1749 Arguments :
1750 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001751 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001752 appear in the requests, with the first letter of each word in
1753 upper case. The header name will not appear in the logs, only the
1754 value is reported, but the position in the logs is respected.
1755
1756 <length> is the maximum number of characters to extract from the value and
1757 report in the logs. The string will be truncated on the right if
1758 it exceeds <length>.
1759
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001760 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001761 value will be added to the logs between braces ('{}'). If multiple headers
1762 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001763 in the same order they were declared in the configuration. Non-existent
1764 headers will be logged just as an empty string. Common uses for request
1765 header captures include the "Host" field in virtual hosting environments, the
1766 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001767 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001768 environments to find where the request came from.
1769
1770 Note that when capturing headers such as "User-agent", some spaces may be
1771 logged, making the log analysis more difficult. Thus be careful about what
1772 you log if you know your log parser is not smart enough to rely on the
1773 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001774
1775 There is no limit to the number of captured request headers, but each capture
1776 is limited to 64 characters. In order to keep log format consistent for a
1777 same frontend, header captures can only be declared in a frontend. It is not
1778 possible to specify a capture in a "defaults" section.
1779
1780 Example:
1781 capture request header Host len 15
1782 capture request header X-Forwarded-For len 15
1783 capture request header Referrer len 15
1784
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001785 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001786 about logging.
1787
1788
1789capture response header <name> len <length>
1790 Capture and log the first occurrence of the specified response header.
1791 May be used in sections : defaults | frontend | listen | backend
1792 no | yes | yes | no
1793 Arguments :
1794 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001795 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001796 appear in the response, with the first letter of each word in
1797 upper case. The header name will not appear in the logs, only the
1798 value is reported, but the position in the logs is respected.
1799
1800 <length> is the maximum number of characters to extract from the value and
1801 report in the logs. The string will be truncated on the right if
1802 it exceeds <length>.
1803
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001804 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001805 result will be added to the logs between braces ('{}') after the captured
1806 request headers. If multiple headers are captured, they will be delimited by
1807 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001808 the configuration. Non-existent headers will be logged just as an empty
1809 string. Common uses for response header captures include the "Content-length"
1810 header which indicates how many bytes are expected to be returned, the
1811 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001812
1813 There is no limit to the number of captured response headers, but each
1814 capture is limited to 64 characters. In order to keep log format consistent
1815 for a same frontend, header captures can only be declared in a frontend. It
1816 is not possible to specify a capture in a "defaults" section.
1817
1818 Example:
1819 capture response header Content-length len 9
1820 capture response header Location len 15
1821
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001822 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001823 about logging.
1824
1825
Cyril Bontéf0c60612010-02-06 14:44:47 +01001826clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001827 Set the maximum inactivity time on the client side.
1828 May be used in sections : defaults | frontend | listen | backend
1829 yes | yes | yes | no
1830 Arguments :
1831 <timeout> is the timeout value is specified in milliseconds by default, but
1832 can be in any other unit if the number is suffixed by the unit,
1833 as explained at the top of this document.
1834
1835 The inactivity timeout applies when the client is expected to acknowledge or
1836 send data. In HTTP mode, this timeout is particularly important to consider
1837 during the first phase, when the client sends the request, and during the
1838 response while it is reading data sent by the server. The value is specified
1839 in milliseconds by default, but can be in any other unit if the number is
1840 suffixed by the unit, as specified at the top of this document. In TCP mode
1841 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1842 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001843 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001844 losses by specifying timeouts that are slightly above multiples of 3 seconds
1845 (eg: 4 or 5 seconds).
1846
1847 This parameter is specific to frontends, but can be specified once for all in
1848 "defaults" sections. This is in fact one of the easiest solutions not to
1849 forget about it. An unspecified timeout results in an infinite timeout, which
1850 is not recommended. Such a usage is accepted and works but reports a warning
1851 during startup because it may results in accumulation of expired sessions in
1852 the system if the system's timeouts are not configured either.
1853
1854 This parameter is provided for compatibility but is currently deprecated.
1855 Please use "timeout client" instead.
1856
Willy Tarreau036fae02008-01-06 13:24:40 +01001857 See also : "timeout client", "timeout http-request", "timeout server", and
1858 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001859
1860
Cyril Bontéf0c60612010-02-06 14:44:47 +01001861contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001862 Set the maximum time to wait for a connection attempt to a server to succeed.
1863 May be used in sections : defaults | frontend | listen | backend
1864 yes | no | yes | yes
1865 Arguments :
1866 <timeout> is the timeout value is specified in milliseconds by default, but
1867 can be in any other unit if the number is suffixed by the unit,
1868 as explained at the top of this document.
1869
1870 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001871 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001872 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001873 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1874 connect timeout also presets the queue timeout to the same value if this one
1875 has not been specified. Historically, the contimeout was also used to set the
1876 tarpit timeout in a listen section, which is not possible in a pure frontend.
1877
1878 This parameter is specific to backends, but can be specified once for all in
1879 "defaults" sections. This is in fact one of the easiest solutions not to
1880 forget about it. An unspecified timeout results in an infinite timeout, which
1881 is not recommended. Such a usage is accepted and works but reports a warning
1882 during startup because it may results in accumulation of failed sessions in
1883 the system if the system's timeouts are not configured either.
1884
1885 This parameter is provided for backwards compatibility but is currently
1886 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1887 instead.
1888
1889 See also : "timeout connect", "timeout queue", "timeout tarpit",
1890 "timeout server", "contimeout".
1891
1892
Willy Tarreau55165fe2009-05-10 12:02:55 +02001893cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02001894 [ postonly ] [ preserve ] [ httponly ] [ secure ]
1895 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001896 Enable cookie-based persistence in a backend.
1897 May be used in sections : defaults | frontend | listen | backend
1898 yes | no | yes | yes
1899 Arguments :
1900 <name> is the name of the cookie which will be monitored, modified or
1901 inserted in order to bring persistence. This cookie is sent to
1902 the client via a "Set-Cookie" header in the response, and is
1903 brought back by the client in a "Cookie" header in all requests.
1904 Special care should be taken to choose a name which does not
1905 conflict with any likely application cookie. Also, if the same
1906 backends are subject to be used by the same clients (eg:
1907 HTTP/HTTPS), care should be taken to use different cookie names
1908 between all backends if persistence between them is not desired.
1909
1910 rewrite This keyword indicates that the cookie will be provided by the
1911 server and that haproxy will have to modify its value to set the
1912 server's identifier in it. This mode is handy when the management
1913 of complex combinations of "Set-cookie" and "Cache-control"
1914 headers is left to the application. The application can then
1915 decide whether or not it is appropriate to emit a persistence
1916 cookie. Since all responses should be monitored, this mode only
1917 works in HTTP close mode. Unless the application behaviour is
1918 very complex and/or broken, it is advised not to start with this
1919 mode for new deployments. This keyword is incompatible with
1920 "insert" and "prefix".
1921
1922 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02001923 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001924
Willy Tarreaua79094d2010-08-31 22:54:15 +02001925 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001926 server. When used without the "preserve" option, if the server
1927 emits a cookie with the same name, it will be remove before
1928 processing. For this reason, this mode can be used to upgrade
1929 existing configurations running in the "rewrite" mode. The cookie
1930 will only be a session cookie and will not be stored on the
1931 client's disk. By default, unless the "indirect" option is added,
1932 the server will see the cookies emitted by the client. Due to
1933 caching effects, it is generally wise to add the "nocache" or
1934 "postonly" keywords (see below). The "insert" keyword is not
1935 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001936
1937 prefix This keyword indicates that instead of relying on a dedicated
1938 cookie for the persistence, an existing one will be completed.
1939 This may be needed in some specific environments where the client
1940 does not support more than one single cookie and the application
1941 already needs it. In this case, whenever the server sets a cookie
1942 named <name>, it will be prefixed with the server's identifier
1943 and a delimiter. The prefix will be removed from all client
1944 requests so that the server still finds the cookie it emitted.
1945 Since all requests and responses are subject to being modified,
1946 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02001947 not compatible with "rewrite" and "insert". Note: it is highly
1948 recommended not to use "indirect" with "prefix", otherwise server
1949 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001950
Willy Tarreaua79094d2010-08-31 22:54:15 +02001951 indirect When this option is specified, no cookie will be emitted to a
1952 client which already has a valid one for the server which has
1953 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001954 it will be removed, unless the "preserve" option is also set. In
1955 "insert" mode, this will additionally remove cookies from the
1956 requests transmitted to the server, making the persistence
1957 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02001958 Note: it is highly recommended not to use "indirect" with
1959 "prefix", otherwise server cookie updates would not be sent to
1960 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001961
1962 nocache This option is recommended in conjunction with the insert mode
1963 when there is a cache between the client and HAProxy, as it
1964 ensures that a cacheable response will be tagged non-cacheable if
1965 a cookie needs to be inserted. This is important because if all
1966 persistence cookies are added on a cacheable home page for
1967 instance, then all customers will then fetch the page from an
1968 outer cache and will all share the same persistence cookie,
1969 leading to one server receiving much more traffic than others.
1970 See also the "insert" and "postonly" options.
1971
1972 postonly This option ensures that cookie insertion will only be performed
1973 on responses to POST requests. It is an alternative to the
1974 "nocache" option, because POST responses are not cacheable, so
1975 this ensures that the persistence cookie will never get cached.
1976 Since most sites do not need any sort of persistence before the
1977 first POST which generally is a login request, this is a very
1978 efficient method to optimize caching without risking to find a
1979 persistence cookie in the cache.
1980 See also the "insert" and "nocache" options.
1981
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001982 preserve This option may only be used with "insert" and/or "indirect". It
1983 allows the server to emit the persistence cookie itself. In this
1984 case, if a cookie is found in the response, haproxy will leave it
1985 untouched. This is useful in order to end persistence after a
1986 logout request for instance. For this, the server just has to
1987 emit a cookie with an invalid value (eg: empty) or with a date in
1988 the past. By combining this mechanism with the "disable-on-404"
1989 check option, it is possible to perform a completely graceful
1990 shutdown because users will definitely leave the server after
1991 they logout.
1992
Willy Tarreau4992dd22012-05-31 21:02:17 +02001993 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
1994 when a cookie is inserted. This attribute is used so that a
1995 user agent doesn't share the cookie with non-HTTP components.
1996 Please check RFC6265 for more information on this attribute.
1997
1998 secure This option tells haproxy to add a "Secure" cookie attribute when
1999 a cookie is inserted. This attribute is used so that a user agent
2000 never emits this cookie over non-secure channels, which means
2001 that a cookie learned with this flag will be presented only over
2002 SSL/TLS connections. Please check RFC6265 for more information on
2003 this attribute.
2004
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002005 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002006 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01002007 name. If the domain begins with a dot, the browser is allowed to
2008 use it for any host ending with that name. It is also possible to
2009 specify several domain names by invoking this option multiple
2010 times. Some browsers might have small limits on the number of
2011 domains, so be careful when doing that. For the record, sending
2012 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002013
Willy Tarreau996a92c2010-10-13 19:30:47 +02002014 maxidle This option allows inserted cookies to be ignored after some idle
2015 time. It only works with insert-mode cookies. When a cookie is
2016 sent to the client, the date this cookie was emitted is sent too.
2017 Upon further presentations of this cookie, if the date is older
2018 than the delay indicated by the parameter (in seconds), it will
2019 be ignored. Otherwise, it will be refreshed if needed when the
2020 response is sent to the client. This is particularly useful to
2021 prevent users who never close their browsers from remaining for
2022 too long on the same server (eg: after a farm size change). When
2023 this option is set and a cookie has no date, it is always
2024 accepted, but gets refreshed in the response. This maintains the
2025 ability for admins to access their sites. Cookies that have a
2026 date in the future further than 24 hours are ignored. Doing so
2027 lets admins fix timezone issues without risking kicking users off
2028 the site.
2029
2030 maxlife This option allows inserted cookies to be ignored after some life
2031 time, whether they're in use or not. It only works with insert
2032 mode cookies. When a cookie is first sent to the client, the date
2033 this cookie was emitted is sent too. Upon further presentations
2034 of this cookie, if the date is older than the delay indicated by
2035 the parameter (in seconds), it will be ignored. If the cookie in
2036 the request has no date, it is accepted and a date will be set.
2037 Cookies that have a date in the future further than 24 hours are
2038 ignored. Doing so lets admins fix timezone issues without risking
2039 kicking users off the site. Contrary to maxidle, this value is
2040 not refreshed, only the first visit date counts. Both maxidle and
2041 maxlife may be used at the time. This is particularly useful to
2042 prevent users who never close their browsers from remaining for
2043 too long on the same server (eg: after a farm size change). This
2044 is stronger than the maxidle method in that it forces a
2045 redispatch after some absolute delay.
2046
Willy Tarreau0ba27502007-12-24 16:55:16 +01002047 There can be only one persistence cookie per HTTP backend, and it can be
2048 declared in a defaults section. The value of the cookie will be the value
2049 indicated after the "cookie" keyword in a "server" statement. If no cookie
2050 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002051
Willy Tarreau0ba27502007-12-24 16:55:16 +01002052 Examples :
2053 cookie JSESSIONID prefix
2054 cookie SRV insert indirect nocache
2055 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002056 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002057
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002058 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002059 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002060
Willy Tarreau983e01e2010-01-11 18:42:06 +01002061
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002062default-server [param*]
2063 Change default options for a server in a backend
2064 May be used in sections : defaults | frontend | listen | backend
2065 yes | no | yes | yes
2066 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002067 <param*> is a list of parameters for this server. The "default-server"
2068 keyword accepts an important number of options and has a complete
2069 section dedicated to it. Please refer to section 5 for more
2070 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002071
Willy Tarreau983e01e2010-01-11 18:42:06 +01002072 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002073 default-server inter 1000 weight 13
2074
2075 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002076
Willy Tarreau983e01e2010-01-11 18:42:06 +01002077
Willy Tarreau0ba27502007-12-24 16:55:16 +01002078default_backend <backend>
2079 Specify the backend to use when no "use_backend" rule has been matched.
2080 May be used in sections : defaults | frontend | listen | backend
2081 yes | yes | yes | no
2082 Arguments :
2083 <backend> is the name of the backend to use.
2084
2085 When doing content-switching between frontend and backends using the
2086 "use_backend" keyword, it is often useful to indicate which backend will be
2087 used when no rule has matched. It generally is the dynamic backend which
2088 will catch all undetermined requests.
2089
Willy Tarreau0ba27502007-12-24 16:55:16 +01002090 Example :
2091
2092 use_backend dynamic if url_dyn
2093 use_backend static if url_css url_img extension_img
2094 default_backend dynamic
2095
Willy Tarreau2769aa02007-12-27 18:26:09 +01002096 See also : "use_backend", "reqsetbe", "reqisetbe"
2097
Willy Tarreau0ba27502007-12-24 16:55:16 +01002098
2099disabled
2100 Disable a proxy, frontend or backend.
2101 May be used in sections : defaults | frontend | listen | backend
2102 yes | yes | yes | yes
2103 Arguments : none
2104
2105 The "disabled" keyword is used to disable an instance, mainly in order to
2106 liberate a listening port or to temporarily disable a service. The instance
2107 will still be created and its configuration will be checked, but it will be
2108 created in the "stopped" state and will appear as such in the statistics. It
2109 will not receive any traffic nor will it send any health-checks or logs. It
2110 is possible to disable many instances at once by adding the "disabled"
2111 keyword in a "defaults" section.
2112
2113 See also : "enabled"
2114
2115
Willy Tarreau5ce94572010-06-07 14:35:41 +02002116dispatch <address>:<port>
2117 Set a default server address
2118 May be used in sections : defaults | frontend | listen | backend
2119 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002120 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002121
2122 <address> is the IPv4 address of the default server. Alternatively, a
2123 resolvable hostname is supported, but this name will be resolved
2124 during start-up.
2125
2126 <ports> is a mandatory port specification. All connections will be sent
2127 to this port, and it is not permitted to use port offsets as is
2128 possible with normal servers.
2129
Willy Tarreau787aed52011-04-15 06:45:37 +02002130 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002131 server can take the connection. In the past it was used to forward non
2132 persistent connections to an auxiliary load balancer. Due to its simple
2133 syntax, it has also been used for simple TCP relays. It is recommended not to
2134 use it for more clarity, and to use the "server" directive instead.
2135
2136 See also : "server"
2137
2138
Willy Tarreau0ba27502007-12-24 16:55:16 +01002139enabled
2140 Enable a proxy, frontend or backend.
2141 May be used in sections : defaults | frontend | listen | backend
2142 yes | yes | yes | yes
2143 Arguments : none
2144
2145 The "enabled" keyword is used to explicitly enable an instance, when the
2146 defaults has been set to "disabled". This is very rarely used.
2147
2148 See also : "disabled"
2149
2150
2151errorfile <code> <file>
2152 Return a file contents instead of errors generated by HAProxy
2153 May be used in sections : defaults | frontend | listen | backend
2154 yes | yes | yes | yes
2155 Arguments :
2156 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002157 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002158
2159 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002160 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002161 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002162 error pages, and to use absolute paths, since files are read
2163 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002164
2165 It is important to understand that this keyword is not meant to rewrite
2166 errors returned by the server, but errors detected and returned by HAProxy.
2167 This is why the list of supported errors is limited to a small set.
2168
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002169 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2170
Willy Tarreau0ba27502007-12-24 16:55:16 +01002171 The files are returned verbatim on the TCP socket. This allows any trick such
2172 as redirections to another URL or site, as well as tricks to clean cookies,
2173 force enable or disable caching, etc... The package provides default error
2174 files returning the same contents as default errors.
2175
Willy Tarreau59140a22009-02-22 12:02:30 +01002176 The files should not exceed the configured buffer size (BUFSIZE), which
2177 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2178 not to put any reference to local contents (eg: images) in order to avoid
2179 loops between the client and HAProxy when all servers are down, causing an
2180 error to be returned instead of an image. For better HTTP compliance, it is
2181 recommended that all header lines end with CR-LF and not LF alone.
2182
Willy Tarreau0ba27502007-12-24 16:55:16 +01002183 The files are read at the same time as the configuration and kept in memory.
2184 For this reason, the errors continue to be returned even when the process is
2185 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002186 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002187 403 status code and interrogating a blocked URL.
2188
2189 See also : "errorloc", "errorloc302", "errorloc303"
2190
Willy Tarreau59140a22009-02-22 12:02:30 +01002191 Example :
2192 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
2193 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2194 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2195
Willy Tarreau2769aa02007-12-27 18:26:09 +01002196
2197errorloc <code> <url>
2198errorloc302 <code> <url>
2199 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2200 May be used in sections : defaults | frontend | listen | backend
2201 yes | yes | yes | yes
2202 Arguments :
2203 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002204 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002205
2206 <url> it is the exact contents of the "Location" header. It may contain
2207 either a relative URI to an error page hosted on the same site,
2208 or an absolute URI designating an error page on another site.
2209 Special care should be given to relative URIs to avoid redirect
2210 loops if the URI itself may generate the same error (eg: 500).
2211
2212 It is important to understand that this keyword is not meant to rewrite
2213 errors returned by the server, but errors detected and returned by HAProxy.
2214 This is why the list of supported errors is limited to a small set.
2215
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002216 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2217
Willy Tarreau2769aa02007-12-27 18:26:09 +01002218 Note that both keyword return the HTTP 302 status code, which tells the
2219 client to fetch the designated URL using the same HTTP method. This can be
2220 quite problematic in case of non-GET methods such as POST, because the URL
2221 sent to the client might not be allowed for something other than GET. To
2222 workaround this problem, please use "errorloc303" which send the HTTP 303
2223 status code, indicating to the client that the URL must be fetched with a GET
2224 request.
2225
2226 See also : "errorfile", "errorloc303"
2227
2228
2229errorloc303 <code> <url>
2230 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2231 May be used in sections : defaults | frontend | listen | backend
2232 yes | yes | yes | yes
2233 Arguments :
2234 <code> is the HTTP status code. Currently, HAProxy is capable of
2235 generating codes 400, 403, 408, 500, 502, 503, and 504.
2236
2237 <url> it is the exact contents of the "Location" header. It may contain
2238 either a relative URI to an error page hosted on the same site,
2239 or an absolute URI designating an error page on another site.
2240 Special care should be given to relative URIs to avoid redirect
2241 loops if the URI itself may generate the same error (eg: 500).
2242
2243 It is important to understand that this keyword is not meant to rewrite
2244 errors returned by the server, but errors detected and returned by HAProxy.
2245 This is why the list of supported errors is limited to a small set.
2246
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002247 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2248
Willy Tarreau2769aa02007-12-27 18:26:09 +01002249 Note that both keyword return the HTTP 303 status code, which tells the
2250 client to fetch the designated URL using the same HTTP GET method. This
2251 solves the usual problems associated with "errorloc" and the 302 code. It is
2252 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002253 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002254
2255 See also : "errorfile", "errorloc", "errorloc302"
2256
2257
Willy Tarreau4de91492010-01-22 19:10:05 +01002258force-persist { if | unless } <condition>
2259 Declare a condition to force persistence on down servers
2260 May be used in sections: defaults | frontend | listen | backend
2261 no | yes | yes | yes
2262
2263 By default, requests are not dispatched to down servers. It is possible to
2264 force this using "option persist", but it is unconditional and redispatches
2265 to a valid server if "option redispatch" is set. That leaves with very little
2266 possibilities to force some requests to reach a server which is artificially
2267 marked down for maintenance operations.
2268
2269 The "force-persist" statement allows one to declare various ACL-based
2270 conditions which, when met, will cause a request to ignore the down status of
2271 a server and still try to connect to it. That makes it possible to start a
2272 server, still replying an error to the health checks, and run a specially
2273 configured browser to test the service. Among the handy methods, one could
2274 use a specific source IP address, or a specific cookie. The cookie also has
2275 the advantage that it can easily be added/removed on the browser from a test
2276 page. Once the service is validated, it is then possible to open the service
2277 to the world by returning a valid response to health checks.
2278
2279 The forced persistence is enabled when an "if" condition is met, or unless an
2280 "unless" condition is met. The final redispatch is always disabled when this
2281 is used.
2282
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002283 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002284 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002285
2286
Willy Tarreau2769aa02007-12-27 18:26:09 +01002287fullconn <conns>
2288 Specify at what backend load the servers will reach their maxconn
2289 May be used in sections : defaults | frontend | listen | backend
2290 yes | no | yes | yes
2291 Arguments :
2292 <conns> is the number of connections on the backend which will make the
2293 servers use the maximal number of connections.
2294
Willy Tarreau198a7442008-01-17 12:05:32 +01002295 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002296 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002297 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002298 load. The server will then always accept at least <minconn> connections,
2299 never more than <maxconn>, and the limit will be on the ramp between both
2300 values when the backend has less than <conns> concurrent connections. This
2301 makes it possible to limit the load on the servers during normal loads, but
2302 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002303 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002304
Willy Tarreaufbb78422011-06-05 15:38:35 +02002305 Since it's hard to get this value right, haproxy automatically sets it to
2306 10% of the sum of the maxconns of all frontends that may branch to this
2307 backend. That way it's safe to leave it unset.
2308
Willy Tarreau2769aa02007-12-27 18:26:09 +01002309 Example :
2310 # The servers will accept between 100 and 1000 concurrent connections each
2311 # and the maximum of 1000 will be reached when the backend reaches 10000
2312 # connections.
2313 backend dynamic
2314 fullconn 10000
2315 server srv1 dyn1:80 minconn 100 maxconn 1000
2316 server srv2 dyn2:80 minconn 100 maxconn 1000
2317
2318 See also : "maxconn", "server"
2319
2320
2321grace <time>
2322 Maintain a proxy operational for some time after a soft stop
2323 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002324 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002325 Arguments :
2326 <time> is the time (by default in milliseconds) for which the instance
2327 will remain operational with the frontend sockets still listening
2328 when a soft-stop is received via the SIGUSR1 signal.
2329
2330 This may be used to ensure that the services disappear in a certain order.
2331 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002332 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002333 needed by the equipment to detect the failure.
2334
2335 Note that currently, there is very little benefit in using this parameter,
2336 and it may in fact complicate the soft-reconfiguration process more than
2337 simplify it.
2338
Willy Tarreau0ba27502007-12-24 16:55:16 +01002339
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002340hash-type <method>
2341 Specify a method to use for mapping hashes to servers
2342 May be used in sections : defaults | frontend | listen | backend
2343 yes | no | yes | yes
2344 Arguments :
2345 map-based the hash table is a static array containing all alive servers.
2346 The hashes will be very smooth, will consider weights, but will
2347 be static in that weight changes while a server is up will be
2348 ignored. This means that there will be no slow start. Also,
2349 since a server is selected by its position in the array, most
2350 mappings are changed when the server count changes. This means
2351 that when a server goes up or down, or when a server is added
2352 to a farm, most connections will be redistributed to different
2353 servers. This can be inconvenient with caches for instance.
2354
Willy Tarreau798a39c2010-11-24 15:04:29 +01002355 avalanche this mechanism uses the default map-based hashing described
2356 above but applies a full avalanche hash before performing the
2357 mapping. The result is a slightly less smooth hash for most
2358 situations, but the hash becomes better than pure map-based
2359 hashes when the number of servers is a multiple of the size of
2360 the input set. When using URI hash with a number of servers
2361 multiple of 64, it's desirable to change the hash type to
2362 this value.
2363
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002364 consistent the hash table is a tree filled with many occurrences of each
2365 server. The hash key is looked up in the tree and the closest
2366 server is chosen. This hash is dynamic, it supports changing
2367 weights while the servers are up, so it is compatible with the
2368 slow start feature. It has the advantage that when a server
2369 goes up or down, only its associations are moved. When a server
2370 is added to the farm, only a few part of the mappings are
2371 redistributed, making it an ideal algorithm for caches.
2372 However, due to its principle, the algorithm will never be very
2373 smooth and it may sometimes be necessary to adjust a server's
2374 weight or its ID to get a more balanced distribution. In order
2375 to get the same distribution on multiple load balancers, it is
2376 important that all servers have the same IDs.
2377
2378 The default hash type is "map-based" and is recommended for most usages.
2379
2380 See also : "balance", "server"
2381
2382
Willy Tarreau0ba27502007-12-24 16:55:16 +01002383http-check disable-on-404
2384 Enable a maintenance mode upon HTTP/404 response to health-checks
2385 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002386 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002387 Arguments : none
2388
2389 When this option is set, a server which returns an HTTP code 404 will be
2390 excluded from further load-balancing, but will still receive persistent
2391 connections. This provides a very convenient method for Web administrators
2392 to perform a graceful shutdown of their servers. It is also important to note
2393 that a server which is detected as failed while it was in this mode will not
2394 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2395 will immediately be reinserted into the farm. The status on the stats page
2396 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002397 option only works in conjunction with the "httpchk" option. If this option
2398 is used with "http-check expect", then it has precedence over it so that 404
2399 responses will still be considered as soft-stop.
2400
2401 See also : "option httpchk", "http-check expect"
2402
2403
2404http-check expect [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002405 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01002406 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02002407 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01002408 Arguments :
2409 <match> is a keyword indicating how to look for a specific pattern in the
2410 response. The keyword may be one of "status", "rstatus",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002411 "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01002412 exclamation mark ("!") to negate the match. Spaces are allowed
2413 between the exclamation mark and the keyword. See below for more
2414 details on the supported keywords.
2415
2416 <pattern> is the pattern to look for. It may be a string or a regular
2417 expression. If the pattern contains spaces, they must be escaped
2418 with the usual backslash ('\').
2419
2420 By default, "option httpchk" considers that response statuses 2xx and 3xx
2421 are valid, and that others are invalid. When "http-check expect" is used,
2422 it defines what is considered valid or invalid. Only one "http-check"
2423 statement is supported in a backend. If a server fails to respond or times
2424 out, the check obviously fails. The available matches are :
2425
2426 status <string> : test the exact string match for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002427 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002428 response's status code is exactly this string. If the
2429 "status" keyword is prefixed with "!", then the response
2430 will be considered invalid if the status code matches.
2431
2432 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002433 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002434 response's status code matches the expression. If the
2435 "rstatus" keyword is prefixed with "!", then the response
2436 will be considered invalid if the status code matches.
2437 This is mostly used to check for multiple codes.
2438
2439 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002440 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002441 response's body contains this exact string. If the
2442 "string" keyword is prefixed with "!", then the response
2443 will be considered invalid if the body contains this
2444 string. This can be used to look for a mandatory word at
2445 the end of a dynamic page, or to detect a failure when a
2446 specific error appears on the check page (eg: a stack
2447 trace).
2448
2449 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002450 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002451 response's body matches this expression. If the "rstring"
2452 keyword is prefixed with "!", then the response will be
2453 considered invalid if the body matches the expression.
2454 This can be used to look for a mandatory word at the end
2455 of a dynamic page, or to detect a failure when a specific
2456 error appears on the check page (eg: a stack trace).
2457
2458 It is important to note that the responses will be limited to a certain size
2459 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2460 Thus, too large responses may not contain the mandatory pattern when using
2461 "string" or "rstring". If a large response is absolutely required, it is
2462 possible to change the default max size by setting the global variable.
2463 However, it is worth keeping in mind that parsing very large responses can
2464 waste some CPU cycles, especially when regular expressions are used, and that
2465 it is always better to focus the checks on smaller resources.
2466
2467 Last, if "http-check expect" is combined with "http-check disable-on-404",
2468 then this last one has precedence when the server responds with 404.
2469
2470 Examples :
2471 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002472 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01002473
2474 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002475 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01002476
2477 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002478 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01002479
2480 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002481 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002482
Willy Tarreaubd741542010-03-16 18:46:54 +01002483 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002484
2485
Willy Tarreauef781042010-01-27 11:53:01 +01002486http-check send-state
2487 Enable emission of a state header with HTTP health checks
2488 May be used in sections : defaults | frontend | listen | backend
2489 yes | no | yes | yes
2490 Arguments : none
2491
2492 When this option is set, haproxy will systematically send a special header
2493 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2494 how they are seen by haproxy. This can be used for instance when a server is
2495 manipulated without access to haproxy and the operator needs to know whether
2496 haproxy still sees it up or not, or if the server is the last one in a farm.
2497
2498 The header is composed of fields delimited by semi-colons, the first of which
2499 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2500 checks on the total number before transition, just as appears in the stats
2501 interface. Next headers are in the form "<variable>=<value>", indicating in
2502 no specific order some values available in the stats interface :
2503 - a variable "name", containing the name of the backend followed by a slash
2504 ("/") then the name of the server. This can be used when a server is
2505 checked in multiple backends.
2506
2507 - a variable "node" containing the name of the haproxy node, as set in the
2508 global "node" variable, otherwise the system's hostname if unspecified.
2509
2510 - a variable "weight" indicating the weight of the server, a slash ("/")
2511 and the total weight of the farm (just counting usable servers). This
2512 helps to know if other servers are available to handle the load when this
2513 one fails.
2514
2515 - a variable "scur" indicating the current number of concurrent connections
2516 on the server, followed by a slash ("/") then the total number of
2517 connections on all servers of the same backend.
2518
2519 - a variable "qcur" indicating the current number of requests in the
2520 server's queue.
2521
2522 Example of a header received by the application server :
2523 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2524 scur=13/22; qcur=0
2525
2526 See also : "option httpchk", "http-check disable-on-404"
2527
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002528http-request { allow | deny | auth [realm <realm>] }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002529 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002530 Access control for Layer 7 requests
2531
2532 May be used in sections: defaults | frontend | listen | backend
2533 no | yes | yes | yes
2534
2535 These set of options allow to fine control access to a
2536 frontend/listen/backend. Each option may be followed by if/unless and acl.
2537 First option with matched condition (or option without condition) is final.
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002538 For "deny" a 403 error will be returned, for "allow" normal processing is
2539 performed, for "auth" a 401/407 error code is returned so the client
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002540 should be asked to enter a username and password.
2541
2542 There is no fixed limit to the number of http-request statements per
2543 instance.
2544
2545 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002546 acl nagios src 192.168.129.3
2547 acl local_net src 192.168.0.0/16
2548 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002549
Cyril Bonté78caf842010-03-10 22:41:43 +01002550 http-request allow if nagios
2551 http-request allow if local_net auth_ok
2552 http-request auth realm Gimme if local_net auth_ok
2553 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002554
Cyril Bonté78caf842010-03-10 22:41:43 +01002555 Example:
2556 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002557
Cyril Bonté78caf842010-03-10 22:41:43 +01002558 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002559
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002560 See also : "stats http-request", section 3.4 about userlists and section 7
2561 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002562
Mark Lamourinec2247f02012-01-04 13:02:01 -05002563http-send-name-header [<header>]
2564 Add the server name to a request. Use the header string given by <header>
2565
2566 May be used in sections: defaults | frontend | listen | backend
2567 yes | no | yes | yes
2568
2569 Arguments :
2570
2571 <header> The header string to use to send the server name
2572
2573 The "http-send-name-header" statement causes the name of the target
2574 server to be added to the headers of an HTTP request. The name
2575 is added with the header string proved.
2576
2577 See also : "server"
2578
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002579id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002580 Set a persistent ID to a proxy.
2581 May be used in sections : defaults | frontend | listen | backend
2582 no | yes | yes | yes
2583 Arguments : none
2584
2585 Set a persistent ID for the proxy. This ID must be unique and positive.
2586 An unused ID will automatically be assigned if unset. The first assigned
2587 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002588
2589
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002590ignore-persist { if | unless } <condition>
2591 Declare a condition to ignore persistence
2592 May be used in sections: defaults | frontend | listen | backend
2593 no | yes | yes | yes
2594
2595 By default, when cookie persistence is enabled, every requests containing
2596 the cookie are unconditionally persistent (assuming the target server is up
2597 and running).
2598
2599 The "ignore-persist" statement allows one to declare various ACL-based
2600 conditions which, when met, will cause a request to ignore persistence.
2601 This is sometimes useful to load balance requests for static files, which
2602 oftenly don't require persistence. This can also be used to fully disable
2603 persistence for a specific User-Agent (for example, some web crawler bots).
2604
2605 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2606 the appsession table won't grow if persistence is ignored.
2607
2608 The persistence is ignored when an "if" condition is met, or unless an
2609 "unless" condition is met.
2610
2611 See also : "force-persist", "cookie", and section 7 about ACL usage.
2612
2613
Willy Tarreau2769aa02007-12-27 18:26:09 +01002614log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002615log <address> <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02002616no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01002617 Enable per-instance logging of events and traffic.
2618 May be used in sections : defaults | frontend | listen | backend
2619 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02002620
2621 Prefix :
2622 no should be used when the logger list must be flushed. For example,
2623 if you don't want to inherit from the default logger list. This
2624 prefix does not allow arguments.
2625
Willy Tarreau2769aa02007-12-27 18:26:09 +01002626 Arguments :
2627 global should be used when the instance's logging parameters are the
2628 same as the global ones. This is the most common usage. "global"
2629 replaces <address>, <facility> and <level> with those of the log
2630 entries found in the "global" section. Only one "log global"
2631 statement may be used per instance, and this form takes no other
2632 parameter.
2633
2634 <address> indicates where to send the logs. It takes the same format as
2635 for the "global" section's logs, and can be one of :
2636
2637 - An IPv4 address optionally followed by a colon (':') and a UDP
2638 port. If no port is specified, 514 is used by default (the
2639 standard syslog port).
2640
David du Colombier24bb5f52011-03-17 10:40:23 +01002641 - An IPv6 address followed by a colon (':') and optionally a UDP
2642 port. If no port is specified, 514 is used by default (the
2643 standard syslog port).
2644
Willy Tarreau2769aa02007-12-27 18:26:09 +01002645 - A filesystem path to a UNIX domain socket, keeping in mind
2646 considerations for chroot (be sure the path is accessible
2647 inside the chroot) and uid/gid (be sure the path is
2648 appropriately writeable).
2649
2650 <facility> must be one of the 24 standard syslog facilities :
2651
2652 kern user mail daemon auth syslog lpr news
2653 uucp cron auth2 ftp ntp audit alert cron2
2654 local0 local1 local2 local3 local4 local5 local6 local7
2655
2656 <level> is optional and can be specified to filter outgoing messages. By
2657 default, all messages are sent. If a level is specified, only
2658 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002659 will be sent. An optional minimum level can be specified. If it
2660 is set, logs emitted with a more severe level than this one will
2661 be capped to this level. This is used to avoid sending "emerg"
2662 messages on all terminals on some default syslog configurations.
2663 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002664
2665 emerg alert crit err warning notice info debug
2666
William Lallemand0f99e342011-10-12 17:50:54 +02002667 It is important to keep in mind that it is the frontend which decides what to
2668 log from a connection, and that in case of content switching, the log entries
2669 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002670
2671 However, backend log declaration define how and where servers status changes
2672 will be logged. Level "notice" will be used to indicate a server going up,
2673 "warning" will be used for termination signals and definitive service
2674 termination, and "alert" will be used for when a server goes down.
2675
2676 Note : According to RFC3164, messages are truncated to 1024 bytes before
2677 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002678
2679 Example :
2680 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002681 log 127.0.0.1:514 local0 notice # only send important events
2682 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002683
William Lallemand48940402012-01-30 16:47:22 +01002684log-format <string>
2685 Allows you to custom a log line.
2686
2687 See also : Custom Log Format (8.2.4)
2688
Willy Tarreau2769aa02007-12-27 18:26:09 +01002689
2690maxconn <conns>
2691 Fix the maximum number of concurrent connections on a frontend
2692 May be used in sections : defaults | frontend | listen | backend
2693 yes | yes | yes | no
2694 Arguments :
2695 <conns> is the maximum number of concurrent connections the frontend will
2696 accept to serve. Excess connections will be queued by the system
2697 in the socket's listen queue and will be served once a connection
2698 closes.
2699
2700 If the system supports it, it can be useful on big sites to raise this limit
2701 very high so that haproxy manages connection queues, instead of leaving the
2702 clients with unanswered connection attempts. This value should not exceed the
2703 global maxconn. Also, keep in mind that a connection contains two buffers
2704 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2705 consumed per established connection. That means that a medium system equipped
2706 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2707 properly tuned.
2708
2709 Also, when <conns> is set to large values, it is possible that the servers
2710 are not sized to accept such loads, and for this reason it is generally wise
2711 to assign them some reasonable connection limits.
2712
Vincent Bernat6341be52012-06-27 17:18:30 +02002713 By default, this value is set to 2000.
2714
Willy Tarreau2769aa02007-12-27 18:26:09 +01002715 See also : "server", global section's "maxconn", "fullconn"
2716
2717
2718mode { tcp|http|health }
2719 Set the running mode or protocol of the instance
2720 May be used in sections : defaults | frontend | listen | backend
2721 yes | yes | yes | yes
2722 Arguments :
2723 tcp The instance will work in pure TCP mode. A full-duplex connection
2724 will be established between clients and servers, and no layer 7
2725 examination will be performed. This is the default mode. It
2726 should be used for SSL, SSH, SMTP, ...
2727
2728 http The instance will work in HTTP mode. The client request will be
2729 analyzed in depth before connecting to any server. Any request
2730 which is not RFC-compliant will be rejected. Layer 7 filtering,
2731 processing and switching will be possible. This is the mode which
2732 brings HAProxy most of its value.
2733
2734 health The instance will work in "health" mode. It will just reply "OK"
2735 to incoming connections and close the connection. Nothing will be
2736 logged. This mode is used to reply to external components health
2737 checks. This mode is deprecated and should not be used anymore as
2738 it is possible to do the same and even better by combining TCP or
2739 HTTP modes with the "monitor" keyword.
2740
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002741 When doing content switching, it is mandatory that the frontend and the
2742 backend are in the same mode (generally HTTP), otherwise the configuration
2743 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002744
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002745 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002746 defaults http_instances
2747 mode http
2748
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002749 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002750
Willy Tarreau0ba27502007-12-24 16:55:16 +01002751
Cyril Bontéf0c60612010-02-06 14:44:47 +01002752monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002753 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002754 May be used in sections : defaults | frontend | listen | backend
2755 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002756 Arguments :
2757 if <cond> the monitor request will fail if the condition is satisfied,
2758 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002759 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002760 are met, for instance a low number of servers both in a
2761 backend and its backup.
2762
2763 unless <cond> the monitor request will succeed only if the condition is
2764 satisfied, and will fail otherwise. Such a condition may be
2765 based on a test on the presence of a minimum number of active
2766 servers in a list of backends.
2767
2768 This statement adds a condition which can force the response to a monitor
2769 request to report a failure. By default, when an external component queries
2770 the URI dedicated to monitoring, a 200 response is returned. When one of the
2771 conditions above is met, haproxy will return 503 instead of 200. This is
2772 very useful to report a site failure to an external component which may base
2773 routing advertisements between multiple sites on the availability reported by
2774 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002775 criterion. Note that "monitor fail" only works in HTTP mode. Both status
2776 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002777
2778 Example:
2779 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002780 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002781 acl site_dead nbsrv(dynamic) lt 2
2782 acl site_dead nbsrv(static) lt 2
2783 monitor-uri /site_alive
2784 monitor fail if site_dead
2785
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002786 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002787
2788
2789monitor-net <source>
2790 Declare a source network which is limited to monitor requests
2791 May be used in sections : defaults | frontend | listen | backend
2792 yes | yes | yes | no
2793 Arguments :
2794 <source> is the source IPv4 address or network which will only be able to
2795 get monitor responses to any request. It can be either an IPv4
2796 address, a host name, or an address followed by a slash ('/')
2797 followed by a mask.
2798
2799 In TCP mode, any connection coming from a source matching <source> will cause
2800 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002801 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002802 forwarding the connection to a remote server.
2803
2804 In HTTP mode, a connection coming from a source matching <source> will be
2805 accepted, the following response will be sent without waiting for a request,
2806 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2807 enough for any front-end HTTP probe to detect that the service is UP and
2808 running without forwarding the request to a backend server.
2809
2810 Monitor requests are processed very early. It is not possible to block nor
2811 divert them using ACLs. They cannot be logged either, and it is the intended
2812 purpose. They are only used to report HAProxy's health to an upper component,
2813 nothing more. Right now, it is not possible to set failure conditions on
2814 requests caught by "monitor-net".
2815
Willy Tarreau95cd2832010-03-04 23:36:33 +01002816 Last, please note that only one "monitor-net" statement can be specified in
2817 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002818
Willy Tarreau2769aa02007-12-27 18:26:09 +01002819 Example :
2820 # addresses .252 and .253 are just probing us.
2821 frontend www
2822 monitor-net 192.168.0.252/31
2823
2824 See also : "monitor fail", "monitor-uri"
2825
2826
2827monitor-uri <uri>
2828 Intercept a URI used by external components' monitor requests
2829 May be used in sections : defaults | frontend | listen | backend
2830 yes | yes | yes | no
2831 Arguments :
2832 <uri> is the exact URI which we want to intercept to return HAProxy's
2833 health status instead of forwarding the request.
2834
2835 When an HTTP request referencing <uri> will be received on a frontend,
2836 HAProxy will not forward it nor log it, but instead will return either
2837 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2838 conditions defined with "monitor fail". This is normally enough for any
2839 front-end HTTP probe to detect that the service is UP and running without
2840 forwarding the request to a backend server. Note that the HTTP method, the
2841 version and all headers are ignored, but the request must at least be valid
2842 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2843
2844 Monitor requests are processed very early. It is not possible to block nor
2845 divert them using ACLs. They cannot be logged either, and it is the intended
2846 purpose. They are only used to report HAProxy's health to an upper component,
2847 nothing more. However, it is possible to add any number of conditions using
2848 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2849 can be imagined (most often the number of available servers in a backend).
2850
2851 Example :
2852 # Use /haproxy_test to report haproxy's status
2853 frontend www
2854 mode http
2855 monitor-uri /haproxy_test
2856
2857 See also : "monitor fail", "monitor-net"
2858
Willy Tarreau0ba27502007-12-24 16:55:16 +01002859
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002860option abortonclose
2861no option abortonclose
2862 Enable or disable early dropping of aborted requests pending in queues.
2863 May be used in sections : defaults | frontend | listen | backend
2864 yes | no | yes | yes
2865 Arguments : none
2866
2867 In presence of very high loads, the servers will take some time to respond.
2868 The per-instance connection queue will inflate, and the response time will
2869 increase respective to the size of the queue times the average per-session
2870 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002871 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002872 the queue, and slowing down other users, and the servers as well, because the
2873 request will eventually be served, then aborted at the first error
2874 encountered while delivering the response.
2875
2876 As there is no way to distinguish between a full STOP and a simple output
2877 close on the client side, HTTP agents should be conservative and consider
2878 that the client might only have closed its output channel while waiting for
2879 the response. However, this introduces risks of congestion when lots of users
2880 do the same, and is completely useless nowadays because probably no client at
2881 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002882 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002883 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002884 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002885 of being the single component to break rare but valid traffic is extremely
2886 low, which adds to the temptation to be able to abort a session early while
2887 still not served and not pollute the servers.
