blob: a1a743f0b9ad0d5f825b87339593afc37de5af1c [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
Willy Tarreau8317b282014-04-23 01:49:41 +02002 HAProxy
Willy Tarreau6a06a402007-07-15 20:15:28 +02003 Configuration Manual
4 ----------------------
Willy Tarreau33205c22020-07-07 16:35:28 +02005 version 2.3
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreaub7ffe192020-10-10 10:45:13 +02007 2020/10/10
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
Davor Ocelice9ed2812017-12-25 17:49:28 +010011specified above. It does not provide any hints, examples, or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Davor Ocelice9ed2812017-12-25 17:49:28 +010013The summary below is meant to help you find sections by name and navigate
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
Davor Ocelice9ed2812017-12-25 17:49:28 +010022 sometimes useful to prefix all output lines (logs, console outputs) with 3
23 closing angle brackets ('>>>') in order to emphasize the difference between
24 inputs and outputs when they may be ambiguous. If you add sections,
Willy Tarreau62a36c42010-08-17 15:53:10 +020025 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
Davor Ocelice9ed2812017-12-25 17:49:28 +0100341.2.1. The request line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200351.2.2. The request headers
361.3. HTTP response
Davor Ocelice9ed2812017-12-25 17:49:28 +0100371.3.1. The response line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
William Lallemandf9873ba2015-05-05 17:37:14 +0200422.2. Quoting and escaping
William Lallemandb2f07452015-05-12 14:27:13 +0200432.3. Environment variables
442.4. Time format
452.5. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020046
473. Global parameters
483.1. Process management and security
493.2. Performance tuning
503.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100513.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200523.5. Peers
Cyril Bonté307ee1e2015-09-28 23:16:06 +0200533.6. Mailers
William Lallemandc9515522019-06-12 16:32:11 +0200543.7. Programs
Christopher Faulet76edc0f2020-01-13 15:52:01 +0100553.8. HTTP-errors
Emeric Brun99c453d2020-05-25 15:01:04 +0200563.9. Rings
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057
584. Proxies
594.1. Proxy keywords matrix
604.2. Alphabetically sorted keywords reference
61
Davor Ocelice9ed2812017-12-25 17:49:28 +0100625. Bind and server options
Willy Tarreau086fbf52012-09-24 20:34:51 +0200635.1. Bind options
645.2. Server and default-server options
Baptiste Assmann1fa66662015-04-14 00:28:47 +0200655.3. Server DNS resolution
665.3.1. Global overview
675.3.2. The resolvers section
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068
Julien Pivotto6ccee412019-11-27 15:49:54 +0100696. Cache
706.1. Limitation
716.2. Setup
726.2.1. Cache section
736.2.2. Proxy section
74
Willy Tarreau74ca5042013-06-11 23:12:07 +0200757. Using ACLs and fetching samples
767.1. ACL basics
777.1.1. Matching booleans
787.1.2. Matching integers
797.1.3. Matching strings
807.1.4. Matching regular expressions (regexes)
817.1.5. Matching arbitrary data blocks
827.1.6. Matching IPv4 and IPv6 addresses
837.2. Using ACLs to form conditions
847.3. Fetching samples
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200857.3.1. Converters
867.3.2. Fetching samples from internal states
877.3.3. Fetching samples at Layer 4
887.3.4. Fetching samples at Layer 5
897.3.5. Fetching samples from buffer contents (Layer 6)
907.3.6. Fetching HTTP samples (Layer 7)
Christopher Faulete596d182020-05-05 17:46:34 +0200917.3.7. Fetching samples for developers
Willy Tarreau74ca5042013-06-11 23:12:07 +0200927.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020093
948. Logging
958.1. Log levels
968.2. Log formats
978.2.1. Default log format
988.2.2. TCP log format
998.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +01001008.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +01001018.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001028.3. Advanced logging options
1038.3.1. Disabling logging of external tests
1048.3.2. Logging before waiting for the session to terminate
1058.3.3. Raising log level upon errors
1068.3.4. Disabling logging of successful connections
1078.4. Timing events
1088.5. Session state at disconnection
1098.6. Non-printable characters
1108.7. Capturing HTTP cookies
1118.8. Capturing HTTP headers
1128.9. Examples of logs
113
Christopher Fauletc3fe5332016-04-07 15:30:10 +02001149. Supported filters
1159.1. Trace
1169.2. HTTP compression
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +02001179.3. Stream Processing Offload Engine (SPOE)
Christopher Faulet99a17a22018-12-11 09:18:27 +01001189.4. Cache
Christopher Fauletb30b3102019-09-12 23:03:09 +02001199.5. fcgi-app
Christopher Fauletc3fe5332016-04-07 15:30:10 +0200120
Christopher Fauletb30b3102019-09-12 23:03:09 +020012110. FastCGI applications
12210.1. Setup
12310.1.1. Fcgi-app section
12410.1.2. Proxy section
12510.1.3. Example
12610.2. Default parameters
12710.3. Limitations
128
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200129
1301. Quick reminder about HTTP
131----------------------------
132
Davor Ocelice9ed2812017-12-25 17:49:28 +0100133When HAProxy is running in HTTP mode, both the request and the response are
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200134fully analyzed and indexed, thus it becomes possible to build matching criteria
135on almost anything found in the contents.
136
137However, it is important to understand how HTTP requests and responses are
138formed, and how HAProxy decomposes them. It will then become easier to write
139correct rules and to debug existing configurations.
140
141
1421.1. The HTTP transaction model
143-------------------------------
144
145The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100146to one and only one response. Traditionally, a TCP connection is established
Davor Ocelice9ed2812017-12-25 17:49:28 +0100147from the client to the server, a request is sent by the client through the
148connection, the server responds, and the connection is closed. A new request
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200149will involve a new connection :
150
151 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
152
153In this mode, called the "HTTP close" mode, there are as many connection
154establishments as there are HTTP transactions. Since the connection is closed
155by the server after the response, the client does not need to know the content
156length.
157
158Due to the transactional nature of the protocol, it was possible to improve it
159to avoid closing a connection between two subsequent transactions. In this mode
160however, it is mandatory that the server indicates the content length for each
161response so that the client does not wait indefinitely. For this, a special
162header is used: "Content-length". This mode is called the "keep-alive" mode :
163
164 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
165
166Its advantages are a reduced latency between transactions, and less processing
167power required on the server side. It is generally better than the close mode,
168but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200169a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200170
Willy Tarreau95c4e142017-11-26 12:18:55 +0100171Another improvement in the communications is the pipelining mode. It still uses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200172keep-alive, but the client does not wait for the first response to send the
173second request. This is useful for fetching large number of images composing a
174page :
175
176 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
177
178This can obviously have a tremendous benefit on performance because the network
179latency is eliminated between subsequent requests. Many HTTP agents do not
180correctly support pipelining since there is no way to associate a response with
181the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100182server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200183
Willy Tarreau95c4e142017-11-26 12:18:55 +0100184The next improvement is the multiplexed mode, as implemented in HTTP/2. This
185time, each transaction is assigned a single stream identifier, and all streams
186are multiplexed over an existing connection. Many requests can be sent in
187parallel by the client, and responses can arrive in any order since they also
188carry the stream identifier.
189
Willy Tarreau70dffda2014-01-30 03:07:23 +0100190By default HAProxy operates in keep-alive mode with regards to persistent
191connections: for each connection it processes each request and response, and
192leaves the connection idle on both sides between the end of a response and the
Willy Tarreau95c4e142017-11-26 12:18:55 +0100193start of a new request. When it receives HTTP/2 connections from a client, it
194processes all the requests in parallel and leaves the connection idling,
195waiting for new requests, just as if it was a keep-alive HTTP connection.
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200196
Christopher Faulet315b39c2018-09-21 16:26:19 +0200197HAProxy supports 4 connection modes :
Willy Tarreau70dffda2014-01-30 03:07:23 +0100198 - keep alive : all requests and responses are processed (default)
199 - tunnel : only the first request and response are processed,
Christopher Faulet6c9bbb22019-03-26 21:37:23 +0100200 everything else is forwarded with no analysis (deprecated).
Willy Tarreau70dffda2014-01-30 03:07:23 +0100201 - server close : the server-facing connection is closed after the response.
Christopher Faulet315b39c2018-09-21 16:26:19 +0200202 - close : the connection is actively closed after end of response.
Willy Tarreau70dffda2014-01-30 03:07:23 +0100203
Willy Tarreau95c4e142017-11-26 12:18:55 +0100204
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200205
2061.2. HTTP request
207-----------------
208
209First, let's consider this HTTP request :
210
211 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100212 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200213 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
214 2 Host: www.mydomain.com
215 3 User-agent: my small browser
216 4 Accept: image/jpeg, image/gif
217 5 Accept: image/png
218
219
2201.2.1. The Request line
221-----------------------
222
223Line 1 is the "request line". It is always composed of 3 fields :
224
225 - a METHOD : GET
226 - a URI : /serv/login.php?lang=en&profile=2
227 - a version tag : HTTP/1.1
228
229All of them are delimited by what the standard calls LWS (linear white spaces),
230which are commonly spaces, but can also be tabs or line feeds/carriage returns
231followed by spaces/tabs. The method itself cannot contain any colon (':') and
232is limited to alphabetic letters. All those various combinations make it
233desirable that HAProxy performs the splitting itself rather than leaving it to
234the user to write a complex or inaccurate regular expression.
235
236The URI itself can have several forms :
237
238 - A "relative URI" :
239
240 /serv/login.php?lang=en&profile=2
241
242 It is a complete URL without the host part. This is generally what is
243 received by servers, reverse proxies and transparent proxies.
244
245 - An "absolute URI", also called a "URL" :
246
247 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
248
249 It is composed of a "scheme" (the protocol name followed by '://'), a host
250 name or address, optionally a colon (':') followed by a port number, then
251 a relative URI beginning at the first slash ('/') after the address part.
252 This is generally what proxies receive, but a server supporting HTTP/1.1
253 must accept this form too.
254
255 - a star ('*') : this form is only accepted in association with the OPTIONS
256 method and is not relayable. It is used to inquiry a next hop's
257 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100258
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200259 - an address:port combination : 192.168.0.12:80
260 This is used with the CONNECT method, which is used to establish TCP
261 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
262 other protocols too.
263
264In a relative URI, two sub-parts are identified. The part before the question
265mark is called the "path". It is typically the relative path to static objects
266on the server. The part after the question mark is called the "query string".
267It is mostly used with GET requests sent to dynamic scripts and is very
268specific to the language, framework or application in use.
269
Willy Tarreau95c4e142017-11-26 12:18:55 +0100270HTTP/2 doesn't convey a version information with the request, so the version is
Davor Ocelice9ed2812017-12-25 17:49:28 +0100271assumed to be the same as the one of the underlying protocol (i.e. "HTTP/2").
Willy Tarreau95c4e142017-11-26 12:18:55 +0100272
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200273
2741.2.2. The request headers
275--------------------------
276
277The headers start at the second line. They are composed of a name at the
278beginning of the line, immediately followed by a colon (':'). Traditionally,
279an LWS is added after the colon but that's not required. Then come the values.
280Multiple identical headers may be folded into one single line, delimiting the
281values with commas, provided that their order is respected. This is commonly
282encountered in the "Cookie:" field. A header may span over multiple lines if
283the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
284define a total of 3 values for the "Accept:" header.
285
Davor Ocelice9ed2812017-12-25 17:49:28 +0100286Contrary to a common misconception, header names are not case-sensitive, and
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200287their values are not either if they refer to other header names (such as the
Willy Tarreau95c4e142017-11-26 12:18:55 +0100288"Connection:" header). In HTTP/2, header names are always sent in lower case,
Willy Tarreau253c2512020-07-07 15:55:23 +0200289as can be seen when running in debug mode. Internally, all header names are
290normalized to lower case so that HTTP/1.x and HTTP/2 use the exact same
291representation, and they are sent as-is on the other side. This explains why an
292HTTP/1.x request typed with camel case is delivered in lower case.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200293
294The end of the headers is indicated by the first empty line. People often say
295that it's a double line feed, which is not exact, even if a double line feed
296is one valid form of empty line.
297
298Fortunately, HAProxy takes care of all these complex combinations when indexing
299headers, checking values and counting them, so there is no reason to worry
300about the way they could be written, but it is important not to accuse an
301application of being buggy if it does unusual, valid things.
302
303Important note:
Lukas Tribus23953682017-04-28 13:24:30 +0000304 As suggested by RFC7231, HAProxy normalizes headers by replacing line breaks
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200305 in the middle of headers by LWS in order to join multi-line headers. This
306 is necessary for proper analysis and helps less capable HTTP parsers to work
307 correctly and not to be fooled by such complex constructs.
308
309
3101.3. HTTP response
311------------------
312
313An HTTP response looks very much like an HTTP request. Both are called HTTP
314messages. Let's consider this HTTP response :
315
316 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100317 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200318 1 HTTP/1.1 200 OK
319 2 Content-length: 350
320 3 Content-Type: text/html
321
Willy Tarreau816b9792009-09-15 21:25:21 +0200322As a special case, HTTP supports so called "Informational responses" as status
323codes 1xx. These messages are special in that they don't convey any part of the
324response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100325continue to post its request for instance. In the case of a status 100 response
326the requested information will be carried by the next non-100 response message
327following the informational one. This implies that multiple responses may be
328sent to a single request, and that this only works when keep-alive is enabled
329(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
330correctly forward and skip them, and only process the next non-100 response. As
331such, these messages are neither logged nor transformed, unless explicitly
332state otherwise. Status 101 messages indicate that the protocol is changing
333over the same connection and that haproxy must switch to tunnel mode, just as
334if a CONNECT had occurred. Then the Upgrade header would contain additional
335information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200336
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200337
Davor Ocelice9ed2812017-12-25 17:49:28 +01003381.3.1. The response line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200339------------------------
340
341Line 1 is the "response line". It is always composed of 3 fields :
342
343 - a version tag : HTTP/1.1
344 - a status code : 200
345 - a reason : OK
346
347The status code is always 3-digit. The first digit indicates a general status :
Davor Ocelice9ed2812017-12-25 17:49:28 +0100348 - 1xx = informational message to be skipped (e.g. 100, 101)
349 - 2xx = OK, content is following (e.g. 200, 206)
350 - 3xx = OK, no content following (e.g. 302, 304)
351 - 4xx = error caused by the client (e.g. 401, 403, 404)
352 - 5xx = error caused by the server (e.g. 500, 502, 503)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200353
Lukas Tribus23953682017-04-28 13:24:30 +0000354Please refer to RFC7231 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100355"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200356found there, but it's a common practice to respect the well-established
357messages. It can be composed of one or multiple words, such as "OK", "Found",
358or "Authentication Required".
359
Davor Ocelice9ed2812017-12-25 17:49:28 +0100360HAProxy may emit the following status codes by itself :
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200361
362 Code When / reason
363 200 access to stats page, and when replying to monitoring requests
364 301 when performing a redirection, depending on the configured code
365 302 when performing a redirection, depending on the configured code
366 303 when performing a redirection, depending on the configured code
Willy Tarreaub67fdc42013-03-29 19:28:11 +0100367 307 when performing a redirection, depending on the configured code
368 308 when performing a redirection, depending on the configured code
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200369 400 for an invalid or too large request
370 401 when an authentication is required to perform the action (when
371 accessing the stats page)
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200372 403 when a request is forbidden by a "http-request deny" rule
Florian Tham9205fea2020-01-08 13:35:30 +0100373 404 when the requested resource could not be found
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200374 408 when the request timeout strikes before the request is complete
Florian Tham272e29b2020-01-08 10:19:05 +0100375 410 when the requested resource is no longer available and will not
376 be available again
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200377 500 when haproxy encounters an unrecoverable internal error, such as a
378 memory allocation failure, which should never happen
379 502 when the server returns an empty, invalid or incomplete response, or
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200380 when an "http-response deny" rule blocks the response.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200381 503 when no server was available to handle the request, or in response to
382 monitoring requests which match the "monitor fail" condition
383 504 when the response timeout strikes before the server responds
384
385The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3864.2).
387
388
3891.3.2. The response headers
390---------------------------
391
392Response headers work exactly like request headers, and as such, HAProxy uses
393the same parsing function for both. Please refer to paragraph 1.2.2 for more
394details.
395
396
3972. Configuring HAProxy
398----------------------
399
4002.1. Configuration file format
401------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200402
403HAProxy's configuration process involves 3 major sources of parameters :
404
405 - the arguments from the command-line, which always take precedence
406 - the "global" section, which sets process-wide parameters
407 - the proxies sections which can take form of "defaults", "listen",
408 "frontend" and "backend".
409
Willy Tarreau0ba27502007-12-24 16:55:16 +0100410The configuration file syntax consists in lines beginning with a keyword
411referenced in this manual, optionally followed by one or several parameters
William Lallemandf9873ba2015-05-05 17:37:14 +0200412delimited by spaces.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100413
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200414
William Lallemandf9873ba2015-05-05 17:37:14 +02004152.2. Quoting and escaping
416-------------------------
417
418HAProxy's configuration introduces a quoting and escaping system similar to
419many programming languages. The configuration file supports 3 types: escaping
420with a backslash, weak quoting with double quotes, and strong quoting with
421single quotes.
422
423If spaces have to be entered in strings, then they must be escaped by preceding
424them by a backslash ('\') or by quoting them. Backslashes also have to be
425escaped by doubling or strong quoting them.
426
427Escaping is achieved by preceding a special character by a backslash ('\'):
428
429 \ to mark a space and differentiate it from a delimiter
430 \# to mark a hash and differentiate it from a comment
431 \\ to use a backslash
432 \' to use a single quote and differentiate it from strong quoting
433 \" to use a double quote and differentiate it from weak quoting
434
435Weak quoting is achieved by using double quotes (""). Weak quoting prevents
436the interpretation of:
437
438 space as a parameter separator
439 ' single quote as a strong quoting delimiter
440 # hash as a comment start
441
William Lallemandb2f07452015-05-12 14:27:13 +0200442Weak quoting permits the interpretation of variables, if you want to use a non
443-interpreted dollar within a double quoted string, you should escape it with a
444backslash ("\$"), it does not work outside weak quoting.
445
446Interpretation of escaping and special characters are not prevented by weak
William Lallemandf9873ba2015-05-05 17:37:14 +0200447quoting.
448
449Strong quoting is achieved by using single quotes (''). Inside single quotes,
450nothing is interpreted, it's the efficient way to quote regexes.
451
452Quoted and escaped strings are replaced in memory by their interpreted
453equivalent, it allows you to perform concatenation.
454
455 Example:
456 # those are equivalents:
457 log-format %{+Q}o\ %t\ %s\ %{-Q}r
458 log-format "%{+Q}o %t %s %{-Q}r"
459 log-format '%{+Q}o %t %s %{-Q}r'
460 log-format "%{+Q}o %t"' %s %{-Q}r'
461 log-format "%{+Q}o %t"' %s'\ %{-Q}r
462
463 # those are equivalents:
464 reqrep "^([^\ :]*)\ /static/(.*)" \1\ /\2
465 reqrep "^([^ :]*)\ /static/(.*)" '\1 /\2'
466 reqrep "^([^ :]*)\ /static/(.*)" "\1 /\2"
467 reqrep "^([^ :]*)\ /static/(.*)" "\1\ /\2"
468
469
William Lallemandb2f07452015-05-12 14:27:13 +02004702.3. Environment variables
471--------------------------
472
473HAProxy's configuration supports environment variables. Those variables are
474interpreted only within double quotes. Variables are expanded during the
475configuration parsing. Variable names must be preceded by a dollar ("$") and
476optionally enclosed with braces ("{}") similarly to what is done in Bourne
477shell. Variable names can contain alphanumerical characters or the character
Amaury Denoyellefa41cb62020-10-01 14:32:35 +0200478underscore ("_") but should not start with a digit. If the variable contains a
479list of several values separated by spaces, it can be expanded as individual
480arguments by enclosing the variable with braces and appending the suffix '[*]'
481before the closing brace.
William Lallemandb2f07452015-05-12 14:27:13 +0200482
483 Example:
484
485 bind "fd@${FD_APP1}"
486
487 log "${LOCAL_SYSLOG}:514" local0 notice # send to local server
488
489 user "$HAPROXY_USER"
490
William Lallemand4d03e432019-06-14 15:35:37 +0200491Some variables are defined by HAProxy, they can be used in the configuration
492file, or could be inherited by a program (See 3.7. Programs):
William Lallemanddaf4cd22018-04-17 16:46:13 +0200493
William Lallemand4d03e432019-06-14 15:35:37 +0200494* HAPROXY_LOCALPEER: defined at the startup of the process which contains the
495 name of the local peer. (See "-L" in the management guide.)
496
497* HAPROXY_CFGFILES: list of the configuration files loaded by HAProxy,
498 separated by semicolons. Can be useful in the case you specified a
499 directory.
500
501* HAPROXY_MWORKER: In master-worker mode, this variable is set to 1.
502
John Roeslerfb2fce12019-07-10 15:45:51 -0500503* HAPROXY_CLI: configured listeners addresses of the stats socket for every
William Lallemand4d03e432019-06-14 15:35:37 +0200504 processes, separated by semicolons.
505
John Roeslerfb2fce12019-07-10 15:45:51 -0500506* HAPROXY_MASTER_CLI: In master-worker mode, listeners addresses of the master
William Lallemand4d03e432019-06-14 15:35:37 +0200507 CLI, separated by semicolons.
508
509See also "external-check command" for other variables.
William Lallemandb2f07452015-05-12 14:27:13 +0200510
5112.4. Time format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200512----------------
513
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100514Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100515values are generally expressed in milliseconds (unless explicitly stated
516otherwise) but may be expressed in any other unit by suffixing the unit to the
517numeric value. It is important to consider this because it will not be repeated
518for every keyword. Supported units are :
519
520 - us : microseconds. 1 microsecond = 1/1000000 second
521 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
522 - s : seconds. 1s = 1000ms
523 - m : minutes. 1m = 60s = 60000ms
524 - h : hours. 1h = 60m = 3600s = 3600000ms
525 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
526
527
Lukas Tribusaa83a312017-03-21 09:25:09 +00005282.5. Examples
Patrick Mezard35da19c2010-06-12 17:02:47 +0200529-------------
530
531 # Simple configuration for an HTTP proxy listening on port 80 on all
532 # interfaces and forwarding requests to a single backend "servers" with a
533 # single server "server1" listening on 127.0.0.1:8000
534 global
535 daemon
536 maxconn 256
537
538 defaults
539 mode http
540 timeout connect 5000ms
541 timeout client 50000ms
542 timeout server 50000ms
543
544 frontend http-in
545 bind *:80
546 default_backend servers
547
548 backend servers
549 server server1 127.0.0.1:8000 maxconn 32
550
551
552 # The same configuration defined with a single listen block. Shorter but
553 # less expressive, especially in HTTP mode.
554 global
555 daemon
556 maxconn 256
557
558 defaults
559 mode http
560 timeout connect 5000ms
561 timeout client 50000ms
562 timeout server 50000ms
563
564 listen http-in
565 bind *:80
566 server server1 127.0.0.1:8000 maxconn 32
567
568
569Assuming haproxy is in $PATH, test these configurations in a shell with:
570
Willy Tarreauccb289d2010-12-11 20:19:38 +0100571 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200572
573
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005743. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200575--------------------
576
577Parameters in the "global" section are process-wide and often OS-specific. They
578are generally set once for all and do not need being changed once correct. Some
579of them have command-line equivalents.
580
581The following keywords are supported in the "global" section :
582
583 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200584 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200585 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200586 - crt-base
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200587 - cpu-map
Willy Tarreau6a06a402007-07-15 20:15:28 +0200588 - daemon
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200589 - description
590 - deviceatlas-json-file
591 - deviceatlas-log-level
592 - deviceatlas-separator
593 - deviceatlas-properties-cookie
Simon Horman98637e52014-06-20 12:30:16 +0900594 - external-check
Willy Tarreau6a06a402007-07-15 20:15:28 +0200595 - gid
596 - group
Cyril Bonté203ec5a2017-03-23 22:44:13 +0100597 - hard-stop-after
Christopher Faulet98fbe952019-07-22 16:18:24 +0200598 - h1-case-adjust
599 - h1-case-adjust-file
Willy Tarreaud96f1122019-12-03 07:07:36 +0100600 - insecure-fork-wanted
Willy Tarreaua45a8b52019-12-06 16:31:45 +0100601 - insecure-setuid-wanted
Emmanuel Hocdet70df7bf2019-01-04 11:08:20 +0100602 - issuers-chain-path
Dragan Dosen13cd54c2020-06-18 18:24:05 +0200603 - localpeer
Willy Tarreau6a06a402007-07-15 20:15:28 +0200604 - log
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200605 - log-tag
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100606 - log-send-hostname
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200607 - lua-load
Tim Duesterhusdd74b5f2020-01-12 13:55:40 +0100608 - lua-prepend-path
William Lallemand27edc4b2019-05-07 17:49:33 +0200609 - mworker-max-reloads
Willy Tarreau6a06a402007-07-15 20:15:28 +0200610 - nbproc
Christopher Fauletbe0faa22017-08-29 15:37:10 +0200611 - nbthread
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200612 - node
Willy Tarreau6a06a402007-07-15 20:15:28 +0200613 - pidfile
Willy Tarreau119e50e2020-05-22 13:53:29 +0200614 - pp2-never-send-local
Willy Tarreau1d549722016-02-16 12:41:57 +0100615 - presetenv
616 - resetenv
Willy Tarreau6a06a402007-07-15 20:15:28 +0200617 - uid
618 - ulimit-n
619 - user
Willy Tarreau636848a2019-04-15 19:38:50 +0200620 - set-dumpable
Willy Tarreau1d549722016-02-16 12:41:57 +0100621 - setenv
Willy Tarreaufbee7132007-10-18 13:53:22 +0200622 - stats
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200623 - ssl-default-bind-ciphers
Dirkjan Bussink415150f2018-09-14 11:14:21 +0200624 - ssl-default-bind-ciphersuites
Jerome Magninb203ff62020-04-03 15:28:22 +0200625 - ssl-default-bind-curves
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200626 - ssl-default-bind-options
627 - ssl-default-server-ciphers
Dirkjan Bussink415150f2018-09-14 11:14:21 +0200628 - ssl-default-server-ciphersuites
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200629 - ssl-default-server-options
630 - ssl-dh-param-file
Emeric Brun850efd52014-01-29 12:24:34 +0100631 - ssl-server-verify
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +0200632 - ssl-skip-self-issued-ca
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100633 - unix-bind
Willy Tarreau1d549722016-02-16 12:41:57 +0100634 - unsetenv
Thomas Holmesdb04f192015-05-18 13:21:39 +0100635 - 51degrees-data-file
636 - 51degrees-property-name-list
Dragan Dosen93b38d92015-06-29 16:43:25 +0200637 - 51degrees-property-separator
Dragan Dosenae6d39a2015-06-29 16:43:27 +0200638 - 51degrees-cache-size
Willy Tarreaub3cc9f22019-04-19 16:03:32 +0200639 - wurfl-data-file
640 - wurfl-information-list
641 - wurfl-information-list-separator
Willy Tarreaub3cc9f22019-04-19 16:03:32 +0200642 - wurfl-cache-size
William Dauchy0fec3ab2019-10-27 20:08:11 +0100643 - strict-limits
Willy Tarreaud72758d2010-01-12 10:42:19 +0100644
Willy Tarreau6a06a402007-07-15 20:15:28 +0200645 * Performance tuning
William Dauchy0a8824f2019-10-27 20:08:09 +0100646 - busy-polling
Willy Tarreau1746eec2014-04-25 10:46:47 +0200647 - max-spread-checks
Willy Tarreau6a06a402007-07-15 20:15:28 +0200648 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200649 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +0100650 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +0100651 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100652 - maxpipes
Willy Tarreau93e7c002013-10-07 18:51:07 +0200653 - maxsessrate
Willy Tarreau403edff2012-09-06 11:58:37 +0200654 - maxsslconn
Willy Tarreaue43d5322013-10-07 20:01:52 +0200655 - maxsslrate
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200656 - maxzlibmem
Willy Tarreau6a06a402007-07-15 20:15:28 +0200657 - noepoll
658 - nokqueue
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +0000659 - noevports
Willy Tarreau6a06a402007-07-15 20:15:28 +0200660 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100661 - nosplice
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300662 - nogetaddrinfo
Lukas Tribusa0bcbdc2016-09-12 21:42:20 +0000663 - noreuseport
Willy Tarreau75c62c22018-11-22 11:02:09 +0100664 - profiling.tasks
Willy Tarreaufe255b72007-10-14 23:09:26 +0200665 - spread-checks
Baptiste Assmann5626f482015-08-23 10:00:10 +0200666 - server-state-base
Baptiste Assmannef1f0fc2015-08-23 10:06:39 +0200667 - server-state-file
Grant Zhang872f9c22017-01-21 01:10:18 +0000668 - ssl-engine
Grant Zhangfa6c7ee2017-01-14 01:42:15 +0000669 - ssl-mode-async
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200670 - tune.buffers.limit
671 - tune.buffers.reserve
Willy Tarreau27a674e2009-08-17 07:23:33 +0200672 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200673 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +0100674 - tune.comp.maxlevel
Willy Tarreaubc52bec2020-06-18 08:58:47 +0200675 - tune.fd.edge-triggered
Willy Tarreaufe20e5b2017-07-27 11:42:14 +0200676 - tune.h2.header-table-size
Willy Tarreaue6baec02017-07-27 11:45:11 +0200677 - tune.h2.initial-window-size
Willy Tarreau5242ef82017-07-27 11:47:28 +0200678 - tune.h2.max-concurrent-streams
Willy Tarreau193b8c62012-11-22 00:17:38 +0100679 - tune.http.cookielen
Stéphane Cottin23e9e932017-05-18 08:58:41 +0200680 - tune.http.logurilen
Willy Tarreauac1932d2011-10-24 19:14:41 +0200681 - tune.http.maxhdr
Willy Tarreau76cc6992020-07-01 18:49:24 +0200682 - tune.idle-pool.shared
Willy Tarreau7e312732014-02-12 16:35:14 +0100683 - tune.idletimer
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100684 - tune.lua.forced-yield
Willy Tarreau32f61e22015-03-18 17:54:59 +0100685 - tune.lua.maxmem
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100686 - tune.lua.session-timeout
687 - tune.lua.task-timeout
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +0200688 - tune.lua.service-timeout
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100689 - tune.maxaccept
690 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200691 - tune.maxrewrite
Willy Tarreauf3045d22015-04-29 16:24:50 +0200692 - tune.pattern.cache-size
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200693 - tune.pipesize
Willy Tarreaua8e2d972020-07-01 18:27:16 +0200694 - tune.pool-high-fd-ratio
695 - tune.pool-low-fd-ratio
Willy Tarreaue803de22010-01-21 17:43:04 +0100696 - tune.rcvbuf.client
697 - tune.rcvbuf.server
Willy Tarreaub22fc302015-12-14 12:04:35 +0100698 - tune.recv_enough
Olivier Houchard1599b802018-05-24 18:59:04 +0200699 - tune.runqueue-depth
Willy Tarreaue7723bd2020-06-24 11:11:02 +0200700 - tune.sched.low-latency
Willy Tarreaue803de22010-01-21 17:43:04 +0100701 - tune.sndbuf.client
702 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100703 - tune.ssl.cachesize
William Lallemand7d42ef52020-07-06 11:41:30 +0200704 - tune.ssl.keylog
Willy Tarreaubfd59462013-02-21 07:46:09 +0100705 - tune.ssl.lifetime
Emeric Brun8dc60392014-05-09 13:52:00 +0200706 - tune.ssl.force-private-cache
Willy Tarreaubfd59462013-02-21 07:46:09 +0100707 - tune.ssl.maxrecord
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200708 - tune.ssl.default-dh-param
Christopher Faulet31af49d2015-06-09 17:29:50 +0200709 - tune.ssl.ssl-ctx-cache-size
Thierry FOURNIER5bf77322017-02-25 12:45:22 +0100710 - tune.ssl.capture-cipherlist-size
Thierry FOURNIER4834bc72015-06-06 19:29:07 +0200711 - tune.vars.global-max-size
Christopher Fauletff2613e2016-11-09 11:36:17 +0100712 - tune.vars.proc-max-size
Thierry FOURNIER4834bc72015-06-06 19:29:07 +0200713 - tune.vars.reqres-max-size
714 - tune.vars.sess-max-size
715 - tune.vars.txn-max-size
William Lallemanda509e4c2012-11-07 16:54:34 +0100716 - tune.zlib.memlevel
717 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +0100718
Willy Tarreau6a06a402007-07-15 20:15:28 +0200719 * Debugging
Willy Tarreau6a06a402007-07-15 20:15:28 +0200720 - quiet
Willy Tarreau3eb10b82020-04-15 16:42:39 +0200721 - zero-warning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200722
723
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007243.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200725------------------------------------
726
Emeric Brunc8e8d122012-10-02 18:42:10 +0200727ca-base <dir>
728 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emmanuel Hocdet842e94e2019-12-16 16:39:17 +0100729 relative path is used with "ca-file", "ca-verify-file" or "crl-file"
730 directives. Absolute locations specified in "ca-file", "ca-verify-file" and
731 "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200732
Willy Tarreau6a06a402007-07-15 20:15:28 +0200733chroot <jail dir>
734 Changes current directory to <jail dir> and performs a chroot() there before
735 dropping privileges. This increases the security level in case an unknown
736 vulnerability would be exploited, since it would make it very hard for the
737 attacker to exploit the system. This only works when the process is started
738 with superuser privileges. It is important to ensure that <jail_dir> is both
Davor Ocelice9ed2812017-12-25 17:49:28 +0100739 empty and non-writable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100740
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100741cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
742 On Linux 2.6 and above, it is possible to bind a process or a thread to a
743 specific CPU set. This means that the process or the thread will never run on
744 other CPUs. The "cpu-map" directive specifies CPU sets for process or thread
745 sets. The first argument is a process set, eventually followed by a thread
746 set. These sets have the format
747
748 all | odd | even | number[-[number]]
749
750 <number>> must be a number between 1 and 32 or 64, depending on the machine's
Davor Ocelice9ed2812017-12-25 17:49:28 +0100751 word size. Any process IDs above nbproc and any thread IDs above nbthread are
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100752 ignored. It is possible to specify a range with two such number delimited by
753 a dash ('-'). It also is possible to specify all processes at once using
Christopher Faulet1dcb9cb2017-11-22 10:24:40 +0100754 "all", only odd numbers using "odd" or even numbers using "even", just like
755 with the "bind-process" directive. The second and forthcoming arguments are
Davor Ocelice9ed2812017-12-25 17:49:28 +0100756 CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a
Christopher Faulet1dcb9cb2017-11-22 10:24:40 +0100757 range with two such numbers delimited by a dash ('-'). Multiple CPU numbers
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100758 or ranges may be specified, and the processes or threads will be allowed to
Davor Ocelice9ed2812017-12-25 17:49:28 +0100759 bind to all of them. Obviously, multiple "cpu-map" directives may be
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100760 specified. Each "cpu-map" directive will replace the previous ones when they
761 overlap. A thread will be bound on the intersection of its mapping and the
762 one of the process on which it is attached. If the intersection is null, no
763 specific binding will be set for the thread.
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100764
Christopher Fauletff4121f2017-11-22 16:38:49 +0100765 Ranges can be partially defined. The higher bound can be omitted. In such
766 case, it is replaced by the corresponding maximum value, 32 or 64 depending
767 on the machine's word size.
768
Christopher Faulet26028f62017-11-22 15:01:51 +0100769 The prefix "auto:" can be added before the process set to let HAProxy
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100770 automatically bind a process or a thread to a CPU by incrementing
771 process/thread and CPU sets. To be valid, both sets must have the same
772 size. No matter the declaration order of the CPU sets, it will be bound from
773 the lowest to the highest bound. Having a process and a thread range with the
774 "auto:" prefix is not supported. Only one range is supported, the other one
775 must be a fixed number.
Christopher Faulet26028f62017-11-22 15:01:51 +0100776
777 Examples:
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100778 cpu-map 1-4 0-3 # bind processes 1 to 4 on the first 4 CPUs
779
780 cpu-map 1/all 0-3 # bind all threads of the first process on the
781 # first 4 CPUs
782
783 cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63"
784 # or "cpu-map 1-32 0-31" depending on the machine's
785 # word size.
786
Christopher Faulet26028f62017-11-22 15:01:51 +0100787 # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100788 # and so on.
Christopher Faulet26028f62017-11-22 15:01:51 +0100789 cpu-map auto:1-4 0-3
790 cpu-map auto:1-4 0-1 2-3
791 cpu-map auto:1-4 3 2 1 0
792
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100793 # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1
794 # and so on.
795 cpu-map auto:1/1-4 0-3
796 cpu-map auto:1/1-4 0-1 2-3
797 cpu-map auto:1/1-4 3 2 1 0
798
Davor Ocelice9ed2812017-12-25 17:49:28 +0100799 # bind each process to exactly one CPU using all/odd/even keyword
Christopher Faulet26028f62017-11-22 15:01:51 +0100800 cpu-map auto:all 0-63
801 cpu-map auto:even 0-31
802 cpu-map auto:odd 32-63
803
804 # invalid cpu-map because process and CPU sets have different sizes.
805 cpu-map auto:1-4 0 # invalid
806 cpu-map auto:1 0-3 # invalid
807
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100808 # invalid cpu-map because automatic binding is used with a process range
809 # and a thread range.
810 cpu-map auto:all/all 0 # invalid
811 cpu-map auto:all/1-4 0 # invalid
812 cpu-map auto:1-4/all 0 # invalid
813
Emeric Brunc8e8d122012-10-02 18:42:10 +0200814crt-base <dir>
815 Assigns a default directory to fetch SSL certificates from when a relative
William Dauchy238ea3b2020-01-11 13:09:12 +0100816 path is used with "crtfile" or "crt" directives. Absolute locations specified
817 prevail and ignore "crt-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200818
Willy Tarreau6a06a402007-07-15 20:15:28 +0200819daemon
820 Makes the process fork into background. This is the recommended mode of
821 operation. It is equivalent to the command line "-D" argument. It can be
Lukas Tribusf46bf952017-11-21 12:39:34 +0100822 disabled by the command line "-db" argument. This option is ignored in
823 systemd mode.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200824
David Carlier8167f302015-06-01 13:50:06 +0200825deviceatlas-json-file <path>
826 Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
Davor Ocelice9ed2812017-12-25 17:49:28 +0100827 The path must be a valid JSON data file and accessible by HAProxy process.
David Carlier8167f302015-06-01 13:50:06 +0200828
829deviceatlas-log-level <value>
Davor Ocelice9ed2812017-12-25 17:49:28 +0100830 Sets the level of information returned by the API. This directive is
David Carlier8167f302015-06-01 13:50:06 +0200831 optional and set to 0 by default if not set.
832
833deviceatlas-separator <char>
834 Sets the character separator for the API properties results. This directive
835 is optional and set to | by default if not set.
836
Cyril Bonté0306c4a2015-10-26 22:37:38 +0100837deviceatlas-properties-cookie <name>
Cyril Bonté307ee1e2015-09-28 23:16:06 +0200838 Sets the client cookie's name used for the detection if the DeviceAtlas
839 Client-side component was used during the request. This directive is optional
840 and set to DAPROPS by default if not set.
David Carlier29b3ca32015-09-25 14:09:21 +0100841
Simon Horman98637e52014-06-20 12:30:16 +0900842external-check
Willy Tarreaud96f1122019-12-03 07:07:36 +0100843 Allows the use of an external agent to perform health checks. This is
844 disabled by default as a security precaution, and even when enabled, checks
Willy Tarreaua45a8b52019-12-06 16:31:45 +0100845 may still fail unless "insecure-fork-wanted" is enabled as well. If the
846 program launched makes use of a setuid executable (it should really not),
847 you may also need to set "insecure-setuid-wanted" in the global section.
848 See "option external-check", and "insecure-fork-wanted", and
849 "insecure-setuid-wanted".
Simon Horman98637e52014-06-20 12:30:16 +0900850
Willy Tarreau6a06a402007-07-15 20:15:28 +0200851gid <number>
852 Changes the process' group ID to <number>. It is recommended that the group
853 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
854 be started with a user belonging to this group, or with superuser privileges.
Michael Schererab012dd2013-01-12 18:35:19 +0100855 Note that if haproxy is started from a user having supplementary groups, it
856 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200857 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100858
Willy Tarreau11770ce2019-12-03 08:29:22 +0100859group <group name>
860 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
861 See also "gid" and "user".
862
Cyril Bonté203ec5a2017-03-23 22:44:13 +0100863hard-stop-after <time>
864 Defines the maximum time allowed to perform a clean soft-stop.
865
866 Arguments :
867 <time> is the maximum time (by default in milliseconds) for which the
868 instance will remain alive when a soft-stop is received via the
869 SIGUSR1 signal.
870
871 This may be used to ensure that the instance will quit even if connections
872 remain opened during a soft-stop (for example with long timeouts for a proxy
873 in tcp mode). It applies both in TCP and HTTP mode.
874
875 Example:
876 global
877 hard-stop-after 30s
878
Christopher Faulet98fbe952019-07-22 16:18:24 +0200879h1-case-adjust <from> <to>
880 Defines the case adjustment to apply, when enabled, to the header name
881 <from>, to change it to <to> before sending it to HTTP/1 clients or
882 servers. <from> must be in lower case, and <from> and <to> must not differ
883 except for their case. It may be repeated if several header names need to be
Ilya Shipitsin8525fd92020-02-29 12:34:59 +0500884 adjusted. Duplicate entries are not allowed. If a lot of header names have to
Christopher Faulet98fbe952019-07-22 16:18:24 +0200885 be adjusted, it might be more convenient to use "h1-case-adjust-file".
886 Please note that no transformation will be applied unless "option
887 h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is
888 specified in a proxy.
889
890 There is no standard case for header names because, as stated in RFC7230,
891 they are case-insensitive. So applications must handle them in a case-
892 insensitive manner. But some bogus applications violate the standards and
893 erroneously rely on the cases most commonly used by browsers. This problem
894 becomes critical with HTTP/2 because all header names must be exchanged in
895 lower case, and HAProxy follows the same convention. All header names are
896 sent in lower case to clients and servers, regardless of the HTTP version.
897
898 Applications which fail to properly process requests or responses may require
899 to temporarily use such workarounds to adjust header names sent to them for
900 the time it takes the application to be fixed. Please note that an
901 application which requires such workarounds might be vulnerable to content
902 smuggling attacks and must absolutely be fixed.
903
904 Example:
905 global
906 h1-case-adjust content-length Content-Length
907
908 See "h1-case-adjust-file", "option h1-case-adjust-bogus-client" and
909 "option h1-case-adjust-bogus-server".
910
911h1-case-adjust-file <hdrs-file>
912 Defines a file containing a list of key/value pairs used to adjust the case
913 of some header names before sending them to HTTP/1 clients or servers. The
914 file <hdrs-file> must contain 2 header names per line. The first one must be
915 in lower case and both must not differ except for their case. Lines which
916 start with '#' are ignored, just like empty lines. Leading and trailing tabs
917 and spaces are stripped. Duplicate entries are not allowed. Please note that
918 no transformation will be applied unless "option h1-case-adjust-bogus-client"
919 or "option h1-case-adjust-bogus-server" is specified in a proxy.
920
921 If this directive is repeated, only the last one will be processed. It is an
922 alternative to the directive "h1-case-adjust" if a lot of header names need
923 to be adjusted. Please read the risks associated with using this.
924
925 See "h1-case-adjust", "option h1-case-adjust-bogus-client" and
926 "option h1-case-adjust-bogus-server".
927
Willy Tarreaud96f1122019-12-03 07:07:36 +0100928insecure-fork-wanted
929 By default haproxy tries hard to prevent any thread and process creation
930 after it starts. Doing so is particularly important when using Lua files of
931 uncertain origin, and when experimenting with development versions which may
932 still contain bugs whose exploitability is uncertain. And generally speaking
933 it's good hygiene to make sure that no unexpected background activity can be
934 triggered by traffic. But this prevents external checks from working, and may
935 break some very specific Lua scripts which actively rely on the ability to
936 fork. This option is there to disable this protection. Note that it is a bad
937 idea to disable it, as a vulnerability in a library or within haproxy itself
938 will be easier to exploit once disabled. In addition, forking from Lua or
939 anywhere else is not reliable as the forked process may randomly embed a lock
940 set by another thread and never manage to finish an operation. As such it is
941 highly recommended that this option is never used and that any workload
942 requiring such a fork be reconsidered and moved to a safer solution (such as
943 agents instead of external checks). This option supports the "no" prefix to
944 disable it.
945
Willy Tarreaua45a8b52019-12-06 16:31:45 +0100946insecure-setuid-wanted
947 HAProxy doesn't need to call executables at run time (except when using
948 external checks which are strongly recommended against), and is even expected
949 to isolate itself into an empty chroot. As such, there basically is no valid
950 reason to allow a setuid executable to be called without the user being fully
951 aware of the risks. In a situation where haproxy would need to call external
952 checks and/or disable chroot, exploiting a vulnerability in a library or in
953 haproxy itself could lead to the execution of an external program. On Linux
954 it is possible to lock the process so that any setuid bit present on such an
955 executable is ignored. This significantly reduces the risk of privilege
956 escalation in such a situation. This is what haproxy does by default. In case
957 this causes a problem to an external check (for example one which would need
958 the "ping" command), then it is possible to disable this protection by
959 explicitly adding this directive in the global section. If enabled, it is
960 possible to turn it back off by prefixing it with the "no" keyword.
961
Emmanuel Hocdet70df7bf2019-01-04 11:08:20 +0100962issuers-chain-path <dir>
963 Assigns a directory to load certificate chain for issuer completion. All
964 files must be in PEM format. For certificates loaded with "crt" or "crt-list",
965 if certificate chain is not included in PEM (also commonly known as
966 intermediate certificate), haproxy will complete chain if the issuer of the
967 certificate corresponds to the first certificate of the chain loaded with
968 "issuers-chain-path".
969 A "crt" file with PrivateKey+Certificate+IntermediateCA2+IntermediateCA1
970 could be replaced with PrivateKey+Certificate. HAProxy will complete the
971 chain if a file with IntermediateCA2+IntermediateCA1 is present in
972 "issuers-chain-path" directory. All other certificates with the same issuer
973 will share the chain in memory.
974
Dragan Dosen13cd54c2020-06-18 18:24:05 +0200975localpeer <name>
976 Sets the local instance's peer name. It will be ignored if the "-L"
977 command line argument is specified or if used after "peers" section
978 definitions. In such cases, a warning message will be emitted during
979 the configuration parsing.
980
981 This option will also set the HAPROXY_LOCALPEER environment variable.
982 See also "-L" in the management guide and "peers" section below.
983
Frédéric Lécailled690dfa2019-04-25 10:52:17 +0200984log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>]
985 <facility> [max level [min level]]
Cyril Bonté3e954872018-03-20 23:30:27 +0100986 Adds a global syslog server. Several global servers can be defined. They
Davor Ocelice9ed2812017-12-25 17:49:28 +0100987 will receive logs for starts and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100988 configured with "log global".
989
990 <address> can be one of:
991
Willy Tarreau2769aa02007-12-27 18:26:09 +0100992 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100993 no port is specified, 514 is used by default (the standard syslog
994 port).
995
David du Colombier24bb5f52011-03-17 10:40:23 +0100996 - An IPv6 address followed by a colon and optionally a UDP port. If
997 no port is specified, 514 is used by default (the standard syslog
998 port).
999
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01001000 - A filesystem path to a datagram UNIX domain socket, keeping in mind
Robert Tsai81ae1952007-12-05 10:47:29 +01001001 considerations for chroot (be sure the path is accessible inside
1002 the chroot) and uid/gid (be sure the path is appropriately
Davor Ocelice9ed2812017-12-25 17:49:28 +01001003 writable).
Robert Tsai81ae1952007-12-05 10:47:29 +01001004
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01001005 - A file descriptor number in the form "fd@<number>", which may point
1006 to a pipe, terminal, or socket. In this case unbuffered logs are used
1007 and one writev() call per log is performed. This is a bit expensive
1008 but acceptable for most workloads. Messages sent this way will not be
1009 truncated but may be dropped, in which case the DroppedLogs counter
1010 will be incremented. The writev() call is atomic even on pipes for
1011 messages up to PIPE_BUF size, which POSIX recommends to be at least
1012 512 and which is 4096 bytes on most modern operating systems. Any
1013 larger message may be interleaved with messages from other processes.
1014 Exceptionally for debugging purposes the file descriptor may also be
1015 directed to a file, but doing so will significantly slow haproxy down
1016 as non-blocking calls will be ignored. Also there will be no way to
1017 purge nor rotate this file without restarting the process. Note that
1018 the configured syslog format is preserved, so the output is suitable
Willy Tarreauc1b06452018-11-12 11:57:56 +01001019 for use with a TCP syslog server. See also the "short" and "raw"
1020 format below.
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01001021
1022 - "stdout" / "stderr", which are respectively aliases for "fd@1" and
1023 "fd@2", see above.
1024
Willy Tarreauc046d162019-08-30 15:24:59 +02001025 - A ring buffer in the form "ring@<name>", which will correspond to an
1026 in-memory ring buffer accessible over the CLI using the "show events"
1027 command, which will also list existing rings and their sizes. Such
1028 buffers are lost on reload or restart but when used as a complement
1029 this can help troubleshooting by having the logs instantly available.
1030
William Lallemandb2f07452015-05-12 14:27:13 +02001031 You may want to reference some environment variables in the address
1032 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01001033
Willy Tarreau18324f52014-06-27 18:10:07 +02001034 <length> is an optional maximum line length. Log lines larger than this value
1035 will be truncated before being sent. The reason is that syslog
1036 servers act differently on log line length. All servers support the
1037 default value of 1024, but some servers simply drop larger lines
1038 while others do log them. If a server supports long lines, it may
1039 make sense to set this value here in order to avoid truncating long
1040 lines. Similarly, if a server drops long lines, it is preferable to
1041 truncate them before sending them. Accepted values are 80 to 65535
1042 inclusive. The default value of 1024 is generally fine for all
1043 standard usages. Some specific cases of long captures or
Davor Ocelice9ed2812017-12-25 17:49:28 +01001044 JSON-formatted logs may require larger values. You may also need to
1045 increase "tune.http.logurilen" if your request URIs are truncated.
Willy Tarreau18324f52014-06-27 18:10:07 +02001046
Dragan Dosen7ad31542015-09-28 17:16:47 +02001047 <format> is the log format used when generating syslog messages. It may be
1048 one of the following :
1049
1050 rfc3164 The RFC3164 syslog message format. This is the default.
1051 (https://tools.ietf.org/html/rfc3164)
1052
1053 rfc5424 The RFC5424 syslog message format.
1054 (https://tools.ietf.org/html/rfc5424)
1055
Emeric Brun54648852020-07-06 15:54:06 +02001056 priority A message containing only a level plus syslog facility between
1057 angle brackets such as '<63>', followed by the text. The PID,
1058 date, time, process name and system name are omitted. This is
1059 designed to be used with a local log server.
1060
Willy Tarreaue8746a02018-11-12 08:45:00 +01001061 short A message containing only a level between angle brackets such as
1062 '<3>', followed by the text. The PID, date, time, process name
1063 and system name are omitted. This is designed to be used with a
1064 local log server. This format is compatible with what the systemd
1065 logger consumes.
1066
Emeric Brun54648852020-07-06 15:54:06 +02001067 timed A message containing only a level between angle brackets such as
1068 '<3>', followed by ISO date and by the text. The PID, process
1069 name and system name are omitted. This is designed to be
1070 used with a local log server.
1071
1072 iso A message containing only the ISO date, followed by the text.
1073 The PID, process name and system name are omitted. This is
1074 designed to be used with a local log server.
1075
Willy Tarreauc1b06452018-11-12 11:57:56 +01001076 raw A message containing only the text. The level, PID, date, time,
1077 process name and system name are omitted. This is designed to be
1078 used in containers or during development, where the severity only
1079 depends on the file descriptor used (stdout/stderr).
1080
Frédéric Lécailled690dfa2019-04-25 10:52:17 +02001081 <ranges> A list of comma-separated ranges to identify the logs to sample.
1082 This is used to balance the load of the logs to send to the log
1083 server. The limits of the ranges cannot be null. They are numbered
1084 from 1. The size or period (in number of logs) of the sample must be
1085 set with <sample_size> parameter.
1086
1087 <sample_size>
1088 The size of the sample in number of logs to consider when balancing
1089 their logging loads. It is used to balance the load of the logs to
1090 send to the syslog server. This size must be greater or equal to the
1091 maximum of the high limits of the ranges.
1092 (see also <ranges> parameter).
1093
Robert Tsai81ae1952007-12-05 10:47:29 +01001094 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +02001095
Willy Tarreaue8746a02018-11-12 08:45:00 +01001096 kern user mail daemon auth syslog lpr news
1097 uucp cron auth2 ftp ntp audit alert cron2
1098 local0 local1 local2 local3 local4 local5 local6 local7
1099
Willy Tarreauc1b06452018-11-12 11:57:56 +01001100 Note that the facility is ignored for the "short" and "raw"
1101 formats, but still required as a positional field. It is
1102 recommended to use "daemon" in this case to make it clear that
1103 it's only supposed to be used locally.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001104
1105 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +02001106 all messages are sent. If a maximum level is specified, only messages with a
1107 severity at least as important as this level will be sent. An optional minimum
1108 level can be specified. If it is set, logs emitted with a more severe level
1109 than this one will be capped to this level. This is used to avoid sending
1110 "emerg" messages on all terminals on some default syslog configurations.
1111 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +02001112
Cyril Bontédc4d9032012-04-08 21:57:39 +02001113 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +02001114
Joe Williamsdf5b38f2010-12-29 17:05:48 +01001115log-send-hostname [<string>]
1116 Sets the hostname field in the syslog header. If optional "string" parameter
1117 is set the header is set to the string contents, otherwise uses the hostname
1118 of the system. Generally used if one is not relaying logs through an
1119 intermediate syslog server or for simply customizing the hostname printed in
1120 the logs.
1121
Kevinm48936af2010-12-22 16:08:21 +00001122log-tag <string>
1123 Sets the tag field in the syslog header to this string. It defaults to the
1124 program name as launched from the command line, which usually is "haproxy".
1125 Sometimes it can be useful to differentiate between multiple processes
Willy Tarreau094af4e2015-01-07 15:03:42 +01001126 running on the same host. See also the per-proxy "log-tag" directive.
Kevinm48936af2010-12-22 16:08:21 +00001127
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001128lua-load <file>
1129 This global directive loads and executes a Lua file. This directive can be
1130 used multiple times.
1131
Tim Duesterhusdd74b5f2020-01-12 13:55:40 +01001132lua-prepend-path <string> [<type>]
1133 Prepends the given string followed by a semicolon to Lua's package.<type>
1134 variable.
1135 <type> must either be "path" or "cpath". If <type> is not given it defaults
1136 to "path".
1137
1138 Lua's paths are semicolon delimited lists of patterns that specify how the
1139 `require` function attempts to find the source file of a library. Question
1140 marks (?) within a pattern will be replaced by module name. The path is
1141 evaluated left to right. This implies that paths that are prepended later
1142 will be checked earlier.
1143
1144 As an example by specifying the following path:
1145
1146 lua-prepend-path /usr/share/haproxy-lua/?/init.lua
1147 lua-prepend-path /usr/share/haproxy-lua/?.lua
1148
1149 When `require "example"` is being called Lua will first attempt to load the
1150 /usr/share/haproxy-lua/example.lua script, if that does not exist the
1151 /usr/share/haproxy-lua/example/init.lua will be attempted and the default
1152 paths if that does not exist either.
1153
1154 See https://www.lua.org/pil/8.1.html for the details within the Lua
1155 documentation.
1156
William Lallemand4cfede82017-11-24 22:02:34 +01001157master-worker [no-exit-on-failure]
William Lallemande202b1e2017-06-01 17:38:56 +02001158 Master-worker mode. It is equivalent to the command line "-W" argument.
1159 This mode will launch a "master" which will monitor the "workers". Using
1160 this mode, you can reload HAProxy directly by sending a SIGUSR2 signal to
Davor Ocelice9ed2812017-12-25 17:49:28 +01001161 the master. The master-worker mode is compatible either with the foreground
William Lallemande202b1e2017-06-01 17:38:56 +02001162 or daemon mode. It is recommended to use this mode with multiprocess and
1163 systemd.
William Lallemand4cfede82017-11-24 22:02:34 +01001164 By default, if a worker exits with a bad return code, in the case of a
1165 segfault for example, all workers will be killed, and the master will leave.
1166 It is convenient to combine this behavior with Restart=on-failure in a
1167 systemd unit file in order to relaunch the whole process. If you don't want
1168 this behavior, you must use the keyword "no-exit-on-failure".
William Lallemande202b1e2017-06-01 17:38:56 +02001169
William Lallemand4cfede82017-11-24 22:02:34 +01001170 See also "-W" in the management guide.
William Lallemande202b1e2017-06-01 17:38:56 +02001171
William Lallemand27edc4b2019-05-07 17:49:33 +02001172mworker-max-reloads <number>
1173 In master-worker mode, this option limits the number of time a worker can
John Roeslerfb2fce12019-07-10 15:45:51 -05001174 survive to a reload. If the worker did not leave after a reload, once its
William Lallemand27edc4b2019-05-07 17:49:33 +02001175 number of reloads is greater than this number, the worker will receive a
1176 SIGTERM. This option helps to keep under control the number of workers.
1177 See also "show proc" in the Management Guide.
1178
Willy Tarreau6a06a402007-07-15 20:15:28 +02001179nbproc <number>
1180 Creates <number> processes when going daemon. This requires the "daemon"
1181 mode. By default, only one process is created, which is the recommended mode
1182 of operation. For systems limited to small sets of file descriptors per
Willy Tarreau149ab772019-01-26 14:27:06 +01001183 process, it may be needed to fork multiple daemons. When set to a value
1184 larger than 1, threads are automatically disabled. USING MULTIPLE PROCESSES
Willy Tarreau1f672a82019-01-26 14:20:55 +01001185 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon" and
1186 "nbthread".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001187
Christopher Fauletbe0faa22017-08-29 15:37:10 +02001188nbthread <number>
1189 This setting is only available when support for threads was built in. It
Willy Tarreau26f6ae12019-02-02 12:56:15 +01001190 makes haproxy run on <number> threads. This is exclusive with "nbproc". While
1191 "nbproc" historically used to be the only way to use multiple processors, it
1192 also involved a number of shortcomings related to the lack of synchronization
1193 between processes (health-checks, peers, stick-tables, stats, ...) which do
1194 not affect threads. As such, any modern configuration is strongly encouraged
Willy Tarreau149ab772019-01-26 14:27:06 +01001195 to migrate away from "nbproc" to "nbthread". "nbthread" also works when
1196 HAProxy is started in foreground. On some platforms supporting CPU affinity,
1197 when nbproc is not used, the default "nbthread" value is automatically set to
1198 the number of CPUs the process is bound to upon startup. This means that the
1199 thread count can easily be adjusted from the calling process using commands
1200 like "taskset" or "cpuset". Otherwise, this value defaults to 1. The default
1201 value is reported in the output of "haproxy -vv". See also "nbproc".
Christopher Fauletbe0faa22017-08-29 15:37:10 +02001202
Willy Tarreau6a06a402007-07-15 20:15:28 +02001203pidfile <pidfile>
MIZUTA Takeshic32f3942020-08-26 13:46:19 +09001204 Writes PIDs of all daemons into file <pidfile> when daemon mode or writes PID
1205 of master process into file <pidfile> when master-worker mode. This option is
1206 equivalent to the "-p" command line argument. The file must be accessible to
1207 the user starting the process. See also "daemon" and "master-worker".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001208
Willy Tarreau119e50e2020-05-22 13:53:29 +02001209pp2-never-send-local
1210 A bug in the PROXY protocol v2 implementation was present in HAProxy up to
1211 version 2.1, causing it to emit a PROXY command instead of a LOCAL command
1212 for health checks. This is particularly minor but confuses some servers'
1213 logs. Sadly, the bug was discovered very late and revealed that some servers
1214 which possibly only tested their PROXY protocol implementation against
1215 HAProxy fail to properly handle the LOCAL command, and permanently remain in
1216 the "down" state when HAProxy checks them. When this happens, it is possible
1217 to enable this global option to revert to the older (bogus) behavior for the
1218 time it takes to contact the affected components' vendors and get them fixed.
1219 This option is disabled by default and acts on all servers having the
1220 "send-proxy-v2" statement.
1221
Willy Tarreau1d549722016-02-16 12:41:57 +01001222presetenv <name> <value>
1223 Sets environment variable <name> to value <value>. If the variable exists, it
1224 is NOT overwritten. The changes immediately take effect so that the next line
1225 in the configuration file sees the new value. See also "setenv", "resetenv",
1226 and "unsetenv".
1227
1228resetenv [<name> ...]
1229 Removes all environment variables except the ones specified in argument. It
1230 allows to use a clean controlled environment before setting new values with
1231 setenv or unsetenv. Please note that some internal functions may make use of
1232 some environment variables, such as time manipulation functions, but also
1233 OpenSSL or even external checks. This must be used with extreme care and only
1234 after complete validation. The changes immediately take effect so that the
1235 next line in the configuration file sees the new environment. See also
1236 "setenv", "presetenv", and "unsetenv".
1237
Christopher Fauletff4121f2017-11-22 16:38:49 +01001238stats bind-process [ all | odd | even | <process_num>[-[process_num>]] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +02001239 Limits the stats socket to a certain set of processes numbers. By default the
1240 stats socket is bound to all processes, causing a warning to be emitted when
1241 nbproc is greater than 1 because there is no way to select the target process
1242 when connecting. However, by using this setting, it becomes possible to pin
1243 the stats socket to a specific set of processes, typically the first one. The
1244 warning will automatically be disabled when this setting is used, whatever
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001245 the number of processes used. The maximum process ID depends on the machine's
Christopher Fauletff4121f2017-11-22 16:38:49 +01001246 word size (32 or 64). Ranges can be partially defined. The higher bound can
1247 be omitted. In such case, it is replaced by the corresponding maximum
1248 value. A better option consists in using the "process" setting of the "stats
1249 socket" line to force the process on each line.
Willy Tarreau35b7b162012-10-22 23:17:18 +02001250
Baptiste Assmann5626f482015-08-23 10:00:10 +02001251server-state-base <directory>
1252 Specifies the directory prefix to be prepended in front of all servers state
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02001253 file names which do not start with a '/'. See also "server-state-file",
1254 "load-server-state-from-file" and "server-state-file-name".
Baptiste Assmannef1f0fc2015-08-23 10:06:39 +02001255
1256server-state-file <file>
1257 Specifies the path to the file containing state of servers. If the path starts
1258 with a slash ('/'), it is considered absolute, otherwise it is considered
1259 relative to the directory specified using "server-state-base" (if set) or to
1260 the current directory. Before reloading HAProxy, it is possible to save the
1261 servers' current state using the stats command "show servers state". The
1262 output of this command must be written in the file pointed by <file>. When
1263 starting up, before handling traffic, HAProxy will read, load and apply state
1264 for each server found in the file and available in its current running
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02001265 configuration. See also "server-state-base" and "show servers state",
1266 "load-server-state-from-file" and "server-state-file-name"
Baptiste Assmann5626f482015-08-23 10:00:10 +02001267
Willy Tarreau1d549722016-02-16 12:41:57 +01001268setenv <name> <value>
1269 Sets environment variable <name> to value <value>. If the variable exists, it
1270 is overwritten. The changes immediately take effect so that the next line in
1271 the configuration file sees the new value. See also "presetenv", "resetenv",
1272 and "unsetenv".
1273
Willy Tarreau636848a2019-04-15 19:38:50 +02001274set-dumpable
1275 This option is better left disabled by default and enabled only upon a
William Dauchyec730982019-10-27 20:08:10 +01001276 developer's request. If it has been enabled, it may still be forcibly
1277 disabled by prefixing it with the "no" keyword. It has no impact on
1278 performance nor stability but will try hard to re-enable core dumps that were
1279 possibly disabled by file size limitations (ulimit -f), core size limitations
1280 (ulimit -c), or "dumpability" of a process after changing its UID/GID (such
1281 as /proc/sys/fs/suid_dumpable on Linux). Core dumps might still be limited by
1282 the current directory's permissions (check what directory the file is started
1283 from), the chroot directory's permission (it may be needed to temporarily
1284 disable the chroot directive or to move it to a dedicated writable location),
1285 or any other system-specific constraint. For example, some Linux flavours are
1286 notorious for replacing the default core file with a path to an executable
1287 not even installed on the system (check /proc/sys/kernel/core_pattern). Often,
1288 simply writing "core", "core.%p" or "/var/log/core/core.%p" addresses the
1289 issue. When trying to enable this option waiting for a rare issue to
1290 re-appear, it's often a good idea to first try to obtain such a dump by
1291 issuing, for example, "kill -11" to the haproxy process and verify that it
1292 leaves a core where expected when dying.
Willy Tarreau636848a2019-04-15 19:38:50 +02001293
Willy Tarreau610f04b2014-02-13 11:36:41 +01001294ssl-default-bind-ciphers <ciphers>
1295 This setting is only available when support for OpenSSL was built in. It sets
1296 the default string describing the list of cipher algorithms ("cipher suite")
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +00001297 that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001298 "bind" lines which do not explicitly define theirs. The format of the string
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001299 is defined in "man 1 ciphers" from OpenSSL man pages. For background
1300 information and recommendations see e.g.
1301 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
1302 (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
1303 cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
1304 Please check the "bind" keyword for more information.
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001305
1306ssl-default-bind-ciphersuites <ciphersuites>
1307 This setting is only available when support for OpenSSL was built in and
1308 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
1309 describing the list of cipher algorithms ("cipher suite") that are negotiated
1310 during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
1311 theirs. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001312 "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1313 cipher configuration for TLSv1.2 and earlier, please check the
1314 "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001315 information.
Willy Tarreau610f04b2014-02-13 11:36:41 +01001316
Jerome Magninb203ff62020-04-03 15:28:22 +02001317ssl-default-bind-curves <curves>
1318 This setting is only available when support for OpenSSL was built in. It sets
1319 the default string describing the list of elliptic curves algorithms ("curve
1320 suite") that are negotiated during the SSL/TLS handshake with ECDHE. The format
1321 of the string is a colon-delimited list of curve name.
1322 Please check the "bind" keyword for more information.
1323
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001324ssl-default-bind-options [<option>]...
1325 This setting is only available when support for OpenSSL was built in. It sets
1326 default ssl-options to force on all "bind" lines. Please check the "bind"
1327 keyword to see available options.
1328
1329 Example:
1330 global
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +02001331 ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001332
Willy Tarreau610f04b2014-02-13 11:36:41 +01001333ssl-default-server-ciphers <ciphers>
1334 This setting is only available when support for OpenSSL was built in. It
1335 sets the default string describing the list of cipher algorithms that are
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +00001336 negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001337 for all "server" lines which do not explicitly define theirs. The format of
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001338 the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
1339 information and recommendations see e.g.
1340 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
1341 (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
1342 For TLSv1.3 cipher configuration, please check the
1343 "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
1344 for more information.
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001345
1346ssl-default-server-ciphersuites <ciphersuites>
1347 This setting is only available when support for OpenSSL was built in and
1348 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
1349 string describing the list of cipher algorithms that are negotiated during
1350 the TLSv1.3 handshake with the server, for all "server" lines which do not
1351 explicitly define theirs. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001352 "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1353 cipher configuration for TLSv1.2 and earlier, please check the
1354 "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
1355 more information.
Willy Tarreau610f04b2014-02-13 11:36:41 +01001356
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001357ssl-default-server-options [<option>]...
1358 This setting is only available when support for OpenSSL was built in. It sets
1359 default ssl-options to force on all "server" lines. Please check the "server"
1360 keyword to see available options.
1361
Remi Gacogne47783ef2015-05-29 15:53:22 +02001362ssl-dh-param-file <file>
1363 This setting is only available when support for OpenSSL was built in. It sets
1364 the default DH parameters that are used during the SSL/TLS handshake when
1365 ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
Davor Ocelice9ed2812017-12-25 17:49:28 +01001366 which do not explicitly define theirs. It will be overridden by custom DH
Remi Gacogne47783ef2015-05-29 15:53:22 +02001367 parameters found in a bind certificate file if any. If custom DH parameters
Cyril Bonté307ee1e2015-09-28 23:16:06 +02001368 are not specified either by using ssl-dh-param-file or by setting them
1369 directly in the certificate file, pre-generated DH parameters of the size
1370 specified by tune.ssl.default-dh-param will be used. Custom parameters are
1371 known to be more secure and therefore their use is recommended.
Remi Gacogne47783ef2015-05-29 15:53:22 +02001372 Custom DH parameters may be generated by using the OpenSSL command
1373 "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
1374 parameters should not be considered secure anymore.
1375
William Lallemand4c5adbf2020-02-24 14:23:22 +01001376ssl-load-extra-files <none|all|bundle|sctl|ocsp|issuer|key>*
William Lallemand3af48e72020-02-03 17:15:52 +01001377 This setting alters the way HAProxy will look for unspecified files during
Jerome Magnin587be9c2020-09-07 11:55:57 +02001378 the loading of the SSL certificates associated to "bind" lines. It does not
1379 apply to certificates used for client authentication on "server" lines.
William Lallemand3af48e72020-02-03 17:15:52 +01001380
1381 By default, HAProxy discovers automatically a lot of files not specified in
1382 the configuration, and you may want to disable this behavior if you want to
1383 optimize the startup time.
1384
1385 "none": Only load the files specified in the configuration. Don't try to load
1386 a certificate bundle if the file does not exist. In the case of a directory,
1387 it won't try to bundle the certificates if they have the same basename.
1388
1389 "all": This is the default behavior, it will try to load everything,
William Lallemand4c5adbf2020-02-24 14:23:22 +01001390 bundles, sctl, ocsp, issuer, key.
William Lallemand3af48e72020-02-03 17:15:52 +01001391
1392 "bundle": When a file specified in the configuration does not exist, HAProxy
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001393 will try to load a "cert bundle".
1394
1395 Starting from HAProxy 2.3, the bundles are not loaded in the same OpenSSL
1396 certificate store, instead it will loads each certificate in a separate
1397 store which is equivalent to declaring multiple "crt". OpenSSL 1.1.1 is
1398 required to achieve this. Which means that bundles are now used only for
1399 backward compatibility and are not mandatory anymore to do an hybrid RSA/ECC
1400 bind configuration..
1401
1402 To associate these PEM files into a "cert bundle" that is recognized by
1403 haproxy, they must be named in the following way: All PEM files that are to
1404 be bundled must have the same base name, with a suffix indicating the key
1405 type. Currently, three suffixes are supported: rsa, dsa and ecdsa. For
1406 example, if www.example.com has two PEM files, an RSA file and an ECDSA
1407 file, they must be named: "example.pem.rsa" and "example.pem.ecdsa". The
1408 first part of the filename is arbitrary; only the suffix matters. To load
1409 this bundle into haproxy, specify the base name only:
1410
1411 Example : bind :8443 ssl crt example.pem
1412
1413 Note that the suffix is not given to haproxy; this tells haproxy to look for
1414 a cert bundle.