2888
2889 In HAProxy, the user can choose the desired behaviour using the option
2890 "abortonclose". By default (without the option) the behaviour is HTTP
2891 compliant and aborted requests will be served. But when the option is
2892 specified, a session with an incoming channel closed will be aborted while
2893 it is still possible, either pending in the queue for a connection slot, or
2894 during the connection establishment if the server has not yet acknowledged
2895 the connection request. This considerably reduces the queue size and the load
2896 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002897 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002898
2899 If this option has been enabled in a "defaults" section, it can be disabled
2900 in a specific instance by prepending the "no" keyword before it.
2901
2902 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2903
2904
Willy Tarreau4076a152009-04-02 15:18:36 +02002905option accept-invalid-http-request
2906no option accept-invalid-http-request
2907 Enable or disable relaxing of HTTP request parsing
2908 May be used in sections : defaults | frontend | listen | backend
2909 yes | yes | yes | no
2910 Arguments : none
2911
2912 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2913 means that invalid characters in header names are not permitted and cause an
2914 error to be returned to the client. This is the desired behaviour as such
2915 forbidden characters are essentially used to build attacks exploiting server
2916 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2917 server will emit invalid header names for whatever reason (configuration,
2918 implementation) and the issue will not be immediately fixed. In such a case,
2919 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01002920 even if that does not make sense, by specifying this option. Similarly, the
2921 list of characters allowed to appear in a URI is well defined by RFC3986, and
2922 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
2923 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
2924 not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
2925 remaining ones are blocked by default unless this option is enabled.
Willy Tarreau4076a152009-04-02 15:18:36 +02002926
2927 This option should never be enabled by default as it hides application bugs
2928 and open security breaches. It should only be deployed after a problem has
2929 been confirmed.
2930
2931 When this option is enabled, erroneous header names will still be accepted in
2932 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01002933 analysis using the "show errors" request on the UNIX stats socket. Similarly,
2934 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02002935 also helps confirming that the issue has been solved.
2936
2937 If this option has been enabled in a "defaults" section, it can be disabled
2938 in a specific instance by prepending the "no" keyword before it.
2939
2940 See also : "option accept-invalid-http-response" and "show errors" on the
2941 stats socket.
2942
2943
2944option accept-invalid-http-response
2945no option accept-invalid-http-response
2946 Enable or disable relaxing of HTTP response parsing
2947 May be used in sections : defaults | frontend | listen | backend
2948 yes | no | yes | yes
2949 Arguments : none
2950
2951 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2952 means that invalid characters in header names are not permitted and cause an
2953 error to be returned to the client. This is the desired behaviour as such
2954 forbidden characters are essentially used to build attacks exploiting server
2955 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2956 server will emit invalid header names for whatever reason (configuration,
2957 implementation) and the issue will not be immediately fixed. In such a case,
2958 it is possible to relax HAProxy's header name parser to accept any character
2959 even if that does not make sense, by specifying this option.
2960
2961 This option should never be enabled by default as it hides application bugs
2962 and open security breaches. It should only be deployed after a problem has
2963 been confirmed.
2964
2965 When this option is enabled, erroneous header names will still be accepted in
2966 responses, but the complete response will be captured in order to permit
2967 later analysis using the "show errors" request on the UNIX stats socket.
2968 Doing this also helps confirming that the issue has been solved.
2969
2970 If this option has been enabled in a "defaults" section, it can be disabled
2971 in a specific instance by prepending the "no" keyword before it.
2972
2973 See also : "option accept-invalid-http-request" and "show errors" on the
2974 stats socket.
2975
2976
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002977option allbackups
2978no option allbackups
2979 Use either all backup servers at a time or only the first one
2980 May be used in sections : defaults | frontend | listen | backend
2981 yes | no | yes | yes
2982 Arguments : none
2983
2984 By default, the first operational backup server gets all traffic when normal
2985 servers are all down. Sometimes, it may be preferred to use multiple backups
2986 at once, because one will not be enough. When "option allbackups" is enabled,
2987 the load balancing will be performed among all backup servers when all normal
2988 ones are unavailable. The same load balancing algorithm will be used and the
2989 servers' weights will be respected. Thus, there will not be any priority
2990 order between the backup servers anymore.
2991
2992 This option is mostly used with static server farms dedicated to return a
2993 "sorry" page when an application is completely offline.
2994
2995 If this option has been enabled in a "defaults" section, it can be disabled
2996 in a specific instance by prepending the "no" keyword before it.
2997
2998
2999option checkcache
3000no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003001 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003002 May be used in sections : defaults | frontend | listen | backend
3003 yes | no | yes | yes
3004 Arguments : none
3005
3006 Some high-level frameworks set application cookies everywhere and do not
3007 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003008 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003009 high risk of session crossing or stealing between users traversing the same
3010 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02003011 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003012
3013 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003014 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01003015 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003016 response to check if there's a risk of caching a cookie on a client-side
3017 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01003018 to the client are :
3019 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003020 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01003021 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003022 - all those that come from a POST request, provided that the server has not
3023 set a 'Cache-Control: public' header ;
3024 - those with a 'Pragma: no-cache' header
3025 - those with a 'Cache-control: private' header
3026 - those with a 'Cache-control: no-store' header
3027 - those with a 'Cache-control: max-age=0' header
3028 - those with a 'Cache-control: s-maxage=0' header
3029 - those with a 'Cache-control: no-cache' header
3030 - those with a 'Cache-control: no-cache="set-cookie"' header
3031 - those with a 'Cache-control: no-cache="set-cookie,' header
3032 (allowing other fields after set-cookie)
3033
3034 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01003035 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003036 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003037 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003038 that admins are informed that there's something to be fixed.
3039
3040 Due to the high impact on the application, the application should be tested
3041 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003042 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003043 production, as it will report potentially dangerous application behaviours.
3044
3045 If this option has been enabled in a "defaults" section, it can be disabled
3046 in a specific instance by prepending the "no" keyword before it.
3047
3048
3049option clitcpka
3050no option clitcpka
3051 Enable or disable the sending of TCP keepalive packets on the client side
3052 May be used in sections : defaults | frontend | listen | backend
3053 yes | yes | yes | no
3054 Arguments : none
3055
3056 When there is a firewall or any session-aware component between a client and
3057 a server, and when the protocol involves very long sessions with long idle
3058 periods (eg: remote desktops), there is a risk that one of the intermediate
3059 components decides to expire a session which has remained idle for too long.
3060
3061 Enabling socket-level TCP keep-alives makes the system regularly send packets
3062 to the other end of the connection, leaving it active. The delay between
3063 keep-alive probes is controlled by the system only and depends both on the
3064 operating system and its tuning parameters.
3065
3066 It is important to understand that keep-alive packets are neither emitted nor
3067 received at the application level. It is only the network stacks which sees
3068 them. For this reason, even if one side of the proxy already uses keep-alives
3069 to maintain its connection alive, those keep-alive packets will not be
3070 forwarded to the other side of the proxy.
3071
3072 Please note that this has nothing to do with HTTP keep-alive.
3073
3074 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
3075 client side of a connection, which should help when session expirations are
3076 noticed between HAProxy and a client.
3077
3078 If this option has been enabled in a "defaults" section, it can be disabled
3079 in a specific instance by prepending the "no" keyword before it.
3080
3081 See also : "option srvtcpka", "option tcpka"
3082
3083
Willy Tarreau0ba27502007-12-24 16:55:16 +01003084option contstats
3085 Enable continuous traffic statistics updates
3086 May be used in sections : defaults | frontend | listen | backend
3087 yes | yes | yes | no
3088 Arguments : none
3089
3090 By default, counters used for statistics calculation are incremented
3091 only when a session finishes. It works quite well when serving small
3092 objects, but with big ones (for example large images or archives) or
3093 with A/V streaming, a graph generated from haproxy counters looks like
3094 a hedgehog. With this option enabled counters get incremented continuously,
3095 during a whole session. Recounting touches a hotpath directly so
3096 it is not enabled by default, as it has small performance impact (~0.5%).
3097
3098
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003099option dontlog-normal
3100no option dontlog-normal
3101 Enable or disable logging of normal, successful connections
3102 May be used in sections : defaults | frontend | listen | backend
3103 yes | yes | yes | no
3104 Arguments : none
3105
3106 There are large sites dealing with several thousand connections per second
3107 and for which logging is a major pain. Some of them are even forced to turn
3108 logs off and cannot debug production issues. Setting this option ensures that
3109 normal connections, those which experience no error, no timeout, no retry nor
3110 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
3111 mode, the response status code is checked and return codes 5xx will still be
3112 logged.
3113
3114 It is strongly discouraged to use this option as most of the time, the key to
3115 complex issues is in the normal logs which will not be logged here. If you
3116 need to separate logs, see the "log-separate-errors" option instead.
3117
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003118 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003119 logging.
3120
3121
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003122option dontlognull
3123no option dontlognull
3124 Enable or disable logging of null connections
3125 May be used in sections : defaults | frontend | listen | backend
3126 yes | yes | yes | no
3127 Arguments : none
3128
3129 In certain environments, there are components which will regularly connect to
3130 various systems to ensure that they are still alive. It can be the case from
3131 another load balancer as well as from monitoring systems. By default, even a
3132 simple port probe or scan will produce a log. If those connections pollute
3133 the logs too much, it is possible to enable option "dontlognull" to indicate
3134 that a connection on which no data has been transferred will not be logged,
3135 which typically corresponds to those probes.
3136
3137 It is generally recommended not to use this option in uncontrolled
3138 environments (eg: internet), otherwise scans and other malicious activities
3139 would not be logged.
3140
3141 If this option has been enabled in a "defaults" section, it can be disabled
3142 in a specific instance by prepending the "no" keyword before it.
3143
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003144 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003145
3146
3147option forceclose
3148no option forceclose
3149 Enable or disable active connection closing after response is transferred.
3150 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01003151 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003152 Arguments : none
3153
3154 Some HTTP servers do not necessarily close the connections when they receive
3155 the "Connection: close" set by "option httpclose", and if the client does not
3156 close either, then the connection remains open till the timeout expires. This
3157 causes high number of simultaneous connections on the servers and shows high
3158 global session times in the logs.
3159
3160 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01003161 actively close the outgoing server channel as soon as the server has finished
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003162 to respond. This option implicitly enables the "httpclose" option. Note that
3163 this option also enables the parsing of the full request and response, which
3164 means we can close the connection to the server very quickly, releasing some
3165 resources earlier than with httpclose.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003166
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003167 This option may also be combined with "option http-pretend-keepalive", which
3168 will disable sending of the "Connection: close" header, but will still cause
3169 the connection to be closed once the whole response is received.
3170
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003171 If this option has been enabled in a "defaults" section, it can be disabled
3172 in a specific instance by prepending the "no" keyword before it.
3173
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003174 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003175
3176
Willy Tarreau87cf5142011-08-19 22:57:24 +02003177option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003178 Enable insertion of the X-Forwarded-For header to requests sent to servers
3179 May be used in sections : defaults | frontend | listen | backend
3180 yes | yes | yes | yes
3181 Arguments :
3182 <network> is an optional argument used to disable this option for sources
3183 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02003184 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01003185 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003186
3187 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
3188 their client address. This is sometimes annoying when the client's IP address
3189 is expected in server logs. To solve this problem, the well-known HTTP header
3190 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
3191 This header contains a value representing the client's IP address. Since this
3192 header is always appended at the end of the existing header list, the server
3193 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02003194 the server's manual to find how to enable use of this standard header. Note
3195 that only the last occurrence of the header must be used, since it is really
3196 possible that the client has already brought one.
3197
Willy Tarreaud72758d2010-01-12 10:42:19 +01003198 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02003199 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01003200 have a "X-Forwarded-For" header from a different application (eg: stunnel),
3201 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02003202 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
3203 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01003204
3205 Sometimes, a same HAProxy instance may be shared between a direct client
3206 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3207 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3208 header for a known source address or network by adding the "except" keyword
3209 followed by the network address. In this case, any source IP matching the
3210 network will not cause an addition of this header. Most common uses are with
3211 private networks or 127.0.0.1.
3212
Willy Tarreau87cf5142011-08-19 22:57:24 +02003213 Alternatively, the keyword "if-none" states that the header will only be
3214 added if it is not present. This should only be used in perfectly trusted
3215 environment, as this might cause a security issue if headers reaching haproxy
3216 are under the control of the end-user.
3217
Willy Tarreauc27debf2008-01-06 08:57:02 +01003218 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02003219 least one of them uses it, the header will be added. Note that the backend's
3220 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02003221 both are defined. In the case of the "if-none" argument, if at least one of
3222 the frontend or the backend does not specify it, it wants the addition to be
3223 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003224
Willy Tarreau87cf5142011-08-19 22:57:24 +02003225 It is important to note that by default, HAProxy works in tunnel mode and
3226 only inspects the first request of a connection, meaning that only the first
3227 request will have the header appended, which is certainly not what you want.
3228 In order to fix this, ensure that any of the "httpclose", "forceclose" or
3229 "http-server-close" options is set when using this option.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003230
Ross Westaf72a1d2008-08-03 10:51:45 +02003231 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01003232 # Public HTTP address also used by stunnel on the same machine
3233 frontend www
3234 mode http
3235 option forwardfor except 127.0.0.1 # stunnel already adds the header
3236
Ross Westaf72a1d2008-08-03 10:51:45 +02003237 # Those servers want the IP Address in X-Client
3238 backend www
3239 mode http
3240 option forwardfor header X-Client
3241
Willy Tarreau87cf5142011-08-19 22:57:24 +02003242 See also : "option httpclose", "option http-server-close",
3243 "option forceclose"
Willy Tarreauc27debf2008-01-06 08:57:02 +01003244
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003245
Willy Tarreau96e31212011-05-30 18:10:30 +02003246option http-no-delay
3247no option http-no-delay
3248 Instruct the system to favor low interactive delays over performance in HTTP
3249 May be used in sections : defaults | frontend | listen | backend
3250 yes | yes | yes | yes
3251 Arguments : none
3252
3253 In HTTP, each payload is unidirectional and has no notion of interactivity.
3254 Any agent is expected to queue data somewhat for a reasonably low delay.
3255 There are some very rare server-to-server applications that abuse the HTTP
3256 protocol and expect the payload phase to be highly interactive, with many
3257 interleaved data chunks in both directions within a single request. This is
3258 absolutely not supported by the HTTP specification and will not work across
3259 most proxies or servers. When such applications attempt to do this through
3260 haproxy, it works but they will experience high delays due to the network
3261 optimizations which favor performance by instructing the system to wait for
3262 enough data to be available in order to only send full packets. Typical
3263 delays are around 200 ms per round trip. Note that this only happens with
3264 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
3265 affected.
3266
3267 When "option http-no-delay" is present in either the frontend or the backend
3268 used by a connection, all such optimizations will be disabled in order to
3269 make the exchanges as fast as possible. Of course this offers no guarantee on
3270 the functionality, as it may break at any other place. But if it works via
3271 HAProxy, it will work as fast as possible. This option should never be used
3272 by default, and should never be used at all unless such a buggy application
3273 is discovered. The impact of using this option is an increase of bandwidth
3274 usage and CPU usage, which may significantly lower performance in high
3275 latency environments.
3276
3277
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003278option http-pretend-keepalive
3279no option http-pretend-keepalive
3280 Define whether haproxy will announce keepalive to the server or not
3281 May be used in sections : defaults | frontend | listen | backend
3282 yes | yes | yes | yes
3283 Arguments : none
3284
3285 When running with "option http-server-close" or "option forceclose", haproxy
3286 adds a "Connection: close" header to the request forwarded to the server.
3287 Unfortunately, when some servers see this header, they automatically refrain
3288 from using the chunked encoding for responses of unknown length, while this
3289 is totally unrelated. The immediate effect is that this prevents haproxy from
3290 maintaining the client connection alive. A second effect is that a client or
3291 a cache could receive an incomplete response without being aware of it, and
3292 consider the response complete.
3293
3294 By setting "option http-pretend-keepalive", haproxy will make the server
3295 believe it will keep the connection alive. The server will then not fall back
3296 to the abnormal undesired above. When haproxy gets the whole response, it
3297 will close the connection with the server just as it would do with the
3298 "forceclose" option. That way the client gets a normal response and the
3299 connection is correctly closed on the server side.
3300
3301 It is recommended not to enable this option by default, because most servers
3302 will more efficiently close the connection themselves after the last packet,
3303 and release its buffers slightly earlier. Also, the added packet on the
3304 network could slightly reduce the overall peak performance. However it is
3305 worth noting that when this option is enabled, haproxy will have slightly
3306 less work to do. So if haproxy is the bottleneck on the whole architecture,
3307 enabling this option might save a few CPU cycles.
3308
3309 This option may be set both in a frontend and in a backend. It is enabled if
3310 at least one of the frontend or backend holding a connection has it enabled.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003311 This option may be combined with "option httpclose", which will cause
Willy Tarreau22a95342010-09-29 14:31:41 +02003312 keepalive to be announced to the server and close to be announced to the
3313 client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003314
3315 If this option has been enabled in a "defaults" section, it can be disabled
3316 in a specific instance by prepending the "no" keyword before it.
3317
3318 See also : "option forceclose" and "option http-server-close"
3319
Willy Tarreauc27debf2008-01-06 08:57:02 +01003320
Willy Tarreaub608feb2010-01-02 22:47:18 +01003321option http-server-close
3322no option http-server-close
3323 Enable or disable HTTP connection closing on the server side
3324 May be used in sections : defaults | frontend | listen | backend
3325 yes | yes | yes | yes
3326 Arguments : none
3327
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003328 By default, when a client communicates with a server, HAProxy will only
3329 analyze, log, and process the first request of each connection. Setting
3330 "option http-server-close" enables HTTP connection-close mode on the server
3331 side while keeping the ability to support HTTP keep-alive and pipelining on
3332 the client side. This provides the lowest latency on the client side (slow
3333 network) and the fastest session reuse on the server side to save server
3334 resources, similarly to "option forceclose". It also permits non-keepalive
3335 capable servers to be served in keep-alive mode to the clients if they
3336 conform to the requirements of RFC2616. Please note that some servers do not
3337 always conform to those requirements when they see "Connection: close" in the
3338 request. The effect will be that keep-alive will never be used. A workaround
3339 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003340
3341 At the moment, logs will not indicate whether requests came from the same
3342 session or not. The accept date reported in the logs corresponds to the end
3343 of the previous request, and the request time corresponds to the time spent
3344 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01003345 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
3346 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01003347
3348 This option may be set both in a frontend and in a backend. It is enabled if
3349 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003350 It is worth noting that "option forceclose" has precedence over "option
3351 http-server-close" and that combining "http-server-close" with "httpclose"
3352 basically achieve the same result as "forceclose".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003353
3354 If this option has been enabled in a "defaults" section, it can be disabled
3355 in a specific instance by prepending the "no" keyword before it.
3356
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003357 See also : "option forceclose", "option http-pretend-keepalive",
3358 "option httpclose" and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003359
3360
Willy Tarreau88d349d2010-01-25 12:15:43 +01003361option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01003362no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01003363 Make use of non-standard Proxy-Connection header instead of Connection
3364 May be used in sections : defaults | frontend | listen | backend
3365 yes | yes | yes | no
3366 Arguments : none
3367
3368 While RFC2616 explicitly states that HTTP/1.1 agents must use the
3369 Connection header to indicate their wish of persistent or non-persistent
3370 connections, both browsers and proxies ignore this header for proxied
3371 connections and make use of the undocumented, non-standard Proxy-Connection
3372 header instead. The issue begins when trying to put a load balancer between
3373 browsers and such proxies, because there will be a difference between what
3374 haproxy understands and what the client and the proxy agree on.
3375
3376 By setting this option in a frontend, haproxy can automatically switch to use
3377 that non-standard header if it sees proxied requests. A proxied request is
3378 defined here as one where the URI begins with neither a '/' nor a '*'. The
3379 choice of header only affects requests passing through proxies making use of
3380 one of the "httpclose", "forceclose" and "http-server-close" options. Note
3381 that this option can only be specified in a frontend and will affect the
3382 request along its whole life.
3383
Willy Tarreau844a7e72010-01-31 21:46:18 +01003384 Also, when this option is set, a request which requires authentication will
3385 automatically switch to use proxy authentication headers if it is itself a
3386 proxied request. That makes it possible to check or enforce authentication in
3387 front of an existing proxy.
3388
Willy Tarreau88d349d2010-01-25 12:15:43 +01003389 This option should normally never be used, except in front of a proxy.
3390
3391 See also : "option httpclose", "option forceclose" and "option
3392 http-server-close".
3393
3394
Willy Tarreaud63335a2010-02-26 12:56:52 +01003395option httpchk
3396option httpchk <uri>
3397option httpchk <method> <uri>
3398option httpchk <method> <uri> <version>
3399 Enable HTTP protocol to check on the servers health
3400 May be used in sections : defaults | frontend | listen | backend
3401 yes | no | yes | yes
3402 Arguments :
3403 <method> is the optional HTTP method used with the requests. When not set,
3404 the "OPTIONS" method is used, as it generally requires low server
3405 processing and is easy to filter out from the logs. Any method
3406 may be used, though it is not recommended to invent non-standard
3407 ones.
3408
3409 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
3410 which is accessible by default on almost any server, but may be
3411 changed to any other URI. Query strings are permitted.
3412
3413 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
3414 but some servers might behave incorrectly in HTTP 1.0, so turning
3415 it to HTTP/1.1 may sometimes help. Note that the Host field is
3416 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
3417 after "\r\n" following the version string.
3418
3419 By default, server health checks only consist in trying to establish a TCP
3420 connection. When "option httpchk" is specified, a complete HTTP request is
3421 sent once the TCP connection is established, and responses 2xx and 3xx are
3422 considered valid, while all other ones indicate a server failure, including
3423 the lack of any response.
3424
3425 The port and interval are specified in the server configuration.
3426
3427 This option does not necessarily require an HTTP backend, it also works with
3428 plain TCP backends. This is particularly useful to check simple scripts bound
3429 to some dedicated ports using the inetd daemon.
3430
3431 Examples :
3432 # Relay HTTPS traffic to Apache instance and check service availability
3433 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
3434 backend https_relay
3435 mode tcp
3436 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
3437 server apache1 192.168.1.1:443 check port 80
3438
3439 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003440 "option pgsql-check", "http-check" and the "check", "port" and
3441 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01003442
3443
Willy Tarreauc27debf2008-01-06 08:57:02 +01003444option httpclose
3445no option httpclose
3446 Enable or disable passive HTTP connection closing
3447 May be used in sections : defaults | frontend | listen | backend
3448 yes | yes | yes | yes
3449 Arguments : none
3450
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003451 By default, when a client communicates with a server, HAProxy will only
3452 analyze, log, and process the first request of each connection. If "option
3453 httpclose" is set, it will check if a "Connection: close" header is already
3454 set in each direction, and will add one if missing. Each end should react to
3455 this by actively closing the TCP connection after each transfer, thus
3456 resulting in a switch to the HTTP close mode. Any "Connection" header
3457 different from "close" will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003458
3459 It seldom happens that some servers incorrectly ignore this header and do not
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003460 close the connection even though they reply "Connection: close". For this
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003461 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
3462 it is possible to use the "option forceclose" which actively closes the
3463 request connection once the server responds. Option "forceclose" also
3464 releases the server connection earlier because it does not have to wait for
3465 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003466
3467 This option may be set both in a frontend and in a backend. It is enabled if
3468 at least one of the frontend or backend holding a connection has it enabled.
3469 If "option forceclose" is specified too, it has precedence over "httpclose".
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003470 If "option http-server-close" is enabled at the same time as "httpclose", it
3471 basically achieves the same result as "option forceclose".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003472
3473 If this option has been enabled in a "defaults" section, it can be disabled
3474 in a specific instance by prepending the "no" keyword before it.
3475
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003476 See also : "option forceclose", "option http-server-close" and
3477 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003478
3479
Emeric Brun3a058f32009-06-30 18:26:00 +02003480option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003481 Enable logging of HTTP request, session state and timers
3482 May be used in sections : defaults | frontend | listen | backend
3483 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02003484 Arguments :
3485 clf if the "clf" argument is added, then the output format will be
3486 the CLF format instead of HAProxy's default HTTP format. You can
3487 use this when you need to feed HAProxy's logs through a specific
3488 log analyser which only support the CLF format and which is not
3489 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003490
3491 By default, the log output format is very poor, as it only contains the
3492 source and destination addresses, and the instance name. By specifying
3493 "option httplog", each log line turns into a much richer format including,
3494 but not limited to, the HTTP request, the connection timers, the session
3495 status, the connections numbers, the captured headers and cookies, the
3496 frontend, backend and server name, and of course the source address and
3497 ports.
3498
3499 This option may be set either in the frontend or the backend.
3500
Emeric Brun3a058f32009-06-30 18:26:00 +02003501 If this option has been enabled in a "defaults" section, it can be disabled
3502 in a specific instance by prepending the "no" keyword before it. Specifying
3503 only "option httplog" will automatically clear the 'clf' mode if it was set
3504 by default.
3505
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003506 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003507
Willy Tarreau55165fe2009-05-10 12:02:55 +02003508
3509option http_proxy
3510no option http_proxy
3511 Enable or disable plain HTTP proxy mode
3512 May be used in sections : defaults | frontend | listen | backend
3513 yes | yes | yes | yes
3514 Arguments : none
3515
3516 It sometimes happens that people need a pure HTTP proxy which understands
3517 basic proxy requests without caching nor any fancy feature. In this case,
3518 it may be worth setting up an HAProxy instance with the "option http_proxy"
3519 set. In this mode, no server is declared, and the connection is forwarded to
3520 the IP address and port found in the URL after the "http://" scheme.
3521
3522 No host address resolution is performed, so this only works when pure IP
3523 addresses are passed. Since this option's usage perimeter is rather limited,
3524 it will probably be used only by experts who know they need exactly it. Last,
3525 if the clients are susceptible of sending keep-alive requests, it will be
Cyril Bonté2409e682010-12-14 22:47:51 +01003526 needed to add "option httpclose" to ensure that all requests will correctly
Willy Tarreau55165fe2009-05-10 12:02:55 +02003527 be analyzed.
3528
3529 If this option has been enabled in a "defaults" section, it can be disabled
3530 in a specific instance by prepending the "no" keyword before it.
3531
3532 Example :
3533 # this backend understands HTTP proxy requests and forwards them directly.
3534 backend direct_forward
3535 option httpclose
3536 option http_proxy
3537
3538 See also : "option httpclose"
3539
Willy Tarreau211ad242009-10-03 21:45:07 +02003540
Jamie Gloudon801a0a32012-08-25 00:18:33 -04003541option independent-streams
3542no option independent-streams
3543 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003544 May be used in sections : defaults | frontend | listen | backend
3545 yes | yes | yes | yes
3546 Arguments : none
3547
3548 By default, when data is sent over a socket, both the write timeout and the
3549 read timeout for that socket are refreshed, because we consider that there is
3550 activity on that socket, and we have no other means of guessing if we should
3551 receive data or not.
3552
3553 While this default behaviour is desirable for almost all applications, there
3554 exists a situation where it is desirable to disable it, and only refresh the
3555 read timeout if there are incoming data. This happens on sessions with large
3556 timeouts and low amounts of exchanged data such as telnet session. If the
3557 server suddenly disappears, the output data accumulates in the system's
3558 socket buffers, both timeouts are correctly refreshed, and there is no way
3559 to know the server does not receive them, so we don't timeout. However, when
3560 the underlying protocol always echoes sent data, it would be enough by itself
3561 to detect the issue using the read timeout. Note that this problem does not
3562 happen with more verbose protocols because data won't accumulate long in the
3563 socket buffers.
3564
3565 When this option is set on the frontend, it will disable read timeout updates
3566 on data sent to the client. There probably is little use of this case. When
3567 the option is set on the backend, it will disable read timeout updates on
3568 data sent to the server. Doing so will typically break large HTTP posts from
3569 slow lines, so use it with caution.
3570
Jamie Gloudon801a0a32012-08-25 00:18:33 -04003571 Note: older versions used to call this setting "option independant-streams"
3572 with a spelling mistake. This spelling is still supported but
3573 deprecated.
3574
Willy Tarreauce887fd2012-05-12 12:50:00 +02003575 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003576
3577
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02003578option ldap-check
3579 Use LDAPv3 health checks for server testing
3580 May be used in sections : defaults | frontend | listen | backend
3581 yes | no | yes | yes
3582 Arguments : none
3583
3584 It is possible to test that the server correctly talks LDAPv3 instead of just
3585 testing that it accepts the TCP connection. When this option is set, an
3586 LDAPv3 anonymous simple bind message is sent to the server, and the response
3587 is analyzed to find an LDAPv3 bind response message.
3588
3589 The server is considered valid only when the LDAP response contains success
3590 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
3591
3592 Logging of bind requests is server dependent see your documentation how to
3593 configure it.
3594
3595 Example :
3596 option ldap-check
3597
3598 See also : "option httpchk"
3599
3600
Willy Tarreau211ad242009-10-03 21:45:07 +02003601option log-health-checks
3602no option log-health-checks
3603 Enable or disable logging of health checks
3604 May be used in sections : defaults | frontend | listen | backend
3605 yes | no | yes | yes
3606 Arguments : none
3607
3608 Enable health checks logging so it possible to check for example what
3609 was happening before a server crash. Failed health check are logged if
3610 server is UP and succeeded health checks if server is DOWN, so the amount
3611 of additional information is limited.
3612
3613 If health check logging is enabled no health check status is printed
3614 when servers is set up UP/DOWN/ENABLED/DISABLED.
3615
3616 See also: "log" and section 8 about logging.
3617
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003618
3619option log-separate-errors
3620no option log-separate-errors
3621 Change log level for non-completely successful connections
3622 May be used in sections : defaults | frontend | listen | backend
3623 yes | yes | yes | no
3624 Arguments : none
3625
3626 Sometimes looking for errors in logs is not easy. This option makes haproxy
3627 raise the level of logs containing potentially interesting information such
3628 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
3629 level changes from "info" to "err". This makes it possible to log them
3630 separately to a different file with most syslog daemons. Be careful not to
3631 remove them from the original file, otherwise you would lose ordering which
3632 provides very important information.
3633
3634 Using this option, large sites dealing with several thousand connections per
3635 second may log normal traffic to a rotating buffer and only archive smaller
3636 error logs.
3637
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003638 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003639 logging.
3640
Willy Tarreauc27debf2008-01-06 08:57:02 +01003641
3642option logasap
3643no option logasap
3644 Enable or disable early logging of HTTP requests
3645 May be used in sections : defaults | frontend | listen | backend
3646 yes | yes | yes | no
3647 Arguments : none
3648
3649 By default, HTTP requests are logged upon termination so that the total
3650 transfer time and the number of bytes appear in the logs. When large objects
3651 are being transferred, it may take a while before the request appears in the
3652 logs. Using "option logasap", the request gets logged as soon as the server
3653 sends the complete headers. The only missing information in the logs will be
3654 the total number of bytes which will indicate everything except the amount
3655 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003656 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01003657 "Content-Length" response header so that the logs at least indicate how many
3658 bytes are expected to be transferred.
3659
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003660 Examples :
3661 listen http_proxy 0.0.0.0:80
3662 mode http
3663 option httplog
3664 option logasap
3665 log 192.168.2.200 local3
3666
3667 >>> Feb 6 12:14:14 localhost \
3668 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
3669 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
3670 "GET /image.iso HTTP/1.0"
3671
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003672 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01003673 logging.
3674
3675
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003676option mysql-check [ user <username> ]
3677 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003678 May be used in sections : defaults | frontend | listen | backend
3679 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003680 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003681 <username> This is the username which will be used when connecting to MySQL
3682 server.
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003683
3684 If you specify a username, the check consists of sending two MySQL packet,
3685 one Client Authentication packet, and one QUIT packet, to correctly close
3686 MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
3687 Error packet. It is a basic but useful test which does not produce error nor
3688 aborted connect on the server. However, it requires adding an authorization
3689 in the MySQL table, like this :
3690
3691 USE mysql;
3692 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
3693 FLUSH PRIVILEGES;
3694
3695 If you don't specify a username (it is deprecated and not recommended), the
3696 check only consists in parsing the Mysql Handshake Initialisation packet or
3697 Error packet, we don't send anything in this mode. It was reported that it
3698 can generate lockout if check is too frequent and/or if there is not enough
3699 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
3700 value as if a connection is established successfully within fewer than MySQL
3701 "max_connect_errors" attempts after a previous connection was interrupted,
3702 the error count for the host is cleared to zero. If HAProxy's server get
3703 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
3704
3705 Remember that this does not check database presence nor database consistency.
3706 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003707
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02003708 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003709
3710 Most often, an incoming MySQL server needs to see the client's IP address for
3711 various purposes, including IP privilege matching and connection logging.
3712 When possible, it is often wise to masquerade the client's IP address when
3713 connecting to the server using the "usesrc" argument of the "source" keyword,
3714 which requires the cttproxy feature to be compiled in, and the MySQL server
3715 to route the client via the machine hosting haproxy.
3716
3717 See also: "option httpchk"
3718
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003719option pgsql-check [ user <username> ]
3720 Use PostgreSQL health checks for server testing
3721 May be used in sections : defaults | frontend | listen | backend
3722 yes | no | yes | yes
3723 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003724 <username> This is the username which will be used when connecting to
3725 PostgreSQL server.
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003726
3727 The check sends a PostgreSQL StartupMessage and waits for either
3728 Authentication request or ErrorResponse message. It is a basic but useful
3729 test which does not produce error nor aborted connect on the server.
3730 This check is identical with the "mysql-check".
3731
3732 See also: "option httpchk"
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003733
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003734option nolinger
3735no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003736 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003737 May be used in sections: defaults | frontend | listen | backend
3738 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003739 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003740
3741 When clients or servers abort connections in a dirty way (eg: they are
3742 physically disconnected), the session timeouts triggers and the session is
3743 closed. But it will remain in FIN_WAIT1 state for some time in the system,
3744 using some resources and possibly limiting the ability to establish newer
3745 connections.
3746
3747 When this happens, it is possible to activate "option nolinger" which forces
3748 the system to immediately remove any socket's pending data on close. Thus,
3749 the session is instantly purged from the system's tables. This usually has
3750 side effects such as increased number of TCP resets due to old retransmits
3751 getting immediately rejected. Some firewalls may sometimes complain about
3752 this too.
3753
3754 For this reason, it is not recommended to use this option when not absolutely
3755 needed. You know that you need it when you have thousands of FIN_WAIT1
3756 sessions on your system (TIME_WAIT ones do not count).
3757
3758 This option may be used both on frontends and backends, depending on the side
3759 where it is required. Use it on the frontend for clients, and on the backend
3760 for servers.
3761
3762 If this option has been enabled in a "defaults" section, it can be disabled
3763 in a specific instance by prepending the "no" keyword before it.
3764
3765
Willy Tarreau55165fe2009-05-10 12:02:55 +02003766option originalto [ except <network> ] [ header <name> ]
3767 Enable insertion of the X-Original-To header to requests sent to servers
3768 May be used in sections : defaults | frontend | listen | backend
3769 yes | yes | yes | yes
3770 Arguments :
3771 <network> is an optional argument used to disable this option for sources
3772 matching <network>
3773 <name> an optional argument to specify a different "X-Original-To"
3774 header name.
3775
3776 Since HAProxy can work in transparent mode, every request from a client can
3777 be redirected to the proxy and HAProxy itself can proxy every request to a
3778 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
3779 be lost. This is annoying when you want access rules based on destination ip
3780 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
3781 added by HAProxy to all requests sent to the server. This header contains a
3782 value representing the original destination IP address. Since this must be
3783 configured to always use the last occurrence of this header only. Note that
3784 only the last occurrence of the header must be used, since it is really
3785 possible that the client has already brought one.
3786
3787 The keyword "header" may be used to supply a different header name to replace
3788 the default "X-Original-To". This can be useful where you might already
3789 have a "X-Original-To" header from a different application, and you need
3790 preserve it. Also if your backend server doesn't use the "X-Original-To"
3791 header and requires different one.
3792
3793 Sometimes, a same HAProxy instance may be shared between a direct client
3794 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3795 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3796 header for a known source address or network by adding the "except" keyword
3797 followed by the network address. In this case, any source IP matching the
3798 network will not cause an addition of this header. Most common uses are with
3799 private networks or 127.0.0.1.
3800
3801 This option may be specified either in the frontend or in the backend. If at
3802 least one of them uses it, the header will be added. Note that the backend's
3803 setting of the header subargument takes precedence over the frontend's if
3804 both are defined.
3805
Willy Tarreau87cf5142011-08-19 22:57:24 +02003806 It is important to note that by default, HAProxy works in tunnel mode and
3807 only inspects the first request of a connection, meaning that only the first
3808 request will have the header appended, which is certainly not what you want.
3809 In order to fix this, ensure that any of the "httpclose", "forceclose" or
3810 "http-server-close" options is set when using this option.
Willy Tarreau55165fe2009-05-10 12:02:55 +02003811
3812 Examples :
3813 # Original Destination address
3814 frontend www
3815 mode http
3816 option originalto except 127.0.0.1
3817
3818 # Those servers want the IP Address in X-Client-Dst
3819 backend www
3820 mode http
3821 option originalto header X-Client-Dst
3822
Willy Tarreau87cf5142011-08-19 22:57:24 +02003823 See also : "option httpclose", "option http-server-close",
3824 "option forceclose"
Willy Tarreau55165fe2009-05-10 12:02:55 +02003825
3826
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003827option persist
3828no option persist
3829 Enable or disable forced persistence on down servers
3830 May be used in sections: defaults | frontend | listen | backend
3831 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003832 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003833
3834 When an HTTP request reaches a backend with a cookie which references a dead
3835 server, by default it is redispatched to another server. It is possible to
3836 force the request to be sent to the dead server first using "option persist"
3837 if absolutely needed. A common use case is when servers are under extreme
3838 load and spend their time flapping. In this case, the users would still be
3839 directed to the server they opened the session on, in the hope they would be
3840 correctly served. It is recommended to use "option redispatch" in conjunction
3841 with this option so that in the event it would not be possible to connect to
3842 the server at all (server definitely dead), the client would finally be
3843 redirected to another valid server.
3844
3845 If this option has been enabled in a "defaults" section, it can be disabled
3846 in a specific instance by prepending the "no" keyword before it.
3847
Willy Tarreau4de91492010-01-22 19:10:05 +01003848 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003849
3850
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003851option redispatch
3852no option redispatch
3853 Enable or disable session redistribution in case of connection failure
3854 May be used in sections: defaults | frontend | listen | backend
3855 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003856 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003857
3858 In HTTP mode, if a server designated by a cookie is down, clients may
3859 definitely stick to it because they cannot flush the cookie, so they will not
3860 be able to access the service anymore.
3861
3862 Specifying "option redispatch" will allow the proxy to break their
3863 persistence and redistribute them to a working server.
3864
3865 It also allows to retry last connection to another server in case of multiple
3866 connection failures. Of course, it requires having "retries" set to a nonzero
3867 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003868
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003869 This form is the preferred form, which replaces both the "redispatch" and
3870 "redisp" keywords.
3871
3872 If this option has been enabled in a "defaults" section, it can be disabled
3873 in a specific instance by prepending the "no" keyword before it.
3874
Willy Tarreau4de91492010-01-22 19:10:05 +01003875 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003876
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003877
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02003878option redis-check
3879 Use redis health checks for server testing
3880 May be used in sections : defaults | frontend | listen | backend
3881 yes | no | yes | yes
3882 Arguments : none
3883
3884 It is possible to test that the server correctly talks REDIS protocol instead
3885 of just testing that it accepts the TCP connection. When this option is set,
3886 a PING redis command is sent to the server, and the response is analyzed to
3887 find the "+PONG" response message.
3888
3889 Example :
3890 option redis-check
3891
3892 See also : "option httpchk"
3893
3894
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003895option smtpchk
3896option smtpchk <hello> <domain>
3897 Use SMTP health checks for server testing
3898 May be used in sections : defaults | frontend | listen | backend
3899 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01003900 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003901 <hello> is an optional argument. It is the "hello" command to use. It can
3902 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
3903 values will be turned into the default command ("HELO").
3904
3905 <domain> is the domain name to present to the server. It may only be
3906 specified (and is mandatory) if the hello command has been
3907 specified. By default, "localhost" is used.
3908
3909 When "option smtpchk" is set, the health checks will consist in TCP
3910 connections followed by an SMTP command. By default, this command is
3911 "HELO localhost". The server's return code is analyzed and only return codes
3912 starting with a "2" will be considered as valid. All other responses,
3913 including a lack of response will constitute an error and will indicate a
3914 dead server.
3915
3916 This test is meant to be used with SMTP servers or relays. Depending on the
3917 request, it is possible that some servers do not log each connection attempt,
3918 so you may want to experiment to improve the behaviour. Using telnet on port
3919 25 is often easier than adjusting the configuration.
3920
3921 Most often, an incoming SMTP server needs to see the client's IP address for
3922 various purposes, including spam filtering, anti-spoofing and logging. When
3923 possible, it is often wise to masquerade the client's IP address when
3924 connecting to the server using the "usesrc" argument of the "source" keyword,
3925 which requires the cttproxy feature to be compiled in.
3926
3927 Example :
3928 option smtpchk HELO mydomain.org
3929
3930 See also : "option httpchk", "source"
3931
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003932
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02003933option socket-stats
3934no option socket-stats
3935
3936 Enable or disable collecting & providing separate statistics for each socket.
3937 May be used in sections : defaults | frontend | listen | backend
3938 yes | yes | yes | no
3939
3940 Arguments : none
3941
3942
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003943option splice-auto
3944no option splice-auto
3945 Enable or disable automatic kernel acceleration on sockets in both directions
3946 May be used in sections : defaults | frontend | listen | backend
3947 yes | yes | yes | yes
3948 Arguments : none
3949
3950 When this option is enabled either on a frontend or on a backend, haproxy
3951 will automatically evaluate the opportunity to use kernel tcp splicing to
3952 forward data between the client and the server, in either direction. Haproxy
3953 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003954 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003955 are not much aggressive in order to limit excessive use of splicing. This
3956 option requires splicing to be enabled at compile time, and may be globally
3957 disabled with the global option "nosplice". Since splice uses pipes, using it
3958 requires that there are enough spare pipes.
3959
3960 Important note: kernel-based TCP splicing is a Linux-specific feature which
3961 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
3962 transfer data between sockets without copying these data to user-space, thus
3963 providing noticeable performance gains and CPU cycles savings. Since many
3964 early implementations are buggy, corrupt data and/or are inefficient, this
3965 feature is not enabled by default, and it should be used with extreme care.
3966 While it is not possible to detect the correctness of an implementation,
3967 2.6.29 is the first version offering a properly working implementation. In
3968 case of doubt, splicing may be globally disabled using the global "nosplice"
3969 keyword.
3970
3971 Example :
3972 option splice-auto
3973
3974 If this option has been enabled in a "defaults" section, it can be disabled
3975 in a specific instance by prepending the "no" keyword before it.
3976
3977 See also : "option splice-request", "option splice-response", and global
3978 options "nosplice" and "maxpipes"
3979
3980
3981option splice-request
3982no option splice-request
3983 Enable or disable automatic kernel acceleration on sockets for requests
3984 May be used in sections : defaults | frontend | listen | backend
3985 yes | yes | yes | yes
3986 Arguments : none
3987
3988 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003989 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003990 the client to the server. It might still use the recv/send scheme if there
3991 are no spare pipes left. This option requires splicing to be enabled at
3992 compile time, and may be globally disabled with the global option "nosplice".
3993 Since splice uses pipes, using it requires that there are enough spare pipes.
3994
3995 Important note: see "option splice-auto" for usage limitations.
3996
3997 Example :
3998 option splice-request
3999
4000 If this option has been enabled in a "defaults" section, it can be disabled
4001 in a specific instance by prepending the "no" keyword before it.
4002
4003 See also : "option splice-auto", "option splice-response", and global options
4004 "nosplice" and "maxpipes"
4005
4006
4007option splice-response
4008no option splice-response
4009 Enable or disable automatic kernel acceleration on sockets for responses
4010 May be used in sections : defaults | frontend | listen | backend
4011 yes | yes | yes | yes
4012 Arguments : none
4013
4014 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004015 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01004016 the server to the client. It might still use the recv/send scheme if there
4017 are no spare pipes left. This option requires splicing to be enabled at
4018 compile time, and may be globally disabled with the global option "nosplice".
4019 Since splice uses pipes, using it requires that there are enough spare pipes.
4020
4021 Important note: see "option splice-auto" for usage limitations.
4022
4023 Example :
4024 option splice-response
4025
4026 If this option has been enabled in a "defaults" section, it can be disabled
4027 in a specific instance by prepending the "no" keyword before it.