1415
1416 HAProxy will load all PEM files in the bundle as if they were configured
1417 separately in several "crt".
1418
1419 The bundle loading does not have an impact anymore on the directory loading
1420 since files are loading separately.
1421
1422 On the CLI, bundles are seen as separate files, and the bundle extension is
1423 required to commit them.
1424
William Dauchy57dd6f12020-10-06 15:22:37 +02001425 OCSP files (.ocsp), issuer files (.issuer), Certificate Transparency (.sctl)
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001426 as well as private keys (.key) are supported with multi-cert bundling.
William Lallemand3af48e72020-02-03 17:15:52 +01001427
1428 "sctl": Try to load "<basename>.sctl" for each crt keyword.
1429
1430 "ocsp": Try to load "<basename>.ocsp" for each crt keyword.
1431
1432 "issuer": Try to load "<basename>.issuer" if the issuer of the OCSP file is
1433 not provided in the PEM file.
1434
William Lallemand4c5adbf2020-02-24 14:23:22 +01001435 "key": If the private key was not provided by the PEM file, try to load a
1436 file "<basename>.key" containing a private key.
1437
William Lallemand3af48e72020-02-03 17:15:52 +01001438 The default behavior is "all".
1439
1440 Example:
1441 ssl-load-extra-files bundle sctl
1442 ssl-load-extra-files sctl ocsp issuer
1443 ssl-load-extra-files none
1444
1445 See also: "crt", section 5.1 about bind options.
1446
Emeric Brun850efd52014-01-29 12:24:34 +01001447ssl-server-verify [none|required]
1448 The default behavior for SSL verify on servers side. If specified to 'none',
1449 servers certificates are not verified. The default is 'required' except if
1450 forced using cmdline option '-dV'.
1451
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +02001452ssl-skip-self-issued-ca
Daniel Corbett67a82712020-07-06 23:01:19 -04001453 Self issued CA, aka x509 root CA, is the anchor for chain validation: as a
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +02001454 server is useless to send it, client must have it. Standard configuration
1455 need to not include such CA in PEM file. This option allows you to keep such
1456 CA in PEM file without sending it to the client. Use case is to provide
1457 issuer for ocsp without the need for '.issuer' file and be able to share it
1458 with 'issuers-chain-path'. This concerns all certificates without intermediate
1459 certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
William Lallemand9a1d8392020-08-10 17:28:23 +02001460 bits does not need it. Requires at least OpenSSL 1.0.2.
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +02001461
Willy Tarreauabb175f2012-09-24 12:43:26 +02001462stats socket [<address:port>|<path>] [param*]
1463 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
1464 Connections to this socket will return various statistics outputs and even
1465 allow some commands to be issued to change some runtime settings. Please
Willy Tarreau1af20c72017-06-23 16:01:14 +02001466 consult section 9.3 "Unix Socket commands" of Management Guide for more
Kevin Decherf949c7202015-10-13 23:26:44 +02001467 details.
Willy Tarreau6162db22009-10-10 17:13:00 +02001468
Willy Tarreauabb175f2012-09-24 12:43:26 +02001469 All parameters supported by "bind" lines are supported, for instance to
1470 restrict access to some users or their access rights. Please consult
1471 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +02001472
1473stats timeout <timeout, in milliseconds>
1474 The default timeout on the stats socket is set to 10 seconds. It is possible
1475 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +01001476 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +02001477
1478stats maxconn <connections>
1479 By default, the stats socket is limited to 10 concurrent connections. It is
1480 possible to change this value with "stats maxconn".
1481
Willy Tarreau6a06a402007-07-15 20:15:28 +02001482uid <number>
1483 Changes the process' user ID to <number>. It is recommended that the user ID
1484 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
1485 be started with superuser privileges in order to be able to switch to another
1486 one. See also "gid" and "user".
1487
1488ulimit-n <number>
1489 Sets the maximum number of per-process file-descriptors to <number>. By
1490 default, it is automatically computed, so it is recommended not to use this
1491 option.
1492
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001493unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
1494 [ group <group> ] [ gid <gid> ]
1495
1496 Fixes common settings to UNIX listening sockets declared in "bind" statements.
1497 This is mainly used to simplify declaration of those UNIX sockets and reduce
1498 the risk of errors, since those settings are most commonly required but are
1499 also process-specific. The <prefix> setting can be used to force all socket
1500 path to be relative to that directory. This might be needed to access another
1501 component's chroot. Note that those paths are resolved before haproxy chroots
1502 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
1503 all have the same meaning as their homonyms used by the "bind" statement. If
1504 both are specified, the "bind" statement has priority, meaning that the
1505 "unix-bind" settings may be seen as process-wide default settings.
1506
Willy Tarreau1d549722016-02-16 12:41:57 +01001507unsetenv [<name> ...]
1508 Removes environment variables specified in arguments. This can be useful to
1509 hide some sensitive information that are occasionally inherited from the
1510 user's environment during some operations. Variables which did not exist are
1511 silently ignored so that after the operation, it is certain that none of
1512 these variables remain. The changes immediately take effect so that the next
1513 line in the configuration file will not see these variables. See also
1514 "setenv", "presetenv", and "resetenv".
1515
Willy Tarreau6a06a402007-07-15 20:15:28 +02001516user <user name>
1517 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
1518 See also "uid" and "group".
1519
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02001520node <name>
1521 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
1522
1523 This statement is useful in HA configurations where two or more processes or
1524 servers share the same IP address. By setting a different node-name on all
1525 nodes, it becomes easy to immediately spot what server is handling the
1526 traffic.
1527
1528description <text>
1529 Add a text that describes the instance.
1530
1531 Please note that it is required to escape certain characters (# for example)
1532 and this text is inserted into a html page so you should avoid using
1533 "<" and ">" characters.
1534
Thomas Holmesdb04f192015-05-18 13:21:39 +0100153551degrees-data-file <file path>
1536 The path of the 51Degrees data file to provide device detection services. The
Davor Ocelice9ed2812017-12-25 17:49:28 +01001537 file should be unzipped and accessible by HAProxy with relevant permissions.
Thomas Holmesdb04f192015-05-18 13:21:39 +01001538
Dragan Dosenae6d39a2015-06-29 16:43:27 +02001539 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01001540 compiled with USE_51DEGREES.
1541
Ben Shillitof25e8e52016-12-02 14:25:37 +0000154251degrees-property-name-list [<string> ...]
Thomas Holmesdb04f192015-05-18 13:21:39 +01001543 A list of 51Degrees property names to be load from the dataset. A full list
1544 of names is available on the 51Degrees website:
1545 https://51degrees.com/resources/property-dictionary
1546
Dragan Dosenae6d39a2015-06-29 16:43:27 +02001547 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01001548 compiled with USE_51DEGREES.
1549
Dragan Dosen93b38d92015-06-29 16:43:25 +0200155051degrees-property-separator <char>
Thomas Holmesdb04f192015-05-18 13:21:39 +01001551 A char that will be appended to every property value in a response header
1552 containing 51Degrees results. If not set that will be set as ','.
1553
Dragan Dosenae6d39a2015-06-29 16:43:27 +02001554 Please note that this option is only available when haproxy has been
1555 compiled with USE_51DEGREES.
1556
155751degrees-cache-size <number>
1558 Sets the size of the 51Degrees converter cache to <number> entries. This
1559 is an LRU cache which reminds previous device detections and their results.
1560 By default, this cache is disabled.
1561
1562 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01001563 compiled with USE_51DEGREES.
1564
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001565wurfl-data-file <file path>
1566 The path of the WURFL data file to provide device detection services. The
1567 file should be accessible by HAProxy with relevant permissions.
1568
1569 Please note that this option is only available when haproxy has been compiled
1570 with USE_WURFL=1.
1571
1572wurfl-information-list [<capability>]*
1573 A space-delimited list of WURFL capabilities, virtual capabilities, property
1574 names we plan to use in injected headers. A full list of capability and
1575 virtual capability names is available on the Scientiamobile website :
1576
1577 https://www.scientiamobile.com/wurflCapability
1578
1579 Valid WURFL properties are:
1580 - wurfl_id Contains the device ID of the matched device.
1581
1582 - wurfl_root_id Contains the device root ID of the matched
1583 device.
1584
1585 - wurfl_isdevroot Tells if the matched device is a root device.
1586 Possible values are "TRUE" or "FALSE".
1587
1588 - wurfl_useragent The original useragent coming with this
1589 particular web request.
1590
1591 - wurfl_api_version Contains a string representing the currently
1592 used Libwurfl API version.
1593
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001594 - wurfl_info A string containing information on the parsed
1595 wurfl.xml and its full path.
1596
1597 - wurfl_last_load_time Contains the UNIX timestamp of the last time
1598 WURFL has been loaded successfully.
1599
1600 - wurfl_normalized_useragent The normalized useragent.
1601
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001602 Please note that this option is only available when haproxy has been compiled
1603 with USE_WURFL=1.
1604
1605wurfl-information-list-separator <char>
1606 A char that will be used to separate values in a response header containing
1607 WURFL results. If not set that a comma (',') will be used by default.
1608
1609 Please note that this option is only available when haproxy has been compiled
1610 with USE_WURFL=1.
1611
1612wurfl-patch-file [<file path>]
1613 A list of WURFL patch file paths. Note that patches are loaded during startup
1614 thus before the chroot.
1615
1616 Please note that this option is only available when haproxy has been compiled
1617 with USE_WURFL=1.
1618
paulborilebad132c2019-04-18 11:57:04 +02001619wurfl-cache-size <size>
1620 Sets the WURFL Useragent cache size. For faster lookups, already processed user
1621 agents are kept in a LRU cache :
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001622 - "0" : no cache is used.
paulborilebad132c2019-04-18 11:57:04 +02001623 - <size> : size of lru cache in elements.
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001624
1625 Please note that this option is only available when haproxy has been compiled
1626 with USE_WURFL=1.
1627
William Dauchy0fec3ab2019-10-27 20:08:11 +01001628strict-limits
William Dauchya5194602020-03-28 19:29:58 +01001629 Makes process fail at startup when a setrlimit fails. Haproxy tries to set the
1630 best setrlimit according to what has been calculated. If it fails, it will
1631 emit a warning. This option is here to guarantee an explicit failure of
1632 haproxy when those limits fail. It is enabled by default. It may still be
1633 forcibly disabled by prefixing it with the "no" keyword.
William Dauchy0fec3ab2019-10-27 20:08:11 +01001634
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016353.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +02001636-----------------------
1637
Willy Tarreaubeb859a2018-11-22 18:07:59 +01001638busy-polling
1639 In some situations, especially when dealing with low latency on processors
1640 supporting a variable frequency or when running inside virtual machines, each
1641 time the process waits for an I/O using the poller, the processor goes back
1642 to sleep or is offered to another VM for a long time, and it causes
1643 excessively high latencies. This option provides a solution preventing the
1644 processor from sleeping by always using a null timeout on the pollers. This
1645 results in a significant latency reduction (30 to 100 microseconds observed)
1646 at the expense of a risk to overheat the processor. It may even be used with
1647 threads, in which case improperly bound threads may heavily conflict,
1648 resulting in a worse performance and high values for the CPU stolen fields
1649 in "show info" output, indicating which threads are misconfigured. It is
1650 important not to let the process run on the same processor as the network
1651 interrupts when this option is used. It is also better to avoid using it on
1652 multiple CPU threads sharing the same core. This option is disabled by
1653 default. If it has been enabled, it may still be forcibly disabled by
1654 prefixing it with the "no" keyword. It is ignored by the "select" and
1655 "poll" pollers.
1656
William Dauchy3894d972019-12-28 15:36:02 +01001657 This option is automatically disabled on old processes in the context of
1658 seamless reload; it avoids too much cpu conflicts when multiple processes
1659 stay around for some time waiting for the end of their current connections.
1660
Willy Tarreau1746eec2014-04-25 10:46:47 +02001661max-spread-checks <delay in milliseconds>
1662 By default, haproxy tries to spread the start of health checks across the
1663 smallest health check interval of all the servers in a farm. The principle is
1664 to avoid hammering services running on the same server. But when using large
1665 check intervals (10 seconds or more), the last servers in the farm take some
1666 time before starting to be tested, which can be a problem. This parameter is
1667 used to enforce an upper bound on delay between the first and the last check,
1668 even if the servers' check intervals are larger. When servers run with
1669 shorter intervals, their intervals will be respected though.
1670
Willy Tarreau6a06a402007-07-15 20:15:28 +02001671maxconn <number>
1672 Sets the maximum per-process number of concurrent connections to <number>. It
1673 is equivalent to the command-line argument "-n". Proxies will stop accepting
1674 connections when this limit is reached. The "ulimit-n" parameter is
Willy Tarreau8274e102014-06-19 15:31:25 +02001675 automatically adjusted according to this value. See also "ulimit-n". Note:
1676 the "select" poller cannot reliably use more than 1024 file descriptors on
1677 some platforms. If your platform only supports select and reports "select
1678 FAILED" on startup, you need to reduce maxconn until it works (slightly
Willy Tarreaub28f3442019-03-04 08:13:43 +01001679 below 500 in general). If this value is not set, it will automatically be
1680 calculated based on the current file descriptors limit reported by the
1681 "ulimit -n" command, possibly reduced to a lower value if a memory limit
1682 is enforced, based on the buffer size, memory allocated to compression, SSL
1683 cache size, and use or not of SSL and the associated maxsslconn (which can
1684 also be automatic).
Willy Tarreau6a06a402007-07-15 20:15:28 +02001685
Willy Tarreau81c25d02011-09-07 15:17:21 +02001686maxconnrate <number>
1687 Sets the maximum per-process number of connections per second to <number>.
1688 Proxies will stop accepting connections when this limit is reached. It can be
1689 used to limit the global capacity regardless of each frontend capacity. It is
1690 important to note that this can only be used as a service protection measure,
1691 as there will not necessarily be a fair share between frontends when the
1692 limit is reached, so it's a good idea to also limit each frontend to some
1693 value close to its expected share. Also, lowering tune.maxaccept can improve
1694 fairness.
1695
William Lallemandd85f9172012-11-09 17:05:39 +01001696maxcomprate <number>
1697 Sets the maximum per-process input compression rate to <number> kilobytes
Davor Ocelice9ed2812017-12-25 17:49:28 +01001698 per second. For each session, if the maximum is reached, the compression
William Lallemandd85f9172012-11-09 17:05:39 +01001699 level will be decreased during the session. If the maximum is reached at the
1700 beginning of a session, the session will not compress at all. If the maximum
1701 is not reached, the compression level will be increased up to
Davor Ocelice9ed2812017-12-25 17:49:28 +01001702 tune.comp.maxlevel. A value of zero means there is no limit, this is the
William Lallemandd85f9172012-11-09 17:05:39 +01001703 default value.
1704
William Lallemand072a2bf2012-11-20 17:01:01 +01001705maxcompcpuusage <number>
1706 Sets the maximum CPU usage HAProxy can reach before stopping the compression
1707 for new requests or decreasing the compression level of current requests.
1708 It works like 'maxcomprate' but measures CPU usage instead of incoming data
1709 bandwidth. The value is expressed in percent of the CPU used by haproxy. In
1710 case of multiple processes (nbproc > 1), each process manages its individual
1711 usage. A value of 100 disable the limit. The default value is 100. Setting
1712 a lower value will prevent the compression work from slowing the whole
1713 process down and from introducing high latencies.
1714
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001715maxpipes <number>
1716 Sets the maximum per-process number of pipes to <number>. Currently, pipes
1717 are only used by kernel-based tcp splicing. Since a pipe contains two file
1718 descriptors, the "ulimit-n" value will be increased accordingly. The default
1719 value is maxconn/4, which seems to be more than enough for most heavy usages.
1720 The splice code dynamically allocates and releases pipes, and can fall back
1721 to standard copy, so setting this value too low may only impact performance.
1722
Willy Tarreau93e7c002013-10-07 18:51:07 +02001723maxsessrate <number>
1724 Sets the maximum per-process number of sessions per second to <number>.
1725 Proxies will stop accepting connections when this limit is reached. It can be
1726 used to limit the global capacity regardless of each frontend capacity. It is
1727 important to note that this can only be used as a service protection measure,
1728 as there will not necessarily be a fair share between frontends when the
1729 limit is reached, so it's a good idea to also limit each frontend to some
1730 value close to its expected share. Also, lowering tune.maxaccept can improve
1731 fairness.
1732
Willy Tarreau403edff2012-09-06 11:58:37 +02001733maxsslconn <number>
1734 Sets the maximum per-process number of concurrent SSL connections to
1735 <number>. By default there is no SSL-specific limit, which means that the
1736 global maxconn setting will apply to all connections. Setting this limit
1737 avoids having openssl use too much memory and crash when malloc returns NULL
1738 (since it unfortunately does not reliably check for such conditions). Note
1739 that the limit applies both to incoming and outgoing connections, so one
1740 connection which is deciphered then ciphered accounts for 2 SSL connections.
Willy Tarreaud0256482015-01-15 21:45:22 +01001741 If this value is not set, but a memory limit is enforced, this value will be
1742 automatically computed based on the memory limit, maxconn, the buffer size,
1743 memory allocated to compression, SSL cache size, and use of SSL in either
1744 frontends, backends or both. If neither maxconn nor maxsslconn are specified
1745 when there is a memory limit, haproxy will automatically adjust these values
1746 so that 100% of the connections can be made over SSL with no risk, and will
1747 consider the sides where it is enabled (frontend, backend, both).
Willy Tarreau403edff2012-09-06 11:58:37 +02001748
Willy Tarreaue43d5322013-10-07 20:01:52 +02001749maxsslrate <number>
1750 Sets the maximum per-process number of SSL sessions per second to <number>.
1751 SSL listeners will stop accepting connections when this limit is reached. It
1752 can be used to limit the global SSL CPU usage regardless of each frontend
1753 capacity. It is important to note that this can only be used as a service
1754 protection measure, as there will not necessarily be a fair share between
1755 frontends when the limit is reached, so it's a good idea to also limit each
1756 frontend to some value close to its expected share. It is also important to
1757 note that the sessions are accounted before they enter the SSL stack and not
1758 after, which also protects the stack against bad handshakes. Also, lowering
1759 tune.maxaccept can improve fairness.
1760
William Lallemand9d5f5482012-11-07 16:12:57 +01001761maxzlibmem <number>
1762 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
1763 When the maximum amount is reached, future sessions will not compress as long
1764 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +01001765 The default value is 0. The value is available in bytes on the UNIX socket
1766 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
1767 "ZlibMemUsage" in bytes.
1768
Willy Tarreau6a06a402007-07-15 20:15:28 +02001769noepoll
1770 Disables the use of the "epoll" event polling system on Linux. It is
1771 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +01001772 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001773
1774nokqueue
1775 Disables the use of the "kqueue" event polling system on BSD. It is
1776 equivalent to the command-line argument "-dk". The next polling system
1777 used will generally be "poll". See also "nopoll".
1778
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +00001779noevports
1780 Disables the use of the event ports event polling system on SunOS systems
1781 derived from Solaris 10 and later. It is equivalent to the command-line
1782 argument "-dv". The next polling system used will generally be "poll". See
1783 also "nopoll".
1784
Willy Tarreau6a06a402007-07-15 20:15:28 +02001785nopoll
1786 Disables the use of the "poll" event polling system. It is equivalent to the
1787 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001788 It should never be needed to disable "poll" since it's available on all
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +00001789 platforms supported by HAProxy. See also "nokqueue", "noepoll" and
1790 "noevports".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001791
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001792nosplice
1793 Disables the use of kernel tcp splicing between sockets on Linux. It is
Davor Ocelice9ed2812017-12-25 17:49:28 +01001794 equivalent to the command line argument "-dS". Data will then be copied
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001795 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001796 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001797 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
1798 be used. This option makes it easier to globally disable kernel splicing in
1799 case of doubt. See also "option splice-auto", "option splice-request" and
1800 "option splice-response".
1801
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001802nogetaddrinfo
1803 Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
1804 the command line argument "-dG". Deprecated gethostbyname(3) will be used.
1805
Lukas Tribusa0bcbdc2016-09-12 21:42:20 +00001806noreuseport
1807 Disables the use of SO_REUSEPORT - see socket(7). It is equivalent to the
1808 command line argument "-dR".
1809
Willy Tarreaud2d33482019-04-25 17:09:07 +02001810profiling.tasks { auto | on | off }
1811 Enables ('on') or disables ('off') per-task CPU profiling. When set to 'auto'
1812 the profiling automatically turns on a thread when it starts to suffer from
1813 an average latency of 1000 microseconds or higher as reported in the
1814 "avg_loop_us" activity field, and automatically turns off when the latency
John Roeslerfb2fce12019-07-10 15:45:51 -05001815 returns below 990 microseconds (this value is an average over the last 1024
Willy Tarreaud2d33482019-04-25 17:09:07 +02001816 loops so it does not vary quickly and tends to significantly smooth short
1817 spikes). It may also spontaneously trigger from time to time on overloaded
1818 systems, containers, or virtual machines, or when the system swaps (which
1819 must absolutely never happen on a load balancer).
1820
1821 CPU profiling per task can be very convenient to report where the time is
1822 spent and which requests have what effect on which other request. Enabling
1823 it will typically affect the overall's performance by less than 1%, thus it
1824 is recommended to leave it to the default 'auto' value so that it only
1825 operates when a problem is identified. This feature requires a system
Willy Tarreau75c62c22018-11-22 11:02:09 +01001826 supporting the clock_gettime(2) syscall with clock identifiers
1827 CLOCK_MONOTONIC and CLOCK_THREAD_CPUTIME_ID, otherwise the reported time will
1828 be zero. This option may be changed at run time using "set profiling" on the
1829 CLI.
1830
Willy Tarreaufe255b72007-10-14 23:09:26 +02001831spread-checks <0..50, in percent>
Simon Hormand60d6912013-11-25 10:46:36 +09001832 Sometimes it is desirable to avoid sending agent and health checks to
1833 servers at exact intervals, for instance when many logical servers are
1834 located on the same physical server. With the help of this parameter, it
1835 becomes possible to add some randomness in the check interval between 0
1836 and +/- 50%. A value between 2 and 5 seems to show good results. The
1837 default value remains at 0.
Willy Tarreaufe255b72007-10-14 23:09:26 +02001838
Davor Ocelice9ed2812017-12-25 17:49:28 +01001839ssl-engine <name> [algo <comma-separated list of algorithms>]
Grant Zhang872f9c22017-01-21 01:10:18 +00001840 Sets the OpenSSL engine to <name>. List of valid values for <name> may be
Davor Ocelice9ed2812017-12-25 17:49:28 +01001841 obtained using the command "openssl engine". This statement may be used
Grant Zhang872f9c22017-01-21 01:10:18 +00001842 multiple times, it will simply enable multiple crypto engines. Referencing an
1843 unsupported engine will prevent haproxy from starting. Note that many engines
1844 will lead to lower HTTPS performance than pure software with recent
1845 processors. The optional command "algo" sets the default algorithms an ENGINE
1846 will supply using the OPENSSL function ENGINE_set_default_string(). A value
Davor Ocelice9ed2812017-12-25 17:49:28 +01001847 of "ALL" uses the engine for all cryptographic operations. If no list of
1848 algo is specified then the value of "ALL" is used. A comma-separated list
Grant Zhang872f9c22017-01-21 01:10:18 +00001849 of different algorithms may be specified, including: RSA, DSA, DH, EC, RAND,
1850 CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. This is the same format that
1851 openssl configuration file uses:
1852 https://www.openssl.org/docs/man1.0.2/apps/config.html
1853
Grant Zhangfa6c7ee2017-01-14 01:42:15 +00001854ssl-mode-async
1855 Adds SSL_MODE_ASYNC mode to the SSL context. This enables asynchronous TLS
Emeric Brun3854e012017-05-17 20:42:48 +02001856 I/O operations if asynchronous capable SSL engines are used. The current
Emeric Brunb5e42a82017-06-06 12:35:14 +00001857 implementation supports a maximum of 32 engines. The Openssl ASYNC API
1858 doesn't support moving read/write buffers and is not compliant with
1859 haproxy's buffer management. So the asynchronous mode is disabled on
John Roeslerfb2fce12019-07-10 15:45:51 -05001860 read/write operations (it is only enabled during initial and renegotiation
Emeric Brunb5e42a82017-06-06 12:35:14 +00001861 handshakes).
Grant Zhangfa6c7ee2017-01-14 01:42:15 +00001862
Willy Tarreau33cb0652014-12-23 22:52:37 +01001863tune.buffers.limit <number>
1864 Sets a hard limit on the number of buffers which may be allocated per process.
1865 The default value is zero which means unlimited. The minimum non-zero value
1866 will always be greater than "tune.buffers.reserve" and should ideally always
1867 be about twice as large. Forcing this value can be particularly useful to
1868 limit the amount of memory a process may take, while retaining a sane
Davor Ocelice9ed2812017-12-25 17:49:28 +01001869 behavior. When this limit is reached, sessions which need a buffer wait for
Willy Tarreau33cb0652014-12-23 22:52:37 +01001870 another one to be released by another session. Since buffers are dynamically
1871 allocated and released, the waiting time is very short and not perceptible
1872 provided that limits remain reasonable. In fact sometimes reducing the limit
1873 may even increase performance by increasing the CPU cache's efficiency. Tests
1874 have shown good results on average HTTP traffic with a limit to 1/10 of the
1875 expected global maxconn setting, which also significantly reduces memory
1876 usage. The memory savings come from the fact that a number of connections
1877 will not allocate 2*tune.bufsize. It is best not to touch this value unless
1878 advised to do so by an haproxy core developer.
1879
Willy Tarreau1058ae72014-12-23 22:40:40 +01001880tune.buffers.reserve <number>
1881 Sets the number of buffers which are pre-allocated and reserved for use only
1882 during memory shortage conditions resulting in failed memory allocations. The
1883 minimum value is 2 and is also the default. There is no reason a user would
1884 want to change this value, it's mostly aimed at haproxy core developers.
1885
Willy Tarreau27a674e2009-08-17 07:23:33 +02001886tune.bufsize <number>
1887 Sets the buffer size to this size (in bytes). Lower values allow more
1888 sessions to coexist in the same amount of RAM, and higher values allow some
1889 applications with very large cookies to work. The default value is 16384 and
1890 can be changed at build time. It is strongly recommended not to change this
1891 from the default value, as very low values will break some services such as
1892 statistics, and values larger than default size will increase memory usage,
1893 possibly causing the system to run out of memory. At least the global maxconn
Willy Tarreau45a66cc2017-11-24 11:28:00 +01001894 parameter should be decreased by the same factor as this one is increased. In
1895 addition, use of HTTP/2 mandates that this value must be 16384 or more. If an
1896 HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04001897 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
Willy Tarreauc77d3642018-12-12 06:19:42 +01001898 than this size, haproxy will return HTTP 502 (Bad Gateway). Note that the
1899 value set using this parameter will automatically be rounded up to the next
1900 multiple of 8 on 32-bit machines and 16 on 64-bit machines.
Willy Tarreau27a674e2009-08-17 07:23:33 +02001901
Willy Tarreau43961d52010-10-04 20:39:20 +02001902tune.chksize <number>
1903 Sets the check buffer size to this size (in bytes). Higher values may help
1904 find string or regex patterns in very large pages, though doing so may imply
1905 more memory and CPU usage. The default value is 16384 and can be changed at
1906 build time. It is not recommended to change this value, but to use better
1907 checks whenever possible.
1908
William Lallemandf3747832012-11-09 12:33:10 +01001909tune.comp.maxlevel <number>
1910 Sets the maximum compression level. The compression level affects CPU
1911 usage during compression. This value affects CPU usage during compression.
1912 Each session using compression initializes the compression algorithm with
1913 this value. The default value is 1.
1914
Willy Tarreauc299e1e2019-02-27 11:35:12 +01001915tune.fail-alloc
1916 If compiled with DEBUG_FAIL_ALLOC, gives the percentage of chances an
1917 allocation attempt fails. Must be between 0 (no failure) and 100 (no
1918 success). This is useful to debug and make sure memory failures are handled
1919 gracefully.
1920
Willy Tarreaubc52bec2020-06-18 08:58:47 +02001921tune.fd.edge-triggered { on | off } [ EXPERIMENTAL ]
1922 Enables ('on') or disables ('off') the edge-triggered polling mode for FDs
1923 that support it. This is currently only support with epoll. It may noticeably
1924 reduce the number of epoll_ctl() calls and slightly improve performance in
1925 certain scenarios. This is still experimental, it may result in frozen
1926 connections if bugs are still present, and is disabled by default.
1927
Willy Tarreaufe20e5b2017-07-27 11:42:14 +02001928tune.h2.header-table-size <number>
1929 Sets the HTTP/2 dynamic header table size. It defaults to 4096 bytes and
1930 cannot be larger than 65536 bytes. A larger value may help certain clients
1931 send more compact requests, depending on their capabilities. This amount of
1932 memory is consumed for each HTTP/2 connection. It is recommended not to
1933 change it.
1934
Willy Tarreaue6baec02017-07-27 11:45:11 +02001935tune.h2.initial-window-size <number>
1936 Sets the HTTP/2 initial window size, which is the number of bytes the client
Davor Ocelice9ed2812017-12-25 17:49:28 +01001937 can upload before waiting for an acknowledgment from haproxy. This setting
1938 only affects payload contents (i.e. the body of POST requests), not headers.
Willy Tarreaue6baec02017-07-27 11:45:11 +02001939 The default value is 65535, which roughly allows up to 5 Mbps of upload
1940 bandwidth per client over a network showing a 100 ms ping time, or 500 Mbps
1941 over a 1-ms local network. It can make sense to increase this value to allow
1942 faster uploads, or to reduce it to increase fairness when dealing with many
1943 clients. It doesn't affect resource usage.
1944
Willy Tarreau5242ef82017-07-27 11:47:28 +02001945tune.h2.max-concurrent-streams <number>
1946 Sets the HTTP/2 maximum number of concurrent streams per connection (ie the
1947 number of outstanding requests on a single connection). The default value is
1948 100. A larger one may slightly improve page load time for complex sites when
1949 visited over high latency networks, but increases the amount of resources a
1950 single client may allocate. A value of zero disables the limit so a single
1951 client may create as many streams as allocatable by haproxy. It is highly
1952 recommended not to change this value.
1953
Willy Tarreaua24b35c2019-02-21 13:24:36 +01001954tune.h2.max-frame-size <number>
1955 Sets the HTTP/2 maximum frame size that haproxy announces it is willing to
1956 receive to its peers. The default value is the largest between 16384 and the
1957 buffer size (tune.bufsize). In any case, haproxy will not announce support
1958 for frame sizes larger than buffers. The main purpose of this setting is to
1959 allow to limit the maximum frame size setting when using large buffers. Too
1960 large frame sizes might have performance impact or cause some peers to
1961 misbehave. It is highly recommended not to change this value.
1962
Willy Tarreau193b8c62012-11-22 00:17:38 +01001963tune.http.cookielen <number>
1964 Sets the maximum length of captured cookies. This is the maximum value that
1965 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
1966 will automatically be truncated to this one. It is important not to set too
1967 high a value because all cookie captures still allocate this size whatever
1968 their configured value (they share a same pool). This value is per request
1969 per response, so the memory allocated is twice this value per connection.
1970 When not specified, the limit is set to 63 characters. It is recommended not
1971 to change this value.
1972
Stéphane Cottin23e9e932017-05-18 08:58:41 +02001973tune.http.logurilen <number>
Davor Ocelice9ed2812017-12-25 17:49:28 +01001974 Sets the maximum length of request URI in logs. This prevents truncating long
1975 request URIs with valuable query strings in log lines. This is not related
Stéphane Cottin23e9e932017-05-18 08:58:41 +02001976 to syslog limits. If you increase this limit, you may also increase the
Davor Ocelice9ed2812017-12-25 17:49:28 +01001977 'log ... len yyy' parameter. Your syslog daemon may also need specific
Stéphane Cottin23e9e932017-05-18 08:58:41 +02001978 configuration directives too.
1979 The default value is 1024.
1980
Willy Tarreauac1932d2011-10-24 19:14:41 +02001981tune.http.maxhdr <number>
1982 Sets the maximum number of headers in a request. When a request comes with a
1983 number of headers greater than this value (including the first line), it is
1984 rejected with a "400 Bad Request" status code. Similarly, too large responses
1985 are blocked with "502 Bad Gateway". The default value is 101, which is enough
1986 for all usages, considering that the widely deployed Apache server uses the
1987 same limit. It can be useful to push this limit further to temporarily allow
Christopher Faulet50174f32017-06-21 16:31:35 +02001988 a buggy application to work by the time it gets fixed. The accepted range is
1989 1..32767. Keep in mind that each new header consumes 32bits of memory for
1990 each session, so don't push this limit too high.
Willy Tarreauac1932d2011-10-24 19:14:41 +02001991
Willy Tarreau76cc6992020-07-01 18:49:24 +02001992tune.idle-pool.shared { on | off }
1993 Enables ('on') or disables ('off') sharing of idle connection pools between
1994 threads for a same server. The default is to share them between threads in
1995 order to minimize the number of persistent connections to a server, and to
1996 optimize the connection reuse rate. But to help with debugging or when
1997 suspecting a bug in HAProxy around connection reuse, it can be convenient to
1998 forcefully disable this idle pool sharing between multiple threads, and force
1999 this option to "off". The default is on.
2000
Willy Tarreau7e312732014-02-12 16:35:14 +01002001tune.idletimer <timeout>
2002 Sets the duration after which haproxy will consider that an empty buffer is
2003 probably associated with an idle stream. This is used to optimally adjust
2004 some packet sizes while forwarding large and small data alternatively. The
2005 decision to use splice() or to send large buffers in SSL is modulated by this
2006 parameter. The value is in milliseconds between 0 and 65535. A value of zero
2007 means that haproxy will not try to detect idle streams. The default is 1000,
Davor Ocelice9ed2812017-12-25 17:49:28 +01002008 which seems to correctly detect end user pauses (e.g. read a page before
John Roeslerfb2fce12019-07-10 15:45:51 -05002009 clicking). There should be no reason for changing this value. Please check
Willy Tarreau7e312732014-02-12 16:35:14 +01002010 tune.ssl.maxrecord below.
2011
Willy Tarreau7ac908b2019-02-27 12:02:18 +01002012tune.listener.multi-queue { on | off }
2013 Enables ('on') or disables ('off') the listener's multi-queue accept which
2014 spreads the incoming traffic to all threads a "bind" line is allowed to run
2015 on instead of taking them for itself. This provides a smoother traffic
2016 distribution and scales much better, especially in environments where threads
2017 may be unevenly loaded due to external activity (network interrupts colliding
2018 with one thread for example). This option is enabled by default, but it may
2019 be forcefully disabled for troubleshooting or for situations where it is
2020 estimated that the operating system already provides a good enough
2021 distribution and connections are extremely short-lived.
2022
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002023tune.lua.forced-yield <number>
2024 This directive forces the Lua engine to execute a yield each <number> of
Tim Düsterhus4896c442016-11-29 02:15:19 +01002025 instructions executed. This permits interrupting a long script and allows the
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002026 HAProxy scheduler to process other tasks like accepting connections or
2027 forwarding traffic. The default value is 10000 instructions. If HAProxy often
Davor Ocelice9ed2812017-12-25 17:49:28 +01002028 executes some Lua code but more responsiveness is required, this value can be
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002029 lowered. If the Lua code is quite long and its result is absolutely required
2030 to process the data, the <number> can be increased.
2031
Willy Tarreau32f61e22015-03-18 17:54:59 +01002032tune.lua.maxmem
2033 Sets the maximum amount of RAM in megabytes per process usable by Lua. By
2034 default it is zero which means unlimited. It is important to set a limit to
2035 ensure that a bug in a script will not result in the system running out of
2036 memory.
2037
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002038tune.lua.session-timeout <timeout>
2039 This is the execution timeout for the Lua sessions. This is useful for
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02002040 preventing infinite loops or spending too much time in Lua. This timeout
2041 counts only the pure Lua runtime. If the Lua does a sleep, the sleep is
Davor Ocelice9ed2812017-12-25 17:49:28 +01002042 not taken in account. The default timeout is 4s.
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002043
2044tune.lua.task-timeout <timeout>
2045 Purpose is the same as "tune.lua.session-timeout", but this timeout is
2046 dedicated to the tasks. By default, this timeout isn't set because a task may
2047 remain alive during of the lifetime of HAProxy. For example, a task used to
2048 check servers.
2049
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02002050tune.lua.service-timeout <timeout>
2051 This is the execution timeout for the Lua services. This is useful for
2052 preventing infinite loops or spending too much time in Lua. This timeout
2053 counts only the pure Lua runtime. If the Lua does a sleep, the sleep is
Davor Ocelice9ed2812017-12-25 17:49:28 +01002054 not taken in account. The default timeout is 4s.
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02002055
Willy Tarreaua0250ba2008-01-06 11:22:57 +01002056tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +01002057 Sets the maximum number of consecutive connections a process may accept in a
2058 row before switching to other work. In single process mode, higher numbers
2059 give better performance at high connection rates. However in multi-process
2060 modes, keeping a bit of fairness between processes generally is better to
2061 increase performance. This value applies individually to each listener, so
2062 that the number of processes a listener is bound to is taken into account.
2063 This value defaults to 64. In multi-process mode, it is divided by twice
2064 the number of processes the listener is bound to. Setting this value to -1
2065 completely disables the limitation. It should normally not be needed to tweak
2066 this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +01002067
2068tune.maxpollevents <number>
2069 Sets the maximum amount of events that can be processed at once in a call to
2070 the polling system. The default value is adapted to the operating system. It
2071 has been noticed that reducing it below 200 tends to slightly decrease
2072 latency at the expense of network bandwidth, and increasing it above 200
2073 tends to trade latency for slightly increased bandwidth.
2074
Willy Tarreau27a674e2009-08-17 07:23:33 +02002075tune.maxrewrite <number>
2076 Sets the reserved buffer space to this size in bytes. The reserved space is
2077 used for header rewriting or appending. The first reads on sockets will never
2078 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
2079 bufsize, though that does not make much sense since there are rarely large
2080 numbers of headers to add. Setting it too high prevents processing of large
2081 requests or responses. Setting it too low prevents addition of new headers
2082 to already large requests or to POST requests. It is generally wise to set it
2083 to about 1024. It is automatically readjusted to half of bufsize if it is
2084 larger than that. This means you don't have to worry about it when changing
2085 bufsize.
2086
Willy Tarreauf3045d22015-04-29 16:24:50 +02002087tune.pattern.cache-size <number>
2088 Sets the size of the pattern lookup cache to <number> entries. This is an LRU
2089 cache which reminds previous lookups and their results. It is used by ACLs
2090 and maps on slow pattern lookups, namely the ones using the "sub", "reg",
2091 "dir", "dom", "end", "bin" match methods as well as the case-insensitive
2092 strings. It applies to pattern expressions which means that it will be able
2093 to memorize the result of a lookup among all the patterns specified on a
2094 configuration line (including all those loaded from files). It automatically
2095 invalidates entries which are updated using HTTP actions or on the CLI. The
2096 default cache size is set to 10000 entries, which limits its footprint to
Willy Tarreau403bfbb2019-10-23 06:59:31 +02002097 about 5 MB per process/thread on 32-bit systems and 8 MB per process/thread
2098 on 64-bit systems, as caches are thread/process local. There is a very low
Willy Tarreauf3045d22015-04-29 16:24:50 +02002099 risk of collision in this cache, which is in the order of the size of the
2100 cache divided by 2^64. Typically, at 10000 requests per second with the
2101 default cache size of 10000 entries, there's 1% chance that a brute force
2102 attack could cause a single collision after 60 years, or 0.1% after 6 years.
2103 This is considered much lower than the risk of a memory corruption caused by
2104 aging components. If this is not acceptable, the cache can be disabled by
2105 setting this parameter to 0.
2106
Willy Tarreaubd9a0a72011-10-23 21:14:29 +02002107tune.pipesize <number>
2108 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
2109 are the default size for the system. But sometimes when using TCP splicing,
2110 it can improve performance to increase pipe sizes, especially if it is
2111 suspected that pipes are not filled and that many calls to splice() are
2112 performed. This has an impact on the kernel's memory footprint, so this must
2113 not be changed if impacts are not understood.
2114
Olivier Houchard88698d92019-04-16 19:07:22 +02002115tune.pool-high-fd-ratio <number>
2116 This setting sets the max number of file descriptors (in percentage) used by
2117 haproxy globally against the maximum number of file descriptors haproxy can
2118 use before we start killing idle connections when we can't reuse a connection
2119 and we have to create a new one. The default is 25 (one quarter of the file
2120 descriptor will mean that roughly half of the maximum front connections can
2121 keep an idle connection behind, anything beyond this probably doesn't make
John Roeslerfb2fce12019-07-10 15:45:51 -05002122 much sense in the general case when targeting connection reuse).
Olivier Houchard88698d92019-04-16 19:07:22 +02002123
Willy Tarreau83ca3052020-07-01 18:30:16 +02002124tune.pool-low-fd-ratio <number>
2125 This setting sets the max number of file descriptors (in percentage) used by
2126 haproxy globally against the maximum number of file descriptors haproxy can
2127 use before we stop putting connection into the idle pool for reuse. The
2128 default is 20.
2129
Willy Tarreaue803de22010-01-21 17:43:04 +01002130tune.rcvbuf.client <number>
2131tune.rcvbuf.server <number>
2132 Forces the kernel socket receive buffer size on the client or the server side
2133 to the specified value in bytes. This value applies to all TCP/HTTP frontends
2134 and backends. It should normally never be set, and the default size (0) lets
John Roeslerfb2fce12019-07-10 15:45:51 -05002135 the kernel auto-tune this value depending on the amount of available memory.
Davor Ocelice9ed2812017-12-25 17:49:28 +01002136 However it can sometimes help to set it to very low values (e.g. 4096) in
Willy Tarreaue803de22010-01-21 17:43:04 +01002137 order to save kernel memory by preventing it from buffering too large amounts
2138 of received data. Lower values will significantly increase CPU usage though.
2139
Willy Tarreaub22fc302015-12-14 12:04:35 +01002140tune.recv_enough <number>
Davor Ocelice9ed2812017-12-25 17:49:28 +01002141 HAProxy uses some hints to detect that a short read indicates the end of the
Willy Tarreaub22fc302015-12-14 12:04:35 +01002142 socket buffers. One of them is that a read returns more than <recv_enough>
2143 bytes, which defaults to 10136 (7 segments of 1448 each). This default value
2144 may be changed by this setting to better deal with workloads involving lots
2145 of short messages such as telnet or SSH sessions.
2146
Olivier Houchard1599b802018-05-24 18:59:04 +02002147tune.runqueue-depth <number>
John Roeslerfb2fce12019-07-10 15:45:51 -05002148 Sets the maximum amount of task that can be processed at once when running
Olivier Houchard1599b802018-05-24 18:59:04 +02002149 tasks. The default value is 200. Increasing it may incur latency when
Willy Tarreaue7723bd2020-06-24 11:11:02 +02002150 dealing with I/Os, making it too small can incur extra overhead. When
2151 experimenting with much larger values, it may be useful to also enable
2152 tune.sched.low-latency to limit the maximum latency to the lowest possible.
2153
2154tune.sched.low-latency { on | off }
2155 Enables ('on') or disables ('off') the low-latency task scheduler. By default
2156 haproxy processes tasks from several classes one class at a time as this is
2157 the most efficient. But when running with large values of tune.runqueue-depth
2158 this can have a measurable effect on request or connection latency. When this
2159 low-latency setting is enabled, tasks of lower priority classes will always
2160 be executed before other ones if they exist. This will permit to lower the
2161 maximum latency experienced by new requests or connections in the middle of
2162 massive traffic, at the expense of a higher impact on this large traffic.
2163 For regular usage it is better to leave this off. The default value is off.
Olivier Houchard1599b802018-05-24 18:59:04 +02002164
Willy Tarreaue803de22010-01-21 17:43:04 +01002165tune.sndbuf.client <number>
2166tune.sndbuf.server <number>
2167 Forces the kernel socket send buffer size on the client or the server side to
2168 the specified value in bytes. This value applies to all TCP/HTTP frontends
2169 and backends. It should normally never be set, and the default size (0) lets
John Roeslerfb2fce12019-07-10 15:45:51 -05002170 the kernel auto-tune this value depending on the amount of available memory.
Davor Ocelice9ed2812017-12-25 17:49:28 +01002171 However it can sometimes help to set it to very low values (e.g. 4096) in
Willy Tarreaue803de22010-01-21 17:43:04 +01002172 order to save kernel memory by preventing it from buffering too large amounts
2173 of received data. Lower values will significantly increase CPU usage though.
2174 Another use case is to prevent write timeouts with extremely slow clients due
2175 to the kernel waiting for a large part of the buffer to be read before
2176 notifying haproxy again.
2177
Willy Tarreau6ec58db2012-11-16 16:32:15 +01002178tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +01002179 Sets the size of the global SSL session cache, in a number of blocks. A block
2180 is large enough to contain an encoded session without peer certificate.
2181 An encoded session with peer certificate is stored in multiple blocks
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002182 depending on the size of the peer certificate. A block uses approximately
Emeric Brunaf9619d2012-11-28 18:47:52 +01002183 200 bytes of memory. The default value may be forced at build time, otherwise
Davor Ocelice9ed2812017-12-25 17:49:28 +01002184 defaults to 20000. When the cache is full, the most idle entries are purged
Emeric Brunaf9619d2012-11-28 18:47:52 +01002185 and reassigned. Higher values reduce the occurrence of such a purge, hence
2186 the number of CPU-intensive SSL handshakes by ensuring that all users keep
2187 their session as long as possible. All entries are pre-allocated upon startup
Emeric Brun22890a12012-12-28 14:41:32 +01002188 and are shared between all processes if "nbproc" is greater than 1. Setting
2189 this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +01002190
Emeric Brun8dc60392014-05-09 13:52:00 +02002191tune.ssl.force-private-cache
Lukas Tribus27935782018-10-01 02:00:16 +02002192 This option disables SSL session cache sharing between all processes. It
Emeric Brun8dc60392014-05-09 13:52:00 +02002193 should normally not be used since it will force many renegotiations due to
2194 clients hitting a random process. But it may be required on some operating
2195 systems where none of the SSL cache synchronization method may be used. In
2196 this case, adding a first layer of hash-based load balancing before the SSL
2197 layer might limit the impact of the lack of session sharing.
2198
William Lallemand7d42ef52020-07-06 11:41:30 +02002199tune.ssl.keylog { on | off }
2200 This option activates the logging of the TLS keys. It should be used with
2201 care as it will consume more memory per SSL session and could decrease
2202 performances. This is disabled by default.
2203
2204 These sample fetches should be used to generate the SSLKEYLOGFILE that is
2205 required to decipher traffic with wireshark.
2206
2207 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
2208
2209 The SSLKEYLOG is a series of lines which are formatted this way:
2210
2211 <Label> <space> <ClientRandom> <space> <Secret>
2212
2213 The ClientRandom is provided by the %[ssl_fc_client_random,hex] sample
2214 fetch, the secret and the Label could be find in the array below. You need
2215 to generate a SSLKEYLOGFILE with all the labels in this array.
2216
2217 The following sample fetches are hexadecimal strings and does not need to be
2218 converted.
2219
2220 SSLKEYLOGFILE Label | Sample fetches for the Secrets
2221 --------------------------------|-----------------------------------------
2222 CLIENT_EARLY_TRAFFIC_SECRET | %[ssl_fc_client_early_traffic_secret]
2223 CLIENT_HANDSHAKE_TRAFFIC_SECRET | %[ssl_fc_client_handshake_traffic_secret]
2224 SERVER_HANDSHAKE_TRAFFIC_SECRET | %[ssl_fc_server_handshake_traffic_secret]
2225 CLIENT_TRAFFIC_SECRET_0 | %[ssl_fc_client_traffic_secret_0]
2226 SERVER_TRAFFIC_SECRET_0 | %[ssl_fc_server_traffic_secret_0]
William Lallemandd742b6c2020-07-07 10:14:56 +02002227 EXPORTER_SECRET | %[ssl_fc_exporter_secret]
2228 EARLY_EXPORTER_SECRET | %[ssl_fc_early_exporter_secret]
William Lallemand7d42ef52020-07-06 11:41:30 +02002229
2230 This is only available with OpenSSL 1.1.1, and useful with TLS1.3 session.
2231
2232 If you want to generate the content of a SSLKEYLOGFILE with TLS < 1.3, you
2233 only need this line:
2234
2235 "CLIENT_RANDOM %[ssl_fc_client_random,hex] %[ssl_fc_session_key,hex]"
2236
Emeric Brun4f65bff2012-11-16 15:11:00 +01002237tune.ssl.lifetime <timeout>
2238 Sets how long a cached SSL session may remain valid. This time is expressed
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002239 in seconds and defaults to 300 (5 min). It is important to understand that it
Emeric Brun4f65bff2012-11-16 15:11:00 +01002240 does not guarantee that sessions will last that long, because if the cache is
2241 full, the longest idle sessions will be purged despite their configured
2242 lifetime. The real usefulness of this setting is to prevent sessions from
2243 being used for too long.
2244
Willy Tarreaubfd59462013-02-21 07:46:09 +01002245tune.ssl.maxrecord <number>
2246 Sets the maximum amount of bytes passed to SSL_write() at a time. Default
2247 value 0 means there is no limit. Over SSL/TLS, the client can decipher the
2248 data only once it has received a full record. With large records, it means
2249 that clients might have to download up to 16kB of data before starting to
2250 process them. Limiting the value can improve page load times on browsers
2251 located over high latency or low bandwidth networks. It is suggested to find
2252 optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over
2253 Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled),
2254 keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and
2255 2859 gave good results during tests. Use "strace -e trace=write" to find the
Davor Ocelice9ed2812017-12-25 17:49:28 +01002256 best value. HAProxy will automatically switch to this setting after an idle
Willy Tarreau7e312732014-02-12 16:35:14 +01002257 stream has been detected (see tune.idletimer above).
Willy Tarreaubfd59462013-02-21 07:46:09 +01002258
Remi Gacognef46cd6e2014-06-12 14:58:40 +02002259tune.ssl.default-dh-param <number>
2260 Sets the maximum size of the Diffie-Hellman parameters used for generating
2261 the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
2262 final size will try to match the size of the server's RSA (or DSA) key (e.g,
2263 a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
Willy Tarreau3ba77d22020-05-08 09:31:18 +02002264 this maximum value. Default value if 2048. Only 1024 or higher values are
Remi Gacognef46cd6e2014-06-12 14:58:40 +02002265 allowed. Higher values will increase the CPU load, and values greater than
2266 1024 bits are not supported by Java 7 and earlier clients. This value is not
Remi Gacogne47783ef2015-05-29 15:53:22 +02002267 used if static Diffie-Hellman parameters are supplied either directly
2268 in the certificate file or by using the ssl-dh-param-file parameter.
Remi Gacognef46cd6e2014-06-12 14:58:40 +02002269
Christopher Faulet31af49d2015-06-09 17:29:50 +02002270tune.ssl.ssl-ctx-cache-size <number>
2271 Sets the size of the cache used to store generated certificates to <number>
2272 entries. This is a LRU cache. Because generating a SSL certificate
2273 dynamically is expensive, they are cached. The default cache size is set to
2274 1000 entries.
2275
Thierry FOURNIER5bf77322017-02-25 12:45:22 +01002276tune.ssl.capture-cipherlist-size <number>
2277 Sets the maximum size of the buffer used for capturing client-hello cipher
2278 list. If the value is 0 (default value) the capture is disabled, otherwise
2279 a buffer is allocated for each SSL/TLS connection.
2280
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002281tune.vars.global-max-size <size>
Christopher Fauletff2613e2016-11-09 11:36:17 +01002282tune.vars.proc-max-size <size>
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002283tune.vars.reqres-max-size <size>
2284tune.vars.sess-max-size <size>
2285tune.vars.txn-max-size <size>
Christopher Fauletff2613e2016-11-09 11:36:17 +01002286 These five tunes help to manage the maximum amount of memory used by the
2287 variables system. "global" limits the overall amount of memory available for
2288 all scopes. "proc" limits the memory for the process scope, "sess" limits the
2289 memory for the session scope, "txn" for the transaction scope, and "reqres"
2290 limits the memory for each request or response processing.
2291 Memory accounting is hierarchical, meaning more coarse grained limits include
2292 the finer grained ones: "proc" includes "sess", "sess" includes "txn", and
2293 "txn" includes "reqres".
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002294
Daniel Schneller0b547052016-03-21 20:46:57 +01002295 For example, when "tune.vars.sess-max-size" is limited to 100,
2296 "tune.vars.txn-max-size" and "tune.vars.reqres-max-size" cannot exceed
2297 100 either. If we create a variable "txn.var" that contains 100 bytes,
2298 all available space is consumed.
2299 Notice that exceeding the limits at runtime will not result in an error
2300 message, but values might be cut off or corrupted. So make sure to accurately
2301 plan for the amount of space needed to store all your variables.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002302
William Lallemanda509e4c2012-11-07 16:54:34 +01002303tune.zlib.memlevel <number>
2304 Sets the memLevel parameter in zlib initialization for each session. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002305 defines how much memory should be allocated for the internal compression
William Lallemanda509e4c2012-11-07 16:54:34 +01002306 state. A value of 1 uses minimum memory but is slow and reduces compression
Davor Ocelice9ed2812017-12-25 17:49:28 +01002307 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
William Lallemanda509e4c2012-11-07 16:54:34 +01002308 between 1 and 9. The default value is 8.
2309
2310tune.zlib.windowsize <number>
2311 Sets the window size (the size of the history buffer) as a parameter of the
2312 zlib initialization for each session. Larger values of this parameter result
Davor Ocelice9ed2812017-12-25 17:49:28 +01002313 in better compression at the expense of memory usage. Can be a value between
2314 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002315
Willy Tarreauc57f0e22009-05-10 13:12:33 +020023163.3. Debugging
2317--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02002318
Willy Tarreau6a06a402007-07-15 20:15:28 +02002319quiet
2320 Do not display any message during startup. It is equivalent to the command-
2321 line argument "-q".
2322
Willy Tarreau3eb10b82020-04-15 16:42:39 +02002323zero-warning
2324 When this option is set, haproxy will refuse to start if any warning was
2325 emitted while processing the configuration. It is highly recommended to set
2326 this option on configurations that are not changed often, as it helps detect
2327 subtle mistakes and keep the configuration clean and forward-compatible. Note
2328 that "haproxy -c" will also report errors in such a case. This option is
2329 equivalent to command line argument "-dW".
2330
Emeric Brunf099e792010-09-27 12:05:28 +02002331
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010023323.4. Userlists
2333--------------
2334It is possible to control access to frontend/backend/listen sections or to
2335http stats by allowing only authenticated and authorized users. To do this,
2336it is required to create at least one userlist and to define users.
2337
2338userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +01002339 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002340 used to store authentication & authorization data for independent customers.
2341
2342group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +01002343 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002344 attach users to this group by using a comma separated list of names
2345 proceeded by "users" keyword.
2346
Cyril Bontéf0c60612010-02-06 14:44:47 +01002347user <username> [password|insecure-password <password>]
2348 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002349 Adds user <username> to the current userlist. Both secure (encrypted) and
2350 insecure (unencrypted) passwords can be used. Encrypted passwords are
Daniel Schnellerd06f31c2017-11-06 16:51:04 +01002351 evaluated using the crypt(3) function, so depending on the system's
2352 capabilities, different algorithms are supported. For example, modern Glibc
2353 based Linux systems support MD5, SHA-256, SHA-512, and, of course, the
2354 classic DES-based method of encrypting passwords.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002355
Daniel Schnellerd06f31c2017-11-06 16:51:04 +01002356 Attention: Be aware that using encrypted passwords might cause significantly
2357 increased CPU usage, depending on the number of requests, and the algorithm
2358 used. For any of the hashed variants, the password for each request must
2359 be processed through the chosen algorithm, before it can be compared to the
2360 value specified in the config file. Most current algorithms are deliberately
2361 designed to be expensive to compute to achieve resistance against brute
2362 force attacks. They do not simply salt/hash the clear text password once,
2363 but thousands of times. This can quickly become a major factor in haproxy's
2364 overall CPU consumption!
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002365
2366 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +01002367 userlist L1
2368 group G1 users tiger,scott
2369 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002370
Cyril Bontéf0c60612010-02-06 14:44:47 +01002371 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
2372 user scott insecure-password elgato
2373 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002374
Cyril Bontéf0c60612010-02-06 14:44:47 +01002375 userlist L2
2376 group G1
2377 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002378
Cyril Bontéf0c60612010-02-06 14:44:47 +01002379 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
2380 user scott insecure-password elgato groups G1,G2
2381 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002382
2383 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002384
Emeric Brunf099e792010-09-27 12:05:28 +02002385
23863.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +02002387----------
Emeric Brun94900952015-06-11 18:25:54 +02002388It is possible to propagate entries of any data-types in stick-tables between
2389several haproxy instances over TCP connections in a multi-master fashion. Each
2390instance pushes its local updates and insertions to remote peers. The pushed
2391values overwrite remote ones without aggregation. Interrupted exchanges are
2392automatically detected and recovered from the last known point.
2393In addition, during a soft restart, the old process connects to the new one
2394using such a TCP connection to push all its entries before the new process
2395tries to connect to other peers. That ensures very fast replication during a
2396reload, it typically takes a fraction of a second even for large tables.
2397Note that Server IDs are used to identify servers remotely, so it is important
2398that configurations look similar or at least that the same IDs are forced on
2399each server on all participants.
Emeric Brunf099e792010-09-27 12:05:28 +02002400
2401peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -04002402 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +02002403 which is referenced by one or more stick-tables.
2404
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002405bind [<address>]:<port_range> [, ...] [param*]
2406 Defines the binding parameters of the local peer of this "peers" section.
2407 Such lines are not supported with "peer" line in the same "peers" section.
2408
Willy Tarreau77e4bd12015-05-01 20:02:17 +02002409disabled
2410 Disables a peers section. It disables both listening and any synchronization
2411 related to this section. This is provided to disable synchronization of stick
2412 tables without having to comment out all "peers" references.
2413
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002414default-bind [param*]
2415 Defines the binding parameters for the local peer, excepted its address.
2416
2417default-server [param*]
2418 Change default options for a server in a "peers" section.
2419
2420 Arguments:
2421 <param*> is a list of parameters for this server. The "default-server"
2422 keyword accepts an important number of options and has a complete
2423 section dedicated to it. Please refer to section 5 for more
2424 details.
2425
2426
2427 See also: "server" and section 5 about server options
2428
Willy Tarreau77e4bd12015-05-01 20:02:17 +02002429enable
2430 This re-enables a disabled peers section which was previously disabled.
2431
Frédéric Lécailleb6f759b2019-11-05 09:57:45 +01002432log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>]
2433 <facility> [<level> [<minlevel>]]
2434 "peers" sections support the same "log" keyword as for the proxies to
2435 log information about the "peers" listener. See "log" option for proxies for
2436 more details.
2437
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002438peer <peername> <ip>:<port> [param*]
Emeric Brunf099e792010-09-27 12:05:28 +02002439 Defines a peer inside a peers section.
2440 If <peername> is set to the local peer name (by default hostname, or forced
Dragan Dosen13cd54c2020-06-18 18:24:05 +02002441 using "-L" command line option or "localpeer" global configuration setting),
2442 haproxy will listen for incoming remote peer connection on <ip>:<port>.
2443 Otherwise, <ip>:<port> defines where to connect to in order to join the
2444 remote peer, and <peername> is used at the protocol level to identify and
2445 validate the remote peer on the server side.
Emeric Brunf099e792010-09-27 12:05:28 +02002446
2447 During a soft restart, local peer <ip>:<port> is used by the old instance to
2448 connect the new one and initiate a complete replication (teaching process).
2449
2450 It is strongly recommended to have the exact same peers declaration on all
Dragan Dosen13cd54c2020-06-18 18:24:05 +02002451 peers and to only rely on the "-L" command line argument or the "localpeer"
2452 global configuration setting to change the local peer name. This makes it
2453 easier to maintain coherent configuration files across all peers.
Emeric Brunf099e792010-09-27 12:05:28 +02002454
William Lallemandb2f07452015-05-12 14:27:13 +02002455 You may want to reference some environment variables in the address
2456 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01002457
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002458 Note: "peer" keyword may transparently be replaced by "server" keyword (see
2459 "server" keyword explanation below).
2460
2461server <peername> [<ip>:<port>] [param*]
Michael Prokop4438c602019-05-24 10:25:45 +02002462 As previously mentioned, "peer" keyword may be replaced by "server" keyword
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002463 with a support for all "server" parameters found in 5.2 paragraph.
2464 If the underlying peer is local, <ip>:<port> parameters must not be present.
2465 These parameters must be provided on a "bind" line (see "bind" keyword
2466 of this "peers" section).
2467 Some of these parameters are irrelevant for "peers" sections.
2468
2469
Cyril Bontédc4d9032012-04-08 21:57:39 +02002470 Example:
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002471 # The old way.
Emeric Brunf099e792010-09-27 12:05:28 +02002472 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01002473 peer haproxy1 192.168.0.1:1024
2474 peer haproxy2 192.168.0.2:1024
2475 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02002476
2477 backend mybackend
2478 mode tcp
2479 balance roundrobin
2480 stick-table type ip size 20k peers mypeers
2481 stick on src
2482
Willy Tarreauf7b30a92010-12-06 22:59:17 +01002483 server srv1 192.168.0.30:80
2484 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02002485
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002486 Example:
2487 peers mypeers
2488 bind 127.0.0.11:10001 ssl crt mycerts/pem
2489 default-server ssl verify none
2490 server hostA 127.0.0.10:10000
2491 server hostB #local peer
Emeric Brunf099e792010-09-27 12:05:28 +02002492
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01002493
2494table <tablename> type {ip | integer | string [len <length>] | binary [len <length>]}
2495 size <size> [expire <expire>] [nopurge] [store <data_type>]*
2496
2497 Configure a stickiness table for the current section. This line is parsed
2498 exactly the same way as the "stick-table" keyword in others section, except
John Roeslerfb2fce12019-07-10 15:45:51 -05002499 for the "peers" argument which is not required here and with an additional
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01002500 mandatory first parameter to designate the stick-table. Contrary to others
2501 sections, there may be several "table" lines in "peers" sections (see also
2502 "stick-table" keyword).
2503
2504 Also be aware of the fact that "peers" sections have their own stick-table
2505 namespaces to avoid collisions between stick-table names identical in
2506 different "peers" section. This is internally handled prepending the "peers"
2507 sections names to the name of the stick-tables followed by a '/' character.
2508 If somewhere else in the configuration file you have to refer to such
2509 stick-tables declared in "peers" sections you must use the prefixed version
2510 of the stick-table name as follows:
2511
2512 peers mypeers
2513 peer A ...
2514 peer B ...
2515 table t1 ...
2516
2517 frontend fe1
2518 tcp-request content track-sc0 src table mypeers/t1
2519
2520 This is also this prefixed version of the stick-table names which must be
2521 used to refer to stick-tables through the CLI.
2522
2523 About "peers" protocol, as only "peers" belonging to the same section may
2524 communicate with each others, there is no need to do such a distinction.
2525 Several "peers" sections may declare stick-tables with the same name.
2526 This is shorter version of the stick-table name which is sent over the network.
2527 There is only a '/' character as prefix to avoid stick-table name collisions between
2528 stick-tables declared as backends and stick-table declared in "peers" sections
2529 as follows in this weird but supported configuration:
2530
2531 peers mypeers
2532 peer A ...
2533 peer B ...
2534 table t1 type string size 10m store gpc0
2535
2536 backend t1
2537 stick-table type string size 10m store gpc0 peers mypeers
2538
Daniel Corbett67a82712020-07-06 23:01:19 -04002539 Here "t1" table declared in "mypeers" section has "mypeers/t1" as global name.
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01002540 "t1" table declared as a backend as "t1" as global name. But at peer protocol
2541 level the former table is named "/t1", the latter is again named "t1".
2542
Simon Horman51a1cf62015-02-03 13:00:44 +090025433.6. Mailers
2544------------
2545It is possible to send email alerts when the state of servers changes.
2546If configured email alerts are sent to each mailer that is configured
2547in a mailers section. Email is sent to mailers using SMTP.
2548
Pieter Baauw386a1272015-08-16 15:26:24 +02002549mailers <mailersect>
Simon Horman51a1cf62015-02-03 13:00:44 +09002550 Creates a new mailer list with the name <mailersect>. It is an
2551 independent section which is referenced by one or more proxies.
2552
2553mailer <mailername> <ip>:<port>
2554 Defines a mailer inside a mailers section.
2555
2556 Example:
2557 mailers mymailers
2558 mailer smtp1 192.168.0.1:587
2559 mailer smtp2 192.168.0.2:587
2560
2561 backend mybackend
2562 mode tcp
2563 balance roundrobin
2564
2565 email-alert mailers mymailers
2566 email-alert from test1@horms.org
2567 email-alert to test2@horms.org
2568
2569 server srv1 192.168.0.30:80
2570 server srv2 192.168.0.31:80
2571
Pieter Baauw235fcfc2016-02-13 15:33:40 +01002572timeout mail <time>
2573 Defines the time available for a mail/connection to be made and send to
2574 the mail-server. If not defined the default value is 10 seconds. To allow
2575 for at least two SYN-ACK packets to be send during initial TCP handshake it
2576 is advised to keep this value above 4 seconds.
2577
2578 Example:
2579 mailers mymailers
2580 timeout mail 20s
2581 mailer smtp1 192.168.0.1:587
Simon Horman51a1cf62015-02-03 13:00:44 +09002582
William Lallemandc9515522019-06-12 16:32:11 +020025833.7. Programs
2584-------------
2585In master-worker mode, it is possible to launch external binaries with the
2586master, these processes are called programs. These programs are launched and
2587managed the same way as the workers.
2588
2589During a reload of HAProxy, those processes are dealing with the same
2590sequence as a worker:
2591
2592 - the master is re-executed
2593 - the master sends a SIGUSR1 signal to the program
2594 - if "option start-on-reload" is not disabled, the master launches a new
2595 instance of the program
2596
2597During a stop, or restart, a SIGTERM is sent to the programs.
2598
2599program <name>
2600 This is a new program section, this section will create an instance <name>
2601 which is visible in "show proc" on the master CLI. (See "9.4. Master CLI" in
2602 the management guide).
2603
2604command <command> [arguments*]
2605 Define the command to start with optional arguments. The command is looked
2606 up in the current PATH if it does not include an absolute path. This is a
2607 mandatory option of the program section. Arguments containing spaces must
2608 be enclosed in quotes or double quotes or be prefixed by a backslash.
2609
Andrew Heberle97236962019-07-12 11:50:26 +08002610user <user name>
2611 Changes the executed command user ID to the <user name> from /etc/passwd.
2612 See also "group".
2613
2614group <group name>
2615 Changes the executed command group ID to the <group name> from /etc/group.
2616 See also "user".
2617
William Lallemandc9515522019-06-12 16:32:11 +02002618option start-on-reload
2619no option start-on-reload
2620 Start (or not) a new instance of the program upon a reload of the master.
2621 The default is to start a new instance. This option may only be used in a
2622 program section.
2623
2624
Christopher Faulet76edc0f2020-01-13 15:52:01 +010026253.8. HTTP-errors
2626----------------
2627
2628It is possible to globally declare several groups of HTTP errors, to be
2629imported afterwards in any proxy section. Same group may be referenced at
2630several places and can be fully or partially imported.
2631
2632http-errors <name>
2633 Create a new http-errors group with the name <name>. It is an independent
2634 section that may be referenced by one or more proxies using its name.
2635
2636errorfile <code> <file>
2637 Associate a file contents to an HTTP error code
2638
2639 Arguments :
2640 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02002641 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
2642 425, 429, 500, 502, 503, and 504.
Christopher Faulet76edc0f2020-01-13 15:52:01 +01002643
2644 <file> designates a file containing the full HTTP response. It is
2645 recommended to follow the common practice of appending ".http" to
2646 the filename so that people do not confuse the response with HTML
2647 error pages, and to use absolute paths, since files are read
2648 before any chroot is performed.
2649
2650 Please referrers to "errorfile" keyword in section 4 for details.
2651
2652 Example:
2653 http-errors website-1
2654 errorfile 400 /etc/haproxy/errorfiles/site1/400.http
2655 errorfile 404 /etc/haproxy/errorfiles/site1/404.http
2656 errorfile 408 /dev/null # work around Chrome pre-connect bug
2657
2658 http-errors website-2
2659 errorfile 400 /etc/haproxy/errorfiles/site2/400.http
2660 errorfile 404 /etc/haproxy/errorfiles/site2/404.http
2661 errorfile 408 /dev/null # work around Chrome pre-connect bug
2662
Emeric Brun99c453d2020-05-25 15:01:04 +020026633.9. Rings
2664----------
2665
2666It is possible to globally declare ring-buffers, to be used as target for log
2667servers or traces.
2668
2669ring <ringname>
2670 Creates a new ring-buffer with name <ringname>.
2671
2672description <text>
Daniel Corbett67a82712020-07-06 23:01:19 -04002673 The description is an optional description string of the ring. It will
Emeric Brun99c453d2020-05-25 15:01:04 +02002674 appear on CLI. By default, <name> is reused to fill this field.
2675
2676format <format>
2677 Format used to store events into the ring buffer.
2678
2679 Arguments:
2680 <format> is the log format used when generating syslog messages. It may be
2681 one of the following :
2682
2683 iso A message containing only the ISO date, followed by the text.
2684 The PID, process name and system name are omitted. This is
2685 designed to be used with a local log server.
2686
2687 raw A message containing only the text. The level, PID, date, time,
2688 process name and system name are omitted. This is designed to be
2689 used in containers or during development, where the severity
2690 only depends on the file descriptor used (stdout/stderr). This
2691 is the default.
2692
2693 rfc3164 The RFC3164 syslog message format. This is the default.
2694 (https://tools.ietf.org/html/rfc3164)
2695
2696 rfc5424 The RFC5424 syslog message format.
2697 (https://tools.ietf.org/html/rfc5424)
2698
2699 short A message containing only a level between angle brackets such as
2700 '<3>', followed by the text. The PID, date, time, process name
2701 and system name are omitted. This is designed to be used with a
2702 local log server. This format is compatible with what the systemd
2703 logger consumes.
2704
Emeric Brun54648852020-07-06 15:54:06 +02002705 priority A message containing only a level plus syslog facility between angle
2706 brackets such as '<63>', followed by the text. The PID, date, time,
2707 process name and system name are omitted. This is designed to be used
2708 with a local log server.
2709
Emeric Brun99c453d2020-05-25 15:01:04 +02002710 timed A message containing only a level between angle brackets such as
2711 '<3>', followed by ISO date and by the text. The PID, process
2712 name and system name are omitted. This is designed to be
2713 used with a local log server.