4028
4029 See also : "option splice-auto", "option splice-request", and global options
4030 "nosplice" and "maxpipes"
4031
4032
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004033option srvtcpka
4034no option srvtcpka
4035 Enable or disable the sending of TCP keepalive packets on the server side
4036 May be used in sections : defaults | frontend | listen | backend
4037 yes | no | yes | yes
4038 Arguments : none
4039
4040 When there is a firewall or any session-aware component between a client and
4041 a server, and when the protocol involves very long sessions with long idle
4042 periods (eg: remote desktops), there is a risk that one of the intermediate
4043 components decides to expire a session which has remained idle for too long.
4044
4045 Enabling socket-level TCP keep-alives makes the system regularly send packets
4046 to the other end of the connection, leaving it active. The delay between
4047 keep-alive probes is controlled by the system only and depends both on the
4048 operating system and its tuning parameters.
4049
4050 It is important to understand that keep-alive packets are neither emitted nor
4051 received at the application level. It is only the network stacks which sees
4052 them. For this reason, even if one side of the proxy already uses keep-alives
4053 to maintain its connection alive, those keep-alive packets will not be
4054 forwarded to the other side of the proxy.
4055
4056 Please note that this has nothing to do with HTTP keep-alive.
4057
4058 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
4059 server side of a connection, which should help when session expirations are
4060 noticed between HAProxy and a server.
4061
4062 If this option has been enabled in a "defaults" section, it can be disabled
4063 in a specific instance by prepending the "no" keyword before it.
4064
4065 See also : "option clitcpka", "option tcpka"
4066
4067
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004068option ssl-hello-chk
4069 Use SSLv3 client hello health checks for server testing
4070 May be used in sections : defaults | frontend | listen | backend
4071 yes | no | yes | yes
4072 Arguments : none
4073
4074 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
4075 possible to test that the server correctly talks SSL instead of just testing
4076 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
4077 SSLv3 client hello messages are sent once the connection is established to
4078 the server, and the response is analyzed to find an SSL server hello message.
4079 The server is considered valid only when the response contains this server
4080 hello message.
4081
4082 All servers tested till there correctly reply to SSLv3 client hello messages,
4083 and most servers tested do not even log the requests containing only hello
4084 messages, which is appreciable.
4085
4086 See also: "option httpchk"
4087
4088
Willy Tarreau9ea05a72009-06-14 12:07:01 +02004089option tcp-smart-accept
4090no option tcp-smart-accept
4091 Enable or disable the saving of one ACK packet during the accept sequence
4092 May be used in sections : defaults | frontend | listen | backend
4093 yes | yes | yes | no
4094 Arguments : none
4095
4096 When an HTTP connection request comes in, the system acknowledges it on
4097 behalf of HAProxy, then the client immediately sends its request, and the
4098 system acknowledges it too while it is notifying HAProxy about the new
4099 connection. HAProxy then reads the request and responds. This means that we
4100 have one TCP ACK sent by the system for nothing, because the request could
4101 very well be acknowledged by HAProxy when it sends its response.
4102
4103 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
4104 sending this useless ACK on platforms which support it (currently at least
4105 Linux). It must not cause any problem, because the system will send it anyway
4106 after 40 ms if the response takes more time than expected to come.
4107
4108 During complex network debugging sessions, it may be desirable to disable
4109 this optimization because delayed ACKs can make troubleshooting more complex
4110 when trying to identify where packets are delayed. It is then possible to
4111 fall back to normal behaviour by specifying "no option tcp-smart-accept".
4112
4113 It is also possible to force it for non-HTTP proxies by simply specifying
4114 "option tcp-smart-accept". For instance, it can make sense with some services
4115 such as SMTP where the server speaks first.
4116
4117 It is recommended to avoid forcing this option in a defaults section. In case
4118 of doubt, consider setting it back to automatic values by prepending the
4119 "default" keyword before it, or disabling it using the "no" keyword.
4120
Willy Tarreaud88edf22009-06-14 15:48:17 +02004121 See also : "option tcp-smart-connect"
4122
4123
4124option tcp-smart-connect
4125no option tcp-smart-connect
4126 Enable or disable the saving of one ACK packet during the connect sequence
4127 May be used in sections : defaults | frontend | listen | backend
4128 yes | no | yes | yes
4129 Arguments : none
4130
4131 On certain systems (at least Linux), HAProxy can ask the kernel not to
4132 immediately send an empty ACK upon a connection request, but to directly
4133 send the buffer request instead. This saves one packet on the network and
4134 thus boosts performance. It can also be useful for some servers, because they
4135 immediately get the request along with the incoming connection.
4136
4137 This feature is enabled when "option tcp-smart-connect" is set in a backend.
4138 It is not enabled by default because it makes network troubleshooting more
4139 complex.
4140
4141 It only makes sense to enable it with protocols where the client speaks first
4142 such as HTTP. In other situations, if there is no data to send in place of
4143 the ACK, a normal ACK is sent.
4144
4145 If this option has been enabled in a "defaults" section, it can be disabled
4146 in a specific instance by prepending the "no" keyword before it.
4147
4148 See also : "option tcp-smart-accept"
4149
Willy Tarreau9ea05a72009-06-14 12:07:01 +02004150
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004151option tcpka
4152 Enable or disable the sending of TCP keepalive packets on both sides
4153 May be used in sections : defaults | frontend | listen | backend
4154 yes | yes | yes | yes
4155 Arguments : none
4156
4157 When there is a firewall or any session-aware component between a client and
4158 a server, and when the protocol involves very long sessions with long idle
4159 periods (eg: remote desktops), there is a risk that one of the intermediate
4160 components decides to expire a session which has remained idle for too long.
4161
4162 Enabling socket-level TCP keep-alives makes the system regularly send packets
4163 to the other end of the connection, leaving it active. The delay between
4164 keep-alive probes is controlled by the system only and depends both on the
4165 operating system and its tuning parameters.
4166
4167 It is important to understand that keep-alive packets are neither emitted nor
4168 received at the application level. It is only the network stacks which sees
4169 them. For this reason, even if one side of the proxy already uses keep-alives
4170 to maintain its connection alive, those keep-alive packets will not be
4171 forwarded to the other side of the proxy.
4172
4173 Please note that this has nothing to do with HTTP keep-alive.
4174
4175 Using option "tcpka" enables the emission of TCP keep-alive probes on both
4176 the client and server sides of a connection. Note that this is meaningful
4177 only in "defaults" or "listen" sections. If this option is used in a
4178 frontend, only the client side will get keep-alives, and if this option is
4179 used in a backend, only the server side will get keep-alives. For this
4180 reason, it is strongly recommended to explicitly use "option clitcpka" and
4181 "option srvtcpka" when the configuration is split between frontends and
4182 backends.
4183
4184 See also : "option clitcpka", "option srvtcpka"
4185
Willy Tarreau844e3c52008-01-11 16:28:18 +01004186
4187option tcplog
4188 Enable advanced logging of TCP connections with session state and timers
4189 May be used in sections : defaults | frontend | listen | backend
4190 yes | yes | yes | yes
4191 Arguments : none
4192
4193 By default, the log output format is very poor, as it only contains the
4194 source and destination addresses, and the instance name. By specifying
4195 "option tcplog", each log line turns into a much richer format including, but
4196 not limited to, the connection timers, the session status, the connections
4197 numbers, the frontend, backend and server name, and of course the source
4198 address and ports. This option is useful for pure TCP proxies in order to
4199 find which of the client or server disconnects or times out. For normal HTTP
4200 proxies, it's better to use "option httplog" which is even more complete.
4201
4202 This option may be set either in the frontend or the backend.
4203
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004204 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004205
4206
Willy Tarreau844e3c52008-01-11 16:28:18 +01004207option transparent
4208no option transparent
4209 Enable client-side transparent proxying
4210 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01004211 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01004212 Arguments : none
4213
4214 This option was introduced in order to provide layer 7 persistence to layer 3
4215 load balancers. The idea is to use the OS's ability to redirect an incoming
4216 connection for a remote address to a local process (here HAProxy), and let
4217 this process know what address was initially requested. When this option is
4218 used, sessions without cookies will be forwarded to the original destination
4219 IP address of the incoming request (which should match that of another
4220 equipment), while requests with cookies will still be forwarded to the
4221 appropriate server.
4222
4223 Note that contrary to a common belief, this option does NOT make HAProxy
4224 present the client's IP to the server when establishing the connection.
4225
Willy Tarreaua1146052011-03-01 09:51:54 +01004226 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004227 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004228
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004229
Emeric Brun647caf12009-06-30 17:57:00 +02004230persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02004231persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02004232 Enable RDP cookie-based persistence
4233 May be used in sections : defaults | frontend | listen | backend
4234 yes | no | yes | yes
4235 Arguments :
4236 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02004237 default cookie name "msts" will be used. There currently is no
4238 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02004239
4240 This statement enables persistence based on an RDP cookie. The RDP cookie
4241 contains all information required to find the server in the list of known
4242 servers. So when this option is set in the backend, the request is analysed
4243 and if an RDP cookie is found, it is decoded. If it matches a known server
4244 which is still UP (or if "option persist" is set), then the connection is
4245 forwarded to this server.
4246
4247 Note that this only makes sense in a TCP backend, but for this to work, the
4248 frontend must have waited long enough to ensure that an RDP cookie is present
4249 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004250 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02004251 a single "listen" section.
4252
Willy Tarreau61e28f22010-05-16 22:31:05 +02004253 Also, it is important to understand that the terminal server will emit this
4254 RDP cookie only if it is configured for "token redirection mode", which means
4255 that the "IP address redirection" option is disabled.
4256
Emeric Brun647caf12009-06-30 17:57:00 +02004257 Example :
4258 listen tse-farm
4259 bind :3389
4260 # wait up to 5s for an RDP cookie in the request
4261 tcp-request inspect-delay 5s
4262 tcp-request content accept if RDP_COOKIE
4263 # apply RDP cookie persistence
4264 persist rdp-cookie
4265 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02004266 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02004267 balance rdp-cookie
4268 server srv1 1.1.1.1:3389
4269 server srv2 1.1.1.2:3389
4270
Simon Hormanab814e02011-06-24 14:50:20 +09004271 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
4272 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02004273
4274
Willy Tarreau3a7d2072009-03-05 23:48:25 +01004275rate-limit sessions <rate>
4276 Set a limit on the number of new sessions accepted per second on a frontend
4277 May be used in sections : defaults | frontend | listen | backend
4278 yes | yes | yes | no
4279 Arguments :
4280 <rate> The <rate> parameter is an integer designating the maximum number
4281 of new sessions per second to accept on the frontend.
4282
4283 When the frontend reaches the specified number of new sessions per second, it
4284 stops accepting new connections until the rate drops below the limit again.
4285 During this time, the pending sessions will be kept in the socket's backlog
4286 (in system buffers) and haproxy will not even be aware that sessions are
4287 pending. When applying very low limit on a highly loaded service, it may make
4288 sense to increase the socket's backlog using the "backlog" keyword.
4289
4290 This feature is particularly efficient at blocking connection-based attacks
4291 or service abuse on fragile servers. Since the session rate is measured every
4292 millisecond, it is extremely accurate. Also, the limit applies immediately,
4293 no delay is needed at all to detect the threshold.
4294
4295 Example : limit the connection rate on SMTP to 10 per second max
4296 listen smtp
4297 mode tcp
4298 bind :25
4299 rate-limit sessions 10
4300 server 127.0.0.1:1025
4301
Willy Tarreaua17c2d92011-07-25 08:16:20 +02004302 Note : when the maximum rate is reached, the frontend's status is not changed
4303 but its sockets appear as "WAITING" in the statistics if the
4304 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01004305
4306 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
4307
4308
Willy Tarreauf285f542010-01-03 20:03:03 +01004309redirect location <to> [code <code>] <option> [{if | unless} <condition>]
4310redirect prefix <to> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004311 Return an HTTP redirection if/unless a condition is matched
4312 May be used in sections : defaults | frontend | listen | backend
4313 no | yes | yes | yes
4314
4315 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01004316 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004317
Willy Tarreau0140f252008-11-19 21:07:09 +01004318 Arguments :
4319 <to> With "redirect location", the exact value in <to> is placed into
4320 the HTTP "Location" header. In case of "redirect prefix", the
4321 "Location" header is built from the concatenation of <to> and the
4322 complete URI, including the query string, unless the "drop-query"
Willy Tarreaufe651a52008-11-19 21:15:17 +01004323 option is specified (see below). As a special case, if <to>
4324 equals exactly "/" in prefix mode, then nothing is inserted
4325 before the original URI. It allows one to redirect to the same
4326 URL.
Willy Tarreau0140f252008-11-19 21:07:09 +01004327
4328 <code> The code is optional. It indicates which type of HTTP redirection
4329 is desired. Only codes 301, 302 and 303 are supported, and 302 is
4330 used if no code is specified. 301 means "Moved permanently", and
4331 a browser may cache the Location. 302 means "Moved permanently"
4332 and means that the browser should not cache the redirection. 303
4333 is equivalent to 302 except that the browser will fetch the
4334 location with a GET method.
4335
4336 <option> There are several options which can be specified to adjust the
4337 expected behaviour of a redirection :
4338
4339 - "drop-query"
4340 When this keyword is used in a prefix-based redirection, then the
4341 location will be set without any possible query-string, which is useful
4342 for directing users to a non-secure page for instance. It has no effect
4343 with a location-type redirect.
4344
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01004345 - "append-slash"
4346 This keyword may be used in conjunction with "drop-query" to redirect
4347 users who use a URL not ending with a '/' to the same one with the '/'.
4348 It can be useful to ensure that search engines will only see one URL.
4349 For this, a return code 301 is preferred.
4350
Willy Tarreau0140f252008-11-19 21:07:09 +01004351 - "set-cookie NAME[=value]"
4352 A "Set-Cookie" header will be added with NAME (and optionally "=value")
4353 to the response. This is sometimes used to indicate that a user has
4354 been seen, for instance to protect against some types of DoS. No other
4355 cookie option is added, so the cookie will be a session cookie. Note
4356 that for a browser, a sole cookie name without an equal sign is
4357 different from a cookie with an equal sign.
4358
4359 - "clear-cookie NAME[=]"
4360 A "Set-Cookie" header will be added with NAME (and optionally "="), but
4361 with the "Max-Age" attribute set to zero. This will tell the browser to
4362 delete this cookie. It is useful for instance on logout pages. It is
4363 important to note that clearing the cookie "NAME" will not remove a
4364 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
4365 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004366
4367 Example: move the login URL only to HTTPS.
4368 acl clear dst_port 80
4369 acl secure dst_port 8080
4370 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01004371 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01004372 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01004373 acl cookie_set hdr_sub(cookie) SEEN=1
4374
4375 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01004376 redirect prefix https://mysite.com if login_page !secure
4377 redirect prefix http://mysite.com drop-query if login_page !uid_given
4378 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01004379 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004380
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01004381 Example: send redirects for request for articles without a '/'.
4382 acl missing_slash path_reg ^/article/[^/]*$
4383 redirect code 301 prefix / drop-query append-slash if missing_slash
4384
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004385 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004386
4387
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004388redisp (deprecated)
4389redispatch (deprecated)
4390 Enable or disable session redistribution in case of connection failure
4391 May be used in sections: defaults | frontend | listen | backend
4392 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004393 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004394
4395 In HTTP mode, if a server designated by a cookie is down, clients may
4396 definitely stick to it because they cannot flush the cookie, so they will not
4397 be able to access the service anymore.
4398
4399 Specifying "redispatch" will allow the proxy to break their persistence and
4400 redistribute them to a working server.
4401
4402 It also allows to retry last connection to another server in case of multiple
4403 connection failures. Of course, it requires having "retries" set to a nonzero
4404 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01004405
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004406 This form is deprecated, do not use it in any new configuration, use the new
4407 "option redispatch" instead.
4408
4409 See also : "option redispatch"
4410
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004411
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004412reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004413 Add a header at the end of the HTTP request
4414 May be used in sections : defaults | frontend | listen | backend
4415 no | yes | yes | yes
4416 Arguments :
4417 <string> is the complete line to be added. Any space or known delimiter
4418 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004419 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004420
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004421 <cond> is an optional matching condition built from ACLs. It makes it
4422 possible to ignore this rule when other conditions are not met.
4423
Willy Tarreau303c0352008-01-17 19:01:39 +01004424 A new line consisting in <string> followed by a line feed will be added after
4425 the last header of an HTTP request.
4426
4427 Header transformations only apply to traffic which passes through HAProxy,
4428 and not to traffic generated by HAProxy, such as health-checks or error
4429 responses.
4430
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004431 Example : add "X-Proto: SSL" to requests coming via port 81
4432 acl is-ssl dst_port 81
4433 reqadd X-Proto:\ SSL if is-ssl
4434
4435 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
4436 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004437
4438
Willy Tarreau5321c422010-01-28 20:35:13 +01004439reqallow <search> [{if | unless} <cond>]
4440reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004441 Definitely allow an HTTP request if a line matches a regular expression
4442 May be used in sections : defaults | frontend | listen | backend
4443 no | yes | yes | yes
4444 Arguments :
4445 <search> is the regular expression applied to HTTP headers and to the
4446 request line. This is an extended regular expression. Parenthesis
4447 grouping is supported and no preliminary backslash is required.
4448 Any space or known delimiter must be escaped using a backslash
4449 ('\'). The pattern applies to a full line at a time. The
4450 "reqallow" keyword strictly matches case while "reqiallow"
4451 ignores case.
4452
Willy Tarreau5321c422010-01-28 20:35:13 +01004453 <cond> is an optional matching condition built from ACLs. It makes it
4454 possible to ignore this rule when other conditions are not met.
4455
Willy Tarreau303c0352008-01-17 19:01:39 +01004456 A request containing any line which matches extended regular expression
4457 <search> will mark the request as allowed, even if any later test would
4458 result in a deny. The test applies both to the request line and to request
4459 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01004460 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01004461
4462 It is easier, faster and more powerful to use ACLs to write access policies.
4463 Reqdeny, reqallow and reqpass should be avoided in new designs.
4464
4465 Example :
4466 # allow www.* but refuse *.local
4467 reqiallow ^Host:\ www\.
4468 reqideny ^Host:\ .*\.local
4469
Willy Tarreau5321c422010-01-28 20:35:13 +01004470 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
4471 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004472
4473
Willy Tarreau5321c422010-01-28 20:35:13 +01004474reqdel <search> [{if | unless} <cond>]
4475reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004476 Delete all headers matching a regular expression in an HTTP request
4477 May be used in sections : defaults | frontend | listen | backend
4478 no | yes | yes | yes
4479 Arguments :
4480 <search> is the regular expression applied to HTTP headers and to the
4481 request line. This is an extended regular expression. Parenthesis
4482 grouping is supported and no preliminary backslash is required.
4483 Any space or known delimiter must be escaped using a backslash
4484 ('\'). The pattern applies to a full line at a time. The "reqdel"
4485 keyword strictly matches case while "reqidel" ignores case.
4486
Willy Tarreau5321c422010-01-28 20:35:13 +01004487 <cond> is an optional matching condition built from ACLs. It makes it
4488 possible to ignore this rule when other conditions are not met.
4489
Willy Tarreau303c0352008-01-17 19:01:39 +01004490 Any header line matching extended regular expression <search> in the request
4491 will be completely deleted. Most common use of this is to remove unwanted
4492 and/or dangerous headers or cookies from a request before passing it to the
4493 next servers.
4494
4495 Header transformations only apply to traffic which passes through HAProxy,
4496 and not to traffic generated by HAProxy, such as health-checks or error
4497 responses. Keep in mind that header names are not case-sensitive.
4498
4499 Example :
4500 # remove X-Forwarded-For header and SERVER cookie
4501 reqidel ^X-Forwarded-For:.*
4502 reqidel ^Cookie:.*SERVER=
4503
Willy Tarreau5321c422010-01-28 20:35:13 +01004504 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
4505 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004506
4507
Willy Tarreau5321c422010-01-28 20:35:13 +01004508reqdeny <search> [{if | unless} <cond>]
4509reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004510 Deny an HTTP request if a line matches a regular expression
4511 May be used in sections : defaults | frontend | listen | backend
4512 no | yes | yes | yes
4513 Arguments :
4514 <search> is the regular expression applied to HTTP headers and to the
4515 request line. This is an extended regular expression. Parenthesis
4516 grouping is supported and no preliminary backslash is required.
4517 Any space or known delimiter must be escaped using a backslash
4518 ('\'). The pattern applies to a full line at a time. The
4519 "reqdeny" keyword strictly matches case while "reqideny" ignores
4520 case.
4521
Willy Tarreau5321c422010-01-28 20:35:13 +01004522 <cond> is an optional matching condition built from ACLs. It makes it
4523 possible to ignore this rule when other conditions are not met.
4524
Willy Tarreau303c0352008-01-17 19:01:39 +01004525 A request containing any line which matches extended regular expression
4526 <search> will mark the request as denied, even if any later test would
4527 result in an allow. The test applies both to the request line and to request
4528 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01004529 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01004530
Willy Tarreauced27012008-01-17 20:35:34 +01004531 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004532 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01004533 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01004534
Willy Tarreau303c0352008-01-17 19:01:39 +01004535 It is easier, faster and more powerful to use ACLs to write access policies.
4536 Reqdeny, reqallow and reqpass should be avoided in new designs.
4537
4538 Example :
4539 # refuse *.local, then allow www.*
4540 reqideny ^Host:\ .*\.local
4541 reqiallow ^Host:\ www\.
4542
Willy Tarreau5321c422010-01-28 20:35:13 +01004543 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
4544 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004545
4546
Willy Tarreau5321c422010-01-28 20:35:13 +01004547reqpass <search> [{if | unless} <cond>]
4548reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004549 Ignore any HTTP request line matching a regular expression in next rules
4550 May be used in sections : defaults | frontend | listen | backend
4551 no | yes | yes | yes
4552 Arguments :
4553 <search> is the regular expression applied to HTTP headers and to the
4554 request line. This is an extended regular expression. Parenthesis
4555 grouping is supported and no preliminary backslash is required.
4556 Any space or known delimiter must be escaped using a backslash
4557 ('\'). The pattern applies to a full line at a time. The
4558 "reqpass" keyword strictly matches case while "reqipass" ignores
4559 case.
4560
Willy Tarreau5321c422010-01-28 20:35:13 +01004561 <cond> is an optional matching condition built from ACLs. It makes it
4562 possible to ignore this rule when other conditions are not met.
4563
Willy Tarreau303c0352008-01-17 19:01:39 +01004564 A request containing any line which matches extended regular expression
4565 <search> will skip next rules, without assigning any deny or allow verdict.
4566 The test applies both to the request line and to request headers. Keep in
4567 mind that URLs in request line are case-sensitive while header names are not.
4568
4569 It is easier, faster and more powerful to use ACLs to write access policies.
4570 Reqdeny, reqallow and reqpass should be avoided in new designs.
4571
4572 Example :
4573 # refuse *.local, then allow www.*, but ignore "www.private.local"
4574 reqipass ^Host:\ www.private\.local
4575 reqideny ^Host:\ .*\.local
4576 reqiallow ^Host:\ www\.
4577
Willy Tarreau5321c422010-01-28 20:35:13 +01004578 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
4579 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004580
4581
Willy Tarreau5321c422010-01-28 20:35:13 +01004582reqrep <search> <string> [{if | unless} <cond>]
4583reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004584 Replace a regular expression with a string in an HTTP request line
4585 May be used in sections : defaults | frontend | listen | backend
4586 no | yes | yes | yes
4587 Arguments :
4588 <search> is the regular expression applied to HTTP headers and to the
4589 request line. This is an extended regular expression. Parenthesis
4590 grouping is supported and no preliminary backslash is required.
4591 Any space or known delimiter must be escaped using a backslash
4592 ('\'). The pattern applies to a full line at a time. The "reqrep"
4593 keyword strictly matches case while "reqirep" ignores case.
4594
4595 <string> is the complete line to be added. Any space or known delimiter
4596 must be escaped using a backslash ('\'). References to matched
4597 pattern groups are possible using the common \N form, with N
4598 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004599 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004600
Willy Tarreau5321c422010-01-28 20:35:13 +01004601 <cond> is an optional matching condition built from ACLs. It makes it
4602 possible to ignore this rule when other conditions are not met.
4603
Willy Tarreau303c0352008-01-17 19:01:39 +01004604 Any line matching extended regular expression <search> in the request (both
4605 the request line and header lines) will be completely replaced with <string>.
4606 Most common use of this is to rewrite URLs or domain names in "Host" headers.
4607
4608 Header transformations only apply to traffic which passes through HAProxy,
4609 and not to traffic generated by HAProxy, such as health-checks or error
4610 responses. Note that for increased readability, it is suggested to add enough
4611 spaces between the request and the response. Keep in mind that URLs in
4612 request line are case-sensitive while header names are not.
4613
4614 Example :
4615 # replace "/static/" with "/" at the beginning of any request path.
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04004616 reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2
Willy Tarreau303c0352008-01-17 19:01:39 +01004617 # replace "www.mydomain.com" with "www" in the host name.
4618 reqirep ^Host:\ www.mydomain.com Host:\ www
4619
Willy Tarreau5321c422010-01-28 20:35:13 +01004620 See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
4621 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004622
4623
Willy Tarreau5321c422010-01-28 20:35:13 +01004624reqtarpit <search> [{if | unless} <cond>]
4625reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004626 Tarpit an HTTP request containing a line matching a regular expression
4627 May be used in sections : defaults | frontend | listen | backend
4628 no | yes | yes | yes
4629 Arguments :
4630 <search> is the regular expression applied to HTTP headers and to the
4631 request line. This is an extended regular expression. Parenthesis
4632 grouping is supported and no preliminary backslash is required.
4633 Any space or known delimiter must be escaped using a backslash
4634 ('\'). The pattern applies to a full line at a time. The
4635 "reqtarpit" keyword strictly matches case while "reqitarpit"
4636 ignores case.
4637
Willy Tarreau5321c422010-01-28 20:35:13 +01004638 <cond> is an optional matching condition built from ACLs. It makes it
4639 possible to ignore this rule when other conditions are not met.
4640
Willy Tarreau303c0352008-01-17 19:01:39 +01004641 A request containing any line which matches extended regular expression
4642 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01004643 be kept open for a pre-defined time, then will return an HTTP error 500 so
4644 that the attacker does not suspect it has been tarpitted. The status 500 will
4645 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01004646 delay is defined by "timeout tarpit", or "timeout connect" if the former is
4647 not set.
4648
4649 The goal of the tarpit is to slow down robots attacking servers with
4650 identifiable requests. Many robots limit their outgoing number of connections
4651 and stay connected waiting for a reply which can take several minutes to
4652 come. Depending on the environment and attack, it may be particularly
4653 efficient at reducing the load on the network and firewalls.
4654
Willy Tarreau5321c422010-01-28 20:35:13 +01004655 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01004656 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
4657 # block all others.
4658 reqipass ^User-Agent:\.*(Mozilla|MSIE)
4659 reqitarpit ^User-Agent:
4660
Willy Tarreau5321c422010-01-28 20:35:13 +01004661 # block bad guys
4662 acl badguys src 10.1.0.3 172.16.13.20/28
4663 reqitarpit . if badguys
4664
4665 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
4666 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004667
4668
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02004669retries <value>
4670 Set the number of retries to perform on a server after a connection failure
4671 May be used in sections: defaults | frontend | listen | backend
4672 yes | no | yes | yes
4673 Arguments :
4674 <value> is the number of times a connection attempt should be retried on
4675 a server when a connection either is refused or times out. The
4676 default value is 3.
4677
4678 It is important to understand that this value applies to the number of
4679 connection attempts, not full requests. When a connection has effectively
4680 been established to a server, there will be no more retry.
4681
4682 In order to avoid immediate reconnections to a server which is restarting,
4683 a turn-around timer of 1 second is applied before a retry occurs.
4684
4685 When "option redispatch" is set, the last retry may be performed on another
4686 server even if a cookie references a different server.
4687
4688 See also : "option redispatch"
4689
4690
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004691rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004692 Add a header at the end of the HTTP response
4693 May be used in sections : defaults | frontend | listen | backend
4694 no | yes | yes | yes
4695 Arguments :
4696 <string> is the complete line to be added. Any space or known delimiter
4697 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004698 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004699
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004700 <cond> is an optional matching condition built from ACLs. It makes it
4701 possible to ignore this rule when other conditions are not met.
4702
Willy Tarreau303c0352008-01-17 19:01:39 +01004703 A new line consisting in <string> followed by a line feed will be added after
4704 the last header of an HTTP response.
4705
4706 Header transformations only apply to traffic which passes through HAProxy,
4707 and not to traffic generated by HAProxy, such as health-checks or error
4708 responses.
4709
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004710 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
4711 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004712
4713
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004714rspdel <search> [{if | unless} <cond>]
4715rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004716 Delete all headers matching a regular expression in an HTTP response
4717 May be used in sections : defaults | frontend | listen | backend
4718 no | yes | yes | yes
4719 Arguments :
4720 <search> is the regular expression applied to HTTP headers and to the
4721 response line. This is an extended regular expression, so
4722 parenthesis grouping is supported and no preliminary backslash
4723 is required. Any space or known delimiter must be escaped using
4724 a backslash ('\'). The pattern applies to a full line at a time.
4725 The "rspdel" keyword strictly matches case while "rspidel"
4726 ignores case.
4727
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004728 <cond> is an optional matching condition built from ACLs. It makes it
4729 possible to ignore this rule when other conditions are not met.
4730
Willy Tarreau303c0352008-01-17 19:01:39 +01004731 Any header line matching extended regular expression <search> in the response
4732 will be completely deleted. Most common use of this is to remove unwanted
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02004733 and/or sensitive headers or cookies from a response before passing it to the
Willy Tarreau303c0352008-01-17 19:01:39 +01004734 client.
4735
4736 Header transformations only apply to traffic which passes through HAProxy,
4737 and not to traffic generated by HAProxy, such as health-checks or error
4738 responses. Keep in mind that header names are not case-sensitive.
4739
4740 Example :
4741 # remove the Server header from responses
4742 reqidel ^Server:.*
4743
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004744 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
4745 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004746
4747
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004748rspdeny <search> [{if | unless} <cond>]
4749rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004750 Block an HTTP response if a line matches a regular expression
4751 May be used in sections : defaults | frontend | listen | backend
4752 no | yes | yes | yes
4753 Arguments :
4754 <search> is the regular expression applied to HTTP headers and to the
4755 response line. This is an extended regular expression, so
4756 parenthesis grouping is supported and no preliminary backslash
4757 is required. Any space or known delimiter must be escaped using
4758 a backslash ('\'). The pattern applies to a full line at a time.
4759 The "rspdeny" keyword strictly matches case while "rspideny"
4760 ignores case.
4761
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004762 <cond> is an optional matching condition built from ACLs. It makes it
4763 possible to ignore this rule when other conditions are not met.
4764
Willy Tarreau303c0352008-01-17 19:01:39 +01004765 A response containing any line which matches extended regular expression
4766 <search> will mark the request as denied. The test applies both to the
4767 response line and to response headers. Keep in mind that header names are not
4768 case-sensitive.
4769
4770 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01004771 block the response before it reaches the client. If a response is denied, it
4772 will be replaced with an HTTP 502 error so that the client never retrieves
4773 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01004774
4775 It is easier, faster and more powerful to use ACLs to write access policies.
4776 Rspdeny should be avoided in new designs.
4777
4778 Example :
4779 # Ensure that no content type matching ms-word will leak
4780 rspideny ^Content-type:\.*/ms-word
4781
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004782 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
4783 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004784
4785
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004786rsprep <search> <string> [{if | unless} <cond>]
4787rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004788 Replace a regular expression with a string in an HTTP response line
4789 May be used in sections : defaults | frontend | listen | backend
4790 no | yes | yes | yes
4791 Arguments :
4792 <search> is the regular expression applied to HTTP headers and to the
4793 response line. This is an extended regular expression, so
4794 parenthesis grouping is supported and no preliminary backslash
4795 is required. Any space or known delimiter must be escaped using
4796 a backslash ('\'). The pattern applies to a full line at a time.
4797 The "rsprep" keyword strictly matches case while "rspirep"
4798 ignores case.
4799
4800 <string> is the complete line to be added. Any space or known delimiter
4801 must be escaped using a backslash ('\'). References to matched
4802 pattern groups are possible using the common \N form, with N
4803 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004804 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004805
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004806 <cond> is an optional matching condition built from ACLs. It makes it
4807 possible to ignore this rule when other conditions are not met.
4808
Willy Tarreau303c0352008-01-17 19:01:39 +01004809 Any line matching extended regular expression <search> in the response (both
4810 the response line and header lines) will be completely replaced with
4811 <string>. Most common use of this is to rewrite Location headers.
4812
4813 Header transformations only apply to traffic which passes through HAProxy,
4814 and not to traffic generated by HAProxy, such as health-checks or error
4815 responses. Note that for increased readability, it is suggested to add enough
4816 spaces between the request and the response. Keep in mind that header names
4817 are not case-sensitive.
4818
4819 Example :
4820 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
4821 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
4822
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004823 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
4824 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004825
4826
David du Colombier486df472011-03-17 10:40:26 +01004827server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004828 Declare a server in a backend
4829 May be used in sections : defaults | frontend | listen | backend
4830 no | no | yes | yes
4831 Arguments :
4832 <name> is the internal name assigned to this server. This name will
Mark Lamourinec2247f02012-01-04 13:02:01 -05004833 appear in logs and alerts. If "http-send-server-name" is
4834 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004835
David du Colombier486df472011-03-17 10:40:26 +01004836 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
4837 resolvable hostname is supported, but this name will be resolved
4838 during start-up. Address "0.0.0.0" or "*" has a special meaning.
4839 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02004840 address as the one from the client connection. This is useful in
4841 transparent proxy architectures where the client's connection is
4842 intercepted and haproxy must forward to the original destination
4843 address. This is more or less what the "transparent" keyword does
4844 except that with a server it's possible to limit concurrency and
4845 to report statistics.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004846
4847 <ports> is an optional port specification. If set, all connections will
4848 be sent to this port. If unset, the same port the client
4849 connected to will be used. The port may also be prefixed by a "+"
4850 or a "-". In this case, the server's port will be determined by
4851 adding this value to the client's port.
4852
4853 <param*> is a list of parameters for this server. The "server" keywords
4854 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004855 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004856
4857 Examples :
4858 server first 10.1.1.1:1080 cookie first check inter 1000
4859 server second 10.1.1.2:1080 cookie second check inter 1000
4860
Mark Lamourinec2247f02012-01-04 13:02:01 -05004861 See also: "default-server", "http-send-name-header" and section 5 about
4862 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004863
4864
4865source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02004866source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004867source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004868 Set the source address for outgoing connections
4869 May be used in sections : defaults | frontend | listen | backend
4870 yes | no | yes | yes
4871 Arguments :
4872 <addr> is the IPv4 address HAProxy will bind to before connecting to a
4873 server. This address is also used as a source for health checks.
4874 The default value of 0.0.0.0 means that the system will select
4875 the most appropriate address to reach its destination.
4876
4877 <port> is an optional port. It is normally not needed but may be useful
4878 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004879 the system will select a free port. Note that port ranges are not
4880 supported in the backend. If you want to force port ranges, you
4881 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004882
4883 <addr2> is the IP address to present to the server when connections are
4884 forwarded in full transparent proxy mode. This is currently only
4885 supported on some patched Linux kernels. When this address is
4886 specified, clients connecting to the server will be presented
4887 with this address, while health checks will still use the address
4888 <addr>.
4889
4890 <port2> is the optional port to present to the server when connections
4891 are forwarded in full transparent proxy mode (see <addr2> above).
4892 The default value of zero means the system will select a free
4893 port.
4894
Willy Tarreaubce70882009-09-07 11:51:47 +02004895 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
4896 This is the name of a comma-separated header list which can
4897 contain multiple IP addresses. By default, the last occurrence is
4898 used. This is designed to work with the X-Forwarded-For header
4899 and to automatically bind to the the client's IP address as seen
4900 by previous proxy, typically Stunnel. In order to use another
4901 occurrence from the last one, please see the <occ> parameter
4902 below. When the header (or occurrence) is not found, no binding
4903 is performed so that the proxy's default IP address is used. Also
4904 keep in mind that the header name is case insensitive, as for any
4905 HTTP header.
4906
4907 <occ> is the occurrence number of a value to be used in a multi-value
4908 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004909 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +02004910 address. Positive values indicate a position from the first
4911 occurrence, 1 being the first one. Negative values indicate
4912 positions relative to the last one, -1 being the last one. This
4913 is helpful for situations where an X-Forwarded-For header is set
4914 at the entry point of an infrastructure and must be used several
4915 proxy layers away. When this value is not specified, -1 is
4916 assumed. Passing a zero here disables the feature.
4917
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004918 <name> is an optional interface name to which to bind to for outgoing
4919 traffic. On systems supporting this features (currently, only
4920 Linux), this allows one to bind all traffic to the server to
4921 this interface even if it is not the one the system would select
4922 based on routing tables. This should be used with extreme care.
4923 Note that using this option requires root privileges.
4924
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004925 The "source" keyword is useful in complex environments where a specific
4926 address only is allowed to connect to the servers. It may be needed when a
4927 private address must be used through a public gateway for instance, and it is
4928 known that the system cannot determine the adequate source address by itself.
4929
4930 An extension which is available on certain patched Linux kernels may be used
4931 through the "usesrc" optional keyword. It makes it possible to connect to the
4932 servers with an IP address which does not belong to the system itself. This
4933 is called "full transparent proxy mode". For this to work, the destination
4934 servers have to route their traffic back to this address through the machine
4935 running HAProxy, and IP forwarding must generally be enabled on this machine.
4936
4937 In this "full transparent proxy" mode, it is possible to force a specific IP
4938 address to be presented to the servers. This is not much used in fact. A more
4939 common use is to tell HAProxy to present the client's IP address. For this,
4940 there are two methods :
4941
4942 - present the client's IP and port addresses. This is the most transparent
4943 mode, but it can cause problems when IP connection tracking is enabled on
4944 the machine, because a same connection may be seen twice with different
4945 states. However, this solution presents the huge advantage of not
4946 limiting the system to the 64k outgoing address+port couples, because all
4947 of the client ranges may be used.
4948
4949 - present only the client's IP address and select a spare port. This
4950 solution is still quite elegant but slightly less transparent (downstream
4951 firewalls logs will not match upstream's). It also presents the downside
4952 of limiting the number of concurrent connections to the usual 64k ports.
4953 However, since the upstream and downstream ports are different, local IP
4954 connection tracking on the machine will not be upset by the reuse of the
4955 same session.
4956
4957 Note that depending on the transparent proxy technology used, it may be
4958 required to force the source address. In fact, cttproxy version 2 requires an
4959 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
4960 IP address because it creates NAT entries which much match the exact outgoing
4961 address. Tproxy version 4 and some other kernel patches which work in pure
4962 forwarding mode generally will not have this limitation.
4963
4964 This option sets the default source for all servers in the backend. It may
4965 also be specified in a "defaults" section. Finer source address specification
4966 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004967 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004968
4969 Examples :
4970 backend private
4971 # Connect to the servers using our 192.168.1.200 source address
4972 source 192.168.1.200
4973
4974 backend transparent_ssl1
4975 # Connect to the SSL farm from the client's source address
4976 source 192.168.1.200 usesrc clientip
4977
4978 backend transparent_ssl2
4979 # Connect to the SSL farm from the client's source address and port
4980 # not recommended if IP conntrack is present on the local machine.
4981 source 192.168.1.200 usesrc client
4982
4983 backend transparent_ssl3
4984 # Connect to the SSL farm from the client's source address. It
4985 # is more conntrack-friendly.
4986 source 192.168.1.200 usesrc clientip
4987
4988 backend transparent_smtp
4989 # Connect to the SMTP farm from the client's source address/port
4990 # with Tproxy version 4.
4991 source 0.0.0.0 usesrc clientip
4992
Willy Tarreaubce70882009-09-07 11:51:47 +02004993 backend transparent_http
4994 # Connect to the servers using the client's IP as seen by previous
4995 # proxy.
4996 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
4997
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004998 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004999 the Linux kernel on www.balabit.com, the "bind" keyword.
5000
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005001
Willy Tarreau844e3c52008-01-11 16:28:18 +01005002srvtimeout <timeout> (deprecated)
5003 Set the maximum inactivity time on the server side.
5004 May be used in sections : defaults | frontend | listen | backend
5005 yes | no | yes | yes
5006 Arguments :
5007 <timeout> is the timeout value specified in milliseconds by default, but
5008 can be in any other unit if the number is suffixed by the unit,
5009 as explained at the top of this document.
5010
5011 The inactivity timeout applies when the server is expected to acknowledge or
5012 send data. In HTTP mode, this timeout is particularly important to consider
5013 during the first phase of the server's response, when it has to send the
5014 headers, as it directly represents the server's processing time for the
5015 request. To find out what value to put there, it's often good to start with
5016 what would be considered as unacceptable response times, then check the logs
5017 to observe the response time distribution, and adjust the value accordingly.
5018
5019 The value is specified in milliseconds by default, but can be in any other
5020 unit if the number is suffixed by the unit, as specified at the top of this
5021 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
5022 recommended that the client timeout remains equal to the server timeout in
5023 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005024 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01005025 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01005026 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01005027
5028 This parameter is specific to backends, but can be specified once for all in
5029 "defaults" sections. This is in fact one of the easiest solutions not to
5030 forget about it. An unspecified timeout results in an infinite timeout, which
5031 is not recommended. Such a usage is accepted and works but reports a warning
5032 during startup because it may results in accumulation of expired sessions in
5033 the system if the system's timeouts are not configured either.
5034
5035 This parameter is provided for compatibility but is currently deprecated.
5036 Please use "timeout server" instead.
5037
Willy Tarreauce887fd2012-05-12 12:50:00 +02005038 See also : "timeout server", "timeout tunnel", "timeout client" and
5039 "clitimeout".
Willy Tarreau844e3c52008-01-11 16:28:18 +01005040
5041
Cyril Bonté66c327d2010-10-12 00:14:37 +02005042stats admin { if | unless } <cond>
5043 Enable statistics admin level if/unless a condition is matched
5044 May be used in sections : defaults | frontend | listen | backend
5045 no | no | yes | yes
5046
5047 This statement enables the statistics admin level if/unless a condition is
5048 matched.
5049
5050 The admin level allows to enable/disable servers from the web interface. By
5051 default, statistics page is read-only for security reasons.
5052
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005053 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5054 unless you know what you do : memory is not shared between the
5055 processes, which can result in random behaviours.
5056
Cyril Bonté23b39d92011-02-10 22:54:44 +01005057 Currently, the POST request is limited to the buffer size minus the reserved
5058 buffer space, which means that if the list of servers is too long, the
5059 request won't be processed. It is recommended to alter few servers at a
5060 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02005061
5062 Example :
5063 # statistics admin level only for localhost
5064 backend stats_localhost
5065 stats enable
5066 stats admin if LOCALHOST
5067
5068 Example :
5069 # statistics admin level always enabled because of the authentication
5070 backend stats_auth
5071 stats enable
5072 stats auth admin:AdMiN123
5073 stats admin if TRUE
5074
5075 Example :
5076 # statistics admin level depends on the authenticated user
5077 userlist stats-auth
5078 group admin users admin
5079 user admin insecure-password AdMiN123
5080 group readonly users haproxy
5081 user haproxy insecure-password haproxy
5082
5083 backend stats_auth
5084 stats enable
5085 acl AUTH http_auth(stats-auth)
5086 acl AUTH_ADMIN http_auth_group(stats-auth) admin
5087 stats http-request auth unless AUTH
5088 stats admin if AUTH_ADMIN
5089
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005090 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
5091 "bind-process", section 3.4 about userlists and section 7 about
5092 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02005093
5094
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005095stats auth <user>:<passwd>
5096 Enable statistics with authentication and grant access to an account
5097 May be used in sections : defaults | frontend | listen | backend
5098 yes | no | yes | yes
5099 Arguments :
5100 <user> is a user name to grant access to
5101
5102 <passwd> is the cleartext password associated to this user
5103
5104 This statement enables statistics with default settings, and restricts access
5105 to declared users only. It may be repeated as many times as necessary to
5106 allow as many users as desired. When a user tries to access the statistics
5107 without a valid account, a "401 Forbidden" response will be returned so that
5108 the browser asks the user to provide a valid user and password. The real
5109 which will be returned to the browser is configurable using "stats realm".
5110
5111 Since the authentication method is HTTP Basic Authentication, the passwords
5112 circulate in cleartext on the network. Thus, it was decided that the
5113 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02005114 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005115
5116 It is also possible to reduce the scope of the proxies which appear in the
5117 report using "stats scope".
5118
5119 Though this statement alone is enough to enable statistics reporting, it is
5120 recommended to set all other settings in order to avoid relying on default
5121 unobvious parameters.
5122
5123 Example :
5124 # public access (limited to this backend only)
5125 backend public_www
5126 server srv1 192.168.0.1:80
5127 stats enable
5128 stats hide-version
5129 stats scope .
5130 stats uri /admin?stats
5131 stats realm Haproxy\ Statistics
5132 stats auth admin1:AdMiN123
5133 stats auth admin2:AdMiN321
5134
5135 # internal monitoring access (unlimited)
5136 backend private_monitoring
5137 stats enable
5138 stats uri /admin?stats
5139 stats refresh 5s
5140
5141 See also : "stats enable", "stats realm", "stats scope", "stats uri"
5142
5143
5144stats enable
5145 Enable statistics reporting with default settings
5146 May be used in sections : defaults | frontend | listen | backend
5147 yes | no | yes | yes
5148 Arguments : none
5149
5150 This statement enables statistics reporting with default settings defined
5151 at build time. Unless stated otherwise, these settings are used :
5152 - stats uri : /haproxy?stats
5153 - stats realm : "HAProxy Statistics"
5154 - stats auth : no authentication
5155 - stats scope : no restriction
5156
5157 Though this statement alone is enough to enable statistics reporting, it is
5158 recommended to set all other settings in order to avoid relying on default
5159 unobvious parameters.
5160
5161 Example :
5162 # public access (limited to this backend only)
5163 backend public_www
5164 server srv1 192.168.0.1:80
5165 stats enable
5166 stats hide-version
5167 stats scope .
5168 stats uri /admin?stats
5169 stats realm Haproxy\ Statistics
5170 stats auth admin1:AdMiN123
5171 stats auth admin2:AdMiN321
5172
5173 # internal monitoring access (unlimited)
5174 backend private_monitoring
5175 stats enable
5176 stats uri /admin?stats
5177 stats refresh 5s
5178
5179 See also : "stats auth", "stats realm", "stats uri"
5180
5181
Willy Tarreaud63335a2010-02-26 12:56:52 +01005182stats hide-version
5183 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005184 May be used in sections : defaults | frontend | listen | backend
5185 yes | no | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01005186 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005187
Willy Tarreaud63335a2010-02-26 12:56:52 +01005188 By default, the stats page reports some useful status information along with
5189 the statistics. Among them is HAProxy's version. However, it is generally
5190 considered dangerous to report precise version to anyone, as it can help them
5191 target known weaknesses with specific attacks. The "stats hide-version"
5192 statement removes the version from the statistics report. This is recommended
5193 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005194
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02005195 Though this statement alone is enough to enable statistics reporting, it is
5196 recommended to set all other settings in order to avoid relying on default
5197 unobvious parameters.
5198
Willy Tarreaud63335a2010-02-26 12:56:52 +01005199 Example :
5200 # public access (limited to this backend only)
5201 backend public_www
5202 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02005203 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01005204 stats hide-version
5205 stats scope .
5206 stats uri /admin?stats
5207 stats realm Haproxy\ Statistics
5208 stats auth admin1:AdMiN123
5209 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005210
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005211 # internal monitoring access (unlimited)
5212 backend private_monitoring
5213 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01005214 stats uri /admin?stats
5215 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01005216
Willy Tarreaud63335a2010-02-26 12:56:52 +01005217 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005218
Willy Tarreau983e01e2010-01-11 18:42:06 +01005219
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02005220stats http-request { allow | deny | auth [realm <realm>] }
5221 [ { if | unless } <condition> ]
5222 Access control for statistics
5223
5224 May be used in sections: defaults | frontend | listen | backend
5225 no | no | yes | yes
5226
5227 As "http-request", these set of options allow to fine control access to
5228 statistics. Each option may be followed by if/unless and acl.
5229 First option with matched condition (or option without condition) is final.
5230 For "deny" a 403 error will be returned, for "allow" normal processing is
5231 performed, for "auth" a 401/407 error code is returned so the client
5232 should be asked to enter a username and password.
5233
5234 There is no fixed limit to the number of http-request statements per
5235 instance.
5236
5237 See also : "http-request", section 3.4 about userlists and section 7
5238 about ACL usage.
5239
5240
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005241stats realm <realm>
5242 Enable statistics and set authentication realm
5243 May be used in sections : defaults | frontend | listen | backend
5244 yes | no | yes | yes
5245 Arguments :
5246 <realm> is the name of the HTTP Basic Authentication realm reported to
5247 the browser. The browser uses it to display it in the pop-up
5248 inviting the user to enter a valid username and password.
5249
5250 The realm is read as a single word, so any spaces in it should be escaped
5251 using a backslash ('\').
5252
5253 This statement is useful only in conjunction with "stats auth" since it is
5254 only related to authentication.
5255
5256 Though this statement alone is enough to enable statistics reporting, it is
5257 recommended to set all other settings in order to avoid relying on default
5258 unobvious parameters.
5259
5260 Example :
5261 # public access (limited to this backend only)
5262 backend public_www
5263 server srv1 192.168.0.1:80
5264 stats enable
5265 stats hide-version
5266 stats scope .
5267 stats uri /admin?stats
5268 stats realm Haproxy\ Statistics
5269 stats auth admin1:AdMiN123
5270 stats auth admin2:AdMiN321
5271
5272 # internal monitoring access (unlimited)
5273 backend private_monitoring
5274 stats enable
5275 stats uri /admin?stats
5276 stats refresh 5s
5277
5278 See also : "stats auth", "stats enable", "stats uri"
5279
5280
5281stats refresh <delay>
5282 Enable statistics with automatic refresh
5283 May be used in sections : defaults | frontend | listen | backend
5284 yes | no | yes | yes
5285 Arguments :
5286 <delay> is the suggested refresh delay, specified in seconds, which will
5287 be returned to the browser consulting the report page. While the
5288 browser is free to apply any delay, it will generally respect it
5289 and refresh the page this every seconds. The refresh interval may
5290 be specified in any other non-default time unit, by suffixing the
5291 unit after the value, as explained at the top of this document.
5292
5293 This statement is useful on monitoring displays with a permanent page
5294 reporting the load balancer's activity. When set, the HTML report page will
5295 include a link "refresh"/"stop refresh" so that the user can select whether
5296 he wants automatic refresh of the page or not.
5297
5298 Though this statement alone is enough to enable statistics reporting, it is
5299 recommended to set all other settings in order to avoid relying on default
5300 unobvious parameters.
5301
5302 Example :
5303 # public access (limited to this backend only)
5304 backend public_www
5305 server srv1 192.168.0.1:80
5306 stats enable
5307 stats hide-version
5308 stats scope .
5309 stats uri /admin?stats
5310 stats realm Haproxy\ Statistics
5311 stats auth admin1:AdMiN123
5312 stats auth admin2:AdMiN321
5313
5314 # internal monitoring access (unlimited)
5315 backend private_monitoring
5316 stats enable
5317 stats uri /admin?stats
5318 stats refresh 5s
5319
5320 See also : "stats auth", "stats enable", "stats realm", "stats uri"
5321
5322
5323stats scope { <name> | "." }
5324 Enable statistics and limit access scope
5325 May be used in sections : defaults | frontend | listen | backend
5326 yes | no | yes | yes
5327 Arguments :
5328 <name> is the name of a listen, frontend or backend section to be
5329 reported. The special name "." (a single dot) designates the
5330 section in which the statement appears.
5331
5332 When this statement is specified, only the sections enumerated with this
5333 statement will appear in the report. All other ones will be hidden. This
5334 statement may appear as many times as needed if multiple sections need to be
5335 reported. Please note that the name checking is performed as simple string
5336 comparisons, and that it is never checked that a give section name really
5337 exists.
5338
5339 Though this statement alone is enough to enable statistics reporting, it is
5340 recommended to set all other settings in order to avoid relying on default
5341 unobvious parameters.
5342
5343 Example :
5344 # public access (limited to this backend only)
5345 backend public_www
5346 server srv1 192.168.0.1:80
5347 stats enable
5348 stats hide-version
5349 stats scope .
5350 stats uri /admin?stats
5351 stats realm Haproxy\ Statistics
5352 stats auth admin1:AdMiN123
5353 stats auth admin2:AdMiN321
5354
5355 # internal monitoring access (unlimited)
5356 backend private_monitoring
5357 stats enable
5358 stats uri /admin?stats
5359 stats refresh 5s
5360
5361 See also : "stats auth", "stats enable", "stats realm", "stats uri"
5362
Willy Tarreaud63335a2010-02-26 12:56:52 +01005363
Willy Tarreauc9705a12010-07-27 20:05:50 +02005364stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01005365 Enable reporting of a description on the statistics page.
5366 May be used in sections : defaults | frontend | listen | backend
5367 yes | no | yes | yes
5368
Willy Tarreauc9705a12010-07-27 20:05:50 +02005369 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01005370 description from global section is automatically used instead.
5371
5372 This statement is useful for users that offer shared services to their
5373 customers, where node or description should be different for each customer.
5374
5375 Though this statement alone is enough to enable statistics reporting, it is
5376 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005377 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +01005378
5379 Example :
5380 # internal monitoring access (unlimited)
5381 backend private_monitoring
5382 stats enable
5383 stats show-desc Master node for Europe, Asia, Africa
5384 stats uri /admin?stats
5385 stats refresh 5s
5386
5387 See also: "show-node", "stats enable", "stats uri" and "description" in
5388 global section.
5389
5390
5391stats show-legends
5392 Enable reporting additional informations on the statistics page :
5393 - cap: capabilities (proxy)
5394 - mode: one of tcp, http or health (proxy)
5395 - id: SNMP ID (proxy, socket, server)
5396 - IP (socket, server)
5397 - cookie (backend, server)
5398
5399 Though this statement alone is enough to enable statistics reporting, it is
5400 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005401 unobvious parameters. Default behaviour is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +01005402
5403 See also: "stats enable", "stats uri".
5404
5405
5406stats show-node [ <name> ]
5407 Enable reporting of a host name on the statistics page.
5408 May be used in sections : defaults | frontend | listen | backend
5409 yes | no | yes | yes
5410 Arguments:
5411 <name> is an optional name to be reported. If unspecified, the
5412 node name from global section is automatically used instead.
5413
5414 This statement is useful for users that offer shared services to their
5415 customers, where node or description might be different on a stats page
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005416 provided for each customer. Default behaviour is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +01005417
5418 Though this statement alone is enough to enable statistics reporting, it is
5419 recommended to set all other settings in order to avoid relying on default
5420 unobvious parameters.
5421
5422 Example:
5423 # internal monitoring access (unlimited)
5424 backend private_monitoring
5425 stats enable
5426 stats show-node Europe-1
5427 stats uri /admin?stats
5428 stats refresh 5s
5429
5430 See also: "show-desc", "stats enable", "stats uri", and "node" in global
5431 section.
5432
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005433
5434stats uri <prefix>
5435 Enable statistics and define the URI prefix to access them
5436 May be used in sections : defaults | frontend | listen | backend
5437 yes | no | yes | yes
5438 Arguments :
5439 <prefix> is the prefix of any URI which will be redirected to stats. This
5440 prefix may contain a question mark ('?') to indicate part of a
5441 query string.
5442
5443 The statistics URI is intercepted on the relayed traffic, so it appears as a
5444 page within the normal application. It is strongly advised to ensure that the
5445 selected URI will never appear in the application, otherwise it will never be
5446 possible to reach it in the application.
5447
5448 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005449 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005450 It is generally a good idea to include a question mark in the URI so that
5451 intermediate proxies refrain from caching the results. Also, since any string
5452 beginning with the prefix will be accepted as a stats request, the question
5453 mark helps ensuring that no valid URI will begin with the same words.
5454
5455 It is sometimes very convenient to use "/" as the URI prefix, and put that
5456 statement in a "listen" instance of its own. That makes it easy to dedicate
5457 an address or a port to statistics only.
5458
5459 Though this statement alone is enough to enable statistics reporting, it is
5460 recommended to set all other settings in order to avoid relying on default
5461 unobvious parameters.
5462
5463 Example :
5464 # public access (limited to this backend only)
5465 backend public_www
5466 server srv1 192.168.0.1:80
5467 stats enable
5468 stats hide-version
5469 stats scope .
5470 stats uri /admin?stats
5471 stats realm Haproxy\ Statistics
5472 stats auth admin1:AdMiN123
5473 stats auth admin2:AdMiN321
5474
5475 # internal monitoring access (unlimited)
5476 backend private_monitoring
5477 stats enable
5478 stats uri /admin?stats
5479 stats refresh 5s
5480
5481 See also : "stats auth", "stats enable", "stats realm"
5482
5483
Willy Tarreaud63335a2010-02-26 12:56:52 +01005484stick match <pattern> [table <table>] [{if | unless} <cond>]
5485 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005486 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01005487 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005488
5489 Arguments :
5490 <pattern> is a pattern extraction rule as described in section 7.8. It
5491 describes what elements of the incoming request or connection
5492 will be analysed in the hope to find a matching entry in a
5493 stickiness table. This rule is mandatory.
5494
5495 <table> is an optional stickiness table name. If unspecified, the same
5496 backend's table is used. A stickiness table is declared using
5497 the "stick-table" statement.
5498
5499 <cond> is an optional matching condition. It makes it possible to match
5500 on a certain criterion only when other conditions are met (or
5501 not met). For instance, it could be used to match on a source IP
5502 address except when a request passes through a known proxy, in
5503 which case we'd match on a header containing that IP address.
5504
5505 Some protocols or applications require complex stickiness rules and cannot
5506 always simply rely on cookies nor hashing. The "stick match" statement
5507 describes a rule to extract the stickiness criterion from an incoming request
5508 or connection. See section 7 for a complete list of possible patterns and
5509 transformation rules.
5510
5511 The table has to be declared using the "stick-table" statement. It must be of
5512 a type compatible with the pattern. By default it is the one which is present
5513 in the same backend. It is possible to share a table with other backends by
5514 referencing it using the "table" keyword. If another table is referenced,
5515 the server's ID inside the backends are used. By default, all server IDs
5516 start at 1 in each backend, so the server ordering is enough. But in case of
5517 doubt, it is highly recommended to force server IDs using their "id" setting.
5518
5519 It is possible to restrict the conditions where a "stick match" statement
5520 will apply, using "if" or "unless" followed by a condition. See section 7 for
5521 ACL based conditions.
5522
5523 There is no limit on the number of "stick match" statements. The first that
5524 applies and matches will cause the request to be directed to the same server
5525 as was used for the request which created the entry. That way, multiple
5526 matches can be used as fallbacks.
5527
5528 The stick rules are checked after the persistence cookies, so they will not
5529 affect stickiness if a cookie has already been used to select a server. That
5530 way, it becomes very easy to insert cookies and match on IP addresses in
5531 order to maintain stickiness between HTTP and HTTPS.
5532
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005533 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5534 unless you know what you do : memory is not shared between the
5535 processes, which can result in random behaviours.
5536
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005537 Example :
5538 # forward SMTP users to the same server they just used for POP in the
5539 # last 30 minutes
5540 backend pop
5541 mode tcp
5542 balance roundrobin
5543 stick store-request src
5544 stick-table type ip size 200k expire 30m
5545 server s1 192.168.1.1:110
5546 server s2 192.168.1.1:110
5547
5548 backend smtp
5549 mode tcp
5550 balance roundrobin
5551 stick match src table pop
5552 server s1 192.168.1.1:25
5553 server s2 192.168.1.1:25
5554
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005555 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
5556 about ACLs and pattern extraction.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005557
5558
5559stick on <pattern> [table <table>] [{if | unless} <condition>]
5560 Define a request pattern to associate a user to a server
5561 May be used in sections : defaults | frontend | listen | backend
5562 no | no | yes | yes
5563
5564 Note : This form is exactly equivalent to "stick match" followed by
5565 "stick store-request", all with the same arguments. Please refer
5566 to both keywords for details. It is only provided as a convenience
5567 for writing more maintainable configurations.
5568
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005569 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5570 unless you know what you do : memory is not shared between the
5571 processes, which can result in random behaviours.
5572
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005573 Examples :
5574 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01005575 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005576
5577 # ...is strictly equivalent to this one :
5578 stick match src table pop if !localhost
5579 stick store-request src table pop if !localhost
5580
5581
5582 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
5583 # well as HTTP without cookie. Share the same table between both accesses.
5584 backend http
5585 mode http
5586 balance roundrobin
5587 stick on src table https
5588 cookie SRV insert indirect nocache
5589 server s1 192.168.1.1:80 cookie s1
5590 server s2 192.168.1.1:80 cookie s2
5591
5592 backend https
5593 mode tcp
5594 balance roundrobin
5595 stick-table type ip size 200k expire 30m
5596 stick on src
5597 server s1 192.168.1.1:443
5598 server s2 192.168.1.1:443
5599
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005600 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005601
5602
5603stick store-request <pattern> [table <table>] [{if | unless} <condition>]
5604 Define a request pattern used to create an entry in a stickiness table
5605 May be used in sections : defaults | frontend | listen | backend
5606 no | no | yes | yes
5607
5608 Arguments :
5609 <pattern> is a pattern extraction rule as described in section 7.8. It
5610 describes what elements of the incoming request or connection
5611 will be analysed, extracted and stored in the table once a
5612 server is selected.
5613
5614 <table> is an optional stickiness table name. If unspecified, the same
5615 backend's table is used. A stickiness table is declared using
5616 the "stick-table" statement.
5617
5618 <cond> is an optional storage condition. It makes it possible to store
5619 certain criteria only when some conditions are met (or not met).
5620 For instance, it could be used to store the source IP address
5621 except when the request passes through a known proxy, in which
5622 case we'd store a converted form of a header containing that IP
5623 address.
5624
5625 Some protocols or applications require complex stickiness rules and cannot
5626 always simply rely on cookies nor hashing. The "stick store-request" statement
5627 describes a rule to decide what to extract from the request and when to do
5628 it, in order to store it into a stickiness table for further requests to
5629 match it using the "stick match" statement. Obviously the extracted part must
5630 make sense and have a chance to be matched in a further request. Storing a
5631 client's IP address for instance often makes sense. Storing an ID found in a
5632 URL parameter also makes sense. Storing a source port will almost never make
5633 any sense because it will be randomly matched. See section 7 for a complete
5634 list of possible patterns and transformation rules.
5635
5636 The table has to be declared using the "stick-table" statement. It must be of
5637 a type compatible with the pattern. By default it is the one which is present
5638 in the same backend. It is possible to share a table with other backends by
5639 referencing it using the "table" keyword. If another table is referenced,
5640 the server's ID inside the backends are used. By default, all server IDs
5641 start at 1 in each backend, so the server ordering is enough. But in case of
5642 doubt, it is highly recommended to force server IDs using their "id" setting.
5643
5644 It is possible to restrict the conditions where a "stick store-request"
5645 statement will apply, using "if" or "unless" followed by a condition. This
5646 condition will be evaluated while parsing the request, so any criteria can be
5647 used. See section 7 for ACL based conditions.
5648
5649 There is no limit on the number of "stick store-request" statements, but
5650 there is a limit of 8 simultaneous stores per request or response. This
5651 makes it possible to store up to 8 criteria, all extracted from either the
5652 request or the response, regardless of the number of rules. Only the 8 first
5653 ones which match will be kept. Using this, it is possible to feed multiple
5654 tables at once in the hope to increase the chance to recognize a user on
5655 another protocol or access method.
5656
5657 The "store-request" rules are evaluated once the server connection has been
5658 established, so that the table will contain the real server that processed
5659 the request.
5660
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005661 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5662 unless you know what you do : memory is not shared between the
5663 processes, which can result in random behaviours.
5664
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005665 Example :
5666 # forward SMTP users to the same server they just used for POP in the
5667 # last 30 minutes
5668 backend pop
5669 mode tcp
5670 balance roundrobin
5671 stick store-request src
5672 stick-table type ip size 200k expire 30m
5673 server s1 192.168.1.1:110
5674 server s2 192.168.1.1:110
5675
5676 backend smtp
5677 mode tcp
5678 balance roundrobin
5679 stick match src table pop
5680 server s1 192.168.1.1:25
5681 server s2 192.168.1.1:25
5682
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005683 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
5684 about ACLs and pattern extraction.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005685
5686
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005687stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +02005688 size <size> [expire <expire>] [nopurge] [peers <peersect>]
5689 [store <data_type>]*
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005690 Configure the stickiness table for the current backend
5691 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005692 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005693
5694 Arguments :
5695 ip a table declared with "type ip" will only store IPv4 addresses.
5696 This form is very compact (about 50 bytes per entry) and allows
5697 very fast entry lookup and stores with almost no overhead. This
5698 is mainly used to store client source IP addresses.
5699
David du Colombier9a6d3c92011-03-17 10:40:24 +01005700 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
5701 This form is very compact (about 60 bytes per entry) and allows
5702 very fast entry lookup and stores with almost no overhead. This
5703 is mainly used to store client source IP addresses.
5704
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005705 integer a table declared with "type integer" will store 32bit integers
5706 which can represent a client identifier found in a request for
5707 instance.
5708
5709 string a table declared with "type string" will store substrings of up
5710 to <len> characters. If the string provided by the pattern
5711 extractor is larger than <len>, it will be truncated before
5712 being stored. During matching, at most <len> characters will be
5713 compared between the string in the table and the extracted
5714 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005715 to 32 characters.
5716
5717 binary a table declared with "type binary" will store binary blocks
5718 of <len> bytes. If the block provided by the pattern
5719 extractor is larger than <len>, it will be truncated before
5720 being stored. If the block provided by the pattern extractor
5721 is shorter than <len>, it will be padded by 0. When not
5722 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005723
5724 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005725 "string" type table (See type "string" above). Or the number
5726 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005727 changing this parameter as memory usage will proportionally
5728 increase.
5729
5730 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01005731 value directly impacts memory usage. Count approximately
5732 50 bytes per entry, plus the size of a string if any. The size
5733 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005734
5735 [nopurge] indicates that we refuse to purge older entries when the table
5736 is full. When not specified and the table is full when haproxy
5737 wants to store an entry in it, it will flush a few of the oldest
5738 entries in order to release some space for the new ones. This is
5739 most often the desired behaviour. In some specific cases, it
5740 be desirable to refuse new entries instead of purging the older
5741 ones. That may be the case when the amount of data to store is
5742 far above the hardware limits and we prefer not to offer access
5743 to new clients than to reject the ones already connected. When
5744 using this parameter, be sure to properly set the "expire"
5745 parameter (see below).
5746
Emeric Brunf099e792010-09-27 12:05:28 +02005747 <peersect> is the name of the peers section to use for replication. Entries
5748 which associate keys to server IDs are kept synchronized with
5749 the remote peers declared in this section. All entries are also
5750 automatically learned from the local peer (old process) during a
5751 soft restart.
5752
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005753 NOTE : peers can't be used in multi-process mode.
5754
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005755 <expire> defines the maximum duration of an entry in the table since it
5756 was last created, refreshed or matched. The expiration delay is
5757 defined using the standard time format, similarly as the various
5758 timeouts. The maximum duration is slightly above 24 days. See
5759 section 2.2 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +02005760 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005761 be removed once full. Be sure not to use the "nopurge" parameter
5762 if not expiration delay is specified.
5763
Willy Tarreau08d5f982010-06-06 13:34:54 +02005764 <data_type> is used to store additional information in the stick-table. This
5765 may be used by ACLs in order to control various criteria related
5766 to the activity of the client matching the stick-table. For each
5767 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02005768 that the additional data can fit. Several data types may be
5769 stored with an entry. Multiple data types may be specified after
5770 the "store" keyword, as a comma-separated list. Alternatively,
5771 it is possible to repeat the "store" keyword followed by one or
5772 several data types. Except for the "server_id" type which is
5773 automatically detected and enabled, all data types must be
5774 explicitly declared to be stored. If an ACL references a data
5775 type which is not stored, the ACL will simply not match. Some
5776 data types require an argument which must be passed just after
5777 the type between parenthesis. See below for the supported data
5778 types and their arguments.
5779
5780 The data types that can be stored with an entry are the following :
5781 - server_id : this is an integer which holds the numeric ID of the server a
5782 request was assigned to. It is used by the "stick match", "stick store",
5783 and "stick on" rules. It is automatically enabled when referenced.
5784
5785 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
5786 integer which may be used for anything. Most of the time it will be used
5787 to put a special tag on some entries, for instance to note that a
5788 specific behaviour was detected and must be known for future matches.
5789
5790 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
5791 the absolute number of connections received from clients which matched
5792 this entry. It does not mean the connections were accepted, just that
5793 they were received.
5794
5795 - conn_cur : Current Connections. It is a positive 32-bit integer which
5796 stores the concurrent connection counts for the entry. It is incremented
5797 once an incoming connection matches the entry, and decremented once the
5798 connection leaves. That way it is possible to know at any time the exact
5799 number of concurrent connections for an entry.
5800
5801 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5802 integer parameter <period> which indicates in milliseconds the length
5803 of the period over which the average is measured. It reports the average
5804 incoming connection rate over that period, in connections per period. The
5805 result is an integer which can be matched using ACLs.
5806
5807 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
5808 the absolute number of sessions received from clients which matched this
5809 entry. A session is a connection that was accepted by the layer 4 rules.
5810
5811 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5812 integer parameter <period> which indicates in milliseconds the length
5813 of the period over which the average is measured. It reports the average
5814 incoming session rate over that period, in sessions per period. The
5815 result is an integer which can be matched using ACLs.
5816
5817 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
5818 counts the absolute number of HTTP requests received from clients which
5819 matched this entry. It does not matter whether they are valid requests or
5820 not. Note that this is different from sessions when keep-alive is used on
5821 the client side.
5822
5823 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5824 integer parameter <period> which indicates in milliseconds the length
5825 of the period over which the average is measured. It reports the average
5826 HTTP request rate over that period, in requests per period. The result is
5827 an integer which can be matched using ACLs. It does not matter whether
5828 they are valid requests or not. Note that this is different from sessions
5829 when keep-alive is used on the client side.
5830
5831 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
5832 counts the absolute number of HTTP requests errors induced by clients
5833 which matched this entry. Errors are counted on invalid and truncated
5834 requests, as well as on denied or tarpitted requests, and on failed
5835 authentications. If the server responds with 4xx, then the request is
5836 also counted as an error since it's an error triggered by the client
5837 (eg: vulnerability scan).
5838
5839 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5840 integer parameter <period> which indicates in milliseconds the length
5841 of the period over which the average is measured. It reports the average
5842 HTTP request error rate over that period, in requests per period (see
5843 http_err_cnt above for what is accounted as an error). The result is an
5844 integer which can be matched using ACLs.
5845
5846 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
5847 integer which counts the cumulated amount of bytes received from clients
5848 which matched this entry. Headers are included in the count. This may be
5849 used to limit abuse of upload features on photo or video servers.
5850
5851 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5852 integer parameter <period> which indicates in milliseconds the length
5853 of the period over which the average is measured. It reports the average
5854 incoming bytes rate over that period, in bytes per period. It may be used
5855 to detect users which upload too much and too fast. Warning: with large
5856 uploads, it is possible that the amount of uploaded data will be counted
5857 once upon termination, thus causing spikes in the average transfer speed
5858 instead of having a smooth one. This may partially be smoothed with
5859 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
5860 recommended for better fairness.
5861
5862 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
5863 integer which counts the cumulated amount of bytes sent to clients which
5864 matched this entry. Headers are included in the count. This may be used
5865 to limit abuse of bots sucking the whole site.
5866
5867 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
5868 an integer parameter <period> which indicates in milliseconds the length
5869 of the period over which the average is measured. It reports the average
5870 outgoing bytes rate over that period, in bytes per period. It may be used
5871 to detect users which download too much and too fast. Warning: with large
5872 transfers, it is possible that the amount of transferred data will be
5873 counted once upon termination, thus causing spikes in the average
5874 transfer speed instead of having a smooth one. This may partially be
5875 smoothed with "option contstats" though this is not perfect yet. Use of
5876 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02005877
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005878 There is only one stick-table per proxy. At the moment of writing this doc,
5879 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005880 to be required, simply create a dummy backend with a stick-table in it and
5881 reference it.
5882
5883 It is important to understand that stickiness based on learning information
5884 has some limitations, including the fact that all learned associations are
5885 lost upon restart. In general it can be good as a complement but not always
5886 as an exclusive stickiness.
5887
Willy Tarreauc9705a12010-07-27 20:05:50 +02005888 Last, memory requirements may be important when storing many data types.
5889 Indeed, storing all indicators above at once in each entry requires 116 bytes
5890 per entry, or 116 MB for a 1-million entries table. This is definitely not
5891 something that can be ignored.
5892
5893 Example:
5894 # Keep track of counters of up to 1 million IP addresses over 5 minutes
5895 # and store a general purpose counter and the average connection rate
5896 # computed over a sliding window of 30 seconds.
5897 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
5898
5899 See also : "stick match", "stick on", "stick store-request", section 2.2
David du Colombiera13d1b92011-03-17 10:40:22 +01005900 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005901
5902
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005903stick store-response <pattern> [table <table>] [{if | unless} <condition>]
5904 Define a request pattern used to create an entry in a stickiness table
5905 May be used in sections : defaults | frontend | listen | backend
5906 no | no | yes | yes
5907
5908 Arguments :
5909 <pattern> is a pattern extraction rule as described in section 7.8. It
5910 describes what elements of the response or connection will
5911 be analysed, extracted and stored in the table once a
5912 server is selected.
5913
5914 <table> is an optional stickiness table name. If unspecified, the same
5915 backend's table is used. A stickiness table is declared using
5916 the "stick-table" statement.
5917
5918 <cond> is an optional storage condition. It makes it possible to store
5919 certain criteria only when some conditions are met (or not met).
5920 For instance, it could be used to store the SSL session ID only
5921 when the response is a SSL server hello.
5922
5923 Some protocols or applications require complex stickiness rules and cannot
5924 always simply rely on cookies nor hashing. The "stick store-response"
5925 statement describes a rule to decide what to extract from the response and
5926 when to do it, in order to store it into a stickiness table for further
5927 requests to match it using the "stick match" statement. Obviously the
5928 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005929 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005930 See section 7 for a complete list of possible patterns and transformation
5931 rules.
5932
5933 The table has to be declared using the "stick-table" statement. It must be of
5934 a type compatible with the pattern. By default it is the one which is present
5935 in the same backend. It is possible to share a table with other backends by
5936 referencing it using the "table" keyword. If another table is referenced,
5937 the server's ID inside the backends are used. By default, all server IDs
5938 start at 1 in each backend, so the server ordering is enough. But in case of
5939 doubt, it is highly recommended to force server IDs using their "id" setting.
5940
5941 It is possible to restrict the conditions where a "stick store-response"
5942 statement will apply, using "if" or "unless" followed by a condition. This
5943 condition will be evaluated while parsing the response, so any criteria can
5944 be used. See section 7 for ACL based conditions.
5945
5946 There is no limit on the number of "stick store-response" statements, but
5947 there is a limit of 8 simultaneous stores per request or response. This
5948 makes it possible to store up to 8 criteria, all extracted from either the
5949 request or the response, regardless of the number of rules. Only the 8 first
5950 ones which match will be kept. Using this, it is possible to feed multiple
5951 tables at once in the hope to increase the chance to recognize a user on
5952 another protocol or access method.
5953
5954 The table will contain the real server that processed the request.
5955
5956 Example :
5957 # Learn SSL session ID from both request and response and create affinity.
5958 backend https
5959 mode tcp
5960 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +02005961 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005962 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005963
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005964 acl clienthello req_ssl_hello_type 1
5965 acl serverhello rep_ssl_hello_type 2
5966
5967 # use tcp content accepts to detects ssl client and server hello.
5968 tcp-request inspect-delay 5s
5969 tcp-request content accept if clienthello
5970
5971 # no timeout on response inspect delay by default.
5972 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005973
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005974 # SSL session ID (SSLID) may be present on a client or server hello.
5975 # Its length is coded on 1 byte at offset 43 and its value starts
5976 # at offset 44.
5977
5978 # Match and learn on request if client hello.
5979 stick on payload_lv(43,1) if clienthello
5980
5981 # Learn on response if server hello.
5982 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +02005983
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005984 server s1 192.168.1.1:443
5985 server s2 192.168.1.1:443
5986
5987 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
5988 extraction.
5989
5990
Willy Tarreaue9656522010-08-17 15:40:09 +02005991tcp-request connection <action> [{if | unless} <condition>]
5992 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02005993 May be used in sections : defaults | frontend | listen | backend
5994 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02005995 Arguments :
5996 <action> defines the action to perform if the condition applies. Valid
5997 actions include : "accept", "reject", "track-sc1", "track-sc2".
5998 See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02005999
Willy Tarreaue9656522010-08-17 15:40:09 +02006000 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006001
6002 Immediately after acceptance of a new incoming connection, it is possible to
6003 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02006004 or dropped or have its counters tracked. Those conditions cannot make use of
6005 any data contents because the connection has not been read from yet, and the
6006 buffers are not yet allocated. This is used to selectively and very quickly
6007 accept or drop connections from various sources with a very low overhead. If
6008 some contents need to be inspected in order to take the decision, the
6009 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006010
Willy Tarreaue9656522010-08-17 15:40:09 +02006011 The "tcp-request connection" rules are evaluated in their exact declaration
6012 order. If no rule matches or if there is no rule, the default action is to
6013 accept the incoming connection. There is no specific limit to the number of
6014 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006015
Willy Tarreaue9656522010-08-17 15:40:09 +02006016 Three types of actions are supported :
6017 - accept :
6018 accepts the connection if the condition is true (when used with "if")
6019 or false (when used with "unless"). The first such rule executed ends
6020 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006021
Willy Tarreaue9656522010-08-17 15:40:09 +02006022 - reject :
6023 rejects the connection if the condition is true (when used with "if")
6024 or false (when used with "unless"). The first such rule executed ends
6025 the rules evaluation. Rejected connections do not even become a
6026 session, which is why they are accounted separately for in the stats,
6027 as "denied connections". They are not considered for the session
6028 rate-limit and are not logged either. The reason is that these rules
6029 should only be used to filter extremely high connection rates such as
6030 the ones encountered during a massive DDoS attack. Under these extreme
6031 conditions, the simple action of logging each event would make the
6032 system collapse and would considerably lower the filtering capacity. If
6033 logging is absolutely desired, then "tcp-request content" rules should
6034 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006035
Willy Tarreaue9656522010-08-17 15:40:09 +02006036 - { track-sc1 | track-sc2 } <key> [table <table>] :
6037 enables tracking of sticky counters from current connection. These
6038 rules do not stop evaluation and do not change default action. Two sets
6039 of counters may be simultaneously tracked by the same connection. The
6040 first "track-sc1" rule executed enables tracking of the counters of the
6041 specified table as the first set. The first "track-sc2" rule executed
6042 enables tracking of the counters of the specified table as the second
6043 set. It is a recommended practice to use the first set of counters for
6044 the per-frontend counters and the second set for the per-backend ones.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006045
Willy Tarreaue9656522010-08-17 15:40:09 +02006046 These actions take one or two arguments :
6047 <key> is mandatory, and defines the criterion the tracking key will
6048 be derived from. At the moment, only "src" is supported. With
6049 it, the key will be the connection's source IPv4 address.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006050
Willy Tarreaue9656522010-08-17 15:40:09 +02006051 <table> is an optional table to be used instead of the default one,
6052 which is the stick-table declared in the current proxy. All
6053 the counters for the matches and updates for the key will
6054 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006055
Willy Tarreaue9656522010-08-17 15:40:09 +02006056 Once a "track-sc*" rule is executed, the key is looked up in the table
6057 and if it is not found, an entry is allocated for it. Then a pointer to
6058 that entry is kept during all the session's life, and this entry's
6059 counters are updated as often as possible, every time the session's
6060 counters are updated, and also systematically when the session ends.
6061 If the entry tracks concurrent connection counters, one connection is
6062 counted for as long as the entry is tracked, and the entry will not
6063 expire during that time. Tracking counters also provides a performance
6064 advantage over just checking the keys, because only one table lookup is
6065 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006066
Willy Tarreaue9656522010-08-17 15:40:09 +02006067 Note that the "if/unless" condition is optional. If no condition is set on
6068 the action, it is simply performed unconditionally. That can be useful for
6069 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006070
Willy Tarreaue9656522010-08-17 15:40:09 +02006071 Example: accept all connections from white-listed hosts, reject too fast
6072 connection without counting them, and track accepted connections.
6073 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006074
Willy Tarreaue9656522010-08-17 15:40:09 +02006075 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006076 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaue9656522010-08-17 15:40:09 +02006077 tcp-request connection track-sc1 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006078
Willy Tarreaue9656522010-08-17 15:40:09 +02006079 Example: accept all connections from white-listed hosts, count all other
6080 connections and reject too fast ones. This results in abusive ones
6081 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006082
Willy Tarreaue9656522010-08-17 15:40:09 +02006083 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
6084 tcp-request connection track-sc1 src
6085 tcp-request connection reject if { sc1_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006086
6087 See section 7 about ACL usage.
6088
Willy Tarreaue9656522010-08-17 15:40:09 +02006089 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006090
6091
Willy Tarreaue9656522010-08-17 15:40:09 +02006092tcp-request content <action> [{if | unless} <condition>]
6093 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02006094 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02006095 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02006096 Arguments :
6097 <action> defines the action to perform if the condition applies. Valid
6098 actions include : "accept", "reject", "track-sc1", "track-sc2".
6099 See "tcp-request connection" above for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02006100
Willy Tarreaue9656522010-08-17 15:40:09 +02006101 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02006102
Willy Tarreaue9656522010-08-17 15:40:09 +02006103 A request's contents can be analysed at an early stage of request processing
6104 called "TCP content inspection". During this stage, ACL-based rules are
6105 evaluated every time the request contents are updated, until either an
6106 "accept" or a "reject" rule matches, or the TCP request inspection delay
6107 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02006108
Willy Tarreaue9656522010-08-17 15:40:09 +02006109 The first difference between these rules and "tcp-request connection" rules
6110 is that "tcp-request content" rules can make use of contents to take a
6111 decision. Most often, these decisions will consider a protocol recognition or
6112 validity. The second difference is that content-based rules can be used in
6113 both frontends and backends. In frontends, they will be evaluated upon new
6114 connections. In backends, they will be evaluated once a session is assigned
6115 a backend. This means that a single frontend connection may be evaluated
6116 several times by one or multiple backends when a session gets reassigned
6117 (for instance after a client-side HTTP keep-alive request).
Willy Tarreau62644772008-07-16 18:36:06 +02006118
Willy Tarreaue9656522010-08-17 15:40:09 +02006119 Content-based rules are evaluated in their exact declaration order. If no
6120 rule matches or if there is no rule, the default action is to accept the
6121 contents. There is no specific limit to the number of rules which may be
6122 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02006123
Willy Tarreaue9656522010-08-17 15:40:09 +02006124 Three types of actions are supported :
6125 - accept :
6126 - reject :
6127 - { track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02006128
Willy Tarreaue9656522010-08-17 15:40:09 +02006129 They have the same meaning as their counter-parts in "tcp-request connection"
6130 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02006131
Willy Tarreaue9656522010-08-17 15:40:09 +02006132 Also, it is worth noting that if sticky counters are tracked from a rule
6133 defined in a backend, this tracking will automatically end when the session
6134 releases the backend. That allows per-backend counter tracking even in case
6135 of HTTP keep-alive requests when the backend changes. While there is nothing
6136 mandatory about it, it is recommended to use the track-sc1 pointer to track
6137 per-frontend counters and track-sc2 to track per-backend counters.
Willy Tarreau62644772008-07-16 18:36:06 +02006138
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006139 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02006140 the action, it is simply performed unconditionally. That can be useful for
6141 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02006142
Willy Tarreaue9656522010-08-17 15:40:09 +02006143 It is perfectly possible to match layer 7 contents with "tcp-request content"
Willy Tarreauc0239e02012-04-16 14:42:55 +02006144 rules, since HTTP-specific ACL matches are able to preliminarily parse the
6145 contents of a buffer before extracting the required data. If the buffered
6146 contents do not parse as a valid HTTP message, then the ACL does not match.
6147 The parser which is involved there is exactly the same as for all other HTTP
6148 processing, so there is no risk of parsing something differently.
Willy Tarreau62644772008-07-16 18:36:06 +02006149
6150 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02006151 # Accept HTTP requests containing a Host header saying "example.com"
6152 # and reject everything else.
6153 acl is_host_com hdr(Host) -i example.com
6154 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +02006155 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +02006156 tcp-request content reject
6157
6158 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02006159 # reject SMTP connection if client speaks first
6160 tcp-request inspect-delay 30s
6161 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006162 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02006163
6164 # Forward HTTPS connection only if client speaks
6165 tcp-request inspect-delay 30s
6166 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006167 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02006168 tcp-request content reject
6169
6170 Example: track per-frontend and per-backend counters, block abusers at the
6171 frontend when the backend detects abuse.
6172
6173 frontend http
6174 # Use General Purpose Couter 0 in SC1 as a global abuse counter
6175 # protecting all our sites
6176 stick-table type ip size 1m expire 5m store gpc0
6177 tcp-request connection track-sc1 src
6178 tcp-request connection reject if { sc1_get_gpc0 gt 0 }
6179 ...
6180 use_backend http_dynamic if { path_end .php }
6181
6182 backend http_dynamic
6183 # if a source makes too fast requests to this dynamic site (tracked
6184 # by SC2), block it globally in the frontend.
6185 stick-table type ip size 1m expire 5m store http_req_rate(10s)
6186 acl click_too_fast sc2_http_req_rate gt 10
6187 acl mark_as_abuser sc1_inc_gpc0
6188 tcp-request content track-sc2 src
6189 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02006190
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006191 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02006192
Willy Tarreaue9656522010-08-17 15:40:09 +02006193 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02006194
6195
6196tcp-request inspect-delay <timeout>
6197 Set the maximum allowed time to wait for data during content inspection
6198 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02006199 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02006200 Arguments :
6201 <timeout> is the timeout value specified in milliseconds by default, but
6202 can be in any other unit if the number is suffixed by the unit,
6203 as explained at the top of this document.
6204
6205 People using haproxy primarily as a TCP relay are often worried about the
6206 risk of passing any type of protocol to a server without any analysis. In
6207 order to be able to analyze the request contents, we must first withhold
6208 the data then analyze them. This statement simply enables withholding of
6209 data for at most the specified amount of time.
6210
Willy Tarreaufb356202010-08-03 14:02:05 +02006211 TCP content inspection applies very early when a connection reaches a
6212 frontend, then very early when the connection is forwarded to a backend. This
6213 means that a connection may experience a first delay in the frontend and a
6214 second delay in the backend if both have tcp-request rules.
6215
Willy Tarreau62644772008-07-16 18:36:06 +02006216 Note that when performing content inspection, haproxy will evaluate the whole
6217 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006218 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02006219 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01006220 contents are definitive. If no delay is set, haproxy will not wait at all
6221 and will immediately apply a verdict based on the available information.
6222 Obviously this is unlikely to be very useful and might even be racy, so such
6223 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02006224
6225 As soon as a rule matches, the request is released and continues as usual. If
6226 the timeout is reached and no rule matches, the default policy will be to let
6227 it pass through unaffected.
6228
6229 For most protocols, it is enough to set it to a few seconds, as most clients
6230 send the full request immediately upon connection. Add 3 or more seconds to
6231 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01006232 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02006233 before the server (eg: SMTP), or to wait for a client to talk before passing
6234 data to the server (eg: SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +02006235 least the inspection delay, otherwise it will expire first. If the client
6236 closes the connection or if the buffer is full, the delay immediately expires
6237 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +02006238
Willy Tarreau55165fe2009-05-10 12:02:55 +02006239 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02006240 "timeout client".
6241
6242
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006243tcp-response content <action> [{if | unless} <condition>]
6244 Perform an action on a session response depending on a layer 4-7 condition
6245 May be used in sections : defaults | frontend | listen | backend
6246 no | no | yes | yes
6247 Arguments :
6248 <action> defines the action to perform if the condition applies. Valid
6249 actions include : "accept", "reject".
6250 See "tcp-request connection" above for their signification.
6251
6252 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
6253
6254 Response contents can be analysed at an early stage of response processing
6255 called "TCP content inspection". During this stage, ACL-based rules are
6256 evaluated every time the response contents are updated, until either an
6257 "accept" or a "reject" rule matches, or a TCP response inspection delay is
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006258 set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006259
6260 Most often, these decisions will consider a protocol recognition or validity.
6261
6262 Content-based rules are evaluated in their exact declaration order. If no
6263 rule matches or if there is no rule, the default action is to accept the
6264 contents. There is no specific limit to the number of rules which may be
6265 inserted.
6266
6267 Two types of actions are supported :
6268 - accept :
6269 accepts the response if the condition is true (when used with "if")
6270 or false (when used with "unless"). The first such rule executed ends
6271 the rules evaluation.
6272
6273 - reject :
6274 rejects the response if the condition is true (when used with "if")
6275 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006276 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006277
6278 Note that the "if/unless" condition is optional. If no condition is set on
6279 the action, it is simply performed unconditionally. That can be useful for
6280 for changing the default action to a reject.
6281
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006282 It is perfectly possible to match layer 7 contents with "tcp-response
6283 content" rules, but then it is important to ensure that a full response has
6284 been buffered, otherwise no contents will match. In order to achieve this,
6285 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006286 period.