2714
2715maxlen <length>
2716 The maximum length of an event message stored into the ring,
2717 including formatted header. If an event message is longer than
2718 <length>, it will be truncated to this length.
2719
Emeric Brun494c5052020-05-28 11:13:15 +02002720server <name> <address> [param*]
2721 Used to configure a syslog tcp server to forward messages from ring buffer.
2722 This supports for all "server" parameters found in 5.2 paragraph. Some of
2723 these parameters are irrelevant for "ring" sections. Important point: there
2724 is little reason to add more than one server to a ring, because all servers
2725 will receive the exact same copy of the ring contents, and as such the ring
2726 will progress at the speed of the slowest server. If one server does not
2727 respond, it will prevent old messages from being purged and may block new
2728 messages from being inserted into the ring. The proper way to send messages
2729 to multiple servers is to use one distinct ring per log server, not to
Emeric Brun97556472020-05-30 01:42:45 +02002730 attach multiple servers to the same ring. Note that specific server directive
2731 "log-proto" is used to set the protocol used to send messages.
Emeric Brun494c5052020-05-28 11:13:15 +02002732
Emeric Brun99c453d2020-05-25 15:01:04 +02002733size <size>
2734 This is the optional size in bytes for the ring-buffer. Default value is
2735 set to BUFSIZE.
2736
Emeric Brun494c5052020-05-28 11:13:15 +02002737timeout connect <timeout>
2738 Set the maximum time to wait for a connection attempt to a server to succeed.
2739
2740 Arguments :
2741 <timeout> is the timeout value specified in milliseconds by default, but
2742 can be in any other unit if the number is suffixed by the unit,
2743 as explained at the top of this document.
2744
2745timeout server <timeout>
2746 Set the maximum time for pending data staying into output buffer.
2747
2748 Arguments :
2749 <timeout> is the timeout value specified in milliseconds by default, but
2750 can be in any other unit if the number is suffixed by the unit,
2751 as explained at the top of this document.
2752
Emeric Brun99c453d2020-05-25 15:01:04 +02002753 Example:
2754 global
2755 log ring@myring local7
2756
2757 ring myring
2758 description "My local buffer"
2759 format rfc3164
2760 maxlen 1200
2761 size 32764
Emeric Brun494c5052020-05-28 11:13:15 +02002762 timeout connect 5s
2763 timeout server 10s
Emeric Brun97556472020-05-30 01:42:45 +02002764 server mysyslogsrv 127.0.0.1:6514 log-proto octet-count
Emeric Brun99c453d2020-05-25 15:01:04 +02002765
Emeric Brun12941c82020-07-07 14:19:42 +020027663.10. Log forwarding
2767-------------------
2768
2769It is possible to declare one or multiple log forwarding section,
2770haproxy will forward all received log messages to a log servers list.
2771
2772log-forward <name>
2773 Creates a new log forwarder proxy identified as <name>.
2774
Emeric Bruncbb7bf72020-10-05 14:39:35 +02002775backlog <conns>
2776 Give hints to the system about the approximate listen backlog desired size
2777 on connections accept.
2778
2779bind <addr> [param*]
2780 Used to configure a stream log listener to receive messages to forward.
Emeric Brunda46c1c2020-10-08 08:39:02 +02002781 This supports the "bind" parameters found in 5.1 paragraph including
2782 those about ssl but some statements such as "alpn" may be irrelevant for
2783 syslog protocol over TCP.
2784 Those listeners support both "Octet Counting" and "Non-Transparent-Framing"
Emeric Bruncbb7bf72020-10-05 14:39:35 +02002785 modes as defined in rfc-6587.
2786
Willy Tarreau76aaa7f2020-09-16 15:07:22 +02002787dgram-bind <addr> [param*]
Emeric Bruncbb7bf72020-10-05 14:39:35 +02002788 Used to configure a datagram log listener to receive messages to forward.
2789 Addresses must be in IPv4 or IPv6 form,followed by a port. This supports
2790 for some of the "bind" parameters found in 5.1 paragraph among which
2791 "interface", "namespace" or "transparent", the other ones being
Willy Tarreau26ff5da2020-09-16 15:22:19 +02002792 silently ignored as irrelevant for UDP/syslog case.
Emeric Brun12941c82020-07-07 14:19:42 +02002793
2794log global
2795log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>]
2796 <facility> [<level> [<minlevel>]]
2797 Used to configure target log servers. See more details on proxies
2798 documentation.
2799 If no format specified, haproxy tries to keep the incoming log format.
2800 Configured facility is ignored, except if incoming message does not
2801 present a facility but one is mandatory on the outgoing format.
2802 If there is no timestamp available in the input format, but the field
2803 exists in output format, haproxy will use the local date.
2804
2805 Example:
2806 global
2807 log stderr format iso local7
2808
2809 ring myring
2810 description "My local buffer"
2811 format rfc5424
2812 maxlen 1200
2813 size 32764
2814 timeout connect 5s
2815 timeout server 10s
2816 # syslog tcp server
2817 server mysyslogsrv 127.0.0.1:514 log-proto octet-count
2818
2819 log-forward sylog-loadb
Emeric Bruncbb7bf72020-10-05 14:39:35 +02002820 dgram-bind 127.0.0.1:1514
2821 bind 127.0.0.1:1514
Emeric Brun12941c82020-07-07 14:19:42 +02002822 # all messages on stderr
2823 log global
2824 # all messages on local tcp syslog server
2825 log ring@myring local0
2826 # load balance messages on 4 udp syslog servers
2827 log 127.0.0.1:10001 sample 1:4 local0
2828 log 127.0.0.1:10002 sample 2:4 local0
2829 log 127.0.0.1:10003 sample 3:4 local0
2830 log 127.0.0.1:10004 sample 4:4 local0
Christopher Faulet76edc0f2020-01-13 15:52:01 +01002831
Emeric Bruncbb7bf72020-10-05 14:39:35 +02002832maxconn <conns>
2833 Fix the maximum number of concurrent connections on a log forwarder.
2834 10 is the default.
2835
2836timeout client <timeout>
2837 Set the maximum inactivity time on the client side.
2838
Willy Tarreauc57f0e22009-05-10 13:12:33 +020028394. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02002840----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01002841
Willy Tarreau6a06a402007-07-15 20:15:28 +02002842Proxy configuration can be located in a set of sections :
William Lallemand6e62fb62015-04-28 16:55:23 +02002843 - defaults [<name>]
Willy Tarreau6a06a402007-07-15 20:15:28 +02002844 - frontend <name>
2845 - backend <name>
2846 - listen <name>
2847
2848A "defaults" section sets default parameters for all other sections following
2849its declaration. Those default parameters are reset by the next "defaults"
2850section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +01002851section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002852
2853A "frontend" section describes a set of listening sockets accepting client
2854connections.
2855
2856A "backend" section describes a set of servers to which the proxy will connect
2857to forward incoming connections.
2858
2859A "listen" section defines a complete proxy with its frontend and backend
2860parts combined in one section. It is generally useful for TCP-only traffic.
2861
Willy Tarreau0ba27502007-12-24 16:55:16 +01002862All proxy names must be formed from upper and lower case letters, digits,
2863'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
2864case-sensitive, which means that "www" and "WWW" are two different proxies.
2865
2866Historically, all proxy names could overlap, it just caused troubles in the
2867logs. Since the introduction of content switching, it is mandatory that two
2868proxies with overlapping capabilities (frontend/backend) have different names.
2869However, it is still permitted that a frontend and a backend share the same
2870name, as this configuration seems to be commonly encountered.
2871
2872Right now, two major proxy modes are supported : "tcp", also known as layer 4,
2873and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002874bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002875protocol, and can interact with it by allowing, blocking, switching, adding,
2876modifying, or removing arbitrary contents in requests or responses, based on
2877arbitrary criteria.
2878
Willy Tarreau70dffda2014-01-30 03:07:23 +01002879In HTTP mode, the processing applied to requests and responses flowing over
2880a connection depends in the combination of the frontend's HTTP options and
Julien Pivotto21ad3152019-12-10 13:11:17 +01002881the backend's. HAProxy supports 3 connection modes :
Willy Tarreau70dffda2014-01-30 03:07:23 +01002882
2883 - KAL : keep alive ("option http-keep-alive") which is the default mode : all
2884 requests and responses are processed, and connections remain open but idle
2885 between responses and new requests.
2886
Willy Tarreau70dffda2014-01-30 03:07:23 +01002887 - SCL: server close ("option http-server-close") : the server-facing
2888 connection is closed after the end of the response is received, but the
2889 client-facing connection remains open.
2890
Christopher Faulet315b39c2018-09-21 16:26:19 +02002891 - CLO: close ("option httpclose"): the connection is closed after the end of
2892 the response and "Connection: close" appended in both directions.
Willy Tarreau70dffda2014-01-30 03:07:23 +01002893
2894The effective mode that will be applied to a connection passing through a
2895frontend and a backend can be determined by both proxy modes according to the
2896following matrix, but in short, the modes are symmetric, keep-alive is the
Christopher Faulet315b39c2018-09-21 16:26:19 +02002897weakest option and close is the strongest.
Willy Tarreau70dffda2014-01-30 03:07:23 +01002898
Christopher Faulet315b39c2018-09-21 16:26:19 +02002899 Backend mode
Willy Tarreau70dffda2014-01-30 03:07:23 +01002900
Christopher Faulet315b39c2018-09-21 16:26:19 +02002901 | KAL | SCL | CLO
2902 ----+-----+-----+----
2903 KAL | KAL | SCL | CLO
2904 ----+-----+-----+----
Christopher Faulet315b39c2018-09-21 16:26:19 +02002905 mode SCL | SCL | SCL | CLO
2906 ----+-----+-----+----
2907 CLO | CLO | CLO | CLO
Willy Tarreau70dffda2014-01-30 03:07:23 +01002908
Willy Tarreau0ba27502007-12-24 16:55:16 +01002909
Willy Tarreau70dffda2014-01-30 03:07:23 +01002910
Willy Tarreauc57f0e22009-05-10 13:12:33 +020029114.1. Proxy keywords matrix
2912--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01002913
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002914The following list of keywords is supported. Most of them may only be used in a
2915limited set of section types. Some of them are marked as "deprecated" because
2916they are inherited from an old syntax which may be confusing or functionally
2917limited, and there are new recommended keywords to replace them. Keywords
Davor Ocelice9ed2812017-12-25 17:49:28 +01002918marked with "(*)" can be optionally inverted using the "no" prefix, e.g. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002919option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02002920and must be disabled for a specific instance. Such options may also be prefixed
2921with "default" in order to restore default settings regardless of what has been
2922specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002923
Willy Tarreau6a06a402007-07-15 20:15:28 +02002924
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002925 keyword defaults frontend listen backend
2926------------------------------------+----------+----------+---------+---------
2927acl - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002928backlog X X X -
2929balance X - X X
2930bind - X X -
2931bind-process X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002932capture cookie - X X -
2933capture request header - X X -
2934capture response header - X X -
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09002935clitcpka-cnt X X X -
2936clitcpka-idle X X X -
2937clitcpka-intvl X X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02002938compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002939cookie X - X X
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02002940declare capture - X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002941default-server X - X X
2942default_backend X X X -
2943description - X X X
2944disabled X X X X
2945dispatch - - X X
Simon Horman51a1cf62015-02-03 13:00:44 +09002946email-alert from X X X X
Simon Horman64e34162015-02-06 11:11:57 +09002947email-alert level X X X X
Simon Horman51a1cf62015-02-03 13:00:44 +09002948email-alert mailers X X X X
2949email-alert myhostname X X X X
2950email-alert to X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002951enabled X X X X
2952errorfile X X X X
Christopher Faulet76edc0f2020-01-13 15:52:01 +01002953errorfiles X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002954errorloc X X X X
2955errorloc302 X X X X
2956-- keyword -------------------------- defaults - frontend - listen -- backend -
2957errorloc303 X X X X
Cyril Bonté4288c5a2018-03-12 22:02:59 +01002958force-persist - - X X
Christopher Fauletc3fe5332016-04-07 15:30:10 +02002959filter - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002960fullconn X - X X
2961grace X X X X
2962hash-type X - X X
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01002963http-after-response - X X X
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02002964http-check comment X - X X
Christopher Faulete5870d82020-04-15 11:32:03 +02002965http-check connect X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002966http-check disable-on-404 X - X X
Christopher Faulete5870d82020-04-15 11:32:03 +02002967http-check expect X - X X
Peter Gervai8912ae62020-06-11 18:26:36 +02002968http-check send X - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02002969http-check send-state X - X X
Christopher Faulete5870d82020-04-15 11:32:03 +02002970http-check set-var X - X X
2971http-check unset-var X - X X
Christopher Faulet3b967c12020-05-15 15:47:44 +02002972http-error X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002973http-request - X X X
Willy Tarreaue365c0b2013-06-11 16:06:12 +02002974http-response - X X X
Willy Tarreau30631952015-08-06 15:05:24 +02002975http-reuse X - X X
Baptiste Assmann2c42ef52013-10-09 21:57:02 +02002976http-send-name-header - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002977id - X X X
Cyril Bonté4288c5a2018-03-12 22:02:59 +01002978ignore-persist - - X X
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02002979load-server-state-from-file X - X X
William Lallemand0f99e342011-10-12 17:50:54 +02002980log (*) X X X X
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01002981log-format X X X -
Dragan Dosen7ad31542015-09-28 17:16:47 +02002982log-format-sd X X X -
Willy Tarreau094af4e2015-01-07 15:03:42 +01002983log-tag X X X X
Willy Tarreauc35362a2014-04-25 13:58:37 +02002984max-keep-alive-queue X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002985maxconn X X X -
2986mode X X X X
2987monitor fail - X X -
2988monitor-net X X X -
2989monitor-uri X X X -
2990option abortonclose (*) X - X X
2991option accept-invalid-http-request (*) X X X -
2992option accept-invalid-http-response (*) X - X X
2993option allbackups (*) X - X X
2994option checkcache (*) X - X X
2995option clitcpka (*) X X X -
2996option contstats (*) X X X -
Christopher Faulet89aed322020-06-02 17:33:56 +02002997option disable-h2-upgrade (*) X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002998option dontlog-normal (*) X X X -
2999option dontlognull (*) X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003000-- keyword -------------------------- defaults - frontend - listen -- backend -
3001option forwardfor X X X X
Christopher Faulet98fbe952019-07-22 16:18:24 +02003002option h1-case-adjust-bogus-client (*) X X X -
3003option h1-case-adjust-bogus-server (*) X - X X
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02003004option http-buffer-request (*) X X X X
Willy Tarreau82649f92015-05-01 22:40:51 +02003005option http-ignore-probes (*) X X X -
Willy Tarreau16bfb022010-01-16 19:48:41 +01003006option http-keep-alive (*) X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02003007option http-no-delay (*) X X X X
Christopher Faulet98db9762018-09-21 10:25:19 +02003008option http-pretend-keepalive (*) X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003009option http-server-close (*) X X X X
3010option http-use-proxy-header (*) X X X -
3011option httpchk X - X X
3012option httpclose (*) X X X X
Freddy Spierenburge88b7732019-03-25 14:35:17 +01003013option httplog X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003014option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04003015option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02003016option ldap-check X - X X
Simon Horman98637e52014-06-20 12:30:16 +09003017option external-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003018option log-health-checks (*) X - X X
3019option log-separate-errors (*) X X X -
3020option logasap (*) X X X -
3021option mysql-check X - X X
3022option nolinger (*) X X X X
3023option originalto X X X X
3024option persist (*) X - X X
Baptiste Assmann809e22a2015-10-12 20:22:55 +02003025option pgsql-check X - X X
3026option prefer-last-server (*) X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003027option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02003028option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003029option smtpchk X - X X
3030option socket-stats (*) X X X -
3031option splice-auto (*) X X X X
3032option splice-request (*) X X X X
3033option splice-response (*) X X X X
Christopher Fauletba7bc162016-11-07 21:07:38 +01003034option spop-check - - - X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003035option srvtcpka (*) X - X X
3036option ssl-hello-chk X - X X
3037-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreaued179852013-12-16 01:07:00 +01003038option tcp-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003039option tcp-smart-accept (*) X X X -
3040option tcp-smart-connect (*) X - X X
3041option tcpka X X X X
3042option tcplog X X X X
3043option transparent (*) X - X X
Simon Horman98637e52014-06-20 12:30:16 +09003044external-check command X - X X
3045external-check path X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003046persist rdp-cookie X - X X
3047rate-limit sessions X X X -
3048redirect - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003049-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003050retries X - X X
Olivier Houcharda254a372019-04-05 15:30:12 +02003051retry-on X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003052server - - X X
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02003053server-state-file-name X - X X
Frédéric Lécaillecb4502e2017-04-20 13:36:25 +02003054server-template - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003055source X - X X
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09003056srvtcpka-cnt X - X X
3057srvtcpka-idle X - X X
3058srvtcpka-intvl X - X X
Baptiste Assmann5a549212015-10-12 20:30:24 +02003059stats admin - X X X
3060stats auth X X X X
3061stats enable X X X X
3062stats hide-version X X X X
3063stats http-request - X X X
3064stats realm X X X X
3065stats refresh X X X X
3066stats scope X X X X
3067stats show-desc X X X X
3068stats show-legends X X X X
3069stats show-node X X X X
3070stats uri X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003071-- keyword -------------------------- defaults - frontend - listen -- backend -
3072stick match - - X X
3073stick on - - X X
3074stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02003075stick store-response - - X X
Adam Spiers68af3c12017-04-06 16:31:39 +01003076stick-table - X X X
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02003077tcp-check comment X - X X
Christopher Faulet404f9192020-04-09 23:13:54 +02003078tcp-check connect X - X X
3079tcp-check expect X - X X
3080tcp-check send X - X X
Christopher Fauletb50b3e62020-05-05 18:43:43 +02003081tcp-check send-lf X - X X
Christopher Faulet404f9192020-04-09 23:13:54 +02003082tcp-check send-binary X - X X
Christopher Fauletb50b3e62020-05-05 18:43:43 +02003083tcp-check send-binary-lf X - X X
Christopher Faulet404f9192020-04-09 23:13:54 +02003084tcp-check set-var X - X X
3085tcp-check unset-var X - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02003086tcp-request connection - X X -
3087tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02003088tcp-request inspect-delay - X X X
Willy Tarreau4f614292016-10-21 17:49:36 +02003089tcp-request session - X X -
Emeric Brun0a3b67f2010-09-24 15:34:53 +02003090tcp-response content - - X X
3091tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003092timeout check X - X X
3093timeout client X X X -
Willy Tarreau05cdd962014-05-10 14:30:07 +02003094timeout client-fin X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003095timeout connect X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003096timeout http-keep-alive X X X X
3097timeout http-request X X X X
3098timeout queue X - X X
3099timeout server X - X X
Willy Tarreau05cdd962014-05-10 14:30:07 +02003100timeout server-fin X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003101timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02003102timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003103transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01003104unique-id-format X X X -
3105unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003106use_backend - X X -
Christopher Fauletb30b3102019-09-12 23:03:09 +02003107use-fcgi-app - - X X
Willy Tarreau4a5cade2012-04-05 21:09:48 +02003108use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003109------------------------------------+----------+----------+---------+---------
3110 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02003111
Willy Tarreau0ba27502007-12-24 16:55:16 +01003112
Willy Tarreauc57f0e22009-05-10 13:12:33 +020031134.2. Alphabetically sorted keywords reference
3114---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01003115
3116This section provides a description of each keyword and its usage.
3117
3118
3119acl <aclname> <criterion> [flags] [operator] <value> ...
3120 Declare or complete an access list.
3121 May be used in sections : defaults | frontend | listen | backend
3122 no | yes | yes | yes
3123 Example:
3124 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
3125 acl invalid_src src_port 0:1023
3126 acl local_dst hdr(host) -i localhost
3127
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003128 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003129
3130
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01003131backlog <conns>
3132 Give hints to the system about the approximate listen backlog desired size
3133 May be used in sections : defaults | frontend | listen | backend
3134 yes | yes | yes | no
3135 Arguments :
3136 <conns> is the number of pending connections. Depending on the operating
3137 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02003138 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01003139
3140 In order to protect against SYN flood attacks, one solution is to increase
3141 the system's SYN backlog size. Depending on the system, sometimes it is just
3142 tunable via a system parameter, sometimes it is not adjustable at all, and
3143 sometimes the system relies on hints given by the application at the time of
3144 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
3145 to the listen() syscall. On systems which can make use of this value, it can
3146 sometimes be useful to be able to specify a different value, hence this
3147 backlog parameter.
3148
3149 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
3150 used as a hint and the system accepts up to the smallest greater power of
3151 two, and never more than some limits (usually 32768).
3152
3153 See also : "maxconn" and the target operating system's tuning guide.
3154
3155
Willy Tarreau0ba27502007-12-24 16:55:16 +01003156balance <algorithm> [ <arguments> ]
Willy Tarreau226071e2014-04-10 11:55:45 +02003157balance url_param <param> [check_post]
Willy Tarreau0ba27502007-12-24 16:55:16 +01003158 Define the load balancing algorithm to be used in a backend.
3159 May be used in sections : defaults | frontend | listen | backend
3160 yes | no | yes | yes
3161 Arguments :
3162 <algorithm> is the algorithm used to select a server when doing load
3163 balancing. This only applies when no persistence information
3164 is available, or when a connection is redispatched to another
3165 server. <algorithm> may be one of the following :
3166
3167 roundrobin Each server is used in turns, according to their weights.
3168 This is the smoothest and fairest algorithm when the server's
3169 processing time remains equally distributed. This algorithm
3170 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02003171 on the fly for slow starts for instance. It is limited by
Godbacha34bdc02013-07-22 07:44:53 +08003172 design to 4095 active servers per backend. Note that in some
Willy Tarreau9757a382009-10-03 12:56:50 +02003173 large farms, when a server becomes up after having been down
3174 for a very short time, it may sometimes take a few hundreds
3175 requests for it to be re-integrated into the farm and start
3176 receiving traffic. This is normal, though very rare. It is
3177 indicated here in case you would have the chance to observe
3178 it, so that you don't worry.
3179
3180 static-rr Each server is used in turns, according to their weights.
3181 This algorithm is as similar to roundrobin except that it is
3182 static, which means that changing a server's weight on the
3183 fly will have no effect. On the other hand, it has no design
3184 limitation on the number of servers, and when a server goes
3185 up, it is always immediately reintroduced into the farm, once
3186 the full map is recomputed. It also uses slightly less CPU to
3187 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01003188
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01003189 leastconn The server with the lowest number of connections receives the
3190 connection. Round-robin is performed within groups of servers
3191 of the same load to ensure that all servers will be used. Use
3192 of this algorithm is recommended where very long sessions are
3193 expected, such as LDAP, SQL, TSE, etc... but is not very well
3194 suited for protocols using short sessions such as HTTP. This
3195 algorithm is dynamic, which means that server weights may be
3196 adjusted on the fly for slow starts for instance.
3197
Willy Tarreauf09c6602012-02-13 17:12:08 +01003198 first The first server with available connection slots receives the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003199 connection. The servers are chosen from the lowest numeric
Willy Tarreauf09c6602012-02-13 17:12:08 +01003200 identifier to the highest (see server parameter "id"), which
3201 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02003202 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01003203 not make sense to use this algorithm without setting maxconn.
3204 The purpose of this algorithm is to always use the smallest
3205 number of servers so that extra servers can be powered off
3206 during non-intensive hours. This algorithm ignores the server
3207 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02003208 or IMAP than HTTP, though it can be useful there too. In
3209 order to use this algorithm efficiently, it is recommended
3210 that a cloud controller regularly checks server usage to turn
3211 them off when unused, and regularly checks backend queue to
3212 turn new servers on when the queue inflates. Alternatively,
3213 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01003214
Willy Tarreau0ba27502007-12-24 16:55:16 +01003215 source The source IP address is hashed and divided by the total
3216 weight of the running servers to designate which server will
3217 receive the request. This ensures that the same client IP
3218 address will always reach the same server as long as no
3219 server goes down or up. If the hash result changes due to the
3220 number of running servers changing, many clients will be
3221 directed to a different server. This algorithm is generally
3222 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003223 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01003224 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003225 static by default, which means that changing a server's
3226 weight on the fly will have no effect, but this can be
3227 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003228
Oskar Stolc8dc41842012-05-19 10:19:54 +01003229 uri This algorithm hashes either the left part of the URI (before
3230 the question mark) or the whole URI (if the "whole" parameter
3231 is present) and divides the hash value by the total weight of
3232 the running servers. The result designates which server will
3233 receive the request. This ensures that the same URI will
3234 always be directed to the same server as long as no server
3235 goes up or down. This is used with proxy caches and
3236 anti-virus proxies in order to maximize the cache hit rate.
3237 Note that this algorithm may only be used in an HTTP backend.
3238 This algorithm is static by default, which means that
3239 changing a server's weight on the fly will have no effect,
3240 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003241
Oskar Stolc8dc41842012-05-19 10:19:54 +01003242 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02003243 "depth", both followed by a positive integer number. These
3244 options may be helpful when it is needed to balance servers
3245 based on the beginning of the URI only. The "len" parameter
3246 indicates that the algorithm should only consider that many
3247 characters at the beginning of the URI to compute the hash.
3248 Note that having "len" set to 1 rarely makes sense since most
3249 URIs start with a leading "/".
3250
3251 The "depth" parameter indicates the maximum directory depth
3252 to be used to compute the hash. One level is counted for each
3253 slash in the request. If both parameters are specified, the
3254 evaluation stops when either is reached.
3255
Willy Tarreau57a37412020-09-23 08:56:29 +02003256 A "path-only" parameter indicates that the hashing key starts
3257 at the first '/' of the path. This can be used to ignore the
3258 authority part of absolute URIs, and to make sure that HTTP/1
3259 and HTTP/2 URIs will provide the same hash.
3260
Willy Tarreau0ba27502007-12-24 16:55:16 +01003261 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003262 the query string of each HTTP GET request.
3263
3264 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02003265 request entity will be searched for the parameter argument,
3266 when it is not found in a query string after a question mark
Willy Tarreau226071e2014-04-10 11:55:45 +02003267 ('?') in the URL. The message body will only start to be
3268 analyzed once either the advertised amount of data has been
3269 received or the request buffer is full. In the unlikely event
3270 that chunked encoding is used, only the first chunk is
Cyril Bontédc4d9032012-04-08 21:57:39 +02003271 scanned. Parameter values separated by a chunk boundary, may
Willy Tarreau226071e2014-04-10 11:55:45 +02003272 be randomly balanced if at all. This keyword used to support
3273 an optional <max_wait> parameter which is now ignored.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003274
3275 If the parameter is found followed by an equal sign ('=') and
3276 a value, then the value is hashed and divided by the total
3277 weight of the running servers. The result designates which
3278 server will receive the request.
3279
3280 This is used to track user identifiers in requests and ensure
3281 that a same user ID will always be sent to the same server as
3282 long as no server goes up or down. If no value is found or if
3283 the parameter is not found, then a round robin algorithm is
3284 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003285 backend. This algorithm is static by default, which means
3286 that changing a server's weight on the fly will have no
3287 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003288
Cyril Bontédc4d9032012-04-08 21:57:39 +02003289 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
3290 request. Just as with the equivalent ACL 'hdr()' function,
3291 the header name in parenthesis is not case sensitive. If the
3292 header is absent or if it does not contain any value, the
3293 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01003294
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003295 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01003296 reducing the hash algorithm to the main domain part with some
3297 specific headers such as 'Host'. For instance, in the Host
3298 value "haproxy.1wt.eu", only "1wt" will be considered.
3299
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003300 This algorithm is static by default, which means that
3301 changing a server's weight on the fly will have no effect,
3302 but this can be changed using "hash-type".
3303
Willy Tarreau21c741a2019-01-14 18:14:27 +01003304 random
3305 random(<draws>)
3306 A random number will be used as the key for the consistent
Willy Tarreau760e81d2018-05-03 07:20:40 +02003307 hashing function. This means that the servers' weights are
3308 respected, dynamic weight changes immediately take effect, as
3309 well as new server additions. Random load balancing can be
3310 useful with large farms or when servers are frequently added
Willy Tarreau21c741a2019-01-14 18:14:27 +01003311 or removed as it may avoid the hammering effect that could
3312 result from roundrobin or leastconn in this situation. The
3313 hash-balance-factor directive can be used to further improve
3314 fairness of the load balancing, especially in situations
3315 where servers show highly variable response times. When an
3316 argument <draws> is present, it must be an integer value one
3317 or greater, indicating the number of draws before selecting
3318 the least loaded of these servers. It was indeed demonstrated
3319 that picking the least loaded of two servers is enough to
3320 significantly improve the fairness of the algorithm, by
3321 always avoiding to pick the most loaded server within a farm
3322 and getting rid of any bias that could be induced by the
3323 unfair distribution of the consistent list. Higher values N
3324 will take away N-1 of the highest loaded servers at the
3325 expense of performance. With very high values, the algorithm
3326 will converge towards the leastconn's result but much slower.
3327 The default value is 2, which generally shows very good
3328 distribution and performance. This algorithm is also known as
3329 the Power of Two Random Choices and is described here :
3330 http://www.eecs.harvard.edu/~michaelm/postscripts/handbook2001.pdf
Willy Tarreau760e81d2018-05-03 07:20:40 +02003331
Emeric Brun736aa232009-06-30 17:56:00 +02003332 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02003333 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02003334 The RDP cookie <name> (or "mstshash" if omitted) will be
3335 looked up and hashed for each incoming TCP request. Just as
3336 with the equivalent ACL 'req_rdp_cookie()' function, the name
3337 is not case-sensitive. This mechanism is useful as a degraded
3338 persistence mode, as it makes it possible to always send the
3339 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003340 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02003341 used instead.
3342
3343 Note that for this to work, the frontend must ensure that an
3344 RDP cookie is already present in the request buffer. For this
3345 you must use 'tcp-request content accept' rule combined with
3346 a 'req_rdp_cookie_cnt' ACL.
3347
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003348 This algorithm is static by default, which means that
3349 changing a server's weight on the fly will have no effect,
3350 but this can be changed using "hash-type".
3351
Cyril Bontédc4d9032012-04-08 21:57:39 +02003352 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09003353
Willy Tarreau0ba27502007-12-24 16:55:16 +01003354 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02003355 algorithms. Right now, only "url_param" and "uri" support an
3356 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003357
Willy Tarreau3cd9af22009-03-15 14:06:41 +01003358 The load balancing algorithm of a backend is set to roundrobin when no other
3359 algorithm, mode nor option have been set. The algorithm may only be set once
3360 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003361
Lukas Tribus80512b12018-10-27 20:07:40 +02003362 With authentication schemes that require the same connection like NTLM, URI
John Roeslerfb2fce12019-07-10 15:45:51 -05003363 based algorithms must not be used, as they would cause subsequent requests
Lukas Tribus80512b12018-10-27 20:07:40 +02003364 to be routed to different backend servers, breaking the invalid assumptions
3365 NTLM relies on.
3366
Willy Tarreau0ba27502007-12-24 16:55:16 +01003367 Examples :
3368 balance roundrobin
3369 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003370 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01003371 balance hdr(User-Agent)
3372 balance hdr(host)
3373 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003374
3375 Note: the following caveats and limitations on using the "check_post"
3376 extension with "url_param" must be considered :
3377
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003378 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003379 to determine if the parameters will be found in the body or entity which
3380 may contain binary data. Therefore another method may be required to
3381 restrict consideration of POST requests that have no URL parameters in
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02003382 the body. (see acl http_end)
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003383
3384 - using a <max_wait> value larger than the request buffer size does not
3385 make sense and is useless. The buffer size is set at build time, and
3386 defaults to 16 kB.
3387
3388 - Content-Encoding is not supported, the parameter search will probably
3389 fail; and load balancing will fall back to Round Robin.
3390
3391 - Expect: 100-continue is not supported, load balancing will fall back to
3392 Round Robin.
3393
Lukas Tribus23953682017-04-28 13:24:30 +00003394 - Transfer-Encoding (RFC7230 3.3.1) is only supported in the first chunk.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003395 If the entire parameter value is not present in the first chunk, the
3396 selection of server is undefined (actually, defined by how little
3397 actually appeared in the first chunk).
3398
3399 - This feature does not support generation of a 100, 411 or 501 response.
3400
3401 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003402 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003403 white space or control characters are found, indicating the end of what
3404 might be a URL parameter list. This is probably not a concern with SGML
3405 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003406
Willy Tarreau294d0f02015-08-10 19:40:12 +02003407 See also : "dispatch", "cookie", "transparent", "hash-type" and "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003408
3409
Willy Tarreaub6205fd2012-09-24 12:27:33 +02003410bind [<address>]:<port_range> [, ...] [param*]
3411bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01003412 Define one or several listening addresses and/or ports in a frontend.
3413 May be used in sections : defaults | frontend | listen | backend
3414 no | yes | yes | no
3415 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01003416 <address> is optional and can be a host name, an IPv4 address, an IPv6
3417 address, or '*'. It designates the address the frontend will
3418 listen on. If unset, all IPv4 addresses of the system will be
3419 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01003420 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreau24709282013-03-10 21:32:12 +01003421 Optionally, an address family prefix may be used before the
3422 address to force the family regardless of the address format,
3423 which can be useful to specify a path to a unix socket with
3424 no slash ('/'). Currently supported prefixes are :
3425 - 'ipv4@' -> address is always IPv4
3426 - 'ipv6@' -> address is always IPv6
Emeric Brun3835c0d2020-07-07 09:46:09 +02003427 - 'udp@' -> address is resolved as IPv4 or IPv6 and
Emeric Brun12941c82020-07-07 14:19:42 +02003428 protocol UDP is used. Currently those listeners are
3429 supported only in log-forward sections.
Emeric Brun3835c0d2020-07-07 09:46:09 +02003430 - 'udp4@' -> address is always IPv4 and protocol UDP
Emeric Brun12941c82020-07-07 14:19:42 +02003431 is used. Currently those listeners are supported
3432 only in log-forward sections.
Emeric Brun3835c0d2020-07-07 09:46:09 +02003433 - 'udp6@' -> address is always IPv6 and protocol UDP
Emeric Brun12941c82020-07-07 14:19:42 +02003434 is used. Currently those listeners are supported
3435 only in log-forward sections.
Willy Tarreau24709282013-03-10 21:32:12 +01003436 - 'unix@' -> address is a path to a local unix socket
Willy Tarreau70f72e02014-07-08 00:37:50 +02003437 - 'abns@' -> address is in abstract namespace (Linux only).
3438 Note: since abstract sockets are not "rebindable", they
3439 do not cope well with multi-process mode during
3440 soft-restart, so it is better to avoid them if
3441 nbproc is greater than 1. The effect is that if the
3442 new process fails to start, only one of the old ones
3443 will be able to rebind to the socket.
Willy Tarreau40aa0702013-03-10 23:51:38 +01003444 - 'fd@<n>' -> use file descriptor <n> inherited from the
3445 parent. The fd must be bound and may or may not already
3446 be listening.
William Lallemand2fe7dd02018-09-11 16:51:29 +02003447 - 'sockpair@<n>'-> like fd@ but you must use the fd of a
3448 connected unix socket or of a socketpair. The bind waits
3449 to receive a FD over the unix socket and uses it as if it
3450 was the FD of an accept(). Should be used carefully.
William Lallemandb2f07452015-05-12 14:27:13 +02003451 You may want to reference some environment variables in the
3452 address parameter, see section 2.3 about environment
3453 variables.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01003454
Willy Tarreauc5011ca2010-03-22 11:53:56 +01003455 <port_range> is either a unique TCP port, or a port range for which the
3456 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01003457 above. The port is mandatory for TCP listeners. Note that in
3458 the case of an IPv6 address, the port is always the number
3459 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01003460 - a numerical port (ex: '80')
3461 - a dash-delimited ports range explicitly stating the lower
3462 and upper bounds (ex: '2000-2100') which are included in
3463 the range.
3464
3465 Particular care must be taken against port ranges, because
3466 every <address:port> couple consumes one socket (= a file
3467 descriptor), so it's easy to consume lots of descriptors
3468 with a simple range, and to run out of sockets. Also, each
3469 <address:port> couple must be used only once among all
3470 instances running on a same system. Please note that binding
3471 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04003472 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01003473 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003474
Willy Tarreauceb24bc2010-11-09 12:46:41 +01003475 <path> is a UNIX socket path beginning with a slash ('/'). This is
Davor Ocelice9ed2812017-12-25 17:49:28 +01003476 alternative to the TCP listening port. HAProxy will then
Willy Tarreauceb24bc2010-11-09 12:46:41 +01003477 receive UNIX connections on the socket located at this place.
3478 The path must begin with a slash and by default is absolute.
3479 It can be relative to the prefix defined by "unix-bind" in
3480 the global section. Note that the total length of the prefix
3481 followed by the socket path cannot exceed some system limits
3482 for UNIX sockets, which commonly are set to 107 characters.
3483
Willy Tarreaub6205fd2012-09-24 12:27:33 +02003484 <param*> is a list of parameters common to all sockets declared on the
3485 same line. These numerous parameters depend on OS and build
3486 options and have a complete section dedicated to them. Please
3487 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02003488
Willy Tarreau0ba27502007-12-24 16:55:16 +01003489 It is possible to specify a list of address:port combinations delimited by
3490 commas. The frontend will then listen on all of these addresses. There is no
3491 fixed limit to the number of addresses and ports which can be listened on in
3492 a frontend, as well as there is no limit to the number of "bind" statements
3493 in a frontend.
3494
3495 Example :
3496 listen http_proxy
3497 bind :80,:443
3498 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01003499 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01003500
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02003501 listen http_https_proxy
3502 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02003503 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02003504
Willy Tarreau24709282013-03-10 21:32:12 +01003505 listen http_https_proxy_explicit
3506 bind ipv6@:80
3507 bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
3508 bind unix@ssl-frontend.sock user root mode 600 accept-proxy
3509
Willy Tarreaudad36a32013-03-11 01:20:04 +01003510 listen external_bind_app1
William Lallemandb2f07452015-05-12 14:27:13 +02003511 bind "fd@${FD_APP1}"
Willy Tarreaudad36a32013-03-11 01:20:04 +01003512
Willy Tarreau55dcaf62015-09-27 15:03:15 +02003513 Note: regarding Linux's abstract namespace sockets, HAProxy uses the whole
3514 sun_path length is used for the address length. Some other programs
3515 such as socat use the string length only by default. Pass the option
3516 ",unix-tightsocklen=0" to any abstract socket definition in socat to
3517 make it compatible with HAProxy's.
3518
Willy Tarreauceb24bc2010-11-09 12:46:41 +01003519 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02003520 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003521
3522
Christopher Fauletff4121f2017-11-22 16:38:49 +01003523bind-process [ all | odd | even | <process_num>[-[<process_num>]] ] ...
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003524 Limit visibility of an instance to a certain set of processes numbers.
3525 May be used in sections : defaults | frontend | listen | backend
3526 yes | yes | yes | yes
3527 Arguments :
3528 all All process will see this instance. This is the default. It
3529 may be used to override a default value.
3530
Willy Tarreaua9db57e2013-01-18 11:29:29 +01003531 odd This instance will be enabled on processes 1,3,5,...63. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003532 option may be combined with other numbers.
3533
Willy Tarreaua9db57e2013-01-18 11:29:29 +01003534 even This instance will be enabled on processes 2,4,6,...64. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003535 option may be combined with other numbers. Do not use it
3536 with less than 2 processes otherwise some instances might be
3537 missing from all processes.
3538
Christopher Fauletff4121f2017-11-22 16:38:49 +01003539 process_num The instance will be enabled on this process number or range,
Willy Tarreaua9db57e2013-01-18 11:29:29 +01003540 whose values must all be between 1 and 32 or 64 depending on
Christopher Fauletff4121f2017-11-22 16:38:49 +01003541 the machine's word size. Ranges can be partially defined. The
3542 higher bound can be omitted. In such case, it is replaced by
3543 the corresponding maximum value. If a proxy is bound to
3544 process numbers greater than the configured global.nbproc, it
3545 will either be forced to process #1 if a single process was
Willy Tarreau102df612014-05-07 23:56:38 +02003546 specified, or to all processes otherwise.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003547
3548 This keyword limits binding of certain instances to certain processes. This
3549 is useful in order not to have too many processes listening to the same
3550 ports. For instance, on a dual-core machine, it might make sense to set
3551 'nbproc 2' in the global section, then distributes the listeners among 'odd'
3552 and 'even' instances.
3553
Willy Tarreaua9db57e2013-01-18 11:29:29 +01003554 At the moment, it is not possible to reference more than 32 or 64 processes
3555 using this keyword, but this should be more than enough for most setups.
3556 Please note that 'all' really means all processes regardless of the machine's
3557 word size, and is not limited to the first 32 or 64.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003558
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02003559 Each "bind" line may further be limited to a subset of the proxy's processes,
3560 please consult the "process" bind keyword in section 5.1.
3561
Willy Tarreaub369a042014-09-16 13:21:03 +02003562 When a frontend has no explicit "bind-process" line, it tries to bind to all
3563 the processes referenced by its "bind" lines. That means that frontends can
3564 easily adapt to their listeners' processes.
3565
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003566 If some backends are referenced by frontends bound to other processes, the
3567 backend automatically inherits the frontend's processes.
3568
3569 Example :
3570 listen app_ip1
3571 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02003572 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003573
3574 listen app_ip2
3575 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02003576 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003577
3578 listen management
3579 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02003580 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003581
Willy Tarreau110ecc12012-11-15 17:50:01 +01003582 listen management
3583 bind 10.0.0.4:80
3584 bind-process 1-4
3585
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02003586 See also : "nbproc" in global section, and "process" in section 5.1.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01003587
3588
Willy Tarreau0ba27502007-12-24 16:55:16 +01003589capture cookie <name> len <length>
3590 Capture and log a cookie in the request and in the response.
3591 May be used in sections : defaults | frontend | listen | backend
3592 no | yes | yes | no
3593 Arguments :
3594 <name> is the beginning of the name of the cookie to capture. In order
3595 to match the exact name, simply suffix the name with an equal
3596 sign ('='). The full name will appear in the logs, which is
3597 useful with application servers which adjust both the cookie name
Davor Ocelice9ed2812017-12-25 17:49:28 +01003598 and value (e.g. ASPSESSIONXXX).
Willy Tarreau0ba27502007-12-24 16:55:16 +01003599
3600 <length> is the maximum number of characters to report in the logs, which
3601 include the cookie name, the equal sign and the value, all in the
3602 standard "name=value" form. The string will be truncated on the
3603 right if it exceeds <length>.
3604
3605 Only the first cookie is captured. Both the "cookie" request headers and the
3606 "set-cookie" response headers are monitored. This is particularly useful to
3607 check for application bugs causing session crossing or stealing between
3608 users, because generally the user's cookies can only change on a login page.
3609
3610 When the cookie was not presented by the client, the associated log column
3611 will report "-". When a request does not cause a cookie to be assigned by the
3612 server, a "-" is reported in the response column.
3613
3614 The capture is performed in the frontend only because it is necessary that
3615 the log format does not change for a given frontend depending on the
3616 backends. This may change in the future. Note that there can be only one
Willy Tarreau193b8c62012-11-22 00:17:38 +01003617 "capture cookie" statement in a frontend. The maximum capture length is set
3618 by the global "tune.http.cookielen" setting and defaults to 63 characters. It
3619 is not possible to specify a capture in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003620
3621 Example:
3622 capture cookie ASPSESSION len 32
3623
3624 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003625 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003626
3627
3628capture request header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01003629 Capture and log the last occurrence of the specified request header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003630 May be used in sections : defaults | frontend | listen | backend
3631 no | yes | yes | no
3632 Arguments :
3633 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003634 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01003635 appear in the requests, with the first letter of each word in
3636 upper case. The header name will not appear in the logs, only the
3637 value is reported, but the position in the logs is respected.
3638
3639 <length> is the maximum number of characters to extract from the value and
3640 report in the logs. The string will be truncated on the right if
3641 it exceeds <length>.
3642
Willy Tarreau4460d032012-11-21 23:37:37 +01003643 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01003644 value will be added to the logs between braces ('{}'). If multiple headers
3645 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003646 in the same order they were declared in the configuration. Non-existent
3647 headers will be logged just as an empty string. Common uses for request
3648 header captures include the "Host" field in virtual hosting environments, the
3649 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003650 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003651 environments to find where the request came from.
3652
3653 Note that when capturing headers such as "User-agent", some spaces may be
3654 logged, making the log analysis more difficult. Thus be careful about what
3655 you log if you know your log parser is not smart enough to rely on the
3656 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003657
Willy Tarreau0900abb2012-11-22 00:21:46 +01003658 There is no limit to the number of captured request headers nor to their
3659 length, though it is wise to keep them low to limit memory usage per session.
3660 In order to keep log format consistent for a same frontend, header captures
3661 can only be declared in a frontend. It is not possible to specify a capture
3662 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003663
3664 Example:
3665 capture request header Host len 15
3666 capture request header X-Forwarded-For len 15
Cyril Bontéd1b0f7c2015-10-26 22:37:39 +01003667 capture request header Referer len 15
Willy Tarreau0ba27502007-12-24 16:55:16 +01003668
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003669 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01003670 about logging.
3671
3672
3673capture response header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01003674 Capture and log the last occurrence of the specified response header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003675 May be used in sections : defaults | frontend | listen | backend
3676 no | yes | yes | no
3677 Arguments :
3678 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003679 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01003680 appear in the response, with the first letter of each word in
3681 upper case. The header name will not appear in the logs, only the
3682 value is reported, but the position in the logs is respected.
3683
3684 <length> is the maximum number of characters to extract from the value and
3685 report in the logs. The string will be truncated on the right if
3686 it exceeds <length>.
3687
Willy Tarreau4460d032012-11-21 23:37:37 +01003688 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01003689 result will be added to the logs between braces ('{}') after the captured
3690 request headers. If multiple headers are captured, they will be delimited by
3691 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003692 the configuration. Non-existent headers will be logged just as an empty
3693 string. Common uses for response header captures include the "Content-length"
3694 header which indicates how many bytes are expected to be returned, the
3695 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003696
Willy Tarreau0900abb2012-11-22 00:21:46 +01003697 There is no limit to the number of captured response headers nor to their
3698 length, though it is wise to keep them low to limit memory usage per session.
3699 In order to keep log format consistent for a same frontend, header captures
3700 can only be declared in a frontend. It is not possible to specify a capture
3701 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003702
3703 Example:
3704 capture response header Content-length len 9
3705 capture response header Location len 15
3706
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003707 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01003708 about logging.
3709
3710
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09003711clitcpka-cnt <count>
3712 Sets the maximum number of keepalive probes TCP should send before dropping
3713 the connection on the client side.
3714 May be used in sections : defaults | frontend | listen | backend
3715 yes | yes | yes | no
3716 Arguments :
3717 <count> is the maximum number of keepalive probes.
3718
3719 This keyword corresponds to the socket option TCP_KEEPCNT. If this keyword
3720 is not specified, system-wide TCP parameter (tcp_keepalive_probes) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02003721 The availability of this setting depends on the operating system. It is
3722 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09003723
3724 See also : "option clitcpka", "clitcpka-idle", "clitcpka-intvl".
3725
3726
3727clitcpka-idle <timeout>
3728 Sets the time the connection needs to remain idle before TCP starts sending
3729 keepalive probes, if enabled the sending of TCP keepalive packets on the
3730 client side.
3731 May be used in sections : defaults | frontend | listen | backend
3732 yes | yes | yes | no
3733 Arguments :
3734 <timeout> is the time the connection needs to remain idle before TCP starts
3735 sending keepalive probes. It is specified in seconds by default,
3736 but can be in any other unit if the number is suffixed by the
3737 unit, as explained at the top of this document.
3738
3739 This keyword corresponds to the socket option TCP_KEEPIDLE. If this keyword
3740 is not specified, system-wide TCP parameter (tcp_keepalive_time) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02003741 The availability of this setting depends on the operating system. It is
3742 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09003743
3744 See also : "option clitcpka", "clitcpka-cnt", "clitcpka-intvl".
3745
3746
3747clitcpka-intvl <timeout>
3748 Sets the time between individual keepalive probes on the client side.
3749 May be used in sections : defaults | frontend | listen | backend
3750 yes | yes | yes | no
3751 Arguments :
3752 <timeout> is the time between individual keepalive probes. It is specified
3753 in seconds by default, but can be in any other unit if the number
3754 is suffixed by the unit, as explained at the top of this
3755 document.
3756
3757 This keyword corresponds to the socket option TCP_KEEPINTVL. If this keyword
3758 is not specified, system-wide TCP parameter (tcp_keepalive_intvl) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02003759 The availability of this setting depends on the operating system. It is
3760 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09003761
3762 See also : "option clitcpka", "clitcpka-cnt", "clitcpka-idle".
3763
3764
Cyril Bonté316a8cf2012-11-11 13:38:27 +01003765compression algo <algorithm> ...
3766compression type <mime type> ...
Willy Tarreau70737d12012-10-27 00:34:28 +02003767compression offload
William Lallemand82fe75c2012-10-23 10:25:10 +02003768 Enable HTTP compression.
3769 May be used in sections : defaults | frontend | listen | backend
3770 yes | yes | yes | yes
3771 Arguments :
Cyril Bonté316a8cf2012-11-11 13:38:27 +01003772 algo is followed by the list of supported compression algorithms.
3773 type is followed by the list of MIME types that will be compressed.
3774 offload makes haproxy work as a compression offloader only (see notes).
3775
3776 The currently supported algorithms are :
Willy Tarreauc91840a2015-03-28 17:00:39 +01003777 identity this is mostly for debugging, and it was useful for developing
3778 the compression feature. Identity does not apply any change on
3779 data.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01003780
Willy Tarreauc91840a2015-03-28 17:00:39 +01003781 gzip applies gzip compression. This setting is only available when
Baptiste Assmannf085d632015-12-21 17:57:32 +01003782 support for zlib or libslz was built in.
Willy Tarreauc91840a2015-03-28 17:00:39 +01003783
3784 deflate same as "gzip", but with deflate algorithm and zlib format.
3785 Note that this algorithm has ambiguous support on many
3786 browsers and no support at all from recent ones. It is
3787 strongly recommended not to use it for anything else than
3788 experimentation. This setting is only available when support
Baptiste Assmannf085d632015-12-21 17:57:32 +01003789 for zlib or libslz was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01003790
Willy Tarreauc91840a2015-03-28 17:00:39 +01003791 raw-deflate same as "deflate" without the zlib wrapper, and used as an
3792 alternative when the browser wants "deflate". All major
3793 browsers understand it and despite violating the standards,
3794 it is known to work better than "deflate", at least on MSIE
3795 and some versions of Safari. Do not use it in conjunction
3796 with "deflate", use either one or the other since both react
3797 to the same Accept-Encoding token. This setting is only
Baptiste Assmannf085d632015-12-21 17:57:32 +01003798 available when support for zlib or libslz was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01003799
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04003800 Compression will be activated depending on the Accept-Encoding request
Cyril Bonté316a8cf2012-11-11 13:38:27 +01003801 header. With identity, it does not take care of that header.
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04003802 If backend servers support HTTP compression, these directives
3803 will be no-op: haproxy will see the compressed response and will not
3804 compress again. If backend servers do not support HTTP compression and
3805 there is Accept-Encoding header in request, haproxy will compress the
3806 matching response.
Willy Tarreau70737d12012-10-27 00:34:28 +02003807
3808 The "offload" setting makes haproxy remove the Accept-Encoding header to
3809 prevent backend servers from compressing responses. It is strongly
3810 recommended not to do this because this means that all the compression work
3811 will be done on the single point where haproxy is located. However in some
3812 deployment scenarios, haproxy may be installed in front of a buggy gateway
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04003813 with broken HTTP compression implementation which can't be turned off.
3814 In that case haproxy can be used to prevent that gateway from emitting
3815 invalid payloads. In this case, simply removing the header in the
3816 configuration does not work because it applies before the header is parsed,
3817 so that prevents haproxy from compressing. The "offload" setting should
Willy Tarreauffea9fd2014-07-12 16:37:02 +02003818 then be used for such scenarios. Note: for now, the "offload" setting is
3819 ignored when set in a defaults section.
William Lallemand82fe75c2012-10-23 10:25:10 +02003820
William Lallemand05097442012-11-20 12:14:28 +01003821 Compression is disabled when:
Baptiste Assmann650d53d2013-01-05 15:44:44 +01003822 * the request does not advertise a supported compression algorithm in the
3823 "Accept-Encoding" header
3824 * the response message is not HTTP/1.1
Tim Duesterhusbb48c9a2019-01-30 23:46:04 +01003825 * HTTP status code is not one of 200, 201, 202, or 203
Baptiste Assmann650d53d2013-01-05 15:44:44 +01003826 * response contain neither a "Content-Length" header nor a
3827 "Transfer-Encoding" whose last value is "chunked"
3828 * response contains a "Content-Type" header whose first value starts with
3829 "multipart"
3830 * the response contains the "no-transform" value in the "Cache-control"
3831 header
3832 * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7
3833 and later
3834 * The response contains a "Content-Encoding" header, indicating that the
3835 response is already compressed (see compression offload)
Tim Duesterhusbb48c9a2019-01-30 23:46:04 +01003836 * The response contains an invalid "ETag" header or multiple ETag headers
William Lallemand05097442012-11-20 12:14:28 +01003837
Tim Duesterhusb229f012019-01-29 16:38:56 +01003838 Note: The compression does not emit the Warning header.
William Lallemand05097442012-11-20 12:14:28 +01003839
William Lallemand82fe75c2012-10-23 10:25:10 +02003840 Examples :
3841 compression algo gzip
3842 compression type text/html text/plain
Willy Tarreau0ba27502007-12-24 16:55:16 +01003843
Christopher Fauletc3fe5332016-04-07 15:30:10 +02003844
Willy Tarreau55165fe2009-05-10 12:02:55 +02003845cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02003846 [ postonly ] [ preserve ] [ httponly ] [ secure ]
3847 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Christopher Faulet2f533902020-01-21 11:06:48 +01003848 [ dynamic ] [ attr <value> ]*
Willy Tarreau0ba27502007-12-24 16:55:16 +01003849 Enable cookie-based persistence in a backend.
3850 May be used in sections : defaults | frontend | listen | backend
3851 yes | no | yes | yes
3852 Arguments :
3853 <name> is the name of the cookie which will be monitored, modified or
3854 inserted in order to bring persistence. This cookie is sent to
3855 the client via a "Set-Cookie" header in the response, and is
3856 brought back by the client in a "Cookie" header in all requests.
3857 Special care should be taken to choose a name which does not
3858 conflict with any likely application cookie. Also, if the same
Davor Ocelice9ed2812017-12-25 17:49:28 +01003859 backends are subject to be used by the same clients (e.g.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003860 HTTP/HTTPS), care should be taken to use different cookie names
3861 between all backends if persistence between them is not desired.
3862
3863 rewrite This keyword indicates that the cookie will be provided by the
3864 server and that haproxy will have to modify its value to set the
3865 server's identifier in it. This mode is handy when the management
3866 of complex combinations of "Set-cookie" and "Cache-control"
3867 headers is left to the application. The application can then
3868 decide whether or not it is appropriate to emit a persistence
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01003869 cookie. Since all responses should be monitored, this mode
3870 doesn't work in HTTP tunnel mode. Unless the application
Davor Ocelice9ed2812017-12-25 17:49:28 +01003871 behavior is very complex and/or broken, it is advised not to
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01003872 start with this mode for new deployments. This keyword is
3873 incompatible with "insert" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003874
3875 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02003876 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02003877
Willy Tarreaua79094d2010-08-31 22:54:15 +02003878 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02003879 server. When used without the "preserve" option, if the server
Michael Prokop4438c602019-05-24 10:25:45 +02003880 emits a cookie with the same name, it will be removed before
Davor Ocelice9ed2812017-12-25 17:49:28 +01003881 processing. For this reason, this mode can be used to upgrade
Willy Tarreauba4c5be2010-10-23 12:46:42 +02003882 existing configurations running in the "rewrite" mode. The cookie
3883 will only be a session cookie and will not be stored on the
3884 client's disk. By default, unless the "indirect" option is added,
3885 the server will see the cookies emitted by the client. Due to
3886 caching effects, it is generally wise to add the "nocache" or
3887 "postonly" keywords (see below). The "insert" keyword is not
3888 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003889
3890 prefix This keyword indicates that instead of relying on a dedicated
3891 cookie for the persistence, an existing one will be completed.
3892 This may be needed in some specific environments where the client
3893 does not support more than one single cookie and the application
3894 already needs it. In this case, whenever the server sets a cookie
3895 named <name>, it will be prefixed with the server's identifier
3896 and a delimiter. The prefix will be removed from all client
3897 requests so that the server still finds the cookie it emitted.
3898 Since all requests and responses are subject to being modified,
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01003899 this mode doesn't work with tunnel mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02003900 not compatible with "rewrite" and "insert". Note: it is highly
3901 recommended not to use "indirect" with "prefix", otherwise server
3902 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003903
Willy Tarreaua79094d2010-08-31 22:54:15 +02003904 indirect When this option is specified, no cookie will be emitted to a
3905 client which already has a valid one for the server which has
3906 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02003907 it will be removed, unless the "preserve" option is also set. In
3908 "insert" mode, this will additionally remove cookies from the
3909 requests transmitted to the server, making the persistence
3910 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02003911 Note: it is highly recommended not to use "indirect" with
3912 "prefix", otherwise server cookie updates would not be sent to
3913 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003914
3915 nocache This option is recommended in conjunction with the insert mode
3916 when there is a cache between the client and HAProxy, as it
3917 ensures that a cacheable response will be tagged non-cacheable if
3918 a cookie needs to be inserted. This is important because if all
3919 persistence cookies are added on a cacheable home page for
3920 instance, then all customers will then fetch the page from an
3921 outer cache and will all share the same persistence cookie,
3922 leading to one server receiving much more traffic than others.
3923 See also the "insert" and "postonly" options.
3924
3925 postonly This option ensures that cookie insertion will only be performed
3926 on responses to POST requests. It is an alternative to the
3927 "nocache" option, because POST responses are not cacheable, so
3928 this ensures that the persistence cookie will never get cached.
3929 Since most sites do not need any sort of persistence before the
3930 first POST which generally is a login request, this is a very
3931 efficient method to optimize caching without risking to find a
3932 persistence cookie in the cache.
3933 See also the "insert" and "nocache" options.
3934
Willy Tarreauba4c5be2010-10-23 12:46:42 +02003935 preserve This option may only be used with "insert" and/or "indirect". It
3936 allows the server to emit the persistence cookie itself. In this
3937 case, if a cookie is found in the response, haproxy will leave it
3938 untouched. This is useful in order to end persistence after a
3939 logout request for instance. For this, the server just has to
Davor Ocelice9ed2812017-12-25 17:49:28 +01003940 emit a cookie with an invalid value (e.g. empty) or with a date in
Willy Tarreauba4c5be2010-10-23 12:46:42 +02003941 the past. By combining this mechanism with the "disable-on-404"
3942 check option, it is possible to perform a completely graceful
3943 shutdown because users will definitely leave the server after
3944 they logout.
3945
Willy Tarreau4992dd22012-05-31 21:02:17 +02003946 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
3947 when a cookie is inserted. This attribute is used so that a
3948 user agent doesn't share the cookie with non-HTTP components.
3949 Please check RFC6265 for more information on this attribute.
3950
3951 secure This option tells haproxy to add a "Secure" cookie attribute when
3952 a cookie is inserted. This attribute is used so that a user agent
3953 never emits this cookie over non-secure channels, which means
3954 that a cookie learned with this flag will be presented only over
3955 SSL/TLS connections. Please check RFC6265 for more information on
3956 this attribute.
3957
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02003958 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003959 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01003960 name. If the domain begins with a dot, the browser is allowed to
3961 use it for any host ending with that name. It is also possible to
3962 specify several domain names by invoking this option multiple
3963 times. Some browsers might have small limits on the number of
3964 domains, so be careful when doing that. For the record, sending
3965 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02003966
Willy Tarreau996a92c2010-10-13 19:30:47 +02003967 maxidle This option allows inserted cookies to be ignored after some idle
3968 time. It only works with insert-mode cookies. When a cookie is
3969 sent to the client, the date this cookie was emitted is sent too.
3970 Upon further presentations of this cookie, if the date is older
3971 than the delay indicated by the parameter (in seconds), it will
3972 be ignored. Otherwise, it will be refreshed if needed when the
3973 response is sent to the client. This is particularly useful to
3974 prevent users who never close their browsers from remaining for
Davor Ocelice9ed2812017-12-25 17:49:28 +01003975 too long on the same server (e.g. after a farm size change). When
Willy Tarreau996a92c2010-10-13 19:30:47 +02003976 this option is set and a cookie has no date, it is always
3977 accepted, but gets refreshed in the response. This maintains the
3978 ability for admins to access their sites. Cookies that have a
3979 date in the future further than 24 hours are ignored. Doing so
3980 lets admins fix timezone issues without risking kicking users off
3981 the site.
3982
3983 maxlife This option allows inserted cookies to be ignored after some life
3984 time, whether they're in use or not. It only works with insert
3985 mode cookies. When a cookie is first sent to the client, the date
3986 this cookie was emitted is sent too. Upon further presentations
3987 of this cookie, if the date is older than the delay indicated by
3988 the parameter (in seconds), it will be ignored. If the cookie in
3989 the request has no date, it is accepted and a date will be set.
3990 Cookies that have a date in the future further than 24 hours are
3991 ignored. Doing so lets admins fix timezone issues without risking
3992 kicking users off the site. Contrary to maxidle, this value is
3993 not refreshed, only the first visit date counts. Both maxidle and
3994 maxlife may be used at the time. This is particularly useful to
3995 prevent users who never close their browsers from remaining for
Davor Ocelice9ed2812017-12-25 17:49:28 +01003996 too long on the same server (e.g. after a farm size change). This
Willy Tarreau996a92c2010-10-13 19:30:47 +02003997 is stronger than the maxidle method in that it forces a
3998 redispatch after some absolute delay.
3999
Olivier Houchard4e694042017-03-14 20:01:29 +01004000 dynamic Activate dynamic cookies. When used, a session cookie is
4001 dynamically created for each server, based on the IP and port
4002 of the server, and a secret key, specified in the
4003 "dynamic-cookie-key" backend directive.
4004 The cookie will be regenerated each time the IP address change,
4005 and is only generated for IPv4/IPv6.
4006
Christopher Faulet2f533902020-01-21 11:06:48 +01004007 attr This option tells haproxy to add an extra attribute when a
4008 cookie is inserted. The attribute value can contain any
4009 characters except control ones or ";". This option may be
4010 repeated.
4011
Willy Tarreau0ba27502007-12-24 16:55:16 +01004012 There can be only one persistence cookie per HTTP backend, and it can be
4013 declared in a defaults section. The value of the cookie will be the value
4014 indicated after the "cookie" keyword in a "server" statement. If no cookie
4015 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02004016
Willy Tarreau0ba27502007-12-24 16:55:16 +01004017 Examples :
4018 cookie JSESSIONID prefix
4019 cookie SRV insert indirect nocache
4020 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02004021 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01004022
Willy Tarreau294d0f02015-08-10 19:40:12 +02004023 See also : "balance source", "capture cookie", "server" and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01004024
Willy Tarreau983e01e2010-01-11 18:42:06 +01004025
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02004026declare capture [ request | response ] len <length>
4027 Declares a capture slot.
4028 May be used in sections : defaults | frontend | listen | backend
4029 no | yes | yes | no
4030 Arguments:
4031 <length> is the length allowed for the capture.
4032
4033 This declaration is only available in the frontend or listen section, but the
4034 reserved slot can be used in the backends. The "request" keyword allocates a
4035 capture slot for use in the request, and "response" allocates a capture slot
4036 for use in the response.
4037
4038 See also: "capture-req", "capture-res" (sample converters),
Baptiste Assmann5ac425c2015-10-21 23:13:46 +02004039 "capture.req.hdr", "capture.res.hdr" (sample fetches),
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02004040 "http-request capture" and "http-response capture".
4041
4042
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004043default-server [param*]
4044 Change default options for a server in a backend
4045 May be used in sections : defaults | frontend | listen | backend
4046 yes | no | yes | yes
4047 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01004048 <param*> is a list of parameters for this server. The "default-server"
4049 keyword accepts an important number of options and has a complete
4050 section dedicated to it. Please refer to section 5 for more
4051 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004052
Willy Tarreau983e01e2010-01-11 18:42:06 +01004053 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004054 default-server inter 1000 weight 13
4055
4056 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01004057
Willy Tarreau983e01e2010-01-11 18:42:06 +01004058
Willy Tarreau0ba27502007-12-24 16:55:16 +01004059default_backend <backend>
4060 Specify the backend to use when no "use_backend" rule has been matched.
4061 May be used in sections : defaults | frontend | listen | backend
4062 yes | yes | yes | no
4063 Arguments :
4064 <backend> is the name of the backend to use.
4065
4066 When doing content-switching between frontend and backends using the
4067 "use_backend" keyword, it is often useful to indicate which backend will be
4068 used when no rule has matched. It generally is the dynamic backend which
4069 will catch all undetermined requests.
4070
Willy Tarreau0ba27502007-12-24 16:55:16 +01004071 Example :
4072
4073 use_backend dynamic if url_dyn
4074 use_backend static if url_css url_img extension_img
4075 default_backend dynamic
4076
Willy Tarreau98d04852015-05-26 12:18:29 +02004077 See also : "use_backend"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004078
Willy Tarreau0ba27502007-12-24 16:55:16 +01004079
Baptiste Assmann27f51342013-10-09 06:51:49 +02004080description <string>
4081 Describe a listen, frontend or backend.
4082 May be used in sections : defaults | frontend | listen | backend
4083 no | yes | yes | yes
4084 Arguments : string
4085
4086 Allows to add a sentence to describe the related object in the HAProxy HTML
4087 stats page. The description will be printed on the right of the object name
4088 it describes.
4089 No need to backslash spaces in the <string> arguments.
4090
4091
Willy Tarreau0ba27502007-12-24 16:55:16 +01004092disabled
4093 Disable a proxy, frontend or backend.
4094 May be used in sections : defaults | frontend | listen | backend
4095 yes | yes | yes | yes
4096 Arguments : none
4097
4098 The "disabled" keyword is used to disable an instance, mainly in order to
4099 liberate a listening port or to temporarily disable a service. The instance
4100 will still be created and its configuration will be checked, but it will be
4101 created in the "stopped" state and will appear as such in the statistics. It
4102 will not receive any traffic nor will it send any health-checks or logs. It
4103 is possible to disable many instances at once by adding the "disabled"
4104 keyword in a "defaults" section.
4105
4106 See also : "enabled"
4107
4108
Willy Tarreau5ce94572010-06-07 14:35:41 +02004109dispatch <address>:<port>
4110 Set a default server address
4111 May be used in sections : defaults | frontend | listen | backend
4112 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004113 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02004114
4115 <address> is the IPv4 address of the default server. Alternatively, a
4116 resolvable hostname is supported, but this name will be resolved
4117 during start-up.
4118
4119 <ports> is a mandatory port specification. All connections will be sent
4120 to this port, and it is not permitted to use port offsets as is
4121 possible with normal servers.
4122
Willy Tarreau787aed52011-04-15 06:45:37 +02004123 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02004124 server can take the connection. In the past it was used to forward non
4125 persistent connections to an auxiliary load balancer. Due to its simple
4126 syntax, it has also been used for simple TCP relays. It is recommended not to
4127 use it for more clarity, and to use the "server" directive instead.
4128
4129 See also : "server"
4130
Olivier Houchard4e694042017-03-14 20:01:29 +01004131
4132dynamic-cookie-key <string>
4133 Set the dynamic cookie secret key for a backend.
4134 May be used in sections : defaults | frontend | listen | backend
4135 yes | no | yes | yes
4136 Arguments : The secret key to be used.
4137
4138 When dynamic cookies are enabled (see the "dynamic" directive for cookie),
Davor Ocelice9ed2812017-12-25 17:49:28 +01004139 a dynamic cookie is created for each server (unless one is explicitly
Olivier Houchard4e694042017-03-14 20:01:29 +01004140 specified on the "server" line), using a hash of the IP address of the
4141 server, the TCP port, and the secret key.
Davor Ocelice9ed2812017-12-25 17:49:28 +01004142 That way, we can ensure session persistence across multiple load-balancers,
Olivier Houchard4e694042017-03-14 20:01:29 +01004143 even if servers are dynamically added or removed.
Willy Tarreau5ce94572010-06-07 14:35:41 +02004144
Willy Tarreau0ba27502007-12-24 16:55:16 +01004145enabled
4146 Enable a proxy, frontend or backend.
4147 May be used in sections : defaults | frontend | listen | backend
4148 yes | yes | yes | yes
4149 Arguments : none
4150
4151 The "enabled" keyword is used to explicitly enable an instance, when the
4152 defaults has been set to "disabled". This is very rarely used.
4153
4154 See also : "disabled"
4155
4156
4157errorfile <code> <file>
4158 Return a file contents instead of errors generated by HAProxy
4159 May be used in sections : defaults | frontend | listen | backend
4160 yes | yes | yes | yes
4161 Arguments :
4162 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004163 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02004164 413, 425, 429, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004165
4166 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004167 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01004168 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01004169 error pages, and to use absolute paths, since files are read
4170 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004171
4172 It is important to understand that this keyword is not meant to rewrite
4173 errors returned by the server, but errors detected and returned by HAProxy.
4174 This is why the list of supported errors is limited to a small set.
4175
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004176 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
4177
Christopher Faulet70170672020-05-18 17:42:48 +02004178 The files are parsed when HAProxy starts and must be valid according to the
4179 HTTP specification. They should not exceed the configured buffer size
4180 (BUFSIZE), which generally is 16 kB, otherwise an internal error will be
4181 returned. It is also wise not to put any reference to local contents
4182 (e.g. images) in order to avoid loops between the client and HAProxy when all
4183 servers are down, causing an error to be returned instead of an
4184 image. Finally, The response cannot exceed (tune.bufsize - tune.maxrewrite)
4185 so that "http-after-response" rules still have room to operate (see
4186 "tune.maxrewrite").
Willy Tarreau59140a22009-02-22 12:02:30 +01004187
Willy Tarreau0ba27502007-12-24 16:55:16 +01004188 The files are read at the same time as the configuration and kept in memory.
4189 For this reason, the errors continue to be returned even when the process is
4190 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01004191 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01004192 403 status code and interrogating a blocked URL.
4193
Christopher Faulet3b967c12020-05-15 15:47:44 +02004194 See also : "http-error", "errorloc", "errorloc302", "errorloc303"
Willy Tarreau0ba27502007-12-24 16:55:16 +01004195
Willy Tarreau59140a22009-02-22 12:02:30 +01004196 Example :
4197 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
Willy Tarreau989222a2016-01-15 10:26:26 +01004198 errorfile 408 /dev/null # work around Chrome pre-connect bug
Willy Tarreau59140a22009-02-22 12:02:30 +01004199 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
4200 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
4201
Willy Tarreau2769aa02007-12-27 18:26:09 +01004202
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004203errorfiles <name> [<code> ...]
4204 Import, fully or partially, the error files defined in the <name> http-errors
4205 section.
4206 May be used in sections : defaults | frontend | listen | backend
4207 yes | yes | yes | yes
4208 Arguments :
4209 <name> is the name of an existing http-errors section.
4210
4211 <code> is a HTTP status code. Several status code may be listed.
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004212 Currently, HAProxy is capable of generating codes 200, 400, 401,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02004213 403, 404, 405, 407, 408, 410, 413, 425, 429, 500, 502, 503, and 504.
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004214
4215 Errors defined in the http-errors section with the name <name> are imported
4216 in the current proxy. If no status code is specified, all error files of the
4217 http-errors section are imported. Otherwise, only error files associated to
4218 the listed status code are imported. Those error files override the already
4219 defined custom errors for the proxy. And they may be overridden by following
Daniel Corbett67a82712020-07-06 23:01:19 -04004220 ones. Functionally, it is exactly the same as declaring all error files by
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004221 hand using "errorfile" directives.
4222
Christopher Faulet3b967c12020-05-15 15:47:44 +02004223 See also : "http-error", "errorfile", "errorloc", "errorloc302" ,
4224 "errorloc303" and section 3.8 about http-errors.
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004225
4226 Example :
4227 errorfiles generic
4228 errorfiles site-1 403 404
4229
4230
Willy Tarreau2769aa02007-12-27 18:26:09 +01004231errorloc <code> <url>
4232errorloc302 <code> <url>
4233 Return an HTTP redirection to a URL instead of errors generated by HAProxy
4234 May be used in sections : defaults | frontend | listen | backend
4235 yes | yes | yes | yes
4236 Arguments :
4237 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004238 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02004239 413, 425, 429, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004240
4241 <url> it is the exact contents of the "Location" header. It may contain
4242 either a relative URI to an error page hosted on the same site,
4243 or an absolute URI designating an error page on another site.
4244 Special care should be given to relative URIs to avoid redirect
Davor Ocelice9ed2812017-12-25 17:49:28 +01004245 loops if the URI itself may generate the same error (e.g. 500).
Willy Tarreau2769aa02007-12-27 18:26:09 +01004246
4247 It is important to understand that this keyword is not meant to rewrite
4248 errors returned by the server, but errors detected and returned by HAProxy.
4249 This is why the list of supported errors is limited to a small set.
4250
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004251 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
4252
Willy Tarreau2769aa02007-12-27 18:26:09 +01004253 Note that both keyword return the HTTP 302 status code, which tells the
4254 client to fetch the designated URL using the same HTTP method. This can be
4255 quite problematic in case of non-GET methods such as POST, because the URL
4256 sent to the client might not be allowed for something other than GET. To
Willy Tarreau989222a2016-01-15 10:26:26 +01004257 work around this problem, please use "errorloc303" which send the HTTP 303
Willy Tarreau2769aa02007-12-27 18:26:09 +01004258 status code, indicating to the client that the URL must be fetched with a GET
4259 request.
4260
Christopher Faulet3b967c12020-05-15 15:47:44 +02004261 See also : "http-error", "errorfile", "errorloc303"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004262
4263
4264errorloc303 <code> <url>
4265 Return an HTTP redirection to a URL instead of errors generated by HAProxy
4266 May be used in sections : defaults | frontend | listen | backend
4267 yes | yes | yes | yes
4268 Arguments :
4269 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004270 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02004271 413, 425, 429, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004272
4273 <url> it is the exact contents of the "Location" header. It may contain
4274 either a relative URI to an error page hosted on the same site,
4275 or an absolute URI designating an error page on another site.
4276 Special care should be given to relative URIs to avoid redirect
Davor Ocelice9ed2812017-12-25 17:49:28 +01004277 loops if the URI itself may generate the same error (e.g. 500).
Willy Tarreau2769aa02007-12-27 18:26:09 +01004278
4279 It is important to understand that this keyword is not meant to rewrite
4280 errors returned by the server, but errors detected and returned by HAProxy.
4281 This is why the list of supported errors is limited to a small set.
4282
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004283 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
4284
Willy Tarreau2769aa02007-12-27 18:26:09 +01004285 Note that both keyword return the HTTP 303 status code, which tells the
4286 client to fetch the designated URL using the same HTTP GET method. This
4287 solves the usual problems associated with "errorloc" and the 302 code. It is
4288 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004289 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004290
Christopher Faulet3b967c12020-05-15 15:47:44 +02004291 See also : "http-error", "errorfile", "errorloc", "errorloc302"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004292
4293
Simon Horman51a1cf62015-02-03 13:00:44 +09004294email-alert from <emailaddr>
4295 Declare the from email address to be used in both the envelope and header
Davor Ocelice9ed2812017-12-25 17:49:28 +01004296 of email alerts. This is the address that email alerts are sent from.
Simon Horman51a1cf62015-02-03 13:00:44 +09004297 May be used in sections: defaults | frontend | listen | backend
4298 yes | yes | yes | yes
4299
4300 Arguments :
4301
4302 <emailaddr> is the from email address to use when sending email alerts
4303
4304 Also requires "email-alert mailers" and "email-alert to" to be set
4305 and if so sending email alerts is enabled for the proxy.
4306
Simon Horman64e34162015-02-06 11:11:57 +09004307 See also : "email-alert level", "email-alert mailers",
Cyril Bonté307ee1e2015-09-28 23:16:06 +02004308 "email-alert myhostname", "email-alert to", section 3.6 about
4309 mailers.
Simon Horman64e34162015-02-06 11:11:57 +09004310
4311
4312email-alert level <level>
4313 Declare the maximum log level of messages for which email alerts will be
4314 sent. This acts as a filter on the sending of email alerts.
4315 May be used in sections: defaults | frontend | listen | backend
4316 yes | yes | yes | yes
4317
4318 Arguments :
4319
4320 <level> One of the 8 syslog levels:
4321 emerg alert crit err warning notice info debug
4322 The above syslog levels are ordered from lowest to highest.
4323
4324 By default level is alert
4325
4326 Also requires "email-alert from", "email-alert mailers" and
4327 "email-alert to" to be set and if so sending email alerts is enabled
4328 for the proxy.
4329
Simon Horman1421e212015-04-30 13:10:35 +09004330 Alerts are sent when :
4331
4332 * An un-paused server is marked as down and <level> is alert or lower
4333 * A paused server is marked as down and <level> is notice or lower
4334 * A server is marked as up or enters the drain state and <level>
4335 is notice or lower
4336 * "option log-health-checks" is enabled, <level> is info or lower,
4337 and a health check status update occurs
4338
Simon Horman64e34162015-02-06 11:11:57 +09004339 See also : "email-alert from", "email-alert mailers",
4340 "email-alert myhostname", "email-alert to",
Simon Horman51a1cf62015-02-03 13:00:44 +09004341 section 3.6 about mailers.
4342
4343
4344email-alert mailers <mailersect>
4345 Declare the mailers to be used when sending email alerts
4346 May be used in sections: defaults | frontend | listen | backend
4347 yes | yes | yes | yes
4348
4349 Arguments :
4350
4351 <mailersect> is the name of the mailers section to send email alerts.
4352
4353 Also requires "email-alert from" and "email-alert to" to be set
4354 and if so sending email alerts is enabled for the proxy.
4355
Simon Horman64e34162015-02-06 11:11:57 +09004356 See also : "email-alert from", "email-alert level", "email-alert myhostname",
4357 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09004358
4359
4360email-alert myhostname <hostname>
4361 Declare the to hostname address to be used when communicating with
4362 mailers.
4363 May be used in sections: defaults | frontend | listen | backend
4364 yes | yes | yes | yes
4365
4366 Arguments :
4367
Baptiste Assmann738bad92015-12-21 15:27:53 +01004368 <hostname> is the hostname to use when communicating with mailers
Simon Horman51a1cf62015-02-03 13:00:44 +09004369
4370 By default the systems hostname is used.
4371
4372 Also requires "email-alert from", "email-alert mailers" and
4373 "email-alert to" to be set and if so sending email alerts is enabled
4374 for the proxy.
4375
Simon Horman64e34162015-02-06 11:11:57 +09004376 See also : "email-alert from", "email-alert level", "email-alert mailers",
4377 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09004378
4379
4380email-alert to <emailaddr>
Davor Ocelice9ed2812017-12-25 17:49:28 +01004381 Declare both the recipient address in the envelope and to address in the
Simon Horman51a1cf62015-02-03 13:00:44 +09004382 header of email alerts. This is the address that email alerts are sent to.
4383 May be used in sections: defaults | frontend | listen | backend
4384 yes | yes | yes | yes
4385
4386 Arguments :
4387
4388 <emailaddr> is the to email address to use when sending email alerts
4389
4390 Also requires "email-alert mailers" and "email-alert to" to be set
4391 and if so sending email alerts is enabled for the proxy.
4392
Simon Horman64e34162015-02-06 11:11:57 +09004393 See also : "email-alert from", "email-alert level", "email-alert mailers",
Simon Horman51a1cf62015-02-03 13:00:44 +09004394 "email-alert myhostname", section 3.6 about mailers.
4395
4396
Willy Tarreau4de91492010-01-22 19:10:05 +01004397force-persist { if | unless } <condition>
4398 Declare a condition to force persistence on down servers
4399 May be used in sections: defaults | frontend | listen | backend
Cyril Bonté4288c5a2018-03-12 22:02:59 +01004400 no | no | yes | yes
Willy Tarreau4de91492010-01-22 19:10:05 +01004401
4402 By default, requests are not dispatched to down servers. It is possible to
4403 force this using "option persist", but it is unconditional and redispatches
4404 to a valid server if "option redispatch" is set. That leaves with very little
4405 possibilities to force some requests to reach a server which is artificially
4406 marked down for maintenance operations.
4407
4408 The "force-persist" statement allows one to declare various ACL-based
4409 conditions which, when met, will cause a request to ignore the down status of
4410 a server and still try to connect to it. That makes it possible to start a
4411 server, still replying an error to the health checks, and run a specially
4412 configured browser to test the service. Among the handy methods, one could
4413 use a specific source IP address, or a specific cookie. The cookie also has
4414 the advantage that it can easily be added/removed on the browser from a test
4415 page. Once the service is validated, it is then possible to open the service
4416 to the world by returning a valid response to health checks.
4417
4418 The forced persistence is enabled when an "if" condition is met, or unless an
4419 "unless" condition is met. The final redispatch is always disabled when this
4420 is used.
4421
Cyril Bonté0d4bf012010-04-25 23:21:46 +02004422 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02004423 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01004424
Christopher Fauletc3fe5332016-04-07 15:30:10 +02004425
4426filter <name> [param*]
4427 Add the filter <name> in the filter list attached to the proxy.
4428 May be used in sections : defaults | frontend | listen | backend
4429 no | yes | yes | yes
4430 Arguments :
4431 <name> is the name of the filter. Officially supported filters are
4432 referenced in section 9.
4433
Tim Düsterhus4896c442016-11-29 02:15:19 +01004434 <param*> is a list of parameters accepted by the filter <name>. The
Christopher Fauletc3fe5332016-04-07 15:30:10 +02004435 parsing of these parameters are the responsibility of the
Tim Düsterhus4896c442016-11-29 02:15:19 +01004436 filter. Please refer to the documentation of the corresponding
4437 filter (section 9) for all details on the supported parameters.
Christopher Fauletc3fe5332016-04-07 15:30:10 +02004438
4439 Multiple occurrences of the filter line can be used for the same proxy. The
4440 same filter can be referenced many times if needed.
4441
4442 Example:
4443 listen
4444 bind *:80
4445
4446 filter trace name BEFORE-HTTP-COMP
4447 filter compression
4448 filter trace name AFTER-HTTP-COMP
4449
4450 compression algo gzip
4451 compression offload
4452
4453 server srv1 192.168.0.1:80
4454
4455 See also : section 9.
4456
Willy Tarreau4de91492010-01-22 19:10:05 +01004457
Willy Tarreau2769aa02007-12-27 18:26:09 +01004458fullconn <conns>
4459 Specify at what backend load the servers will reach their maxconn
4460 May be used in sections : defaults | frontend | listen | backend
4461 yes | no | yes | yes
4462 Arguments :
4463 <conns> is the number of connections on the backend which will make the
4464 servers use the maximal number of connections.
4465
Willy Tarreau198a7442008-01-17 12:05:32 +01004466 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01004467 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01004468 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01004469 load. The server will then always accept at least <minconn> connections,
4470 never more than <maxconn>, and the limit will be on the ramp between both
4471 values when the backend has less than <conns> concurrent connections. This
4472 makes it possible to limit the load on the servers during normal loads, but
4473 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004474 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004475
Willy Tarreaufbb78422011-06-05 15:38:35 +02004476 Since it's hard to get this value right, haproxy automatically sets it to
4477 10% of the sum of the maxconns of all frontends that may branch to this
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01004478 backend (based on "use_backend" and "default_backend" rules). That way it's
4479 safe to leave it unset. However, "use_backend" involving dynamic names are
4480 not counted since there is no way to know if they could match or not.
Willy Tarreaufbb78422011-06-05 15:38:35 +02004481
Willy Tarreau2769aa02007-12-27 18:26:09 +01004482 Example :
4483 # The servers will accept between 100 and 1000 concurrent connections each
4484 # and the maximum of 1000 will be reached when the backend reaches 10000
4485 # connections.
4486 backend dynamic
4487 fullconn 10000
4488 server srv1 dyn1:80 minconn 100 maxconn 1000
4489 server srv2 dyn2:80 minconn 100 maxconn 1000
4490
4491 See also : "maxconn", "server"
4492
4493
Willy Tarreauab0a5192020-10-09 19:07:01 +02004494grace <time> (deprecated)
Willy Tarreau2769aa02007-12-27 18:26:09 +01004495 Maintain a proxy operational for some time after a soft stop
4496 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01004497 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01004498 Arguments :
4499 <time> is the time (by default in milliseconds) for which the instance
4500 will remain operational with the frontend sockets still listening
4501 when a soft-stop is received via the SIGUSR1 signal.
4502
4503 This may be used to ensure that the services disappear in a certain order.
4504 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004505 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01004506 needed by the equipment to detect the failure.
4507
4508 Note that currently, there is very little benefit in using this parameter,
4509 and it may in fact complicate the soft-reconfiguration process more than
4510 simplify it.
4511
Willy Tarreau0ba27502007-12-24 16:55:16 +01004512
Andrew Rodland17be45e2016-10-25 17:04:12 -04004513hash-balance-factor <factor>
4514 Specify the balancing factor for bounded-load consistent hashing
4515 May be used in sections : defaults | frontend | listen | backend
4516 yes | no | no | yes
4517 Arguments :
4518 <factor> is the control for the maximum number of concurrent requests to
4519 send to a server, expressed as a percentage of the average number
Frédéric Lécaille93d33162019-03-06 09:35:59 +01004520 of concurrent requests across all of the active servers.
Andrew Rodland17be45e2016-10-25 17:04:12 -04004521
4522 Specifying a "hash-balance-factor" for a server with "hash-type consistent"
4523 enables an algorithm that prevents any one server from getting too many
4524 requests at once, even if some hash buckets receive many more requests than
4525 others. Setting <factor> to 0 (the default) disables the feature. Otherwise,
4526 <factor> is a percentage greater than 100. For example, if <factor> is 150,
4527 then no server will be allowed to have a load more than 1.5 times the average.
4528 If server weights are used, they will be respected.
4529
4530 If the first-choice server is disqualified, the algorithm will choose another
4531 server based on the request hash, until a server with additional capacity is
4532 found. A higher <factor> allows more imbalance between the servers, while a
4533 lower <factor> means that more servers will be checked on average, affecting
4534 performance. Reasonable values are from 125 to 200.
4535
Willy Tarreau760e81d2018-05-03 07:20:40 +02004536 This setting is also used by "balance random" which internally relies on the
4537 consistent hashing mechanism.
4538
Andrew Rodland17be45e2016-10-25 17:04:12 -04004539 See also : "balance" and "hash-type".
4540
4541
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05004542hash-type <method> <function> <modifier>
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02004543 Specify a method to use for mapping hashes to servers
4544 May be used in sections : defaults | frontend | listen | backend
4545 yes | no | yes | yes
4546 Arguments :
Bhaskar98634f02013-10-29 23:30:51 -04004547 <method> is the method used to select a server from the hash computed by
4548 the <function> :
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02004549
Bhaskar98634f02013-10-29 23:30:51 -04004550 map-based the hash table is a static array containing all alive servers.
4551 The hashes will be very smooth, will consider weights, but
4552 will be static in that weight changes while a server is up
4553 will be ignored. This means that there will be no slow start.
4554 Also, since a server is selected by its position in the array,
4555 most mappings are changed when the server count changes. This
4556 means that when a server goes up or down, or when a server is
4557 added to a farm, most connections will be redistributed to
4558 different servers. This can be inconvenient with caches for
4559 instance.
Willy Tarreau798a39c2010-11-24 15:04:29 +01004560
Bhaskar98634f02013-10-29 23:30:51 -04004561 consistent the hash table is a tree filled with many occurrences of each
4562 server. The hash key is looked up in the tree and the closest
4563 server is chosen. This hash is dynamic, it supports changing
4564 weights while the servers are up, so it is compatible with the
4565 slow start feature. It has the advantage that when a server
4566 goes up or down, only its associations are moved. When a
4567 server is added to the farm, only a few part of the mappings
4568 are redistributed, making it an ideal method for caches.
4569 However, due to its principle, the distribution will never be
4570 very smooth and it may sometimes be necessary to adjust a
4571 server's weight or its ID to get a more balanced distribution.
4572 In order to get the same distribution on multiple load
4573 balancers, it is important that all servers have the exact
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05004574 same IDs. Note: consistent hash uses sdbm and avalanche if no
4575 hash function is specified.
Bhaskar98634f02013-10-29 23:30:51 -04004576
4577 <function> is the hash function to be used :
4578
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004579 sdbm this function was created initially for sdbm (a public-domain
Bhaskar98634f02013-10-29 23:30:51 -04004580 reimplementation of ndbm) database library. It was found to do
4581 well in scrambling bits, causing better distribution of the keys
4582 and fewer splits. It also happens to be a good general hashing
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05004583 function with good distribution, unless the total server weight
4584 is a multiple of 64, in which case applying the avalanche
4585 modifier may help.
Bhaskar98634f02013-10-29 23:30:51 -04004586
4587 djb2 this function was first proposed by Dan Bernstein many years ago
4588 on comp.lang.c. Studies have shown that for certain workload this
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05004589 function provides a better distribution than sdbm. It generally
4590 works well with text-based inputs though it can perform extremely
4591 poorly with numeric-only input or when the total server weight is
4592 a multiple of 33, unless the avalanche modifier is also used.
4593
Willy Tarreaua0f42712013-11-14 14:30:35 +01004594 wt6 this function was designed for haproxy while testing other
4595 functions in the past. It is not as smooth as the other ones, but
4596 is much less sensible to the input data set or to the number of
4597 servers. It can make sense as an alternative to sdbm+avalanche or
4598 djb2+avalanche for consistent hashing or when hashing on numeric
4599 data such as a source IP address or a visitor identifier in a URL
4600 parameter.
4601
Willy Tarreau324f07f2015-01-20 19:44:50 +01004602 crc32 this is the most common CRC32 implementation as used in Ethernet,
4603 gzip, PNG, etc. It is slower than the other ones but may provide
4604 a better distribution or less predictable results especially when
4605 used on strings.
4606
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05004607 <modifier> indicates an optional method applied after hashing the key :
4608
4609 avalanche This directive indicates that the result from the hash
4610 function above should not be used in its raw form but that
4611 a 4-byte full avalanche hash must be applied first. The
4612 purpose of this step is to mix the resulting bits from the
4613 previous hash in order to avoid any undesired effect when
4614 the input contains some limited values or when the number of
4615 servers is a multiple of one of the hash's components (64
4616 for SDBM, 33 for DJB2). Enabling avalanche tends to make the
4617 result less predictable, but it's also not as smooth as when
4618 using the original function. Some testing might be needed
4619 with some workloads. This hash is one of the many proposed
4620 by Bob Jenkins.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02004621
Bhaskar98634f02013-10-29 23:30:51 -04004622 The default hash type is "map-based" and is recommended for most usages. The
4623 default function is "sdbm", the selection of a function should be based on
4624 the range of the values being hashed.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02004625
Andrew Rodland17be45e2016-10-25 17:04:12 -04004626 See also : "balance", "hash-balance-factor", "server"
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02004627
4628
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01004629http-after-response <action> <options...> [ { if | unless } <condition> ]
4630 Access control for all Layer 7 responses (server, applet/service and internal
4631 ones).
4632
4633 May be used in sections: defaults | frontend | listen | backend
4634 no | yes | yes | yes
4635
4636 The http-after-response statement defines a set of rules which apply to layer
4637 7 processing. The rules are evaluated in their declaration order when they
4638 are met in a frontend, listen or backend section. Any rule may optionally be
4639 followed by an ACL-based condition, in which case it will only be evaluated
4640 if the condition is true. Since these rules apply on responses, the backend
4641 rules are applied first, followed by the frontend's rules.
4642
4643 Unlike http-response rules, these ones are applied on all responses, the
4644 server ones but also to all responses generated by HAProxy. These rules are
4645 evaluated at the end of the responses analysis, before the data forwarding.
4646
4647 The first keyword is the rule's action. The supported actions are described
4648 below.
4649
4650 There is no limit to the number of http-after-response statements per
4651 instance.
4652
4653 Example:
4654 http-after-response set-header Strict-Transport-Security "max-age=31536000"
4655 http-after-response set-header Cache-Control "no-store,no-cache,private"
4656 http-after-response set-header Pragma "no-cache"
4657
4658http-after-response add-header <name> <fmt> [ { if | unless } <condition> ]
4659
4660 This appends an HTTP header field whose name is specified in <name> and whose
4661 value is defined by <fmt> which follows the log-format rules (see Custom Log
4662 Format in section 8.2.4). This may be used to send a cookie to a client for
4663 example, or to pass some internal information.
4664 This rule is not final, so it is possible to add other similar rules.
4665 Note that header addition is performed immediately, so one rule might reuse
4666 the resulting header from a previous rule.
4667
4668http-after-response allow [ { if | unless } <condition> ]
4669
4670 This stops the evaluation of the rules and lets the response pass the check.
4671 No further "http-after-response" rules are evaluated.
4672
4673http-after-response del-header <name> [ { if | unless } <condition> ]
4674
4675 This removes all HTTP header fields whose name is specified in <name>.
4676
4677http-after-response replace-header <name> <regex-match> <replace-fmt>
4678 [ { if | unless } <condition> ]
4679
4680 This works like "http-response replace-header".
4681
4682 Example:
4683 http-after-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
4684
4685 # applied to:
4686 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
4687
4688 # outputs:
4689 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
4690
4691 # assuming the backend IP is 192.168.1.20.
4692
4693http-after-response replace-value <name> <regex-match> <replace-fmt>
4694 [ { if | unless } <condition> ]
4695
4696 This works like "http-response replace-value".
4697
4698 Example:
4699 http-after-response replace-value Cache-control ^public$ private
4700
4701 # applied to:
4702 Cache-Control: max-age=3600, public
4703
4704 # outputs:
4705 Cache-Control: max-age=3600, private
4706
4707http-after-response set-header <name> <fmt> [ { if | unless } <condition> ]
4708
4709 This does the same as "add-header" except that the header name is first
4710 removed if it existed. This is useful when passing security information to
4711 the server, where the header must not be manipulated by external users.
4712
4713http-after-response set-status <status> [reason <str>]
4714 [ { if | unless } <condition> ]
4715
4716 This replaces the response status code with <status> which must be an integer
4717 between 100 and 999. Optionally, a custom reason text can be provided defined
4718 by <str>, or the default reason for the specified code will be used as a
4719 fallback.
4720
4721 Example:
4722 # return "431 Request Header Fields Too Large"
4723 http-response set-status 431
4724 # return "503 Slow Down", custom reason
4725 http-response set-status 503 reason "Slow Down"
4726
4727http-after-response set-var(<var-name>) <expr> [ { if | unless } <condition> ]
4728
4729 This is used to set the contents of a variable. The variable is declared
4730 inline.
4731
4732 Arguments:
4733 <var-name> The name of the variable starts with an indication about its
4734 scope. The scopes allowed are:
4735 "proc" : the variable is shared with the whole process
4736 "sess" : the variable is shared with the whole session
4737 "txn" : the variable is shared with the transaction
4738 (request and response)
4739 "req" : the variable is shared only during request
4740 processing
4741 "res" : the variable is shared only during response
4742 processing
4743 This prefix is followed by a name. The separator is a '.'.
4744 The name may only contain characters 'a-z', 'A-Z', '0-9', '.'
4745 and '_'.
4746
4747 <expr> Is a standard HAProxy expression formed by a sample-fetch
4748 followed by some converters.
4749
4750 Example:
4751 http-after-response set-var(sess.last_redir) res.hdr(location)
4752
4753http-after-response strict-mode { on | off }
4754
4755 This enables or disables the strict rewriting mode for following rules. It
4756 does not affect rules declared before it and it is only applicable on rules
4757 performing a rewrite on the responses. When the strict mode is enabled, any
4758 rewrite failure triggers an internal error. Otherwise, such errors are
4759 silently ignored. The purpose of the strict rewriting mode is to make some
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05004760 rewrites optional while others must be performed to continue the response
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01004761 processing.
4762
4763 By default, the strict rewriting mode is enabled. Its value is also reset
4764 when a ruleset evaluation ends. So, for instance, if you change the mode on
Daniel Corbett67a82712020-07-06 23:01:19 -04004765 the backend, the default mode is restored when HAProxy starts the frontend
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01004766 rules evaluation.
4767
4768http-after-response unset-var(<var-name>) [ { if | unless } <condition> ]
4769
4770 This is used to unset a variable. See "http-after-response set-var" for
4771 details about <var-name>.
4772
4773 Example:
4774 http-after-response unset-var(sess.last_redir)
4775
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02004776
4777http-check comment <string>
4778 Defines a comment for the following the http-check rule, reported in logs if
4779 it fails.
4780 May be used in sections : defaults | frontend | listen | backend
4781 yes | no | yes | yes
4782
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02004783 Arguments :
4784 <string> is the comment message to add in logs if the following http-check
4785 rule fails.
4786
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02004787 It only works for connect, send and expect rules. It is useful to make
4788 user-friendly error reporting.
4789
Daniel Corbett67a82712020-07-06 23:01:19 -04004790 See also : "option httpchk", "http-check connect", "http-check send" and
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02004791 "http-check expect".
4792
4793
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02004794http-check connect [default] [port <expr>] [addr <ip>] [send-proxy]
4795 [via-socks4] [ssl] [sni <sni>] [alpn <alpn>] [linger]
Christopher Fauletedc6ed92020-04-23 16:27:59 +02004796 [proto <name>] [comment <msg>]
Christopher Faulete5870d82020-04-15 11:32:03 +02004797 Opens a new connection to perform an HTTP health check
4798 May be used in sections : defaults | frontend | listen | backend
4799 yes | no | yes | yes
4800
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02004801 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02004802 comment <msg> defines a message to report if the rule evaluation fails.
4803
Christopher Faulete5870d82020-04-15 11:32:03 +02004804 default Use default options of the server line to do the health
Daniel Corbett67a82712020-07-06 23:01:19 -04004805 checks. The server options are used only if not redefined.
Christopher Faulete5870d82020-04-15 11:32:03 +02004806
4807 port <expr> if not set, check port or server port is used.
4808 It tells HAProxy where to open the connection to.
4809 <port> must be a valid TCP port source integer, from 1 to
4810 65535 or an sample-fetch expression.
4811
4812 addr <ip> defines the IP address to do the health check.
4813
4814 send-proxy send a PROXY protocol string
4815
4816 via-socks4 enables outgoing health checks using upstream socks4 proxy.
4817
4818 ssl opens a ciphered connection
4819
4820 sni <sni> specifies the SNI to use to do health checks over SSL.
4821
4822 alpn <alpn> defines which protocols to advertise with ALPN. The protocol
4823 list consists in a comma-delimited list of protocol names,
4824 for instance: "h2,http/1.1". If it is not set, the server ALPN
4825 is used.
4826
Christopher Fauletedc6ed92020-04-23 16:27:59 +02004827 proto <name> forces the multiplexer's protocol to use for this connection.
4828 It must be an HTTP mux protocol and it must be usable on the
4829 backend side. The list of available protocols is reported in
4830 haproxy -vv.
4831
Christopher Faulete5870d82020-04-15 11:32:03 +02004832 linger cleanly close the connection instead of using a single RST.
4833
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02004834 Just like tcp-check health checks, it is possible to configure the connection
4835 to use to perform HTTP health check. This directive should also be used to
4836 describe a scenario involving several request/response exchanges, possibly on
4837 different ports or with different servers.
4838
4839 When there are no TCP port configured on the server line neither server port
4840 directive, then the first step of the http-check sequence must be to specify
4841 the port with a "http-check connect".
4842
4843 In an http-check ruleset a 'connect' is required, it is also mandatory to start
4844 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
4845 do.
4846
4847 When a connect must start the ruleset, if may still be preceded by set-var,
4848 unset-var or comment rules.
4849
4850 Examples :
Christopher Faulete5870d82020-04-15 11:32:03 +02004851 # check HTTP and HTTPs services on a server.
4852 # first open port 80 thanks to server line port directive, then
4853 # tcp-check opens port 443, ciphered and run a request on it:
4854 option httpchk
4855
4856 http-check connect
Christopher Fauleta5c14ef2020-04-29 14:19:13 +02004857 http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
Christopher Faulet8021a5f2020-04-24 13:53:12 +02004858 http-check expect status 200-399
Christopher Faulete5870d82020-04-15 11:32:03 +02004859 http-check connect port 443 ssl sni haproxy.1wt.eu
Christopher Fauleta5c14ef2020-04-29 14:19:13 +02004860 http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
Christopher Faulet8021a5f2020-04-24 13:53:12 +02004861 http-check expect status 200-399
Christopher Faulete5870d82020-04-15 11:32:03 +02004862
4863 server www 10.0.0.1 check port 80
4864
4865 See also : "option httpchk", "http-check send", "http-check expect"
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01004866
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02004867
Willy Tarreau0ba27502007-12-24 16:55:16 +01004868http-check disable-on-404
4869 Enable a maintenance mode upon HTTP/404 response to health-checks
4870 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01004871 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01004872 Arguments : none
4873
4874 When this option is set, a server which returns an HTTP code 404 will be
4875 excluded from further load-balancing, but will still receive persistent
4876 connections. This provides a very convenient method for Web administrators
4877 to perform a graceful shutdown of their servers. It is also important to note
4878 that a server which is detected as failed while it was in this mode will not
4879 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
4880 will immediately be reinserted into the farm. The status on the stats page
4881 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01004882 option only works in conjunction with the "httpchk" option. If this option
4883 is used with "http-check expect", then it has precedence over it so that 404
4884 responses will still be considered as soft-stop.
4885
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02004886 See also : "option httpchk" and "http-check expect".
Willy Tarreaubd741542010-03-16 18:46:54 +01004887
4888
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02004889http-check expect [min-recv <int>] [comment <msg>]
Christopher Faulete5870d82020-04-15 11:32:03 +02004890 [ok-status <st>] [error-status <st>] [tout-status <st>]
4891 [on-success <fmt>] [on-error <fmt>] [status-code <expr>]
4892 [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004893 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01004894 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02004895 yes | no | yes | yes
Christopher Faulete5870d82020-04-15 11:32:03 +02004896
Willy Tarreaubd741542010-03-16 18:46:54 +01004897 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02004898 comment <msg> defines a message to report if the rule evaluation fails.
4899
Christopher Faulete5870d82020-04-15 11:32:03 +02004900 min-recv is optional and can define the minimum amount of data required to
4901 evaluate the current expect rule. If the number of received bytes
4902 is under this limit, the check will wait for more data. This
4903 option can be used to resolve some ambiguous matching rules or to
4904 avoid executing costly regex matches on content known to be still
4905 incomplete. If an exact string is used, the minimum between the
4906 string length and this parameter is used. This parameter is
4907 ignored if it is set to -1. If the expect rule does not match,
4908 the check will wait for more data. If set to 0, the evaluation
4909 result is always conclusive.
4910
4911 ok-status <st> is optional and can be used to set the check status if
4912 the expect rule is successfully evaluated and if it is
4913 the last rule in the tcp-check ruleset. "L7OK", "L7OKC",
Christopher Fauletd888f0f2020-05-07 07:40:17 +02004914 "L6OK" and "L4OK" are supported :
4915 - L7OK : check passed on layer 7
4916 - L7OKC : check conditionally passed on layer 7, for
4917 example 404 with disable-on-404
4918 - L6OK : check passed on layer 6
4919 - L4OK : check passed on layer 4
4920 By default "L7OK" is used.
Christopher Faulete5870d82020-04-15 11:32:03 +02004921
4922 error-status <st> is optional and can be used to set the check status if
4923 an error occurred during the expect rule evaluation.
Christopher Fauletd888f0f2020-05-07 07:40:17 +02004924 "L7RSP", "L7STS", "L6RSP" and "L4CON" are supported :
4925 - L7RSP : layer 7 invalid response - protocol error
4926 - L7STS : layer 7 response error, for example HTTP 5xx
4927 - L6RSP : layer 6 invalid response - protocol error
4928 - L4CON : layer 1-4 connection problem
4929 By default "L7RSP" is used.
Christopher Faulete5870d82020-04-15 11:32:03 +02004930
4931 tout-status <st> is optional and can be used to set the check status if
4932 a timeout occurred during the expect rule evaluation.
Christopher Fauletd888f0f2020-05-07 07:40:17 +02004933 "L7TOUT", "L6TOUT", and "L4TOUT" are supported :
4934 - L7TOUT : layer 7 (HTTP/SMTP) timeout
4935 - L6TOUT : layer 6 (SSL) timeout
4936 - L4TOUT : layer 1-4 timeout
Christopher Faulete5870d82020-04-15 11:32:03 +02004937 By default "L7TOUT" is used.
4938
4939 on-success <fmt> is optional and can be used to customize the
4940 informational message reported in logs if the expect
4941 rule is successfully evaluated and if it is the last rule
4942 in the tcp-check ruleset. <fmt> is a log-format string.
4943
4944 on-error <fmt> is optional and can be used to customize the
4945 informational message reported in logs if an error
4946 occurred during the expect rule evaluation. <fmt> is a
4947 log-format string.
4948
Willy Tarreaubd741542010-03-16 18:46:54 +01004949 <match> is a keyword indicating how to look for a specific pattern in the
Christopher Fauletb5594262020-05-05 20:23:13 +02004950 response. The keyword may be one of "status", "rstatus", "hdr",
4951 "fhdr", "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01004952 exclamation mark ("!") to negate the match. Spaces are allowed
4953 between the exclamation mark and the keyword. See below for more
4954 details on the supported keywords.
4955
Christopher Faulet39708192020-05-05 10:47:36 +02004956 <pattern> is the pattern to look for. It may be a string, a regular
4957 expression or a more complex pattern with several arguments. If
4958 the string pattern contains spaces, they must be escaped with the
4959 usual backslash ('\').
Willy Tarreaubd741542010-03-16 18:46:54 +01004960
4961 By default, "option httpchk" considers that response statuses 2xx and 3xx
4962 are valid, and that others are invalid. When "http-check expect" is used,
4963 it defines what is considered valid or invalid. Only one "http-check"
4964 statement is supported in a backend. If a server fails to respond or times
4965 out, the check obviously fails. The available matches are :
4966
Christopher Faulet8021a5f2020-04-24 13:53:12 +02004967 status <codes> : test the status codes found parsing <codes> string. it
4968 must be a comma-separated list of status codes or range
4969 codes. A health check response will be considered as
4970 valid if the response's status code matches any status
4971 code or is inside any range of the list. If the "status"
4972 keyword is prefixed with "!", then the response will be
4973 considered invalid if the status code matches.
Willy Tarreaubd741542010-03-16 18:46:54 +01004974
4975 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004976 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01004977 response's status code matches the expression. If the
4978 "rstatus" keyword is prefixed with "!", then the response
4979 will be considered invalid if the status code matches.
4980 This is mostly used to check for multiple codes.
4981
Christopher Fauletb5594262020-05-05 20:23:13 +02004982 hdr { name | name-lf } [ -m <meth> ] <name>
4983 [ { value | value-lf } [ -m <meth> ] <value> :
Christopher Faulet39708192020-05-05 10:47:36 +02004984 test the specified header pattern on the HTTP response
4985 headers. The name pattern is mandatory but the value
4986 pattern is optional. If not specified, only the header
4987 presence is verified. <meth> is the matching method,
4988 applied on the header name or the header value. Supported
4989 matching methods are "str" (exact match), "beg" (prefix
4990 match), "end" (suffix match), "sub" (substring match) or
4991 "reg" (regex match). If not specified, exact matching
Christopher Fauletb5594262020-05-05 20:23:13 +02004992 method is used. If the "name-lf" parameter is used,
4993 <name> is evaluated as a log-format string. If "value-lf"
4994 parameter is used, <value> is evaluated as a log-format
4995 string. These parameters cannot be used with the regex
4996 matching method. Finally, the header value is considered
4997 as comma-separated list. Note that matchings are case
4998 insensitive on the header names.
4999
5000 fhdr { name | name-lf } [ -m <meth> ] <name>
5001 [ { value | value-lf } [ -m <meth> ] <value> :
5002 test the specified full header pattern on the HTTP
5003 response headers. It does exactly the same than "hdr"
5004 keyword, except the full header value is tested, commas
5005 are not considered as delimiters.
Christopher Faulet39708192020-05-05 10:47:36 +02005006
Willy Tarreaubd741542010-03-16 18:46:54 +01005007 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005008 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01005009 response's body contains this exact string. If the
5010 "string" keyword is prefixed with "!", then the response
5011 will be considered invalid if the body contains this
5012 string. This can be used to look for a mandatory word at
5013 the end of a dynamic page, or to detect a failure when a
Davor Ocelice9ed2812017-12-25 17:49:28 +01005014 specific error appears on the check page (e.g. a stack
Willy Tarreaubd741542010-03-16 18:46:54 +01005015 trace).
5016
5017 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005018 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01005019 response's body matches this expression. If the "rstring"
5020 keyword is prefixed with "!", then the response will be
5021 considered invalid if the body matches the expression.
5022 This can be used to look for a mandatory word at the end
5023 of a dynamic page, or to detect a failure when a specific
Davor Ocelice9ed2812017-12-25 17:49:28 +01005024 error appears on the check page (e.g. a stack trace).
Willy Tarreaubd741542010-03-16 18:46:54 +01005025
Christopher Fauletaaab0832020-05-05 15:54:22 +02005026 string-lf <fmt> : test a log-format string match in the HTTP response body.
5027 A health check response will be considered valid if the
5028 response's body contains the string resulting of the
5029 evaluation of <fmt>, which follows the log-format rules.
5030 If prefixed with "!", then the response will be
5031 considered invalid if the body contains the string.
5032
Willy Tarreaubd741542010-03-16 18:46:54 +01005033 It is important to note that the responses will be limited to a certain size
5034 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
5035 Thus, too large responses may not contain the mandatory pattern when using
5036 "string" or "rstring". If a large response is absolutely required, it is
5037 possible to change the default max size by setting the global variable.
5038 However, it is worth keeping in mind that parsing very large responses can
5039 waste some CPU cycles, especially when regular expressions are used, and that
5040 it is always better to focus the checks on smaller resources.
5041
Christopher Faulete5870d82020-04-15 11:32:03 +02005042 In an http-check ruleset, the last expect rule may be implicit. If no expect
5043 rule is specified after the last "http-check send", an implicit expect rule
5044 is defined to match on 2xx or 3xx status codes. It means this rule is also
5045 defined if there is no "http-check" rule at all, when only "option httpchk"
5046 is set.
Cyril Bonté32602d22015-01-30 00:07:07 +01005047
Willy Tarreaubd741542010-03-16 18:46:54 +01005048 Last, if "http-check expect" is combined with "http-check disable-on-404",
5049 then this last one has precedence when the server responds with 404.
5050
5051 Examples :
5052 # only accept status 200 as valid
Christopher Faulet8021a5f2020-04-24 13:53:12 +02005053 http-check expect status 200,201,300-310
Willy Tarreaubd741542010-03-16 18:46:54 +01005054
Christopher Faulet39708192020-05-05 10:47:36 +02005055 # be sure a sessid coookie is set
5056 http-check expect header name "set-cookie" value -m beg "sessid="
5057
Willy Tarreaubd741542010-03-16 18:46:54 +01005058 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01005059 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01005060
5061 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01005062 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01005063
5064 # check that we have a correct hexadecimal tag before /html
Jarno Huuskonene5ae7022017-04-03 14:36:21 +03005065 http-check expect rstring <!--tag:[0-9a-f]*--></html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01005066
Christopher Faulete5870d82020-04-15 11:32:03 +02005067 See also : "option httpchk", "http-check connect", "http-check disable-on-404"
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005068 and "http-check send".
Willy Tarreau2769aa02007-12-27 18:26:09 +01005069
5070
Christopher Faulet7c95f5f2020-05-06 15:06:34 +02005071http-check send [meth <method>] [{ uri <uri> | uri-lf <fmt> }>] [ver <version>]
Christopher Faulet574e7bd2020-05-06 15:38:58 +02005072 [hdr <name> <fmt>]* [{ body <string> | body-lf <fmt> }]
5073 [comment <msg>]
Christopher Faulet8acb1282020-04-09 08:44:06 +02005074 Add a possible list of headers and/or a body to the request sent during HTTP
5075 health checks.
5076 May be used in sections : defaults | frontend | listen | backend
5077 yes | no | yes | yes
5078 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005079 comment <msg> defines a message to report if the rule evaluation fails.
5080
Christopher Faulete5870d82020-04-15 11:32:03 +02005081 meth <method> is the optional HTTP method used with the requests. When not
5082 set, the "OPTIONS" method is used, as it generally requires
5083 low server processing and is easy to filter out from the
5084 logs. Any method may be used, though it is not recommended
5085 to invent non-standard ones.
5086
Christopher Faulet7c95f5f2020-05-06 15:06:34 +02005087 uri <uri> is optional and set the URI referenced in the HTTP requests
5088 to the string <uri>. It defaults to "/" which is accessible
5089 by default on almost any server, but may be changed to any
5090 other URI. Query strings are permitted.
5091
5092 uri-lf <fmt> is optional and set the URI referenced in the HTTP requests
5093 using the log-format string <fmt>. It defaults to "/" which
5094 is accessible by default on almost any server, but may be
5095 changed to any other URI. Query strings are permitted.
Christopher Faulet8acb1282020-04-09 08:44:06 +02005096
Christopher Faulet907701b2020-04-28 09:37:00 +02005097 ver <version> is the optional HTTP version string. It defaults to
Christopher Faulete5870d82020-04-15 11:32:03 +02005098 "HTTP/1.0" but some servers might behave incorrectly in HTTP
Daniel Corbett67a82712020-07-06 23:01:19 -04005099 1.0, so turning it to HTTP/1.1 may sometimes help. Note that
Christopher Faulete5870d82020-04-15 11:32:03 +02005100 the Host field is mandatory in HTTP/1.1, use "hdr" argument
5101 to add it.
5102
5103 hdr <name> <fmt> adds the HTTP header field whose name is specified in
5104 <name> and whose value is defined by <fmt>, which follows
5105 to the log-format rules.
5106
5107 body <string> add the body defined by <string> to the request sent during
5108 HTTP health checks. If defined, the "Content-Length" header
5109 is thus automatically added to the request.
Christopher Faulet8acb1282020-04-09 08:44:06 +02005110
Christopher Faulet574e7bd2020-05-06 15:38:58 +02005111 body-lf <fmt> add the body defined by the log-format string <fmt> to the
5112 request sent during HTTP health checks. If defined, the
5113 "Content-Length" header is thus automatically added to the
5114 request.
5115
Christopher Faulet8acb1282020-04-09 08:44:06 +02005116 In addition to the request line defined by the "option httpchk" directive,
5117 this one is the valid way to add some headers and optionally a body to the
5118 request sent during HTTP health checks. If a body is defined, the associate
Christopher Faulet9df910c2020-04-29 14:20:47 +02005119 "Content-Length" header is automatically added. Thus, this header or
5120 "Transfer-encoding" header should not be present in the request provided by
5121 "http-check send". If so, it will be ignored. The old trick consisting to add
5122 headers after the version string on the "option httpchk" line is now
Christopher Faulet8acb1282020-04-09 08:44:06 +02005123 deprecated. Note also the "Connection: close" header is still added if a
Daniel Corbett67a82712020-07-06 23:01:19 -04005124 "http-check expect" directive is defined independently of this directive, just
Christopher Faulet8acb1282020-04-09 08:44:06 +02005125 like the state header if the directive "http-check send-state" is defined.
5126
Christopher Faulete5870d82020-04-15 11:32:03 +02005127 Also "http-check send" doesn't support HTTP keep-alive. Keep in mind that it
5128 will automatically append a "Connection: close" header, meaning that this
Christopher Faulet9df910c2020-04-29 14:20:47 +02005129 header should not be present in the request provided by "http-check send". If
5130 so, it will be ignored.
5131
5132 Note that the Host header and the request authority, when both defined, are
5133 automatically synchronized. It means when the HTTP request is sent, when a
5134 Host is inserted in the request, the request authority is accordingly
5135 updated. Thus, don't be surprised if the Host header value overwrites the
5136 configured request authority.
5137
5138 Note also for now, no Host header is automatically added in HTTP/1.1 or above
5139 requests. You should add it explicitly.
Christopher Faulete5870d82020-04-15 11:32:03 +02005140
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005141 See also : "option httpchk", "http-check send-state" and "http-check expect".
Christopher Faulet8acb1282020-04-09 08:44:06 +02005142
5143
Willy Tarreauef781042010-01-27 11:53:01 +01005144http-check send-state
5145 Enable emission of a state header with HTTP health checks
5146 May be used in sections : defaults | frontend | listen | backend
5147 yes | no | yes | yes
5148 Arguments : none
5149
5150 When this option is set, haproxy will systematically send a special header
5151 "X-Haproxy-Server-State" with a list of parameters indicating to each server
5152 how they are seen by haproxy. This can be used for instance when a server is
5153 manipulated without access to haproxy and the operator needs to know whether
5154 haproxy still sees it up or not, or if the server is the last one in a farm.
5155
5156 The header is composed of fields delimited by semi-colons, the first of which
5157 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
5158 checks on the total number before transition, just as appears in the stats
5159 interface. Next headers are in the form "<variable>=<value>", indicating in
5160 no specific order some values available in the stats interface :
Joseph Lynch514061c2015-01-15 17:52:59 -08005161 - a variable "address", containing the address of the backend server.
5162 This corresponds to the <address> field in the server declaration. For
5163 unix domain sockets, it will read "unix".
5164
5165 - a variable "port", containing the port of the backend server. This
5166 corresponds to the <port> field in the server declaration. For unix
5167 domain sockets, it will read "unix".
5168
Willy Tarreauef781042010-01-27 11:53:01 +01005169 - a variable "name", containing the name of the backend followed by a slash
5170 ("/") then the name of the server. This can be used when a server is
5171 checked in multiple backends.
5172
5173 - a variable "node" containing the name of the haproxy node, as set in the
5174 global "node" variable, otherwise the system's hostname if unspecified.
5175
5176 - a variable "weight" indicating the weight of the server, a slash ("/")
5177 and the total weight of the farm (just counting usable servers). This
5178 helps to know if other servers are available to handle the load when this
5179 one fails.
5180
5181 - a variable "scur" indicating the current number of concurrent connections
5182 on the server, followed by a slash ("/") then the total number of
5183 connections on all servers of the same backend.
5184
5185 - a variable "qcur" indicating the current number of requests in the
5186 server's queue.
5187
5188 Example of a header received by the application server :
5189 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
5190 scur=13/22; qcur=0
5191
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005192 See also : "option httpchk", "http-check disable-on-404" and
5193 "http-check send".
Willy Tarreauef781042010-01-27 11:53:01 +01005194
Christopher Faulete5870d82020-04-15 11:32:03 +02005195
5196http-check set-var(<var-name>) <expr>
Christopher Faulete5870d82020-04-15 11:32:03 +02005197 This operation sets the content of a variable. The variable is declared inline.
Christopher Faulete5870d82020-04-15 11:32:03 +02005198 May be used in sections: defaults | frontend | listen | backend
5199 yes | no | yes | yes
5200
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005201 Arguments :
Christopher Faulete5870d82020-04-15 11:32:03 +02005202 <var-name> The name of the variable starts with an indication about its
5203 scope. The scopes allowed for http-check are:
5204 "proc" : the variable is shared with the whole process.
5205 "sess" : the variable is shared with the tcp-check session.
5206 "check": the variable is declared for the lifetime of the tcp-check.
5207 This prefix is followed by a name. The separator is a '.'.
5208 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
5209 and '-'.
5210
5211 <expr> Is a sample-fetch expression potentially followed by converters.
5212
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005213 Examples :
5214 http-check set-var(check.port) int(1234)
Christopher Faulete5870d82020-04-15 11:32:03 +02005215
5216
5217http-check unset-var(<var-name>)
Christopher Faulete5870d82020-04-15 11:32:03 +02005218 Free a reference to a variable within its scope.
Christopher Faulete5870d82020-04-15 11:32:03 +02005219 May be used in sections: defaults | frontend | listen | backend
5220 yes | no | yes | yes
5221
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005222 Arguments :
Christopher Faulete5870d82020-04-15 11:32:03 +02005223 <var-name> The name of the variable starts with an indication about its
5224 scope. The scopes allowed for http-check are:
5225 "proc" : the variable is shared with the whole process.
5226 "sess" : the variable is shared with the tcp-check session.
5227 "check": the variable is declared for the lifetime of the tcp-check.
5228 This prefix is followed by a name. The separator is a '.'.
5229 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
5230 and '-'.
5231
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005232 Examples :
5233 http-check unset-var(check.port)
Christopher Faulete5870d82020-04-15 11:32:03 +02005234
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005235
Christopher Faulet3b967c12020-05-15 15:47:44 +02005236http-error status <code> [content-type <type>]
5237 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
5238 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
5239 [ hdr <name> <fmt> ]*
5240 Defines a custom error message to use instead of errors generated by HAProxy.
5241 May be used in sections : defaults | frontend | listen | backend
5242 yes | yes | yes | yes
5243 Arguments :
Ilya Shipitsin11057a32020-06-21 21:18:27 +05005244 status <code> is the HTTP status code. It must be specified.
Christopher Faulet3b967c12020-05-15 15:47:44 +02005245 Currently, HAProxy is capable of generating codes
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02005246 200, 400, 401, 403, 404, 405, 407, 408, 410, 413, 425,
5247 429, 500, 502, 503, and 504.
Christopher Faulet3b967c12020-05-15 15:47:44 +02005248
5249 content-type <type> is the response content type, for instance
5250 "text/plain". This parameter is ignored and should be
5251 omitted when an errorfile is configured or when the
5252 payload is empty. Otherwise, it must be defined.
5253
5254 default-errorfiles Reset the previously defined error message for current
5255 proxy for the status <code>. If used on a backend, the
5256 frontend error message is used, if defined. If used on
5257 a frontend, the default error message is used.
5258
5259 errorfile <file> designates a file containing the full HTTP response.
5260 It is recommended to follow the common practice of
5261 appending ".http" to the filename so that people do
5262 not confuse the response with HTML error pages, and to
5263 use absolute paths, since files are read before any
5264 chroot is performed.
5265
5266 errorfiles <name> designates the http-errors section to use to import
5267 the error message with the status code <code>. If no
5268 such message is found, the proxy's error messages are
5269 considered.
5270
5271 file <file> specifies the file to use as response payload. If the
5272 file is not empty, its content-type must be set as
5273 argument to "content-type", otherwise, any
5274 "content-type" argument is ignored. <file> is
5275 considered as a raw string.
5276
5277 string <str> specifies the raw string to use as response payload.
5278 The content-type must always be set as argument to
5279 "content-type".
5280
5281 lf-file <file> specifies the file to use as response payload. If the
5282 file is not empty, its content-type must be set as
5283 argument to "content-type", otherwise, any
5284 "content-type" argument is ignored. <file> is
5285 evaluated as a log-format string.
5286
5287 lf-string <str> specifies the log-format string to use as response
5288 payload. The content-type must always be set as
5289 argument to "content-type".
5290
5291 hdr <name> <fmt> adds to the response the HTTP header field whose name
5292 is specified in <name> and whose value is defined by
5293 <fmt>, which follows to the log-format rules.
5294 This parameter is ignored if an errorfile is used.
5295
5296 This directive may be used instead of "errorfile", to define a custom error
5297 message. As "errorfile" directive, it is used for errors detected and
5298 returned by HAProxy. If an errorfile is defined, it is parsed when HAProxy
5299 starts and must be valid according to the HTTP standards. The generated
5300 response must not exceed the configured buffer size (BUFFSIZE), otherwise an
5301 internal error will be returned. Finally, if you consider to use some
5302 http-after-response rules to rewrite these errors, the reserved buffer space
5303 should be available (see "tune.maxrewrite").
5304
5305 The files are read at the same time as the configuration and kept in memory.
5306 For this reason, the errors continue to be returned even when the process is
5307 chrooted, and no file change is considered while the process is running.
5308
5309 See also : "errorfile", "errorfiles", "errorloc", "errorloc302",
5310 "errorloc303" and section 3.8 about http-errors.
5311
5312
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005313http-request <action> [options...] [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005314 Access control for Layer 7 requests
5315
5316 May be used in sections: defaults | frontend | listen | backend
5317 no | yes | yes | yes
5318
Willy Tarreau20b0de52012-12-24 15:45:22 +01005319 The http-request statement defines a set of rules which apply to layer 7
5320 processing. The rules are evaluated in their declaration order when they are
5321 met in a frontend, listen or backend section. Any rule may optionally be
5322 followed by an ACL-based condition, in which case it will only be evaluated
5323 if the condition is true.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005324
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005325 The first keyword is the rule's action. The supported actions are described
5326 below.
Willy Tarreau20b0de52012-12-24 15:45:22 +01005327
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005328 There is no limit to the number of http-request statements per instance.
Willy Tarreau20b0de52012-12-24 15:45:22 +01005329
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005330 Example:
5331 acl nagios src 192.168.129.3
5332 acl local_net src 192.168.0.0/16
5333 acl auth_ok http_auth(L1)
Willy Tarreau20b0de52012-12-24 15:45:22 +01005334
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005335 http-request allow if nagios
5336 http-request allow if local_net auth_ok
5337 http-request auth realm Gimme if local_net auth_ok
5338 http-request deny
Willy Tarreau81499eb2012-12-27 12:19:02 +01005339
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005340 Example:
5341 acl key req.hdr(X-Add-Acl-Key) -m found
5342 acl add path /addacl
5343 acl del path /delacl
Willy Tarreau20b0de52012-12-24 15:45:22 +01005344
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005345 acl myhost hdr(Host) -f myhost.lst
Willy Tarreau20b0de52012-12-24 15:45:22 +01005346
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005347 http-request add-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key add
5348 http-request del-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key del
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02005349
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005350 Example:
5351 acl value req.hdr(X-Value) -m found
5352 acl setmap path /setmap
5353 acl delmap path /delmap
Sasha Pachev218f0642014-06-16 12:05:59 -06005354
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005355 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
Sasha Pachev218f0642014-06-16 12:05:59 -06005356
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005357 http-request set-map(map.lst) %[src] %[req.hdr(X-Value)] if setmap value
5358 http-request del-map(map.lst) %[src] if delmap
Sasha Pachev218f0642014-06-16 12:05:59 -06005359
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005360 See also : "stats http-request", section 3.4 about userlists and section 7
5361 about ACL usage.
Sasha Pachev218f0642014-06-16 12:05:59 -06005362
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005363http-request add-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06005364
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005365 This is used to add a new entry into an ACL. The ACL must be loaded from a
5366 file (even a dummy empty file). The file name of the ACL to be updated is
5367 passed between parentheses. It takes one argument: <key fmt>, which follows
5368 log-format rules, to collect content of the new entry. It performs a lookup
5369 in the ACL before insertion, to avoid duplicated (or more) values. This
5370 lookup is done by a linear search and can be expensive with large lists!
5371 It is the equivalent of the "add acl" command from the stats socket, but can
5372 be triggered by an HTTP request.
Sasha Pachev218f0642014-06-16 12:05:59 -06005373
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005374http-request add-header <name> <fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06005375
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005376 This appends an HTTP header field whose name is specified in <name> and
5377 whose value is defined by <fmt> which follows the log-format rules (see
5378 Custom Log Format in section 8.2.4). This is particularly useful to pass
5379 connection-specific information to the server (e.g. the client's SSL
5380 certificate), or to combine several headers into one. This rule is not
5381 final, so it is possible to add other similar rules. Note that header
5382 addition is performed immediately, so one rule might reuse the resulting
5383 header from a previous rule.
Sasha Pachev218f0642014-06-16 12:05:59 -06005384
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005385http-request allow [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06005386
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005387 This stops the evaluation of the rules and lets the request pass the check.
5388 No further "http-request" rules are evaluated.
Sasha Pachev218f0642014-06-16 12:05:59 -06005389
Sasha Pachev218f0642014-06-16 12:05:59 -06005390
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005391http-request auth [realm <realm>] [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06005392
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005393 This stops the evaluation of the rules and immediately responds with an
5394 HTTP 401 or 407 error code to invite the user to present a valid user name
5395 and password. No further "http-request" rules are evaluated. An optional
5396 "realm" parameter is supported, it sets the authentication realm that is
5397 returned with the response (typically the application's name).
Sasha Pachev218f0642014-06-16 12:05:59 -06005398
Christopher Faulet612f2ea2020-05-27 09:57:28 +02005399 The corresponding proxy's error message is used. It may be customized using
5400 an "errorfile" or an "http-error" directive. For 401 responses, all
5401 occurrences of the WWW-Authenticate header are removed and replaced by a new
5402 one with a basic authentication challenge for realm "<realm>". For 407
5403 responses, the same is done on the Proxy-Authenticate header. If the error
5404 message must not be altered, consider to use "http-request return" rule
5405 instead.
5406
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005407 Example:
5408 acl auth_ok http_auth_group(L1) G1
5409 http-request auth unless auth_ok
Sasha Pachev218f0642014-06-16 12:05:59 -06005410
Jarno Huuskonen251a6b72019-01-04 14:05:02 +02005411http-request cache-use <name> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06005412
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02005413 See section 6.2 about cache setup.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01005414
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005415http-request capture <sample> [ len <length> | id <id> ]
5416 [ { if | unless } <condition> ]
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01005417
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005418 This captures sample expression <sample> from the request buffer, and
5419 converts it to a string of at most <len> characters. The resulting string is
5420 stored into the next request "capture" slot, so it will possibly appear next
5421 to some captured HTTP headers. It will then automatically appear in the logs,
5422 and it will be possible to extract it using sample fetch rules to feed it
5423 into headers or anything. The length should be limited given that this size
5424 will be allocated for each capture during the whole session life.
5425 Please check section 7.3 (Fetching samples) and "capture request header" for
5426 more information.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01005427
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005428 If the keyword "id" is used instead of "len", the action tries to store the
5429 captured string in a previously declared capture slot. This is useful to run
5430 captures in backends. The slot id can be declared by a previous directive
Baptiste Assmann19a69b32020-01-16 14:34:22 +01005431 "http-request capture" or with the "declare capture" keyword.
5432
5433 When using this action in a backend, double check that the relevant
5434 frontend(s) have the required capture slots otherwise, this rule will be
5435 ignored at run time. This can't be detected at configuration parsing time
5436 due to HAProxy's ability to dynamically resolve backend name at runtime.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01005437
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005438http-request del-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01005439
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005440 This is used to delete an entry from an ACL. The ACL must be loaded from a
5441 file (even a dummy empty file). The file name of the ACL to be updated is
5442 passed between parentheses. It takes one argument: <key fmt>, which follows
5443 log-format rules, to collect content of the entry to delete.
5444 It is the equivalent of the "del acl" command from the stats socket, but can
5445 be triggered by an HTTP request.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01005446
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005447http-request del-header <name> [ { if | unless } <condition> ]
Willy Tarreauf4c43c12013-06-11 17:01:13 +02005448
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005449 This removes all HTTP header fields whose name is specified in <name>.
Willy Tarreau9a355ec2013-06-11 17:45:46 +02005450
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005451http-request del-map(<file-name>) <key fmt> [ { if | unless } <condition> ]
Willy Tarreau42cf39e2013-06-11 18:51:32 +02005452
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005453 This is used to delete an entry from a MAP. The MAP must be loaded from a
5454 file (even a dummy empty file). The file name of the MAP to be updated is
5455 passed between parentheses. It takes one argument: <key fmt>, which follows
5456 log-format rules, to collect content of the entry to delete.
5457 It takes one argument: "file name" It is the equivalent of the "del map"
5458 command from the stats socket, but can be triggered by an HTTP request.
Willy Tarreau51347ed2013-06-11 19:34:13 +02005459
Christopher Faulet5cb513a2020-05-13 17:56:56 +02005460http-request deny [deny_status <status>] [ { if | unless } <condition> ]
5461http-request deny [ { status | deny_status } <code>] [content-type <type>]
5462 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
5463 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
5464 [ hdr <name> <fmt> ]*
5465 [ { if | unless } <condition> ]
Patrick Hemmer268a7072018-05-11 12:52:31 -04005466
Christopher Faulet5cb513a2020-05-13 17:56:56 +02005467 This stops the evaluation of the rules and immediately rejects the request.
5468 By default an HTTP 403 error is returned. But the response may be customized
5469 using same syntax than "http-request return" rules. Thus, see "http-request
Ilya Shipitsin11057a32020-06-21 21:18:27 +05005470 return" for details. For compatibility purpose, when no argument is defined,
Christopher Faulet5cb513a2020-05-13 17:56:56 +02005471 or only "deny_status", the argument "default-errorfiles" is implied. It means
5472 "http-request deny [deny_status <status>]" is an alias of
5473 "http-request deny [status <status>] default-errorfiles".
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005474 No further "http-request" rules are evaluated.
Christopher Faulet5cb513a2020-05-13 17:56:56 +02005475 See also "http-request return".
Patrick Hemmer268a7072018-05-11 12:52:31 -04005476
Olivier Houchard602bf7d2019-05-10 13:59:15 +02005477http-request disable-l7-retry [ { if | unless } <condition> ]
5478 This disables any attempt to retry the request if it fails for any other
5479 reason than a connection failure. This can be useful for example to make
5480 sure POST requests aren't retried on failure.
5481
Baptiste Assmann333939c2019-01-21 08:34:50 +01005482http-request do-resolve(<var>,<resolvers>,[ipv4,ipv6]) <expr> :
5483
5484 This action performs a DNS resolution of the output of <expr> and stores
5485 the result in the variable <var>. It uses the DNS resolvers section
5486 pointed by <resolvers>.
5487 It is possible to choose a resolution preference using the optional
5488 arguments 'ipv4' or 'ipv6'.
5489 When performing the DNS resolution, the client side connection is on
5490 pause waiting till the end of the resolution.
5491 If an IP address can be found, it is stored into <var>. If any kind of
5492 error occurs, then <var> is not set.
5493 One can use this action to discover a server IP address at run time and
5494 based on information found in the request (IE a Host header).
5495 If this action is used to find the server's IP address (using the
5496 "set-dst" action), then the server IP address in the backend must be set
5497 to 0.0.0.0.
5498
5499 Example:
5500 resolvers mydns
5501 nameserver local 127.0.0.53:53
5502 nameserver google 8.8.8.8:53
5503 timeout retry 1s
5504 hold valid 10s
5505 hold nx 3s
5506 hold other 3s
5507 hold obsolete 0s
5508 accepted_payload_size 8192
5509
5510 frontend fe
5511 bind 10.42.0.1:80
5512 http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower
5513 http-request capture var(txn.myip) len 40
5514
5515 # return 503 when the variable is not set,
5516 # which mean DNS resolution error
5517 use_backend b_503 unless { var(txn.myip) -m found }
5518
5519 default_backend be
5520
5521 backend b_503
5522 # dummy backend used to return 503.
5523 # one can use the errorfile directive to send a nice
5524 # 503 error page to end users
5525
5526 backend be
5527 # rule to prevent HAProxy from reconnecting to services
5528 # on the local network (forged DNS name used to scan the network)
5529 http-request deny if { var(txn.myip) -m ip 127.0.0.0/8 10.0.0.0/8 }
5530 http-request set-dst var(txn.myip)
5531 server clear 0.0.0.0:0
5532
5533 NOTE: Don't forget to set the "protection" rules to ensure HAProxy won't
5534 be used to scan the network or worst won't loop over itself...
5535
Frédéric Lécaille06f5b642018-11-12 11:01:10 +01005536http-request early-hint <name> <fmt> [ { if | unless } <condition> ]
5537
5538 This is used to build an HTTP 103 Early Hints response prior to any other one.
5539 This appends an HTTP header field to this response whose name is specified in
5540 <name> and whose value is defined by <fmt> which follows the log-format rules
5541 (see Custom Log Format in section 8.2.4). This is particularly useful to pass
Frédéric Lécaille3aac1062018-11-13 09:42:13 +01005542 to the client some Link headers to preload resources required to render the
5543 HTML documents.
Frédéric Lécaille06f5b642018-11-12 11:01:10 +01005544
5545 See RFC 8297 for more information.
5546
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005547http-request redirect <rule> [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02005548
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005549 This performs an HTTP redirection based on a redirect rule. This is exactly
5550 the same as the "redirect" statement except that it inserts a redirect rule
5551 which can be processed in the middle of other "http-request" rules and that
5552 these rules use the "log-format" strings. See the "redirect" keyword for the
5553 rule's syntax.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02005554
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005555http-request reject [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02005556
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005557 This stops the evaluation of the rules and immediately closes the connection
5558 without sending any response. It acts similarly to the
5559 "tcp-request content reject" rules. It can be useful to force an immediate
5560 connection closure on HTTP/2 connections.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02005561
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005562http-request replace-header <name> <match-regex> <replace-fmt>
5563 [ { if | unless } <condition> ]
Willy Tarreaua9083d02015-05-08 15:27:59 +02005564
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05005565 This matches the value of all occurrences of header field <name> against
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005566 <match-regex>. Matching is performed case-sensitively. Matching values are
5567 completely replaced by <replace-fmt>. Format characters are allowed in
5568 <replace-fmt> and work like <fmt> arguments in "http-request add-header".
5569 Standard back-references using the backslash ('\') followed by a number are
5570 supported.
Thierry FOURNIER82bf70d2015-05-26 17:58:29 +02005571
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005572 This action acts on whole header lines, regardless of the number of values
5573 they may contain. Thus it is well-suited to process headers naturally
5574 containing commas in their value, such as If-Modified-Since. Headers that
5575 contain a comma-separated list of values, such as Accept, should be processed
5576 using "http-request replace-value".
William Lallemand86d0df02017-11-24 21:36:45 +01005577
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005578 Example:
5579 http-request replace-header Cookie foo=([^;]*);(.*) foo=\1;ip=%bi;\2
5580
5581 # applied to:
5582 Cookie: foo=foobar; expires=Tue, 14-Jun-2016 01:40:45 GMT;
5583
5584 # outputs:
5585 Cookie: foo=foobar;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT;
5586
5587 # assuming the backend IP is 192.168.1.20
Willy Tarreau09448f72014-06-25 18:12:15 +02005588
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005589 http-request replace-header User-Agent curl foo
5590
5591 # applied to:
5592 User-Agent: curl/7.47.0
Willy Tarreau09448f72014-06-25 18:12:15 +02005593
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005594 # outputs:
5595 User-Agent: foo
Willy Tarreau09448f72014-06-25 18:12:15 +02005596
Willy Tarreau262c3f12019-12-17 06:52:51 +01005597http-request replace-path <match-regex> <replace-fmt>
5598 [ { if | unless } <condition> ]
5599
5600 This works like "replace-header" except that it works on the request's path
5601 component instead of a header. The path component starts at the first '/'
Christopher Faulet82c83322020-09-02 14:16:59 +02005602 after an optional scheme+authority and ends before the question mark. Thus,
5603 the replacement does not modify the scheme, the authority and the
5604 query-string.
Willy Tarreau262c3f12019-12-17 06:52:51 +01005605
5606 It is worth noting that regular expressions may be more expensive to evaluate
5607 than certain ACLs, so rare replacements may benefit from a condition to avoid
5608 performing the evaluation at all if it does not match.
5609
5610 Example:
5611 # prefix /foo : turn /bar?q=1 into /foo/bar?q=1 :
5612 http-request replace-path (.*) /foo\1
5613
Willy Tarreau262c3f12019-12-17 06:52:51 +01005614 # strip /foo : turn /foo/bar?q=1 into /bar?q=1
5615 http-request replace-path /foo/(.*) /\1
5616 # or more efficient if only some requests match :
5617 http-request replace-path /foo/(.*) /\1 if { url_beg /foo/ }
5618
Christopher Faulet312294f2020-09-02 17:17:44 +02005619http-request replace-pathq <match-regex> <replace-fmt>
5620 [ { if | unless } <condition> ]
5621
5622 This does the same as "http-request replace-path" except that the path
5623 contains the query-string if any is present. Thus, the path and the
5624 query-string are replaced.
5625
5626 Example:
5627 # suffix /foo : turn /bar?q=1 into /bar/foo?q=1 :
5628 http-request replace-pathq ([^?]*)(\?(.*))? \1/foo\2
5629
Willy Tarreau33810222019-06-12 17:44:02 +02005630http-request replace-uri <match-regex> <replace-fmt>
5631 [ { if | unless } <condition> ]
5632
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005633 This works like "replace-header" except that it works on the request's URI part
5634 instead of a header. The URI part may contain an optional scheme, authority or
5635 query string. These are considered to be part of the value that is matched
5636 against.
5637
5638 It is worth noting that regular expressions may be more expensive to evaluate
5639 than certain ACLs, so rare replacements may benefit from a condition to avoid
5640 performing the evaluation at all if it does not match.
Willy Tarreau33810222019-06-12 17:44:02 +02005641
Willy Tarreau62b59132019-12-17 06:51:20 +01005642 IMPORTANT NOTE: historically in HTTP/1.x, the vast majority of requests sent
5643 by browsers use the "origin form", which differs from the "absolute form" in
5644 that they do not contain a scheme nor authority in the URI portion. Mostly
5645 only requests sent to proxies, those forged by hand and some emitted by
5646 certain applications use the absolute form. As such, "replace-uri" usually
5647 works fine most of the time in HTTP/1.x with rules starting with a "/". But
5648 with HTTP/2, clients are encouraged to send absolute URIs only, which look
5649 like the ones HTTP/1 clients use to talk to proxies. Such partial replace-uri
5650 rules may then fail in HTTP/2 when they work in HTTP/1. Either the rules need
Willy Tarreau262c3f12019-12-17 06:52:51 +01005651 to be adapted to optionally match a scheme and authority, or replace-path
5652 should be used.