6287
6288 See section 7 about ACL usage.
6289
6290 See also : "tcp-request content", "tcp-response inspect-delay"
6291
6292
6293tcp-response inspect-delay <timeout>
6294 Set the maximum allowed time to wait for a response during content inspection
6295 May be used in sections : defaults | frontend | listen | backend
6296 no | no | yes | yes
6297 Arguments :
6298 <timeout> is the timeout value specified in milliseconds by default, but
6299 can be in any other unit if the number is suffixed by the unit,
6300 as explained at the top of this document.
6301
6302 See also : "tcp-response content", "tcp-request inspect-delay".
6303
6304
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006305timeout check <timeout>
6306 Set additional check timeout, but only after a connection has been already
6307 established.
6308
6309 May be used in sections: defaults | frontend | listen | backend
6310 yes | no | yes | yes
6311 Arguments:
6312 <timeout> is the timeout value specified in milliseconds by default, but
6313 can be in any other unit if the number is suffixed by the unit,
6314 as explained at the top of this document.
6315
6316 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
6317 for check and "timeout check" as an additional read timeout. The "min" is
6318 used so that people running with *very* long "timeout connect" (eg. those
6319 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01006320 (Please also note that there is no valid reason to have such long connect
6321 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
6322 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006323
6324 If "timeout check" is not set haproxy uses "inter" for complete check
6325 timeout (connect + read) exactly like all <1.3.15 version.
6326
6327 In most cases check request is much simpler and faster to handle than normal
6328 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01006329 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006330
6331 This parameter is specific to backends, but can be specified once for all in
6332 "defaults" sections. This is in fact one of the easiest solutions not to
6333 forget about it.
6334
Willy Tarreau41a340d2008-01-22 12:25:31 +01006335 See also: "timeout connect", "timeout queue", "timeout server",
6336 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006337
6338
Willy Tarreau0ba27502007-12-24 16:55:16 +01006339timeout client <timeout>
6340timeout clitimeout <timeout> (deprecated)
6341 Set the maximum inactivity time on the client side.
6342 May be used in sections : defaults | frontend | listen | backend
6343 yes | yes | yes | no
6344 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006345 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01006346 can be in any other unit if the number is suffixed by the unit,
6347 as explained at the top of this document.
6348
6349 The inactivity timeout applies when the client is expected to acknowledge or
6350 send data. In HTTP mode, this timeout is particularly important to consider
6351 during the first phase, when the client sends the request, and during the
6352 response while it is reading data sent by the server. The value is specified
6353 in milliseconds by default, but can be in any other unit if the number is
6354 suffixed by the unit, as specified at the top of this document. In TCP mode
6355 (and to a lesser extent, in HTTP mode), it is highly recommended that the
6356 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006357 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01006358 losses by specifying timeouts that are slightly above multiples of 3 seconds
Willy Tarreauce887fd2012-05-12 12:50:00 +02006359 (eg: 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
6360 sessions (eg: WebSocket and HTTP), it's worth considering "timeout tunnel",
6361 which overrides "timeout client" and "timeout server" for tunnels.
Willy Tarreau0ba27502007-12-24 16:55:16 +01006362
6363 This parameter is specific to frontends, but can be specified once for all in
6364 "defaults" sections. This is in fact one of the easiest solutions not to
6365 forget about it. An unspecified timeout results in an infinite timeout, which
6366 is not recommended. Such a usage is accepted and works but reports a warning
6367 during startup because it may results in accumulation of expired sessions in
6368 the system if the system's timeouts are not configured either.
6369
6370 This parameter replaces the old, deprecated "clitimeout". It is recommended
6371 to use it to write new configurations. The form "timeout clitimeout" is
6372 provided only by backwards compatibility but its use is strongly discouraged.
6373
Willy Tarreauce887fd2012-05-12 12:50:00 +02006374 See also : "clitimeout", "timeout server", "timeout tunnel".
Willy Tarreau0ba27502007-12-24 16:55:16 +01006375
6376
6377timeout connect <timeout>
6378timeout contimeout <timeout> (deprecated)
6379 Set the maximum time to wait for a connection attempt to a server to succeed.
6380 May be used in sections : defaults | frontend | listen | backend
6381 yes | no | yes | yes
6382 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006383 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01006384 can be in any other unit if the number is suffixed by the unit,
6385 as explained at the top of this document.
6386
6387 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006388 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01006389 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01006390 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006391 connect timeout also presets both queue and tarpit timeouts to the same value
6392 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01006393
6394 This parameter is specific to backends, but can be specified once for all in
6395 "defaults" sections. This is in fact one of the easiest solutions not to
6396 forget about it. An unspecified timeout results in an infinite timeout, which
6397 is not recommended. Such a usage is accepted and works but reports a warning
6398 during startup because it may results in accumulation of failed sessions in
6399 the system if the system's timeouts are not configured either.
6400
6401 This parameter replaces the old, deprecated "contimeout". It is recommended
6402 to use it to write new configurations. The form "timeout contimeout" is
6403 provided only by backwards compatibility but its use is strongly discouraged.
6404
Willy Tarreau41a340d2008-01-22 12:25:31 +01006405 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
6406 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01006407
6408
Willy Tarreaub16a5742010-01-10 14:46:16 +01006409timeout http-keep-alive <timeout>
6410 Set the maximum allowed time to wait for a new HTTP request to appear
6411 May be used in sections : defaults | frontend | listen | backend
6412 yes | yes | yes | yes
6413 Arguments :
6414 <timeout> is the timeout value specified in milliseconds by default, but
6415 can be in any other unit if the number is suffixed by the unit,
6416 as explained at the top of this document.
6417
6418 By default, the time to wait for a new request in case of keep-alive is set
6419 by "timeout http-request". However this is not always convenient because some
6420 people want very short keep-alive timeouts in order to release connections
6421 faster, and others prefer to have larger ones but still have short timeouts
6422 once the request has started to present itself.
6423
6424 The "http-keep-alive" timeout covers these needs. It will define how long to
6425 wait for a new HTTP request to start coming after a response was sent. Once
6426 the first byte of request has been seen, the "http-request" timeout is used
6427 to wait for the complete request to come. Note that empty lines prior to a
6428 new request do not refresh the timeout and are not counted as a new request.
6429
6430 There is also another difference between the two timeouts : when a connection
6431 expires during timeout http-keep-alive, no error is returned, the connection
6432 just closes. If the connection expires in "http-request" while waiting for a
6433 connection to complete, a HTTP 408 error is returned.
6434
6435 In general it is optimal to set this value to a few tens to hundreds of
6436 milliseconds, to allow users to fetch all objects of a page at once but
6437 without waiting for further clicks. Also, if set to a very small value (eg:
6438 1 millisecond) it will probably only accept pipelined requests but not the
6439 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02006440 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01006441
6442 If this parameter is not set, the "http-request" timeout applies, and if both
6443 are not set, "timeout client" still applies at the lower level. It should be
6444 set in the frontend to take effect, unless the frontend is in TCP mode, in
6445 which case the HTTP backend's timeout will be used.
6446
6447 See also : "timeout http-request", "timeout client".
6448
6449
Willy Tarreau036fae02008-01-06 13:24:40 +01006450timeout http-request <timeout>
6451 Set the maximum allowed time to wait for a complete HTTP request
6452 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02006453 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01006454 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006455 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01006456 can be in any other unit if the number is suffixed by the unit,
6457 as explained at the top of this document.
6458
6459 In order to offer DoS protection, it may be required to lower the maximum
6460 accepted time to receive a complete HTTP request without affecting the client
6461 timeout. This helps protecting against established connections on which
6462 nothing is sent. The client timeout cannot offer a good protection against
6463 this abuse because it is an inactivity timeout, which means that if the
6464 attacker sends one character every now and then, the timeout will not
6465 trigger. With the HTTP request timeout, no matter what speed the client
6466 types, the request will be aborted if it does not complete in time.
6467
6468 Note that this timeout only applies to the header part of the request, and
6469 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01006470 used anymore. It is used again on keep-alive connections to wait for a second
6471 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01006472
6473 Generally it is enough to set it to a few seconds, as most clients send the
6474 full request immediately upon connection. Add 3 or more seconds to cover TCP
6475 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
6476 generally work on local networks as long as there are no packet losses. This
6477 will prevent people from sending bare HTTP requests using telnet.
6478
6479 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02006480 chunk of the incoming request. It should be set in the frontend to take
6481 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
6482 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01006483
Willy Tarreaub16a5742010-01-10 14:46:16 +01006484 See also : "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01006485
Willy Tarreau844e3c52008-01-11 16:28:18 +01006486
6487timeout queue <timeout>
6488 Set the maximum time to wait in the queue for a connection slot to be free
6489 May be used in sections : defaults | frontend | listen | backend
6490 yes | no | yes | yes
6491 Arguments :
6492 <timeout> is the timeout value specified in milliseconds by default, but
6493 can be in any other unit if the number is suffixed by the unit,
6494 as explained at the top of this document.
6495
6496 When a server's maxconn is reached, connections are left pending in a queue
6497 which may be server-specific or global to the backend. In order not to wait
6498 indefinitely, a timeout is applied to requests pending in the queue. If the
6499 timeout is reached, it is considered that the request will almost never be
6500 served, so it is dropped and a 503 error is returned to the client.
6501
6502 The "timeout queue" statement allows to fix the maximum time for a request to
6503 be left pending in a queue. If unspecified, the same value as the backend's
6504 connection timeout ("timeout connect") is used, for backwards compatibility
6505 with older versions with no "timeout queue" parameter.
6506
6507 See also : "timeout connect", "contimeout".
6508
6509
6510timeout server <timeout>
6511timeout srvtimeout <timeout> (deprecated)
6512 Set the maximum inactivity time on the server side.
6513 May be used in sections : defaults | frontend | listen | backend
6514 yes | no | yes | yes
6515 Arguments :
6516 <timeout> is the timeout value specified in milliseconds by default, but
6517 can be in any other unit if the number is suffixed by the unit,
6518 as explained at the top of this document.
6519
6520 The inactivity timeout applies when the server is expected to acknowledge or
6521 send data. In HTTP mode, this timeout is particularly important to consider
6522 during the first phase of the server's response, when it has to send the
6523 headers, as it directly represents the server's processing time for the
6524 request. To find out what value to put there, it's often good to start with
6525 what would be considered as unacceptable response times, then check the logs
6526 to observe the response time distribution, and adjust the value accordingly.
6527
6528 The value is specified in milliseconds by default, but can be in any other
6529 unit if the number is suffixed by the unit, as specified at the top of this
6530 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
6531 recommended that the client timeout remains equal to the server timeout in
6532 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006533 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01006534 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreauce887fd2012-05-12 12:50:00 +02006535 seconds (eg: 4 or 5 seconds minimum). If some long-lived sessions are mixed
6536 with short-lived sessions (eg: WebSocket and HTTP), it's worth considering
6537 "timeout tunnel", which overrides "timeout client" and "timeout server" for
6538 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006539
6540 This parameter is specific to backends, but can be specified once for all in
6541 "defaults" sections. This is in fact one of the easiest solutions not to
6542 forget about it. An unspecified timeout results in an infinite timeout, which
6543 is not recommended. Such a usage is accepted and works but reports a warning
6544 during startup because it may results in accumulation of expired sessions in
6545 the system if the system's timeouts are not configured either.
6546
6547 This parameter replaces the old, deprecated "srvtimeout". It is recommended
6548 to use it to write new configurations. The form "timeout srvtimeout" is
6549 provided only by backwards compatibility but its use is strongly discouraged.
6550
Willy Tarreauce887fd2012-05-12 12:50:00 +02006551 See also : "srvtimeout", "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +01006552
6553
6554timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01006555 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01006556 May be used in sections : defaults | frontend | listen | backend
6557 yes | yes | yes | yes
6558 Arguments :
6559 <timeout> is the tarpit duration specified in milliseconds by default, but
6560 can be in any other unit if the number is suffixed by the unit,
6561 as explained at the top of this document.
6562
6563 When a connection is tarpitted using "reqtarpit", it is maintained open with
6564 no activity for a certain amount of time, then closed. "timeout tarpit"
6565 defines how long it will be maintained open.
6566
6567 The value is specified in milliseconds by default, but can be in any other
6568 unit if the number is suffixed by the unit, as specified at the top of this
6569 document. If unspecified, the same value as the backend's connection timeout
6570 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01006571 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006572
6573 See also : "timeout connect", "contimeout".
6574
6575
Willy Tarreauce887fd2012-05-12 12:50:00 +02006576timeout tunnel <timeout>
6577 Set the maximum inactivity time on the client and server side for tunnels.
6578 May be used in sections : defaults | frontend | listen | backend
6579 yes | no | yes | yes
6580 Arguments :
6581 <timeout> is the timeout value specified in milliseconds by default, but
6582 can be in any other unit if the number is suffixed by the unit,
6583 as explained at the top of this document.
6584
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006585 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +02006586 between a client and a server, and the connection remains inactive in both
6587 directions. This timeout supersedes both the client and server timeouts once
6588 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
6589 analyser remains attached to either connection (eg: tcp content rules are
6590 accepted). In HTTP, this timeout is used when a connection is upgraded (eg:
6591 when switching to the WebSocket protocol, or forwarding a CONNECT request
6592 to a proxy), or after the first response when no keepalive/close option is
6593 specified.
6594
6595 The value is specified in milliseconds by default, but can be in any other
6596 unit if the number is suffixed by the unit, as specified at the top of this
6597 document. Whatever the expected normal idle time, it is a good practice to
6598 cover at least one or several TCP packet losses by specifying timeouts that
6599 are slightly above multiples of 3 seconds (eg: 4 or 5 seconds minimum).
6600
6601 This parameter is specific to backends, but can be specified once for all in
6602 "defaults" sections. This is in fact one of the easiest solutions not to
6603 forget about it.
6604
6605 Example :
6606 defaults http
6607 option http-server-close
6608 timeout connect 5s
6609 timeout client 30s
6610 timeout client 30s
6611 timeout server 30s
6612 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
6613
6614 See also : "timeout client", "timeout server".
6615
6616
Willy Tarreau844e3c52008-01-11 16:28:18 +01006617transparent (deprecated)
6618 Enable client-side transparent proxying
6619 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01006620 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01006621 Arguments : none
6622
6623 This keyword was introduced in order to provide layer 7 persistence to layer
6624 3 load balancers. The idea is to use the OS's ability to redirect an incoming
6625 connection for a remote address to a local process (here HAProxy), and let
6626 this process know what address was initially requested. When this option is
6627 used, sessions without cookies will be forwarded to the original destination
6628 IP address of the incoming request (which should match that of another
6629 equipment), while requests with cookies will still be forwarded to the
6630 appropriate server.
6631
6632 The "transparent" keyword is deprecated, use "option transparent" instead.
6633
6634 Note that contrary to a common belief, this option does NOT make HAProxy
6635 present the client's IP to the server when establishing the connection.
6636
Willy Tarreau844e3c52008-01-11 16:28:18 +01006637 See also: "option transparent"
6638
William Lallemanda73203e2012-03-12 12:48:57 +01006639unique-id-format <string>
6640 Generate a unique ID for each request.
6641 May be used in sections : defaults | frontend | listen | backend
6642 yes | yes | yes | no
6643 Arguments :
6644 <string> is a log-format string.
6645
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006646 This keyword creates a ID for each request using the custom log format. A
6647 unique ID is useful to trace a request passing through many components of
6648 a complex infrastructure. The newly created ID may also be logged using the
6649 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +01006650
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006651 The format should be composed from elements that are guaranteed to be
6652 unique when combined together. For instance, if multiple haproxy instances
6653 are involved, it might be important to include the node name. It is often
6654 needed to log the incoming connection's source and destination addresses
6655 and ports. Note that since multiple requests may be performed over the same
6656 connection, including a request counter may help differentiate them.
6657 Similarly, a timestamp may protect against a rollover of the counter.
6658 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +01006659
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006660 It is recommended to use hexadecimal notation for many fields since it
6661 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +01006662
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006663 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01006664
6665 unique-id-format %{+X}o\ %Ci:%Cp_%Fi:%Fp_%Ts_%rt:%pid
6666
6667 will generate:
6668
6669 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
6670
6671 See also: "unique-id-header"
6672
6673unique-id-header <name>
6674 Add a unique ID header in the HTTP request.
6675 May be used in sections : defaults | frontend | listen | backend
6676 yes | yes | yes | no
6677 Arguments :
6678 <name> is the name of the header.
6679
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006680 Add a unique-id header in the HTTP request sent to the server, using the
6681 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +01006682
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006683 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01006684
6685 unique-id-format %{+X}o\ %Ci:%Cp_%Fi:%Fp_%Ts_%rt:%pid
6686 unique-id-header X-Unique-ID
6687
6688 will generate:
6689
6690 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
6691
6692 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +01006693
6694use_backend <backend> if <condition>
6695use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006696 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006697 May be used in sections : defaults | frontend | listen | backend
6698 no | yes | yes | no
6699 Arguments :
6700 <backend> is the name of a valid backend or "listen" section.
6701
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006702 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006703
6704 When doing content-switching, connections arrive on a frontend and are then
6705 dispatched to various backends depending on a number of conditions. The
6706 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006707 "use_backend" keyword. While it is normally used with HTTP processing, it can
6708 also be used in pure TCP, either without content using stateless ACLs (eg:
6709 source address validation) or combined with a "tcp-request" rule to wait for
6710 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006711
6712 There may be as many "use_backend" rules as desired. All of these rules are
6713 evaluated in their declaration order, and the first one which matches will
6714 assign the backend.
6715
6716 In the first form, the backend will be used if the condition is met. In the
6717 second form, the backend will be used if the condition is not met. If no
6718 condition is valid, the backend defined with "default_backend" will be used.
6719 If no default backend is defined, either the servers in the same section are
6720 used (in case of a "listen" section) or, in case of a frontend, no server is
6721 used and a 503 service unavailable response is returned.
6722
Willy Tarreau51aecc72009-07-12 09:47:04 +02006723 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006724 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02006725 and backend processing will immediately follow, or the backend will wait for
6726 a complete HTTP request to get in. This feature is useful when a frontend
6727 must decode several protocols on a unique port, one of them being HTTP.
6728
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006729 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01006730
Willy Tarreau036fae02008-01-06 13:24:40 +01006731
Willy Tarreau4a5cade2012-04-05 21:09:48 +02006732use-server <server> if <condition>
6733use-server <server> unless <condition>
6734 Only use a specific server if/unless an ACL-based condition is matched.
6735 May be used in sections : defaults | frontend | listen | backend
6736 no | no | yes | yes
6737 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006738 <server> is the name of a valid server in the same backend section.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02006739
6740 <condition> is a condition composed of ACLs, as described in section 7.
6741
6742 By default, connections which arrive to a backend are load-balanced across
6743 the available servers according to the configured algorithm, unless a
6744 persistence mechanism such as a cookie is used and found in the request.
6745
6746 Sometimes it is desirable to forward a particular request to a specific
6747 server without having to declare a dedicated backend for this server. This
6748 can be achieved using the "use-server" rules. These rules are evaluated after
6749 the "redirect" rules and before evaluating cookies, and they have precedence
6750 on them. There may be as many "use-server" rules as desired. All of these
6751 rules are evaluated in their declaration order, and the first one which
6752 matches will assign the server.
6753
6754 If a rule designates a server which is down, and "option persist" is not used
6755 and no force-persist rule was validated, it is ignored and evaluation goes on
6756 with the next rules until one matches.
6757
6758 In the first form, the server will be used if the condition is met. In the
6759 second form, the server will be used if the condition is not met. If no
6760 condition is valid, the processing continues and the server will be assigned
6761 according to other persistence mechanisms.
6762
6763 Note that even if a rule is matched, cookie processing is still performed but
6764 does not assign the server. This allows prefixed cookies to have their prefix
6765 stripped.
6766
6767 The "use-server" statement works both in HTTP and TCP mode. This makes it
6768 suitable for use with content-based inspection. For instance, a server could
6769 be selected in a farm according to the TLS SNI field. And if these servers
6770 have their weight set to zero, they will not be used for other traffic.
6771
6772 Example :
6773 # intercept incoming TLS requests based on the SNI field
6774 use-server www if { req_ssl_sni -i www.example.com }
6775 server www 192.168.0.1:443 weight 0
6776 use-server mail if { req_ssl_sni -i mail.example.com }
6777 server mail 192.168.0.1:587 weight 0
6778 use-server imap if { req_ssl_sni -i imap.example.com }
6779 server mail 192.168.0.1:993 weight 0
6780 # all the rest is forwarded to this server
6781 server default 192.168.0.2:443 check
6782
6783 See also: "use_backend", serction 5 about server and section 7 about ACLs.
6784
6785
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010067865. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01006787------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006788
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01006789The "server" and "default-server" keywords support a certain number of settings
6790which are all passed as arguments on the server line. The order in which those
6791arguments appear does not count, and they are all optional. Some of those
6792settings are single words (booleans) while others expect one or several values
6793after them. In this case, the values must immediately follow the setting name.
6794Except default-server, all those settings must be specified after the server's
6795address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02006796
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006797 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01006798 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02006799
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006800The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01006801
Willy Tarreauceb4ac92012-04-28 00:41:46 +02006802addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006803 Using the "addr" parameter, it becomes possible to use a different IP address
6804 to send health-checks. On some servers, it may be desirable to dedicate an IP
6805 address to specific component able to perform complex tests which are more
6806 suitable to health-checks than the application. This parameter is ignored if
6807 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006808
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006809 Supported in default-server: No
6810
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006811backup
6812 When "backup" is present on a server line, the server is only used in load
6813 balancing when all other non-backup servers are unavailable. Requests coming
6814 with a persistence cookie referencing the server will always be served
6815 though. By default, only the first operational backup server is used, unless
6816 the "allbackups" option is set in the backend. See also the "allbackups"
6817 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006818
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006819 Supported in default-server: No
6820
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006821check
6822 This option enables health checks on the server. By default, a server is
Patrick Mézardb7aeec62012-01-22 16:01:22 +01006823 always considered available. If "check" is set, the server is available when
6824 accepting periodic TCP connections, to ensure that it is really able to serve
6825 requests. The default address and port to send the tests to are those of the
6826 server, and the default source is the same as the one defined in the
6827 backend. It is possible to change the address using the "addr" parameter, the
6828 port using the "port" parameter, the source address using the "source"
6829 address, and the interval and timers using the "inter", "rise" and "fall"
6830 parameters. The request method is define in the backend using the "httpchk",
6831 "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
6832 refer to those options and parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006833
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006834 Supported in default-server: No
6835
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006836cookie <value>
6837 The "cookie" parameter sets the cookie value assigned to the server to
6838 <value>. This value will be checked in incoming requests, and the first
6839 operational server possessing the same value will be selected. In return, in
6840 cookie insertion or rewrite modes, this value will be assigned to the cookie
6841 sent to the client. There is nothing wrong in having several servers sharing
6842 the same cookie value, and it is in fact somewhat common between normal and
6843 backup servers. See also the "cookie" keyword in backend section.
6844
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006845 Supported in default-server: No
6846
Willy Tarreau96839092010-03-29 10:02:24 +02006847disabled
6848 The "disabled" keyword starts the server in the "disabled" state. That means
6849 that it is marked down in maintenance mode, and no connection other than the
6850 ones allowed by persist mode will reach it. It is very well suited to setup
6851 new servers, because normal traffic will never reach them, while it is still
6852 possible to test the service by making use of the force-persist mechanism.
6853
6854 Supported in default-server: No
6855
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006856error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01006857 If health observing is enabled, the "error-limit" parameter specifies the
6858 number of consecutive errors that triggers event selected by the "on-error"
6859 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006860
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006861 Supported in default-server: Yes
6862
6863 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006864
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006865fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006866 The "fall" parameter states that a server will be considered as dead after
6867 <count> consecutive unsuccessful health checks. This value defaults to 3 if
6868 unspecified. See also the "check", "inter" and "rise" parameters.
6869
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006870 Supported in default-server: Yes
6871
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006872id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02006873 Set a persistent ID for the server. This ID must be positive and unique for
6874 the proxy. An unused ID will automatically be assigned if unset. The first
6875 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006876
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006877 Supported in default-server: No
6878
6879inter <delay>
6880fastinter <delay>
6881downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006882 The "inter" parameter sets the interval between two consecutive health checks
6883 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
6884 It is also possible to use "fastinter" and "downinter" to optimize delays
6885 between checks depending on the server state :
6886
6887 Server state | Interval used
6888 ---------------------------------+-----------------------------------------
6889 UP 100% (non-transitional) | "inter"
6890 ---------------------------------+-----------------------------------------
6891 Transitionally UP (going down), |
6892 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
6893 or yet unchecked. |
6894 ---------------------------------+-----------------------------------------
6895 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
6896 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01006897
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006898 Just as with every other time-based parameter, they can be entered in any
6899 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
6900 serves as a timeout for health checks sent to servers if "timeout check" is
6901 not set. In order to reduce "resonance" effects when multiple servers are
6902 hosted on the same hardware, the health-checks of all servers are started
6903 with a small time offset between them. It is also possible to add some random
6904 noise in the health checks interval using the global "spread-checks"
6905 keyword. This makes sense for instance when a lot of backends use the same
6906 servers.
6907
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006908 Supported in default-server: Yes
6909
6910maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006911 The "maxconn" parameter specifies the maximal number of concurrent
6912 connections that will be sent to this server. If the number of incoming
6913 concurrent requests goes higher than this value, they will be queued, waiting
6914 for a connection to be released. This parameter is very important as it can
6915 save fragile servers from going down under extreme loads. If a "minconn"
6916 parameter is specified, the limit becomes dynamic. The default value is "0"
6917 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
6918 the backend's "fullconn" keyword.
6919
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006920 Supported in default-server: Yes
6921
6922maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006923 The "maxqueue" parameter specifies the maximal number of connections which
6924 will wait in the queue for this server. If this limit is reached, next
6925 requests will be redispatched to other servers instead of indefinitely
6926 waiting to be served. This will break persistence but may allow people to
6927 quickly re-log in when the server they try to connect to is dying. The
6928 default value is "0" which means the queue is unlimited. See also the
6929 "maxconn" and "minconn" parameters.
6930
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006931 Supported in default-server: Yes
6932
6933minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006934 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
6935 limit following the backend's load. The server will always accept at least
6936 <minconn> connections, never more than <maxconn>, and the limit will be on
6937 the ramp between both values when the backend has less than <fullconn>
6938 concurrent connections. This makes it possible to limit the load on the
6939 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006940 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006941 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006942
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006943 Supported in default-server: Yes
6944
Simon Hormanfa461682011-06-25 09:39:49 +09006945non-stick
6946 Never add connections allocated to this sever to a stick-table.
6947 This may be used in conjunction with backup to ensure that
6948 stick-table persistence is disabled for backup servers.
6949
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006950observe <mode>
6951 This option enables health adjusting based on observing communication with
6952 the server. By default this functionality is disabled and enabling it also
6953 requires to enable health checks. There are two supported modes: "layer4" and
6954 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
6955 significant. In layer7, which is only allowed for http proxies, responses
6956 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +01006957 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006958
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006959 Supported in default-server: No
6960
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006961 See also the "check", "on-error" and "error-limit".
6962
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006963on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006964 Select what should happen when enough consecutive errors are detected.
6965 Currently, four modes are available:
6966 - fastinter: force fastinter
6967 - fail-check: simulate a failed check, also forces fastinter (default)
6968 - sudden-death: simulate a pre-fatal failed health check, one more failed
6969 check will mark a server down, forces fastinter
6970 - mark-down: mark the server immediately down and force fastinter
6971
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006972 Supported in default-server: Yes
6973
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006974 See also the "check", "observe" and "error-limit".
6975
Simon Hormane0d1bfb2011-06-21 14:34:58 +09006976on-marked-down <action>
6977 Modify what occurs when a server is marked down.
6978 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07006979 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
6980 all connections to the server are immediately terminated when the server
6981 goes down. It might be used if the health check detects more complex cases
6982 than a simple connection status, and long timeouts would cause the service
6983 to remain unresponsive for too long a time. For instance, a health check
6984 might detect that a database is stuck and that there's no chance to reuse
6985 existing connections anymore. Connections killed this way are logged with
6986 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +09006987
6988 Actions are disabled by default
6989
6990 Supported in default-server: Yes
6991
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07006992on-marked-up <action>
6993 Modify what occurs when a server is marked up.
6994 Currently one action is available:
6995 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
6996 done only if the server is not in backup state and if it is not disabled
6997 (it must have an effective weight > 0). This can be used sometimes to force
6998 an active server to take all the traffic back after recovery when dealing
6999 with long sessions (eg: LDAP, SQL, ...). Doing this can cause more trouble
7000 than it tries to solve (eg: incomplete transactions), so use this feature
7001 with extreme care. Sessions killed because a server comes up are logged
7002 with an 'U' termination code (for "Up").
7003
7004 Actions are disabled by default
7005
7006 Supported in default-server: Yes
7007
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007008port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007009 Using the "port" parameter, it becomes possible to use a different port to
7010 send health-checks. On some servers, it may be desirable to dedicate a port
7011 to a specific component able to perform complex tests which are more suitable
7012 to health-checks than the application. It is common to run a simple script in
7013 inetd for instance. This parameter is ignored if the "check" parameter is not
7014 set. See also the "addr" parameter.
7015
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007016 Supported in default-server: Yes
7017
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007018redir <prefix>
7019 The "redir" parameter enables the redirection mode for all GET and HEAD
7020 requests addressing this server. This means that instead of having HAProxy
7021 forward the request to the server, it will send an "HTTP 302" response with
7022 the "Location" header composed of this prefix immediately followed by the
7023 requested URI beginning at the leading '/' of the path component. That means
7024 that no trailing slash should be used after <prefix>. All invalid requests
7025 will be rejected, and all non-GET or HEAD requests will be normally served by
7026 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007027 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007028 requests are still analysed, making this solution completely usable to direct
7029 users to a remote location in case of local disaster. Main use consists in
7030 increasing bandwidth for static servers by having the clients directly
7031 connect to them. Note: never use a relative location here, it would cause a
7032 loop between the client and HAProxy!
7033
7034 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
7035
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007036 Supported in default-server: No
7037
7038rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007039 The "rise" parameter states that a server will be considered as operational
7040 after <count> consecutive successful health checks. This value defaults to 2
7041 if unspecified. See also the "check", "inter" and "fall" parameters.
7042
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007043 Supported in default-server: Yes
7044
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01007045send-proxy
7046 The "send-proxy" parameter enforces use of the PROXY protocol over any
7047 connection established to this server. The PROXY protocol informs the other
7048 end about the layer 3/4 addresses of the incoming connection, so that it can
7049 know the client's address or the public address it accessed to, whatever the
7050 upper layer protocol. For connections accepted by an "accept-proxy" listener,
7051 the advertised address will be used. Only TCPv4 and TCPv6 address families
7052 are supported. Other families such as Unix sockets, will report an UNKNOWN
7053 family. Servers using this option can fully be chained to another instance of
7054 haproxy listening with an "accept-proxy" setting. This setting must not be
7055 used if the server isn't aware of the protocol. See also the "accept-proxy"
7056 option of the "bind" keyword.
7057
7058 Supported in default-server: No
7059
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007060slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007061 The "slowstart" parameter for a server accepts a value in milliseconds which
7062 indicates after how long a server which has just come back up will run at
7063 full speed. Just as with every other time-based parameter, it can be entered
7064 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
7065 linearly from 0 to 100% during this time. The limitation applies to two
7066 parameters :
7067
7068 - maxconn: the number of connections accepted by the server will grow from 1
7069 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
7070
7071 - weight: when the backend uses a dynamic weighted algorithm, the weight
7072 grows linearly from 1 to 100%. In this case, the weight is updated at every
7073 health-check. For this reason, it is important that the "inter" parameter
7074 is smaller than the "slowstart", in order to maximize the number of steps.
7075
7076 The slowstart never applies when haproxy starts, otherwise it would cause
7077 trouble to running servers. It only applies when a server has been previously
7078 seen as failed.
7079
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007080 Supported in default-server: Yes
7081
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02007082source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02007083source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02007084source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007085 The "source" parameter sets the source address which will be used when
7086 connecting to the server. It follows the exact same parameters and principle
7087 as the backend "source" keyword, except that it only applies to the server
7088 referencing it. Please consult the "source" keyword for details.
7089
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02007090 Additionally, the "source" statement on a server line allows one to specify a
7091 source port range by indicating the lower and higher bounds delimited by a
7092 dash ('-'). Some operating systems might require a valid IP address when a
7093 source port range is specified. It is permitted to have the same IP/range for
7094 several servers. Doing so makes it possible to bypass the maximum of 64k
7095 total concurrent connections. The limit will then reach 64k connections per
7096 server.
7097
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007098 Supported in default-server: No
7099
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007100track [<proxy>/]<server>
7101 This option enables ability to set the current state of the server by
7102 tracking another one. Only a server with checks enabled can be tracked
7103 so it is not possible for example to track a server that tracks another
7104 one. If <proxy> is omitted the current one is used. If disable-on-404 is
7105 used, it has to be enabled on both proxies.
7106
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007107 Supported in default-server: No
7108
7109weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007110 The "weight" parameter is used to adjust the server's weight relative to
7111 other servers. All servers will receive a load proportional to their weight
7112 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02007113 load. The default weight is 1, and the maximal value is 256. A value of 0
7114 means the server will not participate in load-balancing but will still accept
7115 persistent connections. If this parameter is used to distribute the load
7116 according to server's capacity, it is recommended to start with values which
7117 can both grow and shrink, for instance between 10 and 100 to leave enough
7118 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007119
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007120 Supported in default-server: Yes
7121
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007122
71236. HTTP header manipulation
7124---------------------------
7125
7126In HTTP mode, it is possible to rewrite, add or delete some of the request and
7127response headers based on regular expressions. It is also possible to block a
7128request or a response if a particular header matches a regular expression,
7129which is enough to stop most elementary protocol attacks, and to protect
7130against information leak from the internal network. But there is a limitation
7131to this : since HAProxy's HTTP engine does not support keep-alive, only headers
7132passed during the first request of a TCP session will be seen. All subsequent
7133headers will be considered data only and not analyzed. Furthermore, HAProxy
7134never touches data contents, it stops analysis at the end of headers.
7135
Willy Tarreau816b9792009-09-15 21:25:21 +02007136There is an exception though. If HAProxy encounters an "Informational Response"
7137(status code 1xx), it is able to process all rsp* rules which can allow, deny,
7138rewrite or delete a header, but it will refuse to add a header to any such
7139messages as this is not HTTP-compliant. The reason for still processing headers
7140in such responses is to stop and/or fix any possible information leak which may
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007141happen, for instance because another downstream equipment would unconditionally
Willy Tarreau816b9792009-09-15 21:25:21 +02007142add a header, or if a server name appears there. When such messages are seen,
7143normal processing still occurs on the next non-informational messages.
7144
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007145This section covers common usage of the following keywords, described in detail
7146in section 4.2 :
7147
7148 - reqadd <string>
7149 - reqallow <search>
7150 - reqiallow <search>
7151 - reqdel <search>
7152 - reqidel <search>
7153 - reqdeny <search>
7154 - reqideny <search>
7155 - reqpass <search>
7156 - reqipass <search>
7157 - reqrep <search> <replace>
7158 - reqirep <search> <replace>
7159 - reqtarpit <search>
7160 - reqitarpit <search>
7161 - rspadd <string>
7162 - rspdel <search>
7163 - rspidel <search>
7164 - rspdeny <search>
7165 - rspideny <search>
7166 - rsprep <search> <replace>
7167 - rspirep <search> <replace>
7168
7169With all these keywords, the same conventions are used. The <search> parameter
7170is a POSIX extended regular expression (regex) which supports grouping through
7171parenthesis (without the backslash). Spaces and other delimiters must be
7172prefixed with a backslash ('\') to avoid confusion with a field delimiter.
7173Other characters may be prefixed with a backslash to change their meaning :
7174
7175 \t for a tab
7176 \r for a carriage return (CR)
7177 \n for a new line (LF)
7178 \ to mark a space and differentiate it from a delimiter
7179 \# to mark a sharp and differentiate it from a comment
7180 \\ to use a backslash in a regex
7181 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
7182 \xXX to write the ASCII hex code XX as in the C language
7183
7184The <replace> parameter contains the string to be used to replace the largest
7185portion of text matching the regex. It can make use of the special characters
7186above, and can reference a substring which is delimited by parenthesis in the
7187regex, by writing a backslash ('\') immediately followed by one digit from 0 to
71889 indicating the group position (0 designating the entire line). This practice
7189is very common to users of the "sed" program.
7190
7191The <string> parameter represents the string which will systematically be added
7192after the last header line. It can also use special character sequences above.
7193
7194Notes related to these keywords :
7195---------------------------------
7196 - these keywords are not always convenient to allow/deny based on header
7197 contents. It is strongly recommended to use ACLs with the "block" keyword
7198 instead, resulting in far more flexible and manageable rules.
7199
7200 - lines are always considered as a whole. It is not possible to reference
7201 a header name only or a value only. This is important because of the way
7202 headers are written (notably the number of spaces after the colon).
7203
7204 - the first line is always considered as a header, which makes it possible to
7205 rewrite or filter HTTP requests URIs or response codes, but in turn makes
7206 it harder to distinguish between headers and request line. The regex prefix
7207 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
7208 ^[^ \t:]*: matches any header name followed by a colon.
7209
7210 - for performances reasons, the number of characters added to a request or to
7211 a response is limited at build time to values between 1 and 4 kB. This
7212 should normally be far more than enough for most usages. If it is too short
7213 on occasional usages, it is possible to gain some space by removing some
7214 useless headers before adding new ones.
7215
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007216 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007217 without the 'i' letter except that they ignore case when matching patterns.
7218
7219 - when a request passes through a frontend then a backend, all req* rules
7220 from the frontend will be evaluated, then all req* rules from the backend
7221 will be evaluated. The reverse path is applied to responses.
7222
7223 - req* statements are applied after "block" statements, so that "block" is
7224 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01007225 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007226
7227
Willy Tarreaub937b7e2010-01-12 15:27:54 +010072287. Using ACLs and pattern extraction
7229------------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007230
7231The use of Access Control Lists (ACL) provides a flexible solution to perform
7232content switching and generally to take decisions based on content extracted
7233from the request, the response or any environmental status. The principle is
7234simple :
7235
7236 - define test criteria with sets of values
7237 - perform actions only if a set of tests is valid
7238
7239The actions generally consist in blocking the request, or selecting a backend.
7240
7241In order to define a test, the "acl" keyword is used. The syntax is :
7242
7243 acl <aclname> <criterion> [flags] [operator] <value> ...
7244
7245This creates a new ACL <aclname> or completes an existing one with new tests.
7246Those tests apply to the portion of request/response specified in <criterion>
7247and may be adjusted with optional flags [flags]. Some criteria also support
7248an operator which may be specified before the set of values. The values are
7249of the type supported by the criterion, and are separated by spaces.
7250
7251ACL names must be formed from upper and lower case letters, digits, '-' (dash),
7252'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
7253which means that "my_acl" and "My_Acl" are two different ACLs.
7254
7255There is no enforced limit to the number of ACLs. The unused ones do not affect
7256performance, they just consume a small amount of memory.
7257
7258The following ACL flags are currently supported :
7259
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007260 -i : ignore case during matching of all subsequent patterns.
7261 -f : load patterns from a file.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007262 -- : force end of flags. Useful when a string looks like one of the flags.
7263
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007264The "-f" flag is special as it loads all of the lines it finds in the file
7265specified in argument and loads all of them before continuing. It is even
7266possible to pass multiple "-f" arguments if the patterns are to be loaded from
Willy Tarreau58215a02010-05-13 22:07:43 +02007267multiple files. Empty lines as well as lines beginning with a sharp ('#') will
7268be ignored. All leading spaces and tabs will be stripped. If it is absolutely
7269needed to insert a valid pattern beginning with a sharp, just prefix it with a
7270space so that it is not taken for a comment. Depending on the data type and
7271match method, haproxy may load the lines into a binary tree, allowing very fast
7272lookups. This is true for IPv4 and exact string matching. In this case,
7273duplicates will automatically be removed. Also, note that the "-i" flag applies
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007274to subsequent entries and not to entries loaded from files preceding it. For
Willy Tarreau58215a02010-05-13 22:07:43 +02007275instance :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007276
7277 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
7278
7279In this example, each line of "exact-ua.lst" will be exactly matched against
7280the "user-agent" header of the request. Then each line of "generic-ua" will be
7281case-insensitively matched. Then the word "test" will be insensitively matched
7282too.
7283
7284Note that right now it is difficult for the ACL parsers to report errors, so if
7285a file is unreadable or unparsable, the most you'll get is a parse error in the
7286ACL. Thus, file-based ACLs should only be produced by reliable processes.
7287
Willy Tarreau6a06a402007-07-15 20:15:28 +02007288Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01007289
Willy Tarreau6a06a402007-07-15 20:15:28 +02007290 - integers or integer ranges
7291 - strings
7292 - regular expressions
7293 - IP addresses and networks
7294
7295
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072967.1. Matching integers
7297----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007298
7299Matching integers is special in that ranges and operators are permitted. Note
7300that integer matching only applies to positive values. A range is a value
7301expressed with a lower and an upper bound separated with a colon, both of which
7302may be omitted.
7303
7304For instance, "1024:65535" is a valid range to represent a range of
7305unprivileged ports, and "1024:" would also work. "0:1023" is a valid
7306representation of privileged ports, and ":1023" would also work.
7307
Willy Tarreau62644772008-07-16 18:36:06 +02007308As a special case, some ACL functions support decimal numbers which are in fact
7309two integers separated by a dot. This is used with some version checks for
7310instance. All integer properties apply to those decimal numbers, including
7311ranges and operators.
7312
Willy Tarreau6a06a402007-07-15 20:15:28 +02007313For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01007314operators with ranges does not make much sense and is strongly discouraged.
7315Similarly, it does not make much sense to perform order comparisons with a set
7316of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007317
Willy Tarreau0ba27502007-12-24 16:55:16 +01007318Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02007319
7320 eq : true if the tested value equals at least one value
7321 ge : true if the tested value is greater than or equal to at least one value
7322 gt : true if the tested value is greater than at least one value
7323 le : true if the tested value is less than or equal to at least one value
7324 lt : true if the tested value is less than at least one value
7325
Willy Tarreau0ba27502007-12-24 16:55:16 +01007326For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02007327
7328 acl negative-length hdr_val(content-length) lt 0
7329
Willy Tarreau62644772008-07-16 18:36:06 +02007330This one matches SSL versions between 3.0 and 3.1 (inclusive) :
7331
7332 acl sslv3 req_ssl_ver 3:3.1
7333
Willy Tarreau6a06a402007-07-15 20:15:28 +02007334
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073357.2. Matching strings
7336---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007337
7338String matching applies to verbatim strings as they are passed, with the
7339exception of the backslash ("\") which makes it possible to escape some
7340characters such as the space. If the "-i" flag is passed before the first
7341string, then the matching will be performed ignoring the case. In order
7342to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01007343before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02007344
7345
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073467.3. Matching regular expressions (regexes)
7347-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007348
7349Just like with string matching, regex matching applies to verbatim strings as
7350they are passed, with the exception of the backslash ("\") which makes it
7351possible to escape some characters such as the space. If the "-i" flag is
7352passed before the first regex, then the matching will be performed ignoring
7353the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01007354the "--" flag before the first string. Same principle applies of course to
7355match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02007356
7357
Willy Tarreauceb4ac92012-04-28 00:41:46 +020073587.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007359----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007360
7361IPv4 addresses values can be specified either as plain addresses or with a
7362netmask appended, in which case the IPv4 address matches whenever it is
7363within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007364host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01007365difficult to read and debug configurations. If hostnames are used, you should
7366at least ensure that they are present in /etc/hosts so that the configuration
7367does not depend on any random DNS match at the moment the configuration is
7368parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007369
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007370IPv6 may be entered in their usual form, with or without a netmask appended.
7371Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
7372trouble with randomly resolved IP addresses, host names are never allowed in
7373IPv6 patterns.
7374
7375HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
7376following situations :
7377 - tested address is IPv4, pattern address is IPv4, the match applies
7378 in IPv4 using the supplied mask if any.
7379 - tested address is IPv6, pattern address is IPv6, the match applies
7380 in IPv6 using the supplied mask if any.
7381 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
7382 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
7383 ::IPV4 or ::ffff:IPV4, otherwise it fails.
7384 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
7385 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
7386 applied in IPv6 using the supplied IPv6 mask.
7387
Willy Tarreau6a06a402007-07-15 20:15:28 +02007388
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073897.5. Available matching criteria
7390--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007391
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073927.5.1. Matching at Layer 4 and below
7393------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01007394
7395A first set of criteria applies to information which does not require any
7396analysis of the request or response contents. Those generally include TCP/IP
Jamie Gloudon801a0a32012-08-25 00:18:33 -04007397addresses and ports, as well as internal values independent on the stream.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007398
Willy Tarreau6a06a402007-07-15 20:15:28 +02007399always_false
7400 This one never matches. All values and flags are ignored. It may be used as
7401 a temporary replacement for another one when adjusting configurations.