Willy Tarreau33810222019-06-12 17:44:02 +02005653
Willy Tarreau62b59132019-12-17 06:51:20 +01005654 Example:
5655 # rewrite all "http" absolute requests to "https":
5656 http-request replace-uri ^http://(.*) https://\1
Willy Tarreau33810222019-06-12 17:44:02 +02005657
Willy Tarreau62b59132019-12-17 06:51:20 +01005658 # prefix /foo : turn /bar?q=1 into /foo/bar?q=1 :
5659 http-request replace-uri ([^/:]*://[^/]*)?(.*) \1/foo\2
Willy Tarreau33810222019-06-12 17:44:02 +02005660
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005661http-request replace-value <name> <match-regex> <replace-fmt>
5662 [ { if | unless } <condition> ]
Willy Tarreau09448f72014-06-25 18:12:15 +02005663
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005664 This works like "replace-header" except that it matches the regex against
5665 every comma-delimited value of the header field <name> instead of the
5666 entire header. This is suited for all headers which are allowed to carry
5667 more than one value. An example could be the Accept header.
Willy Tarreau09448f72014-06-25 18:12:15 +02005668
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005669 Example:
5670 http-request replace-value X-Forwarded-For ^192\.168\.(.*)$ 172.16.\1
Thierry FOURNIER236657b2015-08-19 08:25:14 +02005671
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005672 # applied to:
5673 X-Forwarded-For: 192.168.10.1, 192.168.13.24, 10.0.0.37
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02005674
Tim Duesterhus2252beb2019-10-29 00:05:13 +01005675 # outputs:
5676 X-Forwarded-For: 172.16.10.1, 172.16.13.24, 10.0.0.37
Frédéric Lécaille6778b272018-01-29 15:22:53 +01005677
Christopher Faulet24231ab2020-01-24 17:44:23 +01005678http-request return [status <code>] [content-type <type>]
5679 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
5680 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
Christopher Faulet4a2c1422020-01-31 17:36:01 +01005681 [ hdr <name> <fmt> ]*
Christopher Faulet24231ab2020-01-24 17:44:23 +01005682 [ { if | unless } <condition> ]
5683
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05005684 This stops the evaluation of the rules and immediately returns a response. The
Christopher Faulet24231ab2020-01-24 17:44:23 +01005685 default status code used for the response is 200. It can be optionally
5686 specified as an arguments to "status". The response content-type may also be
Daniel Corbett67a82712020-07-06 23:01:19 -04005687 specified as an argument to "content-type". Finally the response itself may
Sébastien Grossab877122020-10-08 10:06:03 +02005688 be defined. It can be a full HTTP response specifying the errorfile to use,
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05005689 or the response payload specifying the file or the string to use. These rules
Christopher Faulet24231ab2020-01-24 17:44:23 +01005690 are followed to create the response :
5691
5692 * If neither the errorfile nor the payload to use is defined, a dummy
5693 response is returned. Only the "status" argument is considered. It can be
5694 any code in the range [200, 599]. The "content-type" argument, if any, is
5695 ignored.
5696
5697 * If "default-errorfiles" argument is set, the proxy's errorfiles are
5698 considered. If the "status" argument is defined, it must be one of the
Daniel Corbett67a82712020-07-06 23:01:19 -04005699 status code handled by haproxy (200, 400, 403, 404, 405, 408, 410, 413,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02005700 425, 429, 500, 502, 503, and 504). The "content-type" argument, if any,
5701 is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01005702
5703 * If a specific errorfile is defined, with an "errorfile" argument, the
5704 corresponding file, containing a full HTTP response, is returned. Only the
5705 "status" argument is considered. It must be one of the status code handled
Daniel Corbett67a82712020-07-06 23:01:19 -04005706 by haproxy (200, 400, 403, 404, 405, 408, 410, 413, 425, 429, 500, 502, 503,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02005707 and 504). The "content-type" argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01005708
5709 * If an http-errors section is defined, with an "errorfiles" argument, the
5710 corresponding file in the specified http-errors section, containing a full
5711 HTTP response, is returned. Only the "status" argument is considered. It
Daniel Corbett67a82712020-07-06 23:01:19 -04005712 must be one of the status code handled by haproxy (200, 400, 403, 404, 405,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02005713 408, 410, 413, 425, 429, 500, 502, 503, and 504). The "content-type"
5714 argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01005715
5716 * If a "file" or a "lf-file" argument is specified, the file's content is
5717 used as the response payload. If the file is not empty, its content-type
5718 must be set as argument to "content-type". Otherwise, any "content-type"
5719 argument is ignored. With a "lf-file" argument, the file's content is
5720 evaluated as a log-format string. With a "file" argument, it is considered
5721 as a raw content.
5722
5723 * If a "string" or "lf-string" argument is specified, the defined string is
5724 used as the response payload. The content-type must always be set as
5725 argument to "content-type". With a "lf-string" argument, the string is
5726 evaluated as a log-format string. With a "string" argument, it is
5727 considered as a raw string.
5728
Sébastien Grossab877122020-10-08 10:06:03 +02005729 When the response is not based on an errorfile, it is possible to append HTTP
Christopher Faulet4a2c1422020-01-31 17:36:01 +01005730 header fields to the response using "hdr" arguments. Otherwise, all "hdr"
5731 arguments are ignored. For each one, the header name is specified in <name>
5732 and its value is defined by <fmt> which follows the log-format rules.
5733
Christopher Faulet24231ab2020-01-24 17:44:23 +01005734 Note that the generated response must be smaller than a buffer. And to avoid
5735 any warning, when an errorfile or a raw file is loaded, the buffer space
Sébastien Grossab877122020-10-08 10:06:03 +02005736 reserved for the headers rewriting should also be free.
Christopher Faulet24231ab2020-01-24 17:44:23 +01005737
5738 No further "http-request" rules are evaluated.
5739
5740 Example:
Daniel Corbett67a82712020-07-06 23:01:19 -04005741 http-request return errorfile /etc/haproxy/errorfiles/200.http \
Christopher Faulet24231ab2020-01-24 17:44:23 +01005742 if { path /ping }
5743
5744 http-request return content-type image/x-icon file /var/www/favicon.ico \
5745 if { path /favicon.ico }
5746
5747 http-request return status 403 content-type text/plain \
5748 lf-string "Access denied. IP %[src] is blacklisted." \
5749 if { src -f /etc/haproxy/blacklist.lst }
5750
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005751http-request sc-inc-gpc0(<sc-id>) [ { if | unless } <condition> ]
5752http-request sc-inc-gpc1(<sc-id>) [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02005753
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005754 This actions increments the GPC0 or GPC1 counter according with the sticky
5755 counter designated by <sc-id>. If an error occurs, this action silently fails
5756 and the actions evaluation continues.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02005757
Cédric Dufour0d7712d2019-11-06 18:38:53 +01005758http-request sc-set-gpt0(<sc-id>) { <int> | <expr> }
5759 [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02005760
Cédric Dufour0d7712d2019-11-06 18:38:53 +01005761 This action sets the 32-bit unsigned GPT0 tag according to the sticky counter
5762 designated by <sc-id> and the value of <int>/<expr>. The expected result is a
5763 boolean. If an error occurs, this action silently fails and the actions
5764 evaluation continues.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02005765
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005766http-request set-dst <expr> [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02005767
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005768 This is used to set the destination IP address to the value of specified
5769 expression. Useful when a proxy in front of HAProxy rewrites destination IP,
5770 but provides the correct IP in a HTTP header; or you want to mask the IP for
5771 privacy. If you want to connect to the new address/port, use '0.0.0.0:0' as a
5772 server address in the backend.
Christopher Faulet85d79c92016-11-09 16:54:56 +01005773
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005774 Arguments:
5775 <expr> Is a standard HAProxy expression formed by a sample-fetch followed
5776 by some converters.
Christopher Faulet85d79c92016-11-09 16:54:56 +01005777
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005778 Example:
5779 http-request set-dst hdr(x-dst)
5780 http-request set-dst dst,ipmask(24)
Christopher Faulet85d79c92016-11-09 16:54:56 +01005781
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005782 When possible, set-dst preserves the original destination port as long as the
5783 address family allows it, otherwise the destination port is set to 0.
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02005784
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005785http-request set-dst-port <expr> [ { if | unless } <condition> ]
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02005786
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005787 This is used to set the destination port address to the value of specified
5788 expression. If you want to connect to the new address/port, use '0.0.0.0:0'
5789 as a server address in the backend.
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02005790
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005791 Arguments:
5792 <expr> Is a standard HAProxy expression formed by a sample-fetch
5793 followed by some converters.
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02005794
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005795 Example:
5796 http-request set-dst-port hdr(x-port)
5797 http-request set-dst-port int(4000)
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02005798
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005799 When possible, set-dst-port preserves the original destination address as
5800 long as the address family supports a port, otherwise it forces the
5801 destination address to IPv4 "0.0.0.0" before rewriting the port.
William Lallemand44be6402016-05-25 01:51:35 +02005802
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005803http-request set-header <name> <fmt> [ { if | unless } <condition> ]
William Lallemand44be6402016-05-25 01:51:35 +02005804
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005805 This does the same as "http-request add-header" except that the header name
5806 is first removed if it existed. This is useful when passing security
5807 information to the server, where the header must not be manipulated by
5808 external users. Note that the new value is computed before the removal so it
5809 is possible to concatenate a value to an existing header.
William Lallemand44be6402016-05-25 01:51:35 +02005810
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005811 Example:
5812 http-request set-header X-Haproxy-Current-Date %T
5813 http-request set-header X-SSL %[ssl_fc]
5814 http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
5815 http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
5816 http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
5817 http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
5818 http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
5819 http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
5820 http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
William Lallemand44be6402016-05-25 01:51:35 +02005821
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005822http-request set-log-level <level> [ { if | unless } <condition> ]
William Lallemand44be6402016-05-25 01:51:35 +02005823
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005824 This is used to change the log level of the current request when a certain
5825 condition is met. Valid levels are the 8 syslog levels (see the "log"
5826 keyword) plus the special level "silent" which disables logging for this
5827 request. This rule is not final so the last matching rule wins. This rule
5828 can be useful to disable health checks coming from another equipment.
William Lallemand13e9b0c2016-05-25 02:34:07 +02005829
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005830http-request set-map(<file-name>) <key fmt> <value fmt>
5831 [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02005832
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005833 This is used to add a new entry into a MAP. The MAP must be loaded from a
5834 file (even a dummy empty file). The file name of the MAP to be updated is
5835 passed between parentheses. It takes 2 arguments: <key fmt>, which follows
5836 log-format rules, used to collect MAP key, and <value fmt>, which follows
5837 log-format rules, used to collect content for the new entry.
5838 It performs a lookup in the MAP before insertion, to avoid duplicated (or
5839 more) values. This lookup is done by a linear search and can be expensive
5840 with large lists! It is the equivalent of the "set map" command from the
5841 stats socket, but can be triggered by an HTTP request.
William Lallemand13e9b0c2016-05-25 02:34:07 +02005842
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005843http-request set-mark <mark> [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02005844
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005845 This is used to set the Netfilter MARK on all packets sent to the client to
5846 the value passed in <mark> on platforms which support it. This value is an
5847 unsigned 32 bit value which can be matched by netfilter and by the routing
5848 table. It can be expressed both in decimal or hexadecimal format (prefixed by
5849 "0x"). This can be useful to force certain packets to take a different route
5850 (for example a cheaper network path for bulk downloads). This works on Linux
5851 kernels 2.6.32 and above and requires admin privileges.
Willy Tarreau00005ce2016-10-21 15:07:45 +02005852
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005853http-request set-method <fmt> [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02005854
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005855 This rewrites the request method with the result of the evaluation of format
5856 string <fmt>. There should be very few valid reasons for having to do so as
5857 this is more likely to break something than to fix it.
William Lallemand13e9b0c2016-05-25 02:34:07 +02005858
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005859http-request set-nice <nice> [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02005860
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005861 This sets the "nice" factor of the current request being processed. It only
5862 has effect against the other requests being processed at the same time.
5863 The default value is 0, unless altered by the "nice" setting on the "bind"
5864 line. The accepted range is -1024..1024. The higher the value, the nicest
5865 the request will be. Lower values will make the request more important than
5866 other ones. This can be useful to improve the speed of some requests, or
5867 lower the priority of non-important requests. Using this setting without
5868 prior experimentation can cause some major slowdown.
William Lallemand13e9b0c2016-05-25 02:34:07 +02005869
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005870http-request set-path <fmt> [ { if | unless } <condition> ]
Willy Tarreau00005ce2016-10-21 15:07:45 +02005871
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005872 This rewrites the request path with the result of the evaluation of format
5873 string <fmt>. The query string, if any, is left intact. If a scheme and
5874 authority is found before the path, they are left intact as well. If the
5875 request doesn't have a path ("*"), this one is replaced with the format.
5876 This can be used to prepend a directory component in front of a path for
5877 example. See also "http-request set-query" and "http-request set-uri".
Willy Tarreau2d392c22015-08-24 01:43:45 +02005878
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005879 Example :
5880 # prepend the host name before the path
5881 http-request set-path /%[hdr(host)]%[path]
Christopher Faulet76c09ef2017-09-21 11:03:52 +02005882
Christopher Faulet312294f2020-09-02 17:17:44 +02005883http-request set-pathq <fmt> [ { if | unless } <condition> ]
5884
5885 This does the same as "http-request set-path" except that the query-string is
5886 also rewritten. It may be used to remove the query-string, including the
5887 question mark (it is not possible using "http-request set-query").
5888
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005889http-request set-priority-class <expr> [ { if | unless } <condition> ]
Olivier Houchardccaa7de2017-10-02 11:51:03 +02005890
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005891 This is used to set the queue priority class of the current request.
5892 The value must be a sample expression which converts to an integer in the
5893 range -2047..2047. Results outside this range will be truncated.
5894 The priority class determines the order in which queued requests are
5895 processed. Lower values have higher priority.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02005896
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005897http-request set-priority-offset <expr> [ { if | unless } <condition> ]
Christopher Faulet76c09ef2017-09-21 11:03:52 +02005898
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005899 This is used to set the queue priority timestamp offset of the current
5900 request. The value must be a sample expression which converts to an integer
5901 in the range -524287..524287. Results outside this range will be truncated.
5902 When a request is queued, it is ordered first by the priority class, then by
5903 the current timestamp adjusted by the given offset in milliseconds. Lower
5904 values have higher priority.
5905 Note that the resulting timestamp is is only tracked with enough precision
5906 for 524,287ms (8m44s287ms). If the request is queued long enough to where the
5907 adjusted timestamp exceeds this value, it will be misidentified as highest
5908 priority. Thus it is important to set "timeout queue" to a value, where when
5909 combined with the offset, does not exceed this limit.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02005910
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005911http-request set-query <fmt> [ { if | unless } <condition> ]
Willy Tarreau20b0de52012-12-24 15:45:22 +01005912
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005913 This rewrites the request's query string which appears after the first
5914 question mark ("?") with the result of the evaluation of format string <fmt>.
5915 The part prior to the question mark is left intact. If the request doesn't
5916 contain a question mark and the new value is not empty, then one is added at
5917 the end of the URI, followed by the new value. If a question mark was
5918 present, it will never be removed even if the value is empty. This can be
5919 used to add or remove parameters from the query string.
Ruoshan Huangeb5a3632015-12-08 21:00:23 +08005920
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005921 See also "http-request set-query" and "http-request set-uri".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005922
5923 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005924 # replace "%3D" with "=" in the query string
5925 http-request set-query %[query,regsub(%3D,=,g)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005926
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005927http-request set-src <expr> [ { if | unless } <condition> ]
5928 This is used to set the source IP address to the value of specified
5929 expression. Useful when a proxy in front of HAProxy rewrites source IP, but
5930 provides the correct IP in a HTTP header; or you want to mask source IP for
Olivier Doucet56e31202020-04-21 09:32:56 +02005931 privacy. All subsequent calls to "src" fetch will return this value
5932 (see example).
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005933
5934 Arguments :
5935 <expr> Is a standard HAProxy expression formed by a sample-fetch followed
5936 by some converters.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005937
Olivier Doucet56e31202020-04-21 09:32:56 +02005938 See also "option forwardfor".
5939
Cyril Bonté78caf842010-03-10 22:41:43 +01005940 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005941 http-request set-src hdr(x-forwarded-for)
5942 http-request set-src src,ipmask(24)
5943
Olivier Doucet56e31202020-04-21 09:32:56 +02005944 # After the masking this will track connections
5945 # based on the IP address with the last byte zeroed out.
5946 http-request track-sc0 src
5947
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005948 When possible, set-src preserves the original source port as long as the
5949 address family allows it, otherwise the source port is set to 0.
5950
5951http-request set-src-port <expr> [ { if | unless } <condition> ]
5952
5953 This is used to set the source port address to the value of specified
5954 expression.
5955
5956 Arguments:
5957 <expr> Is a standard HAProxy expression formed by a sample-fetch followed
5958 by some converters.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005959
Willy Tarreau20b0de52012-12-24 15:45:22 +01005960 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005961 http-request set-src-port hdr(x-port)
5962 http-request set-src-port int(4000)
5963
5964 When possible, set-src-port preserves the original source address as long as
5965 the address family supports a port, otherwise it forces the source address to
5966 IPv4 "0.0.0.0" before rewriting the port.
5967
5968http-request set-tos <tos> [ { if | unless } <condition> ]
5969
5970 This is used to set the TOS or DSCP field value of packets sent to the client
5971 to the value passed in <tos> on platforms which support this. This value
5972 represents the whole 8 bits of the IP TOS field, and can be expressed both in
5973 decimal or hexadecimal format (prefixed by "0x"). Note that only the 6 higher
5974 bits are used in DSCP or TOS, and the two lower bits are always 0. This can
5975 be used to adjust some routing behavior on border routers based on some
5976 information from the request.
5977
5978 See RFC 2474, 2597, 3260 and 4594 for more information.
5979
5980http-request set-uri <fmt> [ { if | unless } <condition> ]
5981
5982 This rewrites the request URI with the result of the evaluation of format
5983 string <fmt>. The scheme, authority, path and query string are all replaced
5984 at once. This can be used to rewrite hosts in front of proxies, or to
5985 perform complex modifications to the URI such as moving parts between the
5986 path and the query string.
5987 See also "http-request set-path" and "http-request set-query".
5988
5989http-request set-var(<var-name>) <expr> [ { if | unless } <condition> ]
5990
5991 This is used to set the contents of a variable. The variable is declared
5992 inline.
5993
5994 Arguments:
5995 <var-name> The name of the variable starts with an indication about its
5996 scope. The scopes allowed are:
5997 "proc" : the variable is shared with the whole process
5998 "sess" : the variable is shared with the whole session
5999 "txn" : the variable is shared with the transaction
6000 (request and response)
6001 "req" : the variable is shared only during request
6002 processing
6003 "res" : the variable is shared only during response
6004 processing
6005 This prefix is followed by a name. The separator is a '.'.
6006 The name may only contain characters 'a-z', 'A-Z', '0-9'
6007 and '_'.
6008
6009 <expr> Is a standard HAProxy expression formed by a sample-fetch
6010 followed by some converters.
Willy Tarreau20b0de52012-12-24 15:45:22 +01006011
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006012 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006013 http-request set-var(req.my_var) req.fhdr(user-agent),lower
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006014
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006015http-request send-spoe-group <engine-name> <group-name>
6016 [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006017
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006018 This action is used to trigger sending of a group of SPOE messages. To do so,
6019 the SPOE engine used to send messages must be defined, as well as the SPOE
6020 group to send. Of course, the SPOE engine must refer to an existing SPOE
6021 filter. If not engine name is provided on the SPOE filter line, the SPOE
6022 agent name must be used.
6023
6024 Arguments:
6025 <engine-name> The SPOE engine name.
6026
6027 <group-name> The SPOE group name as specified in the engine
6028 configuration.
6029
6030http-request silent-drop [ { if | unless } <condition> ]
6031
6032 This stops the evaluation of the rules and makes the client-facing connection
6033 suddenly disappear using a system-dependent way that tries to prevent the
6034 client from being notified. The effect it then that the client still sees an
6035 established connection while there's none on HAProxy. The purpose is to
6036 achieve a comparable effect to "tarpit" except that it doesn't use any local
6037 resource at all on the machine running HAProxy. It can resist much higher
6038 loads than "tarpit", and slow down stronger attackers. It is important to
6039 understand the impact of using this mechanism. All stateful equipment placed
6040 between the client and HAProxy (firewalls, proxies, load balancers) will also
6041 keep the established connection for a long time and may suffer from this
6042 action.
6043 On modern Linux systems running with enough privileges, the TCP_REPAIR socket
6044 option is used to block the emission of a TCP reset. On other systems, the
6045 socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first
6046 router, though it's still delivered to local networks. Do not use it unless
6047 you fully understand how it works.
6048
Christopher Faulet46f95542019-12-20 10:07:22 +01006049http-request strict-mode { on | off }
6050
6051 This enables or disables the strict rewriting mode for following rules. It
6052 does not affect rules declared before it and it is only applicable on rules
6053 performing a rewrite on the requests. When the strict mode is enabled, any
6054 rewrite failure triggers an internal error. Otherwise, such errors are
6055 silently ignored. The purpose of the strict rewriting mode is to make some
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006056 rewrites optional while others must be performed to continue the request
Christopher Faulet46f95542019-12-20 10:07:22 +01006057 processing.
6058
Christopher Faulet1aea50e2020-01-17 16:03:53 +01006059 By default, the strict rewriting mode is enabled. Its value is also reset
Christopher Faulet46f95542019-12-20 10:07:22 +01006060 when a ruleset evaluation ends. So, for instance, if you change the mode on
6061 the frontend, the default mode is restored when HAProxy starts the backend
6062 rules evaluation.
6063
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006064http-request tarpit [deny_status <status>] [ { if | unless } <condition> ]
6065http-request tarpit [ { status | deny_status } <code>] [content-type <type>]
6066 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
6067 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
6068 [ hdr <name> <fmt> ]*
6069 [ { if | unless } <condition> ]
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006070
6071 This stops the evaluation of the rules and immediately blocks the request
6072 without responding for a delay specified by "timeout tarpit" or
6073 "timeout connect" if the former is not set. After that delay, if the client
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006074 is still connected, a response is returned so that the client does not
6075 suspect it has been tarpitted. Logs will report the flags "PT". The goal of
6076 the tarpit rule is to slow down robots during an attack when they're limited
6077 on the number of concurrent requests. It can be very efficient against very
6078 dumb robots, and will significantly reduce the load on firewalls compared to
6079 a "deny" rule. But when facing "correctly" developed robots, it can make
6080 things worse by forcing haproxy and the front firewall to support insane
6081 number of concurrent connections. By default an HTTP error 500 is returned.
6082 But the response may be customized using same syntax than
6083 "http-request return" rules. Thus, see "http-request return" for details.
Ilya Shipitsin11057a32020-06-21 21:18:27 +05006084 For compatibility purpose, when no argument is defined, or only "deny_status",
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006085 the argument "default-errorfiles" is implied. It means
6086 "http-request tarpit [deny_status <status>]" is an alias of
6087 "http-request tarpit [status <status>] default-errorfiles".
6088 No further "http-request" rules are evaluated.
6089 See also "http-request return" and "http-request silent-drop".
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006090
6091http-request track-sc0 <key> [table <table>] [ { if | unless } <condition> ]
6092http-request track-sc1 <key> [table <table>] [ { if | unless } <condition> ]
6093http-request track-sc2 <key> [table <table>] [ { if | unless } <condition> ]
6094
6095 This enables tracking of sticky counters from current request. These rules do
6096 not stop evaluation and do not change default action. The number of counters
6097 that may be simultaneously tracked by the same connection is set in
6098 MAX_SESS_STKCTR at build time (reported in haproxy -vv) which defaults to 3,
6099 so the track-sc number is between 0 and (MAX_SESS_STCKTR-1). The first
6100 "track-sc0" rule executed enables tracking of the counters of the specified
6101 table as the first set. The first "track-sc1" rule executed enables tracking
6102 of the counters of the specified table as the second set. The first
6103 "track-sc2" rule executed enables tracking of the counters of the specified
6104 table as the third set. It is a recommended practice to use the first set of
6105 counters for the per-frontend counters and the second set for the per-backend
6106 ones. But this is just a guideline, all may be used everywhere.
6107
6108 Arguments :
6109 <key> is mandatory, and is a sample expression rule as described in
6110 section 7.3. It describes what elements of the incoming request or
6111 connection will be analyzed, extracted, combined, and used to
6112 select which table entry to update the counters.
6113
6114 <table> is an optional table to be used instead of the default one, which
6115 is the stick-table declared in the current proxy. All the counters
6116 for the matches and updates for the key will then be performed in
6117 that table until the session ends.
6118
6119 Once a "track-sc*" rule is executed, the key is looked up in the table and if
6120 it is not found, an entry is allocated for it. Then a pointer to that entry
6121 is kept during all the session's life, and this entry's counters are updated
6122 as often as possible, every time the session's counters are updated, and also
6123 systematically when the session ends. Counters are only updated for events
6124 that happen after the tracking has been started. As an exception, connection
6125 counters and request counters are systematically updated so that they reflect
6126 useful information.
6127
6128 If the entry tracks concurrent connection counters, one connection is counted
6129 for as long as the entry is tracked, and the entry will not expire during
6130 that time. Tracking counters also provides a performance advantage over just
6131 checking the keys, because only one table lookup is performed for all ACL
6132 checks that make use of it.
6133
6134http-request unset-var(<var-name>) [ { if | unless } <condition> ]
6135
6136 This is used to unset a variable. See above for details about <var-name>.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006137
6138 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006139 http-request unset-var(req.my_var)
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006140
Christopher Faulet579d83b2019-11-22 15:34:17 +01006141http-request use-service <service-name> [ { if | unless } <condition> ]
6142
6143 This directive executes the configured HTTP service to reply to the request
6144 and stops the evaluation of the rules. An HTTP service may choose to reply by
6145 sending any valid HTTP response or it may immediately close the connection
6146 without sending any response. Outside natives services, for instance the
6147 Prometheus exporter, it is possible to write your own services in Lua. No
6148 further "http-request" rules are evaluated.
6149
6150 Arguments :
6151 <service-name> is mandatory. It is the service to call
6152
6153 Example:
6154 http-request use-service prometheus-exporter if { path /metrics }
6155
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006156http-request wait-for-handshake [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006157
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006158 This will delay the processing of the request until the SSL handshake
6159 happened. This is mostly useful to delay processing early data until we're
6160 sure they are valid.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006161
Willy Tarreauef781042010-01-27 11:53:01 +01006162
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006163http-response <action> <options...> [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006164 Access control for Layer 7 responses
6165
6166 May be used in sections: defaults | frontend | listen | backend
6167 no | yes | yes | yes
6168
6169 The http-response statement defines a set of rules which apply to layer 7
6170 processing. The rules are evaluated in their declaration order when they are
6171 met in a frontend, listen or backend section. Any rule may optionally be
6172 followed by an ACL-based condition, in which case it will only be evaluated
6173 if the condition is true. Since these rules apply on responses, the backend
6174 rules are applied first, followed by the frontend's rules.
6175
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006176 The first keyword is the rule's action. The supported actions are described
6177 below.
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006178
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006179 There is no limit to the number of http-response statements per instance.
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006180
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006181 Example:
6182 acl key_acl res.hdr(X-Acl-Key) -m found
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02006183
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006184 acl myhost hdr(Host) -f myhost.lst
Sasha Pachev218f0642014-06-16 12:05:59 -06006185
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006186 http-response add-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
6187 http-response del-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
Sasha Pachev218f0642014-06-16 12:05:59 -06006188
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006189 Example:
6190 acl value res.hdr(X-Value) -m found
Sasha Pachev218f0642014-06-16 12:05:59 -06006191
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006192 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
Sasha Pachev218f0642014-06-16 12:05:59 -06006193
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006194 http-response set-map(map.lst) %[src] %[res.hdr(X-Value)] if value
6195 http-response del-map(map.lst) %[src] if ! value
Sasha Pachev218f0642014-06-16 12:05:59 -06006196
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006197 See also : "http-request", section 3.4 about userlists and section 7 about
6198 ACL usage.
Sasha Pachev218f0642014-06-16 12:05:59 -06006199
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006200http-response add-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006201
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006202 This is used to add a new entry into an ACL. The ACL must be loaded from a
6203 file (even a dummy empty file). The file name of the ACL to be updated is
6204 passed between parentheses. It takes one argument: <key fmt>, which follows
6205 log-format rules, to collect content of the new entry. It performs a lookup
6206 in the ACL before insertion, to avoid duplicated (or more) values.
6207 This lookup is done by a linear search and can be expensive with large lists!
6208 It is the equivalent of the "add acl" command from the stats socket, but can
6209 be triggered by an HTTP response.
Sasha Pachev218f0642014-06-16 12:05:59 -06006210
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006211http-response add-header <name> <fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006212
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006213 This appends an HTTP header field whose name is specified in <name> and whose
6214 value is defined by <fmt> which follows the log-format rules (see Custom Log
6215 Format in section 8.2.4). This may be used to send a cookie to a client for
6216 example, or to pass some internal information.
6217 This rule is not final, so it is possible to add other similar rules.
6218 Note that header addition is performed immediately, so one rule might reuse
6219 the resulting header from a previous rule.
Sasha Pachev218f0642014-06-16 12:05:59 -06006220
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006221http-response allow [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006222
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006223 This stops the evaluation of the rules and lets the response pass the check.
6224 No further "http-response" rules are evaluated for the current section.
Sasha Pachev218f0642014-06-16 12:05:59 -06006225
Jarno Huuskonen251a6b72019-01-04 14:05:02 +02006226http-response cache-store <name> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006227
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02006228 See section 6.2 about cache setup.
Sasha Pachev218f0642014-06-16 12:05:59 -06006229
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006230http-response capture <sample> id <id> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006231
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006232 This captures sample expression <sample> from the response buffer, and
6233 converts it to a string. The resulting string is stored into the next request
6234 "capture" slot, so it will possibly appear next to some captured HTTP
6235 headers. It will then automatically appear in the logs, and it will be
6236 possible to extract it using sample fetch rules to feed it into headers or
6237 anything. Please check section 7.3 (Fetching samples) and
6238 "capture response header" for more information.
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02006239
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006240 The keyword "id" is the id of the capture slot which is used for storing the
6241 string. The capture slot must be defined in an associated frontend.
6242 This is useful to run captures in backends. The slot id can be declared by a
6243 previous directive "http-response capture" or with the "declare capture"
6244 keyword.
Baptiste Assmann19a69b32020-01-16 14:34:22 +01006245
6246 When using this action in a backend, double check that the relevant
6247 frontend(s) have the required capture slots otherwise, this rule will be
6248 ignored at run time. This can't be detected at configuration parsing time
6249 due to HAProxy's ability to dynamically resolve backend name at runtime.
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02006250
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006251http-response del-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02006252
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006253 This is used to delete an entry from an ACL. The ACL must be loaded from a
6254 file (even a dummy empty file). The file name of the ACL to be updated is
6255 passed between parentheses. It takes one argument: <key fmt>, which follows
6256 log-format rules, to collect content of the entry to delete.
6257 It is the equivalent of the "del acl" command from the stats socket, but can
6258 be triggered by an HTTP response.
Willy Tarreauf4c43c12013-06-11 17:01:13 +02006259
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006260http-response del-header <name> [ { if | unless } <condition> ]
Willy Tarreau9a355ec2013-06-11 17:45:46 +02006261
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006262 This removes all HTTP header fields whose name is specified in <name>.
Willy Tarreau42cf39e2013-06-11 18:51:32 +02006263
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006264http-response del-map(<file-name>) <key fmt> [ { if | unless } <condition> ]
Willy Tarreau51347ed2013-06-11 19:34:13 +02006265
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006266 This is used to delete an entry from a MAP. The MAP must be loaded from a
6267 file (even a dummy empty file). The file name of the MAP to be updated is
6268 passed between parentheses. It takes one argument: <key fmt>, which follows
6269 log-format rules, to collect content of the entry to delete.
6270 It takes one argument: "file name" It is the equivalent of the "del map"
6271 command from the stats socket, but can be triggered by an HTTP response.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006272
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006273http-response deny [deny_status <status>] [ { if | unless } <condition> ]
6274http-response deny [ { status | deny_status } <code>] [content-type <type>]
6275 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
6276 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
6277 [ hdr <name> <fmt> ]*
6278 [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006279
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006280 This stops the evaluation of the rules and immediately rejects the response.
6281 By default an HTTP 502 error is returned. But the response may be customized
6282 using same syntax than "http-response return" rules. Thus, see
Ilya Shipitsin11057a32020-06-21 21:18:27 +05006283 "http-response return" for details. For compatibility purpose, when no
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006284 argument is defined, or only "deny_status", the argument "default-errorfiles"
6285 is implied. It means "http-response deny [deny_status <status>]" is an alias
6286 of "http-response deny [status <status>] default-errorfiles".
Christopher Faulet040c8cd2020-01-13 16:43:45 +01006287 No further "http-response" rules are evaluated.
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006288 See also "http-response return".
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006289
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006290http-response redirect <rule> [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006291
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006292 This performs an HTTP redirection based on a redirect rule.
6293 This supports a format string similarly to "http-request redirect" rules,
6294 with the exception that only the "location" type of redirect is possible on
6295 the response. See the "redirect" keyword for the rule's syntax. When a
6296 redirect rule is applied during a response, connections to the server are
6297 closed so that no data can be forwarded from the server to the client.
Thierry FOURNIERe80fada2015-05-26 18:06:31 +02006298
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006299http-response replace-header <name> <regex-match> <replace-fmt>
6300 [ { if | unless } <condition> ]
Thierry FOURNIERe80fada2015-05-26 18:06:31 +02006301
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006302 This works like "http-request replace-header" except that it works on the
6303 server's response instead of the client's request.
William Lallemand86d0df02017-11-24 21:36:45 +01006304
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006305 Example:
6306 http-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
Willy Tarreau51d861a2015-05-22 17:30:48 +02006307
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006308 # applied to:
6309 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006310
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006311 # outputs:
6312 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006313
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006314 # assuming the backend IP is 192.168.1.20.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006315
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006316http-response replace-value <name> <regex-match> <replace-fmt>
6317 [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006318
Tim Duesterhus6bd909b2020-01-17 15:53:18 +01006319 This works like "http-request replace-value" except that it works on the
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006320 server's response instead of the client's request.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006321
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006322 Example:
6323 http-response replace-value Cache-control ^public$ private
Christopher Faulet85d79c92016-11-09 16:54:56 +01006324
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006325 # applied to:
6326 Cache-Control: max-age=3600, public
Christopher Faulet85d79c92016-11-09 16:54:56 +01006327
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006328 # outputs:
6329 Cache-Control: max-age=3600, private
Christopher Faulet85d79c92016-11-09 16:54:56 +01006330
Christopher Faulet24231ab2020-01-24 17:44:23 +01006331http-response return [status <code>] [content-type <type>]
6332 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
6333 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
Christopher Faulet4a2c1422020-01-31 17:36:01 +01006334 [ hdr <name> <value> ]*
Christopher Faulet24231ab2020-01-24 17:44:23 +01006335 [ { if | unless } <condition> ]
6336
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006337 This stops the evaluation of the rules and immediately returns a response. The
Christopher Faulet24231ab2020-01-24 17:44:23 +01006338 default status code used for the response is 200. It can be optionally
6339 specified as an arguments to "status". The response content-type may also be
Daniel Corbett67a82712020-07-06 23:01:19 -04006340 specified as an argument to "content-type". Finally the response itself may
Christopher Faulet24231ab2020-01-24 17:44:23 +01006341 be defined. If can be a full HTTP response specifying the errorfile to use,
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006342 or the response payload specifying the file or the string to use. These rules
Christopher Faulet24231ab2020-01-24 17:44:23 +01006343 are followed to create the response :
6344
6345 * If neither the errorfile nor the payload to use is defined, a dummy
6346 response is returned. Only the "status" argument is considered. It can be
6347 any code in the range [200, 599]. The "content-type" argument, if any, is
6348 ignored.
6349
6350 * If "default-errorfiles" argument is set, the proxy's errorfiles are
6351 considered. If the "status" argument is defined, it must be one of the
Daniel Corbett67a82712020-07-06 23:01:19 -04006352 status code handled by haproxy (200, 400, 403, 404, 405, 408, 410, 413,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02006353 425, 429, 500, 502, 503, and 504). The "content-type" argument, if any,
6354 is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006355
6356 * If a specific errorfile is defined, with an "errorfile" argument, the
6357 corresponding file, containing a full HTTP response, is returned. Only the
6358 "status" argument is considered. It must be one of the status code handled
Daniel Corbett67a82712020-07-06 23:01:19 -04006359 by haproxy (200, 400, 403, 404, 405, 408, 410, 413, 425, 429, 500, 502, 503,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02006360 and 504). The "content-type" argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006361
6362 * If an http-errors section is defined, with an "errorfiles" argument, the
6363 corresponding file in the specified http-errors section, containing a full
6364 HTTP response, is returned. Only the "status" argument is considered. It
Daniel Corbett67a82712020-07-06 23:01:19 -04006365 must be one of the status code handled by haproxy (200, 400, 403, 404, 405,
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02006366 408, 410, 413, 425, 429, 500, 502, 503, and 504). The "content-type"
6367 argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006368
6369 * If a "file" or a "lf-file" argument is specified, the file's content is
6370 used as the response payload. If the file is not empty, its content-type
6371 must be set as argument to "content-type". Otherwise, any "content-type"
6372 argument is ignored. With a "lf-file" argument, the file's content is
6373 evaluated as a log-format string. With a "file" argument, it is considered
6374 as a raw content.
6375
6376 * If a "string" or "lf-string" argument is specified, the defined string is
6377 used as the response payload. The content-type must always be set as
6378 argument to "content-type". With a "lf-string" argument, the string is
6379 evaluated as a log-format string. With a "string" argument, it is
6380 considered as a raw string.
6381
Christopher Faulet4a2c1422020-01-31 17:36:01 +01006382 When the response is not based an errorfile, it is possible to appends HTTP
6383 header fields to the response using "hdr" arguments. Otherwise, all "hdr"
6384 arguments are ignored. For each one, the header name is specified in <name>
6385 and its value is defined by <fmt> which follows the log-format rules.
6386
Christopher Faulet24231ab2020-01-24 17:44:23 +01006387 Note that the generated response must be smaller than a buffer. And to avoid
6388 any warning, when an errorfile or a raw file is loaded, the buffer space
Ilya Shipitsin11057a32020-06-21 21:18:27 +05006389 reserved to the headers rewriting should also be free.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006390
6391 No further "http-response" rules are evaluated.
6392
6393 Example:
Daniel Corbett67a82712020-07-06 23:01:19 -04006394 http-response return errorfile /etc/haproxy/errorfiles/200.http \
Christopher Faulet24231ab2020-01-24 17:44:23 +01006395 if { status eq 404 }
6396
6397 http-response return content-type text/plain \
6398 string "This is the end !" \
6399 if { status eq 500 }
6400
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006401http-response sc-inc-gpc0(<sc-id>) [ { if | unless } <condition> ]
6402http-response sc-inc-gpc1(<sc-id>) [ { if | unless } <condition> ]
Ruoshan Huange4edc6b2016-07-14 15:07:45 +08006403
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006404 This action increments the GPC0 or GPC1 counter according with the sticky
6405 counter designated by <sc-id>. If an error occurs, this action silently fails
6406 and the actions evaluation continues.
Thierry FOURNIER236657b2015-08-19 08:25:14 +02006407
Cédric Dufour0d7712d2019-11-06 18:38:53 +01006408http-response sc-set-gpt0(<sc-id>) { <int> | <expr> }
6409 [ { if | unless } <condition> ]
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02006410
Cédric Dufour0d7712d2019-11-06 18:38:53 +01006411 This action sets the 32-bit unsigned GPT0 tag according to the sticky counter
6412 designated by <sc-id> and the value of <int>/<expr>. The expected result is a
6413 boolean. If an error occurs, this action silently fails and the actions
6414 evaluation continues.
Frédéric Lécaille6778b272018-01-29 15:22:53 +01006415
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006416http-response send-spoe-group [ { if | unless } <condition> ]
Willy Tarreau2d392c22015-08-24 01:43:45 +02006417
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006418 This action is used to trigger sending of a group of SPOE messages. To do so,
6419 the SPOE engine used to send messages must be defined, as well as the SPOE
6420 group to send. Of course, the SPOE engine must refer to an existing SPOE
6421 filter. If not engine name is provided on the SPOE filter line, the SPOE
6422 agent name must be used.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02006423
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006424 Arguments:
6425 <engine-name> The SPOE engine name.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02006426
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006427 <group-name> The SPOE group name as specified in the engine
6428 configuration.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02006429
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006430http-response set-header <name> <fmt> [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006431
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006432 This does the same as "add-header" except that the header name is first
6433 removed if it existed. This is useful when passing security information to
6434 the server, where the header must not be manipulated by external users.
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006435
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006436http-response set-log-level <level> [ { if | unless } <condition> ]
6437
6438 This is used to change the log level of the current request when a certain
6439 condition is met. Valid levels are the 8 syslog levels (see the "log"
6440 keyword) plus the special level "silent" which disables logging for this
6441 request. This rule is not final so the last matching rule wins. This rule can
6442 be useful to disable health checks coming from another equipment.
6443
6444http-response set-map(<file-name>) <key fmt> <value fmt>
6445
6446 This is used to add a new entry into a MAP. The MAP must be loaded from a
6447 file (even a dummy empty file). The file name of the MAP to be updated is
6448 passed between parentheses. It takes 2 arguments: <key fmt>, which follows
6449 log-format rules, used to collect MAP key, and <value fmt>, which follows
6450 log-format rules, used to collect content for the new entry. It performs a
6451 lookup in the MAP before insertion, to avoid duplicated (or more) values.
6452 This lookup is done by a linear search and can be expensive with large lists!
6453 It is the equivalent of the "set map" command from the stats socket, but can
6454 be triggered by an HTTP response.
6455
6456http-response set-mark <mark> [ { if | unless } <condition> ]
6457
6458 This is used to set the Netfilter MARK on all packets sent to the client to
6459 the value passed in <mark> on platforms which support it. This value is an
6460 unsigned 32 bit value which can be matched by netfilter and by the routing
6461 table. It can be expressed both in decimal or hexadecimal format (prefixed
6462 by "0x"). This can be useful to force certain packets to take a different
6463 route (for example a cheaper network path for bulk downloads). This works on
6464 Linux kernels 2.6.32 and above and requires admin privileges.
6465
6466http-response set-nice <nice> [ { if | unless } <condition> ]
6467
6468 This sets the "nice" factor of the current request being processed.
6469 It only has effect against the other requests being processed at the same
6470 time. The default value is 0, unless altered by the "nice" setting on the
6471 "bind" line. The accepted range is -1024..1024. The higher the value, the
6472 nicest the request will be. Lower values will make the request more important
6473 than other ones. This can be useful to improve the speed of some requests, or
6474 lower the priority of non-important requests. Using this setting without
6475 prior experimentation can cause some major slowdown.
6476
6477http-response set-status <status> [reason <str>]
6478 [ { if | unless } <condition> ]
6479
6480 This replaces the response status code with <status> which must be an integer
6481 between 100 and 999. Optionally, a custom reason text can be provided defined
6482 by <str>, or the default reason for the specified code will be used as a
6483 fallback.
Ruoshan Huangeb5a3632015-12-08 21:00:23 +08006484
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006485 Example:
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006486 # return "431 Request Header Fields Too Large"
6487 http-response set-status 431
6488 # return "503 Slow Down", custom reason
6489 http-response set-status 503 reason "Slow Down".
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006490
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006491http-response set-tos <tos> [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006492
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006493 This is used to set the TOS or DSCP field value of packets sent to the client
6494 to the value passed in <tos> on platforms which support this.
6495 This value represents the whole 8 bits of the IP TOS field, and can be
6496 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note that
6497 only the 6 higher bits are used in DSCP or TOS, and the two lower bits are
6498 always 0. This can be used to adjust some routing behavior on border routers
6499 based on some information from the request.
6500
6501 See RFC 2474, 2597, 3260 and 4594 for more information.
6502
6503http-response set-var(<var-name>) <expr> [ { if | unless } <condition> ]
6504
6505 This is used to set the contents of a variable. The variable is declared
6506 inline.
6507
6508 Arguments:
6509 <var-name> The name of the variable starts with an indication about its
6510 scope. The scopes allowed are:
6511 "proc" : the variable is shared with the whole process
6512 "sess" : the variable is shared with the whole session
6513 "txn" : the variable is shared with the transaction
6514 (request and response)
6515 "req" : the variable is shared only during request
6516 processing
6517 "res" : the variable is shared only during response
6518 processing
6519 This prefix is followed by a name. The separator is a '.'.
6520 The name may only contain characters 'a-z', 'A-Z', '0-9', '.'
6521 and '_'.
6522
6523 <expr> Is a standard HAProxy expression formed by a sample-fetch
6524 followed by some converters.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006525
6526 Example:
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006527 http-response set-var(sess.last_redir) res.hdr(location)
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006528
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006529http-response silent-drop [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006530
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006531 This stops the evaluation of the rules and makes the client-facing connection
6532 suddenly disappear using a system-dependent way that tries to prevent the
6533 client from being notified. The effect it then that the client still sees an
6534 established connection while there's none on HAProxy. The purpose is to
6535 achieve a comparable effect to "tarpit" except that it doesn't use any local
6536 resource at all on the machine running HAProxy. It can resist much higher
6537 loads than "tarpit", and slow down stronger attackers. It is important to
6538 understand the impact of using this mechanism. All stateful equipment placed
6539 between the client and HAProxy (firewalls, proxies, load balancers) will also
6540 keep the established connection for a long time and may suffer from this
6541 action.
6542 On modern Linux systems running with enough privileges, the TCP_REPAIR socket
6543 option is used to block the emission of a TCP reset. On other systems, the
6544 socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first
6545 router, though it's still delivered to local networks. Do not use it unless
6546 you fully understand how it works.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006547
Christopher Faulet46f95542019-12-20 10:07:22 +01006548http-response strict-mode { on | off }
6549
6550 This enables or disables the strict rewriting mode for following rules. It
6551 does not affect rules declared before it and it is only applicable on rules
6552 performing a rewrite on the responses. When the strict mode is enabled, any
6553 rewrite failure triggers an internal error. Otherwise, such errors are
6554 silently ignored. The purpose of the strict rewriting mode is to make some
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006555 rewrites optional while others must be performed to continue the response
Christopher Faulet46f95542019-12-20 10:07:22 +01006556 processing.
6557
Christopher Faulet1aea50e2020-01-17 16:03:53 +01006558 By default, the strict rewriting mode is enabled. Its value is also reset
Christopher Faulet46f95542019-12-20 10:07:22 +01006559 when a ruleset evaluation ends. So, for instance, if you change the mode on
Daniel Corbett67a82712020-07-06 23:01:19 -04006560 the backend, the default mode is restored when HAProxy starts the frontend
Christopher Faulet46f95542019-12-20 10:07:22 +01006561 rules evaluation.
6562
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006563http-response track-sc0 <key> [table <table>] [ { if | unless } <condition> ]
6564http-response track-sc1 <key> [table <table>] [ { if | unless } <condition> ]
6565http-response track-sc2 <key> [table <table>] [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006566
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006567 This enables tracking of sticky counters from current response. Please refer
6568 to "http-request track-sc" for a complete description. The only difference
6569 from "http-request track-sc" is the <key> sample expression can only make use
6570 of samples in response (e.g. res.*, status etc.) and samples below Layer 6
6571 (e.g. SSL-related samples, see section 7.3.4). If the sample is not
6572 supported, haproxy will fail and warn while parsing the config.
6573
6574http-response unset-var(<var-name>) [ { if | unless } <condition> ]
6575
6576 This is used to unset a variable. See "http-response set-var" for details
6577 about <var-name>.
6578
6579 Example:
6580 http-response unset-var(sess.last_redir)
6581
Baptiste Assmann5ecb77f2013-10-06 23:24:13 +02006582
Willy Tarreau30631952015-08-06 15:05:24 +02006583http-reuse { never | safe | aggressive | always }
6584 Declare how idle HTTP connections may be shared between requests
6585
6586 May be used in sections: defaults | frontend | listen | backend
6587 yes | no | yes | yes
6588
6589 By default, a connection established between haproxy and the backend server
Olivier Houchard86006a52018-12-14 19:37:49 +01006590 which is considered safe for reuse is moved back to the server's idle
6591 connections pool so that any other request can make use of it. This is the
6592 "safe" strategy below.
Willy Tarreau30631952015-08-06 15:05:24 +02006593
6594 The argument indicates the desired connection reuse strategy :
6595
Olivier Houchard86006a52018-12-14 19:37:49 +01006596 - "never" : idle connections are never shared between sessions. This mode
6597 may be enforced to cancel a different strategy inherited from
6598 a defaults section or for troubleshooting. For example, if an
6599 old bogus application considers that multiple requests over
6600 the same connection come from the same client and it is not
6601 possible to fix the application, it may be desirable to
6602 disable connection sharing in a single backend. An example of
6603 such an application could be an old haproxy using cookie
6604 insertion in tunnel mode and not checking any request past the
6605 first one.
Willy Tarreau30631952015-08-06 15:05:24 +02006606
Olivier Houchard86006a52018-12-14 19:37:49 +01006607 - "safe" : this is the default and the recommended strategy. The first
6608 request of a session is always sent over its own connection,
6609 and only subsequent requests may be dispatched over other
6610 existing connections. This ensures that in case the server
6611 closes the connection when the request is being sent, the
6612 browser can decide to silently retry it. Since it is exactly
6613 equivalent to regular keep-alive, there should be no side
Amaury Denoyelle27179652020-10-14 18:17:12 +02006614 effects. There is also a special handling for the connections
6615 using protocols subject to Head-of-line blocking (backend with
6616 h2 or fcgi). In this case, when at least one stream is
6617 processed, the used connection is reserved to handle streams
6618 of the same session. When no more streams are processed, the
6619 connection is released and can be reused.
Willy Tarreau30631952015-08-06 15:05:24 +02006620
6621 - "aggressive" : this mode may be useful in webservices environments where
6622 all servers are not necessarily known and where it would be
6623 appreciable to deliver most first requests over existing
6624 connections. In this case, first requests are only delivered
6625 over existing connections that have been reused at least once,
6626 proving that the server correctly supports connection reuse.
6627 It should only be used when it's sure that the client can
6628 retry a failed request once in a while and where the benefit
Michael Prokop4438c602019-05-24 10:25:45 +02006629 of aggressive connection reuse significantly outweighs the
Willy Tarreau30631952015-08-06 15:05:24 +02006630 downsides of rare connection failures.
6631
6632 - "always" : this mode is only recommended when the path to the server is
6633 known for never breaking existing connections quickly after
6634 releasing them. It allows the first request of a session to be
6635 sent to an existing connection. This can provide a significant
6636 performance increase over the "safe" strategy when the backend
6637 is a cache farm, since such components tend to show a
Davor Ocelice9ed2812017-12-25 17:49:28 +01006638 consistent behavior and will benefit from the connection
Willy Tarreau30631952015-08-06 15:05:24 +02006639 sharing. It is recommended that the "http-keep-alive" timeout
6640 remains low in this mode so that no dead connections remain
6641 usable. In most cases, this will lead to the same performance
6642 gains as "aggressive" but with more risks. It should only be
6643 used when it improves the situation over "aggressive".
6644
6645 When http connection sharing is enabled, a great care is taken to respect the
Davor Ocelice9ed2812017-12-25 17:49:28 +01006646 connection properties and compatibility. Specifically :
6647 - connections made with "usesrc" followed by a client-dependent value
6648 ("client", "clientip", "hdr_ip") are marked private and never shared;
Willy Tarreau30631952015-08-06 15:05:24 +02006649
6650 - connections sent to a server with a TLS SNI extension are marked private
Davor Ocelice9ed2812017-12-25 17:49:28 +01006651 and are never shared;
Willy Tarreau30631952015-08-06 15:05:24 +02006652
Lukas Tribusfd9b68c2018-10-27 20:06:59 +02006653 - connections with certain bogus authentication schemes (relying on the
6654 connection) like NTLM are detected, marked private and are never shared;
Willy Tarreau30631952015-08-06 15:05:24 +02006655
Lukas Tribuse8adfeb2019-11-06 11:50:25 +01006656 A connection pool is involved and configurable with "pool-max-conn".
Willy Tarreau30631952015-08-06 15:05:24 +02006657
6658 Note: connection reuse improves the accuracy of the "server maxconn" setting,
6659 because almost no new connection will be established while idle connections
6660 remain available. This is particularly true with the "always" strategy.
6661
6662 See also : "option http-keep-alive", "server maxconn"
6663
6664
Mark Lamourinec2247f02012-01-04 13:02:01 -05006665http-send-name-header [<header>]
6666 Add the server name to a request. Use the header string given by <header>
Mark Lamourinec2247f02012-01-04 13:02:01 -05006667 May be used in sections: defaults | frontend | listen | backend
6668 yes | no | yes | yes
Mark Lamourinec2247f02012-01-04 13:02:01 -05006669 Arguments :
Mark Lamourinec2247f02012-01-04 13:02:01 -05006670 <header> The header string to use to send the server name
6671
Willy Tarreau81bef7e2019-10-07 14:58:02 +02006672 The "http-send-name-header" statement causes the header field named <header>
6673 to be set to the name of the target server at the moment the request is about
6674 to be sent on the wire. Any existing occurrences of this header are removed.
6675 Upon retries and redispatches, the header field is updated to always reflect
6676 the server being attempted to connect to. Given that this header is modified
6677 very late in the connection setup, it may have unexpected effects on already
6678 modified headers. For example using it with transport-level header such as
6679 connection, content-length, transfer-encoding and so on will likely result in
6680 invalid requests being sent to the server. Additionally it has been reported
6681 that this directive is currently being used as a way to overwrite the Host
6682 header field in outgoing requests; while this trick has been known to work
6683 as a side effect of the feature for some time, it is not officially supported
6684 and might possibly not work anymore in a future version depending on the
6685 technical difficulties this feature induces. A long-term solution instead
6686 consists in fixing the application which required this trick so that it binds
6687 to the correct host name.
Mark Lamourinec2247f02012-01-04 13:02:01 -05006688
6689 See also : "server"
6690
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01006691id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02006692 Set a persistent ID to a proxy.
6693 May be used in sections : defaults | frontend | listen | backend
6694 no | yes | yes | yes
6695 Arguments : none
6696
6697 Set a persistent ID for the proxy. This ID must be unique and positive.
6698 An unused ID will automatically be assigned if unset. The first assigned
6699 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01006700
6701
Cyril Bonté0d4bf012010-04-25 23:21:46 +02006702ignore-persist { if | unless } <condition>
6703 Declare a condition to ignore persistence
6704 May be used in sections: defaults | frontend | listen | backend
Cyril Bonté4288c5a2018-03-12 22:02:59 +01006705 no | no | yes | yes
Cyril Bonté0d4bf012010-04-25 23:21:46 +02006706
6707 By default, when cookie persistence is enabled, every requests containing
6708 the cookie are unconditionally persistent (assuming the target server is up
6709 and running).
6710
6711 The "ignore-persist" statement allows one to declare various ACL-based
6712 conditions which, when met, will cause a request to ignore persistence.
6713 This is sometimes useful to load balance requests for static files, which
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03006714 often don't require persistence. This can also be used to fully disable
Cyril Bonté0d4bf012010-04-25 23:21:46 +02006715 persistence for a specific User-Agent (for example, some web crawler bots).
6716
Cyril Bonté0d4bf012010-04-25 23:21:46 +02006717 The persistence is ignored when an "if" condition is met, or unless an
6718 "unless" condition is met.
6719
Jarno Huuskonene5ae7022017-04-03 14:36:21 +03006720 Example:
6721 acl url_static path_beg /static /images /img /css
6722 acl url_static path_end .gif .png .jpg .css .js
6723 ignore-persist if url_static
6724
Cyril Bonté0d4bf012010-04-25 23:21:46 +02006725 See also : "force-persist", "cookie", and section 7 about ACL usage.
6726
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006727load-server-state-from-file { global | local | none }
6728 Allow seamless reload of HAProxy
6729 May be used in sections: defaults | frontend | listen | backend
6730 yes | no | yes | yes
6731
6732 This directive points HAProxy to a file where server state from previous
6733 running process has been saved. That way, when starting up, before handling
6734 traffic, the new process can apply old states to servers exactly has if no
Davor Ocelice9ed2812017-12-25 17:49:28 +01006735 reload occurred. The purpose of the "load-server-state-from-file" directive is
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006736 to tell haproxy which file to use. For now, only 2 arguments to either prevent
6737 loading state or load states from a file containing all backends and servers.
6738 The state file can be generated by running the command "show servers state"
6739 over the stats socket and redirect output.
6740
Davor Ocelice9ed2812017-12-25 17:49:28 +01006741 The format of the file is versioned and is very specific. To understand it,
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006742 please read the documentation of the "show servers state" command (chapter
Willy Tarreau1af20c72017-06-23 16:01:14 +02006743 9.3 of Management Guide).
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006744
6745 Arguments:
6746 global load the content of the file pointed by the global directive
6747 named "server-state-file".
6748
6749 local load the content of the file pointed by the directive
6750 "server-state-file-name" if set. If not set, then the backend
6751 name is used as a file name.
6752
6753 none don't load any stat for this backend
6754
6755 Notes:
Willy Tarreaue5a60682016-11-09 14:54:53 +01006756 - server's IP address is preserved across reloads by default, but the
6757 order can be changed thanks to the server's "init-addr" setting. This
6758 means that an IP address change performed on the CLI at run time will
Davor Ocelice9ed2812017-12-25 17:49:28 +01006759 be preserved, and that any change to the local resolver (e.g. /etc/hosts)
Willy Tarreaue5a60682016-11-09 14:54:53 +01006760 will possibly not have any effect if the state file is in use.
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006761
6762 - server's weight is applied from previous running process unless it has
6763 has changed between previous and new configuration files.
6764
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02006765 Example: Minimal configuration
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006766
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02006767 global
6768 stats socket /tmp/socket
6769 server-state-file /tmp/server_state
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006770
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02006771 defaults
6772 load-server-state-from-file global
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006773
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02006774 backend bk
6775 server s1 127.0.0.1:22 check weight 11
6776 server s2 127.0.0.1:22 check weight 12
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006777
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006778
6779 Then one can run :
6780
6781 socat /tmp/socket - <<< "show servers state" > /tmp/server_state
6782
6783 Content of the file /tmp/server_state would be like this:
6784
6785 1
6786 # <field names skipped for the doc example>
6787 1 bk 1 s1 127.0.0.1 2 0 11 11 4 6 3 4 6 0 0
6788 1 bk 2 s2 127.0.0.1 2 0 12 12 4 6 3 4 6 0 0
6789
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02006790 Example: Minimal configuration
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006791
6792 global
6793 stats socket /tmp/socket
6794 server-state-base /etc/haproxy/states
6795
6796 defaults
6797 load-server-state-from-file local
6798
6799 backend bk
6800 server s1 127.0.0.1:22 check weight 11
6801 server s2 127.0.0.1:22 check weight 12
6802
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02006803
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02006804 Then one can run :
6805
6806 socat /tmp/socket - <<< "show servers state bk" > /etc/haproxy/states/bk
6807
6808 Content of the file /etc/haproxy/states/bk would be like this:
6809
6810 1
6811 # <field names skipped for the doc example>
6812 1 bk 1 s1 127.0.0.1 2 0 11 11 4 6 3 4 6 0 0
6813 1 bk 2 s2 127.0.0.1 2 0 12 12 4 6 3 4 6 0 0
6814
6815 See also: "server-state-file", "server-state-file-name", and
6816 "show servers state"
6817
Cyril Bonté0d4bf012010-04-25 23:21:46 +02006818
Willy Tarreau2769aa02007-12-27 18:26:09 +01006819log global
Frédéric Lécailled690dfa2019-04-25 10:52:17 +02006820log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>]
6821 <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02006822no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01006823 Enable per-instance logging of events and traffic.
6824 May be used in sections : defaults | frontend | listen | backend
6825 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02006826
6827 Prefix :
6828 no should be used when the logger list must be flushed. For example,
6829 if you don't want to inherit from the default logger list. This
6830 prefix does not allow arguments.
6831
Willy Tarreau2769aa02007-12-27 18:26:09 +01006832 Arguments :
6833 global should be used when the instance's logging parameters are the
6834 same as the global ones. This is the most common usage. "global"
6835 replaces <address>, <facility> and <level> with those of the log
6836 entries found in the "global" section. Only one "log global"
6837 statement may be used per instance, and this form takes no other
6838 parameter.
6839
6840 <address> indicates where to send the logs. It takes the same format as
6841 for the "global" section's logs, and can be one of :
6842
6843 - An IPv4 address optionally followed by a colon (':') and a UDP
6844 port. If no port is specified, 514 is used by default (the
6845 standard syslog port).
6846
David du Colombier24bb5f52011-03-17 10:40:23 +01006847 - An IPv6 address followed by a colon (':') and optionally a UDP
6848 port. If no port is specified, 514 is used by default (the
6849 standard syslog port).
6850
Willy Tarreau2769aa02007-12-27 18:26:09 +01006851 - A filesystem path to a UNIX domain socket, keeping in mind
6852 considerations for chroot (be sure the path is accessible
6853 inside the chroot) and uid/gid (be sure the path is
Davor Ocelice9ed2812017-12-25 17:49:28 +01006854 appropriately writable).
Willy Tarreau2769aa02007-12-27 18:26:09 +01006855
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01006856 - A file descriptor number in the form "fd@<number>", which may
6857 point to a pipe, terminal, or socket. In this case unbuffered
6858 logs are used and one writev() call per log is performed. This
6859 is a bit expensive but acceptable for most workloads. Messages
6860 sent this way will not be truncated but may be dropped, in
6861 which case the DroppedLogs counter will be incremented. The
6862 writev() call is atomic even on pipes for messages up to
6863 PIPE_BUF size, which POSIX recommends to be at least 512 and
6864 which is 4096 bytes on most modern operating systems. Any
6865 larger message may be interleaved with messages from other
6866 processes. Exceptionally for debugging purposes the file
6867 descriptor may also be directed to a file, but doing so will
6868 significantly slow haproxy down as non-blocking calls will be
6869 ignored. Also there will be no way to purge nor rotate this
6870 file without restarting the process. Note that the configured
6871 syslog format is preserved, so the output is suitable for use
Willy Tarreauc1b06452018-11-12 11:57:56 +01006872 with a TCP syslog server. See also the "short" and "raw"
6873 formats below.
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01006874
6875 - "stdout" / "stderr", which are respectively aliases for "fd@1"
6876 and "fd@2", see above.
6877
Willy Tarreauc046d162019-08-30 15:24:59 +02006878 - A ring buffer in the form "ring@<name>", which will correspond
6879 to an in-memory ring buffer accessible over the CLI using the
6880 "show events" command, which will also list existing rings and
6881 their sizes. Such buffers are lost on reload or restart but
6882 when used as a complement this can help troubleshooting by
6883 having the logs instantly available.
6884
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01006885 You may want to reference some environment variables in the
6886 address parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01006887
Willy Tarreau18324f52014-06-27 18:10:07 +02006888 <length> is an optional maximum line length. Log lines larger than this
6889 value will be truncated before being sent. The reason is that
6890 syslog servers act differently on log line length. All servers
6891 support the default value of 1024, but some servers simply drop
6892 larger lines while others do log them. If a server supports long
6893 lines, it may make sense to set this value here in order to avoid
6894 truncating long lines. Similarly, if a server drops long lines,
6895 it is preferable to truncate them before sending them. Accepted
6896 values are 80 to 65535 inclusive. The default value of 1024 is
6897 generally fine for all standard usages. Some specific cases of
Davor Ocelice9ed2812017-12-25 17:49:28 +01006898 long captures or JSON-formatted logs may require larger values.
Willy Tarreau18324f52014-06-27 18:10:07 +02006899
Frédéric Lécailled690dfa2019-04-25 10:52:17 +02006900 <ranges> A list of comma-separated ranges to identify the logs to sample.
6901 This is used to balance the load of the logs to send to the log
6902 server. The limits of the ranges cannot be null. They are numbered
6903 from 1. The size or period (in number of logs) of the sample must
6904 be set with <sample_size> parameter.
6905
6906 <sample_size>
6907 The size of the sample in number of logs to consider when balancing
6908 their logging loads. It is used to balance the load of the logs to
6909 send to the syslog server. This size must be greater or equal to the
6910 maximum of the high limits of the ranges.
6911 (see also <ranges> parameter).
6912
Willy Tarreauadb345d2018-11-12 07:56:13 +01006913 <format> is the log format used when generating syslog messages. It may be
6914 one of the following :
6915
6916 rfc3164 The RFC3164 syslog message format. This is the default.
6917 (https://tools.ietf.org/html/rfc3164)
6918
6919 rfc5424 The RFC5424 syslog message format.
6920 (https://tools.ietf.org/html/rfc5424)
6921
Emeric Brun54648852020-07-06 15:54:06 +02006922 priority A message containing only a level plus syslog facility between
6923 angle brackets such as '<63>', followed by the text. The PID,
6924 date, time, process name and system name are omitted. This is
6925 designed to be used with a local log server.
6926
Willy Tarreaue8746a02018-11-12 08:45:00 +01006927 short A message containing only a level between angle brackets such as
6928 '<3>', followed by the text. The PID, date, time, process name
6929 and system name are omitted. This is designed to be used with a
6930 local log server. This format is compatible with what the
6931 systemd logger consumes.
6932
Emeric Brun54648852020-07-06 15:54:06 +02006933 timed A message containing only a level between angle brackets such as
6934 '<3>', followed by ISO date and by the text. The PID, process
6935 name and system name are omitted. This is designed to be
6936 used with a local log server.
6937
6938 iso A message containing only the ISO date, followed by the text.
6939 The PID, process name and system name are omitted. This is
6940 designed to be used with a local log server.
6941
Willy Tarreauc1b06452018-11-12 11:57:56 +01006942 raw A message containing only the text. The level, PID, date, time,
6943 process name and system name are omitted. This is designed to
6944 be used in containers or during development, where the severity
6945 only depends on the file descriptor used (stdout/stderr).
6946
Willy Tarreau2769aa02007-12-27 18:26:09 +01006947 <facility> must be one of the 24 standard syslog facilities :
6948
Willy Tarreaue8746a02018-11-12 08:45:00 +01006949 kern user mail daemon auth syslog lpr news
6950 uucp cron auth2 ftp ntp audit alert cron2
6951 local0 local1 local2 local3 local4 local5 local6 local7
6952
Willy Tarreauc1b06452018-11-12 11:57:56 +01006953 Note that the facility is ignored for the "short" and "raw"
6954 formats, but still required as a positional field. It is
6955 recommended to use "daemon" in this case to make it clear that
6956 it's only supposed to be used locally.
Willy Tarreau2769aa02007-12-27 18:26:09 +01006957
6958 <level> is optional and can be specified to filter outgoing messages. By
6959 default, all messages are sent. If a level is specified, only
6960 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02006961 will be sent. An optional minimum level can be specified. If it
6962 is set, logs emitted with a more severe level than this one will
6963 be capped to this level. This is used to avoid sending "emerg"
6964 messages on all terminals on some default syslog configurations.
6965 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01006966
6967 emerg alert crit err warning notice info debug
6968
William Lallemand0f99e342011-10-12 17:50:54 +02006969 It is important to keep in mind that it is the frontend which decides what to
6970 log from a connection, and that in case of content switching, the log entries
6971 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006972
6973 However, backend log declaration define how and where servers status changes
6974 will be logged. Level "notice" will be used to indicate a server going up,
6975 "warning" will be used for termination signals and definitive service
6976 termination, and "alert" will be used for when a server goes down.
6977
6978 Note : According to RFC3164, messages are truncated to 1024 bytes before
6979 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01006980
6981 Example :
6982 log global
Willy Tarreauc1b06452018-11-12 11:57:56 +01006983 log stdout format short daemon # send log to systemd
6984 log stdout format raw daemon # send everything to stdout
6985 log stderr format raw daemon notice # send important events to stderr
Willy Tarreauf7edefa2009-05-10 17:20:05 +02006986 log 127.0.0.1:514 local0 notice # only send important events
6987 log 127.0.0.1:514 local0 notice notice # same but limit output level
William Lallemandb2f07452015-05-12 14:27:13 +02006988 log "${LOCAL_SYSLOG}:514" local0 notice # send to local server
Willy Tarreaudad36a32013-03-11 01:20:04 +01006989
Willy Tarreau2769aa02007-12-27 18:26:09 +01006990
William Lallemand48940402012-01-30 16:47:22 +01006991log-format <string>
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01006992 Specifies the log format string to use for traffic logs
6993 May be used in sections: defaults | frontend | listen | backend
6994 yes | yes | yes | no
William Lallemand48940402012-01-30 16:47:22 +01006995
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01006996 This directive specifies the log format string that will be used for all logs
6997 resulting from traffic passing through the frontend using this line. If the
6998 directive is used in a defaults section, all subsequent frontends will use
6999 the same log format. Please see section 8.2.4 which covers the log format
7000 string in depth.
William Lallemand48940402012-01-30 16:47:22 +01007001
Guillaume de Lafond29f45602017-03-31 19:52:15 +02007002 "log-format" directive overrides previous "option tcplog", "log-format" and
7003 "option httplog" directives.
7004
Dragan Dosen7ad31542015-09-28 17:16:47 +02007005log-format-sd <string>
7006 Specifies the RFC5424 structured-data log format string
7007 May be used in sections: defaults | frontend | listen | backend
7008 yes | yes | yes | no
7009
7010 This directive specifies the RFC5424 structured-data log format string that
7011 will be used for all logs resulting from traffic passing through the frontend
7012 using this line. If the directive is used in a defaults section, all
7013 subsequent frontends will use the same log format. Please see section 8.2.4
7014 which covers the log format string in depth.
7015
7016 See https://tools.ietf.org/html/rfc5424#section-6.3 for more information
7017 about the RFC5424 structured-data part.
7018
7019 Note : This log format string will be used only for loggers that have set
7020 log format to "rfc5424".
7021
7022 Example :
7023 log-format-sd [exampleSDID@1234\ bytes=\"%B\"\ status=\"%ST\"]
7024
7025
Willy Tarreau094af4e2015-01-07 15:03:42 +01007026log-tag <string>
7027 Specifies the log tag to use for all outgoing logs
7028 May be used in sections: defaults | frontend | listen | backend
7029 yes | yes | yes | yes
7030
7031 Sets the tag field in the syslog header to this string. It defaults to the
7032 log-tag set in the global section, otherwise the program name as launched
7033 from the command line, which usually is "haproxy". Sometimes it can be useful
7034 to differentiate between multiple processes running on the same host, or to
7035 differentiate customer instances running in the same process. In the backend,
7036 logs about servers up/down will use this tag. As a hint, it can be convenient
7037 to set a log-tag related to a hosted customer in a defaults section then put
7038 all the frontends and backends for that customer, then start another customer
7039 in a new defaults section. See also the global "log-tag" directive.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007040
Willy Tarreauc35362a2014-04-25 13:58:37 +02007041max-keep-alive-queue <value>
7042 Set the maximum server queue size for maintaining keep-alive connections
7043 May be used in sections: defaults | frontend | listen | backend
7044 yes | no | yes | yes
7045
7046 HTTP keep-alive tries to reuse the same server connection whenever possible,
7047 but sometimes it can be counter-productive, for example if a server has a lot
7048 of connections while other ones are idle. This is especially true for static
7049 servers.
7050
7051 The purpose of this setting is to set a threshold on the number of queued
7052 connections at which haproxy stops trying to reuse the same server and prefers
7053 to find another one. The default value, -1, means there is no limit. A value
7054 of zero means that keep-alive requests will never be queued. For very close
7055 servers which can be reached with a low latency and which are not sensible to
Davor Ocelice9ed2812017-12-25 17:49:28 +01007056 breaking keep-alive, a low value is recommended (e.g. local static server can
Willy Tarreauc35362a2014-04-25 13:58:37 +02007057 use a value of 10 or less). For remote servers suffering from a high latency,
7058 higher values might be needed to cover for the latency and/or the cost of
7059 picking a different server.
7060
7061 Note that this has no impact on responses which are maintained to the same
7062 server consecutively to a 401 response. They will still go to the same server
7063 even if they have to be queued.
7064
7065 See also : "option http-server-close", "option prefer-last-server", server
7066 "maxconn" and cookie persistence.
7067
Olivier Houcharda4d4fdf2018-12-14 19:27:06 +01007068max-session-srv-conns <nb>
7069 Set the maximum number of outgoing connections we can keep idling for a given
7070 client session. The default is 5 (it precisely equals MAX_SRV_LIST which is
7071 defined at build time).
Willy Tarreauc35362a2014-04-25 13:58:37 +02007072
Willy Tarreau2769aa02007-12-27 18:26:09 +01007073maxconn <conns>
7074 Fix the maximum number of concurrent connections on a frontend
7075 May be used in sections : defaults | frontend | listen | backend
7076 yes | yes | yes | no
7077 Arguments :
7078 <conns> is the maximum number of concurrent connections the frontend will
7079 accept to serve. Excess connections will be queued by the system
7080 in the socket's listen queue and will be served once a connection
7081 closes.
7082
7083 If the system supports it, it can be useful on big sites to raise this limit
7084 very high so that haproxy manages connection queues, instead of leaving the
7085 clients with unanswered connection attempts. This value should not exceed the
7086 global maxconn. Also, keep in mind that a connection contains two buffers
Baptiste Assmann79fb45d2016-03-06 23:34:31 +01007087 of tune.bufsize (16kB by default) each, as well as some other data resulting
7088 in about 33 kB of RAM being consumed per established connection. That means
7089 that a medium system equipped with 1GB of RAM can withstand around
7090 20000-25000 concurrent connections if properly tuned.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007091
7092 Also, when <conns> is set to large values, it is possible that the servers
7093 are not sized to accept such loads, and for this reason it is generally wise
7094 to assign them some reasonable connection limits.
7095
Willy Tarreauc8d5b952019-02-27 17:25:52 +01007096 When this value is set to zero, which is the default, the global "maxconn"
7097 value is used.
Vincent Bernat6341be52012-06-27 17:18:30 +02007098
Willy Tarreau2769aa02007-12-27 18:26:09 +01007099 See also : "server", global section's "maxconn", "fullconn"
7100
7101
7102mode { tcp|http|health }
7103 Set the running mode or protocol of the instance
7104 May be used in sections : defaults | frontend | listen | backend
7105 yes | yes | yes | yes
7106 Arguments :
7107 tcp The instance will work in pure TCP mode. A full-duplex connection
7108 will be established between clients and servers, and no layer 7
7109 examination will be performed. This is the default mode. It
7110 should be used for SSL, SSH, SMTP, ...
7111
7112 http The instance will work in HTTP mode. The client request will be
7113 analyzed in depth before connecting to any server. Any request
7114 which is not RFC-compliant will be rejected. Layer 7 filtering,
7115 processing and switching will be possible. This is the mode which
7116 brings HAProxy most of its value.
7117
7118 health The instance will work in "health" mode. It will just reply "OK"
Willy Tarreau82569f92012-09-27 23:48:56 +02007119 to incoming connections and close the connection. Alternatively,
7120 If the "httpchk" option is set, "HTTP/1.0 200 OK" will be sent
7121 instead. Nothing will be logged in either case. This mode is used
7122 to reply to external components health checks. This mode is
7123 deprecated and should not be used anymore as it is possible to do
7124 the same and even better by combining TCP or HTTP modes with the
7125 "monitor" keyword.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007126
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007127 When doing content switching, it is mandatory that the frontend and the
7128 backend are in the same mode (generally HTTP), otherwise the configuration
7129 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007130
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007131 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01007132 defaults http_instances
7133 mode http
7134
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007135 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01007136
Willy Tarreau0ba27502007-12-24 16:55:16 +01007137
Cyril Bontéf0c60612010-02-06 14:44:47 +01007138monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01007139 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007140 May be used in sections : defaults | frontend | listen | backend
7141 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01007142 Arguments :
7143 if <cond> the monitor request will fail if the condition is satisfied,
7144 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007145 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01007146 are met, for instance a low number of servers both in a
7147 backend and its backup.
7148
7149 unless <cond> the monitor request will succeed only if the condition is
7150 satisfied, and will fail otherwise. Such a condition may be
7151 based on a test on the presence of a minimum number of active
7152 servers in a list of backends.
7153
7154 This statement adds a condition which can force the response to a monitor
7155 request to report a failure. By default, when an external component queries
7156 the URI dedicated to monitoring, a 200 response is returned. When one of the
7157 conditions above is met, haproxy will return 503 instead of 200. This is
7158 very useful to report a site failure to an external component which may base
7159 routing advertisements between multiple sites on the availability reported by
7160 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02007161 criterion. Note that "monitor fail" only works in HTTP mode. Both status
7162 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007163
7164 Example:
7165 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01007166 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01007167 acl site_dead nbsrv(dynamic) lt 2
7168 acl site_dead nbsrv(static) lt 2
7169 monitor-uri /site_alive
7170 monitor fail if site_dead
7171
Willy Tarreauae94d4d2011-05-11 16:28:49 +02007172 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01007173
7174
7175monitor-net <source>
7176 Declare a source network which is limited to monitor requests
7177 May be used in sections : defaults | frontend | listen | backend
7178 yes | yes | yes | no
7179 Arguments :
7180 <source> is the source IPv4 address or network which will only be able to
7181 get monitor responses to any request. It can be either an IPv4
7182 address, a host name, or an address followed by a slash ('/')
7183 followed by a mask.
7184
7185 In TCP mode, any connection coming from a source matching <source> will cause
7186 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007187 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01007188 forwarding the connection to a remote server.
7189
7190 In HTTP mode, a connection coming from a source matching <source> will be
7191 accepted, the following response will be sent without waiting for a request,
7192 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
7193 enough for any front-end HTTP probe to detect that the service is UP and
Willy Tarreau82569f92012-09-27 23:48:56 +02007194 running without forwarding the request to a backend server. Note that this
7195 response is sent in raw format, without any transformation. This is important
7196 as it means that it will not be SSL-encrypted on SSL listeners.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007197
Willy Tarreau82569f92012-09-27 23:48:56 +02007198 Monitor requests are processed very early, just after tcp-request connection
7199 ACLs which are the only ones able to block them. These connections are short
7200 lived and never wait for any data from the client. They cannot be logged, and
7201 it is the intended purpose. They are only used to report HAProxy's health to
7202 an upper component, nothing more. Please note that "monitor fail" rules do
7203 not apply to connections intercepted by "monitor-net".
Willy Tarreau2769aa02007-12-27 18:26:09 +01007204
Willy Tarreau95cd2832010-03-04 23:36:33 +01007205 Last, please note that only one "monitor-net" statement can be specified in
7206 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007207
Willy Tarreau2769aa02007-12-27 18:26:09 +01007208 Example :
7209 # addresses .252 and .253 are just probing us.
7210 frontend www
7211 monitor-net 192.168.0.252/31
7212
7213 See also : "monitor fail", "monitor-uri"
7214
7215
7216monitor-uri <uri>
7217 Intercept a URI used by external components' monitor requests
7218 May be used in sections : defaults | frontend | listen | backend
7219 yes | yes | yes | no
7220 Arguments :
7221 <uri> is the exact URI which we want to intercept to return HAProxy's
7222 health status instead of forwarding the request.
7223
7224 When an HTTP request referencing <uri> will be received on a frontend,
7225 HAProxy will not forward it nor log it, but instead will return either
7226 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
7227 conditions defined with "monitor fail". This is normally enough for any
7228 front-end HTTP probe to detect that the service is UP and running without
7229 forwarding the request to a backend server. Note that the HTTP method, the
7230 version and all headers are ignored, but the request must at least be valid
7231 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
7232
Willy Tarreau721d8e02017-12-01 18:25:08 +01007233 Monitor requests are processed very early, just after the request is parsed
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02007234 and even before any "http-request". The only rulesets applied before are the
7235 tcp-request ones. They cannot be logged either, and it is the intended
7236 purpose. They are only used to report HAProxy's health to an upper component,
7237 nothing more. However, it is possible to add any number of conditions using
7238 "monitor fail" and ACLs so that the result can be adjusted to whatever check
7239 can be imagined (most often the number of available servers in a backend).
Willy Tarreau2769aa02007-12-27 18:26:09 +01007240
Christopher Faulet6072beb2020-02-18 15:34:58 +01007241 Note: if <uri> starts by a slash ('/'), the matching is performed against the
7242 request's path instead of the request's uri. It is a workaround to let
7243 the HTTP/2 requests match the monitor-uri. Indeed, in HTTP/2, clients
7244 are encouraged to send absolute URIs only.
7245
Willy Tarreau2769aa02007-12-27 18:26:09 +01007246 Example :
7247 # Use /haproxy_test to report haproxy's status
7248 frontend www
7249 mode http
7250 monitor-uri /haproxy_test
7251
7252 See also : "monitor fail", "monitor-net"
7253
Willy Tarreau0ba27502007-12-24 16:55:16 +01007254
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007255option abortonclose
7256no option abortonclose
7257 Enable or disable early dropping of aborted requests pending in queues.
7258 May be used in sections : defaults | frontend | listen | backend
7259 yes | no | yes | yes
7260 Arguments : none
7261
7262 In presence of very high loads, the servers will take some time to respond.
7263 The per-instance connection queue will inflate, and the response time will
7264 increase respective to the size of the queue times the average per-session
7265 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01007266 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007267 the queue, and slowing down other users, and the servers as well, because the
7268 request will eventually be served, then aborted at the first error
7269 encountered while delivering the response.
7270
7271 As there is no way to distinguish between a full STOP and a simple output
7272 close on the client side, HTTP agents should be conservative and consider
7273 that the client might only have closed its output channel while waiting for
7274 the response. However, this introduces risks of congestion when lots of users
7275 do the same, and is completely useless nowadays because probably no client at
7276 all will close the session while waiting for the response. Some HTTP agents
Davor Ocelice9ed2812017-12-25 17:49:28 +01007277 support this behavior (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007278 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01007279 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007280 of being the single component to break rare but valid traffic is extremely
7281 low, which adds to the temptation to be able to abort a session early while
7282 still not served and not pollute the servers.
7283
Davor Ocelice9ed2812017-12-25 17:49:28 +01007284 In HAProxy, the user can choose the desired behavior using the option
7285 "abortonclose". By default (without the option) the behavior is HTTP
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007286 compliant and aborted requests will be served. But when the option is
7287 specified, a session with an incoming channel closed will be aborted while
7288 it is still possible, either pending in the queue for a connection slot, or
7289 during the connection establishment if the server has not yet acknowledged
7290 the connection request. This considerably reduces the queue size and the load
7291 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01007292 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007293
7294 If this option has been enabled in a "defaults" section, it can be disabled
7295 in a specific instance by prepending the "no" keyword before it.
7296
7297 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
7298
7299
Willy Tarreau4076a152009-04-02 15:18:36 +02007300option accept-invalid-http-request
7301no option accept-invalid-http-request
7302 Enable or disable relaxing of HTTP request parsing
7303 May be used in sections : defaults | frontend | listen | backend
7304 yes | yes | yes | no
7305 Arguments : none
7306
Willy Tarreau91852eb2015-05-01 13:26:00 +02007307 By default, HAProxy complies with RFC7230 in terms of message parsing. This
Willy Tarreau4076a152009-04-02 15:18:36 +02007308 means that invalid characters in header names are not permitted and cause an
Davor Ocelice9ed2812017-12-25 17:49:28 +01007309 error to be returned to the client. This is the desired behavior as such
Willy Tarreau4076a152009-04-02 15:18:36 +02007310 forbidden characters are essentially used to build attacks exploiting server
7311 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
7312 server will emit invalid header names for whatever reason (configuration,
7313 implementation) and the issue will not be immediately fixed. In such a case,
7314 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01007315 even if that does not make sense, by specifying this option. Similarly, the
7316 list of characters allowed to appear in a URI is well defined by RFC3986, and
7317 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
7318 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
Davor Ocelice9ed2812017-12-25 17:49:28 +01007319 not allowed at all. HAProxy always blocks a number of them (0..32, 127). The
Willy Tarreau91852eb2015-05-01 13:26:00 +02007320 remaining ones are blocked by default unless this option is enabled. This
Willy Tarreau13317662015-05-01 13:47:08 +02007321 option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
7322 to pass through (no version specified) and multiple digits for both the major
7323 and the minor version.
Willy Tarreau4076a152009-04-02 15:18:36 +02007324
7325 This option should never be enabled by default as it hides application bugs
7326 and open security breaches. It should only be deployed after a problem has
7327 been confirmed.
7328
7329 When this option is enabled, erroneous header names will still be accepted in
7330 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01007331 analysis using the "show errors" request on the UNIX stats socket. Similarly,
7332 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02007333 also helps confirming that the issue has been solved.
7334
7335 If this option has been enabled in a "defaults" section, it can be disabled
7336 in a specific instance by prepending the "no" keyword before it.
7337
7338 See also : "option accept-invalid-http-response" and "show errors" on the
7339 stats socket.
7340
7341
7342option accept-invalid-http-response
7343no option accept-invalid-http-response
7344 Enable or disable relaxing of HTTP response parsing
7345 May be used in sections : defaults | frontend | listen | backend
7346 yes | no | yes | yes
7347 Arguments : none
7348
Willy Tarreau91852eb2015-05-01 13:26:00 +02007349 By default, HAProxy complies with RFC7230 in terms of message parsing. This
Willy Tarreau4076a152009-04-02 15:18:36 +02007350 means that invalid characters in header names are not permitted and cause an
Davor Ocelice9ed2812017-12-25 17:49:28 +01007351 error to be returned to the client. This is the desired behavior as such
Willy Tarreau4076a152009-04-02 15:18:36 +02007352 forbidden characters are essentially used to build attacks exploiting server
7353 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
7354 server will emit invalid header names for whatever reason (configuration,
7355 implementation) and the issue will not be immediately fixed. In such a case,
7356 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau91852eb2015-05-01 13:26:00 +02007357 even if that does not make sense, by specifying this option. This option also
7358 relaxes the test on the HTTP version format, it allows multiple digits for
7359 both the major and the minor version.
Willy Tarreau4076a152009-04-02 15:18:36 +02007360
7361 This option should never be enabled by default as it hides application bugs
7362 and open security breaches. It should only be deployed after a problem has
7363 been confirmed.
7364
7365 When this option is enabled, erroneous header names will still be accepted in
7366 responses, but the complete response will be captured in order to permit
7367 later analysis using the "show errors" request on the UNIX stats socket.
7368 Doing this also helps confirming that the issue has been solved.
7369
7370 If this option has been enabled in a "defaults" section, it can be disabled
7371 in a specific instance by prepending the "no" keyword before it.
7372
7373 See also : "option accept-invalid-http-request" and "show errors" on the
7374 stats socket.
7375
7376
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007377option allbackups
7378no option allbackups
7379 Use either all backup servers at a time or only the first one
7380 May be used in sections : defaults | frontend | listen | backend
7381 yes | no | yes | yes
7382 Arguments : none
7383
7384 By default, the first operational backup server gets all traffic when normal
7385 servers are all down. Sometimes, it may be preferred to use multiple backups
7386 at once, because one will not be enough. When "option allbackups" is enabled,
7387 the load balancing will be performed among all backup servers when all normal
7388 ones are unavailable. The same load balancing algorithm will be used and the
7389 servers' weights will be respected. Thus, there will not be any priority
7390 order between the backup servers anymore.
7391
7392 This option is mostly used with static server farms dedicated to return a
7393 "sorry" page when an application is completely offline.
7394
7395 If this option has been enabled in a "defaults" section, it can be disabled
7396 in a specific instance by prepending the "no" keyword before it.
7397
7398
7399option checkcache
7400no option checkcache
Godbach7056a352013-12-11 20:01:07 +08007401 Analyze all server responses and block responses with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007402 May be used in sections : defaults | frontend | listen | backend
7403 yes | no | yes | yes
7404 Arguments : none
7405
7406 Some high-level frameworks set application cookies everywhere and do not
7407 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007408 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007409 high risk of session crossing or stealing between users traversing the same
7410 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02007411 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007412
7413 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007414 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01007415 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007416 response to check if there's a risk of caching a cookie on a client-side
7417 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01007418 to the client are :
Davor Ocelice9ed2812017-12-25 17:49:28 +01007419 - all those without "Set-Cookie" header;
Willy Tarreauc55ddce2017-12-21 11:41:38 +01007420 - all those with a return code other than 200, 203, 204, 206, 300, 301,
7421 404, 405, 410, 414, 501, provided that the server has not set a
Davor Ocelice9ed2812017-12-25 17:49:28 +01007422 "Cache-control: public" header field;
Willy Tarreau24ea0bc2017-12-21 11:32:55 +01007423 - all those that result from a request using a method other than GET, HEAD,
7424 OPTIONS, TRACE, provided that the server has not set a 'Cache-Control:
Davor Ocelice9ed2812017-12-25 17:49:28 +01007425 public' header field;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007426 - those with a 'Pragma: no-cache' header
7427 - those with a 'Cache-control: private' header
7428 - those with a 'Cache-control: no-store' header
7429 - those with a 'Cache-control: max-age=0' header
7430 - those with a 'Cache-control: s-maxage=0' header
7431 - those with a 'Cache-control: no-cache' header
7432 - those with a 'Cache-control: no-cache="set-cookie"' header
7433 - those with a 'Cache-control: no-cache="set-cookie,' header
7434 (allowing other fields after set-cookie)
7435
7436 If a response doesn't respect these requirements, then it will be blocked
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02007437 just as if it was from an "http-response deny" rule, with an "HTTP 502 bad
7438 gateway". The session state shows "PH--" meaning that the proxy blocked the
7439 response during headers processing. Additionally, an alert will be sent in
7440 the logs so that admins are informed that there's something to be fixed.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007441
7442 Due to the high impact on the application, the application should be tested
7443 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007444 good practice to always activate it during tests, even if it is not used in
Davor Ocelice9ed2812017-12-25 17:49:28 +01007445 production, as it will report potentially dangerous application behaviors.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007446
7447 If this option has been enabled in a "defaults" section, it can be disabled
7448 in a specific instance by prepending the "no" keyword before it.
7449
7450
7451option clitcpka
7452no option clitcpka
7453 Enable or disable the sending of TCP keepalive packets on the client side
7454 May be used in sections : defaults | frontend | listen | backend
7455 yes | yes | yes | no
7456 Arguments : none
7457
7458 When there is a firewall or any session-aware component between a client and
7459 a server, and when the protocol involves very long sessions with long idle
Davor Ocelice9ed2812017-12-25 17:49:28 +01007460 periods (e.g. remote desktops), there is a risk that one of the intermediate
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007461 components decides to expire a session which has remained idle for too long.
7462
7463 Enabling socket-level TCP keep-alives makes the system regularly send packets
7464 to the other end of the connection, leaving it active. The delay between
7465 keep-alive probes is controlled by the system only and depends both on the
7466 operating system and its tuning parameters.
7467
7468 It is important to understand that keep-alive packets are neither emitted nor
7469 received at the application level. It is only the network stacks which sees
7470 them. For this reason, even if one side of the proxy already uses keep-alives
7471 to maintain its connection alive, those keep-alive packets will not be
7472 forwarded to the other side of the proxy.
7473
7474 Please note that this has nothing to do with HTTP keep-alive.
7475
7476 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
7477 client side of a connection, which should help when session expirations are
7478 noticed between HAProxy and a client.
7479
7480 If this option has been enabled in a "defaults" section, it can be disabled
7481 in a specific instance by prepending the "no" keyword before it.
7482
7483 See also : "option srvtcpka", "option tcpka"
7484
7485
Willy Tarreau0ba27502007-12-24 16:55:16 +01007486option contstats
7487 Enable continuous traffic statistics updates
7488 May be used in sections : defaults | frontend | listen | backend
7489 yes | yes | yes | no
7490 Arguments : none
7491
7492 By default, counters used for statistics calculation are incremented
7493 only when a session finishes. It works quite well when serving small
7494 objects, but with big ones (for example large images or archives) or
7495 with A/V streaming, a graph generated from haproxy counters looks like
Willy Tarreaudef0d222016-11-08 22:03:00 +01007496 a hedgehog. With this option enabled counters get incremented frequently
7497 along the session, typically every 5 seconds, which is often enough to
7498 produce clean graphs. Recounting touches a hotpath directly so it is not
7499 not enabled by default, as it can cause a lot of wakeups for very large
7500 session counts and cause a small performance drop.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007501
Christopher Faulet89aed322020-06-02 17:33:56 +02007502option disable-h2-upgrade
7503no option disable-h2-upgrade
7504 Enable or disable the implicit HTTP/2 upgrade from an HTTP/1.x client
7505 connection.
7506 May be used in sections : defaults | frontend | listen | backend
7507 yes | yes | yes | no
7508 Arguments : none
7509
7510 By default, HAProxy is able to implicitly upgrade an HTTP/1.x client
7511 connection to an HTTP/2 connection if the first request it receives from a
7512 given HTTP connection matches the HTTP/2 connection preface (i.e. the string
7513 "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"). This way, it is possible to support
7514 HTTP/1.x and HTTP/2 clients on a non-SSL connections. This option must be used to
7515 disable the implicit upgrade. Note this implicit upgrade is only supported
7516 for HTTP proxies, thus this option too. Note also it is possible to force the
7517 HTTP/2 on clear connections by specifying "proto h2" on the bind line.
7518
7519 If this option has been enabled in a "defaults" section, it can be disabled
7520 in a specific instance by prepending the "no" keyword before it.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007521
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007522option dontlog-normal
7523no option dontlog-normal
7524 Enable or disable logging of normal, successful connections
7525 May be used in sections : defaults | frontend | listen | backend
7526 yes | yes | yes | no
7527 Arguments : none
7528
7529 There are large sites dealing with several thousand connections per second
7530 and for which logging is a major pain. Some of them are even forced to turn
7531 logs off and cannot debug production issues. Setting this option ensures that
7532 normal connections, those which experience no error, no timeout, no retry nor
7533 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
7534 mode, the response status code is checked and return codes 5xx will still be
7535 logged.
7536
7537 It is strongly discouraged to use this option as most of the time, the key to
7538 complex issues is in the normal logs which will not be logged here. If you
7539 need to separate logs, see the "log-separate-errors" option instead.
7540
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007541 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007542 logging.
7543
7544
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007545option dontlognull
7546no option dontlognull
7547 Enable or disable logging of null connections
7548 May be used in sections : defaults | frontend | listen | backend
7549 yes | yes | yes | no
7550 Arguments : none
7551
7552 In certain environments, there are components which will regularly connect to
7553 various systems to ensure that they are still alive. It can be the case from
7554 another load balancer as well as from monitoring systems. By default, even a
7555 simple port probe or scan will produce a log. If those connections pollute
7556 the logs too much, it is possible to enable option "dontlognull" to indicate
7557 that a connection on which no data has been transferred will not be logged,
Willy Tarreau0f228a02015-05-01 15:37:53 +02007558 which typically corresponds to those probes. Note that errors will still be
7559 returned to the client and accounted for in the stats. If this is not what is
7560 desired, option http-ignore-probes can be used instead.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007561
7562 It is generally recommended not to use this option in uncontrolled
Davor Ocelice9ed2812017-12-25 17:49:28 +01007563 environments (e.g. internet), otherwise scans and other malicious activities
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007564 would not be logged.
7565
7566 If this option has been enabled in a "defaults" section, it can be disabled
7567 in a specific instance by prepending the "no" keyword before it.
7568
Willy Tarreau0f228a02015-05-01 15:37:53 +02007569 See also : "log", "http-ignore-probes", "monitor-net", "monitor-uri", and
7570 section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007571
Willy Tarreaubf1f8162007-12-28 17:42:56 +01007572
Willy Tarreau87cf5142011-08-19 22:57:24 +02007573option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01007574 Enable insertion of the X-Forwarded-For header to requests sent to servers
7575 May be used in sections : defaults | frontend | listen | backend
7576 yes | yes | yes | yes
7577 Arguments :
7578 <network> is an optional argument used to disable this option for sources
7579 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02007580 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01007581 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01007582
7583 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
7584 their client address. This is sometimes annoying when the client's IP address
7585 is expected in server logs. To solve this problem, the well-known HTTP header
7586 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
7587 This header contains a value representing the client's IP address. Since this
7588 header is always appended at the end of the existing header list, the server
7589 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02007590 the server's manual to find how to enable use of this standard header. Note
7591 that only the last occurrence of the header must be used, since it is really
7592 possible that the client has already brought one.
7593
Willy Tarreaud72758d2010-01-12 10:42:19 +01007594 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02007595 the default "X-Forwarded-For". This can be useful where you might already
Davor Ocelice9ed2812017-12-25 17:49:28 +01007596 have a "X-Forwarded-For" header from a different application (e.g. stunnel),
Willy Tarreaud72758d2010-01-12 10:42:19 +01007597 and you need preserve it. Also if your backend server doesn't use the
Davor Ocelice9ed2812017-12-25 17:49:28 +01007598 "X-Forwarded-For" header and requires different one (e.g. Zeus Web Servers
Ross Westaf72a1d2008-08-03 10:51:45 +02007599 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01007600
7601 Sometimes, a same HAProxy instance may be shared between a direct client
7602 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
7603 used to decrypt HTTPS traffic). It is possible to disable the addition of the
7604 header for a known source address or network by adding the "except" keyword
7605 followed by the network address. In this case, any source IP matching the
7606 network will not cause an addition of this header. Most common uses are with
7607 private networks or 127.0.0.1.
7608
Willy Tarreau87cf5142011-08-19 22:57:24 +02007609 Alternatively, the keyword "if-none" states that the header will only be
7610 added if it is not present. This should only be used in perfectly trusted
7611 environment, as this might cause a security issue if headers reaching haproxy
7612 are under the control of the end-user.
7613
Willy Tarreauc27debf2008-01-06 08:57:02 +01007614 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02007615 least one of them uses it, the header will be added. Note that the backend's
7616 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02007617 both are defined. In the case of the "if-none" argument, if at least one of
7618 the frontend or the backend does not specify it, it wants the addition to be
7619 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01007620
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02007621 Example :
Willy Tarreauc27debf2008-01-06 08:57:02 +01007622 # Public HTTP address also used by stunnel on the same machine
7623 frontend www
7624 mode http
7625 option forwardfor except 127.0.0.1 # stunnel already adds the header
7626
Ross Westaf72a1d2008-08-03 10:51:45 +02007627 # Those servers want the IP Address in X-Client
7628 backend www
7629 mode http
7630 option forwardfor header X-Client
7631
Willy Tarreau87cf5142011-08-19 22:57:24 +02007632 See also : "option httpclose", "option http-server-close",
Christopher Faulet315b39c2018-09-21 16:26:19 +02007633 "option http-keep-alive"
Willy Tarreauc27debf2008-01-06 08:57:02 +01007634
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02007635
Christopher Faulet98fbe952019-07-22 16:18:24 +02007636option h1-case-adjust-bogus-client
7637no option h1-case-adjust-bogus-client
7638 Enable or disable the case adjustment of HTTP/1 headers sent to bogus clients
7639 May be used in sections : defaults | frontend | listen | backend
7640 yes | yes | yes | no
7641 Arguments : none
7642
7643 There is no standard case for header names because, as stated in RFC7230,
7644 they are case-insensitive. So applications must handle them in a case-
7645 insensitive manner. But some bogus applications violate the standards and
7646 erroneously rely on the cases most commonly used by browsers. This problem
7647 becomes critical with HTTP/2 because all header names must be exchanged in
7648 lower case, and HAProxy follows the same convention. All header names are
7649 sent in lower case to clients and servers, regardless of the HTTP version.
7650
7651 When HAProxy receives an HTTP/1 response, its header names are converted to
7652 lower case and manipulated and sent this way to the clients. If a client is
7653 known to violate the HTTP standards and to fail to process a response coming
7654 from HAProxy, it is possible to transform the lower case header names to a
7655 different format when the response is formatted and sent to the client, by
7656 enabling this option and specifying the list of headers to be reformatted
7657 using the global directives "h1-case-adjust" or "h1-case-adjust-file". This
7658 must only be a temporary workaround for the time it takes the client to be
7659 fixed, because clients which require such workarounds might be vulnerable to
7660 content smuggling attacks and must absolutely be fixed.
7661
7662 Please note that this option will not affect standards-compliant clients.
7663
7664 If this option has been enabled in a "defaults" section, it can be disabled
7665 in a specific instance by prepending the "no" keyword before it.
7666
7667 See also: "option h1-case-adjust-bogus-server", "h1-case-adjust",
7668 "h1-case-adjust-file".
7669
7670
7671option h1-case-adjust-bogus-server
7672no option h1-case-adjust-bogus-server
7673 Enable or disable the case adjustment of HTTP/1 headers sent to bogus servers
7674 May be used in sections : defaults | frontend | listen | backend
7675 yes | no | yes | yes
7676 Arguments : none
7677
7678 There is no standard case for header names because, as stated in RFC7230,
7679 they are case-insensitive. So applications must handle them in a case-
7680 insensitive manner. But some bogus applications violate the standards and
7681 erroneously rely on the cases most commonly used by browsers. This problem
7682 becomes critical with HTTP/2 because all header names must be exchanged in
7683 lower case, and HAProxy follows the same convention. All header names are
7684 sent in lower case to clients and servers, regardless of the HTTP version.
7685
7686 When HAProxy receives an HTTP/1 request, its header names are converted to
7687 lower case and manipulated and sent this way to the servers. If a server is
7688 known to violate the HTTP standards and to fail to process a request coming
7689 from HAProxy, it is possible to transform the lower case header names to a
7690 different format when the request is formatted and sent to the server, by
7691 enabling this option and specifying the list of headers to be reformatted
7692 using the global directives "h1-case-adjust" or "h1-case-adjust-file". This
7693 must only be a temporary workaround for the time it takes the server to be
7694 fixed, because servers which require such workarounds might be vulnerable to
7695 content smuggling attacks and must absolutely be fixed.
7696
7697 Please note that this option will not affect standards-compliant servers.
7698
7699 If this option has been enabled in a "defaults" section, it can be disabled
7700 in a specific instance by prepending the "no" keyword before it.
7701
7702 See also: "option h1-case-adjust-bogus-client", "h1-case-adjust",
7703 "h1-case-adjust-file".
7704
7705
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02007706option http-buffer-request
7707no option http-buffer-request
7708 Enable or disable waiting for whole HTTP request body before proceeding
7709 May be used in sections : defaults | frontend | listen | backend
7710 yes | yes | yes | yes
7711 Arguments : none
7712
7713 It is sometimes desirable to wait for the body of an HTTP request before
7714 taking a decision. This is what is being done by "balance url_param" for
7715 example. The first use case is to buffer requests from slow clients before
7716 connecting to the server. Another use case consists in taking the routing
7717 decision based on the request body's contents. This option placed in a
7718 frontend or backend forces the HTTP processing to wait until either the whole
Christopher Faulet6db8a2e2019-11-19 16:27:25 +01007719 body is received or the request buffer is full. It can have undesired side
7720 effects with some applications abusing HTTP by expecting unbuffered
7721 transmissions between the frontend and the backend, so this should definitely
7722 not be used by default.
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02007723
Baptiste Assmanneccdf432015-10-28 13:49:01 +01007724 See also : "option http-no-delay", "timeout http-request"
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02007725
7726
Willy Tarreau0f228a02015-05-01 15:37:53 +02007727option http-ignore-probes
7728no option http-ignore-probes
7729 Enable or disable logging of null connections and request timeouts
7730 May be used in sections : defaults | frontend | listen | backend
7731 yes | yes | yes | no
7732 Arguments : none
7733
7734 Recently some browsers started to implement a "pre-connect" feature
7735 consisting in speculatively connecting to some recently visited web sites
7736 just in case the user would like to visit them. This results in many
7737 connections being established to web sites, which end up in 408 Request
7738 Timeout if the timeout strikes first, or 400 Bad Request when the browser
7739 decides to close them first. These ones pollute the log and feed the error
7740 counters. There was already "option dontlognull" but it's insufficient in
7741 this case. Instead, this option does the following things :
7742 - prevent any 400/408 message from being sent to the client if nothing
Davor Ocelice9ed2812017-12-25 17:49:28 +01007743 was received over a connection before it was closed;
7744 - prevent any log from being emitted in this situation;
Willy Tarreau0f228a02015-05-01 15:37:53 +02007745 - prevent any error counter from being incremented
7746
7747 That way the empty connection is silently ignored. Note that it is better
7748 not to use this unless it is clear that it is needed, because it will hide
7749 real problems. The most common reason for not receiving a request and seeing
7750 a 408 is due to an MTU inconsistency between the client and an intermediary
7751 element such as a VPN, which blocks too large packets. These issues are
7752 generally seen with POST requests as well as GET with large cookies. The logs
7753 are often the only way to detect them.
7754
7755 If this option has been enabled in a "defaults" section, it can be disabled
7756 in a specific instance by prepending the "no" keyword before it.
7757
7758 See also : "log", "dontlognull", "errorfile", and section 8 about logging.
7759
7760
Willy Tarreau16bfb022010-01-16 19:48:41 +01007761option http-keep-alive
7762no option http-keep-alive
7763 Enable or disable HTTP keep-alive from client to server
7764 May be used in sections : defaults | frontend | listen | backend
7765 yes | yes | yes | yes
7766 Arguments : none
7767
Willy Tarreau70dffda2014-01-30 03:07:23 +01007768 By default HAProxy operates in keep-alive mode with regards to persistent
7769 connections: for each connection it processes each request and response, and
Christopher Faulet315b39c2018-09-21 16:26:19 +02007770 leaves the connection idle on both sides between the end of a response and
7771 the start of a new request. This mode may be changed by several options such
Christopher Faulet159e6672019-07-16 15:09:52 +02007772 as "option http-server-close" or "option httpclose". This option allows to
7773 set back the keep-alive mode, which can be useful when another mode was used
7774 in a defaults section.
Willy Tarreau70dffda2014-01-30 03:07:23 +01007775
7776 Setting "option http-keep-alive" enables HTTP keep-alive mode on the client-
7777 and server- sides. This provides the lowest latency on the client side (slow
Willy Tarreau16bfb022010-01-16 19:48:41 +01007778 network) and the fastest session reuse on the server side at the expense
7779 of maintaining idle connections to the servers. In general, it is possible
7780 with this option to achieve approximately twice the request rate that the
7781 "http-server-close" option achieves on small objects. There are mainly two
7782 situations where this option may be useful :
7783
7784 - when the server is non-HTTP compliant and authenticates the connection
Davor Ocelice9ed2812017-12-25 17:49:28 +01007785 instead of requests (e.g. NTLM authentication)
Willy Tarreau16bfb022010-01-16 19:48:41 +01007786
7787 - when the cost of establishing the connection to the server is significant
7788 compared to the cost of retrieving the associated object from the server.
7789
7790 This last case can happen when the server is a fast static server of cache.
7791 In this case, the server will need to be properly tuned to support high enough
7792 connection counts because connections will last until the client sends another
7793 request.
7794
7795 If the client request has to go to another backend or another server due to
7796 content switching or the load balancing algorithm, the idle connection will
Willy Tarreau9420b122013-12-15 18:58:25 +01007797 immediately be closed and a new one re-opened. Option "prefer-last-server" is
7798 available to try optimize server selection so that if the server currently
7799 attached to an idle connection is usable, it will be used.
Willy Tarreau16bfb022010-01-16 19:48:41 +01007800
Willy Tarreau16bfb022010-01-16 19:48:41 +01007801 At the moment, logs will not indicate whether requests came from the same
7802 session or not. The accept date reported in the logs corresponds to the end
7803 of the previous request, and the request time corresponds to the time spent
7804 waiting for a new request. The keep-alive request time is still bound to the
7805 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
7806 not set.
7807
Christopher Faulet159e6672019-07-16 15:09:52 +02007808 This option disables and replaces any previous "option httpclose" or "option
7809 http-server-close". When backend and frontend options differ, all of these 4
7810 options have precedence over "option http-keep-alive".
Willy Tarreau16bfb022010-01-16 19:48:41 +01007811
Christopher Faulet315b39c2018-09-21 16:26:19 +02007812 See also : "option httpclose",, "option http-server-close",
Willy Tarreau9420b122013-12-15 18:58:25 +01007813 "option prefer-last-server", "option http-pretend-keepalive",
Frédéric Lécaille93d33162019-03-06 09:35:59 +01007814 and "1.1. The HTTP transaction model".
Willy Tarreau16bfb022010-01-16 19:48:41 +01007815
7816
Willy Tarreau96e31212011-05-30 18:10:30 +02007817option http-no-delay
7818no option http-no-delay
7819 Instruct the system to favor low interactive delays over performance in HTTP
7820 May be used in sections : defaults | frontend | listen | backend
7821 yes | yes | yes | yes
7822 Arguments : none
7823
7824 In HTTP, each payload is unidirectional and has no notion of interactivity.
7825 Any agent is expected to queue data somewhat for a reasonably low delay.
7826 There are some very rare server-to-server applications that abuse the HTTP
7827 protocol and expect the payload phase to be highly interactive, with many
7828 interleaved data chunks in both directions within a single request. This is
7829 absolutely not supported by the HTTP specification and will not work across
7830 most proxies or servers. When such applications attempt to do this through
7831 haproxy, it works but they will experience high delays due to the network
7832 optimizations which favor performance by instructing the system to wait for
7833 enough data to be available in order to only send full packets. Typical
7834 delays are around 200 ms per round trip. Note that this only happens with
7835 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
7836 affected.
7837
7838 When "option http-no-delay" is present in either the frontend or the backend
7839 used by a connection, all such optimizations will be disabled in order to
7840 make the exchanges as fast as possible. Of course this offers no guarantee on
7841 the functionality, as it may break at any other place. But if it works via
7842 HAProxy, it will work as fast as possible. This option should never be used
7843 by default, and should never be used at all unless such a buggy application
7844 is discovered. The impact of using this option is an increase of bandwidth
7845 usage and CPU usage, which may significantly lower performance in high
7846 latency environments.
7847
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02007848 See also : "option http-buffer-request"
7849
Willy Tarreau96e31212011-05-30 18:10:30 +02007850
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02007851option http-pretend-keepalive
7852no option http-pretend-keepalive
7853 Define whether haproxy will announce keepalive to the server or not
7854 May be used in sections : defaults | frontend | listen | backend
Christopher Faulet98db9762018-09-21 10:25:19 +02007855 yes | no | yes | yes
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02007856 Arguments : none
7857
Christopher Faulet315b39c2018-09-21 16:26:19 +02007858 When running with "option http-server-close" or "option httpclose", haproxy
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02007859 adds a "Connection: close" header to the request forwarded to the server.
7860 Unfortunately, when some servers see this header, they automatically refrain
7861 from using the chunked encoding for responses of unknown length, while this
7862 is totally unrelated. The immediate effect is that this prevents haproxy from
7863 maintaining the client connection alive. A second effect is that a client or
7864 a cache could receive an incomplete response without being aware of it, and
7865 consider the response complete.
7866
7867 By setting "option http-pretend-keepalive", haproxy will make the server
7868 believe it will keep the connection alive. The server will then not fall back
7869 to the abnormal undesired above. When haproxy gets the whole response, it
7870 will close the connection with the server just as it would do with the
Christopher Faulet315b39c2018-09-21 16:26:19 +02007871 "option httpclose". That way the client gets a normal response and the
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02007872 connection is correctly closed on the server side.
7873
7874 It is recommended not to enable this option by default, because most servers
7875 will more efficiently close the connection themselves after the last packet,
7876 and release its buffers slightly earlier. Also, the added packet on the
7877 network could slightly reduce the overall peak performance. However it is
7878 worth noting that when this option is enabled, haproxy will have slightly
7879 less work to do. So if haproxy is the bottleneck on the whole architecture,
7880 enabling this option might save a few CPU cycles.
7881
Christopher Faulet98db9762018-09-21 10:25:19 +02007882 This option may be set in backend and listen sections. Using it in a frontend
7883 section will be ignored and a warning will be reported during startup. It is
7884 a backend related option, so there is no real reason to set it on a
7885 frontend. This option may be combined with "option httpclose", which will
7886 cause keepalive to be announced to the server and close to be announced to
7887 the client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02007888
7889 If this option has been enabled in a "defaults" section, it can be disabled
7890 in a specific instance by prepending the "no" keyword before it.
7891
Christopher Faulet315b39c2018-09-21 16:26:19 +02007892 See also : "option httpclose", "option http-server-close", and
Willy Tarreau16bfb022010-01-16 19:48:41 +01007893 "option http-keep-alive"
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02007894
Willy Tarreauc27debf2008-01-06 08:57:02 +01007895
Willy Tarreaub608feb2010-01-02 22:47:18 +01007896option http-server-close
7897no option http-server-close
7898 Enable or disable HTTP connection closing on the server side
7899 May be used in sections : defaults | frontend | listen | backend
7900 yes | yes | yes | yes
7901 Arguments : none
7902
Willy Tarreau70dffda2014-01-30 03:07:23 +01007903 By default HAProxy operates in keep-alive mode with regards to persistent
7904 connections: for each connection it processes each request and response, and
7905 leaves the connection idle on both sides between the end of a response and
7906 the start of a new request. This mode may be changed by several options such
Christopher Faulet159e6672019-07-16 15:09:52 +02007907 as "option http-server-close" or "option httpclose". Setting "option
7908 http-server-close" enables HTTP connection-close mode on the server side
7909 while keeping the ability to support HTTP keep-alive and pipelining on the
7910 client side. This provides the lowest latency on the client side (slow
7911 network) and the fastest session reuse on the server side to save server
7912 resources, similarly to "option httpclose". It also permits non-keepalive
7913 capable servers to be served in keep-alive mode to the clients if they
7914 conform to the requirements of RFC7230. Please note that some servers do not
7915 always conform to those requirements when they see "Connection: close" in the
7916 request. The effect will be that keep-alive will never be used. A workaround
7917 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01007918
7919 At the moment, logs will not indicate whether requests came from the same
7920 session or not. The accept date reported in the logs corresponds to the end
7921 of the previous request, and the request time corresponds to the time spent
7922 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01007923 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
7924 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01007925
7926 This option may be set both in a frontend and in a backend. It is enabled if
7927 at least one of the frontend or backend holding a connection has it enabled.
Christopher Faulet159e6672019-07-16 15:09:52 +02007928 It disables and replaces any previous "option httpclose" or "option
7929 http-keep-alive". Please check section 4 ("Proxies") to see how this option
7930 combines with others when frontend and backend options differ.
Willy Tarreaub608feb2010-01-02 22:47:18 +01007931
7932 If this option has been enabled in a "defaults" section, it can be disabled
7933 in a specific instance by prepending the "no" keyword before it.
7934
Christopher Faulet315b39c2018-09-21 16:26:19 +02007935 See also : "option httpclose", "option http-pretend-keepalive",
7936 "option http-keep-alive", and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01007937
Willy Tarreau88d349d2010-01-25 12:15:43 +01007938option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01007939no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01007940 Make use of non-standard Proxy-Connection header instead of Connection
7941 May be used in sections : defaults | frontend | listen | backend
7942 yes | yes | yes | no
7943 Arguments : none
7944
Lukas Tribus23953682017-04-28 13:24:30 +00007945 While RFC7230 explicitly states that HTTP/1.1 agents must use the
Willy Tarreau88d349d2010-01-25 12:15:43 +01007946 Connection header to indicate their wish of persistent or non-persistent
7947 connections, both browsers and proxies ignore this header for proxied
7948 connections and make use of the undocumented, non-standard Proxy-Connection
7949 header instead. The issue begins when trying to put a load balancer between
7950 browsers and such proxies, because there will be a difference between what
7951 haproxy understands and what the client and the proxy agree on.
7952
7953 By setting this option in a frontend, haproxy can automatically switch to use
7954 that non-standard header if it sees proxied requests. A proxied request is
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01007955 defined here as one where the URI begins with neither a '/' nor a '*'. This
7956 is incompatible with the HTTP tunnel mode. Note that this option can only be
7957 specified in a frontend and will affect the request along its whole life.
Willy Tarreau88d349d2010-01-25 12:15:43 +01007958
Willy Tarreau844a7e72010-01-31 21:46:18 +01007959 Also, when this option is set, a request which requires authentication will
7960 automatically switch to use proxy authentication headers if it is itself a
7961 proxied request. That makes it possible to check or enforce authentication in
7962 front of an existing proxy.
7963
Willy Tarreau88d349d2010-01-25 12:15:43 +01007964 This option should normally never be used, except in front of a proxy.
7965
Christopher Faulet315b39c2018-09-21 16:26:19 +02007966 See also : "option httpclose", and "option http-server-close".
Willy Tarreau88d349d2010-01-25 12:15:43 +01007967
Willy Tarreaud63335a2010-02-26 12:56:52 +01007968option httpchk
7969option httpchk <uri>
7970option httpchk <method> <uri>
7971option httpchk <method> <uri> <version>
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02007972 Enables HTTP protocol to check on the servers health
Willy Tarreaud63335a2010-02-26 12:56:52 +01007973 May be used in sections : defaults | frontend | listen | backend
7974 yes | no | yes | yes
7975 Arguments :
7976 <method> is the optional HTTP method used with the requests. When not set,
7977 the "OPTIONS" method is used, as it generally requires low server
7978 processing and is easy to filter out from the logs. Any method
7979 may be used, though it is not recommended to invent non-standard
7980 ones.
7981
7982 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
7983 which is accessible by default on almost any server, but may be
7984 changed to any other URI. Query strings are permitted.
7985
7986 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
7987 but some servers might behave incorrectly in HTTP 1.0, so turning
7988 it to HTTP/1.1 may sometimes help. Note that the Host field is
Christopher Faulet8acb1282020-04-09 08:44:06 +02007989 mandatory in HTTP/1.1, use "http-check send" directive to add it.
Willy Tarreaud63335a2010-02-26 12:56:52 +01007990
7991 By default, server health checks only consist in trying to establish a TCP
7992 connection. When "option httpchk" is specified, a complete HTTP request is
7993 sent once the TCP connection is established, and responses 2xx and 3xx are
7994 considered valid, while all other ones indicate a server failure, including
7995 the lack of any response.
7996
Christopher Faulete5870d82020-04-15 11:32:03 +02007997 Combined with "http-check" directives, it is possible to customize the
7998 request sent during the HTTP health checks or the matching rules on the
7999 response. It is also possible to configure a send/expect sequence, just like
8000 with the directive "tcp-check" for TCP health checks.
8001
8002 The server configuration is used by default to open connections to perform
8003 HTTP health checks. By it is also possible to overwrite server parameters
8004 using "http-check connect" rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008005
Christopher Faulete5870d82020-04-15 11:32:03 +02008006 "httpchk" option does not necessarily require an HTTP backend, it also works
8007 with plain TCP backends. This is particularly useful to check simple scripts
Christopher Faulet14cd3162020-04-16 14:50:06 +02008008 bound to some dedicated ports using the inetd daemon. However, it will always
Daniel Corbett67a82712020-07-06 23:01:19 -04008009 internally relies on an HTX multiplexer. Thus, it means the request
Christopher Faulet14cd3162020-04-16 14:50:06 +02008010 formatting and the response parsing will be strict.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008011
Christopher Faulet8acb1282020-04-09 08:44:06 +02008012 Note : For a while, there was no way to add headers or body in the request
8013 used for HTTP health checks. So a workaround was to hide it at the end
8014 of the version string with a "\r\n" after the version. It is now
8015 deprecated. The directive "http-check send" must be used instead.
8016
Willy Tarreaud63335a2010-02-26 12:56:52 +01008017 Examples :
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02008018 # Relay HTTPS traffic to Apache instance and check service availability
8019 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
8020 backend https_relay
8021 mode tcp
8022 option httpchk OPTIONS * HTTP/1.1
8023 http-check send hdr Host www
8024 server apache1 192.168.1.1:443 check port 80
Willy Tarreaud63335a2010-02-26 12:56:52 +01008025
Simon Hormanafc47ee2013-11-25 10:46:35 +09008026 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
8027 "option pgsql-check", "http-check" and the "check", "port" and
8028 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008029
8030
Willy Tarreauc27debf2008-01-06 08:57:02 +01008031option httpclose
8032no option httpclose
Christopher Faulet315b39c2018-09-21 16:26:19 +02008033 Enable or disable HTTP connection closing
Willy Tarreauc27debf2008-01-06 08:57:02 +01008034 May be used in sections : defaults | frontend | listen | backend
8035 yes | yes | yes | yes
8036 Arguments : none
8037
Willy Tarreau70dffda2014-01-30 03:07:23 +01008038 By default HAProxy operates in keep-alive mode with regards to persistent
8039 connections: for each connection it processes each request and response, and
8040 leaves the connection idle on both sides between the end of a response and
8041 the start of a new request. This mode may be changed by several options such
Christopher Faulet159e6672019-07-16 15:09:52 +02008042 as "option http-server-close" or "option httpclose".
Willy Tarreau70dffda2014-01-30 03:07:23 +01008043
Christopher Faulet315b39c2018-09-21 16:26:19 +02008044 If "option httpclose" is set, HAProxy will close connections with the server
8045 and the client as soon as the request and the response are received. It will
John Roeslerfb2fce12019-07-10 15:45:51 -05008046 also check if a "Connection: close" header is already set in each direction,
Christopher Faulet315b39c2018-09-21 16:26:19 +02008047 and will add one if missing. Any "Connection" header different from "close"
8048 will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008049
Christopher Faulet315b39c2018-09-21 16:26:19 +02008050 This option may also be combined with "option http-pretend-keepalive", which
8051 will disable sending of the "Connection: close" header, but will still cause
8052 the connection to be closed once the whole response is received.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008053
8054 This option may be set both in a frontend and in a backend. It is enabled if
8055 at least one of the frontend or backend holding a connection has it enabled.
Christopher Faulet159e6672019-07-16 15:09:52 +02008056 It disables and replaces any previous "option http-server-close" or "option
8057 http-keep-alive". Please check section 4 ("Proxies") to see how this option
8058 combines with others when frontend and backend options differ.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008059
8060 If this option has been enabled in a "defaults" section, it can be disabled
8061 in a specific instance by prepending the "no" keyword before it.
8062
Christopher Faulet315b39c2018-09-21 16:26:19 +02008063 See also : "option http-server-close" and "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01008064
8065
Emeric Brun3a058f32009-06-30 18:26:00 +02008066option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01008067 Enable logging of HTTP request, session state and timers
8068 May be used in sections : defaults | frontend | listen | backend
Tim Duesterhus9ad9f352018-02-05 20:52:27 +01008069 yes | yes | yes | no
Emeric Brun3a058f32009-06-30 18:26:00 +02008070 Arguments :
8071 clf if the "clf" argument is added, then the output format will be
8072 the CLF format instead of HAProxy's default HTTP format. You can
8073 use this when you need to feed HAProxy's logs through a specific
Davor Ocelice9ed2812017-12-25 17:49:28 +01008074 log analyzer which only support the CLF format and which is not
Emeric Brun3a058f32009-06-30 18:26:00 +02008075 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008076
8077 By default, the log output format is very poor, as it only contains the
8078 source and destination addresses, and the instance name. By specifying
8079 "option httplog", each log line turns into a much richer format including,
8080 but not limited to, the HTTP request, the connection timers, the session
8081 status, the connections numbers, the captured headers and cookies, the
8082 frontend, backend and server name, and of course the source address and
8083 ports.
8084
PiBa-NLbd556bf2014-12-11 21:31:54 +01008085 Specifying only "option httplog" will automatically clear the 'clf' mode
8086 if it was set by default.
Emeric Brun3a058f32009-06-30 18:26:00 +02008087
Guillaume de Lafond29f45602017-03-31 19:52:15 +02008088 "option httplog" overrides any previous "log-format" directive.
8089
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008090 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008091
Willy Tarreau55165fe2009-05-10 12:02:55 +02008092
8093option http_proxy
8094no option http_proxy
8095 Enable or disable plain HTTP proxy mode
8096 May be used in sections : defaults | frontend | listen | backend
8097 yes | yes | yes | yes
8098 Arguments : none
8099
8100 It sometimes happens that people need a pure HTTP proxy which understands
8101 basic proxy requests without caching nor any fancy feature. In this case,
8102 it may be worth setting up an HAProxy instance with the "option http_proxy"
8103 set. In this mode, no server is declared, and the connection is forwarded to
8104 the IP address and port found in the URL after the "http://" scheme.
8105
8106 No host address resolution is performed, so this only works when pure IP
8107 addresses are passed. Since this option's usage perimeter is rather limited,
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01008108 it will probably be used only by experts who know they need exactly it. This
8109 is incompatible with the HTTP tunnel mode.
Willy Tarreau55165fe2009-05-10 12:02:55 +02008110
8111 If this option has been enabled in a "defaults" section, it can be disabled
8112 in a specific instance by prepending the "no" keyword before it.
8113
8114 Example :
8115 # this backend understands HTTP proxy requests and forwards them directly.
8116 backend direct_forward
8117 option httpclose
8118 option http_proxy
8119
8120 See also : "option httpclose"
8121
Willy Tarreau211ad242009-10-03 21:45:07 +02008122
Jamie Gloudon801a0a32012-08-25 00:18:33 -04008123option independent-streams
8124no option independent-streams
8125 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02008126 May be used in sections : defaults | frontend | listen | backend
8127 yes | yes | yes | yes
8128 Arguments : none
8129
8130 By default, when data is sent over a socket, both the write timeout and the
8131 read timeout for that socket are refreshed, because we consider that there is
8132 activity on that socket, and we have no other means of guessing if we should
8133 receive data or not.
8134
Davor Ocelice9ed2812017-12-25 17:49:28 +01008135 While this default behavior is desirable for almost all applications, there
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02008136 exists a situation where it is desirable to disable it, and only refresh the
8137 read timeout if there are incoming data. This happens on sessions with large
8138 timeouts and low amounts of exchanged data such as telnet session. If the
8139 server suddenly disappears, the output data accumulates in the system's
8140 socket buffers, both timeouts are correctly refreshed, and there is no way
8141 to know the server does not receive them, so we don't timeout. However, when
8142 the underlying protocol always echoes sent data, it would be enough by itself
8143 to detect the issue using the read timeout. Note that this problem does not
8144 happen with more verbose protocols because data won't accumulate long in the
8145 socket buffers.
8146
8147 When this option is set on the frontend, it will disable read timeout updates
8148 on data sent to the client. There probably is little use of this case. When
8149 the option is set on the backend, it will disable read timeout updates on
8150 data sent to the server. Doing so will typically break large HTTP posts from
8151 slow lines, so use it with caution.
8152
Willy Tarreauce887fd2012-05-12 12:50:00 +02008153 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02008154
8155
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02008156option ldap-check
8157 Use LDAPv3 health checks for server testing
8158 May be used in sections : defaults | frontend | listen | backend
8159 yes | no | yes | yes
8160 Arguments : none
8161
8162 It is possible to test that the server correctly talks LDAPv3 instead of just
8163 testing that it accepts the TCP connection. When this option is set, an
8164 LDAPv3 anonymous simple bind message is sent to the server, and the response
8165 is analyzed to find an LDAPv3 bind response message.
8166
8167 The server is considered valid only when the LDAP response contains success
8168 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
8169
8170 Logging of bind requests is server dependent see your documentation how to
8171 configure it.
8172
8173 Example :
8174 option ldap-check
8175
8176 See also : "option httpchk"
8177
8178
Simon Horman98637e52014-06-20 12:30:16 +09008179option external-check
8180 Use external processes for server health checks
8181 May be used in sections : defaults | frontend | listen | backend
8182 yes | no | yes | yes
8183
8184 It is possible to test the health of a server using an external command.
8185 This is achieved by running the executable set using "external-check
8186 command".
8187
8188 Requires the "external-check" global to be set.
8189
8190 See also : "external-check", "external-check command", "external-check path"
8191
8192
Willy Tarreau211ad242009-10-03 21:45:07 +02008193option log-health-checks
8194no option log-health-checks
Willy Tarreaubef1b322014-05-13 21:01:39 +02008195 Enable or disable logging of health checks status updates
Willy Tarreau211ad242009-10-03 21:45:07 +02008196 May be used in sections : defaults | frontend | listen | backend
8197 yes | no | yes | yes
8198 Arguments : none
8199
Willy Tarreaubef1b322014-05-13 21:01:39 +02008200 By default, failed health check are logged if server is UP and successful
8201 health checks are logged if server is DOWN, so the amount of additional
8202 information is limited.
Willy Tarreau211ad242009-10-03 21:45:07 +02008203
Willy Tarreaubef1b322014-05-13 21:01:39 +02008204 When this option is enabled, any change of the health check status or to
8205 the server's health will be logged, so that it becomes possible to know
8206 that a server was failing occasional checks before crashing, or exactly when
8207 it failed to respond a valid HTTP status, then when the port started to
8208 reject connections, then when the server stopped responding at all.
8209
Davor Ocelice9ed2812017-12-25 17:49:28 +01008210 Note that status changes not caused by health checks (e.g. enable/disable on
Willy Tarreaubef1b322014-05-13 21:01:39 +02008211 the CLI) are intentionally not logged by this option.
Willy Tarreau211ad242009-10-03 21:45:07 +02008212
Willy Tarreaubef1b322014-05-13 21:01:39 +02008213 See also: "option httpchk", "option ldap-check", "option mysql-check",
8214 "option pgsql-check", "option redis-check", "option smtpchk",
8215 "option tcp-check", "log" and section 8 about logging.
Willy Tarreau211ad242009-10-03 21:45:07 +02008216
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008217
8218option log-separate-errors
8219no option log-separate-errors
8220 Change log level for non-completely successful connections
8221 May be used in sections : defaults | frontend | listen | backend
8222 yes | yes | yes | no
8223 Arguments : none
8224
8225 Sometimes looking for errors in logs is not easy. This option makes haproxy
8226 raise the level of logs containing potentially interesting information such
8227 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
8228 level changes from "info" to "err". This makes it possible to log them
8229 separately to a different file with most syslog daemons. Be careful not to
8230 remove them from the original file, otherwise you would lose ordering which
8231 provides very important information.
8232
8233 Using this option, large sites dealing with several thousand connections per
8234 second may log normal traffic to a rotating buffer and only archive smaller
8235 error logs.
8236
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008237 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008238 logging.
8239
Willy Tarreauc27debf2008-01-06 08:57:02 +01008240
8241option logasap
8242no option logasap
Jerome Magnin95fb57b2020-04-23 19:01:17 +02008243 Enable or disable early logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008244 May be used in sections : defaults | frontend | listen | backend
8245 yes | yes | yes | no
8246 Arguments : none
8247
Jerome Magnin95fb57b2020-04-23 19:01:17 +02008248 By default, logs are emitted when all the log format variables and sample
8249 fetches used in the definition of the log-format string return a value, or
8250 when the session is terminated. This allows the built in log-format strings
8251 to account for the transfer time, or the number of bytes in log messages.
8252
8253 When handling long lived connections such as large file transfers or RDP,
8254 it may take a while for the request or connection to appear in the logs.
8255 Using "option logasap", the log message is created as soon as the server
8256 connection is established in mode tcp, or as soon as the server sends the
8257 complete headers in mode http. Missing information in the logs will be the
Ilya Shipitsin4329a9a2020-05-05 21:17:10 +05008258 total number of bytes which will only indicate the amount of data transferred
Jerome Magnin95fb57b2020-04-23 19:01:17 +02008259 before the message was created and the total time which will not take the
8260 remainder of the connection life or transfer time into account. For the case
8261 of HTTP, it is good practice to capture the Content-Length response header
8262 so that the logs at least indicate how many bytes are expected to be
Ilya Shipitsin4329a9a2020-05-05 21:17:10 +05008263 transferred.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008264
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008265 Examples :
8266 listen http_proxy 0.0.0.0:80
8267 mode http
8268 option httplog
8269 option logasap
8270 log 192.168.2.200 local3
8271
8272 >>> Feb 6 12:14:14 localhost \
8273 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
8274 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
8275 "GET /image.iso HTTP/1.0"
8276
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008277 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01008278 logging.
8279
8280
Christopher Faulet62f79fe2020-05-18 18:13:03 +02008281option mysql-check [ user <username> [ { post-41 | pre-41 } ] ]
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02008282 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01008283 May be used in sections : defaults | frontend | listen | backend
8284 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02008285 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008286 <username> This is the username which will be used when connecting to MySQL
8287 server.
Christopher Faulet62f79fe2020-05-18 18:13:03 +02008288 post-41 Send post v4.1 client compatible checks (the default)
8289 pre-41 Send pre v4.1 client compatible checks
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02008290
8291 If you specify a username, the check consists of sending two MySQL packet,
8292 one Client Authentication packet, and one QUIT packet, to correctly close
Davor Ocelice9ed2812017-12-25 17:49:28 +01008293 MySQL session. We then parse the MySQL Handshake Initialization packet and/or
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02008294 Error packet. It is a basic but useful test which does not produce error nor
8295 aborted connect on the server. However, it requires adding an authorization
8296 in the MySQL table, like this :
8297
8298 USE mysql;
8299 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
8300 FLUSH PRIVILEGES;
8301
8302 If you don't specify a username (it is deprecated and not recommended), the
Davor Ocelice9ed2812017-12-25 17:49:28 +01008303 check only consists in parsing the Mysql Handshake Initialization packet or
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02008304 Error packet, we don't send anything in this mode. It was reported that it
8305 can generate lockout if check is too frequent and/or if there is not enough
8306 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
8307 value as if a connection is established successfully within fewer than MySQL
8308 "max_connect_errors" attempts after a previous connection was interrupted,
8309 the error count for the host is cleared to zero. If HAProxy's server get
8310 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
8311
8312 Remember that this does not check database presence nor database consistency.
8313 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01008314
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02008315 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01008316
8317 Most often, an incoming MySQL server needs to see the client's IP address for
8318 various purposes, including IP privilege matching and connection logging.
8319 When possible, it is often wise to masquerade the client's IP address when
8320 connecting to the server using the "usesrc" argument of the "source" keyword,
Willy Tarreau29fbe512015-08-20 19:35:14 +02008321 which requires the transparent proxy feature to be compiled in, and the MySQL
8322 server to route the client via the machine hosting haproxy.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01008323
8324 See also: "option httpchk"
8325
8326
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008327option nolinger
8328no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008329 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008330 May be used in sections: defaults | frontend | listen | backend
8331 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01008332 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008333
Davor Ocelice9ed2812017-12-25 17:49:28 +01008334 When clients or servers abort connections in a dirty way (e.g. they are
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008335 physically disconnected), the session timeouts triggers and the session is
8336 closed. But it will remain in FIN_WAIT1 state for some time in the system,
8337 using some resources and possibly limiting the ability to establish newer
8338 connections.
8339
8340 When this happens, it is possible to activate "option nolinger" which forces
8341 the system to immediately remove any socket's pending data on close. Thus,
8342 the session is instantly purged from the system's tables. This usually has
8343 side effects such as increased number of TCP resets due to old retransmits
8344 getting immediately rejected. Some firewalls may sometimes complain about
8345 this too.
8346
8347 For this reason, it is not recommended to use this option when not absolutely
8348 needed. You know that you need it when you have thousands of FIN_WAIT1
8349 sessions on your system (TIME_WAIT ones do not count).
8350
8351 This option may be used both on frontends and backends, depending on the side
8352 where it is required. Use it on the frontend for clients, and on the backend
8353 for servers.
8354
8355 If this option has been enabled in a "defaults" section, it can be disabled
8356 in a specific instance by prepending the "no" keyword before it.
8357
8358
Willy Tarreau55165fe2009-05-10 12:02:55 +02008359option originalto [ except <network> ] [ header <name> ]
8360 Enable insertion of the X-Original-To header to requests sent to servers
8361 May be used in sections : defaults | frontend | listen | backend
8362 yes | yes | yes | yes
8363 Arguments :
8364 <network> is an optional argument used to disable this option for sources
8365 matching <network>
8366 <name> an optional argument to specify a different "X-Original-To"
8367 header name.
8368
8369 Since HAProxy can work in transparent mode, every request from a client can
8370 be redirected to the proxy and HAProxy itself can proxy every request to a
8371 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
8372 be lost. This is annoying when you want access rules based on destination ip
8373 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
8374 added by HAProxy to all requests sent to the server. This header contains a
8375 value representing the original destination IP address. Since this must be
8376 configured to always use the last occurrence of this header only. Note that
8377 only the last occurrence of the header must be used, since it is really
8378 possible that the client has already brought one.
8379
8380 The keyword "header" may be used to supply a different header name to replace
8381 the default "X-Original-To". This can be useful where you might already
8382 have a "X-Original-To" header from a different application, and you need
8383 preserve it. Also if your backend server doesn't use the "X-Original-To"
8384 header and requires different one.
8385
8386 Sometimes, a same HAProxy instance may be shared between a direct client
8387 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
8388 used to decrypt HTTPS traffic). It is possible to disable the addition of the
8389 header for a known source address or network by adding the "except" keyword
8390 followed by the network address. In this case, any source IP matching the
8391 network will not cause an addition of this header. Most common uses are with
8392 private networks or 127.0.0.1.
8393
8394 This option may be specified either in the frontend or in the backend. If at
8395 least one of them uses it, the header will be added. Note that the backend's
8396 setting of the header subargument takes precedence over the frontend's if
8397 both are defined.
8398
Willy Tarreau55165fe2009-05-10 12:02:55 +02008399 Examples :
8400 # Original Destination address
8401 frontend www
8402 mode http
8403 option originalto except 127.0.0.1
8404
8405 # Those servers want the IP Address in X-Client-Dst
8406 backend www
8407 mode http
8408 option originalto header X-Client-Dst
8409
Christopher Faulet315b39c2018-09-21 16:26:19 +02008410 See also : "option httpclose", "option http-server-close".
Willy Tarreau55165fe2009-05-10 12:02:55 +02008411
8412
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008413option persist
8414no option persist
8415 Enable or disable forced persistence on down servers
8416 May be used in sections: defaults | frontend | listen | backend
8417 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01008418 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008419
8420 When an HTTP request reaches a backend with a cookie which references a dead
8421 server, by default it is redispatched to another server. It is possible to
8422 force the request to be sent to the dead server first using "option persist"
8423 if absolutely needed. A common use case is when servers are under extreme
8424 load and spend their time flapping. In this case, the users would still be
8425 directed to the server they opened the session on, in the hope they would be
8426 correctly served. It is recommended to use "option redispatch" in conjunction
8427 with this option so that in the event it would not be possible to connect to
8428 the server at all (server definitely dead), the client would finally be
8429 redirected to another valid server.
8430
8431 If this option has been enabled in a "defaults" section, it can be disabled
8432 in a specific instance by prepending the "no" keyword before it.
8433
Willy Tarreau4de91492010-01-22 19:10:05 +01008434 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008435
8436
Willy Tarreau0c122822013-12-15 18:49:01 +01008437option pgsql-check [ user <username> ]
8438 Use PostgreSQL health checks for server testing
8439 May be used in sections : defaults | frontend | listen | backend
8440 yes | no | yes | yes
8441 Arguments :
8442 <username> This is the username which will be used when connecting to
8443 PostgreSQL server.
8444
8445 The check sends a PostgreSQL StartupMessage and waits for either
8446 Authentication request or ErrorResponse message. It is a basic but useful
8447 test which does not produce error nor aborted connect on the server.
8448 This check is identical with the "mysql-check".
8449
8450 See also: "option httpchk"
8451
8452
Willy Tarreau9420b122013-12-15 18:58:25 +01008453option prefer-last-server
8454no option prefer-last-server
8455 Allow multiple load balanced requests to remain on the same server
8456 May be used in sections: defaults | frontend | listen | backend
8457 yes | no | yes | yes
8458 Arguments : none
8459
8460 When the load balancing algorithm in use is not deterministic, and a previous
8461 request was sent to a server to which haproxy still holds a connection, it is
8462 sometimes desirable that subsequent requests on a same session go to the same
8463 server as much as possible. Note that this is different from persistence, as
8464 we only indicate a preference which haproxy tries to apply without any form
8465 of warranty. The real use is for keep-alive connections sent to servers. When
8466 this option is used, haproxy will try to reuse the same connection that is
8467 attached to the server instead of rebalancing to another server, causing a
8468 close of the connection. This can make sense for static file servers. It does
Willy Tarreau068621e2013-12-23 15:11:25 +01008469 not make much sense to use this in combination with hashing algorithms. Note,
8470 haproxy already automatically tries to stick to a server which sends a 401 or
Lukas Tribus80512b12018-10-27 20:07:40 +02008471 to a proxy which sends a 407 (authentication required), when the load
8472 balancing algorithm is not deterministic. This is mandatory for use with the
8473 broken NTLM authentication challenge, and significantly helps in
Willy Tarreau068621e2013-12-23 15:11:25 +01008474 troubleshooting some faulty applications. Option prefer-last-server might be
8475 desirable in these environments as well, to avoid redistributing the traffic
8476 after every other response.
Willy Tarreau9420b122013-12-15 18:58:25 +01008477
8478 If this option has been enabled in a "defaults" section, it can be disabled
8479 in a specific instance by prepending the "no" keyword before it.
8480
8481 See also: "option http-keep-alive"
8482
8483
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008484option redispatch
Joseph Lynch726ab712015-05-11 23:25:34 -07008485option redispatch <interval>
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008486no option redispatch
8487 Enable or disable session redistribution in case of connection failure
8488 May be used in sections: defaults | frontend | listen | backend
8489 yes | no | yes | yes
Joseph Lynch726ab712015-05-11 23:25:34 -07008490 Arguments :
8491 <interval> The optional integer value that controls how often redispatches
8492 occur when retrying connections. Positive value P indicates a
8493 redispatch is desired on every Pth retry, and negative value
Davor Ocelice9ed2812017-12-25 17:49:28 +01008494 N indicate a redispatch is desired on the Nth retry prior to the
Joseph Lynch726ab712015-05-11 23:25:34 -07008495 last retry. For example, the default of -1 preserves the
Davor Ocelice9ed2812017-12-25 17:49:28 +01008496 historical behavior of redispatching on the last retry, a
Joseph Lynch726ab712015-05-11 23:25:34 -07008497 positive value of 1 would indicate a redispatch on every retry,
8498 and a positive value of 3 would indicate a redispatch on every
8499 third retry. You can disable redispatches with a value of 0.