7402
7403always_true
7404 This one always matches. All values and flags are ignored. It may be used as
7405 a temporary replacement for another one when adjusting configurations.
7406
Willy Tarreaud63335a2010-02-26 12:56:52 +01007407avg_queue <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007408avg_queue(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007409 Returns the total number of queued connections of the designated backend
7410 divided by the number of active servers. This is very similar to "queue"
7411 except that the size of the farm is considered, in order to give a more
7412 accurate measurement of the time it may take for a new connection to be
7413 processed. The main usage is to return a sorry page to new users when it
7414 becomes certain they will get a degraded service. Note that in the event
7415 there would not be any active server anymore, we would consider twice the
7416 number of queued connections as the measured value. This is a fair estimate,
7417 as we expect one server to get back soon anyway, but we still prefer to send
7418 new traffic to another backend if in better shape. See also the "queue",
7419 "be_conn", and "be_sess_rate" criteria.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +01007420
Willy Tarreaua36af912009-10-10 12:02:45 +02007421be_conn <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007422be_conn(<backend>) <integer>
Willy Tarreaua36af912009-10-10 12:02:45 +02007423 Applies to the number of currently established connections on the backend,
7424 possibly including the connection being evaluated. If no backend name is
7425 specified, the current one is used. But it is also possible to check another
7426 backend. It can be used to use a specific farm when the nominal one is full.
7427 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007428
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +01007429be_id <integer>
7430 Applies to the backend's id. Can be used in frontends to check from which
7431 backend it was called.
7432
Willy Tarreaud63335a2010-02-26 12:56:52 +01007433be_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007434be_sess_rate(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007435 Returns true when the sessions creation rate on the backend matches the
7436 specified values or ranges, in number of new sessions per second. This is
7437 used to switch to an alternate backend when an expensive or fragile one
7438 reaches too high a session rate, or to limit abuse of service (eg. prevent
7439 sucking of an online dictionary).
7440
7441 Example :
7442 # Redirect to an error page if the dictionary is requested too often
7443 backend dynamic
7444 mode http
7445 acl being_scanned be_sess_rate gt 100
7446 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +01007447
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007448connslots <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007449connslots(<backend>) <integer>
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007450 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02007451 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007452 usage; see "use_backend" keyword) can be redirected to a different backend.
7453
Willy Tarreau55165fe2009-05-10 12:02:55 +02007454 'connslots' = number of available server connection slots, + number of
7455 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007456
Willy Tarreaua36af912009-10-10 12:02:45 +02007457 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +02007458 useful when you have a case of traffic going to one single ip, splitting into
7459 multiple backends (perhaps using acls to do name-based load balancing) and
7460 you want to be able to differentiate between different backends, and their
7461 available "connslots". Also, whereas "nbsrv" only measures servers that are
7462 actually *down*, this acl is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +02007463 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007464
Willy Tarreau55165fe2009-05-10 12:02:55 +02007465 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
7466 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
7467 then this acl clearly does not make sense, in which case the value returned
7468 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007469
Willy Tarreaud63335a2010-02-26 12:56:52 +01007470dst <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007471 Applies to the local IPv4 or IPv6 address the client connected to. It can be
7472 used to switch to a different backend for some alternative addresses.
Willy Tarreaua36af912009-10-10 12:02:45 +02007473
Willy Tarreaud63335a2010-02-26 12:56:52 +01007474dst_conn <integer>
7475 Applies to the number of currently established connections on the same socket
7476 including the one being evaluated. It can be used to either return a sorry
7477 page before hard-blocking, or to use a specific backend to drain new requests
7478 when the socket is considered saturated. This offers the ability to assign
7479 different limits to different listening ports or addresses. See also the
7480 "fe_conn" and "be_conn" criteria.
7481
7482dst_port <integer>
7483 Applies to the local port the client connected to. It can be used to switch
7484 to a different backend for some alternative ports.
7485
7486fe_conn <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007487fe_conn(<frontend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007488 Applies to the number of currently established connections on the frontend,
7489 possibly including the connection being evaluated. If no frontend name is
7490 specified, the current one is used. But it is also possible to check another
7491 frontend. It can be used to either return a sorry page before hard-blocking,
7492 or to use a specific backend to drain new requests when the farm is
7493 considered saturated. See also the "dst_conn", "be_conn" and "fe_sess_rate"
7494 criteria.
7495
7496fe_id <integer>
Cyril Bonté78caf842010-03-10 22:41:43 +01007497 Applies to the frontend's id. Can be used in backends to check from which
Willy Tarreaud63335a2010-02-26 12:56:52 +01007498 frontend it was called.
Willy Tarreaua36af912009-10-10 12:02:45 +02007499
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007500fe_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007501fe_sess_rate(<frontend>) <integer>
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007502 Returns true when the session creation rate on the current or the named
7503 frontend matches the specified values or ranges, expressed in new sessions
7504 per second. This is used to limit the connection rate to acceptable ranges in
7505 order to prevent abuse of service at the earliest moment. This can be
7506 combined with layer 4 ACLs in order to force the clients to wait a bit for
7507 the rate to go down below the limit.
7508
7509 Example :
7510 # This frontend limits incoming mails to 10/s with a max of 100
7511 # concurrent connections. We accept any connection below 10/s, and
7512 # force excess clients to wait for 100 ms. Since clients are limited to
7513 # 100 max, there cannot be more than 10 incoming mails per second.
7514 frontend mail
7515 bind :25
7516 mode tcp
7517 maxconn 100
7518 acl too_fast fe_sess_rate ge 10
7519 tcp-request inspect-delay 100ms
7520 tcp-request content accept if ! too_fast
7521 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +01007522
Willy Tarreaud63335a2010-02-26 12:56:52 +01007523nbsrv <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007524nbsrv(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007525 Returns true when the number of usable servers of either the current backend
7526 or the named backend matches the values or ranges specified. This is used to
7527 switch to an alternate backend when the number of servers is too low to
7528 to handle some load. It is useful to report a failure when combined with
7529 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007530
Willy Tarreaud63335a2010-02-26 12:56:52 +01007531queue <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007532queue(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007533 Returns the total number of queued connections of the designated backend,
7534 including all the connections in server queues. If no backend name is
7535 specified, the current one is used, but it is also possible to check another
7536 one. This can be used to take actions when queuing goes above a known level,
7537 generally indicating a surge of traffic or a massive slowdown on the servers.
7538 One possible action could be to reject new users but still accept old ones.
7539 See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
7540
Willy Tarreaue9656522010-08-17 15:40:09 +02007541sc1_bytes_in_rate
7542sc2_bytes_in_rate
7543 Returns the average client-to-server bytes rate from the currently tracked
7544 counters, measured in amount of bytes over the period configured in the
7545 table. See also src_bytes_in_rate.
7546
7547sc1_bytes_out_rate
7548sc2_bytes_out_rate
7549 Returns the average server-to-client bytes rate from the currently tracked
7550 counters, measured in amount of bytes over the period configured in the
7551 table. See also src_bytes_out_rate.
7552
Willy Tarreauf73cd112011-08-13 01:45:16 +02007553sc1_clr_gpc0
7554sc2_clr_gpc0
7555 Clears the first General Purpose Counter associated to the currently tracked
7556 counters, and returns its previous value. Before the first invocation, the
7557 stored value is zero, so first invocation will always return zero. The test
7558 can also be used alone and always returns true. This is typically used as a
7559 second ACL in an expression in order to mark a connection when a first ACL
7560 was verified :
7561
7562 # block if 5 consecutive requests continue to come faster than 10 sess
7563 # per second, and reset the counter as soon as the traffic slows down.
7564 acl abuse sc1_http_req_rate gt 10
7565 acl kill sc1_inc_gpc0 gt 5
7566 acl save sc1_clr_gpc0
7567 tcp-request connection accept if !abuse save
7568 tcp-request connection reject if abuse kill
7569
Willy Tarreaue9656522010-08-17 15:40:09 +02007570sc1_conn_cnt
7571sc2_conn_cnt
7572 Returns the cumulated number of incoming connections from currently tracked
7573 counters. See also src_conn_cnt.
7574
7575sc1_conn_cur
7576sc2_conn_cur
7577 Returns the current amount of concurrent connections tracking the same
7578 tracked counters. This number is automatically incremented when tracking
7579 begins and decremented when tracking stops. See also src_conn_cur.
7580
7581sc1_conn_rate
7582sc2_conn_rate
7583 Returns the average connection rate from the currently tracked counters,
7584 measured in amount of connections over the period configured in the table.
7585 See also src_conn_rate.
7586
7587sc1_get_gpc0
7588sc2_get_gpc0
7589 Returns the value of the first General Purpose Counter associated to the
7590 currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0.
7591
7592sc1_http_err_cnt
7593sc2_http_err_cnt
7594 Returns the cumulated number of HTTP errors from the currently tracked
7595 counters. This includes the both request errors and 4xx error responses.
7596 See also src_http_err_cnt.
7597
7598sc1_http_err_rate
7599sc2_http_err_rate
7600 Returns the average rate of HTTP errors from the currently tracked counters,
7601 measured in amount of errors over the period configured in the table. This
7602 includes the both request errors and 4xx error responses. See also
7603 src_http_err_rate.
7604
7605sc1_http_req_cnt
7606sc2_http_req_cnt
7607 Returns the cumulated number of HTTP requests from the currently tracked
7608 counters. This includes every started request, valid or not. See also
7609 src_http_req_cnt.
7610
7611sc1_http_req_rate
7612sc2_http_req_rate
7613 Returns the average rate of HTTP requests from the currently tracked
7614 counters, measured in amount of requests over the period configured in
7615 the table. This includes every started request, valid or not. See also
7616 src_http_req_rate.
7617
7618sc1_inc_gpc0
7619sc2_inc_gpc0
7620 Increments the first General Purpose Counter associated to the currently
7621 tracked counters, and returns its value. Before the first invocation, the
7622 stored value is zero, so first invocation will increase it to 1 and will
7623 return 1. The test can also be used alone and always returns true. This is
7624 typically used as a second ACL in an expression in order to mark a connection
7625 when a first ACL was verified :
7626
7627 acl abuse sc1_http_req_rate gt 10
7628 acl kill sc1_inc_gpc0
7629 tcp-request connection reject if abuse kill
7630
7631sc1_kbytes_in
7632sc2_kbytes_in
7633 Returns the amount of client-to-server data from the currently tracked
7634 counters, measured in kilobytes over the period configured in the table. The
7635 test is currently performed on 32-bit integers, which limits values to 4
7636 terabytes. See also src_kbytes_in.
7637
7638sc1_kbytes_out
7639sc2_kbytes_out
7640 Returns the amount of server-to-client data from the currently tracked
7641 counters, measured in kilobytes over the period configured in the table. The
7642 test is currently performed on 32-bit integers, which limits values to 4
7643 terabytes. See also src_kbytes_out.
7644
7645sc1_sess_cnt
7646sc2_sess_cnt
7647 Returns the cumulated number of incoming connections that were transformed
7648 into sessions, which means that they were accepted by a "tcp-request
7649 connection" rule, from the currently tracked counters. A backend may count
7650 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007651 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +02007652 with the client. See also src_sess_cnt.
7653
7654sc1_sess_rate
7655sc2_sess_rate
7656 Returns the average session rate from the currently tracked counters,
7657 measured in amount of sessions over the period configured in the table. A
7658 session is a connection that got past the early "tcp-request connection"
7659 rules. A backend may count more sessions than connections because each
7660 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007661 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +02007662
Willy Tarreaud63335a2010-02-26 12:56:52 +01007663so_id <integer>
7664 Applies to the socket's id. Useful in frontends with many bind keywords.
7665
7666src <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007667 Applies to the client's IPv4 or IPv6 address. It is usually used to limit
7668 access to certain resources such as statistics. Note that it is the TCP-level
7669 source address which is used, and not the address of a client behind a proxy.
Willy Tarreaud63335a2010-02-26 12:56:52 +01007670
Willy Tarreauc9705a12010-07-27 20:05:50 +02007671src_bytes_in_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007672src_bytes_in_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007673 Returns the average bytes rate from the connection's source IPv4 address in
7674 the current proxy's stick-table or in the designated stick-table, measured in
7675 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02007676 not found, zero is returned. See also sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007677
7678src_bytes_out_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007679src_bytes_out_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007680 Returns the average bytes rate to the connection's source IPv4 address in the
7681 current proxy's stick-table or in the designated stick-table, measured in
7682 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02007683 not found, zero is returned. See also sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007684
Willy Tarreauf73cd112011-08-13 01:45:16 +02007685src_clr_gpc0 <integer>
7686src_clr_gpc0(<table>) <integer>
7687 Clears the first General Purpose Counter associated to the connection's
7688 source IPv4 address in the current proxy's stick-table or in the designated
7689 stick-table, and returns its previous value. If the address is not found, an
7690 entry is created and 0 is returned. The test can also be used alone and
7691 always returns true. This is typically used as a second ACL in an expression
7692 in order to mark a connection when a first ACL was verified :
7693
7694 # block if 5 consecutive requests continue to come faster than 10 sess
7695 # per second, and reset the counter as soon as the traffic slows down.
7696 acl abuse src_http_req_rate gt 10
7697 acl kill src_inc_gpc0 gt 5
7698 acl save src_clr_gpc0
7699 tcp-request connection accept if !abuse save
7700 tcp-request connection reject if abuse kill
7701
Willy Tarreauc9705a12010-07-27 20:05:50 +02007702src_conn_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007703src_conn_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007704 Returns the cumulated number of connections initiated from the current
7705 connection's source IPv4 address in the current proxy's stick-table or in
7706 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02007707 See also sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007708
7709src_conn_cur <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007710src_conn_cur(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007711 Returns the current amount of concurrent connections initiated from the
7712 current connection's source IPv4 address in the current proxy's stick-table
7713 or in the designated stick-table. If the address is not found, zero is
Willy Tarreaue9656522010-08-17 15:40:09 +02007714 returned. See also sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007715
7716src_conn_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007717src_conn_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007718 Returns the average connection rate from the connection's source IPv4 address
7719 in the current proxy's stick-table or in the designated stick-table, measured
7720 in amount of connections over the period configured in the table. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02007721 address is not found, zero is returned. See also sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007722
7723src_get_gpc0 <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007724src_get_gpc0(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007725 Returns the value of the first General Purpose Counter associated to the
7726 connection's source IPv4 address in the current proxy's stick-table or in
7727 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02007728 See also sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007729
7730src_http_err_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007731src_http_err_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007732 Returns the cumulated number of HTTP errors from the current connection's
7733 source IPv4 address in the current proxy's stick-table or in the designated
7734 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreaue9656522010-08-17 15:40:09 +02007735 If the address is not found, zero is returned. See also sc1/sc2_http_err_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007736
7737src_http_err_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007738src_http_err_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007739 Returns the average rate of HTTP errors from the current connection's source
7740 IPv4 address in the current proxy's stick-table or in the designated stick-
7741 table, measured in amount of errors over the period configured in the table.
7742 This includes the both request errors and 4xx error responses. If the address
Willy Tarreaue9656522010-08-17 15:40:09 +02007743 is not found, zero is returned. See also sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007744
7745src_http_req_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007746src_http_req_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007747 Returns the cumulated number of HTTP requests from the current connection's
7748 source IPv4 address in the current proxy's stick-table or in the designated
7749 stick-table. This includes every started request, valid or not. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02007750 address is not found, zero is returned. See also sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007751
7752src_http_req_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007753src_http_req_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007754 Returns the average rate of HTTP requests from the current connection's
7755 source IPv4 address in the current proxy's stick-table or in the designated
7756 stick-table, measured in amount of requests over the period configured in the
7757 table. This includes every started request, valid or not. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02007758 not found, zero is returned. See also sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007759
7760src_inc_gpc0 <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007761src_inc_gpc0(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007762 Increments the first General Purpose Counter associated to the connection's
7763 source IPv4 address in the current proxy's stick-table or in the designated
7764 stick-table, and returns its value. If the address is not found, an entry is
7765 created and 1 is returned. The test can also be used alone and always returns
7766 true. This is typically used as a second ACL in an expression in order to
7767 mark a connection when a first ACL was verified :
7768
7769 acl abuse src_http_req_rate gt 10
7770 acl kill src_inc_gpc0
Willy Tarreaue9656522010-08-17 15:40:09 +02007771 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +02007772
7773src_kbytes_in <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007774src_kbytes_in(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007775 Returns the amount of data received from the connection's source IPv4 address
7776 in the current proxy's stick-table or in the designated stick-table, measured
7777 in kilobytes over the period configured in the table. If the address is not
7778 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02007779 which limits values to 4 terabytes. See also sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007780
7781src_kbytes_out <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007782src_kbytes_out(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007783 Returns the amount of data sent to the connection's source IPv4 address in
7784 the current proxy's stick-table or in the designated stick-table, measured
7785 in kilobytes over the period configured in the table. If the address is not
7786 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02007787 which limits values to 4 terabytes. See also sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007788
Willy Tarreaud63335a2010-02-26 12:56:52 +01007789src_port <integer>
7790 Applies to the client's TCP source port. This has a very limited usage.
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007791
Willy Tarreauc9705a12010-07-27 20:05:50 +02007792src_sess_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007793src_sess_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007794 Returns the cumulated number of connections initiated from the current
7795 connection's source IPv4 address in the current proxy's stick-table or in the
7796 designated stick-table, that were transformed into sessions, which means that
7797 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreaue9656522010-08-17 15:40:09 +02007798 is returned. See also sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007799
7800src_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007801src_sess_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007802 Returns the average session rate from the connection's source IPv4 address in
7803 the current proxy's stick-table or in the designated stick-table, measured in
7804 amount of sessions over the period configured in the table. A session is a
7805 connection that got past the early "tcp-request" rules. If the address is not
Willy Tarreaue9656522010-08-17 15:40:09 +02007806 found, zero is returned. See also sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007807
7808src_updt_conn_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007809src_updt_conn_cnt(<table>) <integer>
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007810 Creates or updates the entry associated to the source IPv4 address in the
Willy Tarreauc9705a12010-07-27 20:05:50 +02007811 current proxy's stick-table or in the designated stick-table. This table
7812 must be configured to store the "conn_cnt" data type, otherwise the match
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007813 will be ignored. The current count is incremented by one, and the expiration
7814 timer refreshed. The updated count is returned, so this match can't return
7815 zero. This is used to reject service abusers based on their source address.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007816 Note: it is recommended to use the more complete "track-counters" instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007817
7818 Example :
7819 # This frontend limits incoming SSH connections to 3 per 10 second for
7820 # each source address, and rejects excess connections until a 10 second
7821 # silence is observed. At most 20 addresses are tracked.
7822 listen ssh
7823 bind :22
7824 mode tcp
7825 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +02007826 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007827 tcp-request content reject if { src_update_count gt 3 }
7828 server local 127.0.0.1:22
7829
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007830srv_conn(<backend>/<server>) <integer>
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +02007831 Applies to the number of currently established connections on the server,
7832 possibly including the connection being evaluated.
7833 It can be used to use a specific farm when one server is full.
7834 See also the "fe_conn", "be_conn" and "queue" criteria.
7835
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +01007836srv_id <integer>
7837 Applies to the server's id. Can be used in frontends or backends.
7838
Willy Tarreau0b1cd942010-05-16 22:18:27 +02007839srv_is_up(<server>)
7840srv_is_up(<backend>/<server>)
7841 Returns true when the designated server is UP, and false when it is either
7842 DOWN or in maintenance mode. If <backend> is omitted, then the server is
7843 looked up in the current backend. The function takes no arguments since it
7844 is used as a boolean. It is mainly used to take action based on an external
7845 status reported via a health check (eg: a geographical site's availability).
7846 Another possible use which is more of a hack consists in using dummy servers
7847 as boolean variables that can be enabled or disabled from the CLI, so that
7848 rules depending on those ACLs can be tweaked in realtime.
7849
Willy Tarreauc735a072011-03-29 00:57:02 +02007850table_avl <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007851table_avl(<table>) <integer>
Willy Tarreauc735a072011-03-29 00:57:02 +02007852 Returns the total number of available entries in the current proxy's
7853 stick-table or in the designated stick-table. See also table_cnt.
7854
7855table_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007856table_cnt(<table>) <integer>
Willy Tarreauc735a072011-03-29 00:57:02 +02007857 Returns the total number of entries currently in use in the current proxy's
7858 stick-table or in the designated stick-table. See also src_conn_cnt and
7859 table_avl for other entry counting methods.
7860
Willy Tarreau0ba27502007-12-24 16:55:16 +01007861
Willy Tarreaue9656522010-08-17 15:40:09 +020078627.5.2. Matching contents at Layer 4 (also called Layer 6)
7863---------------------------------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02007864
7865A second set of criteria depends on data found in buffers, but which can change
7866during analysis. This requires that some data has been buffered, for instance
Willy Tarreaue9656522010-08-17 15:40:09 +02007867through TCP request content inspection. Please see the "tcp-request content"
7868keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +02007869
Willy Tarreaub6672b52011-12-12 17:23:41 +01007870rep_ssl_hello_type <integer>
7871 Returns true when data in the response buffer looks like a complete SSL (v3
7872 or superior) hello message and handshake type is equal to <integer>.
7873 This test was designed to be used with TCP response content inspection: a
7874 SSL session ID may be fetched.
7875
Willy Tarreau62644772008-07-16 18:36:06 +02007876req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02007877 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02007878 specified range. It is important to understand that this test does not
7879 return false as long as the buffer is changing. This means that a check with
7880 equality to zero will almost always immediately match at the beginning of the
7881 session, while a test for more data will wait for that data to come in and
7882 return false only when haproxy is certain that no more data will come in.
7883 This test was designed to be used with TCP request content inspection.
7884
Willy Tarreau2492d5b2009-07-11 00:06:00 +02007885req_proto_http
7886 Returns true when data in the request buffer look like HTTP and correctly
7887 parses as such. It is the same parser as the common HTTP request parser which
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007888 is used so there should be no surprises. This test can be used for instance
Willy Tarreau2492d5b2009-07-11 00:06:00 +02007889 to direct HTTP traffic to a given port and HTTPS traffic to another one
7890 using TCP request content inspection rules.
7891
Emeric Brunbede3d02009-06-30 17:54:00 +02007892req_rdp_cookie <string>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007893req_rdp_cookie(<name>) <string>
Emeric Brunbede3d02009-06-30 17:54:00 +02007894 Returns true when data in the request buffer look like the RDP protocol, and
7895 a cookie is present and equal to <string>. By default, any cookie name is
7896 checked, but a specific cookie name can be specified in parenthesis. The
7897 parser only checks for the first cookie, as illustrated in the RDP protocol
7898 specification. The cookie name is case insensitive. This ACL can be useful
7899 with the "MSTS" cookie, as it can contain the user name of the client
7900 connecting to the server if properly configured on the client. This can be
7901 used to restrict access to certain servers to certain users.
7902
7903req_rdp_cookie_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007904req_rdp_cookie_cnt(<name>) <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02007905 Returns true when the data in the request buffer look like the RDP protocol
7906 and the number of RDP cookies matches the specified range (typically zero or
7907 one). Optionally a specific cookie name can be checked. This is a simple way
7908 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
7909 cookies.
7910
Willy Tarreaub6672b52011-12-12 17:23:41 +01007911req_ssl_hello_type <integer>
7912 Returns true when data in the request buffer looks like a complete SSL (v3
7913 or superior) hello message and handshake type is equal to <integer>.
7914 This test was designed to be used with TCP request content inspection: an
7915 SSL session ID may be fetched.
7916
7917req_ssl_sni <string>
7918 Returns true when data in the request buffer looks like a complete SSL (v3
7919 or superior) client hello message with a Server Name Indication TLS extension
7920 (SNI) matching <string>. SNI normally contains the name of the host the
7921 client tries to connect to (for recent browsers). SNI is useful for allowing
7922 or denying access to certain hosts when SSL/TLS is used by the client. This
7923 test was designed to be used with TCP request content inspection. If content
7924 switching is needed, it is recommended to first wait for a complete client
7925 hello (type 1), like in the example below.
7926
7927 Examples :
7928 # Wait for a client hello for at most 5 seconds
7929 tcp-request inspect-delay 5s
7930 tcp-request content accept if { req_ssl_hello_type 1 }
7931 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
7932 default_backend bk_sorry_page
7933
Willy Tarreau62644772008-07-16 18:36:06 +02007934req_ssl_ver <decimal>
7935 Returns true when data in the request buffer look like SSL, with a protocol
7936 version matching the specified range. Both SSLv2 hello messages and SSLv3
7937 messages are supported. The test tries to be strict enough to avoid being
7938 easily fooled. In particular, it waits for as many bytes as announced in the
7939 message header if this header looks valid (bound to the buffer size). Note
7940 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
7941 with TCP request content inspection.
7942
Willy Tarreaub6fb4202008-07-20 11:18:28 +02007943wait_end
7944 Waits for the end of the analysis period to return true. This may be used in
7945 conjunction with content analysis to avoid returning a wrong verdict early.
7946 It may also be used to delay some actions, such as a delayed reject for some
7947 special addresses. Since it either stops the rules evaluation or immediately
7948 returns true, it is recommended to use this acl as the last one in a rule.
7949 Please note that the default ACL "WAIT_END" is always usable without prior
7950 declaration. This test was designed to be used with TCP request content
7951 inspection.
7952
7953 Examples :
7954 # delay every incoming request by 2 seconds
7955 tcp-request inspect-delay 2s
7956 tcp-request content accept if WAIT_END
7957
7958 # don't immediately tell bad guys they are rejected
7959 tcp-request inspect-delay 10s
7960 acl goodguys src 10.0.0.0/24
7961 acl badguys src 10.0.1.0/24
7962 tcp-request content accept if goodguys
7963 tcp-request content reject if badguys WAIT_END
7964 tcp-request content reject
7965
Willy Tarreau62644772008-07-16 18:36:06 +02007966
Willy Tarreauc57f0e22009-05-10 13:12:33 +020079677.5.3. Matching at Layer 7
7968--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01007969
Willy Tarreau62644772008-07-16 18:36:06 +02007970A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01007971application layer (layer 7). Those require that a full HTTP request has been
7972read, and are only evaluated then. They may require slightly more CPU resources
7973than the layer 4 ones, but not much since the request and response are indexed.
7974
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02007975base <string>
7976 Returns true when the concatenation of the first Host header and the path
7977 part of the request, which starts at the first slash and ends before the
7978 question mark, equals one of the strings. It may be used to match known
7979 files in virtual hosting environments, such as "www.example.com/favicon.ico".
7980 See also "path" and "uri".
7981
7982base_beg <string>
7983 Returns true when the base (see above) begins with one of the strings. This
7984 can be used to send certain directory names to alternative backends. See also
7985 "path_beg".
7986
7987base_dir <string>
7988 Returns true when one of the strings is found isolated or delimited with
7989 slashes in the base (see above). Probably of little use, see "url_dir" and
7990 "path_dir" instead.
7991
7992base_dom <string>
7993 Returns true when one of the strings is found isolated or delimited with dots
7994 in the base (see above). Probably of little use, see "path_dom" and "url_dom"
7995 instead.
7996
7997base_end <string>
7998 Returns true when the base (see above) ends with one of the strings. This may
7999 be used to control file name extension, though "path_end" is cheaper.
8000
8001base_len <integer>
8002 Returns true when the base (see above) length matches the values or ranges
8003 specified. This may be used to detect abusive requests for instance.
8004
8005base_reg <regex>
8006 Returns true when the base (see above) matches one of the regular
8007 expressions. It can be used any time, but it is important to remember that
8008 regex matching is slower than other methods. See also "path_reg", "url_reg"
8009 and all "base_" criteria.
8010
8011base_sub <string>
8012 Returns true when the base (see above) contains one of the strings. It can be
8013 used to detect particular patterns in paths, such as "../" for example. See
8014 also "base_dir".
8015
Willy Tarreau04aa6a92012-04-06 18:57:55 +02008016cook(<name>) <string>
8017 All "cook*" matching criteria inspect all "Cookie" headers to find a cookie
8018 with the name between parenthesis. If multiple occurrences of the cookie are
8019 found in the request, they will all be evaluated. Spaces around the name and
8020 the value are ignored as requested by the Cookie specification (RFC6265). The
8021 cookie name is case-sensitive. Use the scook() variant for response cookies
8022 sent by the server.
8023
8024 The "cook" criteria returns true if any of the request cookies <name> match
8025 any of the strings. This can be used to check exact for values. For instance,
8026 checking that the "profile" cookie is set to either "silver" or "gold" :
8027
8028 cook(profile) silver gold
8029
8030cook_beg(<name>) <string>
8031 Returns true if any of the request cookies <name> begins with one of the
8032 strings. See "cook" for more information on cookie matching. Use the
8033 scook_beg() variant for response cookies sent by the server.
8034
8035cook_cnt(<name>) <integer>
8036 Returns true when the number of occurrences of the specified cookie matches
8037 the values or ranges specified. This is used to detect presence, absence or
8038 abuse of a specific cookie. See "cook" for more information on header
8039 matching. Use the scook_cnt() variant for response cookies sent by the
8040 server.
8041
8042cook_dir(<name>) <string>
8043 Returns true if any of the request cookies <name> contains one of the strings
8044 either isolated or delimited by slashes. This is used to perform filename or
8045 directory name matching, though it generally is of limited use with cookies.
8046 See "cook" for more information on cookie matching. Use the scook_dir()
8047 variant for response cookies sent by the server.
8048
8049cook_dom(<name>) <string>
8050 Returns true if any of the request cookies <name> contains one of the strings
8051 either isolated or delimited by dots. This is used to perform domain name
8052 matching. See "cook" for more information on cookie matching. Use the
8053 scook_dom() variant for response cookies sent by the server.
8054
8055cook_end(<name>) <string>
8056 Returns true if any of the request cookies <name> ends with one of the
8057 strings. See "cook" for more information on cookie matching. Use the
8058 scook_end() variant for response cookies sent by the server.
8059
8060cook_len(<name>) <integer>
8061 Returns true if any of the request cookies <name> has a length which matches
8062 the values or ranges specified. This may be used to detect empty or too large
8063 cookie values. Note that an absent cookie does not match a zero-length test.
8064 See "cook" for more information on cookie matching. Use the scook_len()
8065 variant for response cookies sent by the server.
8066
8067cook_reg(<name>) <regex>
8068 Returns true if any of the request cookies <name> matches any of the regular
8069 expressions. It can be used at any time, but it is important to remember that
8070 regex matching is slower than other methods. See also other "cook_" criteria,
8071 as well as "cook" for more information on cookie matching. Use the
8072 scook_reg() variant for response cookies sent by the server.
8073
8074cook_sub(<name>) <string>
8075 Returns true if any of the request cookies <name> contains at least one of
8076 the strings. See "cook" for more information on cookie matching. Use the
8077 scook_sub() variant for response cookies sent by the server.
8078
Willy Tarreau51539362012-05-08 12:46:28 +02008079cook_val(<name>) <integer>
8080 Returns true if any of the request cookies <name> starts with a number which
8081 matches the values or ranges specified. This may be used to select a server
8082 based on application-specific cookies. Note that an absent cookie does not
8083 match any value. See "cook" for more information on cookie matching. Use the
8084 scook_val() variant for response cookies sent by the server.
8085
Willy Tarreaud63335a2010-02-26 12:56:52 +01008086hdr <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008087hdr(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008088 Note: all the "hdr*" matching criteria either apply to all headers, or to a
8089 particular header whose name is passed between parenthesis and without any
8090 space. The header name is not case-sensitive. The header matching complies
8091 with RFC2616, and treats as separate headers all values delimited by commas.
Willy Tarreau185b5c42012-04-26 15:11:51 +02008092 If an occurrence number is specified as the optional second argument, only
8093 this occurrence will be considered. Positive values indicate a position from
8094 the first occurrence, 1 being the first one. Negative values indicate
8095 positions relative to the last one, -1 being the last one. Use the shdr()
8096 variant for response headers sent by the server.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008097
8098 The "hdr" criteria returns true if any of the headers matching the criteria
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008099 match any of the strings. This can be used to check for exact values. For
Willy Tarreaud63335a2010-02-26 12:56:52 +01008100 instance, checking that "connection: close" is set :
8101
8102 hdr(Connection) -i close
8103
8104hdr_beg <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008105hdr_beg(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008106 Returns true when one of the headers begins with one of the strings. See
8107 "hdr" for more information on header matching. Use the shdr_beg() variant for
8108 response headers sent by the server.
8109
8110hdr_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008111hdr_cnt(<header>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008112 Returns true when the number of occurrence of the specified header matches
8113 the values or ranges specified. It is important to remember that one header
8114 line may count as several headers if it has several values. This is used to
8115 detect presence, absence or abuse of a specific header, as well as to block
8116 request smuggling attacks by rejecting requests which contain more than one
8117 of certain headers. See "hdr" for more information on header matching. Use
8118 the shdr_cnt() variant for response headers sent by the server.
8119
8120hdr_dir <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008121hdr_dir(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008122 Returns true when one of the headers contains one of the strings either
8123 isolated or delimited by slashes. This is used to perform filename or
8124 directory name matching, and may be used with Referer. See "hdr" for more
8125 information on header matching. Use the shdr_dir() variant for response
8126 headers sent by the server.
8127
8128hdr_dom <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008129hdr_dom(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008130 Returns true when one of the headers contains one of the strings either
8131 isolated or delimited by dots. This is used to perform domain name matching,
8132 and may be used with the Host header. See "hdr" for more information on
8133 header matching. Use the shdr_dom() variant for response headers sent by the
8134 server.
8135
8136hdr_end <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008137hdr_end(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008138 Returns true when one of the headers ends with one of the strings. See "hdr"
8139 for more information on header matching. Use the shdr_end() variant for
8140 response headers sent by the server.
8141
8142hdr_ip <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008143hdr_ip(<header>[,<occ>]) <address>
8144 Returns true when one of the headers' values contains an IPv4 or IPv6 address
8145 matching <address>. This is mainly used with headers such as X-Forwarded-For
8146 or X-Client-IP. See "hdr" for more information on header matching. Use the
Willy Tarreaud63335a2010-02-26 12:56:52 +01008147 shdr_ip() variant for response headers sent by the server.
8148
Willy Tarreau0e698542011-09-16 08:32:32 +02008149hdr_len <integer>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008150hdr_len(<header>[,<occ>]) <integer>
Willy Tarreau0e698542011-09-16 08:32:32 +02008151 Returns true when at least one of the headers has a length which matches the
8152 values or ranges specified. This may be used to detect empty or too large
8153 headers. See "hdr" for more information on header matching. Use the
8154 shdr_len() variant for response headers sent by the server.
8155
Willy Tarreaud63335a2010-02-26 12:56:52 +01008156hdr_reg <regex>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008157hdr_reg(<header>[,<occ>]) <regex>
Willy Tarreau04aa6a92012-04-06 18:57:55 +02008158 Returns true it one of the headers matches one of the regular expressions. It
Willy Tarreaud63335a2010-02-26 12:56:52 +01008159 can be used at any time, but it is important to remember that regex matching
8160 is slower than other methods. See also other "hdr_" criteria, as well as
8161 "hdr" for more information on header matching. Use the shdr_reg() variant for
8162 response headers sent by the server.
8163
8164hdr_sub <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008165hdr_sub(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008166 Returns true when one of the headers contains one of the strings. See "hdr"
8167 for more information on header matching. Use the shdr_sub() variant for
8168 response headers sent by the server.
8169
8170hdr_val <integer>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008171hdr_val(<header>[,<occ>]) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008172 Returns true when one of the headers starts with a number which matches the
8173 values or ranges specified. This may be used to limit content-length to
8174 acceptable values for example. See "hdr" for more information on header
8175 matching. Use the shdr_val() variant for response headers sent by the server.
8176
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008177http_auth(<userlist>)
8178http_auth_group(<userlist>) <group> [<group>]*
Willy Tarreaud63335a2010-02-26 12:56:52 +01008179 Returns true when authentication data received from the client matches
8180 username & password stored on the userlist. It is also possible to
8181 use http_auth_group to check if the user is assigned to at least one
8182 of specified groups.
8183
8184 Currently only http basic auth is supported.
8185
Willy Tarreau85c27da2011-09-16 07:53:52 +02008186http_first_req
Willy Tarreau7f18e522010-10-22 20:04:13 +02008187 Returns true when the request being processed is the first one of the
8188 connection. This can be used to add or remove headers that may be missing
8189 from some requests when a request is not the first one, or even to perform
8190 some specific ACL checks only on the first request.
8191
Willy Tarreau6a06a402007-07-15 20:15:28 +02008192method <string>
8193 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
8194 already check for most common methods.
8195
Willy Tarreau6a06a402007-07-15 20:15:28 +02008196path <string>
8197 Returns true when the path part of the request, which starts at the first
8198 slash and ends before the question mark, equals one of the strings. It may be
8199 used to match known files, such as /favicon.ico.
8200
8201path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01008202 Returns true when the path begins with one of the strings. This can be used
8203 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008204
Willy Tarreau6a06a402007-07-15 20:15:28 +02008205path_dir <string>
8206 Returns true when one of the strings is found isolated or delimited with
8207 slashes in the path. This is used to perform filename or directory name
8208 matching without the risk of wrong match due to colliding prefixes. See also
8209 "url_dir" and "path_sub".
8210
8211path_dom <string>
8212 Returns true when one of the strings is found isolated or delimited with dots
8213 in the path. This may be used to perform domain name matching in proxy
8214 requests. See also "path_sub" and "url_dom".
8215
Willy Tarreaud63335a2010-02-26 12:56:52 +01008216path_end <string>
8217 Returns true when the path ends with one of the strings. This may be used to
8218 control file name extension.
8219
Willy Tarreau0e698542011-09-16 08:32:32 +02008220path_len <integer>
8221 Returns true when the path length matches the values or ranges specified.
8222 This may be used to detect abusive requests for instance.
8223
Willy Tarreau6a06a402007-07-15 20:15:28 +02008224path_reg <regex>
8225 Returns true when the path matches one of the regular expressions. It can be
8226 used any time, but it is important to remember that regex matching is slower
8227 than other methods. See also "url_reg" and all "path_" criteria.
8228
Willy Tarreaud63335a2010-02-26 12:56:52 +01008229path_sub <string>
8230 Returns true when the path contains one of the strings. It can be used to
8231 detect particular patterns in paths, such as "../" for example. See also
8232 "path_dir".
8233
Willy Tarreau0ce3aa02012-04-25 18:46:33 +02008234payload(<offset>,<length>) <string>
8235 Returns true if the block of <length> bytes, starting at byte <offset> in the
8236 request or response buffer (depending on the rule) exactly matches one of the
8237 strings.
8238
8239payload_lv(<offset1>,<length>[,<offset2>])
8240 Returns true if the block whose size is specified at <offset1> for <length>
8241 bytes, and which starts at <offset2> if specified or just after the length in
8242 the request or response buffer (depending on the rule) exactly matches one of
8243 the strings. The <offset2> parameter also supports relative offsets if
8244 prepended with a '+' or '-' sign.
8245
Willy Tarreaud63335a2010-02-26 12:56:52 +01008246req_ver <string>
8247 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
8248 ACL already check for versions 1.0 and 1.1.
8249
8250status <integer>
8251 Applies to the HTTP status code in the HTTP response, eg: "302". It can be
8252 used to act on responses depending on status ranges, for instance, remove
8253 any Location header if the response is not a 3xx.
8254
Willy Tarreau6a06a402007-07-15 20:15:28 +02008255url <string>
8256 Applies to the whole URL passed in the request. The only real use is to match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008257 "*", for which there already is a predefined ACL. See also "base".
Willy Tarreau6a06a402007-07-15 20:15:28 +02008258
8259url_beg <string>
8260 Returns true when the URL begins with one of the strings. This can be used to
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008261 check whether a URL begins with a slash or with a protocol scheme. See also
8262 "base_beg".
Willy Tarreau6a06a402007-07-15 20:15:28 +02008263
Willy Tarreau6a06a402007-07-15 20:15:28 +02008264url_dir <string>
8265 Returns true when one of the strings is found isolated or delimited with
8266 slashes in the URL. This is used to perform filename or directory name
8267 matching without the risk of wrong match due to colliding prefixes. See also
8268 "path_dir" and "url_sub".
8269
8270url_dom <string>
8271 Returns true when one of the strings is found isolated or delimited with dots
8272 in the URL. This is used to perform domain name matching without the risk of
8273 wrong match due to colliding prefixes. See also "url_sub".
8274
Willy Tarreaud63335a2010-02-26 12:56:52 +01008275url_end <string>
8276 Returns true when the URL ends with one of the strings. It has very limited
8277 use. "path_end" should be used instead for filename matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008278
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008279url_ip <address>
8280 Applies to the IPv4 or IPv6 address specified in the absolute URI in an HTTP
8281 request. It can be used to prevent access to certain resources such as local
8282 network. It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008283
Willy Tarreau0e698542011-09-16 08:32:32 +02008284url_len <integer>
8285 Returns true when the url length matches the values or ranges specified. This
8286 may be used to detect abusive requests for instance.
8287
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008288url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01008289 Applies to the port specified in the absolute URI in an HTTP request. It can
8290 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01008291 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01008292 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008293
Willy Tarreaud63335a2010-02-26 12:56:52 +01008294url_reg <regex>
8295 Returns true when the URL matches one of the regular expressions. It can be
8296 used any time, but it is important to remember that regex matching is slower
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008297 than other methods. See also "base_reg", "path_reg" and all "url_" criteria.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008298
Willy Tarreaud63335a2010-02-26 12:56:52 +01008299url_sub <string>
8300 Returns true when the URL contains one of the strings. It can be used to
8301 detect particular patterns in query strings for example. See also "path_sub".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008302
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008303urlp(<name>) <string>
8304 Note: all "urlp*" matching criteria apply to the first occurrence of the
8305 parameter <name> in the query string. The parameter name is case-sensitive.
8306
8307 The "urlp" matching criteria returns true if the designated URL parameter
8308 matches any of the strings. This can be used to check for exact values.
8309
8310urlp_beg(<name>) <string>
8311 Returns true when the URL parameter "<name>" begins with one of the strings.
8312 This can be used to check whether a URL begins with a slash or with a
8313 protocol scheme.
8314
8315urlp_dir(<name>) <string>
8316 Returns true when the URL parameter "<name>" contains one of the strings
8317 either isolated or delimited with slashes. This is used to perform filename
8318 or directory name matching in a specific URL parameter without the risk of
8319 wrong match due to colliding prefixes. See also "path_dir" and "urlp_sub".
8320
8321urlp_dom(<name>) <string>
8322 Returns true when one of the strings is found isolated or delimited with dots
8323 in the URL parameter "<name>". This is used to perform domain name matching
8324 in a specific URL parameter without the risk of wrong match due to colliding
8325 prefixes. See also "urlp_sub".
8326
8327urlp_end(<name>) <string>
8328 Returns true when the URL parameter "<name>" ends with one of the strings.
8329
8330urlp_ip(<name>) <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008331 Returns true when the URL parameter "<name>" contains an IPv4 or IPv6 address
8332 which matches one of the specified addresses.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008333
8334urlp_len(<name>) <integer>
8335 Returns true when the URL parameter "<name>" has a length matching the values
8336 or ranges specified. This is used to detect abusive requests for instance.
8337
8338urlp_reg(<name>) <regex>
8339 Returns true when the URL parameter "<name>" matches one of the regular
8340 expressions. It can be used any time, but it is important to remember that
8341 regex matching is slower than other methods. See also "path_reg" and all
8342 "urlp_" criteria.
8343
8344urlp_sub(<name>) <string>
8345 Returns true when the URL parameter "<name>" contains one of the strings. It
8346 can be used to detect particular patterns in query strings for example. See
8347 also "path_sub" and other "urlp_" criteria.
8348
Willy Tarreaua9fddca2012-07-31 07:51:48 +02008349urlp_val(<name>) <integer>
8350 Returns true when the URL parameter "<name>" starts with a number matching
8351 the values or ranges specified. Note that the absence of the parameter does
8352 not match anything. Integers are unsigned so it is not possible to match
8353 negative data.