8500
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008501
8502 In HTTP mode, if a server designated by a cookie is down, clients may
8503 definitely stick to it because they cannot flush the cookie, so they will not
8504 be able to access the service anymore.
8505
Willy Tarreau59884a62019-01-02 14:48:31 +01008506 Specifying "option redispatch" will allow the proxy to break cookie or
8507 consistent hash based persistence and redistribute them to a working server.
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008508
Olivier Carrère6e6f59b2020-04-15 11:30:18 +02008509 Active servers are selected from a subset of the list of available
8510 servers. Active servers that are not down or in maintenance (i.e., whose
8511 health is not checked or that have been checked as "up"), are selected in the
8512 following order:
8513
8514 1. Any active, non-backup server, if any, or,
8515
8516 2. If the "allbackups" option is not set, the first backup server in the
8517 list, or
8518
8519 3. If the "allbackups" option is set, any backup server.
8520
8521 When a retry occurs, HAProxy tries to select another server than the last
8522 one. The new server is selected from the current list of servers.
8523
8524 Sometimes, if the list is updated between retries (e.g., if numerous retries
8525 occur and last longer than the time needed to check that a server is down,
8526 remove it from the list and fall back on the list of backup servers),
8527 connections may be redirected to a backup server, though.
8528
Joseph Lynch726ab712015-05-11 23:25:34 -07008529 It also allows to retry connections to another server in case of multiple
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008530 connection failures. Of course, it requires having "retries" set to a nonzero
8531 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01008532
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008533 If this option has been enabled in a "defaults" section, it can be disabled
8534 in a specific instance by prepending the "no" keyword before it.
8535
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02008536 See also : "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008537
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008538
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02008539option redis-check
8540 Use redis health checks for server testing
8541 May be used in sections : defaults | frontend | listen | backend
8542 yes | no | yes | yes
8543 Arguments : none
8544
8545 It is possible to test that the server correctly talks REDIS protocol instead
8546 of just testing that it accepts the TCP connection. When this option is set,
8547 a PING redis command is sent to the server, and the response is analyzed to
8548 find the "+PONG" response message.
8549
8550 Example :
8551 option redis-check
8552
Jarno Huuskonene5ae7022017-04-03 14:36:21 +03008553 See also : "option httpchk", "option tcp-check", "tcp-check expect"
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02008554
8555
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008556option smtpchk
8557option smtpchk <hello> <domain>
8558 Use SMTP health checks for server testing
8559 May be used in sections : defaults | frontend | listen | backend
8560 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01008561 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008562 <hello> is an optional argument. It is the "hello" command to use. It can
Lukas Tribus27935782018-10-01 02:00:16 +02008563 be either "HELO" (for SMTP) or "EHLO" (for ESMTP). All other
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008564 values will be turned into the default command ("HELO").
8565
8566 <domain> is the domain name to present to the server. It may only be
8567 specified (and is mandatory) if the hello command has been
8568 specified. By default, "localhost" is used.
8569
8570 When "option smtpchk" is set, the health checks will consist in TCP
8571 connections followed by an SMTP command. By default, this command is
8572 "HELO localhost". The server's return code is analyzed and only return codes
8573 starting with a "2" will be considered as valid. All other responses,
8574 including a lack of response will constitute an error and will indicate a
8575 dead server.
8576
8577 This test is meant to be used with SMTP servers or relays. Depending on the
8578 request, it is possible that some servers do not log each connection attempt,
Davor Ocelice9ed2812017-12-25 17:49:28 +01008579 so you may want to experiment to improve the behavior. Using telnet on port
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008580 25 is often easier than adjusting the configuration.
8581
8582 Most often, an incoming SMTP server needs to see the client's IP address for
8583 various purposes, including spam filtering, anti-spoofing and logging. When
8584 possible, it is often wise to masquerade the client's IP address when
8585 connecting to the server using the "usesrc" argument of the "source" keyword,
Willy Tarreau29fbe512015-08-20 19:35:14 +02008586 which requires the transparent proxy feature to be compiled in.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008587
8588 Example :
8589 option smtpchk HELO mydomain.org
8590
8591 See also : "option httpchk", "source"
8592
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01008593
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02008594option socket-stats
8595no option socket-stats
8596
8597 Enable or disable collecting & providing separate statistics for each socket.
8598 May be used in sections : defaults | frontend | listen | backend
8599 yes | yes | yes | no
8600
8601 Arguments : none
8602
8603
Willy Tarreauff4f82d2009-02-06 11:28:13 +01008604option splice-auto
8605no option splice-auto
8606 Enable or disable automatic kernel acceleration on sockets in both directions
8607 May be used in sections : defaults | frontend | listen | backend
8608 yes | yes | yes | yes
8609 Arguments : none
8610
8611 When this option is enabled either on a frontend or on a backend, haproxy
8612 will automatically evaluate the opportunity to use kernel tcp splicing to
Davor Ocelice9ed2812017-12-25 17:49:28 +01008613 forward data between the client and the server, in either direction. HAProxy
Willy Tarreauff4f82d2009-02-06 11:28:13 +01008614 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008615 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01008616 are not much aggressive in order to limit excessive use of splicing. This
8617 option requires splicing to be enabled at compile time, and may be globally
8618 disabled with the global option "nosplice". Since splice uses pipes, using it
8619 requires that there are enough spare pipes.
8620
8621 Important note: kernel-based TCP splicing is a Linux-specific feature which
8622 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
8623 transfer data between sockets without copying these data to user-space, thus
8624 providing noticeable performance gains and CPU cycles savings. Since many
8625 early implementations are buggy, corrupt data and/or are inefficient, this
8626 feature is not enabled by default, and it should be used with extreme care.
8627 While it is not possible to detect the correctness of an implementation,
8628 2.6.29 is the first version offering a properly working implementation. In
8629 case of doubt, splicing may be globally disabled using the global "nosplice"
8630 keyword.
8631
8632 Example :
8633 option splice-auto
8634
8635 If this option has been enabled in a "defaults" section, it can be disabled
8636 in a specific instance by prepending the "no" keyword before it.
8637
8638 See also : "option splice-request", "option splice-response", and global
8639 options "nosplice" and "maxpipes"
8640
8641
8642option splice-request
8643no option splice-request
8644 Enable or disable automatic kernel acceleration on sockets for requests
8645 May be used in sections : defaults | frontend | listen | backend
8646 yes | yes | yes | yes
8647 Arguments : none
8648
8649 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008650 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01008651 the client to the server. It might still use the recv/send scheme if there
8652 are no spare pipes left. This option requires splicing to be enabled at
8653 compile time, and may be globally disabled with the global option "nosplice".
8654 Since splice uses pipes, using it requires that there are enough spare pipes.
8655
8656 Important note: see "option splice-auto" for usage limitations.
8657
8658 Example :
8659 option splice-request
8660
8661 If this option has been enabled in a "defaults" section, it can be disabled
8662 in a specific instance by prepending the "no" keyword before it.
8663
8664 See also : "option splice-auto", "option splice-response", and global options
8665 "nosplice" and "maxpipes"
8666
8667
8668option splice-response
8669no option splice-response
8670 Enable or disable automatic kernel acceleration on sockets for responses
8671 May be used in sections : defaults | frontend | listen | backend
8672 yes | yes | yes | yes
8673 Arguments : none
8674
8675 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008676 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01008677 the server to the client. It might still use the recv/send scheme if there
8678 are no spare pipes left. This option requires splicing to be enabled at
8679 compile time, and may be globally disabled with the global option "nosplice".
8680 Since splice uses pipes, using it requires that there are enough spare pipes.
8681
8682 Important note: see "option splice-auto" for usage limitations.
8683
8684 Example :
8685 option splice-response
8686
8687 If this option has been enabled in a "defaults" section, it can be disabled
8688 in a specific instance by prepending the "no" keyword before it.
8689
8690 See also : "option splice-auto", "option splice-request", and global options
8691 "nosplice" and "maxpipes"
8692
8693
Christopher Fauletba7bc162016-11-07 21:07:38 +01008694option spop-check
8695 Use SPOP health checks for server testing
8696 May be used in sections : defaults | frontend | listen | backend
8697 no | no | no | yes
8698 Arguments : none
8699
8700 It is possible to test that the server correctly talks SPOP protocol instead
8701 of just testing that it accepts the TCP connection. When this option is set,
8702 a HELLO handshake is performed between HAProxy and the server, and the
8703 response is analyzed to check no error is reported.
8704
8705 Example :
8706 option spop-check
8707
8708 See also : "option httpchk"
8709
8710
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008711option srvtcpka
8712no option srvtcpka
8713 Enable or disable the sending of TCP keepalive packets on the server side
8714 May be used in sections : defaults | frontend | listen | backend
8715 yes | no | yes | yes
8716 Arguments : none
8717
8718 When there is a firewall or any session-aware component between a client and
8719 a server, and when the protocol involves very long sessions with long idle
Davor Ocelice9ed2812017-12-25 17:49:28 +01008720 periods (e.g. remote desktops), there is a risk that one of the intermediate
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008721 components decides to expire a session which has remained idle for too long.
8722
8723 Enabling socket-level TCP keep-alives makes the system regularly send packets
8724 to the other end of the connection, leaving it active. The delay between
8725 keep-alive probes is controlled by the system only and depends both on the
8726 operating system and its tuning parameters.
8727
8728 It is important to understand that keep-alive packets are neither emitted nor
8729 received at the application level. It is only the network stacks which sees
8730 them. For this reason, even if one side of the proxy already uses keep-alives
8731 to maintain its connection alive, those keep-alive packets will not be
8732 forwarded to the other side of the proxy.
8733
8734 Please note that this has nothing to do with HTTP keep-alive.
8735
8736 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
8737 server side of a connection, which should help when session expirations are
8738 noticed between HAProxy and a server.
8739
8740 If this option has been enabled in a "defaults" section, it can be disabled
8741 in a specific instance by prepending the "no" keyword before it.
8742
8743 See also : "option clitcpka", "option tcpka"
8744
8745
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008746option ssl-hello-chk
8747 Use SSLv3 client hello health checks for server testing
8748 May be used in sections : defaults | frontend | listen | backend
8749 yes | no | yes | yes
8750 Arguments : none
8751
8752 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
8753 possible to test that the server correctly talks SSL instead of just testing
8754 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
8755 SSLv3 client hello messages are sent once the connection is established to
8756 the server, and the response is analyzed to find an SSL server hello message.
8757 The server is considered valid only when the response contains this server
8758 hello message.
8759
8760 All servers tested till there correctly reply to SSLv3 client hello messages,
8761 and most servers tested do not even log the requests containing only hello
8762 messages, which is appreciable.
8763
Willy Tarreau763a95b2012-10-04 23:15:39 +02008764 Note that this check works even when SSL support was not built into haproxy
8765 because it forges the SSL message. When SSL support is available, it is best
8766 to use native SSL health checks instead of this one.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008767
Willy Tarreau763a95b2012-10-04 23:15:39 +02008768 See also: "option httpchk", "check-ssl"
8769
Willy Tarreaua453bdd2008-01-08 19:50:52 +01008770
Willy Tarreaued179852013-12-16 01:07:00 +01008771option tcp-check
8772 Perform health checks using tcp-check send/expect sequences
8773 May be used in sections: defaults | frontend | listen | backend
8774 yes | no | yes | yes
8775
8776 This health check method is intended to be combined with "tcp-check" command
8777 lists in order to support send/expect types of health check sequences.
8778
8779 TCP checks currently support 4 modes of operations :
8780 - no "tcp-check" directive : the health check only consists in a connection
8781 attempt, which remains the default mode.
8782
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008783 - "tcp-check send" or "tcp-check send-binary" only is mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01008784 used to send a string along with a connection opening. With some
8785 protocols, it helps sending a "QUIT" message for example that prevents
8786 the server from logging a connection error for each health check. The
8787 check result will still be based on the ability to open the connection
8788 only.
8789
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008790 - "tcp-check expect" only is mentioned : this is used to test a banner.
Willy Tarreaued179852013-12-16 01:07:00 +01008791 The connection is opened and haproxy waits for the server to present some
8792 contents which must validate some rules. The check result will be based
8793 on the matching between the contents and the rules. This is suited for
8794 POP, IMAP, SMTP, FTP, SSH, TELNET.
8795
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008796 - both "tcp-check send" and "tcp-check expect" are mentioned : this is
Davor Ocelice9ed2812017-12-25 17:49:28 +01008797 used to test a hello-type protocol. HAProxy sends a message, the server
8798 responds and its response is analyzed. the check result will be based on
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008799 the matching between the response contents and the rules. This is often
Willy Tarreaued179852013-12-16 01:07:00 +01008800 suited for protocols which require a binding or a request/response model.
8801 LDAP, MySQL, Redis and SSL are example of such protocols, though they
8802 already all have their dedicated checks with a deeper understanding of
8803 the respective protocols.
8804 In this mode, many questions may be sent and many answers may be
Davor Ocelice9ed2812017-12-25 17:49:28 +01008805 analyzed.
Willy Tarreaued179852013-12-16 01:07:00 +01008806
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02008807 A fifth mode can be used to insert comments in different steps of the script.
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008808
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02008809 For each tcp-check rule you create, you can add a "comment" directive,
8810 followed by a string. This string will be reported in the log and stderr in
8811 debug mode. It is useful to make user-friendly error reporting. The
8812 "comment" is of course optional.
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008813
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02008814 During the execution of a health check, a variable scope is made available to
8815 store data samples, using the "tcp-check set-var" operation. Freeing those
8816 variable is possible using "tcp-check unset-var".
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +01008817
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008818
Willy Tarreaued179852013-12-16 01:07:00 +01008819 Examples :
Davor Ocelice9ed2812017-12-25 17:49:28 +01008820 # perform a POP check (analyze only server's banner)
Willy Tarreaued179852013-12-16 01:07:00 +01008821 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008822 tcp-check expect string +OK\ POP3\ ready comment POP\ protocol
Willy Tarreaued179852013-12-16 01:07:00 +01008823
Davor Ocelice9ed2812017-12-25 17:49:28 +01008824 # perform an IMAP check (analyze only server's banner)
Willy Tarreaued179852013-12-16 01:07:00 +01008825 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008826 tcp-check expect string *\ OK\ IMAP4\ ready comment IMAP\ protocol
Willy Tarreaued179852013-12-16 01:07:00 +01008827
8828 # look for the redis master server after ensuring it speaks well
8829 # redis protocol, then it exits properly.
Davor Ocelice9ed2812017-12-25 17:49:28 +01008830 # (send a command then analyze the response 3 times)
Willy Tarreaued179852013-12-16 01:07:00 +01008831 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008832 tcp-check comment PING\ phase
Willy Tarreaued179852013-12-16 01:07:00 +01008833 tcp-check send PING\r\n
Baptiste Assmanna3322992015-08-04 10:12:18 +02008834 tcp-check expect string +PONG
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008835 tcp-check comment role\ check
Willy Tarreaued179852013-12-16 01:07:00 +01008836 tcp-check send info\ replication\r\n
8837 tcp-check expect string role:master
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008838 tcp-check comment QUIT\ phase
Willy Tarreaued179852013-12-16 01:07:00 +01008839 tcp-check send QUIT\r\n
8840 tcp-check expect string +OK
8841
Davor Ocelice9ed2812017-12-25 17:49:28 +01008842 forge a HTTP request, then analyze the response
Willy Tarreaued179852013-12-16 01:07:00 +01008843 (send many headers before analyzing)
8844 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008845 tcp-check comment forge\ and\ send\ HTTP\ request
Willy Tarreaued179852013-12-16 01:07:00 +01008846 tcp-check send HEAD\ /\ HTTP/1.1\r\n
8847 tcp-check send Host:\ www.mydomain.com\r\n
8848 tcp-check send User-Agent:\ HAProxy\ tcpcheck\r\n
8849 tcp-check send \r\n
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02008850 tcp-check expect rstring HTTP/1\..\ (2..|3..) comment check\ HTTP\ response
Willy Tarreaued179852013-12-16 01:07:00 +01008851
8852
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02008853 See also : "tcp-check connect", "tcp-check expect" and "tcp-check send".
Willy Tarreaued179852013-12-16 01:07:00 +01008854
8855
Willy Tarreau9ea05a72009-06-14 12:07:01 +02008856option tcp-smart-accept
8857no option tcp-smart-accept
8858 Enable or disable the saving of one ACK packet during the accept sequence
8859 May be used in sections : defaults | frontend | listen | backend
8860 yes | yes | yes | no
8861 Arguments : none
8862
8863 When an HTTP connection request comes in, the system acknowledges it on
8864 behalf of HAProxy, then the client immediately sends its request, and the
8865 system acknowledges it too while it is notifying HAProxy about the new
8866 connection. HAProxy then reads the request and responds. This means that we
8867 have one TCP ACK sent by the system for nothing, because the request could
8868 very well be acknowledged by HAProxy when it sends its response.
8869
8870 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
8871 sending this useless ACK on platforms which support it (currently at least
8872 Linux). It must not cause any problem, because the system will send it anyway
8873 after 40 ms if the response takes more time than expected to come.
8874
8875 During complex network debugging sessions, it may be desirable to disable
8876 this optimization because delayed ACKs can make troubleshooting more complex
8877 when trying to identify where packets are delayed. It is then possible to
Davor Ocelice9ed2812017-12-25 17:49:28 +01008878 fall back to normal behavior by specifying "no option tcp-smart-accept".
Willy Tarreau9ea05a72009-06-14 12:07:01 +02008879
8880 It is also possible to force it for non-HTTP proxies by simply specifying
8881 "option tcp-smart-accept". For instance, it can make sense with some services
8882 such as SMTP where the server speaks first.
8883
8884 It is recommended to avoid forcing this option in a defaults section. In case
8885 of doubt, consider setting it back to automatic values by prepending the
8886 "default" keyword before it, or disabling it using the "no" keyword.
8887
Willy Tarreaud88edf22009-06-14 15:48:17 +02008888 See also : "option tcp-smart-connect"
8889
8890
8891option tcp-smart-connect
8892no option tcp-smart-connect
8893 Enable or disable the saving of one ACK packet during the connect sequence
8894 May be used in sections : defaults | frontend | listen | backend
8895 yes | no | yes | yes
8896 Arguments : none
8897
8898 On certain systems (at least Linux), HAProxy can ask the kernel not to
8899 immediately send an empty ACK upon a connection request, but to directly
8900 send the buffer request instead. This saves one packet on the network and
8901 thus boosts performance. It can also be useful for some servers, because they
8902 immediately get the request along with the incoming connection.
8903
8904 This feature is enabled when "option tcp-smart-connect" is set in a backend.
8905 It is not enabled by default because it makes network troubleshooting more
8906 complex.
8907
8908 It only makes sense to enable it with protocols where the client speaks first
8909 such as HTTP. In other situations, if there is no data to send in place of
8910 the ACK, a normal ACK is sent.
8911
8912 If this option has been enabled in a "defaults" section, it can be disabled
8913 in a specific instance by prepending the "no" keyword before it.
8914
8915 See also : "option tcp-smart-accept"
8916
Willy Tarreau9ea05a72009-06-14 12:07:01 +02008917
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008918option tcpka
8919 Enable or disable the sending of TCP keepalive packets on both sides
8920 May be used in sections : defaults | frontend | listen | backend
8921 yes | yes | yes | yes
8922 Arguments : none
8923
8924 When there is a firewall or any session-aware component between a client and
8925 a server, and when the protocol involves very long sessions with long idle
Davor Ocelice9ed2812017-12-25 17:49:28 +01008926 periods (e.g. remote desktops), there is a risk that one of the intermediate
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008927 components decides to expire a session which has remained idle for too long.
8928
8929 Enabling socket-level TCP keep-alives makes the system regularly send packets
8930 to the other end of the connection, leaving it active. The delay between
8931 keep-alive probes is controlled by the system only and depends both on the
8932 operating system and its tuning parameters.
8933
8934 It is important to understand that keep-alive packets are neither emitted nor
8935 received at the application level. It is only the network stacks which sees
8936 them. For this reason, even if one side of the proxy already uses keep-alives
8937 to maintain its connection alive, those keep-alive packets will not be
8938 forwarded to the other side of the proxy.
8939
8940 Please note that this has nothing to do with HTTP keep-alive.
8941
8942 Using option "tcpka" enables the emission of TCP keep-alive probes on both
8943 the client and server sides of a connection. Note that this is meaningful
8944 only in "defaults" or "listen" sections. If this option is used in a
8945 frontend, only the client side will get keep-alives, and if this option is
8946 used in a backend, only the server side will get keep-alives. For this
8947 reason, it is strongly recommended to explicitly use "option clitcpka" and
8948 "option srvtcpka" when the configuration is split between frontends and
8949 backends.
8950
8951 See also : "option clitcpka", "option srvtcpka"
8952
Willy Tarreau844e3c52008-01-11 16:28:18 +01008953
8954option tcplog
8955 Enable advanced logging of TCP connections with session state and timers
8956 May be used in sections : defaults | frontend | listen | backend
Tim Duesterhus9ad9f352018-02-05 20:52:27 +01008957 yes | yes | yes | no
Willy Tarreau844e3c52008-01-11 16:28:18 +01008958 Arguments : none
8959
8960 By default, the log output format is very poor, as it only contains the
8961 source and destination addresses, and the instance name. By specifying
8962 "option tcplog", each log line turns into a much richer format including, but
8963 not limited to, the connection timers, the session status, the connections
8964 numbers, the frontend, backend and server name, and of course the source
8965 address and ports. This option is useful for pure TCP proxies in order to
8966 find which of the client or server disconnects or times out. For normal HTTP
8967 proxies, it's better to use "option httplog" which is even more complete.
8968
Guillaume de Lafond29f45602017-03-31 19:52:15 +02008969 "option tcplog" overrides any previous "log-format" directive.
8970
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008971 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008972
8973
Willy Tarreau844e3c52008-01-11 16:28:18 +01008974option transparent
8975no option transparent
8976 Enable client-side transparent proxying
8977 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01008978 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01008979 Arguments : none
8980
8981 This option was introduced in order to provide layer 7 persistence to layer 3
8982 load balancers. The idea is to use the OS's ability to redirect an incoming
8983 connection for a remote address to a local process (here HAProxy), and let
8984 this process know what address was initially requested. When this option is
8985 used, sessions without cookies will be forwarded to the original destination
8986 IP address of the incoming request (which should match that of another
8987 equipment), while requests with cookies will still be forwarded to the
8988 appropriate server.
8989
8990 Note that contrary to a common belief, this option does NOT make HAProxy
8991 present the client's IP to the server when establishing the connection.
8992
Willy Tarreaua1146052011-03-01 09:51:54 +01008993 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01008994 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008995
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008996
Simon Horman98637e52014-06-20 12:30:16 +09008997external-check command <command>
8998 Executable to run when performing an external-check
8999 May be used in sections : defaults | frontend | listen | backend
9000 yes | no | yes | yes
9001
9002 Arguments :
9003 <command> is the external command to run
9004
Simon Horman98637e52014-06-20 12:30:16 +09009005 The arguments passed to the to the command are:
9006
Cyril Bonté777be862014-12-02 21:21:35 +01009007 <proxy_address> <proxy_port> <server_address> <server_port>
Simon Horman98637e52014-06-20 12:30:16 +09009008
Cyril Bonté777be862014-12-02 21:21:35 +01009009 The <proxy_address> and <proxy_port> are derived from the first listener
9010 that is either IPv4, IPv6 or a UNIX socket. In the case of a UNIX socket
9011 listener the proxy_address will be the path of the socket and the
9012 <proxy_port> will be the string "NOT_USED". In a backend section, it's not
9013 possible to determine a listener, and both <proxy_address> and <proxy_port>
9014 will have the string value "NOT_USED".
Simon Horman98637e52014-06-20 12:30:16 +09009015
Cyril Bonté72cda2a2014-12-27 22:28:39 +01009016 Some values are also provided through environment variables.
9017
9018 Environment variables :
9019 HAPROXY_PROXY_ADDR The first bind address if available (or empty if not
9020 applicable, for example in a "backend" section).
9021
9022 HAPROXY_PROXY_ID The backend id.
9023
9024 HAPROXY_PROXY_NAME The backend name.
9025
9026 HAPROXY_PROXY_PORT The first bind port if available (or empty if not
9027 applicable, for example in a "backend" section or
9028 for a UNIX socket).
9029
9030 HAPROXY_SERVER_ADDR The server address.
9031
9032 HAPROXY_SERVER_CURCONN The current number of connections on the server.
9033
9034 HAPROXY_SERVER_ID The server id.
9035
9036 HAPROXY_SERVER_MAXCONN The server max connections.
9037
9038 HAPROXY_SERVER_NAME The server name.
9039
9040 HAPROXY_SERVER_PORT The server port if available (or empty for a UNIX
9041 socket).
9042
9043 PATH The PATH environment variable used when executing
9044 the command may be set using "external-check path".
9045
William Lallemand4d03e432019-06-14 15:35:37 +02009046 See also "2.3. Environment variables" for other variables.
9047
Simon Horman98637e52014-06-20 12:30:16 +09009048 If the command executed and exits with a zero status then the check is
9049 considered to have passed, otherwise the check is considered to have
9050 failed.
9051
9052 Example :
9053 external-check command /bin/true
9054
9055 See also : "external-check", "option external-check", "external-check path"
9056
9057
9058external-check path <path>
9059 The value of the PATH environment variable used when running an external-check
9060 May be used in sections : defaults | frontend | listen | backend
9061 yes | no | yes | yes
9062
9063 Arguments :
9064 <path> is the path used when executing external command to run
9065
9066 The default path is "".
9067
9068 Example :
9069 external-check path "/usr/bin:/bin"
9070
9071 See also : "external-check", "option external-check",
9072 "external-check command"
9073
9074
Emeric Brun647caf12009-06-30 17:57:00 +02009075persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009076persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02009077 Enable RDP cookie-based persistence
9078 May be used in sections : defaults | frontend | listen | backend
9079 yes | no | yes | yes
9080 Arguments :
9081 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02009082 default cookie name "msts" will be used. There currently is no
9083 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02009084
9085 This statement enables persistence based on an RDP cookie. The RDP cookie
9086 contains all information required to find the server in the list of known
Davor Ocelice9ed2812017-12-25 17:49:28 +01009087 servers. So when this option is set in the backend, the request is analyzed
Emeric Brun647caf12009-06-30 17:57:00 +02009088 and if an RDP cookie is found, it is decoded. If it matches a known server
9089 which is still UP (or if "option persist" is set), then the connection is
9090 forwarded to this server.
9091
9092 Note that this only makes sense in a TCP backend, but for this to work, the
9093 frontend must have waited long enough to ensure that an RDP cookie is present
9094 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009095 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02009096 a single "listen" section.
9097
Willy Tarreau61e28f22010-05-16 22:31:05 +02009098 Also, it is important to understand that the terminal server will emit this
9099 RDP cookie only if it is configured for "token redirection mode", which means
9100 that the "IP address redirection" option is disabled.
9101
Emeric Brun647caf12009-06-30 17:57:00 +02009102 Example :
9103 listen tse-farm
9104 bind :3389
9105 # wait up to 5s for an RDP cookie in the request
9106 tcp-request inspect-delay 5s
9107 tcp-request content accept if RDP_COOKIE
9108 # apply RDP cookie persistence
9109 persist rdp-cookie
9110 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02009111 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02009112 balance rdp-cookie
9113 server srv1 1.1.1.1:3389
9114 server srv2 1.1.1.2:3389
9115
Simon Hormanab814e02011-06-24 14:50:20 +09009116 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
9117 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02009118
9119
Willy Tarreau3a7d2072009-03-05 23:48:25 +01009120rate-limit sessions <rate>
9121 Set a limit on the number of new sessions accepted per second on a frontend
9122 May be used in sections : defaults | frontend | listen | backend
9123 yes | yes | yes | no
9124 Arguments :
9125 <rate> The <rate> parameter is an integer designating the maximum number
9126 of new sessions per second to accept on the frontend.
9127
9128 When the frontend reaches the specified number of new sessions per second, it
9129 stops accepting new connections until the rate drops below the limit again.
9130 During this time, the pending sessions will be kept in the socket's backlog
9131 (in system buffers) and haproxy will not even be aware that sessions are
9132 pending. When applying very low limit on a highly loaded service, it may make
9133 sense to increase the socket's backlog using the "backlog" keyword.
9134
9135 This feature is particularly efficient at blocking connection-based attacks
9136 or service abuse on fragile servers. Since the session rate is measured every
9137 millisecond, it is extremely accurate. Also, the limit applies immediately,
9138 no delay is needed at all to detect the threshold.
9139
9140 Example : limit the connection rate on SMTP to 10 per second max
9141 listen smtp
9142 mode tcp
9143 bind :25
9144 rate-limit sessions 10
Panagiotis Panagiotopoulos7282d8e2016-02-11 16:37:15 +02009145 server smtp1 127.0.0.1:1025
Willy Tarreau3a7d2072009-03-05 23:48:25 +01009146
Willy Tarreaua17c2d92011-07-25 08:16:20 +02009147 Note : when the maximum rate is reached, the frontend's status is not changed
9148 but its sockets appear as "WAITING" in the statistics if the
9149 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01009150
9151 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
9152
9153
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009154redirect location <loc> [code <code>] <option> [{if | unless} <condition>]
9155redirect prefix <pfx> [code <code>] <option> [{if | unless} <condition>]
9156redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02009157 Return an HTTP redirection if/unless a condition is matched
9158 May be used in sections : defaults | frontend | listen | backend
9159 no | yes | yes | yes
9160
9161 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01009162 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02009163
Willy Tarreau0140f252008-11-19 21:07:09 +01009164 Arguments :
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009165 <loc> With "redirect location", the exact value in <loc> is placed into
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01009166 the HTTP "Location" header. When used in an "http-request" rule,
9167 <loc> value follows the log-format rules and can include some
9168 dynamic values (see Custom Log Format in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009169
9170 <pfx> With "redirect prefix", the "Location" header is built from the
9171 concatenation of <pfx> and the complete URI path, including the
9172 query string, unless the "drop-query" option is specified (see
9173 below). As a special case, if <pfx> equals exactly "/", then
9174 nothing is inserted before the original URI. It allows one to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01009175 redirect to the same URL (for instance, to insert a cookie). When
9176 used in an "http-request" rule, <pfx> value follows the log-format
9177 rules and can include some dynamic values (see Custom Log Format
9178 in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009179
9180 <sch> With "redirect scheme", then the "Location" header is built by
9181 concatenating <sch> with "://" then the first occurrence of the
9182 "Host" header, and then the URI path, including the query string
9183 unless the "drop-query" option is specified (see below). If no
9184 path is found or if the path is "*", then "/" is used instead. If
9185 no "Host" header is found, then an empty host component will be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009186 returned, which most recent browsers interpret as redirecting to
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009187 the same host. This directive is mostly used to redirect HTTP to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01009188 HTTPS. When used in an "http-request" rule, <sch> value follows
9189 the log-format rules and can include some dynamic values (see
9190 Custom Log Format in section 8.2.4).
Willy Tarreau0140f252008-11-19 21:07:09 +01009191
9192 <code> The code is optional. It indicates which type of HTTP redirection
Willy Tarreaub67fdc42013-03-29 19:28:11 +01009193 is desired. Only codes 301, 302, 303, 307 and 308 are supported,
9194 with 302 used by default if no code is specified. 301 means
9195 "Moved permanently", and a browser may cache the Location. 302
Baptiste Assmannea849c02015-08-03 11:42:50 +02009196 means "Moved temporarily" and means that the browser should not
Willy Tarreaub67fdc42013-03-29 19:28:11 +01009197 cache the redirection. 303 is equivalent to 302 except that the
9198 browser will fetch the location with a GET method. 307 is just
9199 like 302 but makes it clear that the same method must be reused.
9200 Likewise, 308 replaces 301 if the same method must be used.
Willy Tarreau0140f252008-11-19 21:07:09 +01009201
9202 <option> There are several options which can be specified to adjust the
Davor Ocelice9ed2812017-12-25 17:49:28 +01009203 expected behavior of a redirection :
Willy Tarreau0140f252008-11-19 21:07:09 +01009204
9205 - "drop-query"
9206 When this keyword is used in a prefix-based redirection, then the
9207 location will be set without any possible query-string, which is useful
9208 for directing users to a non-secure page for instance. It has no effect
9209 with a location-type redirect.
9210
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01009211 - "append-slash"
9212 This keyword may be used in conjunction with "drop-query" to redirect
9213 users who use a URL not ending with a '/' to the same one with the '/'.
9214 It can be useful to ensure that search engines will only see one URL.
9215 For this, a return code 301 is preferred.
9216
Willy Tarreau0140f252008-11-19 21:07:09 +01009217 - "set-cookie NAME[=value]"
9218 A "Set-Cookie" header will be added with NAME (and optionally "=value")
9219 to the response. This is sometimes used to indicate that a user has
9220 been seen, for instance to protect against some types of DoS. No other
9221 cookie option is added, so the cookie will be a session cookie. Note
9222 that for a browser, a sole cookie name without an equal sign is
9223 different from a cookie with an equal sign.
9224
9225 - "clear-cookie NAME[=]"
9226 A "Set-Cookie" header will be added with NAME (and optionally "="), but
9227 with the "Max-Age" attribute set to zero. This will tell the browser to
9228 delete this cookie. It is useful for instance on logout pages. It is
9229 important to note that clearing the cookie "NAME" will not remove a
9230 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
9231 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02009232
9233 Example: move the login URL only to HTTPS.
9234 acl clear dst_port 80
9235 acl secure dst_port 8080
9236 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01009237 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01009238 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01009239 acl cookie_set hdr_sub(cookie) SEEN=1
9240
9241 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01009242 redirect prefix https://mysite.com if login_page !secure
9243 redirect prefix http://mysite.com drop-query if login_page !uid_given
9244 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01009245 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02009246
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01009247 Example: send redirects for request for articles without a '/'.
9248 acl missing_slash path_reg ^/article/[^/]*$
9249 redirect code 301 prefix / drop-query append-slash if missing_slash
9250
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009251 Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
David BERARDe7153042012-11-03 00:11:31 +01009252 redirect scheme https if !{ ssl_fc }
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009253
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01009254 Example: append 'www.' prefix in front of all hosts not having it
Coen Rosdorff596659b2016-04-11 11:33:49 +02009255 http-request redirect code 301 location \
9256 http://www.%[hdr(host)]%[capture.req.uri] \
9257 unless { hdr_beg(host) -i www }
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01009258
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009259 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02009260
Willy Tarreau303c0352008-01-17 19:01:39 +01009261
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02009262retries <value>
9263 Set the number of retries to perform on a server after a connection failure
9264 May be used in sections: defaults | frontend | listen | backend
9265 yes | no | yes | yes
9266 Arguments :
9267 <value> is the number of times a connection attempt should be retried on
9268 a server when a connection either is refused or times out. The
9269 default value is 3.
9270
9271 It is important to understand that this value applies to the number of
9272 connection attempts, not full requests. When a connection has effectively
9273 been established to a server, there will be no more retry.
9274
9275 In order to avoid immediate reconnections to a server which is restarting,
Joseph Lynch726ab712015-05-11 23:25:34 -07009276 a turn-around timer of min("timeout connect", one second) is applied before
9277 a retry occurs.
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02009278
9279 When "option redispatch" is set, the last retry may be performed on another
9280 server even if a cookie references a different server.
9281
9282 See also : "option redispatch"
9283
9284
Olivier Houcharda254a372019-04-05 15:30:12 +02009285retry-on [list of keywords]
Jerome Magnin5ce3c142020-05-13 20:09:57 +02009286 Specify when to attempt to automatically retry a failed request.
9287 This setting is only valid when "mode" is set to http and is silently ignored
9288 otherwise.
Olivier Houcharda254a372019-04-05 15:30:12 +02009289 May be used in sections: defaults | frontend | listen | backend
9290 yes | no | yes | yes
9291 Arguments :
9292 <keywords> is a list of keywords or HTTP status codes, each representing a
9293 type of failure event on which an attempt to retry the request
9294 is desired. Please read the notes at the bottom before changing
9295 this setting. The following keywords are supported :
9296
9297 none never retry
9298
9299 conn-failure retry when the connection or the SSL handshake failed
9300 and the request could not be sent. This is the default.
9301
9302 empty-response retry when the server connection was closed after part
9303 of the request was sent, and nothing was received from
9304 the server. This type of failure may be caused by the
9305 request timeout on the server side, poor network
9306 condition, or a server crash or restart while
9307 processing the request.
9308
Olivier Houcharde3249a92019-05-03 23:01:47 +02009309 junk-response retry when the server returned something not looking
9310 like a complete HTTP response. This includes partial
9311 responses headers as well as non-HTTP contents. It
9312 usually is a bad idea to retry on such events, which
9313 may be caused a configuration issue (wrong server port)
9314 or by the request being harmful to the server (buffer
9315 overflow attack for example).
9316
Olivier Houcharda254a372019-04-05 15:30:12 +02009317 response-timeout the server timeout stroke while waiting for the server
9318 to respond to the request. This may be caused by poor
9319 network condition, the reuse of an idle connection
9320 which has expired on the path, or by the request being
9321 extremely expensive to process. It generally is a bad
9322 idea to retry on such events on servers dealing with
9323 heavy database processing (full scans, etc) as it may
9324 amplify denial of service attacks.
9325
Olivier Houchard865d8392019-05-03 22:46:27 +02009326 0rtt-rejected retry requests which were sent over early data and were
9327 rejected by the server. These requests are generally
9328 considered to be safe to retry.
9329
Olivier Houcharda254a372019-04-05 15:30:12 +02009330 <status> any HTTP status code among "404" (Not Found), "408"
9331 (Request Timeout), "425" (Too Early), "500" (Server
9332 Error), "501" (Not Implemented), "502" (Bad Gateway),
9333 "503" (Service Unavailable), "504" (Gateway Timeout).
9334
Olivier Houchardddf0e032019-05-10 18:05:40 +02009335 all-retryable-errors
9336 retry request for any error that are considered
9337 retryable. This currently activates "conn-failure",
9338 "empty-response", "junk-response", "response-timeout",
9339 "0rtt-rejected", "500", "502", "503", and "504".
9340
Olivier Houcharda254a372019-04-05 15:30:12 +02009341 Using this directive replaces any previous settings with the new ones; it is
9342 not cumulative.
9343
9344 Please note that using anything other than "none" and "conn-failure" requires
9345 to allocate a buffer and copy the whole request into it, so it has memory and
9346 performance impacts. Requests not fitting in a single buffer will never be
9347 retried (see the global tune.bufsize setting).
9348
9349 You have to make sure the application has a replay protection mechanism built
9350 in such as a unique transaction IDs passed in requests, or that replaying the
9351 same request has no consequence, or it is very dangerous to use any retry-on
9352 value beside "conn-failure" and "none". Static file servers and caches are
9353 generally considered safe against any type of retry. Using a status code can
9354 be useful to quickly leave a server showing an abnormal behavior (out of
9355 memory, file system issues, etc), but in this case it may be a good idea to
9356 immediately redispatch the connection to another server (please see "option
9357 redispatch" for this). Last, it is important to understand that most causes
9358 of failures are the requests themselves and that retrying a request causing a
9359 server to misbehave will often make the situation even worse for this server,
9360 or for the whole service in case of redispatch.
9361
9362 Unless you know exactly how the application deals with replayed requests, you
9363 should not use this directive.
9364
9365 The default is "conn-failure".
9366
9367 See also: "retries", "option redispatch", "tune.bufsize"
9368
David du Colombier486df472011-03-17 10:40:26 +01009369server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009370 Declare a server in a backend
9371 May be used in sections : defaults | frontend | listen | backend
9372 no | no | yes | yes
9373 Arguments :
9374 <name> is the internal name assigned to this server. This name will
Davor Ocelice9ed2812017-12-25 17:49:28 +01009375 appear in logs and alerts. If "http-send-name-header" is
Mark Lamourinec2247f02012-01-04 13:02:01 -05009376 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009377
David du Colombier486df472011-03-17 10:40:26 +01009378 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
9379 resolvable hostname is supported, but this name will be resolved
9380 during start-up. Address "0.0.0.0" or "*" has a special meaning.
9381 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02009382 address as the one from the client connection. This is useful in
9383 transparent proxy architectures where the client's connection is
9384 intercepted and haproxy must forward to the original destination
9385 address. This is more or less what the "transparent" keyword does
9386 except that with a server it's possible to limit concurrency and
Willy Tarreau24709282013-03-10 21:32:12 +01009387 to report statistics. Optionally, an address family prefix may be
9388 used before the address to force the family regardless of the
9389 address format, which can be useful to specify a path to a unix
9390 socket with no slash ('/'). Currently supported prefixes are :
9391 - 'ipv4@' -> address is always IPv4
9392 - 'ipv6@' -> address is always IPv6
9393 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02009394 - 'abns@' -> address is in abstract namespace (Linux only)
William Lallemand2fe7dd02018-09-11 16:51:29 +02009395 - 'sockpair@' -> address is the FD of a connected unix
9396 socket or of a socketpair. During a connection, the
9397 backend creates a pair of connected sockets, and passes
9398 one of them over the FD. The bind part will use the
9399 received socket as the client FD. Should be used
9400 carefully.
William Lallemandb2f07452015-05-12 14:27:13 +02009401 You may want to reference some environment variables in the
9402 address parameter, see section 2.3 about environment
Willy Tarreau6a031d12016-11-07 19:42:35 +01009403 variables. The "init-addr" setting can be used to modify the way
9404 IP addresses should be resolved upon startup.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009405
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009406 <port> is an optional port specification. If set, all connections will
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009407 be sent to this port. If unset, the same port the client
9408 connected to will be used. The port may also be prefixed by a "+"
9409 or a "-". In this case, the server's port will be determined by
9410 adding this value to the client's port.
9411
9412 <param*> is a list of parameters for this server. The "server" keywords
9413 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009414 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009415
9416 Examples :
9417 server first 10.1.1.1:1080 cookie first check inter 1000
9418 server second 10.1.1.2:1080 cookie second check inter 1000
Willy Tarreau24709282013-03-10 21:32:12 +01009419 server transp ipv4@
William Lallemandb2f07452015-05-12 14:27:13 +02009420 server backup "${SRV_BACKUP}:1080" backup
9421 server www1_dc1 "${LAN_DC1}.101:80"
9422 server www1_dc2 "${LAN_DC2}.101:80"
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009423
Willy Tarreau55dcaf62015-09-27 15:03:15 +02009424 Note: regarding Linux's abstract namespace sockets, HAProxy uses the whole
9425 sun_path length is used for the address length. Some other programs
9426 such as socat use the string length only by default. Pass the option
9427 ",unix-tightsocklen=0" to any abstract socket definition in socat to
9428 make it compatible with HAProxy's.
9429
Mark Lamourinec2247f02012-01-04 13:02:01 -05009430 See also: "default-server", "http-send-name-header" and section 5 about
9431 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009432
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02009433server-state-file-name [<file>]
9434 Set the server state file to read, load and apply to servers available in
9435 this backend. It only applies when the directive "load-server-state-from-file"
9436 is set to "local". When <file> is not provided or if this directive is not
9437 set, then backend name is used. If <file> starts with a slash '/', then it is
9438 considered as an absolute path. Otherwise, <file> is concatenated to the
9439 global directive "server-state-file-base".
9440
9441 Example: the minimal configuration below would make HAProxy look for the
9442 state server file '/etc/haproxy/states/bk':
9443
9444 global
9445 server-state-file-base /etc/haproxy/states
9446
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +01009447 backend bk
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02009448 load-server-state-from-file
9449
9450 See also: "server-state-file-base", "load-server-state-from-file", and
9451 "show servers state"
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009452
Frédéric Lécaillecb4502e2017-04-20 13:36:25 +02009453server-template <prefix> <num | range> <fqdn>[:<port>] [params*]
9454 Set a template to initialize servers with shared parameters.
9455 The names of these servers are built from <prefix> and <num | range> parameters.
9456 May be used in sections : defaults | frontend | listen | backend
9457 no | no | yes | yes
9458
9459 Arguments:
9460 <prefix> A prefix for the server names to be built.
9461
9462 <num | range>
9463 If <num> is provided, this template initializes <num> servers
9464 with 1 up to <num> as server name suffixes. A range of numbers
9465 <num_low>-<num_high> may also be used to use <num_low> up to
9466 <num_high> as server name suffixes.
9467
9468 <fqdn> A FQDN for all the servers this template initializes.
9469
9470 <port> Same meaning as "server" <port> argument (see "server" keyword).
9471
9472 <params*>
9473 Remaining server parameters among all those supported by "server"
9474 keyword.
9475
9476 Examples:
9477 # Initializes 3 servers with srv1, srv2 and srv3 as names,
9478 # google.com as FQDN, and health-check enabled.
9479 server-template srv 1-3 google.com:80 check
9480
9481 # or
9482 server-template srv 3 google.com:80 check
9483
9484 # would be equivalent to:
9485 server srv1 google.com:80 check
9486 server srv2 google.com:80 check
9487 server srv3 google.com:80 check
9488
9489
9490
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009491source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02009492source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01009493source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009494 Set the source address for outgoing connections
9495 May be used in sections : defaults | frontend | listen | backend
9496 yes | no | yes | yes
9497 Arguments :
9498 <addr> is the IPv4 address HAProxy will bind to before connecting to a
9499 server. This address is also used as a source for health checks.
Willy Tarreau24709282013-03-10 21:32:12 +01009500
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009501 The default value of 0.0.0.0 means that the system will select
Willy Tarreau24709282013-03-10 21:32:12 +01009502 the most appropriate address to reach its destination. Optionally
9503 an address family prefix may be used before the address to force
9504 the family regardless of the address format, which can be useful
9505 to specify a path to a unix socket with no slash ('/'). Currently
9506 supported prefixes are :
9507 - 'ipv4@' -> address is always IPv4
9508 - 'ipv6@' -> address is always IPv6
9509 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02009510 - 'abns@' -> address is in abstract namespace (Linux only)
Cyril Bonté307ee1e2015-09-28 23:16:06 +02009511 You may want to reference some environment variables in the
9512 address parameter, see section 2.3 about environment variables.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009513
9514 <port> is an optional port. It is normally not needed but may be useful
9515 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009516 the system will select a free port. Note that port ranges are not
9517 supported in the backend. If you want to force port ranges, you
9518 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009519
9520 <addr2> is the IP address to present to the server when connections are
9521 forwarded in full transparent proxy mode. This is currently only
9522 supported on some patched Linux kernels. When this address is
9523 specified, clients connecting to the server will be presented
9524 with this address, while health checks will still use the address
9525 <addr>.
9526
9527 <port2> is the optional port to present to the server when connections
9528 are forwarded in full transparent proxy mode (see <addr2> above).
9529 The default value of zero means the system will select a free
9530 port.
9531
Willy Tarreaubce70882009-09-07 11:51:47 +02009532 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
9533 This is the name of a comma-separated header list which can
9534 contain multiple IP addresses. By default, the last occurrence is
9535 used. This is designed to work with the X-Forwarded-For header
Baptiste Assmannea3e73b2013-02-02 23:47:49 +01009536 and to automatically bind to the client's IP address as seen
Willy Tarreaubce70882009-09-07 11:51:47 +02009537 by previous proxy, typically Stunnel. In order to use another
9538 occurrence from the last one, please see the <occ> parameter
9539 below. When the header (or occurrence) is not found, no binding
9540 is performed so that the proxy's default IP address is used. Also
9541 keep in mind that the header name is case insensitive, as for any
9542 HTTP header.
9543
9544 <occ> is the occurrence number of a value to be used in a multi-value
9545 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009546 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +02009547 address. Positive values indicate a position from the first
9548 occurrence, 1 being the first one. Negative values indicate
9549 positions relative to the last one, -1 being the last one. This
9550 is helpful for situations where an X-Forwarded-For header is set
9551 at the entry point of an infrastructure and must be used several
9552 proxy layers away. When this value is not specified, -1 is
9553 assumed. Passing a zero here disables the feature.
9554
Willy Tarreaud53f96b2009-02-04 18:46:54 +01009555 <name> is an optional interface name to which to bind to for outgoing
9556 traffic. On systems supporting this features (currently, only
9557 Linux), this allows one to bind all traffic to the server to
9558 this interface even if it is not the one the system would select
9559 based on routing tables. This should be used with extreme care.
9560 Note that using this option requires root privileges.
9561
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009562 The "source" keyword is useful in complex environments where a specific
9563 address only is allowed to connect to the servers. It may be needed when a
9564 private address must be used through a public gateway for instance, and it is
9565 known that the system cannot determine the adequate source address by itself.
9566
9567 An extension which is available on certain patched Linux kernels may be used
9568 through the "usesrc" optional keyword. It makes it possible to connect to the
9569 servers with an IP address which does not belong to the system itself. This
9570 is called "full transparent proxy mode". For this to work, the destination
9571 servers have to route their traffic back to this address through the machine
9572 running HAProxy, and IP forwarding must generally be enabled on this machine.
9573
9574 In this "full transparent proxy" mode, it is possible to force a specific IP
9575 address to be presented to the servers. This is not much used in fact. A more
9576 common use is to tell HAProxy to present the client's IP address. For this,
9577 there are two methods :
9578
9579 - present the client's IP and port addresses. This is the most transparent
9580 mode, but it can cause problems when IP connection tracking is enabled on
9581 the machine, because a same connection may be seen twice with different
9582 states. However, this solution presents the huge advantage of not
9583 limiting the system to the 64k outgoing address+port couples, because all
9584 of the client ranges may be used.
9585
9586 - present only the client's IP address and select a spare port. This
9587 solution is still quite elegant but slightly less transparent (downstream
9588 firewalls logs will not match upstream's). It also presents the downside
9589 of limiting the number of concurrent connections to the usual 64k ports.
9590 However, since the upstream and downstream ports are different, local IP
9591 connection tracking on the machine will not be upset by the reuse of the
9592 same session.
9593
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009594 This option sets the default source for all servers in the backend. It may
9595 also be specified in a "defaults" section. Finer source address specification
9596 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009597 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009598
Baptiste Assmann91bd3372015-07-17 21:59:42 +02009599 In order to work, "usesrc" requires root privileges.
9600
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009601 Examples :
9602 backend private
9603 # Connect to the servers using our 192.168.1.200 source address
9604 source 192.168.1.200
9605
9606 backend transparent_ssl1
9607 # Connect to the SSL farm from the client's source address
9608 source 192.168.1.200 usesrc clientip
9609
9610 backend transparent_ssl2
9611 # Connect to the SSL farm from the client's source address and port
9612 # not recommended if IP conntrack is present on the local machine.
9613 source 192.168.1.200 usesrc client
9614
9615 backend transparent_ssl3
9616 # Connect to the SSL farm from the client's source address. It
9617 # is more conntrack-friendly.
9618 source 192.168.1.200 usesrc clientip
9619
9620 backend transparent_smtp
9621 # Connect to the SMTP farm from the client's source address/port
9622 # with Tproxy version 4.
9623 source 0.0.0.0 usesrc clientip
9624
Willy Tarreaubce70882009-09-07 11:51:47 +02009625 backend transparent_http
9626 # Connect to the servers using the client's IP as seen by previous
9627 # proxy.
9628 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
9629
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009630 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009631 the Linux kernel on www.balabit.com, the "bind" keyword.
9632
Willy Tarreau844e3c52008-01-11 16:28:18 +01009633
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09009634srvtcpka-cnt <count>
9635 Sets the maximum number of keepalive probes TCP should send before dropping
9636 the connection on the server side.
9637 May be used in sections : defaults | frontend | listen | backend
9638 yes | no | yes | yes
9639 Arguments :
9640 <count> is the maximum number of keepalive probes.
9641
9642 This keyword corresponds to the socket option TCP_KEEPCNT. If this keyword
9643 is not specified, system-wide TCP parameter (tcp_keepalive_probes) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02009644 The availability of this setting depends on the operating system. It is
9645 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09009646
9647 See also : "option srvtcpka", "srvtcpka-idle", "srvtcpka-intvl".
9648
9649
9650srvtcpka-idle <timeout>
9651 Sets the time the connection needs to remain idle before TCP starts sending
9652 keepalive probes, if enabled the sending of TCP keepalive packets on the
9653 server side.
9654 May be used in sections : defaults | frontend | listen | backend
9655 yes | no | yes | yes
9656 Arguments :
9657 <timeout> is the time the connection needs to remain idle before TCP starts
9658 sending keepalive probes. It is specified in seconds by default,
9659 but can be in any other unit if the number is suffixed by the
9660 unit, as explained at the top of this document.
9661
9662 This keyword corresponds to the socket option TCP_KEEPIDLE. If this keyword
9663 is not specified, system-wide TCP parameter (tcp_keepalive_time) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02009664 The availability of this setting depends on the operating system. It is
9665 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09009666
9667 See also : "option srvtcpka", "srvtcpka-cnt", "srvtcpka-intvl".
9668
9669
9670srvtcpka-intvl <timeout>
9671 Sets the time between individual keepalive probes on the server side.
9672 May be used in sections : defaults | frontend | listen | backend
9673 yes | no | yes | yes
9674 Arguments :
9675 <timeout> is the time between individual keepalive probes. It is specified
9676 in seconds by default, but can be in any other unit if the number
9677 is suffixed by the unit, as explained at the top of this
9678 document.
9679
9680 This keyword corresponds to the socket option TCP_KEEPINTVL. If this keyword
9681 is not specified, system-wide TCP parameter (tcp_keepalive_intvl) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02009682 The availability of this setting depends on the operating system. It is
9683 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09009684
9685 See also : "option srvtcpka", "srvtcpka-cnt", "srvtcpka-idle".
9686
9687
Cyril Bonté66c327d2010-10-12 00:14:37 +02009688stats admin { if | unless } <cond>
9689 Enable statistics admin level if/unless a condition is matched
9690 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02009691 no | yes | yes | yes
Cyril Bonté66c327d2010-10-12 00:14:37 +02009692
9693 This statement enables the statistics admin level if/unless a condition is
9694 matched.
9695
9696 The admin level allows to enable/disable servers from the web interface. By
9697 default, statistics page is read-only for security reasons.
9698
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01009699 Note : Consider not using this feature in multi-process mode (nbproc > 1)
9700 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +01009701 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01009702
Cyril Bonté23b39d92011-02-10 22:54:44 +01009703 Currently, the POST request is limited to the buffer size minus the reserved
9704 buffer space, which means that if the list of servers is too long, the
9705 request won't be processed. It is recommended to alter few servers at a
9706 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02009707
9708 Example :
9709 # statistics admin level only for localhost
9710 backend stats_localhost
9711 stats enable
9712 stats admin if LOCALHOST
9713
9714 Example :
9715 # statistics admin level always enabled because of the authentication
9716 backend stats_auth
9717 stats enable
9718 stats auth admin:AdMiN123
9719 stats admin if TRUE
9720
9721 Example :
9722 # statistics admin level depends on the authenticated user
9723 userlist stats-auth
9724 group admin users admin
9725 user admin insecure-password AdMiN123
9726 group readonly users haproxy
9727 user haproxy insecure-password haproxy
9728
9729 backend stats_auth
9730 stats enable
9731 acl AUTH http_auth(stats-auth)
9732 acl AUTH_ADMIN http_auth_group(stats-auth) admin
9733 stats http-request auth unless AUTH
9734 stats admin if AUTH_ADMIN
9735
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01009736 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
9737 "bind-process", section 3.4 about userlists and section 7 about
9738 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02009739
9740
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009741stats auth <user>:<passwd>
9742 Enable statistics with authentication and grant access to an account
9743 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02009744 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009745 Arguments :
9746 <user> is a user name to grant access to
9747
9748 <passwd> is the cleartext password associated to this user
9749
9750 This statement enables statistics with default settings, and restricts access
9751 to declared users only. It may be repeated as many times as necessary to
9752 allow as many users as desired. When a user tries to access the statistics
9753 without a valid account, a "401 Forbidden" response will be returned so that
9754 the browser asks the user to provide a valid user and password. The real
9755 which will be returned to the browser is configurable using "stats realm".
9756
9757 Since the authentication method is HTTP Basic Authentication, the passwords
9758 circulate in cleartext on the network. Thus, it was decided that the
9759 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02009760 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009761
9762 It is also possible to reduce the scope of the proxies which appear in the
9763 report using "stats scope".
9764
9765 Though this statement alone is enough to enable statistics reporting, it is
9766 recommended to set all other settings in order to avoid relying on default
9767 unobvious parameters.
9768
9769 Example :
9770 # public access (limited to this backend only)
9771 backend public_www
9772 server srv1 192.168.0.1:80
9773 stats enable
9774 stats hide-version
9775 stats scope .
9776 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +01009777 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009778 stats auth admin1:AdMiN123
9779 stats auth admin2:AdMiN321
9780
9781 # internal monitoring access (unlimited)
9782 backend private_monitoring
9783 stats enable
9784 stats uri /admin?stats
9785 stats refresh 5s
9786
9787 See also : "stats enable", "stats realm", "stats scope", "stats uri"
9788
9789
9790stats enable
9791 Enable statistics reporting with default settings
9792 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02009793 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009794 Arguments : none
9795
9796 This statement enables statistics reporting with default settings defined
9797 at build time. Unless stated otherwise, these settings are used :
9798 - stats uri : /haproxy?stats
9799 - stats realm : "HAProxy Statistics"
9800 - stats auth : no authentication
9801 - stats scope : no restriction
9802
9803 Though this statement alone is enough to enable statistics reporting, it is
9804 recommended to set all other settings in order to avoid relying on default
9805 unobvious parameters.
9806
9807 Example :
9808 # public access (limited to this backend only)
9809 backend public_www
9810 server srv1 192.168.0.1:80
9811 stats enable
9812 stats hide-version
9813 stats scope .
9814 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +01009815 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009816 stats auth admin1:AdMiN123
9817 stats auth admin2:AdMiN321
9818
9819 # internal monitoring access (unlimited)
9820 backend private_monitoring
9821 stats enable
9822 stats uri /admin?stats
9823 stats refresh 5s
9824
9825 See also : "stats auth", "stats realm", "stats uri"
9826
9827
Willy Tarreaud63335a2010-02-26 12:56:52 +01009828stats hide-version
9829 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02009830 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02009831 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01009832 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02009833
Willy Tarreaud63335a2010-02-26 12:56:52 +01009834 By default, the stats page reports some useful status information along with
9835 the statistics. Among them is HAProxy's version. However, it is generally
9836 considered dangerous to report precise version to anyone, as it can help them
9837 target known weaknesses with specific attacks. The "stats hide-version"
9838 statement removes the version from the statistics report. This is recommended
9839 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02009840
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02009841 Though this statement alone is enough to enable statistics reporting, it is
9842 recommended to set all other settings in order to avoid relying on default
9843 unobvious parameters.
9844
Willy Tarreaud63335a2010-02-26 12:56:52 +01009845 Example :
9846 # public access (limited to this backend only)
9847 backend public_www
9848 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02009849 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01009850 stats hide-version
9851 stats scope .
9852 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +01009853 stats realm HAProxy\ Statistics
Willy Tarreaud63335a2010-02-26 12:56:52 +01009854 stats auth admin1:AdMiN123
9855 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02009856
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02009857 # internal monitoring access (unlimited)
9858 backend private_monitoring
9859 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01009860 stats uri /admin?stats
9861 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01009862
Willy Tarreaud63335a2010-02-26 12:56:52 +01009863 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02009864
Willy Tarreau983e01e2010-01-11 18:42:06 +01009865
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02009866stats http-request { allow | deny | auth [realm <realm>] }
9867 [ { if | unless } <condition> ]
9868 Access control for statistics
9869
9870 May be used in sections: defaults | frontend | listen | backend
9871 no | no | yes | yes
9872
9873 As "http-request", these set of options allow to fine control access to
9874 statistics. Each option may be followed by if/unless and acl.
9875 First option with matched condition (or option without condition) is final.
9876 For "deny" a 403 error will be returned, for "allow" normal processing is
9877 performed, for "auth" a 401/407 error code is returned so the client
9878 should be asked to enter a username and password.
9879
9880 There is no fixed limit to the number of http-request statements per
9881 instance.
9882
9883 See also : "http-request", section 3.4 about userlists and section 7
9884 about ACL usage.
9885
9886
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009887stats realm <realm>
9888 Enable statistics and set authentication realm
9889 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02009890 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009891 Arguments :
9892 <realm> is the name of the HTTP Basic Authentication realm reported to
9893 the browser. The browser uses it to display it in the pop-up
9894 inviting the user to enter a valid username and password.
9895
9896 The realm is read as a single word, so any spaces in it should be escaped
9897 using a backslash ('\').
9898
9899 This statement is useful only in conjunction with "stats auth" since it is
9900 only related to authentication.
9901
9902 Though this statement alone is enough to enable statistics reporting, it is
9903 recommended to set all other settings in order to avoid relying on default
9904 unobvious parameters.
9905
9906 Example :
9907 # public access (limited to this backend only)
9908 backend public_www
9909 server srv1 192.168.0.1:80
9910 stats enable
9911 stats hide-version
9912 stats scope .
9913 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +01009914 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009915 stats auth admin1:AdMiN123
9916 stats auth admin2:AdMiN321
9917
9918 # internal monitoring access (unlimited)
9919 backend private_monitoring
9920 stats enable
9921 stats uri /admin?stats
9922 stats refresh 5s
9923
9924 See also : "stats auth", "stats enable", "stats uri"
9925
9926
9927stats refresh <delay>
9928 Enable statistics with automatic refresh
9929 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02009930 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009931 Arguments :
9932 <delay> is the suggested refresh delay, specified in seconds, which will
9933 be returned to the browser consulting the report page. While the
9934 browser is free to apply any delay, it will generally respect it
9935 and refresh the page this every seconds. The refresh interval may
9936 be specified in any other non-default time unit, by suffixing the
9937 unit after the value, as explained at the top of this document.
9938
9939 This statement is useful on monitoring displays with a permanent page
9940 reporting the load balancer's activity. When set, the HTML report page will
9941 include a link "refresh"/"stop refresh" so that the user can select whether
Jackie Tapia749f74c2020-07-22 18:59:40 -05009942 they want automatic refresh of the page or not.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009943
9944 Though this statement alone is enough to enable statistics reporting, it is
9945 recommended to set all other settings in order to avoid relying on default
9946 unobvious parameters.
9947
9948 Example :
9949 # public access (limited to this backend only)
9950 backend public_www
9951 server srv1 192.168.0.1:80
9952 stats enable
9953 stats hide-version
9954 stats scope .
9955 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +01009956 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009957 stats auth admin1:AdMiN123
9958 stats auth admin2:AdMiN321
9959
9960 # internal monitoring access (unlimited)
9961 backend private_monitoring
9962 stats enable
9963 stats uri /admin?stats
9964 stats refresh 5s
9965
9966 See also : "stats auth", "stats enable", "stats realm", "stats uri"
9967
9968
9969stats scope { <name> | "." }
9970 Enable statistics and limit access scope
9971 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02009972 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009973 Arguments :
9974 <name> is the name of a listen, frontend or backend section to be
9975 reported. The special name "." (a single dot) designates the
9976 section in which the statement appears.
9977
9978 When this statement is specified, only the sections enumerated with this
9979 statement will appear in the report. All other ones will be hidden. This
9980 statement may appear as many times as needed if multiple sections need to be
9981 reported. Please note that the name checking is performed as simple string
9982 comparisons, and that it is never checked that a give section name really
9983 exists.
9984
9985 Though this statement alone is enough to enable statistics reporting, it is
9986 recommended to set all other settings in order to avoid relying on default
9987 unobvious parameters.
9988
9989 Example :
9990 # public access (limited to this backend only)
9991 backend public_www
9992 server srv1 192.168.0.1:80
9993 stats enable
9994 stats hide-version
9995 stats scope .
9996 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +01009997 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009998 stats auth admin1:AdMiN123
9999 stats auth admin2:AdMiN321
10000
10001 # internal monitoring access (unlimited)
10002 backend private_monitoring
10003 stats enable
10004 stats uri /admin?stats
10005 stats refresh 5s
10006
10007 See also : "stats auth", "stats enable", "stats realm", "stats uri"
10008
Willy Tarreaud63335a2010-02-26 12:56:52 +010010009
Willy Tarreauc9705a12010-07-27 20:05:50 +020010010stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +010010011 Enable reporting of a description on the statistics page.
10012 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010013 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +010010014
Willy Tarreauc9705a12010-07-27 20:05:50 +020010015 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +010010016 description from global section is automatically used instead.
10017
10018 This statement is useful for users that offer shared services to their
10019 customers, where node or description should be different for each customer.
10020
10021 Though this statement alone is enough to enable statistics reporting, it is
10022 recommended to set all other settings in order to avoid relying on default
Davor Ocelice9ed2812017-12-25 17:49:28 +010010023 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010024
10025 Example :
10026 # internal monitoring access (unlimited)
10027 backend private_monitoring
10028 stats enable
10029 stats show-desc Master node for Europe, Asia, Africa
10030 stats uri /admin?stats
10031 stats refresh 5s
10032
10033 See also: "show-node", "stats enable", "stats uri" and "description" in
10034 global section.
10035
10036
10037stats show-legends
Willy Tarreaued2119c2014-04-24 22:10:39 +020010038 Enable reporting additional information on the statistics page
10039 May be used in sections : defaults | frontend | listen | backend
10040 yes | yes | yes | yes
10041 Arguments : none
10042
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010043 Enable reporting additional information on the statistics page :
Willy Tarreaud63335a2010-02-26 12:56:52 +010010044 - cap: capabilities (proxy)
10045 - mode: one of tcp, http or health (proxy)
10046 - id: SNMP ID (proxy, socket, server)
10047 - IP (socket, server)
10048 - cookie (backend, server)
10049
10050 Though this statement alone is enough to enable statistics reporting, it is
10051 recommended to set all other settings in order to avoid relying on default
Davor Ocelice9ed2812017-12-25 17:49:28 +010010052 unobvious parameters. Default behavior is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010053
10054 See also: "stats enable", "stats uri".
10055
10056
Amaury Denoyelle0b70a8a2020-10-05 11:49:45 +020010057stats show-modules
10058 Enable display of extra statistics module on the statistics page
10059 May be used in sections : defaults | frontend | listen | backend
10060 yes | yes | yes | yes
10061 Arguments : none
10062
10063 New columns are added at the end of the line containing the extra statistics
10064 values as a tooltip.
10065
10066 Though this statement alone is enough to enable statistics reporting, it is
10067 recommended to set all other settings in order to avoid relying on default
10068 unobvious parameters. Default behavior is not to show this information.
10069
10070 See also: "stats enable", "stats uri".
10071
10072
Willy Tarreaud63335a2010-02-26 12:56:52 +010010073stats show-node [ <name> ]
10074 Enable reporting of a host name on the statistics page.
10075 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010076 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +010010077 Arguments:
10078 <name> is an optional name to be reported. If unspecified, the
10079 node name from global section is automatically used instead.
10080
10081 This statement is useful for users that offer shared services to their
10082 customers, where node or description might be different on a stats page
Davor Ocelice9ed2812017-12-25 17:49:28 +010010083 provided for each customer. Default behavior is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010084
10085 Though this statement alone is enough to enable statistics reporting, it is
10086 recommended to set all other settings in order to avoid relying on default
10087 unobvious parameters.
10088
10089 Example:
10090 # internal monitoring access (unlimited)
10091 backend private_monitoring
10092 stats enable
10093 stats show-node Europe-1
10094 stats uri /admin?stats
10095 stats refresh 5s
10096
10097 See also: "show-desc", "stats enable", "stats uri", and "node" in global
10098 section.
10099
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010100
10101stats uri <prefix>
10102 Enable statistics and define the URI prefix to access them
10103 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010104 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010105 Arguments :
10106 <prefix> is the prefix of any URI which will be redirected to stats. This
10107 prefix may contain a question mark ('?') to indicate part of a
10108 query string.
10109
10110 The statistics URI is intercepted on the relayed traffic, so it appears as a
10111 page within the normal application. It is strongly advised to ensure that the
10112 selected URI will never appear in the application, otherwise it will never be
10113 possible to reach it in the application.
10114
10115 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010116 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010117 It is generally a good idea to include a question mark in the URI so that
10118 intermediate proxies refrain from caching the results. Also, since any string
10119 beginning with the prefix will be accepted as a stats request, the question
10120 mark helps ensuring that no valid URI will begin with the same words.
10121
10122 It is sometimes very convenient to use "/" as the URI prefix, and put that
10123 statement in a "listen" instance of its own. That makes it easy to dedicate
10124 an address or a port to statistics only.
10125
10126 Though this statement alone is enough to enable statistics reporting, it is
10127 recommended to set all other settings in order to avoid relying on default
10128 unobvious parameters.
10129
10130 Example :
10131 # public access (limited to this backend only)
10132 backend public_www
10133 server srv1 192.168.0.1:80
10134 stats enable
10135 stats hide-version
10136 stats scope .
10137 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010138 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010139 stats auth admin1:AdMiN123
10140 stats auth admin2:AdMiN321
10141
10142 # internal monitoring access (unlimited)
10143 backend private_monitoring
10144 stats enable
10145 stats uri /admin?stats
10146 stats refresh 5s
10147
10148 See also : "stats auth", "stats enable", "stats realm"
10149
10150
Willy Tarreaud63335a2010-02-26 12:56:52 +010010151stick match <pattern> [table <table>] [{if | unless} <cond>]
10152 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010153 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +010010154 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010155
10156 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020010157 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010158 describes what elements of the incoming request or connection
Davor Ocelice9ed2812017-12-25 17:49:28 +010010159 will be analyzed in the hope to find a matching entry in a
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010160 stickiness table. This rule is mandatory.
10161
10162 <table> is an optional stickiness table name. If unspecified, the same
10163 backend's table is used. A stickiness table is declared using
10164 the "stick-table" statement.
10165
10166 <cond> is an optional matching condition. It makes it possible to match
10167 on a certain criterion only when other conditions are met (or
10168 not met). For instance, it could be used to match on a source IP
10169 address except when a request passes through a known proxy, in
10170 which case we'd match on a header containing that IP address.
10171
10172 Some protocols or applications require complex stickiness rules and cannot
10173 always simply rely on cookies nor hashing. The "stick match" statement
10174 describes a rule to extract the stickiness criterion from an incoming request
10175 or connection. See section 7 for a complete list of possible patterns and
10176 transformation rules.
10177
10178 The table has to be declared using the "stick-table" statement. It must be of
10179 a type compatible with the pattern. By default it is the one which is present
10180 in the same backend. It is possible to share a table with other backends by
10181 referencing it using the "table" keyword. If another table is referenced,
10182 the server's ID inside the backends are used. By default, all server IDs
10183 start at 1 in each backend, so the server ordering is enough. But in case of
10184 doubt, it is highly recommended to force server IDs using their "id" setting.