8354
Willy Tarreau198a7442008-01-17 12:05:32 +01008355
Willy Tarreauc57f0e22009-05-10 13:12:33 +020083567.6. Pre-defined ACLs
8357---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008358
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008359Some predefined ACLs are hard-coded so that they do not have to be declared in
8360every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +02008361order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +01008362
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008363ACL name Equivalent to Usage
8364---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008365FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +02008366HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008367HTTP_1.0 req_ver 1.0 match HTTP version 1.0
8368HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +01008369HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
8370HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
8371HTTP_URL_SLASH url_beg / match URL beginning with "/"
8372HTTP_URL_STAR url * match URL equal to "*"
8373LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008374METH_CONNECT method CONNECT match HTTP CONNECT method
8375METH_GET method GET HEAD match HTTP GET or HEAD method
8376METH_HEAD method HEAD match HTTP HEAD method
8377METH_OPTIONS method OPTIONS match HTTP OPTIONS method
8378METH_POST method POST match HTTP POST method
8379METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +02008380RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008381REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +01008382TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008383WAIT_END wait_end wait for end of content analysis
8384---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008385
Willy Tarreauced27012008-01-17 20:35:34 +01008386
Willy Tarreauc57f0e22009-05-10 13:12:33 +020083877.7. Using ACLs to form conditions
8388----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008389
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008390Some actions are only performed upon a valid condition. A condition is a
8391combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01008392
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008393 - AND (implicit)
8394 - OR (explicit with the "or" keyword or the "||" operator)
8395 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01008396
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008397A condition is formed as a disjunctive form:
Willy Tarreauced27012008-01-17 20:35:34 +01008398
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008399 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01008400
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008401Such conditions are generally used after an "if" or "unless" statement,
8402indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01008403
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008404For instance, to block HTTP requests to the "*" URL with methods other than
8405"OPTIONS", as well as POST requests without content-length, and GET or HEAD
8406requests with a content-length greater than 0, and finally every request which
8407is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01008408
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008409 acl missing_cl hdr_cnt(Content-length) eq 0
8410 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
8411 block if METH_GET HTTP_CONTENT
8412 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01008413
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008414To select a different backend for requests to static contents on the "www" site
8415and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01008416
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008417 acl url_static path_beg /static /images /img /css
8418 acl url_static path_end .gif .png .jpg .css .js
8419 acl host_www hdr_beg(host) -i www
8420 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01008421
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008422 # now use backend "static" for all static-only hosts, and for static urls
8423 # of host "www". Use backend "www" for the rest.
8424 use_backend static if host_static or host_www url_static
8425 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01008426
Willy Tarreau95fa4692010-02-01 13:05:50 +01008427It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
8428expressions that are built on the fly without needing to be declared. They must
8429be enclosed between braces, with a space before and after each brace (because
Jamie Gloudon801a0a32012-08-25 00:18:33 -04008430the braces must be seen as independent words). Example :
Willy Tarreau95fa4692010-02-01 13:05:50 +01008431
8432 The following rule :
8433
8434 acl missing_cl hdr_cnt(Content-length) eq 0
8435 block if METH_POST missing_cl
8436
8437 Can also be written that way :
8438
8439 block if METH_POST { hdr_cnt(Content-length) eq 0 }
8440
8441It is generally not recommended to use this construct because it's a lot easier
8442to leave errors in the configuration when written that way. However, for very
8443simple rules matching only one source IP address for instance, it can make more
8444sense to use them than to declare ACLs with random names. Another example of
8445good use is the following :
8446
8447 With named ACLs :
8448
8449 acl site_dead nbsrv(dynamic) lt 2
8450 acl site_dead nbsrv(static) lt 2
8451 monitor fail if site_dead
8452
8453 With anonymous ACLs :
8454
8455 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
8456
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008457See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01008458
Willy Tarreau5764b382007-11-30 17:46:49 +01008459
Willy Tarreaub937b7e2010-01-12 15:27:54 +010084607.8. Pattern extraction
8461-----------------------
8462
8463The stickiness features relies on pattern extraction in the request and
8464response. Sometimes the data needs to be converted first before being stored,
8465for instance converted from ASCII to IP or upper case to lower case.
8466
8467All these operations of data extraction and conversion are defined as
8468"pattern extraction rules". A pattern rule always has the same format. It
8469begins with a single pattern fetch word, potentially followed by a list of
8470arguments within parenthesis then an optional list of transformations. As
8471much as possible, the pattern fetch functions use the same name as their
8472equivalent used in ACLs.
8473
8474The list of currently supported pattern fetch functions is the following :
8475
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008476 base This returns the concatenation of the first Host header and the
8477 path part of the request, which starts at the first slash and
8478 ends before the question mark. It can be useful in virtual
8479 hosted environments to detect URL abuses as well as to improve
8480 shared caches efficiency. Using this with a limited size stick
8481 table also allows one to collect statistics about most commonly
8482 requested objects by host/path.
8483
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008484 src This is the source IPv4 address of the client of the session.
David du Colombier9a6d3c92011-03-17 10:40:24 +01008485 It is of type IPv4 and works on both IPv4 and IPv6 tables.
8486 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent,
8487 according to RFC 4291.
8488
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008489 dst This is the destination IPv4 address of the session on the
8490 client side, which is the address the client connected to.
8491 It can be useful when running in transparent mode. It is of
David du Colombier9a6d3c92011-03-17 10:40:24 +01008492 type IPv4 and works on both IPv4 and IPv6 tables.
8493 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent,
8494 according to RFC 4291.
8495
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008496 dst_port This is the destination TCP port of the session on the client
8497 side, which is the port the client connected to. This might be
8498 used when running in transparent mode or when assigning dynamic
8499 ports to some clients for a whole application session. It is of
8500 type integer and only works with such tables.
8501
Willy Tarreau185b5c42012-04-26 15:11:51 +02008502 hdr(<name>[,<occ>])
8503 This extracts the last occurrence of header <name> in an HTTP
8504 request. Optionally, a specific occurrence might be specified as
8505 a position number. Positive values indicate a position from the
8506 first occurrence, with 1 being the first one. Negative values
8507 indicate positions relative to the last one, with -1 being the
8508 last one. A typical use is with the X-Forwarded-For header once
Willy Tarreaue428fb72011-12-16 21:50:30 +01008509 converted to IP, associated with an IP stick-table.
Willy Tarreau4a568972010-05-12 08:08:50 +02008510
Willy Tarreau6812bcf2012-04-29 09:28:50 +02008511 path This extracts the request's URL path (without the host part). A
8512 typical use is with prefetch-capable caches, and with portals
8513 which need to aggregate multiple information from databases and
8514 keep them in caches. Note that with outgoing caches, it would be
8515 wiser to use "url" instead.
8516
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008517 payload(<offset>,<length>)
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008518 This extracts a binary block of <length> bytes, and starting
8519 at bytes <offset> in the buffer of request or response (request
8520 on "stick on" or "stick match" or response in on "stick store
8521 response").
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008522
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008523 payload_lv(<offset1>,<length>[,<offset2>])
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008524 This extracts a binary block. In a first step the size of the
8525 block is read from response or request buffer at <offset>
8526 bytes and considered coded on <length> bytes. In a second step
8527 data of the block are read from buffer at <offset2> bytes
8528 (by default <lengthoffset> + <lengthsize>).
8529 If <offset2> is prefixed by '+' or '-', it is relative to
8530 <lengthoffset> + <lengthsize> else it is absolute.
8531 Ex: see SSL session id example in "stick table" chapter.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008532
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008533 src_port This is the source TCP port of the session on the client side,
8534 which is the port the client connected from. It is very unlikely
8535 that this function will be useful but it's available at no cost.
8536 It is of type integer and only works with such tables.
8537
Willy Tarreau6812bcf2012-04-29 09:28:50 +02008538 url This extracts the request's URL as presented in the request. A
8539 typical use is with prefetch-capable caches, and with portals
8540 which need to aggregate multiple information from databases and
8541 keep them in caches. See also "path".
8542
8543 url_ip This extracts the IP address from the request's URL when the
8544 host part is presented as an IP address. Its use is very
8545 limited. For instance, a monitoring system might use this field
8546 as an alternative for the source IP in order to test what path a
8547 given source address would follow, or to force an entry in a
8548 table for a given source address.
8549
8550 url_port This extracts the port part from the request's URL. It probably
8551 is totally useless but it was available at no cost.
8552
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008553 url_param(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02008554 This extracts the first occurrence of the parameter <name> in
8555 the query string of the request and uses the corresponding value
8556 to match. A typical use is to get sticky session through url
8557 (e.g. http://example.com/foo?JESSIONID=some_id with
8558 url_param(JSESSIONID)), for cases where cookies cannot be used.
David Cournapeau16023ee2010-12-23 20:55:41 +09008559
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008560 rdp_cookie(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02008561 This extracts the value of the rdp cookie <name> as a string
8562 and uses this value to match. This enables implementation of
8563 persistence based on the mstshash cookie. This is typically
8564 done if there is no msts cookie present.
Simon Hormanab814e02011-06-24 14:50:20 +09008565
Cyril Bontédc4d9032012-04-08 21:57:39 +02008566 This differs from "balance rdp-cookie" in that any balancing
8567 algorithm may be used and thus the distribution of clients
8568 to backend servers is not linked to a hash of the RDP
8569 cookie. It is envisaged that using a balancing algorithm
8570 such as "balance roundrobin" or "balance leastconnect" will
8571 lead to a more even distribution of clients to backend
8572 servers than the hash used by "balance rdp-cookie".
Simon Hormanab814e02011-06-24 14:50:20 +09008573
Cyril Bontédc4d9032012-04-08 21:57:39 +02008574 Example :
8575 listen tse-farm
8576 bind 0.0.0.0:3389
8577 # wait up to 5s for an RDP cookie in the request
8578 tcp-request inspect-delay 5s
8579 tcp-request content accept if RDP_COOKIE
8580 # apply RDP cookie persistence
8581 persist rdp-cookie
8582 # Persist based on the mstshash cookie
8583 # This is only useful makes sense if
8584 # balance rdp-cookie is not used
8585 stick-table type string size 204800
8586 stick on rdp_cookie(mstshash)
8587 server srv1 1.1.1.1:3389
8588 server srv1 1.1.1.2:3389
Simon Hormanab814e02011-06-24 14:50:20 +09008589
Cyril Bontédc4d9032012-04-08 21:57:39 +02008590 See also : "balance rdp-cookie", "persist rdp-cookie",
8591 "tcp-request" and the "req_rdp_cookie" ACL.
Simon Hormanab814e02011-06-24 14:50:20 +09008592
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008593 cookie(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02008594 This extracts the last occurrence of the cookie name <name> on a
Willy Tarreau28376d62012-04-26 21:26:10 +02008595 "Cookie" header line from the request, or a "Set-Cookie" header
8596 from the response, and uses the corresponding value to match. A
8597 typical use is to get multiple clients sharing a same profile
8598 use the same server. This can be similar to what "appsession"
8599 does with the "request-learn" statement, but with support for
8600 multi-peer synchronization and state keeping across restarts.
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008601
Cyril Bontédc4d9032012-04-08 21:57:39 +02008602 See also : "appsession"
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008603
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008604 set-cookie(<name>)
Willy Tarreau28376d62012-04-26 21:26:10 +02008605 This fetch function is deprecated and has been superseded by the
8606 "cookie" fetch which is capable of handling both requests and
8607 responses. This keyword will disappear soon.
8608
Cyril Bontédc4d9032012-04-08 21:57:39 +02008609 This extracts the last occurrence of the cookie name <name> on a
8610 "Set-Cookie" header line from the response and uses the
8611 corresponding value to match. This can be comparable to what
8612 "appsession" does with default options, but with support for
8613 multi-peer synchronization and state keeping across restarts.
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008614
Cyril Bontédc4d9032012-04-08 21:57:39 +02008615 See also : "appsession"
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008616
Simon Hormanab814e02011-06-24 14:50:20 +09008617
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008618The currently available list of transformations include :
8619
8620 lower Convert a string pattern to lower case. This can only be placed
8621 after a string pattern fetch function or after a conversion
8622 function returning a string type. The result is of type string.
8623
8624 upper Convert a string pattern to upper case. This can only be placed
8625 after a string pattern fetch function or after a conversion
8626 function returning a string type. The result is of type string.
8627
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008628 ipmask(<mask>) Apply a mask to an IPv4 address, and use the result for lookups
Willy Tarreaud31d6eb2010-01-26 18:01:41 +01008629 and storage. This can be used to make all hosts within a
8630 certain mask to share the same table entries and as such use
8631 the same server. The mask can be passed in dotted form (eg:
8632 255.255.255.0) or in CIDR form (eg: 24).
8633
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008634
Willy Tarreauc57f0e22009-05-10 13:12:33 +020086358. Logging
8636----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01008637
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008638One of HAProxy's strong points certainly lies is its precise logs. It probably
8639provides the finest level of information available for such a product, which is
8640very important for troubleshooting complex environments. Standard information
8641provided in logs include client ports, TCP/HTTP state timers, precise session
8642state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008643to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008644headers.
8645
8646In order to improve administrators reactivity, it offers a great transparency
8647about encountered problems, both internal and external, and it is possible to
8648send logs to different sources at the same time with different level filters :
8649
8650 - global process-level logs (system errors, start/stop, etc..)
8651 - per-instance system and internal errors (lack of resource, bugs, ...)
8652 - per-instance external troubles (servers up/down, max connections)
8653 - per-instance activity (client connections), either at the establishment or
8654 at the termination.
8655
8656The ability to distribute different levels of logs to different log servers
8657allow several production teams to interact and to fix their problems as soon
8658as possible. For example, the system team might monitor system-wide errors,
8659while the application team might be monitoring the up/down for their servers in
8660real time, and the security team might analyze the activity logs with one hour
8661delay.
8662
8663
Willy Tarreauc57f0e22009-05-10 13:12:33 +020086648.1. Log levels
8665---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008666
Simon Hormandf791f52011-05-29 15:01:10 +09008667TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008668source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +09008669HTTP request, HTTP return code, number of bytes transmitted, conditions
8670in which the session ended, and even exchanged cookies values. For example
8671track a particular user's problems. All messages may be sent to up to two
8672syslog servers. Check the "log" keyword in section 4.2 for more information
8673about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008674
8675
Willy Tarreauc57f0e22009-05-10 13:12:33 +020086768.2. Log formats
8677----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008678
William Lallemand48940402012-01-30 16:47:22 +01008679HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +09008680and will be detailed in the following sections. A few of them may vary
8681slightly with the configuration, due to indicators specific to certain
8682options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008683
8684 - the default format, which is very basic and very rarely used. It only
8685 provides very basic information about the incoming connection at the moment
8686 it is accepted : source IP:port, destination IP:port, and frontend-name.
8687 This mode will eventually disappear so it will not be described to great
8688 extents.
8689
8690 - the TCP format, which is more advanced. This format is enabled when "option
8691 tcplog" is set on the frontend. HAProxy will then usually wait for the
8692 connection to terminate before logging. This format provides much richer
8693 information, such as timers, connection counts, queue size, etc... This
8694 format is recommended for pure TCP proxies.
8695
8696 - the HTTP format, which is the most advanced for HTTP proxying. This format
8697 is enabled when "option httplog" is set on the frontend. It provides the
8698 same information as the TCP format with some HTTP-specific fields such as
8699 the request, the status code, and captures of headers and cookies. This
8700 format is recommended for HTTP proxies.
8701
Emeric Brun3a058f32009-06-30 18:26:00 +02008702 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
8703 fields arranged in the same order as the CLF format. In this mode, all
8704 timers, captures, flags, etc... appear one per field after the end of the
8705 common fields, in the same order they appear in the standard HTTP format.
8706
William Lallemand48940402012-01-30 16:47:22 +01008707 - the custom log format, allows you to make your own log line.
8708
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008709Next sections will go deeper into details for each of these formats. Format
8710specification will be performed on a "field" basis. Unless stated otherwise, a
8711field is a portion of text delimited by any number of spaces. Since syslog
8712servers are susceptible of inserting fields at the beginning of a line, it is
8713always assumed that the first field is the one containing the process name and
8714identifier.
8715
8716Note : Since log lines may be quite long, the log examples in sections below
8717 might be broken into multiple lines. The example log lines will be
8718 prefixed with 3 closing angle brackets ('>>>') and each time a log is
8719 broken into multiple lines, each non-final line will end with a
8720 backslash ('\') and the next line will start indented by two characters.
8721
8722
Willy Tarreauc57f0e22009-05-10 13:12:33 +020087238.2.1. Default log format
8724-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008725
8726This format is used when no specific option is set. The log is emitted as soon
8727as the connection is accepted. One should note that this currently is the only
8728format which logs the request's destination IP and ports.
8729
8730 Example :
8731 listen www
8732 mode http
8733 log global
8734 server srv1 127.0.0.1:8000
8735
8736 >>> Feb 6 12:12:09 localhost \
8737 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
8738 (www/HTTP)
8739
8740 Field Format Extract from the example above
8741 1 process_name '[' pid ']:' haproxy[14385]:
8742 2 'Connect from' Connect from
8743 3 source_ip ':' source_port 10.0.1.2:33312
8744 4 'to' to
8745 5 destination_ip ':' destination_port 10.0.3.31:8012
8746 6 '(' frontend_name '/' mode ')' (www/HTTP)
8747
8748Detailed fields description :
8749 - "source_ip" is the IP address of the client which initiated the connection.
8750 - "source_port" is the TCP port of the client which initiated the connection.
8751 - "destination_ip" is the IP address the client connected to.
8752 - "destination_port" is the TCP port the client connected to.
8753 - "frontend_name" is the name of the frontend (or listener) which received
8754 and processed the connection.
8755 - "mode is the mode the frontend is operating (TCP or HTTP).
8756
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008757In case of a UNIX socket, the source and destination addresses are marked as
8758"unix:" and the ports reflect the internal ID of the socket which accepted the
8759connection (the same ID as reported in the stats).
8760
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008761It is advised not to use this deprecated format for newer installations as it
8762will eventually disappear.
8763
8764
Willy Tarreauc57f0e22009-05-10 13:12:33 +020087658.2.2. TCP log format
8766---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008767
8768The TCP format is used when "option tcplog" is specified in the frontend, and
8769is the recommended format for pure TCP proxies. It provides a lot of precious
8770information for troubleshooting. Since this format includes timers and byte
8771counts, the log is normally emitted at the end of the session. It can be
8772emitted earlier if "option logasap" is specified, which makes sense in most
8773environments with long sessions such as remote terminals. Sessions which match
8774the "monitor" rules are never logged. It is also possible not to emit logs for
8775sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008776specifying "option dontlognull" in the frontend. Successful connections will
8777not be logged if "option dontlog-normal" is specified in the frontend. A few
8778fields may slightly vary depending on some configuration options, those are
8779marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008780
8781 Example :
8782 frontend fnt
8783 mode tcp
8784 option tcplog
8785 log global
8786 default_backend bck
8787
8788 backend bck
8789 server srv1 127.0.0.1:8000
8790
8791 >>> Feb 6 12:12:56 localhost \
8792 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
8793 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
8794
8795 Field Format Extract from the example above
8796 1 process_name '[' pid ']:' haproxy[14387]:
8797 2 client_ip ':' client_port 10.0.1.2:33313
8798 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
8799 4 frontend_name fnt
8800 5 backend_name '/' server_name bck/srv1
8801 6 Tw '/' Tc '/' Tt* 0/0/5007
8802 7 bytes_read* 212
8803 8 termination_state --
8804 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
8805 10 srv_queue '/' backend_queue 0/0
8806
8807Detailed fields description :
8808 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008809 connection to haproxy. If the connection was accepted on a UNIX socket
8810 instead, the IP address would be replaced with the word "unix". Note that
8811 when the connection is accepted on a socket configured with "accept-proxy"
8812 and the PROXY protocol is correctly used, then the logs will reflect the
8813 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008814
8815 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008816 If the connection was accepted on a UNIX socket instead, the port would be
8817 replaced with the ID of the accepting socket, which is also reported in the
8818 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008819
8820 - "accept_date" is the exact date when the connection was received by haproxy
8821 (which might be very slightly different from the date observed on the
8822 network if there was some queuing in the system's backlog). This is usually
8823 the same date which may appear in any upstream firewall's log.
8824
8825 - "frontend_name" is the name of the frontend (or listener) which received
8826 and processed the connection.
8827
8828 - "backend_name" is the name of the backend (or listener) which was selected
8829 to manage the connection to the server. This will be the same as the
8830 frontend if no switching rule has been applied, which is common for TCP
8831 applications.
8832
8833 - "server_name" is the name of the last server to which the connection was
8834 sent, which might differ from the first one if there were connection errors
8835 and a redispatch occurred. Note that this server belongs to the backend
8836 which processed the request. If the connection was aborted before reaching
8837 a server, "<NOSRV>" is indicated instead of a server name.
8838
8839 - "Tw" is the total time in milliseconds spent waiting in the various queues.
8840 It can be "-1" if the connection was aborted before reaching the queue.
8841 See "Timers" below for more details.
8842
8843 - "Tc" is the total time in milliseconds spent waiting for the connection to
8844 establish to the final server, including retries. It can be "-1" if the
8845 connection was aborted before a connection could be established. See
8846 "Timers" below for more details.
8847
8848 - "Tt" is the total time in milliseconds elapsed between the accept and the
8849 last close. It covers all possible processings. There is one exception, if
8850 "option logasap" was specified, then the time counting stops at the moment
8851 the log is emitted. In this case, a '+' sign is prepended before the value,
8852 indicating that the final one will be larger. See "Timers" below for more
8853 details.
8854
8855 - "bytes_read" is the total number of bytes transmitted from the server to
8856 the client when the log is emitted. If "option logasap" is specified, the
8857 this value will be prefixed with a '+' sign indicating that the final one
8858 may be larger. Please note that this value is a 64-bit counter, so log
8859 analysis tools must be able to handle it without overflowing.
8860
8861 - "termination_state" is the condition the session was in when the session
8862 ended. This indicates the session state, which side caused the end of
8863 session to happen, and for what reason (timeout, error, ...). The normal
8864 flags should be "--", indicating the session was closed by either end with
8865 no data remaining in buffers. See below "Session state at disconnection"
8866 for more details.
8867
8868 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008869 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008870 limits have been reached. For instance, if actconn is close to 512 when
8871 multiple connection errors occur, chances are high that the system limits
8872 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008873 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008874
8875 - "feconn" is the total number of concurrent connections on the frontend when
8876 the session was logged. It is useful to estimate the amount of resource
8877 required to sustain high loads, and to detect when the frontend's "maxconn"
8878 has been reached. Most often when this value increases by huge jumps, it is
8879 because there is congestion on the backend servers, but sometimes it can be
8880 caused by a denial of service attack.
8881
8882 - "beconn" is the total number of concurrent connections handled by the
8883 backend when the session was logged. It includes the total number of
8884 concurrent connections active on servers as well as the number of
8885 connections pending in queues. It is useful to estimate the amount of
8886 additional servers needed to support high loads for a given application.
8887 Most often when this value increases by huge jumps, it is because there is
8888 congestion on the backend servers, but sometimes it can be caused by a
8889 denial of service attack.
8890
8891 - "srv_conn" is the total number of concurrent connections still active on
8892 the server when the session was logged. It can never exceed the server's
8893 configured "maxconn" parameter. If this value is very often close or equal
8894 to the server's "maxconn", it means that traffic regulation is involved a
8895 lot, meaning that either the server's maxconn value is too low, or that
8896 there aren't enough servers to process the load with an optimal response
8897 time. When only one of the server's "srv_conn" is high, it usually means
8898 that this server has some trouble causing the connections to take longer to
8899 be processed than on other servers.
8900
8901 - "retries" is the number of connection retries experienced by this session
8902 when trying to connect to the server. It must normally be zero, unless a
8903 server is being stopped at the same moment the connection was attempted.
8904 Frequent retries generally indicate either a network problem between
8905 haproxy and the server, or a misconfigured system backlog on the server
8906 preventing new connections from being queued. This field may optionally be
8907 prefixed with a '+' sign, indicating that the session has experienced a
8908 redispatch after the maximal retry count has been reached on the initial
8909 server. In this case, the server name appearing in the log is the one the
8910 connection was redispatched to, and not the first one, though both may
8911 sometimes be the same in case of hashing for instance. So as a general rule
8912 of thumb, when a '+' is present in front of the retry count, this count
8913 should not be attributed to the logged server.
8914
8915 - "srv_queue" is the total number of requests which were processed before
8916 this one in the server queue. It is zero when the request has not gone
8917 through the server queue. It makes it possible to estimate the approximate
8918 server's response time by dividing the time spent in queue by the number of
8919 requests in the queue. It is worth noting that if a session experiences a
8920 redispatch and passes through two server queues, their positions will be
8921 cumulated. A request should not pass through both the server queue and the
8922 backend queue unless a redispatch occurs.
8923
8924 - "backend_queue" is the total number of requests which were processed before
8925 this one in the backend's global queue. It is zero when the request has not
8926 gone through the global queue. It makes it possible to estimate the average
8927 queue length, which easily translates into a number of missing servers when
8928 divided by a server's "maxconn" parameter. It is worth noting that if a
8929 session experiences a redispatch, it may pass twice in the backend's queue,
8930 and then both positions will be cumulated. A request should not pass
8931 through both the server queue and the backend queue unless a redispatch
8932 occurs.
8933
8934
Willy Tarreauc57f0e22009-05-10 13:12:33 +020089358.2.3. HTTP log format
8936----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008937
8938The HTTP format is the most complete and the best suited for HTTP proxies. It
8939is enabled by when "option httplog" is specified in the frontend. It provides
8940the same level of information as the TCP format with additional features which
8941are specific to the HTTP protocol. Just like the TCP format, the log is usually
8942emitted at the end of the session, unless "option logasap" is specified, which
8943generally only makes sense for download sites. A session which matches the
8944"monitor" rules will never logged. It is also possible not to log sessions for
8945which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008946frontend. Successful connections will not be logged if "option dontlog-normal"
8947is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008948
8949Most fields are shared with the TCP log, some being different. A few fields may
8950slightly vary depending on some configuration options. Those ones are marked
8951with a star ('*') after the field name below.
8952
8953 Example :
8954 frontend http-in
8955 mode http
8956 option httplog
8957 log global
8958 default_backend bck
8959
8960 backend static
8961 server srv1 127.0.0.1:8000
8962
8963 >>> Feb 6 12:14:14 localhost \
8964 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
8965 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008966 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008967
8968 Field Format Extract from the example above
8969 1 process_name '[' pid ']:' haproxy[14389]:
8970 2 client_ip ':' client_port 10.0.1.2:33317
8971 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
8972 4 frontend_name http-in
8973 5 backend_name '/' server_name static/srv1
8974 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
8975 7 status_code 200
8976 8 bytes_read* 2750
8977 9 captured_request_cookie -
8978 10 captured_response_cookie -
8979 11 termination_state ----
8980 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
8981 13 srv_queue '/' backend_queue 0/0
8982 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
8983 15 '{' captured_response_headers* '}' {}
8984 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +01008985
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008986
8987Detailed fields description :
8988 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008989 connection to haproxy. If the connection was accepted on a UNIX socket
8990 instead, the IP address would be replaced with the word "unix". Note that
8991 when the connection is accepted on a socket configured with "accept-proxy"
8992 and the PROXY protocol is correctly used, then the logs will reflect the
8993 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008994
8995 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008996 If the connection was accepted on a UNIX socket instead, the port would be
8997 replaced with the ID of the accepting socket, which is also reported in the
8998 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008999
9000 - "accept_date" is the exact date when the TCP connection was received by
9001 haproxy (which might be very slightly different from the date observed on
9002 the network if there was some queuing in the system's backlog). This is
9003 usually the same date which may appear in any upstream firewall's log. This
9004 does not depend on the fact that the client has sent the request or not.
9005
9006 - "frontend_name" is the name of the frontend (or listener) which received
9007 and processed the connection.
9008
9009 - "backend_name" is the name of the backend (or listener) which was selected
9010 to manage the connection to the server. This will be the same as the
9011 frontend if no switching rule has been applied.
9012
9013 - "server_name" is the name of the last server to which the connection was
9014 sent, which might differ from the first one if there were connection errors
9015 and a redispatch occurred. Note that this server belongs to the backend
9016 which processed the request. If the request was aborted before reaching a
9017 server, "<NOSRV>" is indicated instead of a server name. If the request was
9018 intercepted by the stats subsystem, "<STATS>" is indicated instead.
9019
9020 - "Tq" is the total time in milliseconds spent waiting for the client to send
9021 a full HTTP request, not counting data. It can be "-1" if the connection
9022 was aborted before a complete request could be received. It should always
9023 be very small because a request generally fits in one single packet. Large
9024 times here generally indicate network trouble between the client and
9025 haproxy. See "Timers" below for more details.
9026
9027 - "Tw" is the total time in milliseconds spent waiting in the various queues.
9028 It can be "-1" if the connection was aborted before reaching the queue.
9029 See "Timers" below for more details.
9030
9031 - "Tc" is the total time in milliseconds spent waiting for the connection to
9032 establish to the final server, including retries. It can be "-1" if the
9033 request was aborted before a connection could be established. See "Timers"
9034 below for more details.
9035
9036 - "Tr" is the total time in milliseconds spent waiting for the server to send
9037 a full HTTP response, not counting data. It can be "-1" if the request was
9038 aborted before a complete response could be received. It generally matches
9039 the server's processing time for the request, though it may be altered by
9040 the amount of data sent by the client to the server. Large times here on
9041 "GET" requests generally indicate an overloaded server. See "Timers" below
9042 for more details.
9043
9044 - "Tt" is the total time in milliseconds elapsed between the accept and the
9045 last close. It covers all possible processings. There is one exception, if
9046 "option logasap" was specified, then the time counting stops at the moment
9047 the log is emitted. In this case, a '+' sign is prepended before the value,
9048 indicating that the final one will be larger. See "Timers" below for more
9049 details.
9050
9051 - "status_code" is the HTTP status code returned to the client. This status
9052 is generally set by the server, but it might also be set by haproxy when
9053 the server cannot be reached or when its response is blocked by haproxy.
9054
9055 - "bytes_read" is the total number of bytes transmitted to the client when
9056 the log is emitted. This does include HTTP headers. If "option logasap" is
9057 specified, the this value will be prefixed with a '+' sign indicating that
9058 the final one may be larger. Please note that this value is a 64-bit
9059 counter, so log analysis tools must be able to handle it without
9060 overflowing.
9061
9062 - "captured_request_cookie" is an optional "name=value" entry indicating that
9063 the client had this cookie in the request. The cookie name and its maximum
9064 length are defined by the "capture cookie" statement in the frontend
9065 configuration. The field is a single dash ('-') when the option is not
9066 set. Only one cookie may be captured, it is generally used to track session
9067 ID exchanges between a client and a server to detect session crossing
9068 between clients due to application bugs. For more details, please consult
9069 the section "Capturing HTTP headers and cookies" below.
9070
9071 - "captured_response_cookie" is an optional "name=value" entry indicating
9072 that the server has returned a cookie with its response. The cookie name
9073 and its maximum length are defined by the "capture cookie" statement in the
9074 frontend configuration. The field is a single dash ('-') when the option is
9075 not set. Only one cookie may be captured, it is generally used to track
9076 session ID exchanges between a client and a server to detect session
9077 crossing between clients due to application bugs. For more details, please
9078 consult the section "Capturing HTTP headers and cookies" below.
9079
9080 - "termination_state" is the condition the session was in when the session
9081 ended. This indicates the session state, which side caused the end of
9082 session to happen, for what reason (timeout, error, ...), just like in TCP
9083 logs, and information about persistence operations on cookies in the last
9084 two characters. The normal flags should begin with "--", indicating the
9085 session was closed by either end with no data remaining in buffers. See
9086 below "Session state at disconnection" for more details.
9087
9088 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009089 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009090 limits have been reached. For instance, if actconn is close to 512 or 1024
9091 when multiple connection errors occur, chances are high that the system
9092 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009093 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009094 system.
9095
9096 - "feconn" is the total number of concurrent connections on the frontend when
9097 the session was logged. It is useful to estimate the amount of resource
9098 required to sustain high loads, and to detect when the frontend's "maxconn"
9099 has been reached. Most often when this value increases by huge jumps, it is
9100 because there is congestion on the backend servers, but sometimes it can be
9101 caused by a denial of service attack.
9102
9103 - "beconn" is the total number of concurrent connections handled by the
9104 backend when the session was logged. It includes the total number of
9105 concurrent connections active on servers as well as the number of
9106 connections pending in queues. It is useful to estimate the amount of
9107 additional servers needed to support high loads for a given application.
9108 Most often when this value increases by huge jumps, it is because there is
9109 congestion on the backend servers, but sometimes it can be caused by a
9110 denial of service attack.
9111
9112 - "srv_conn" is the total number of concurrent connections still active on
9113 the server when the session was logged. It can never exceed the server's
9114 configured "maxconn" parameter. If this value is very often close or equal
9115 to the server's "maxconn", it means that traffic regulation is involved a
9116 lot, meaning that either the server's maxconn value is too low, or that
9117 there aren't enough servers to process the load with an optimal response
9118 time. When only one of the server's "srv_conn" is high, it usually means
9119 that this server has some trouble causing the requests to take longer to be
9120 processed than on other servers.
9121
9122 - "retries" is the number of connection retries experienced by this session
9123 when trying to connect to the server. It must normally be zero, unless a
9124 server is being stopped at the same moment the connection was attempted.
9125 Frequent retries generally indicate either a network problem between
9126 haproxy and the server, or a misconfigured system backlog on the server
9127 preventing new connections from being queued. This field may optionally be
9128 prefixed with a '+' sign, indicating that the session has experienced a
9129 redispatch after the maximal retry count has been reached on the initial
9130 server. In this case, the server name appearing in the log is the one the
9131 connection was redispatched to, and not the first one, though both may
9132 sometimes be the same in case of hashing for instance. So as a general rule
9133 of thumb, when a '+' is present in front of the retry count, this count
9134 should not be attributed to the logged server.
9135
9136 - "srv_queue" is the total number of requests which were processed before
9137 this one in the server queue. It is zero when the request has not gone
9138 through the server queue. It makes it possible to estimate the approximate
9139 server's response time by dividing the time spent in queue by the number of
9140 requests in the queue. It is worth noting that if a session experiences a
9141 redispatch and passes through two server queues, their positions will be
9142 cumulated. A request should not pass through both the server queue and the
9143 backend queue unless a redispatch occurs.
9144
9145 - "backend_queue" is the total number of requests which were processed before
9146 this one in the backend's global queue. It is zero when the request has not
9147 gone through the global queue. It makes it possible to estimate the average
9148 queue length, which easily translates into a number of missing servers when
9149 divided by a server's "maxconn" parameter. It is worth noting that if a
9150 session experiences a redispatch, it may pass twice in the backend's queue,
9151 and then both positions will be cumulated. A request should not pass
9152 through both the server queue and the backend queue unless a redispatch
9153 occurs.
9154
9155 - "captured_request_headers" is a list of headers captured in the request due
9156 to the presence of the "capture request header" statement in the frontend.
9157 Multiple headers can be captured, they will be delimited by a vertical bar
9158 ('|'). When no capture is enabled, the braces do not appear, causing a
9159 shift of remaining fields. It is important to note that this field may
9160 contain spaces, and that using it requires a smarter log parser than when
9161 it's not used. Please consult the section "Capturing HTTP headers and
9162 cookies" below for more details.
9163
9164 - "captured_response_headers" is a list of headers captured in the response
9165 due to the presence of the "capture response header" statement in the
9166 frontend. Multiple headers can be captured, they will be delimited by a
9167 vertical bar ('|'). When no capture is enabled, the braces do not appear,
9168 causing a shift of remaining fields. It is important to note that this
9169 field may contain spaces, and that using it requires a smarter log parser
9170 than when it's not used. Please consult the section "Capturing HTTP headers
9171 and cookies" below for more details.
9172
9173 - "http_request" is the complete HTTP request line, including the method,
9174 request and HTTP version string. Non-printable characters are encoded (see
9175 below the section "Non-printable characters"). This is always the last
9176 field, and it is always delimited by quotes and is the only one which can
9177 contain quotes. If new fields are added to the log format, they will be
9178 added before this field. This field might be truncated if the request is
9179 huge and does not fit in the standard syslog buffer (1024 characters). This
9180 is the reason why this field must always remain the last one.
9181
9182
Cyril Bontédc4d9032012-04-08 21:57:39 +020091838.2.4. Custom log format
9184------------------------
William Lallemand48940402012-01-30 16:47:22 +01009185
William Lallemandbddd4fd2012-02-27 11:23:10 +01009186The directive log-format allows you to custom the logs in http mode and tcp
9187mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +01009188
9189HAproxy understands some log format variables. % precedes log format variables.
9190Variables can take arguments using braces ('{}'), and multiple arguments are
9191separated by commas within the braces. Flags may be added or removed by
9192prefixing them with a '+' or '-' sign.
9193
9194Special variable "%o" may be used to propagate its flags to all other
9195variables on the same format string. This is particularly handy with quoted
9196string formats ("Q").
9197
9198Note: spaces must be escaped. A space character is considered as a separator.
9199HAproxy will automatically merge consecutive separators.
9200
9201Flags are :
9202 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009203 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
William Lallemand48940402012-01-30 16:47:22 +01009204
9205 Example:
9206
9207 log-format %T\ %t\ Some\ Text
9208 log-format %{+Q}o\ %t\ %s\ %{-Q}r
9209
9210At the moment, the default HTTP format is defined this way :
9211
9212 log-format %Ci:%Cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \
Willy Tarreau6580c062012-03-12 15:09:42 +01009213 %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
William Lallemand48940402012-01-30 16:47:22 +01009214
William Lallemandbddd4fd2012-02-27 11:23:10 +01009215the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +01009216
9217 log-format %{+Q}o\ %{-Q}Ci\ -\ -\ [%T]\ %r\ %st\ %B\ \"\"\ \"\"\ %Cp\ \
Willy Tarreau6580c062012-03-12 15:09:42 +01009218 %ms\ %f\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \
William Lallemand48940402012-01-30 16:47:22 +01009219 %bc\ %sc\ %rc\ %sq\ %bq\ %cc\ %cs\ \%hrl\ %hsl
9220
William Lallemandbddd4fd2012-02-27 11:23:10 +01009221and the default TCP format is defined this way :
9222
9223 log-format %Ci:%Cp\ [%t]\ %f\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ \
9224 %ac/%fc/%bc/%sc/%rc\ %sq/%bq
9225
William Lallemand48940402012-01-30 16:47:22 +01009226Please refer to the table below for currently defined variables :
9227
William Lallemandbddd4fd2012-02-27 11:23:10 +01009228 +---+------+-----------------------------------------------+-------------+
9229 | H | var | field name (8.2.2 and 8.2.3 for description) | type |
9230 +---+------+-----------------------------------------------+-------------+
9231 | | %o | special variable, apply flags on all next var | |
9232 +---+------+-----------------------------------------------+-------------+
9233 | | %B | bytes_read | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009234 | | %Ci | client_ip | IP |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009235 | | %Cp | client_port | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009236 | | %Bi | backend_source_ip | IP |
William Lallemandb7ff6a32012-03-02 14:35:21 +01009237 | | %Bp | backend_source_port | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009238 | | %Fi | frontend_ip | IP |
9239 | | %Fp | frontend_port | numeric |
9240 | | %H | hostname | string |
William Lallemanda73203e2012-03-12 12:48:57 +01009241 | | %ID | unique-id | string |
William Lallemand5f232402012-04-05 18:02:55 +02009242 | | %Si | server_IP | IP |
9243 | | %Sp | server_port | numeric |
9244 | | %T | gmt_date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009245 | | %Tc | Tc | numeric |
9246 | * | %Tq | Tq | numeric |
9247 | * | %Tr | Tr | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009248 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009249 | | %Tt | Tt | numeric |
9250 | | %Tw | Tw | numeric |
9251 | | %ac | actconn | numeric |
9252 | | %b | backend_name | string |
9253 | | %bc | beconn | numeric |
9254 | | %bq | backend_queue | numeric |
9255 | * | %cc | captured_request_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +02009256 | * | %rt | http_request_counter | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009257 | * | %cs | captured_response_cookie | string |
9258 | | %f | frontend_name | string |
9259 | | %fc | feconn | numeric |
9260 | * | %hr | captured_request_headers default style | string |
9261 | * | %hrl | captured_request_headers CLF style | string list |
9262 | * | %hs | captured_response_headers default style | string |
9263 | * | %hsl | captured_response_headers CLF style | string list |
9264 | | %ms | accept date milliseconds | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009265 | | %pid | PID | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009266 | * | %r | http_request | string |
9267 | | %rc | retries | numeric |
9268 | | %s | server_name | string |
9269 | | %sc | srv_conn | numeric |
9270 | | %sq | srv_queue | numeric |
9271 | * | %st | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009272 | | %t | date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009273 | | %ts | termination_state | string |
Willy Tarreau6580c062012-03-12 15:09:42 +01009274 | * | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009275 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +01009276
William Lallemand5f232402012-04-05 18:02:55 +02009277*: mode http only
William Lallemand48940402012-01-30 16:47:22 +01009278
Willy Tarreauc57f0e22009-05-10 13:12:33 +020092798.3. Advanced logging options
9280-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009281
9282Some advanced logging options are often looked for but are not easy to find out
9283just by looking at the various options. Here is an entry point for the few
9284options which can enable better logging. Please refer to the keywords reference
9285for more information about their usage.
9286
9287
Willy Tarreauc57f0e22009-05-10 13:12:33 +020092888.3.1. Disabling logging of external tests
9289------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009290
9291It is quite common to have some monitoring tools perform health checks on
9292haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
9293commercial load-balancer, and sometimes it will simply be a more complete
9294monitoring system such as Nagios. When the tests are very frequent, users often
9295ask how to disable logging for those checks. There are three possibilities :
9296
9297 - if connections come from everywhere and are just TCP probes, it is often
9298 desired to simply disable logging of connections without data exchange, by
9299 setting "option dontlognull" in the frontend. It also disables logging of
9300 port scans, which may or may not be desired.
9301
9302 - if the connection come from a known source network, use "monitor-net" to
9303 declare this network as monitoring only. Any host in this network will then
9304 only be able to perform health checks, and their requests will not be
9305 logged. This is generally appropriate to designate a list of equipments
9306 such as other load-balancers.
9307
9308 - if the tests are performed on a known URI, use "monitor-uri" to declare
9309 this URI as dedicated to monitoring. Any host sending this request will
9310 only get the result of a health-check, and the request will not be logged.
9311
9312
Willy Tarreauc57f0e22009-05-10 13:12:33 +020093138.3.2. Logging before waiting for the session to terminate
9314----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009315
9316The problem with logging at end of connection is that you have no clue about
9317what is happening during very long sessions, such as remote terminal sessions
9318or large file downloads. This problem can be worked around by specifying
9319"option logasap" in the frontend. Haproxy will then log as soon as possible,
9320just before data transfer begins. This means that in case of TCP, it will still
9321log the connection status to the server, and in case of HTTP, it will log just
9322after processing the server headers. In this case, the number of bytes reported
9323is the number of header bytes sent to the client. In order to avoid confusion
9324with normal logs, the total time field and the number of bytes are prefixed
9325with a '+' sign which means that real numbers are certainly larger.
9326
9327
Willy Tarreauc57f0e22009-05-10 13:12:33 +020093288.3.3. Raising log level upon errors
9329------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009330
9331Sometimes it is more convenient to separate normal traffic from errors logs,
9332for instance in order to ease error monitoring from log files. When the option
9333"log-separate-errors" is used, connections which experience errors, timeouts,
9334retries, redispatches or HTTP status codes 5xx will see their syslog level
9335raised from "info" to "err". This will help a syslog daemon store the log in
9336a separate file. It is very important to keep the errors in the normal traffic
9337file too, so that log ordering is not altered. You should also be careful if
9338you already have configured your syslog daemon to store all logs higher than
9339"notice" in an "admin" file, because the "err" level is higher than "notice".
9340
9341
Willy Tarreauc57f0e22009-05-10 13:12:33 +020093428.3.4. Disabling logging of successful connections
9343--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009344
9345Although this may sound strange at first, some large sites have to deal with
9346multiple thousands of logs per second and are experiencing difficulties keeping
9347them intact for a long time or detecting errors within them. If the option
9348"dontlog-normal" is set on the frontend, all normal connections will not be
9349logged. In this regard, a normal connection is defined as one without any
9350error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
9351and a response with a status 5xx is not considered normal and will be logged
9352too. Of course, doing is is really discouraged as it will remove most of the
9353useful information from the logs. Do this only if you have no other
9354alternative.
9355
9356
Willy Tarreauc57f0e22009-05-10 13:12:33 +020093578.4. Timing events
9358------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009359
9360Timers provide a great help in troubleshooting network problems. All values are
9361reported in milliseconds (ms). These timers should be used in conjunction with
9362the session termination flags. In TCP mode with "option tcplog" set on the
9363frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
9364mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
9365
9366 - Tq: total time to get the client request (HTTP mode only). It's the time
9367 elapsed between the moment the client connection was accepted and the
9368 moment the proxy received the last HTTP header. The value "-1" indicates
9369 that the end of headers (empty line) has never been seen. This happens when
9370 the client closes prematurely or times out.
9371
9372 - Tw: total time spent in the queues waiting for a connection slot. It
9373 accounts for backend queue as well as the server queues, and depends on the
9374 queue size, and the time needed for the server to complete previous
9375 requests. The value "-1" means that the request was killed before reaching
9376 the queue, which is generally what happens with invalid or denied requests.
9377
9378 - Tc: total time to establish the TCP connection to the server. It's the time
9379 elapsed between the moment the proxy sent the connection request, and the
9380 moment it was acknowledged by the server, or between the TCP SYN packet and
9381 the matching SYN/ACK packet in return. The value "-1" means that the
9382 connection never established.
9383
9384 - Tr: server response time (HTTP mode only). It's the time elapsed between
9385 the moment the TCP connection was established to the server and the moment
9386 the server sent its complete response headers. It purely shows its request
9387 processing time, without the network overhead due to the data transmission.
9388 It is worth noting that when the client has data to send to the server, for
9389 instance during a POST request, the time already runs, and this can distort
9390 apparent response time. For this reason, it's generally wise not to trust
9391 too much this field for POST requests initiated from clients behind an
9392 untrusted network. A value of "-1" here means that the last the response
9393 header (empty line) was never seen, most likely because the server timeout
9394 stroke before the server managed to process the request.
9395
9396 - Tt: total session duration time, between the moment the proxy accepted it
9397 and the moment both ends were closed. The exception is when the "logasap"
9398 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
9399 prefixed with a '+' sign. From this field, we can deduce "Td", the data
9400 transmission time, by substracting other timers when valid :
9401
9402 Td = Tt - (Tq + Tw + Tc + Tr)
9403
9404 Timers with "-1" values have to be excluded from this equation. In TCP
9405 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
9406 negative.
9407
9408These timers provide precious indications on trouble causes. Since the TCP
9409protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
9410that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009411due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009412close to a timeout value specified in the configuration, it often means that a
9413session has been aborted on timeout.
9414
9415Most common cases :
9416
9417 - If "Tq" is close to 3000, a packet has probably been lost between the
9418 client and the proxy. This is very rare on local networks but might happen
9419 when clients are on far remote networks and send large requests. It may
9420 happen that values larger than usual appear here without any network cause.
9421 Sometimes, during an attack or just after a resource starvation has ended,
9422 haproxy may accept thousands of connections in a few milliseconds. The time
9423 spent accepting these connections will inevitably slightly delay processing
9424 of other connections, and it can happen that request times in the order of
9425 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +02009426 connections have been accepted at once. Setting "option http-server-close"
9427 may display larger request times since "Tq" also measures the time spent
9428 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009429
9430 - If "Tc" is close to 3000, a packet has probably been lost between the
9431 server and the proxy during the server connection phase. This value should
9432 always be very low, such as 1 ms on local networks and less than a few tens
9433 of ms on remote networks.
9434
Willy Tarreau55165fe2009-05-10 12:02:55 +02009435 - If "Tr" is nearly always lower than 3000 except some rare values which seem
9436 to be the average majored by 3000, there are probably some packets lost
9437 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009438
9439 - If "Tt" is large even for small byte counts, it generally is because
9440 neither the client nor the server decides to close the connection, for
9441 instance because both have agreed on a keep-alive connection mode. In order
9442 to solve this issue, it will be needed to specify "option httpclose" on
9443 either the frontend or the backend. If the problem persists, it means that
9444 the server ignores the "close" connection mode and expects the client to
9445 close. Then it will be required to use "option forceclose". Having the
9446 smallest possible 'Tt' is important when connection regulation is used with
9447 the "maxconn" option on the servers, since no new connection will be sent
9448 to the server until another one is released.
9449
9450Other noticeable HTTP log cases ('xx' means any value to be ignored) :
9451
9452 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
9453 was emitted before the data phase. All the timers are valid
9454 except "Tt" which is shorter than reality.
9455
9456 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
9457 or it aborted too early. Check the session termination flags
9458 then "timeout http-request" and "timeout client" settings.
9459
9460 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
9461 servers were out of order, because the request was invalid
9462 or forbidden by ACL rules. Check the session termination
9463 flags.
9464
9465 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
9466 actively refused it or it timed out after Tt-(Tq+Tw) ms.
9467 Check the session termination flags, then check the
9468 "timeout connect" setting. Note that the tarpit action might
9469 return similar-looking patterns, with "Tw" equal to the time
9470 the client connection was maintained open.
9471
9472 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
9473 a complete response in time, or it closed its connexion
9474 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
9475 termination flags, then check the "timeout server" setting.
9476
9477
Willy Tarreauc57f0e22009-05-10 13:12:33 +020094788.5. Session state at disconnection
9479-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009480
9481TCP and HTTP logs provide a session termination indicator in the
9482"termination_state" field, just before the number of active connections. It is
94832-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
9484each of which has a special meaning :
9485
9486 - On the first character, a code reporting the first event which caused the
9487 session to terminate :
9488
9489 C : the TCP session was unexpectedly aborted by the client.
9490
9491 S : the TCP session was unexpectedly aborted by the server, or the
9492 server explicitly refused it.
9493
9494 P : the session was prematurely aborted by the proxy, because of a
9495 connection limit enforcement, because a DENY filter was matched,
9496 because of a security check which detected and blocked a dangerous
9497 error in server response which might have caused information leak
9498 (eg: cacheable cookie), or because the response was processed by
9499 the proxy (redirect, stats, etc...).
9500
9501 R : a resource on the proxy has been exhausted (memory, sockets, source
9502 ports, ...). Usually, this appears during the connection phase, and
9503 system logs should contain a copy of the precise error. If this
9504 happens, it must be considered as a very serious anomaly which
9505 should be fixed as soon as possible by any means.
9506
9507 I : an internal error was identified by the proxy during a self-check.
9508 This should NEVER happen, and you are encouraged to report any log
9509 containing this, because this would almost certainly be a bug. It
9510 would be wise to preventively restart the process after such an
9511 event too, in case it would be caused by memory corruption.
9512
Simon Horman752dc4a2011-06-21 14:34:59 +09009513 D : the session was killed by haproxy because the server was detected
9514 as down and was configured to kill all connections when going down.
9515
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07009516 U : the session was killed by haproxy on this backup server because an
9517 active server was detected as up and was configured to kill all
9518 backup connections when going up.
9519
Willy Tarreaua2a64e92011-09-07 23:01:56 +02009520 K : the session was actively killed by an admin operating on haproxy.
9521
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009522 c : the client-side timeout expired while waiting for the client to
9523 send or receive data.
9524
9525 s : the server-side timeout expired while waiting for the server to
9526 send or receive data.
9527
9528 - : normal session completion, both the client and the server closed
9529 with nothing left in the buffers.
9530
9531 - on the second character, the TCP or HTTP session state when it was closed :
9532
Willy Tarreauf7b30a92010-12-06 22:59:17 +01009533 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009534 (HTTP mode only). Nothing was sent to any server.
9535
9536 Q : the proxy was waiting in the QUEUE for a connection slot. This can
9537 only happen when servers have a 'maxconn' parameter set. It can
9538 also happen in the global queue after a redispatch consecutive to
9539 a failed attempt to connect to a dying server. If no redispatch is
9540 reported, then no connection attempt was made to any server.
9541
9542 C : the proxy was waiting for the CONNECTION to establish on the
9543 server. The server might at most have noticed a connection attempt.
9544
9545 H : the proxy was waiting for complete, valid response HEADERS from the
9546 server (HTTP only).
9547
9548 D : the session was in the DATA phase.
9549
9550 L : the proxy was still transmitting LAST data to the client while the
9551 server had already finished. This one is very rare as it can only
9552 happen when the client dies while receiving the last packets.
9553
9554 T : the request was tarpitted. It has been held open with the client
9555 during the whole "timeout tarpit" duration or until the client
9556 closed, both of which will be reported in the "Tw" timer.
9557
9558 - : normal session completion after end of data transfer.
9559
9560 - the third character tells whether the persistence cookie was provided by
9561 the client (only in HTTP mode) :
9562
9563 N : the client provided NO cookie. This is usually the case for new
9564 visitors, so counting the number of occurrences of this flag in the
9565 logs generally indicate a valid trend for the site frequentation.
9566
9567 I : the client provided an INVALID cookie matching no known server.
9568 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02009569 cookies between HTTP/HTTPS sites, persistence conditionally
9570 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009571
9572 D : the client provided a cookie designating a server which was DOWN,
9573 so either "option persist" was used and the client was sent to
9574 this server, or it was not set and the client was redispatched to
9575 another server.
9576
Willy Tarreau996a92c2010-10-13 19:30:47 +02009577 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009578 server.
9579
Willy Tarreau996a92c2010-10-13 19:30:47 +02009580 E : the client provided a valid cookie, but with a last date which was
9581 older than what is allowed by the "maxidle" cookie parameter, so
9582 the cookie is consider EXPIRED and is ignored. The request will be
9583 redispatched just as if there was no cookie.
9584
9585 O : the client provided a valid cookie, but with a first date which was
9586 older than what is allowed by the "maxlife" cookie parameter, so
9587 the cookie is consider too OLD and is ignored. The request will be
9588 redispatched just as if there was no cookie.
9589
Willy Tarreauc89ccb62012-04-05 21:18:22 +02009590 U : a cookie was present but was not used to select the server because
9591 some other server selection mechanism was used instead (typically a
9592 "use-server" rule).
9593
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009594 - : does not apply (no cookie set in configuration).
9595
9596 - the last character reports what operations were performed on the persistence
9597 cookie returned by the server (only in HTTP mode) :
9598
9599 N : NO cookie was provided by the server, and none was inserted either.
9600
9601 I : no cookie was provided by the server, and the proxy INSERTED one.
9602 Note that in "cookie insert" mode, if the server provides a cookie,
9603 it will still be overwritten and reported as "I" here.
9604
Willy Tarreau996a92c2010-10-13 19:30:47 +02009605 U : the proxy UPDATED the last date in the cookie that was presented by
9606 the client. This can only happen in insert mode with "maxidle". It
9607 happens everytime there is activity at a different date than the
9608 date indicated in the cookie. If any other change happens, such as
9609 a redispatch, then the cookie will be marked as inserted instead.
9610
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009611 P : a cookie was PROVIDED by the server and transmitted as-is.
9612
9613 R : the cookie provided by the server was REWRITTEN by the proxy, which
9614 happens in "cookie rewrite" or "cookie prefix" modes.
9615
9616 D : the cookie provided by the server was DELETED by the proxy.
9617
9618 - : does not apply (no cookie set in configuration).
9619
Willy Tarreau996a92c2010-10-13 19:30:47 +02009620The combination of the two first flags gives a lot of information about what
9621was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009622helpful to detect server saturation, network troubles, local system resource
9623starvation, attacks, etc...
9624
9625The most common termination flags combinations are indicated below. They are
9626alphabetically sorted, with the lowercase set just after the upper case for
9627easier finding and understanding.
9628
9629 Flags Reason
9630
9631 -- Normal termination.
9632
9633 CC The client aborted before the connection could be established to the
9634 server. This can happen when haproxy tries to connect to a recently
9635 dead (or unchecked) server, and the client aborts while haproxy is
9636 waiting for the server to respond or for "timeout connect" to expire.
9637
9638 CD The client unexpectedly aborted during data transfer. This can be
9639 caused by a browser crash, by an intermediate equipment between the
9640 client and haproxy which decided to actively break the connection,
9641 by network routing issues between the client and haproxy, or by a
9642 keep-alive session between the server and the client terminated first
9643 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +01009644
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009645 cD The client did not send nor acknowledge any data for as long as the
9646 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +02009647 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009648
9649 CH The client aborted while waiting for the server to start responding.
9650 It might be the server taking too long to respond or the client
9651 clicking the 'Stop' button too fast.
9652
9653 cH The "timeout client" stroke while waiting for client data during a
9654 POST request. This is sometimes caused by too large TCP MSS values
9655 for PPPoE networks which cannot transport full-sized packets. It can
9656 also happen when client timeout is smaller than server timeout and
9657 the server takes too long to respond.
9658
9659 CQ The client aborted while its session was queued, waiting for a server
9660 with enough empty slots to accept it. It might be that either all the
9661 servers were saturated or that the assigned server was taking too
9662 long a time to respond.
9663
9664 CR The client aborted before sending a full HTTP request. Most likely
9665 the request was typed by hand using a telnet client, and aborted
9666 too early. The HTTP status code is likely a 400 here. Sometimes this
9667 might also be caused by an IDS killing the connection between haproxy
9668 and the client.
9669
9670 cR The "timeout http-request" stroke before the client sent a full HTTP
9671 request. This is sometimes caused by too large TCP MSS values on the
9672 client side for PPPoE networks which cannot transport full-sized
9673 packets, or by clients sending requests by hand and not typing fast
9674 enough, or forgetting to enter the empty line at the end of the
9675 request. The HTTP status code is likely a 408 here.
9676
9677 CT The client aborted while its session was tarpitted. It is important to
9678 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +02009679 wrong tarpit rules have been written. If a lot of them happen, it
9680 might make sense to lower the "timeout tarpit" value to something
9681 closer to the average reported "Tw" timer, in order not to consume
9682 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009683
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009684 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009685 the TCP connection (the proxy received a TCP RST or an ICMP message
9686 in return). Under some circumstances, it can also be the network
9687 stack telling the proxy that the server is unreachable (eg: no route,
9688 or no ARP response on local network). When this happens in HTTP mode,
9689 the status code is likely a 502 or 503 here.
9690
9691 sC The "timeout connect" stroke before a connection to the server could
9692 complete. When this happens in HTTP mode, the status code is likely a
9693 503 or 504 here.
9694
9695 SD The connection to the server died with an error during the data
9696 transfer. This usually means that haproxy has received an RST from
9697 the server or an ICMP message from an intermediate equipment while
9698 exchanging data with the server. This can be caused by a server crash
9699 or by a network issue on an intermediate equipment.
9700
9701 sD The server did not send nor acknowledge any data for as long as the
9702 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009703 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009704 load-balancers, ...), as well as keep-alive sessions maintained
9705 between the client and the server expiring first on haproxy.
9706
9707 SH The server aborted before sending its full HTTP response headers, or
9708 it crashed while processing the request. Since a server aborting at
9709 this moment is very rare, it would be wise to inspect its logs to
9710 control whether it crashed and why. The logged request may indicate a
9711 small set of faulty requests, demonstrating bugs in the application.
9712 Sometimes this might also be caused by an IDS killing the connection
9713 between haproxy and the server.
9714
9715 sH The "timeout server" stroke before the server could return its
9716 response headers. This is the most common anomaly, indicating too
9717 long transactions, probably caused by server or database saturation.
9718 The immediate workaround consists in increasing the "timeout server"
9719 setting, but it is important to keep in mind that the user experience
9720 will suffer from these long response times. The only long term
9721 solution is to fix the application.
9722
9723 sQ The session spent too much time in queue and has been expired. See
9724 the "timeout queue" and "timeout connect" settings to find out how to
9725 fix this if it happens too often. If it often happens massively in
9726 short periods, it may indicate general problems on the affected
9727 servers due to I/O or database congestion, or saturation caused by
9728 external attacks.
9729
9730 PC The proxy refused to establish a connection to the server because the
9731 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +02009732 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009733 so that it does not happen anymore. This status is very rare and
9734 might happen when the global "ulimit-n" parameter is forced by hand.
9735
Willy Tarreaued2fd2d2010-12-29 11:23:27 +01009736 PD The proxy blocked an incorrectly formatted chunked encoded message in
9737 a request or a response, after the server has emitted its headers. In
9738 most cases, this will indicate an invalid message from the server to
9739 the client.
9740
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009741 PH The proxy blocked the server's response, because it was invalid,
9742 incomplete, dangerous (cache control), or matched a security filter.
9743 In any case, an HTTP 502 error is sent to the client. One possible
9744 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +01009745 containing unauthorized characters. It is also possible but quite
9746 rare, that the proxy blocked a chunked-encoding request from the
9747 client due to an invalid syntax, before the server responded. In this
9748 case, an HTTP 400 error is sent to the client and reported in the
9749 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009750
9751 PR The proxy blocked the client's HTTP request, either because of an
9752 invalid HTTP syntax, in which case it returned an HTTP 400 error to
9753 the client, or because a deny filter matched, in which case it
9754 returned an HTTP 403 error.
9755
9756 PT The proxy blocked the client's request and has tarpitted its
9757 connection before returning it a 500 server error. Nothing was sent
9758 to the server. The connection was maintained open for as long as
9759 reported by the "Tw" timer field.
9760
9761 RC A local resource has been exhausted (memory, sockets, source ports)
9762 preventing the connection to the server from establishing. The error
9763 logs will tell precisely what was missing. This is very rare and can
9764 only be solved by proper system tuning.
9765
Willy Tarreau996a92c2010-10-13 19:30:47 +02009766The combination of the two last flags gives a lot of information about how
9767persistence was handled by the client, the server and by haproxy. This is very
9768important to troubleshoot disconnections, when users complain they have to
9769re-authenticate. The commonly encountered flags are :
9770
9771 -- Persistence cookie is not enabled.
9772
9773 NN No cookie was provided by the client, none was inserted in the
9774 response. For instance, this can be in insert mode with "postonly"
9775 set on a GET request.
9776
9777 II A cookie designating an invalid server was provided by the client,
9778 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009779 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +02009780 value can be presented by a client when no other server knows it.
9781
9782 NI No cookie was provided by the client, one was inserted in the
9783 response. This typically happens for first requests from every user
9784 in "insert" mode, which makes it an easy way to count real users.
9785
9786 VN A cookie was provided by the client, none was inserted in the
9787 response. This happens for most responses for which the client has
9788 already got a cookie.
9789
9790 VU A cookie was provided by the client, with a last visit date which is
9791 not completely up-to-date, so an updated cookie was provided in
9792 response. This can also happen if there was no date at all, or if
9793 there was a date but the "maxidle" parameter was not set, so that the
9794 cookie can be switched to unlimited time.
9795
9796 EI A cookie was provided by the client, with a last visit date which is
9797 too old for the "maxidle" parameter, so the cookie was ignored and a
9798 new cookie was inserted in the response.
9799
9800 OI A cookie was provided by the client, with a first visit date which is
9801 too old for the "maxlife" parameter, so the cookie was ignored and a
9802 new cookie was inserted in the response.
9803
9804 DI The server designated by the cookie was down, a new server was
9805 selected and a new cookie was emitted in the response.
9806
9807 VI The server designated by the cookie was not marked dead but could not
9808 be reached. A redispatch happened and selected another one, which was
9809 then advertised in the response.
9810
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009811
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098128.6. Non-printable characters
9813-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009814
9815In order not to cause trouble to log analysis tools or terminals during log
9816consulting, non-printable characters are not sent as-is into log files, but are
9817converted to the two-digits hexadecimal representation of their ASCII code,
9818prefixed by the character '#'. The only characters that can be logged without
9819being escaped are comprised between 32 and 126 (inclusive). Obviously, the
9820escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
9821is the same for the character '"' which becomes "#22", as well as '{', '|' and
9822'}' when logging headers.
9823
9824Note that the space character (' ') is not encoded in headers, which can cause
9825issues for tools relying on space count to locate fields. A typical header
9826containing spaces is "User-Agent".
9827
9828Last, it has been observed that some syslog daemons such as syslog-ng escape
9829the quote ('"') with a backslash ('\'). The reverse operation can safely be
9830performed since no quote may appear anywhere else in the logs.
9831
9832
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098338.7. Capturing HTTP cookies
9834---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009835
9836Cookie capture simplifies the tracking a complete user session. This can be
9837achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009838section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009839cookie will simultaneously be checked in the request ("Cookie:" header) and in
9840the response ("Set-Cookie:" header). The respective values will be reported in
9841the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009842locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009843not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
9844user switches to a new session for example, because the server will reassign it
9845a new cookie. It is also possible to detect if a server unexpectedly sets a
9846wrong cookie to a client, leading to session crossing.
9847
9848 Examples :
9849 # capture the first cookie whose name starts with "ASPSESSION"
9850 capture cookie ASPSESSION len 32
9851
9852 # capture the first cookie whose name is exactly "vgnvisitor"
9853 capture cookie vgnvisitor= len 32
9854
9855
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098568.8. Capturing HTTP headers
9857---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009858
9859Header captures are useful to track unique request identifiers set by an upper
9860proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
9861the response, one can search for information about the response length, how the
9862server asked the cache to behave, or an object location during a redirection.
9863
9864Header captures are performed using the "capture request header" and "capture
9865response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009866section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009867
9868It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009869time. Non-existent headers are logged as empty strings, and if one header
9870appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009871are grouped within braces '{' and '}' in the same order as they were declared,
9872and delimited with a vertical bar '|' without any space. Response headers
9873follow the same representation, but are displayed after a space following the
9874request headers block. These blocks are displayed just before the HTTP request
9875in the logs.
9876
9877 Example :
9878 # This instance chains to the outgoing proxy
9879 listen proxy-out
9880 mode http
9881 option httplog
9882 option logasap
9883 log global
9884 server cache1 192.168.1.1:3128
9885
9886 # log the name of the virtual server
9887 capture request header Host len 20
9888
9889 # log the amount of data uploaded during a POST
9890 capture request header Content-Length len 10
9891
9892 # log the beginning of the referrer
9893 capture request header Referer len 20
9894
9895 # server name (useful for outgoing proxies only)
9896 capture response header Server len 20
9897
9898 # logging the content-length is useful with "option logasap"
9899 capture response header Content-Length len 10
9900
9901 # log the expected cache behaviour on the response
9902 capture response header Cache-Control len 8
9903
9904 # the Via header will report the next proxy's name
9905 capture response header Via len 20
9906
9907 # log the URL location during a redirection
9908 capture response header Location len 20
9909
9910 >>> Aug 9 20:26:09 localhost \
9911 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
9912 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
9913 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
9914 "GET http://fr.adserver.yahoo.com/"
9915
9916 >>> Aug 9 20:30:46 localhost \
9917 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
9918 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
9919 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009920 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009921
9922 >>> Aug 9 20:30:46 localhost \
9923 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
9924 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
9925 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
9926 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009927 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009928
9929
Willy Tarreauc57f0e22009-05-10 13:12:33 +020099308.9. Examples of logs
9931---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009932
9933These are real-world examples of logs accompanied with an explanation. Some of
9934them have been made up by hand. The syslog part has been removed for better
9935reading. Their sole purpose is to explain how to decipher them.
9936
9937 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
9938 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
9939 "HEAD / HTTP/1.0"
9940
9941 => long request (6.5s) entered by hand through 'telnet'. The server replied
9942 in 147 ms, and the session ended normally ('----')
9943
9944 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
9945 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
9946 0/9 "HEAD / HTTP/1.0"
9947
9948 => Idem, but the request was queued in the global queue behind 9 other
9949 requests, and waited there for 1230 ms.
9950
9951 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
9952 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
9953 "GET /image.iso HTTP/1.0"
9954
9955 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009956 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009957 14 ms, 243 bytes of headers were sent to the client, and total time from
9958 accept to first data byte is 30 ms.
9959
9960 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
9961 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
9962 "GET /cgi-bin/bug.cgi? HTTP/1.0"
9963
9964 => the proxy blocked a server response either because of an "rspdeny" or
9965 "rspideny" filter, or because the response was improperly formatted and
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02009966 not HTTP-compliant, or because it blocked sensitive information which
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009967 risked being cached. In this case, the response is replaced with a "502
9968 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
9969 to return the 502 and not the server.
9970
9971 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009972 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009973
9974 => the client never completed its request and aborted itself ("C---") after
9975 8.5s, while the proxy was waiting for the request headers ("-R--").
9976 Nothing was sent to any server.
9977
9978 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
9979 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
9980
9981 => The client never completed its request, which was aborted by the
9982 time-out ("c---") after 50s, while the proxy was waiting for the request
9983 headers ("-R--"). Nothing was sent to any server, but the proxy could
9984 send a 408 return code to the client.
9985
9986 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
9987 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
9988
9989 => This log was produced with "option tcplog". The client timed out after
9990 5 seconds ("c----").
9991
9992 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
9993 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009994 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009995
9996 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009997 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009998 (config says 'retries 3'), and no redispatch (otherwise we would have
9999 seen "/+3"). Status code 503 was returned to the client. There were 115
10000 connections on this server, 202 connections on this proxy, and 205 on
10001 the global process. It is possible that the server refused the
10002 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010010003
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010004
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200100059. Statistics and monitoring
10006----------------------------
10007
10008It is possible to query HAProxy about its status. The most commonly used
10009mechanism is the HTTP statistics page. This page also exposes an alternative
10010CSV output format for monitoring tools. The same format is provided on the
10011Unix socket.
10012
10013
100149.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010015---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010016
Willy Tarreau7f062c42009-03-05 18:43:00 +010010017The statistics may be consulted either from the unix socket or from the HTTP
10018page. Both means provide a CSV format whose fields follow.
10019
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010020 0. pxname: proxy name
10021 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
10022 for server)
10023 2. qcur: current queued requests
10024 3. qmax: max queued requests
10025 4. scur: current sessions
10026 5. smax: max sessions
10027 6. slim: sessions limit
10028 7. stot: total sessions
10029 8. bin: bytes in
10030 9. bout: bytes out
10031 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010032 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010033 12. ereq: request errors
10034 13. econ: connection errors
Willy Tarreauae526782010-03-04 20:34:23 +010010035 14. eresp: response errors (among which srv_abrt)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010036 15. wretr: retries (warning)
10037 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +010010038 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010039 18. weight: server weight (server), total weight (backend)
10040 19. act: server is active (server), number of active servers (backend)
10041 20. bck: server is backup (server), number of backup servers (backend)
10042 21. chkfail: number of failed checks
10043 22. chkdown: number of UP->DOWN transitions
10044 23. lastchg: last status change (in seconds)
10045 24. downtime: total downtime (in seconds)
10046 25. qlimit: queue limit
10047 26. pid: process id (0 for first instance, 1 for second, ...)
10048 27. iid: unique proxy id
10049 28. sid: service id (unique inside a proxy)
10050 29. throttle: warm up status
10051 30. lbtot: total number of times a server was selected
10052 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +020010053 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +020010054 33. rate: number of sessions per second over last elapsed second
10055 34. rate_lim: limit on new sessions per second
10056 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +020010057 36. check_status: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +010010058 UNK -> unknown
10059 INI -> initializing
10060 SOCKERR -> socket error
10061 L4OK -> check passed on layer 4, no upper layers testing enabled
10062 L4TMOUT -> layer 1-4 timeout
10063 L4CON -> layer 1-4 connection problem, for example
10064 "Connection refused" (tcp rst) or "No route to host" (icmp)
10065 L6OK -> check passed on layer 6
10066 L6TOUT -> layer 6 (SSL) timeout
10067 L6RSP -> layer 6 invalid response - protocol error
10068 L7OK -> check passed on layer 7
10069 L7OKC -> check conditionally passed on layer 7, for example 404 with
10070 disable-on-404
10071 L7TOUT -> layer 7 (HTTP/SMTP) timeout
10072 L7RSP -> layer 7 invalid response - protocol error
10073 L7STS -> layer 7 response error, for example HTTP 5xx
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +020010074 37. check_code: layer5-7 code, if available
10075 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010076 39. hrsp_1xx: http responses with 1xx code
10077 40. hrsp_2xx: http responses with 2xx code
10078 41. hrsp_3xx: http responses with 3xx code
10079 42. hrsp_4xx: http responses with 4xx code
10080 43. hrsp_5xx: http responses with 5xx code
10081 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreaud63335a2010-02-26 12:56:52 +010010082 45. hanafail: failed health checks details
10083 46. req_rate: HTTP requests per second over last elapsed second
10084 47. req_rate_max: max number of HTTP requests per second observed
10085 48. req_tot: total number of HTTP requests received
Willy Tarreauae526782010-03-04 20:34:23 +010010086 49. cli_abrt: number of data transfers aborted by the client
10087 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
Willy Tarreau844e3c52008-01-11 16:28:18 +010010088
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010089
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200100909.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010091-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010092
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010093The following commands are supported on the UNIX stats socket ; all of them
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010094must be terminated by a line feed. The socket supports pipelining, so that it
10095is possible to chain multiple commands at once provided they are delimited by
10096a semi-colon or a line feed, although the former is more reliable as it has no
10097risk of being truncated over the network. The responses themselves will each be
10098followed by an empty line, so it will be easy for an external script to match a
10099given response with a given request. By default one command line is processed
10100then the connection closes, but there is an interactive allowing multiple lines
10101to be issued one at a time.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010102
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010103It is important to understand that when multiple haproxy processes are started
10104on the same sockets, any process may pick up the request and will output its
10105own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010106
Willy Tarreaud63335a2010-02-26 12:56:52 +010010107clear counters
10108 Clear the max values of the statistics counters in each proxy (frontend &
10109 backend) and in each server. The cumulated counters are not affected. This
10110 can be used to get clean counters after an incident, without having to
10111 restart nor to clear traffic counters. This command is restricted and can
10112 only be issued on sockets configured for levels "operator" or "admin".
10113
10114clear counters all
10115 Clear all statistics counters in each proxy (frontend & backend) and in each
10116 server. This has the same effect as restarting. This command is restricted
10117 and can only be issued on sockets configured for level "admin".
10118
Simon Hormanc88b8872011-06-15 15:18:49 +090010119clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
10120 Remove entries from the stick-table <table>.
10121
10122 This is typically used to unblock some users complaining they have been
10123 abusively denied access to a service, but this can also be used to clear some
10124 stickiness entries matching a server that is going to be replaced (see "show
10125 table" below for details). Note that sometimes, removal of an entry will be
10126 refused because it is currently tracked by a session. Retrying a few seconds
10127 later after the session ends is usual enough.
10128
10129 In the case where no options arguments are given all entries will be removed.
10130
10131 When the "data." form is used entries matching a filter applied using the
10132 stored data (see "stick-table" in section 4.2) are removed. A stored data
10133 type must be specified in <type>, and this data type must be stored in the
10134 table otherwise an error is reported. The data is compared according to
10135 <operator> with the 64-bit integer <value>. Operators are the same as with
10136 the ACLs :
10137
10138 - eq : match entries whose data is equal to this value
10139 - ne : match entries whose data is not equal to this value
10140 - le : match entries whose data is less than or equal to this value
10141 - ge : match entries whose data is greater than or equal to this value
10142 - lt : match entries whose data is less than this value
10143 - gt : match entries whose data is greater than this value
10144
10145 When the key form is used the entry <key> is removed. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090010146 same type as the table, which currently is limited to IPv4, IPv6, integer and
10147 string.
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010148
10149 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010150 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010151 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010152 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
10153 bytes_out_rate(60000)=187
10154 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10155 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010156
10157 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
10158
10159 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010160 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau62a36c42010-08-17 15:53:10 +020010161 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10162 bytes_out_rate(60000)=191
Simon Hormanc88b8872011-06-15 15:18:49 +090010163 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
10164 $ echo "show table http_proxy" | socat stdio /tmp/sock1
10165 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010166
Willy Tarreau532a4502011-09-07 22:37:44 +020010167disable frontend <frontend>
10168 Mark the frontend as temporarily stopped. This corresponds to the mode which
10169 is used during a soft restart : the frontend releases the port but can be
10170 enabled again if needed. This should be used with care as some non-Linux OSes
10171 are unable to enable it back. This is intended to be used in environments
10172 where stopping a proxy is not even imaginable but a misconfigured proxy must
10173 be fixed. That way it's possible to release the port and bind it into another
10174 process to restore operations. The frontend will appear with status "STOP"
10175 on the stats page.
10176
10177 The frontend may be specified either by its name or by its numeric ID,
10178 prefixed with a sharp ('#').
10179
10180 This command is restricted and can only be issued on sockets configured for
10181 level "admin".
10182
Willy Tarreaud63335a2010-02-26 12:56:52 +010010183disable server <backend>/<server>
10184 Mark the server DOWN for maintenance. In this mode, no more checks will be
10185 performed on the server until it leaves maintenance.
10186 If the server is tracked by other servers, those servers will be set to DOWN
10187 during the maintenance.
10188
10189 In the statistics page, a server DOWN for maintenance will appear with a
10190 "MAINT" status, its tracking servers with the "MAINT(via)" one.
10191
10192 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020010193 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010194
10195 This command is restricted and can only be issued on sockets configured for
10196 level "admin".
10197
Willy Tarreau532a4502011-09-07 22:37:44 +020010198enable frontend <frontend>
10199 Resume a frontend which was temporarily stopped. It is possible that some of
10200 the listening ports won't be able to bind anymore (eg: if another process
10201 took them since the 'disable frontend' operation). If this happens, an error
10202 is displayed. Some operating systems might not be able to resume a frontend
10203 which was disabled.
10204
10205 The frontend may be specified either by its name or by its numeric ID,
10206 prefixed with a sharp ('#').
10207
10208 This command is restricted and can only be issued on sockets configured for
10209 level "admin".
10210
Willy Tarreaud63335a2010-02-26 12:56:52 +010010211enable server <backend>/<server>
10212 If the server was previously marked as DOWN for maintenance, this marks the
10213 server UP and checks are re-enabled.
10214
10215 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020010216 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010217
10218 This command is restricted and can only be issued on sockets configured for
10219 level "admin".
10220
10221get weight <backend>/<server>
10222 Report the current weight and the initial weight of server <server> in
10223 backend <backend> or an error if either doesn't exist. The initial weight is
10224 the one that appears in the configuration file. Both are normally equal
10225 unless the current weight has been changed. Both the backend and the server
10226 may be specified either by their name or by their numeric ID, prefixed with a
Willy Tarreauf5f31922011-08-02 11:32:07 +020010227 sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010228
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010229help
10230 Print the list of known keywords and their basic usage. The same help screen
10231 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010232
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010233prompt
10234 Toggle the prompt at the beginning of the line and enter or leave interactive
10235 mode. In interactive mode, the connection is not closed after a command
10236 completes. Instead, the prompt will appear again, indicating the user that
10237 the interpreter is waiting for a new command. The prompt consists in a right
10238 angle bracket followed by a space "> ". This mode is particularly convenient
10239 when one wants to periodically check information such as stats or errors.
10240 It is also a good idea to enter interactive mode before issuing a "help"
10241 command.
10242
10243quit
10244 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010245
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020010246set maxconn frontend <frontend> <value>
10247 Dynamically change the specified frontend's maxconn setting. Any non-null
10248 positive value is allowed, but setting values larger than the global maxconn
10249 does not make much sense. If the limit is increased and connections were
10250 pending, they will immediately be accepted. If it is lowered to a value below
10251 the current number of connections, new connections acceptation will be
10252 delayed until the threshold is reached. The frontend might be specified by
10253 either its name or its numeric ID prefixed with a sharp ('#').
10254
Willy Tarreau91886b62011-09-07 14:38:31 +020010255set maxconn global <maxconn>
10256 Dynamically change the global maxconn setting within the range defined by the
10257 initial global maxconn setting. If it is increased and connections were
10258 pending, they will immediately be accepted. If it is lowered to a value below
10259 the current number of connections, new connections acceptation will be
10260 delayed until the threshold is reached. A value of zero restores the initial
10261 setting.
10262
Willy Tarreauf5b22872011-09-07 16:13:44 +020010263set rate-limit connections global <value>
10264 Change the process-wide connection rate limit, which is set by the global
10265 'maxconnrate' setting. A value of zero disables the limitation. This limit
10266 applies to all frontends and the change has an immediate effect. The value
10267 is passed in number of connections per second.
10268
Willy Tarreau654694e2012-06-07 01:03:16 +020010269set table <table> key <key> data.<data_type> <value>
10270 Create or update a stick-table entry in the table. If the key is not present,
10271 an entry is inserted. See stick-table in section 4.2 to find all possible
10272 values for <data_type>. The most likely use consists in dynamically entering
10273 entries for source IP addresses, with a flag in gpc0 to dynamically block an
10274 IP address or affect its quality of service.
10275
Willy Tarreaud63335a2010-02-26 12:56:52 +010010276set timeout cli <delay>
10277 Change the CLI interface timeout for current connection. This can be useful
10278 during long debugging sessions where the user needs to constantly inspect
10279 some indicators without being disconnected. The delay is passed in seconds.
10280
10281set weight <backend>/<server> <weight>[%]
10282 Change a server's weight to the value passed in argument. If the value ends
10283 with the '%' sign, then the new weight will be relative to the initially
10284 configured weight. Relative weights are only permitted between 0 and 100%,
10285 and absolute weights are permitted between 0 and 256. Servers which are part
10286 of a farm running a static load-balancing algorithm have stricter limitations
10287 because the weight cannot change once set. Thus for these servers, the only
10288 accepted values are 0 and 100% (or 0 and the initial weight). Changes take
10289 effect immediately, though certain LB algorithms require a certain amount of
10290 requests to consider changes. A typical usage of this command is to disable
10291 a server during an update by setting its weight to zero, then to enable it
10292 again after the update by setting it back to 100%. This command is restricted
10293 and can only be issued on sockets configured for level "admin". Both the
10294 backend and the server may be specified either by their name or by their
Willy Tarreauf5f31922011-08-02 11:32:07 +020010295 numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010296
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010297show errors [<iid>]
10298 Dump last known request and response errors collected by frontends and
10299 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +020010300 either frontend or backend whose ID is <iid>. This command is restricted
10301 and can only be issued on sockets configured for levels "operator" or
10302 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010303
10304 The errors which may be collected are the last request and response errors
10305 caused by protocol violations, often due to invalid characters in header
10306 names. The report precisely indicates what exact character violated the
10307 protocol. Other important information such as the exact date the error was
10308 detected, frontend and backend names, the server name (when known), the
10309 internal session ID and the source address which has initiated the session
10310 are reported too.
10311
10312 All characters are returned, and non-printable characters are encoded. The
10313 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
10314 letter following a backslash. The backslash itself is encoded as '\\' to
10315 avoid confusion. Other non-printable characters are encoded '\xNN' where
10316 NN is the two-digits hexadecimal representation of the character's ASCII
10317 code.
10318
10319 Lines are prefixed with the position of their first character, starting at 0
10320 for the beginning of the buffer. At most one input line is printed per line,
10321 and large lines will be broken into multiple consecutive output lines so that
10322 the output never goes beyond 79 characters wide. It is easy to detect if a
10323 line was broken, because it will not end with '\n' and the next line's offset
10324 will be followed by a '+' sign, indicating it is a continuation of previous
10325 line.
10326
10327 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010328 $ echo "show errors" | socat stdio /tmp/sock1
10329 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010330 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
10331 response length 213 bytes, error at position 23:
10332
10333 00000 HTTP/1.0 200 OK\r\n
10334 00017 header/bizarre:blah\r\n
10335 00038 Location: blah\r\n
10336 00054 Long-line: this is a very long line which should b
10337 00104+ e broken into multiple lines on the output buffer,
10338 00154+ otherwise it would be too large to print in a ter
10339 00204+ minal\r\n
10340 00211 \r\n
10341
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010342 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010343 ID 2 has blocked an invalid response from its server s2 which has internal
10344 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
10345 received by frontend fe-eth0 whose ID is 1. The total response length was
10346 213 bytes when the error was detected, and the error was at byte 23. This
10347 is the slash ('/') in header name "header/bizarre", which is not a valid
10348 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010349
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010350show info
10351 Dump info about haproxy status on current process.
10352
10353show sess
10354 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +020010355 be huge. This command is restricted and can only be issued on sockets
10356 configured for levels "operator" or "admin".
10357
Willy Tarreau66dc20a2010-03-05 17:53:32 +010010358show sess <id>
10359 Display a lot of internal information about the specified session identifier.
10360 This identifier is the first field at the beginning of the lines in the dumps
10361 of "show sess" (it corresponds to the session pointer). Those information are
10362 useless to most users but may be used by haproxy developers to troubleshoot a
10363 complex bug. The output format is intentionally not documented so that it can
10364 freely evolve depending on demands.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010365
10366show stat [<iid> <type> <sid>]
10367 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
10368 possible to dump only selected items :
10369 - <iid> is a proxy ID, -1 to dump everything
10370 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
10371 backends, 4 for servers, -1 for everything. These values can be ORed,
10372 for example:
10373 1 + 2 = 3 -> frontend + backend.
10374 1 + 2 + 4 = 7 -> frontend + backend + server.
10375 - <sid> is a server ID, -1 to dump everything from the selected proxy.
10376
10377 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010378 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
10379 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010380 Version: 1.4-dev2-49
10381 Release_date: 2009/09/23
10382 Nbproc: 1
10383 Process_num: 1
10384 (...)
10385
10386 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
10387 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
10388 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
10389 (...)
10390 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
10391
10392 $
10393
10394 Here, two commands have been issued at once. That way it's easy to find
10395 which process the stats apply to in multi-process mode. Notice the empty
10396 line after the information output which marks the end of the first block.
10397 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010398 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010399
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010400show table
10401 Dump general information on all known stick-tables. Their name is returned
10402 (the name of the proxy which holds them), their type (currently zero, always
10403 IP), their size in maximum possible number of entries, and the number of
10404 entries currently in use.
10405
10406 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010407 $ echo "show table" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010408 >>> # table: front_pub, type: ip, size:204800, used:171454
10409 >>> # table: back_rdp, type: ip, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010410
Simon Horman17bce342011-06-15 15:18:47 +090010411show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010412 Dump contents of stick-table <name>. In this mode, a first line of generic
10413 information about the table is reported as with "show table", then all
10414 entries are dumped. Since this can be quite heavy, it is possible to specify
Simon Horman17bce342011-06-15 15:18:47 +090010415 a filter in order to specify what entries to display.
10416
10417 When the "data." form is used the filter applies to the stored data (see
10418 "stick-table" in section 4.2). A stored data type must be specified
10419 in <type>, and this data type must be stored in the table otherwise an
10420 error is reported. The data is compared according to <operator> with the
10421 64-bit integer <value>. Operators are the same as with the ACLs :
10422
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010423 - eq : match entries whose data is equal to this value
10424 - ne : match entries whose data is not equal to this value
10425 - le : match entries whose data is less than or equal to this value
10426 - ge : match entries whose data is greater than or equal to this value
10427 - lt : match entries whose data is less than this value
10428 - gt : match entries whose data is greater than this value
10429
Simon Hormanc88b8872011-06-15 15:18:49 +090010430
10431 When the key form is used the entry <key> is shown. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090010432 same type as the table, which currently is limited to IPv4, IPv6, integer,
10433 and string.
Simon Horman17bce342011-06-15 15:18:47 +090010434
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010435 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010436 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010437 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010438 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
10439 bytes_out_rate(60000)=187
10440 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10441 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010442
Willy Tarreau62a36c42010-08-17 15:53:10 +020010443 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010444 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010445 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10446 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010447
Willy Tarreau62a36c42010-08-17 15:53:10 +020010448 $ echo "show table http_proxy data.conn_rate gt 5" | \
10449 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010450 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010451 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10452 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010453
Simon Horman17bce342011-06-15 15:18:47 +090010454 $ echo "show table http_proxy key 127.0.0.2" | \
10455 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010456 >>> # table: http_proxy, type: ip, size:204800, used:2
Simon Horman17bce342011-06-15 15:18:47 +090010457 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10458 bytes_out_rate(60000)=191
10459
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010460 When the data criterion applies to a dynamic value dependent on time such as
10461 a bytes rate, the value is dynamically computed during the evaluation of the
10462 entry in order to decide whether it has to be dumped or not. This means that
10463 such a filter could match for some time then not match anymore because as
10464 time goes, the average event rate drops.
10465
10466 It is possible to use this to extract lists of IP addresses abusing the
10467 service, in order to monitor them or even blacklist them in a firewall.
10468 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010469 $ echo "show table http_proxy data.gpc0 gt 0" \
10470 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010471 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
10472 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +020010473
Willy Tarreau532a4502011-09-07 22:37:44 +020010474shutdown frontend <frontend>
10475 Completely delete the specified frontend. All the ports it was bound to will
10476 be released. It will not be possible to enable the frontend anymore after
10477 this operation. This is intended to be used in environments where stopping a
10478 proxy is not even imaginable but a misconfigured proxy must be fixed. That
10479 way it's possible to release the port and bind it into another process to
10480 restore operations. The frontend will not appear at all on the stats page
10481 once it is terminated.
10482
10483 The frontend may be specified either by its name or by its numeric ID,
10484 prefixed with a sharp ('#').
10485
10486 This command is restricted and can only be issued on sockets configured for
10487 level "admin".
10488
Willy Tarreaua295edc2011-09-07 23:21:03 +020010489shutdown session <id>
10490 Immediately terminate the session matching the specified session identifier.
10491 This identifier is the first field at the beginning of the lines in the dumps
10492 of "show sess" (it corresponds to the session pointer). This can be used to
10493 terminate a long-running session without waiting for a timeout or when an
10494 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
10495 flag in the logs.
10496
Willy Tarreau52b2d222011-09-07 23:48:48 +020010497shutdown sessions <backend>/<server>
10498 Immediately terminate all the sessions attached to the specified server. This
10499 can be used to terminate long-running sessions after a server is put into
10500 maintenance mode, for instance. Such terminated sessions are reported with a
10501 'K' flag in the logs.
10502
Willy Tarreau0ba27502007-12-24 16:55:16 +010010503/*
10504 * Local variables:
10505 * fill-column: 79
10506 * End:
10507 */