10185
10186 It is possible to restrict the conditions where a "stick match" statement
10187 will apply, using "if" or "unless" followed by a condition. See section 7 for
10188 ACL based conditions.
10189
10190 There is no limit on the number of "stick match" statements. The first that
10191 applies and matches will cause the request to be directed to the same server
10192 as was used for the request which created the entry. That way, multiple
10193 matches can be used as fallbacks.
10194
10195 The stick rules are checked after the persistence cookies, so they will not
10196 affect stickiness if a cookie has already been used to select a server. That
10197 way, it becomes very easy to insert cookies and match on IP addresses in
10198 order to maintain stickiness between HTTP and HTTPS.
10199
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010200 Note : Consider not using this feature in multi-process mode (nbproc > 1)
10201 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +010010202 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010203
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010204 Example :
10205 # forward SMTP users to the same server they just used for POP in the
10206 # last 30 minutes
10207 backend pop
10208 mode tcp
10209 balance roundrobin
10210 stick store-request src
10211 stick-table type ip size 200k expire 30m
10212 server s1 192.168.1.1:110
10213 server s2 192.168.1.1:110
10214
10215 backend smtp
10216 mode tcp
10217 balance roundrobin
10218 stick match src table pop
10219 server s1 192.168.1.1:25
10220 server s2 192.168.1.1:25
10221
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010222 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +020010223 about ACLs and samples fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010224
10225
10226stick on <pattern> [table <table>] [{if | unless} <condition>]
10227 Define a request pattern to associate a user to a server
10228 May be used in sections : defaults | frontend | listen | backend
10229 no | no | yes | yes
10230
10231 Note : This form is exactly equivalent to "stick match" followed by
10232 "stick store-request", all with the same arguments. Please refer
10233 to both keywords for details. It is only provided as a convenience
10234 for writing more maintainable configurations.
10235
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010236 Note : Consider not using this feature in multi-process mode (nbproc > 1)
10237 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +010010238 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010239
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010240 Examples :
10241 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +010010242 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010243
10244 # ...is strictly equivalent to this one :
10245 stick match src table pop if !localhost
10246 stick store-request src table pop if !localhost
10247
10248
10249 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
10250 # well as HTTP without cookie. Share the same table between both accesses.
10251 backend http
10252 mode http
10253 balance roundrobin
10254 stick on src table https
10255 cookie SRV insert indirect nocache
10256 server s1 192.168.1.1:80 cookie s1
10257 server s2 192.168.1.1:80 cookie s2
10258
10259 backend https
10260 mode tcp
10261 balance roundrobin
10262 stick-table type ip size 200k expire 30m
10263 stick on src
10264 server s1 192.168.1.1:443
10265 server s2 192.168.1.1:443
10266
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010267 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010268
10269
10270stick store-request <pattern> [table <table>] [{if | unless} <condition>]
10271 Define a request pattern used to create an entry in a stickiness table
10272 May be used in sections : defaults | frontend | listen | backend
10273 no | no | yes | yes
10274
10275 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020010276 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010277 describes what elements of the incoming request or connection
Davor Ocelice9ed2812017-12-25 17:49:28 +010010278 will be analyzed, extracted and stored in the table once a
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010279 server is selected.
10280
10281 <table> is an optional stickiness table name. If unspecified, the same
10282 backend's table is used. A stickiness table is declared using
10283 the "stick-table" statement.
10284
10285 <cond> is an optional storage condition. It makes it possible to store
10286 certain criteria only when some conditions are met (or not met).
10287 For instance, it could be used to store the source IP address
10288 except when the request passes through a known proxy, in which
10289 case we'd store a converted form of a header containing that IP
10290 address.
10291
10292 Some protocols or applications require complex stickiness rules and cannot
10293 always simply rely on cookies nor hashing. The "stick store-request" statement
10294 describes a rule to decide what to extract from the request and when to do
10295 it, in order to store it into a stickiness table for further requests to
10296 match it using the "stick match" statement. Obviously the extracted part must
10297 make sense and have a chance to be matched in a further request. Storing a
10298 client's IP address for instance often makes sense. Storing an ID found in a
10299 URL parameter also makes sense. Storing a source port will almost never make
10300 any sense because it will be randomly matched. See section 7 for a complete
10301 list of possible patterns and transformation rules.
10302
10303 The table has to be declared using the "stick-table" statement. It must be of
10304 a type compatible with the pattern. By default it is the one which is present
10305 in the same backend. It is possible to share a table with other backends by
10306 referencing it using the "table" keyword. If another table is referenced,
10307 the server's ID inside the backends are used. By default, all server IDs
10308 start at 1 in each backend, so the server ordering is enough. But in case of
10309 doubt, it is highly recommended to force server IDs using their "id" setting.
10310
10311 It is possible to restrict the conditions where a "stick store-request"
10312 statement will apply, using "if" or "unless" followed by a condition. This
10313 condition will be evaluated while parsing the request, so any criteria can be
10314 used. See section 7 for ACL based conditions.
10315
10316 There is no limit on the number of "stick store-request" statements, but
10317 there is a limit of 8 simultaneous stores per request or response. This
10318 makes it possible to store up to 8 criteria, all extracted from either the
10319 request or the response, regardless of the number of rules. Only the 8 first
10320 ones which match will be kept. Using this, it is possible to feed multiple
10321 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +010010322 another protocol or access method. Using multiple store-request rules with
10323 the same table is possible and may be used to find the best criterion to rely
10324 on, by arranging the rules by decreasing preference order. Only the first
10325 extracted criterion for a given table will be stored. All subsequent store-
10326 request rules referencing the same table will be skipped and their ACLs will
10327 not be evaluated.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010328
10329 The "store-request" rules are evaluated once the server connection has been
10330 established, so that the table will contain the real server that processed
10331 the request.
10332
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010333 Note : Consider not using this feature in multi-process mode (nbproc > 1)
10334 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +010010335 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010336
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010337 Example :
10338 # forward SMTP users to the same server they just used for POP in the
10339 # last 30 minutes
10340 backend pop
10341 mode tcp
10342 balance roundrobin
10343 stick store-request src
10344 stick-table type ip size 200k expire 30m
10345 server s1 192.168.1.1:110
10346 server s2 192.168.1.1:110
10347
10348 backend smtp
10349 mode tcp
10350 balance roundrobin
10351 stick match src table pop
10352 server s1 192.168.1.1:25
10353 server s2 192.168.1.1:25
10354
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010355 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +020010356 about ACLs and sample fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010357
10358
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010359stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +020010360 size <size> [expire <expire>] [nopurge] [peers <peersect>]
10361 [store <data_type>]*
Godbach64cef792013-12-04 16:08:22 +080010362 Configure the stickiness table for the current section
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010363 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +020010364 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010365
10366 Arguments :
10367 ip a table declared with "type ip" will only store IPv4 addresses.
10368 This form is very compact (about 50 bytes per entry) and allows
10369 very fast entry lookup and stores with almost no overhead. This
10370 is mainly used to store client source IP addresses.
10371
David du Colombier9a6d3c92011-03-17 10:40:24 +010010372 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
10373 This form is very compact (about 60 bytes per entry) and allows
10374 very fast entry lookup and stores with almost no overhead. This
10375 is mainly used to store client source IP addresses.
10376
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010377 integer a table declared with "type integer" will store 32bit integers
10378 which can represent a client identifier found in a request for
10379 instance.
10380
10381 string a table declared with "type string" will store substrings of up
10382 to <len> characters. If the string provided by the pattern
10383 extractor is larger than <len>, it will be truncated before
10384 being stored. During matching, at most <len> characters will be
10385 compared between the string in the table and the extracted
10386 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010387 to 32 characters.
10388
10389 binary a table declared with "type binary" will store binary blocks
10390 of <len> bytes. If the block provided by the pattern
10391 extractor is larger than <len>, it will be truncated before
Willy Tarreaube722a22014-06-13 16:31:59 +020010392 being stored. If the block provided by the sample expression
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010393 is shorter than <len>, it will be padded by 0. When not
10394 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010395
10396 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010397 "string" type table (See type "string" above). Or the number
10398 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010399 changing this parameter as memory usage will proportionally
10400 increase.
10401
10402 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +010010403 value directly impacts memory usage. Count approximately
10404 50 bytes per entry, plus the size of a string if any. The size
10405 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010406
10407 [nopurge] indicates that we refuse to purge older entries when the table
10408 is full. When not specified and the table is full when haproxy
10409 wants to store an entry in it, it will flush a few of the oldest
10410 entries in order to release some space for the new ones. This is
Davor Ocelice9ed2812017-12-25 17:49:28 +010010411 most often the desired behavior. In some specific cases, it
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010412 be desirable to refuse new entries instead of purging the older
10413 ones. That may be the case when the amount of data to store is
10414 far above the hardware limits and we prefer not to offer access
10415 to new clients than to reject the ones already connected. When
10416 using this parameter, be sure to properly set the "expire"
10417 parameter (see below).
10418
Emeric Brunf099e792010-09-27 12:05:28 +020010419 <peersect> is the name of the peers section to use for replication. Entries
10420 which associate keys to server IDs are kept synchronized with
10421 the remote peers declared in this section. All entries are also
10422 automatically learned from the local peer (old process) during a
10423 soft restart.
10424
Willy Tarreau1abc6732015-05-01 19:21:02 +020010425 NOTE : each peers section may be referenced only by tables
10426 belonging to the same unique process.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010427
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010428 <expire> defines the maximum duration of an entry in the table since it
10429 was last created, refreshed or matched. The expiration delay is
10430 defined using the standard time format, similarly as the various
10431 timeouts. The maximum duration is slightly above 24 days. See
Jarno Huuskonene0ee0be2017-07-04 10:35:12 +030010432 section 2.4 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +020010433 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010434 be removed once full. Be sure not to use the "nopurge" parameter
10435 if not expiration delay is specified.
10436
Willy Tarreau08d5f982010-06-06 13:34:54 +020010437 <data_type> is used to store additional information in the stick-table. This
10438 may be used by ACLs in order to control various criteria related
10439 to the activity of the client matching the stick-table. For each
10440 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +020010441 that the additional data can fit. Several data types may be
10442 stored with an entry. Multiple data types may be specified after
10443 the "store" keyword, as a comma-separated list. Alternatively,
10444 it is possible to repeat the "store" keyword followed by one or
10445 several data types. Except for the "server_id" type which is
10446 automatically detected and enabled, all data types must be
10447 explicitly declared to be stored. If an ACL references a data
10448 type which is not stored, the ACL will simply not match. Some
10449 data types require an argument which must be passed just after
10450 the type between parenthesis. See below for the supported data
10451 types and their arguments.
10452
10453 The data types that can be stored with an entry are the following :
10454 - server_id : this is an integer which holds the numeric ID of the server a
10455 request was assigned to. It is used by the "stick match", "stick store",
10456 and "stick on" rules. It is automatically enabled when referenced.
10457
10458 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
10459 integer which may be used for anything. Most of the time it will be used
10460 to put a special tag on some entries, for instance to note that a
Davor Ocelice9ed2812017-12-25 17:49:28 +010010461 specific behavior was detected and must be known for future matches.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010462
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010463 - gpc0_rate(<period>) : increment rate of the first General Purpose Counter
10464 over a period. It is a positive 32-bit integer integer which may be used
10465 for anything. Just like <gpc0>, it counts events, but instead of keeping
Davor Ocelice9ed2812017-12-25 17:49:28 +010010466 a cumulative number, it maintains the rate at which the counter is
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010467 incremented. Most of the time it will be used to measure the frequency of
Davor Ocelice9ed2812017-12-25 17:49:28 +010010468 occurrence of certain events (e.g. requests to a specific URL).
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010469
Frédéric Lécaille6778b272018-01-29 15:22:53 +010010470 - gpc1 : second General Purpose Counter. It is a positive 32-bit integer
10471 integer which may be used for anything. Most of the time it will be used
10472 to put a special tag on some entries, for instance to note that a
10473 specific behavior was detected and must be known for future matches.
10474
10475 - gpc1_rate(<period>) : increment rate of the second General Purpose Counter
10476 over a period. It is a positive 32-bit integer integer which may be used
10477 for anything. Just like <gpc1>, it counts events, but instead of keeping
10478 a cumulative number, it maintains the rate at which the counter is
10479 incremented. Most of the time it will be used to measure the frequency of
10480 occurrence of certain events (e.g. requests to a specific URL).
10481
Willy Tarreauc9705a12010-07-27 20:05:50 +020010482 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
10483 the absolute number of connections received from clients which matched
10484 this entry. It does not mean the connections were accepted, just that
10485 they were received.
10486
10487 - conn_cur : Current Connections. It is a positive 32-bit integer which
10488 stores the concurrent connection counts for the entry. It is incremented
10489 once an incoming connection matches the entry, and decremented once the
10490 connection leaves. That way it is possible to know at any time the exact
10491 number of concurrent connections for an entry.
10492
10493 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
10494 integer parameter <period> which indicates in milliseconds the length
10495 of the period over which the average is measured. It reports the average
10496 incoming connection rate over that period, in connections per period. The
10497 result is an integer which can be matched using ACLs.
10498
10499 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
10500 the absolute number of sessions received from clients which matched this
10501 entry. A session is a connection that was accepted by the layer 4 rules.
10502
10503 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
10504 integer parameter <period> which indicates in milliseconds the length
10505 of the period over which the average is measured. It reports the average
10506 incoming session rate over that period, in sessions per period. The
10507 result is an integer which can be matched using ACLs.
10508
10509 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
10510 counts the absolute number of HTTP requests received from clients which
10511 matched this entry. It does not matter whether they are valid requests or
10512 not. Note that this is different from sessions when keep-alive is used on
10513 the client side.
10514
10515 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
10516 integer parameter <period> which indicates in milliseconds the length
10517 of the period over which the average is measured. It reports the average
10518 HTTP request rate over that period, in requests per period. The result is
10519 an integer which can be matched using ACLs. It does not matter whether
10520 they are valid requests or not. Note that this is different from sessions
10521 when keep-alive is used on the client side.
10522
10523 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
10524 counts the absolute number of HTTP requests errors induced by clients
10525 which matched this entry. Errors are counted on invalid and truncated
10526 requests, as well as on denied or tarpitted requests, and on failed
10527 authentications. If the server responds with 4xx, then the request is
10528 also counted as an error since it's an error triggered by the client
Davor Ocelice9ed2812017-12-25 17:49:28 +010010529 (e.g. vulnerability scan).
Willy Tarreauc9705a12010-07-27 20:05:50 +020010530
10531 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
10532 integer parameter <period> which indicates in milliseconds the length
10533 of the period over which the average is measured. It reports the average
10534 HTTP request error rate over that period, in requests per period (see
10535 http_err_cnt above for what is accounted as an error). The result is an
10536 integer which can be matched using ACLs.
10537
10538 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
Davor Ocelice9ed2812017-12-25 17:49:28 +010010539 integer which counts the cumulative number of bytes received from clients
Willy Tarreauc9705a12010-07-27 20:05:50 +020010540 which matched this entry. Headers are included in the count. This may be
10541 used to limit abuse of upload features on photo or video servers.
10542
10543 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
10544 integer parameter <period> which indicates in milliseconds the length
10545 of the period over which the average is measured. It reports the average
10546 incoming bytes rate over that period, in bytes per period. It may be used
10547 to detect users which upload too much and too fast. Warning: with large
10548 uploads, it is possible that the amount of uploaded data will be counted
10549 once upon termination, thus causing spikes in the average transfer speed
10550 instead of having a smooth one. This may partially be smoothed with
10551 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
10552 recommended for better fairness.
10553
10554 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
Davor Ocelice9ed2812017-12-25 17:49:28 +010010555 integer which counts the cumulative number of bytes sent to clients which
Willy Tarreauc9705a12010-07-27 20:05:50 +020010556 matched this entry. Headers are included in the count. This may be used
10557 to limit abuse of bots sucking the whole site.
10558
10559 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
10560 an integer parameter <period> which indicates in milliseconds the length
10561 of the period over which the average is measured. It reports the average
10562 outgoing bytes rate over that period, in bytes per period. It may be used
10563 to detect users which download too much and too fast. Warning: with large
10564 transfers, it is possible that the amount of transferred data will be
10565 counted once upon termination, thus causing spikes in the average
10566 transfer speed instead of having a smooth one. This may partially be
10567 smoothed with "option contstats" though this is not perfect yet. Use of
10568 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +020010569
Willy Tarreauc00cdc22010-06-06 16:48:26 +020010570 There is only one stick-table per proxy. At the moment of writing this doc,
10571 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010572 to be required, simply create a dummy backend with a stick-table in it and
10573 reference it.
10574
10575 It is important to understand that stickiness based on learning information
10576 has some limitations, including the fact that all learned associations are
Baptiste Assmann123ff042016-03-06 23:29:28 +010010577 lost upon restart unless peers are properly configured to transfer such
10578 information upon restart (recommended). In general it can be good as a
10579 complement but not always as an exclusive stickiness.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010580
Willy Tarreauc9705a12010-07-27 20:05:50 +020010581 Last, memory requirements may be important when storing many data types.
10582 Indeed, storing all indicators above at once in each entry requires 116 bytes
10583 per entry, or 116 MB for a 1-million entries table. This is definitely not
10584 something that can be ignored.
10585
10586 Example:
10587 # Keep track of counters of up to 1 million IP addresses over 5 minutes
10588 # and store a general purpose counter and the average connection rate
10589 # computed over a sliding window of 30 seconds.
10590 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
10591
Jarno Huuskonene0ee0be2017-07-04 10:35:12 +030010592 See also : "stick match", "stick on", "stick store-request", section 2.4
David du Colombiera13d1b92011-03-17 10:40:22 +010010593 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010594
10595
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010596stick store-response <pattern> [table <table>] [{if | unless} <condition>]
Baptiste Assmann2f2d2ec2016-03-06 23:27:24 +010010597 Define a response pattern used to create an entry in a stickiness table
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010598 May be used in sections : defaults | frontend | listen | backend
10599 no | no | yes | yes
10600
10601 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020010602 <pattern> is a sample expression rule as described in section 7.3. It
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010603 describes what elements of the response or connection will
Davor Ocelice9ed2812017-12-25 17:49:28 +010010604 be analyzed, extracted and stored in the table once a
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010605 server is selected.
10606
10607 <table> is an optional stickiness table name. If unspecified, the same
10608 backend's table is used. A stickiness table is declared using
10609 the "stick-table" statement.
10610
10611 <cond> is an optional storage condition. It makes it possible to store
10612 certain criteria only when some conditions are met (or not met).
10613 For instance, it could be used to store the SSL session ID only
10614 when the response is a SSL server hello.
10615
10616 Some protocols or applications require complex stickiness rules and cannot
10617 always simply rely on cookies nor hashing. The "stick store-response"
10618 statement describes a rule to decide what to extract from the response and
10619 when to do it, in order to store it into a stickiness table for further
10620 requests to match it using the "stick match" statement. Obviously the
10621 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +020010622 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010623 See section 7 for a complete list of possible patterns and transformation
10624 rules.
10625
10626 The table has to be declared using the "stick-table" statement. It must be of
10627 a type compatible with the pattern. By default it is the one which is present
10628 in the same backend. It is possible to share a table with other backends by
10629 referencing it using the "table" keyword. If another table is referenced,
10630 the server's ID inside the backends are used. By default, all server IDs
10631 start at 1 in each backend, so the server ordering is enough. But in case of
10632 doubt, it is highly recommended to force server IDs using their "id" setting.
10633
10634 It is possible to restrict the conditions where a "stick store-response"
10635 statement will apply, using "if" or "unless" followed by a condition. This
10636 condition will be evaluated while parsing the response, so any criteria can
10637 be used. See section 7 for ACL based conditions.
10638
10639 There is no limit on the number of "stick store-response" statements, but
10640 there is a limit of 8 simultaneous stores per request or response. This
10641 makes it possible to store up to 8 criteria, all extracted from either the
10642 request or the response, regardless of the number of rules. Only the 8 first
10643 ones which match will be kept. Using this, it is possible to feed multiple
10644 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +010010645 another protocol or access method. Using multiple store-response rules with
10646 the same table is possible and may be used to find the best criterion to rely
10647 on, by arranging the rules by decreasing preference order. Only the first
10648 extracted criterion for a given table will be stored. All subsequent store-
10649 response rules referencing the same table will be skipped and their ACLs will
10650 not be evaluated. However, even if a store-request rule references a table, a
10651 store-response rule may also use the same table. This means that each table
10652 may learn exactly one element from the request and one element from the
10653 response at once.
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010654
10655 The table will contain the real server that processed the request.
10656
10657 Example :
10658 # Learn SSL session ID from both request and response and create affinity.
10659 backend https
10660 mode tcp
10661 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +020010662 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010663 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +020010664
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010665 acl clienthello req_ssl_hello_type 1
10666 acl serverhello rep_ssl_hello_type 2
10667
10668 # use tcp content accepts to detects ssl client and server hello.
10669 tcp-request inspect-delay 5s
10670 tcp-request content accept if clienthello
10671
10672 # no timeout on response inspect delay by default.
10673 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +020010674
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010675 # SSL session ID (SSLID) may be present on a client or server hello.
10676 # Its length is coded on 1 byte at offset 43 and its value starts
10677 # at offset 44.
10678
10679 # Match and learn on request if client hello.
10680 stick on payload_lv(43,1) if clienthello
10681
10682 # Learn on response if server hello.
10683 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +020010684
Emeric Brun6a1cefa2010-09-24 18:15:17 +020010685 server s1 192.168.1.1:443
10686 server s2 192.168.1.1:443
10687
10688 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
10689 extraction.
10690
10691
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010692tcp-check comment <string>
10693 Defines a comment for the following the tcp-check rule, reported in logs if
10694 it fails.
10695 May be used in sections : defaults | frontend | listen | backend
10696 yes | no | yes | yes
10697
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010698 Arguments :
10699 <string> is the comment message to add in logs if the following tcp-check
10700 rule fails.
10701
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020010702 It only works for connect, send and expect rules. It is useful to make
10703 user-friendly error reporting.
10704
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010705 See also : "option tcp-check", "tcp-check connect", "tcp-check send" and
10706 "tcp-check expect".
10707
10708
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020010709tcp-check connect [default] [port <expr>] [addr <ip>] [send-proxy] [via-socks4]
10710 [ssl] [sni <sni>] [alpn <alpn>] [linger]
Christopher Fauletedc6ed92020-04-23 16:27:59 +020010711 [proto <name>] [comment <msg>]
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010712 Opens a new connection
10713 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020010714 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010715
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020010716 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010717 comment <msg> defines a message to report if the rule evaluation fails.
10718
Christopher Faulet4dce5922020-03-30 13:54:42 +020010719 default Use default options of the server line to do the health
Daniel Corbett67a82712020-07-06 23:01:19 -040010720 checks. The server options are used only if not redefined.
Christopher Faulet4dce5922020-03-30 13:54:42 +020010721
Christopher Fauletb7d30092020-03-30 15:19:03 +020010722 port <expr> if not set, check port or server port is used.
Christopher Faulet5c288742020-03-31 08:15:58 +020010723 It tells HAProxy where to open the connection to.
10724 <port> must be a valid TCP port source integer, from 1 to
Christopher Fauletb7d30092020-03-30 15:19:03 +020010725 65535 or an sample-fetch expression.
Christopher Faulet5c288742020-03-31 08:15:58 +020010726
10727 addr <ip> defines the IP address to do the health check.
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010728
10729 send-proxy send a PROXY protocol string
10730
Christopher Faulet085426a2020-03-30 13:07:02 +020010731 via-socks4 enables outgoing health checks using upstream socks4 proxy.
10732
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010733 ssl opens a ciphered connection
10734
Christopher Faulet79b31d42020-03-30 13:00:05 +020010735 sni <sni> specifies the SNI to use to do health checks over SSL.
10736
Christopher Faulet98572322020-03-30 13:16:44 +020010737 alpn <alpn> defines which protocols to advertise with ALPN. The protocol
10738 list consists in a comma-delimited list of protocol names,
10739 for instance: "http/1.1,http/1.0" (without quotes).
10740 If it is not set, the server ALPN is used.
10741
Christopher Fauletedc6ed92020-04-23 16:27:59 +020010742 proto <name> forces the multiplexer's protocol to use for this connection.
10743 It must be a TCP mux protocol and it must be usable on the
10744 backend side. The list of available protocols is reported in
10745 haproxy -vv.
10746
Christopher Faulet5c288742020-03-31 08:15:58 +020010747 linger cleanly close the connection instead of using a single RST.
Gaetan Rivetf8ba6772020-02-07 15:37:17 +010010748
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020010749 When an application lies on more than a single TCP port or when HAProxy
10750 load-balance many services in a single backend, it makes sense to probe all
10751 the services individually before considering a server as operational.
10752
10753 When there are no TCP port configured on the server line neither server port
10754 directive, then the 'tcp-check connect port <port>' must be the first step
10755 of the sequence.
10756
10757 In a tcp-check ruleset a 'connect' is required, it is also mandatory to start
10758 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
10759 do.
10760
10761 When a connect must start the ruleset, if may still be preceded by set-var,
10762 unset-var or comment rules.
10763
10764 Examples :
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010765 # check HTTP and HTTPs services on a server.
10766 # first open port 80 thanks to server line port directive, then
10767 # tcp-check opens port 443, ciphered and run a request on it:
10768 option tcp-check
10769 tcp-check connect
10770 tcp-check send GET\ /\ HTTP/1.0\r\n
10771 tcp-check send Host:\ haproxy.1wt.eu\r\n
10772 tcp-check send \r\n
10773 tcp-check expect rstring (2..|3..)
10774 tcp-check connect port 443 ssl
10775 tcp-check send GET\ /\ HTTP/1.0\r\n
10776 tcp-check send Host:\ haproxy.1wt.eu\r\n
10777 tcp-check send \r\n
10778 tcp-check expect rstring (2..|3..)
10779 server www 10.0.0.1 check port 80
10780
10781 # check both POP and IMAP from a single server:
10782 option tcp-check
Gaetan Rivetf8ba6772020-02-07 15:37:17 +010010783 tcp-check connect port 110 linger
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010784 tcp-check expect string +OK\ POP3\ ready
10785 tcp-check connect port 143
10786 tcp-check expect string *\ OK\ IMAP4\ ready
10787 server mail 10.0.0.1 check
10788
10789 See also : "option tcp-check", "tcp-check send", "tcp-check expect"
10790
10791
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010792tcp-check expect [min-recv <int>] [comment <msg>]
Christopher Fauletec07e382020-04-07 14:56:26 +020010793 [ok-status <st>] [error-status <st>] [tout-status <st>]
Christopher Faulet98cc57c2020-04-01 20:52:31 +020010794 [on-success <fmt>] [on-error <fmt>] [status-code <expr>]
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020010795 [!] <match> <pattern>
Davor Ocelice9ed2812017-12-25 17:49:28 +010010796 Specify data to be collected and analyzed during a generic health check
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010797 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020010798 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010799
10800 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010801 comment <msg> defines a message to report if the rule evaluation fails.
10802
Gaetan Rivet1afd8262020-02-07 15:37:17 +010010803 min-recv is optional and can define the minimum amount of data required to
10804 evaluate the current expect rule. If the number of received bytes
10805 is under this limit, the check will wait for more data. This
10806 option can be used to resolve some ambiguous matching rules or to
10807 avoid executing costly regex matches on content known to be still
10808 incomplete. If an exact string (string or binary) is used, the
10809 minimum between the string length and this parameter is used.
10810 This parameter is ignored if it is set to -1. If the expect rule
10811 does not match, the check will wait for more data. If set to 0,
10812 the evaluation result is always conclusive.
10813
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010814 <match> is a keyword indicating how to look for a specific pattern in the
Gaetan Rivetefab6c62020-02-07 15:37:17 +010010815 response. The keyword may be one of "string", "rstring", "binary" or
10816 "rbinary".
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010817 The keyword may be preceded by an exclamation mark ("!") to negate
10818 the match. Spaces are allowed between the exclamation mark and the
10819 keyword. See below for more details on the supported keywords.
10820
Christopher Fauletec07e382020-04-07 14:56:26 +020010821 ok-status <st> is optional and can be used to set the check status if
10822 the expect rule is successfully evaluated and if it is
10823 the last rule in the tcp-check ruleset. "L7OK", "L7OKC",
Christopher Fauletd888f0f2020-05-07 07:40:17 +020010824 "L6OK" and "L4OK" are supported :
10825 - L7OK : check passed on layer 7
10826 - L7OKC : check conditionally passed on layer 7, for
10827 example 404 with disable-on-404
10828 - L6OK : check passed on layer 6
10829 - L4OK : check passed on layer 4
Christopher Fauletec07e382020-04-07 14:56:26 +020010830 By default "L7OK" is used.
10831
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020010832 error-status <st> is optional and can be used to set the check status if
10833 an error occurred during the expect rule evaluation.
Christopher Fauletd888f0f2020-05-07 07:40:17 +020010834 "L7RSP", "L7STS", "L6RSP" and "L4CON" are supported :
10835 - L7RSP : layer 7 invalid response - protocol error
10836 - L7STS : layer 7 response error, for example HTTP 5xx
10837 - L6RSP : layer 6 invalid response - protocol error
10838 - L4CON : layer 1-4 connection problem
10839 By default "L7RSP" is used.
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020010840
Christopher Fauletec07e382020-04-07 14:56:26 +020010841 tout-status <st> is optional and can be used to set the check status if
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020010842 a timeout occurred during the expect rule evaluation.
Christopher Fauletd888f0f2020-05-07 07:40:17 +020010843 "L7TOUT", "L6TOUT", and "L4TOUT" are supported :
10844 - L7TOUT : layer 7 (HTTP/SMTP) timeout
10845 - L6TOUT : layer 6 (SSL) timeout
10846 - L4TOUT : layer 1-4 timeout
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020010847 By default "L7TOUT" is used.
10848
Christopher Fauletbe52b4d2020-04-01 16:30:22 +020010849 on-success <fmt> is optional and can be used to customize the
10850 informational message reported in logs if the expect
10851 rule is successfully evaluated and if it is the last rule
10852 in the tcp-check ruleset. <fmt> is a log-format string.
10853
10854 on-error <fmt> is optional and can be used to customize the
10855 informational message reported in logs if an error
10856 occurred during the expect rule evaluation. <fmt> is a
10857 log-format string.
10858
Christopher Faulet98cc57c2020-04-01 20:52:31 +020010859 status-code <expr> is optional and can be used to set the check status code
10860 reported in logs, on success or on error. <expr> is a
10861 standard HAProxy expression formed by a sample-fetch
10862 followed by some converters.
10863
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010864 <pattern> is the pattern to look for. It may be a string or a regular
10865 expression. If the pattern contains spaces, they must be escaped
10866 with the usual backslash ('\').
10867 If the match is set to binary, then the pattern must be passed as
Davor Ocelice9ed2812017-12-25 17:49:28 +010010868 a series of hexadecimal digits in an even number. Each sequence of
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010869 two digits will represent a byte. The hexadecimal digits may be
10870 used upper or lower case.
10871
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010872 The available matches are intentionally similar to their http-check cousins :
10873
10874 string <string> : test the exact string matches in the response buffer.
10875 A health check response will be considered valid if the
10876 response's buffer contains this exact string. If the
10877 "string" keyword is prefixed with "!", then the response
10878 will be considered invalid if the body contains this
10879 string. This can be used to look for a mandatory pattern
10880 in a protocol response, or to detect a failure when a
10881 specific error appears in a protocol banner.
10882
10883 rstring <regex> : test a regular expression on the response buffer.
10884 A health check response will be considered valid if the
10885 response's buffer matches this expression. If the
10886 "rstring" keyword is prefixed with "!", then the response
10887 will be considered invalid if the body matches the
10888 expression.
10889
Christopher Fauletaaab0832020-05-05 15:54:22 +020010890 string-lf <fmt> : test a log-format string match in the response's buffer.
10891 A health check response will be considered valid if the
10892 response's buffer contains the string resulting of the
10893 evaluation of <fmt>, which follows the log-format rules.
10894 If prefixed with "!", then the response will be
10895 considered invalid if the buffer contains the string.
10896
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010897 binary <hexstring> : test the exact string in its hexadecimal form matches
10898 in the response buffer. A health check response will
10899 be considered valid if the response's buffer contains
10900 this exact hexadecimal string.
10901 Purpose is to match data on binary protocols.
10902
Gaetan Rivetefab6c62020-02-07 15:37:17 +010010903 rbinary <regex> : test a regular expression on the response buffer, like
10904 "rstring". However, the response buffer is transformed
10905 into its hexadecimal form, including NUL-bytes. This
10906 allows using all regex engines to match any binary
10907 content. The hexadecimal transformation takes twice the
10908 size of the original response. As such, the expected
10909 pattern should work on at-most half the response buffer
10910 size.
10911
Christopher Fauletaaab0832020-05-05 15:54:22 +020010912 binary-lf <hexfmt> : test a log-format string in its hexadecimal form
10913 match in the response's buffer. A health check response
10914 will be considered valid if the response's buffer
10915 contains the hexadecimal string resulting of the
10916 evaluation of <fmt>, which follows the log-format
10917 rules. If prefixed with "!", then the response will be
10918 considered invalid if the buffer contains the
10919 hexadecimal string. The hexadecimal string is converted
10920 in a binary string before matching the response's
10921 buffer.
10922
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010923 It is important to note that the responses will be limited to a certain size
10924 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
10925 Thus, too large responses may not contain the mandatory pattern when using
10926 "string", "rstring" or binary. If a large response is absolutely required, it
10927 is possible to change the default max size by setting the global variable.
10928 However, it is worth keeping in mind that parsing very large responses can
10929 waste some CPU cycles, especially when regular expressions are used, and that
10930 it is always better to focus the checks on smaller resources. Also, in its
10931 current state, the check will not find any string nor regex past a null
10932 character in the response. Similarly it is not possible to request matching
10933 the null character.
10934
10935 Examples :
10936 # perform a POP check
10937 option tcp-check
10938 tcp-check expect string +OK\ POP3\ ready
10939
10940 # perform an IMAP check
10941 option tcp-check
10942 tcp-check expect string *\ OK\ IMAP4\ ready
10943
10944 # look for the redis master server
10945 option tcp-check
10946 tcp-check send PING\r\n
Baptiste Assmanna3322992015-08-04 10:12:18 +020010947 tcp-check expect string +PONG
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010948 tcp-check send info\ replication\r\n
10949 tcp-check expect string role:master
10950 tcp-check send QUIT\r\n
10951 tcp-check expect string +OK
10952
10953
10954 See also : "option tcp-check", "tcp-check connect", "tcp-check send",
10955 "tcp-check send-binary", "http-check expect", tune.chksize
10956
10957
Christopher Fauletb50b3e62020-05-05 18:43:43 +020010958tcp-check send <data> [comment <msg>]
10959tcp-check send-lf <fmt> [comment <msg>]
10960 Specify a string or a log-format string to be sent as a question during a
10961 generic health check
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010962 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020010963 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010964
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010965 Arguments :
10966 comment <msg> defines a message to report if the rule evaluation fails.
10967
Christopher Fauletb50b3e62020-05-05 18:43:43 +020010968 <data> is the string that will be sent during a generic health
10969 check session.
Christopher Faulet16fff672020-04-30 07:50:54 +020010970
Christopher Fauletb50b3e62020-05-05 18:43:43 +020010971 <fmt> is the log-format string that will be sent, once evaluated,
10972 during a generic health check session.
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010973
10974 Examples :
10975 # look for the redis master server
10976 option tcp-check
10977 tcp-check send info\ replication\r\n
10978 tcp-check expect string role:master
10979
10980 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
10981 "tcp-check send-binary", tune.chksize
10982
10983
Christopher Fauletb50b3e62020-05-05 18:43:43 +020010984tcp-check send-binary <hexstring> [comment <msg>]
10985tcp-check send-binary-lf <hexfmt> [comment <msg>]
10986 Specify an hex digits string or an hex digits log-format string to be sent as
10987 a binary question during a raw tcp health check
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010988 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020010989 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020010990
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020010991 Arguments :
10992 comment <msg> defines a message to report if the rule evaluation fails.
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020010993
Christopher Fauletb50b3e62020-05-05 18:43:43 +020010994 <hexstring> is the hexadecimal string that will be send, once converted
10995 to binary, during a generic health check session.
Christopher Faulet16fff672020-04-30 07:50:54 +020010996
Christopher Fauletb50b3e62020-05-05 18:43:43 +020010997 <hexfmt> is the hexadecimal log-format string that will be send, once
10998 evaluated and converted to binary, during a generic health
10999 check session.
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011000
11001 Examples :
11002 # redis check in binary
11003 option tcp-check
11004 tcp-check send-binary 50494e470d0a # PING\r\n
11005 tcp-check expect binary 2b504F4e47 # +PONG
11006
11007
11008 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
11009 "tcp-check send", tune.chksize
11010
11011
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011012tcp-check set-var(<var-name>) <expr>
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011013 This operation sets the content of a variable. The variable is declared inline.
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011014 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011015 yes | no | yes | yes
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011016
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011017 Arguments :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011018 <var-name> The name of the variable starts with an indication about its
11019 scope. The scopes allowed for tcp-check are:
11020 "proc" : the variable is shared with the whole process.
11021 "sess" : the variable is shared with the tcp-check session.
11022 "check": the variable is declared for the lifetime of the tcp-check.
11023 This prefix is followed by a name. The separator is a '.'.
11024 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
11025 and '-'.
11026
11027 <expr> Is a sample-fetch expression potentially followed by converters.
11028
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011029 Examples :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011030 tcp-check set-var(check.port) int(1234)
11031
11032
11033tcp-check unset-var(<var-name>)
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011034 Free a reference to a variable within its scope.
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011035 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011036 yes | no | yes | yes
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011037
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011038 Arguments :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011039 <var-name> The name of the variable starts with an indication about its
11040 scope. The scopes allowed for tcp-check are:
11041 "proc" : the variable is shared with the whole process.
11042 "sess" : the variable is shared with the tcp-check session.
11043 "check": the variable is declared for the lifetime of the tcp-check.
11044 This prefix is followed by a name. The separator is a '.'.
11045 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
11046 and '-'.
11047
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011048 Examples :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011049 tcp-check unset-var(check.port)
11050
11051
Willy Tarreaue9656522010-08-17 15:40:09 +020011052tcp-request connection <action> [{if | unless} <condition>]
11053 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +020011054 May be used in sections : defaults | frontend | listen | backend
11055 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +020011056 Arguments :
Willy Tarreauc870bfd2015-09-28 18:47:38 +020011057 <action> defines the action to perform if the condition applies. See
11058 below.
Willy Tarreau1a687942010-05-23 22:40:30 +020011059
Willy Tarreaue9656522010-08-17 15:40:09 +020011060 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011061
11062 Immediately after acceptance of a new incoming connection, it is possible to
11063 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +020011064 or dropped or have its counters tracked. Those conditions cannot make use of
11065 any data contents because the connection has not been read from yet, and the
11066 buffers are not yet allocated. This is used to selectively and very quickly
11067 accept or drop connections from various sources with a very low overhead. If
11068 some contents need to be inspected in order to take the decision, the
11069 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011070
Willy Tarreaue9656522010-08-17 15:40:09 +020011071 The "tcp-request connection" rules are evaluated in their exact declaration
11072 order. If no rule matches or if there is no rule, the default action is to
11073 accept the incoming connection. There is no specific limit to the number of
11074 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011075
Willy Tarreaua9083d02015-05-08 15:27:59 +020011076 Four types of actions are supported :
Willy Tarreaue9656522010-08-17 15:40:09 +020011077 - accept :
11078 accepts the connection if the condition is true (when used with "if")
11079 or false (when used with "unless"). The first such rule executed ends
11080 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011081
Willy Tarreaue9656522010-08-17 15:40:09 +020011082 - reject :
11083 rejects the connection if the condition is true (when used with "if")
11084 or false (when used with "unless"). The first such rule executed ends
11085 the rules evaluation. Rejected connections do not even become a
11086 session, which is why they are accounted separately for in the stats,
11087 as "denied connections". They are not considered for the session
11088 rate-limit and are not logged either. The reason is that these rules
11089 should only be used to filter extremely high connection rates such as
11090 the ones encountered during a massive DDoS attack. Under these extreme
11091 conditions, the simple action of logging each event would make the
11092 system collapse and would considerably lower the filtering capacity. If
11093 logging is absolutely desired, then "tcp-request content" rules should
Willy Tarreau4f614292016-10-21 17:49:36 +020011094 be used instead, as "tcp-request session" rules will not log either.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011095
Willy Tarreau4f0d9192013-06-11 20:40:55 +020011096 - expect-proxy layer4 :
11097 configures the client-facing connection to receive a PROXY protocol
11098 header before any byte is read from the socket. This is equivalent to
11099 having the "accept-proxy" keyword on the "bind" line, except that using
11100 the TCP rule allows the PROXY protocol to be accepted only for certain
11101 IP address ranges using an ACL. This is convenient when multiple layers
11102 of load balancers are passed through by traffic coming from public
11103 hosts.
11104
Bertrand Jacquin90759682016-06-06 15:35:39 +010011105 - expect-netscaler-cip layer4 :
11106 configures the client-facing connection to receive a NetScaler Client
11107 IP insertion protocol header before any byte is read from the socket.
11108 This is equivalent to having the "accept-netscaler-cip" keyword on the
11109 "bind" line, except that using the TCP rule allows the PROXY protocol
11110 to be accepted only for certain IP address ranges using an ACL. This
11111 is convenient when multiple layers of load balancers are passed
11112 through by traffic coming from public hosts.
11113
Willy Tarreau18bf01e2014-06-13 16:18:52 +020011114 - capture <sample> len <length> :
11115 This only applies to "tcp-request content" rules. It captures sample
11116 expression <sample> from the request buffer, and converts it to a
11117 string of at most <len> characters. The resulting string is stored into
11118 the next request "capture" slot, so it will possibly appear next to
11119 some captured HTTP headers. It will then automatically appear in the
11120 logs, and it will be possible to extract it using sample fetch rules to
11121 feed it into headers or anything. The length should be limited given
11122 that this size will be allocated for each capture during the whole
Willy Tarreaua9083d02015-05-08 15:27:59 +020011123 session life. Please check section 7.3 (Fetching samples) and "capture
11124 request header" for more information.
Willy Tarreau18bf01e2014-06-13 16:18:52 +020011125
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011126 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
Willy Tarreaue9656522010-08-17 15:40:09 +020011127 enables tracking of sticky counters from current connection. These
Moemen MHEDHBI9cf46342018-09-25 17:50:53 +020011128 rules do not stop evaluation and do not change default action. The
11129 number of counters that may be simultaneously tracked by the same
11130 connection is set in MAX_SESS_STKCTR at build time (reported in
John Roeslerfb2fce12019-07-10 15:45:51 -050011131 haproxy -vv) which defaults to 3, so the track-sc number is between 0
Moemen MHEDHBI9cf46342018-09-25 17:50:53 +020011132 and (MAX_SESS_STCKTR-1). The first "track-sc0" rule executed enables
11133 tracking of the counters of the specified table as the first set. The
11134 first "track-sc1" rule executed enables tracking of the counters of the
11135 specified table as the second set. The first "track-sc2" rule executed
11136 enables tracking of the counters of the specified table as the third
11137 set. It is a recommended practice to use the first set of counters for
11138 the per-frontend counters and the second set for the per-backend ones.
11139 But this is just a guideline, all may be used everywhere.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011140
Willy Tarreaue9656522010-08-17 15:40:09 +020011141 These actions take one or two arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020011142 <key> is mandatory, and is a sample expression rule as described
Willy Tarreau74ca5042013-06-11 23:12:07 +020011143 in section 7.3. It describes what elements of the incoming
Davor Ocelice9ed2812017-12-25 17:49:28 +010011144 request or connection will be analyzed, extracted, combined,
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011145 and used to select which table entry to update the counters.
11146 Note that "tcp-request connection" cannot use content-based
11147 fetches.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011148
Willy Tarreaue9656522010-08-17 15:40:09 +020011149 <table> is an optional table to be used instead of the default one,
11150 which is the stick-table declared in the current proxy. All
11151 the counters for the matches and updates for the key will
11152 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011153
Willy Tarreaue9656522010-08-17 15:40:09 +020011154 Once a "track-sc*" rule is executed, the key is looked up in the table
11155 and if it is not found, an entry is allocated for it. Then a pointer to
11156 that entry is kept during all the session's life, and this entry's
11157 counters are updated as often as possible, every time the session's
11158 counters are updated, and also systematically when the session ends.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011159 Counters are only updated for events that happen after the tracking has
11160 been started. For example, connection counters will not be updated when
11161 tracking layer 7 information, since the connection event happens before
11162 layer7 information is extracted.
11163
Willy Tarreaue9656522010-08-17 15:40:09 +020011164 If the entry tracks concurrent connection counters, one connection is
11165 counted for as long as the entry is tracked, and the entry will not
11166 expire during that time. Tracking counters also provides a performance
11167 advantage over just checking the keys, because only one table lookup is
11168 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011169
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +020011170 - sc-inc-gpc0(<sc-id>):
11171 The "sc-inc-gpc0" increments the GPC0 counter according to the sticky
11172 counter designated by <sc-id>. If an error occurs, this action silently
11173 fails and the actions evaluation continues.
11174
Frédéric Lécaille6778b272018-01-29 15:22:53 +010011175 - sc-inc-gpc1(<sc-id>):
11176 The "sc-inc-gpc1" increments the GPC1 counter according to the sticky
11177 counter designated by <sc-id>. If an error occurs, this action silently
11178 fails and the actions evaluation continues.
11179
Cédric Dufour0d7712d2019-11-06 18:38:53 +010011180 - sc-set-gpt0(<sc-id>) { <int> | <expr> }:
11181 This action sets the 32-bit unsigned GPT0 tag according to the sticky
11182 counter designated by <sc-id> and the value of <int>/<expr>. The
11183 expected result is a boolean. If an error occurs, this action silently
11184 fails and the actions evaluation continues.
Thierry FOURNIER236657b2015-08-19 08:25:14 +020011185
William Lallemand2e785f22016-05-25 01:48:42 +020011186 - set-src <expr> :
11187 Is used to set the source IP address to the value of specified
11188 expression. Useful if you want to mask source IP for privacy.
11189 If you want to provide an IP from a HTTP header use "http-request
Cyril Bonté6c81d5f2018-10-17 00:14:51 +020011190 set-src".
William Lallemand2e785f22016-05-25 01:48:42 +020011191
Cyril Bonté6c81d5f2018-10-17 00:14:51 +020011192 Arguments:
11193 <expr> Is a standard HAProxy expression formed by a sample-fetch
11194 followed by some converters.
William Lallemand2e785f22016-05-25 01:48:42 +020011195
11196 Example:
William Lallemand2e785f22016-05-25 01:48:42 +020011197 tcp-request connection set-src src,ipmask(24)
11198
Willy Tarreau0c630532016-10-21 17:52:58 +020011199 When possible, set-src preserves the original source port as long as the
11200 address family allows it, otherwise the source port is set to 0.
William Lallemand2e785f22016-05-25 01:48:42 +020011201
William Lallemand44be6402016-05-25 01:51:35 +020011202 - set-src-port <expr> :
11203 Is used to set the source port address to the value of specified
11204 expression.
11205
Cyril Bonté6c81d5f2018-10-17 00:14:51 +020011206 Arguments:
11207 <expr> Is a standard HAProxy expression formed by a sample-fetch
11208 followed by some converters.
William Lallemand44be6402016-05-25 01:51:35 +020011209
11210 Example:
William Lallemand44be6402016-05-25 01:51:35 +020011211 tcp-request connection set-src-port int(4000)
11212
Willy Tarreau0c630532016-10-21 17:52:58 +020011213 When possible, set-src-port preserves the original source address as long
11214 as the address family supports a port, otherwise it forces the source
11215 address to IPv4 "0.0.0.0" before rewriting the port.
William Lallemand44be6402016-05-25 01:51:35 +020011216
William Lallemand13e9b0c2016-05-25 02:34:07 +020011217 - set-dst <expr> :
11218 Is used to set the destination IP address to the value of specified
11219 expression. Useful if you want to mask IP for privacy in log.
11220 If you want to provide an IP from a HTTP header use "http-request
11221 set-dst". If you want to connect to the new address/port, use
11222 '0.0.0.0:0' as a server address in the backend.
11223
11224 <expr> Is a standard HAProxy expression formed by a sample-fetch
11225 followed by some converters.
11226
11227 Example:
11228
11229 tcp-request connection set-dst dst,ipmask(24)
11230 tcp-request connection set-dst ipv4(10.0.0.1)
11231
Willy Tarreau0c630532016-10-21 17:52:58 +020011232 When possible, set-dst preserves the original destination port as long as
11233 the address family allows it, otherwise the destination port is set to 0.
11234
William Lallemand13e9b0c2016-05-25 02:34:07 +020011235 - set-dst-port <expr> :
11236 Is used to set the destination port address to the value of specified
11237 expression. If you want to connect to the new address/port, use
11238 '0.0.0.0:0' as a server address in the backend.
11239
11240
11241 <expr> Is a standard HAProxy expression formed by a sample-fetch
11242 followed by some converters.
11243
11244 Example:
11245
11246 tcp-request connection set-dst-port int(4000)
11247
Willy Tarreau0c630532016-10-21 17:52:58 +020011248 When possible, set-dst-port preserves the original destination address as
11249 long as the address family supports a port, otherwise it forces the
11250 destination address to IPv4 "0.0.0.0" before rewriting the port.
11251
Willy Tarreau2d392c22015-08-24 01:43:45 +020011252 - "silent-drop" :
11253 This stops the evaluation of the rules and makes the client-facing
Davor Ocelice9ed2812017-12-25 17:49:28 +010011254 connection suddenly disappear using a system-dependent way that tries
Willy Tarreau2d392c22015-08-24 01:43:45 +020011255 to prevent the client from being notified. The effect it then that the
11256 client still sees an established connection while there's none on
11257 HAProxy. The purpose is to achieve a comparable effect to "tarpit"
11258 except that it doesn't use any local resource at all on the machine
11259 running HAProxy. It can resist much higher loads than "tarpit", and
Davor Ocelice9ed2812017-12-25 17:49:28 +010011260 slow down stronger attackers. It is important to understand the impact
11261 of using this mechanism. All stateful equipment placed between the
Willy Tarreau2d392c22015-08-24 01:43:45 +020011262 client and HAProxy (firewalls, proxies, load balancers) will also keep
11263 the established connection for a long time and may suffer from this
Davor Ocelice9ed2812017-12-25 17:49:28 +010011264 action. On modern Linux systems running with enough privileges, the
Willy Tarreau2d392c22015-08-24 01:43:45 +020011265 TCP_REPAIR socket option is used to block the emission of a TCP
11266 reset. On other systems, the socket's TTL is reduced to 1 so that the
11267 TCP reset doesn't pass the first router, though it's still delivered to
11268 local networks. Do not use it unless you fully understand how it works.
11269
Willy Tarreaue9656522010-08-17 15:40:09 +020011270 Note that the "if/unless" condition is optional. If no condition is set on
11271 the action, it is simply performed unconditionally. That can be useful for
11272 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011273
Willy Tarreaue9656522010-08-17 15:40:09 +020011274 Example: accept all connections from white-listed hosts, reject too fast
11275 connection without counting them, and track accepted connections.
11276 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011277
Willy Tarreaue9656522010-08-17 15:40:09 +020011278 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011279 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011280 tcp-request connection track-sc0 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011281
Willy Tarreaue9656522010-08-17 15:40:09 +020011282 Example: accept all connections from white-listed hosts, count all other
11283 connections and reject too fast ones. This results in abusive ones
11284 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011285
Willy Tarreaue9656522010-08-17 15:40:09 +020011286 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011287 tcp-request connection track-sc0 src
11288 tcp-request connection reject if { sc0_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011289
Willy Tarreau4f0d9192013-06-11 20:40:55 +020011290 Example: enable the PROXY protocol for traffic coming from all known proxies.
11291
11292 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
11293
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011294 See section 7 about ACL usage.
11295
Willy Tarreau4f614292016-10-21 17:49:36 +020011296 See also : "tcp-request session", "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011297
11298
Willy Tarreaue9656522010-08-17 15:40:09 +020011299tcp-request content <action> [{if | unless} <condition>]
11300 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +020011301 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +020011302 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +020011303 Arguments :
Willy Tarreauc870bfd2015-09-28 18:47:38 +020011304 <action> defines the action to perform if the condition applies. See
11305 below.
Willy Tarreau62644772008-07-16 18:36:06 +020011306
Willy Tarreaue9656522010-08-17 15:40:09 +020011307 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +020011308
Davor Ocelice9ed2812017-12-25 17:49:28 +010011309 A request's contents can be analyzed at an early stage of request processing
Willy Tarreaue9656522010-08-17 15:40:09 +020011310 called "TCP content inspection". During this stage, ACL-based rules are
11311 evaluated every time the request contents are updated, until either an
11312 "accept" or a "reject" rule matches, or the TCP request inspection delay
11313 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +020011314
Willy Tarreaue9656522010-08-17 15:40:09 +020011315 The first difference between these rules and "tcp-request connection" rules
11316 is that "tcp-request content" rules can make use of contents to take a
11317 decision. Most often, these decisions will consider a protocol recognition or
11318 validity. The second difference is that content-based rules can be used in
Willy Tarreauf3338342014-01-28 21:40:28 +010011319 both frontends and backends. In case of HTTP keep-alive with the client, all
11320 tcp-request content rules are evaluated again, so haproxy keeps a record of
11321 what sticky counters were assigned by a "tcp-request connection" versus a
11322 "tcp-request content" rule, and flushes all the content-related ones after
11323 processing an HTTP request, so that they may be evaluated again by the rules
11324 being evaluated again for the next request. This is of particular importance
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011325 when the rule tracks some L7 information or when it is conditioned by an
Willy Tarreauf3338342014-01-28 21:40:28 +010011326 L7-based ACL, since tracking may change between requests.
Willy Tarreau62644772008-07-16 18:36:06 +020011327
Willy Tarreaue9656522010-08-17 15:40:09 +020011328 Content-based rules are evaluated in their exact declaration order. If no
11329 rule matches or if there is no rule, the default action is to accept the
11330 contents. There is no specific limit to the number of rules which may be
11331 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +020011332
Thierry FOURNIER236657b2015-08-19 08:25:14 +020011333 Several types of actions are supported :
Willy Tarreau18bf01e2014-06-13 16:18:52 +020011334 - accept : the request is accepted
Baptiste Assmann333939c2019-01-21 08:34:50 +010011335 - do-resolve: perform a DNS resolution
Willy Tarreau18bf01e2014-06-13 16:18:52 +020011336 - reject : the request is rejected and the connection is closed
11337 - capture : the specified sample expression is captured
Patrick Hemmer268a7072018-05-11 12:52:31 -040011338 - set-priority-class <expr> | set-priority-offset <expr>
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011339 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +020011340 - sc-inc-gpc0(<sc-id>)
Frédéric Lécaille6778b272018-01-29 15:22:53 +010011341 - sc-inc-gpc1(<sc-id>)
Cédric Dufour0d7712d2019-11-06 18:38:53 +010011342 - sc-set-gpt0(<sc-id>) { <int> | <expr> }
Baptiste Assmanne1afd4f2019-04-18 16:21:13 +020011343 - set-dst <expr>
11344 - set-dst-port <expr>
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011345 - set-var(<var-name>) <expr>
Christopher Faulet85d79c92016-11-09 16:54:56 +010011346 - unset-var(<var-name>)
Willy Tarreau2d392c22015-08-24 01:43:45 +020011347 - silent-drop
Davor Ocelice9ed2812017-12-25 17:49:28 +010011348 - send-spoe-group <engine-name> <group-name>
Christopher Faulet579d83b2019-11-22 15:34:17 +010011349 - use-service <service-name>
Willy Tarreau62644772008-07-16 18:36:06 +020011350
Willy Tarreaue9656522010-08-17 15:40:09 +020011351 They have the same meaning as their counter-parts in "tcp-request connection"
11352 so please refer to that section for a complete description.
Baptiste Assmann333939c2019-01-21 08:34:50 +010011353 For "do-resolve" action, please check the "http-request do-resolve"
11354 configuration section.
Willy Tarreau62644772008-07-16 18:36:06 +020011355
Willy Tarreauf3338342014-01-28 21:40:28 +010011356 While there is nothing mandatory about it, it is recommended to use the
11357 track-sc0 in "tcp-request connection" rules, track-sc1 for "tcp-request
11358 content" rules in the frontend, and track-sc2 for "tcp-request content"
11359 rules in the backend, because that makes the configuration more readable
11360 and easier to troubleshoot, but this is just a guideline and all counters
11361 may be used everywhere.
Willy Tarreau62644772008-07-16 18:36:06 +020011362
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010011363 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +020011364 the action, it is simply performed unconditionally. That can be useful for
11365 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +020011366
Christopher Faulet2079a4a2020-10-02 11:48:57 +020011367 Note also that it is recommended to use a "tcp-request session" rule to track
11368 information that does *not* depend on Layer 7 contents, especially for HTTP
11369 frontends. Some HTTP processing are performed at the session level and may
11370 lead to an early rejection of the requests. Thus, the tracking at the content
11371 level may be disturbed in such case. A warning is emitted during startup to
11372 prevent, as far as possible, such unreliable usage.
11373
Willy Tarreaue9656522010-08-17 15:40:09 +020011374 It is perfectly possible to match layer 7 contents with "tcp-request content"
Christopher Faulet7ea509e2020-10-02 11:38:46 +020011375 rules from a TCP proxy, since HTTP-specific ACL matches are able to
11376 preliminarily parse the contents of a buffer before extracting the required
11377 data. If the buffered contents do not parse as a valid HTTP message, then the
11378 ACL does not match. The parser which is involved there is exactly the same
11379 as for all other HTTP processing, so there is no risk of parsing something
11380 differently. In an HTTP frontend or an HTTP backend, it is guaranteed that
11381 HTTP contents will always be immediately present when the rule is evaluated
11382 first because the HTTP parsing is performed in the early stages of the
11383 connection processing, at the session level. But for such proxies, using
11384 "http-request" rules is much more natural and recommended.
Willy Tarreau62644772008-07-16 18:36:06 +020011385
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011386 Tracking layer7 information is also possible provided that the information
Willy Tarreau4d54c7c2014-09-16 15:48:15 +020011387 are present when the rule is processed. The rule processing engine is able to
11388 wait until the inspect delay expires when the data to be tracked is not yet
11389 available.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011390
Baptiste Assmanne1afd4f2019-04-18 16:21:13 +020011391 The "set-dst" and "set-dst-port" are used to set respectively the destination
11392 IP and port. More information on how to use it at "http-request set-dst".
11393
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011394 The "set-var" is used to set the content of a variable. The variable is
Willy Tarreau4f614292016-10-21 17:49:36 +020011395 declared inline. For "tcp-request session" rules, only session-level
11396 variables can be used, without any layer7 contents.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011397
Daniel Schneller0b547052016-03-21 20:46:57 +010011398 <var-name> The name of the variable starts with an indication about
11399 its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010011400 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010011401 "sess" : the variable is shared with the whole session
11402 "txn" : the variable is shared with the transaction
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011403 (request and response)
Daniel Schneller0b547052016-03-21 20:46:57 +010011404 "req" : the variable is shared only during request
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011405 processing
Daniel Schneller0b547052016-03-21 20:46:57 +010011406 "res" : the variable is shared only during response
11407 processing
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011408 This prefix is followed by a name. The separator is a '.'.
Christopher Fauletb71557a2016-10-31 10:49:03 +010011409 The name may only contain characters 'a-z', 'A-Z', '0-9',
11410 '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011411
11412 <expr> Is a standard HAProxy expression formed by a sample-fetch
11413 followed by some converters.
11414
Christopher Faulet85d79c92016-11-09 16:54:56 +010011415 The "unset-var" is used to unset a variable. See above for details about
11416 <var-name>.
11417
Patrick Hemmer268a7072018-05-11 12:52:31 -040011418 The "set-priority-class" is used to set the queue priority class of the
11419 current request. The value must be a sample expression which converts to an
11420 integer in the range -2047..2047. Results outside this range will be
11421 truncated. The priority class determines the order in which queued requests
11422 are processed. Lower values have higher priority.
11423
11424 The "set-priority-offset" is used to set the queue priority timestamp offset
11425 of the current request. The value must be a sample expression which converts
11426 to an integer in the range -524287..524287. Results outside this range will be
11427 truncated. When a request is queued, it is ordered first by the priority
11428 class, then by the current timestamp adjusted by the given offset in
11429 milliseconds. Lower values have higher priority.
11430 Note that the resulting timestamp is is only tracked with enough precision for
11431 524,287ms (8m44s287ms). If the request is queued long enough to where the
11432 adjusted timestamp exceeds this value, it will be misidentified as highest
11433 priority. Thus it is important to set "timeout queue" to a value, where when
11434 combined with the offset, does not exceed this limit.
11435
Christopher Faulet76c09ef2017-09-21 11:03:52 +020011436 The "send-spoe-group" is used to trigger sending of a group of SPOE
11437 messages. To do so, the SPOE engine used to send messages must be defined, as
11438 well as the SPOE group to send. Of course, the SPOE engine must refer to an
11439 existing SPOE filter. If not engine name is provided on the SPOE filter line,
11440 the SPOE agent name must be used.
11441
11442 <engine-name> The SPOE engine name.
11443
11444 <group-name> The SPOE group name as specified in the engine configuration.
11445
Christopher Faulet579d83b2019-11-22 15:34:17 +010011446 The "use-service" is used to executes a TCP service which will reply to the
11447 request and stop the evaluation of the rules. This service may choose to
11448 reply by sending any valid response or it may immediately close the
11449 connection without sending anything. Outside natives services, it is possible
11450 to write your own services in Lua. No further "tcp-request" rules are
11451 evaluated.
11452
11453 Example:
11454 tcp-request content use-service lua.deny { src -f /etc/haproxy/blacklist.lst }
11455
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011456 Example:
11457
11458 tcp-request content set-var(sess.my_var) src
Christopher Faulet85d79c92016-11-09 16:54:56 +010011459 tcp-request content unset-var(sess.my_var2)
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011460
Willy Tarreau62644772008-07-16 18:36:06 +020011461 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +020011462 # Accept HTTP requests containing a Host header saying "example.com"
11463 # and reject everything else.
11464 acl is_host_com hdr(Host) -i example.com
11465 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +020011466 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +020011467 tcp-request content reject
11468
11469 Example:
Willy Tarreau62644772008-07-16 18:36:06 +020011470 # reject SMTP connection if client speaks first
11471 tcp-request inspect-delay 30s
11472 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011473 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +020011474
11475 # Forward HTTPS connection only if client speaks
11476 tcp-request inspect-delay 30s
11477 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011478 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +020011479 tcp-request content reject
11480
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011481 Example:
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030011482 # Track the last IP(stick-table type string) from X-Forwarded-For
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011483 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +020011484 tcp-request content track-sc0 hdr(x-forwarded-for,-1)
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030011485 # Or track the last IP(stick-table type ip|ipv6) from X-Forwarded-For
11486 tcp-request content track-sc0 req.hdr_ip(x-forwarded-for,-1)
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011487
11488 Example:
11489 # track request counts per "base" (concatenation of Host+URL)
11490 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +020011491 tcp-request content track-sc0 base table req-rate
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011492
Willy Tarreaue9656522010-08-17 15:40:09 +020011493 Example: track per-frontend and per-backend counters, block abusers at the
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030011494 frontend when the backend detects abuse(and marks gpc0).
Willy Tarreaue9656522010-08-17 15:40:09 +020011495
11496 frontend http
Davor Ocelice9ed2812017-12-25 17:49:28 +010011497 # Use General Purpose Counter 0 in SC0 as a global abuse counter
Willy Tarreaue9656522010-08-17 15:40:09 +020011498 # protecting all our sites
11499 stick-table type ip size 1m expire 5m store gpc0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011500 tcp-request connection track-sc0 src
11501 tcp-request connection reject if { sc0_get_gpc0 gt 0 }
Willy Tarreaue9656522010-08-17 15:40:09 +020011502 ...
11503 use_backend http_dynamic if { path_end .php }
11504
11505 backend http_dynamic
11506 # if a source makes too fast requests to this dynamic site (tracked
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011507 # by SC1), block it globally in the frontend.
Willy Tarreaue9656522010-08-17 15:40:09 +020011508 stick-table type ip size 1m expire 5m store http_req_rate(10s)
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011509 acl click_too_fast sc1_http_req_rate gt 10
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030011510 acl mark_as_abuser sc0_inc_gpc0(http) gt 0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011511 tcp-request content track-sc1 src
Willy Tarreaue9656522010-08-17 15:40:09 +020011512 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +020011513
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011514 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +020011515
Jarno Huuskonen95b012b2017-04-06 13:59:14 +030011516 See also : "tcp-request connection", "tcp-request session",
11517 "tcp-request inspect-delay", and "http-request".
Willy Tarreau62644772008-07-16 18:36:06 +020011518
11519
11520tcp-request inspect-delay <timeout>
11521 Set the maximum allowed time to wait for data during content inspection
11522 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +020011523 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +020011524 Arguments :
11525 <timeout> is the timeout value specified in milliseconds by default, but
11526 can be in any other unit if the number is suffixed by the unit,
11527 as explained at the top of this document.
11528
11529 People using haproxy primarily as a TCP relay are often worried about the
11530 risk of passing any type of protocol to a server without any analysis. In
11531 order to be able to analyze the request contents, we must first withhold
11532 the data then analyze them. This statement simply enables withholding of
11533 data for at most the specified amount of time.
11534
Willy Tarreaufb356202010-08-03 14:02:05 +020011535 TCP content inspection applies very early when a connection reaches a
11536 frontend, then very early when the connection is forwarded to a backend. This
11537 means that a connection may experience a first delay in the frontend and a
11538 second delay in the backend if both have tcp-request rules.
11539
Willy Tarreau62644772008-07-16 18:36:06 +020011540 Note that when performing content inspection, haproxy will evaluate the whole
11541 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010011542 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +020011543 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +010011544 contents are definitive. If no delay is set, haproxy will not wait at all
11545 and will immediately apply a verdict based on the available information.
11546 Obviously this is unlikely to be very useful and might even be racy, so such
11547 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +020011548
11549 As soon as a rule matches, the request is released and continues as usual. If
11550 the timeout is reached and no rule matches, the default policy will be to let
11551 it pass through unaffected.
11552
11553 For most protocols, it is enough to set it to a few seconds, as most clients
11554 send the full request immediately upon connection. Add 3 or more seconds to
11555 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +010011556 to use large values, for instance to ensure that the client never talks
Davor Ocelice9ed2812017-12-25 17:49:28 +010011557 before the server (e.g. SMTP), or to wait for a client to talk before passing
11558 data to the server (e.g. SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +020011559 least the inspection delay, otherwise it will expire first. If the client
11560 closes the connection or if the buffer is full, the delay immediately expires
11561 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +020011562
Willy Tarreau55165fe2009-05-10 12:02:55 +020011563 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +020011564 "timeout client".
11565
11566
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011567tcp-response content <action> [{if | unless} <condition>]
11568 Perform an action on a session response depending on a layer 4-7 condition
11569 May be used in sections : defaults | frontend | listen | backend
11570 no | no | yes | yes
11571 Arguments :
Willy Tarreauc870bfd2015-09-28 18:47:38 +020011572 <action> defines the action to perform if the condition applies. See
11573 below.
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011574
11575 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
11576
Davor Ocelice9ed2812017-12-25 17:49:28 +010011577 Response contents can be analyzed at an early stage of response processing
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011578 called "TCP content inspection". During this stage, ACL-based rules are
11579 evaluated every time the response contents are updated, until either an
Willy Tarreaucc1e04b2013-09-11 23:20:29 +020011580 "accept", "close" or a "reject" rule matches, or a TCP response inspection
11581 delay is set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011582
11583 Most often, these decisions will consider a protocol recognition or validity.
11584
11585 Content-based rules are evaluated in their exact declaration order. If no
11586 rule matches or if there is no rule, the default action is to accept the
11587 contents. There is no specific limit to the number of rules which may be
11588 inserted.
11589
Thierry FOURNIER236657b2015-08-19 08:25:14 +020011590 Several types of actions are supported :
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011591 - accept :
11592 accepts the response if the condition is true (when used with "if")
11593 or false (when used with "unless"). The first such rule executed ends
11594 the rules evaluation.
11595
Willy Tarreaucc1e04b2013-09-11 23:20:29 +020011596 - close :
11597 immediately closes the connection with the server if the condition is
11598 true (when used with "if"), or false (when used with "unless"). The
11599 first such rule executed ends the rules evaluation. The main purpose of
11600 this action is to force a connection to be finished between a client
11601 and a server after an exchange when the application protocol expects
11602 some long time outs to elapse first. The goal is to eliminate idle
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011603 connections which take significant resources on servers with certain
Willy Tarreaucc1e04b2013-09-11 23:20:29 +020011604 protocols.
11605
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011606 - reject :
11607 rejects the response if the condition is true (when used with "if")
11608 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -040011609 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011610
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011611 - set-var(<var-name>) <expr>
11612 Sets a variable.
11613
Christopher Faulet85d79c92016-11-09 16:54:56 +010011614 - unset-var(<var-name>)
11615 Unsets a variable.
11616
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +020011617 - sc-inc-gpc0(<sc-id>):
11618 This action increments the GPC0 counter according to the sticky
11619 counter designated by <sc-id>. If an error occurs, this action fails
11620 silently and the actions evaluation continues.
11621
Frédéric Lécaille6778b272018-01-29 15:22:53 +010011622 - sc-inc-gpc1(<sc-id>):
11623 This action increments the GPC1 counter according to the sticky
11624 counter designated by <sc-id>. If an error occurs, this action fails
11625 silently and the actions evaluation continues.
11626
Cédric Dufour0d7712d2019-11-06 18:38:53 +010011627 - sc-set-gpt0(<sc-id>) { <int> | <expr> }
11628 This action sets the 32-bit unsigned GPT0 tag according to the sticky
11629 counter designated by <sc-id> and the value of <int>/<expr>. The
11630 expected result is a boolean. If an error occurs, this action silently
11631 fails and the actions evaluation continues.
Thierry FOURNIER236657b2015-08-19 08:25:14 +020011632
Willy Tarreau2d392c22015-08-24 01:43:45 +020011633 - "silent-drop" :
11634 This stops the evaluation of the rules and makes the client-facing
Davor Ocelice9ed2812017-12-25 17:49:28 +010011635 connection suddenly disappear using a system-dependent way that tries
Willy Tarreau2d392c22015-08-24 01:43:45 +020011636 to prevent the client from being notified. The effect it then that the
11637 client still sees an established connection while there's none on
11638 HAProxy. The purpose is to achieve a comparable effect to "tarpit"
11639 except that it doesn't use any local resource at all on the machine
11640 running HAProxy. It can resist much higher loads than "tarpit", and
Davor Ocelice9ed2812017-12-25 17:49:28 +010011641 slow down stronger attackers. It is important to understand the impact
11642 of using this mechanism. All stateful equipment placed between the
Willy Tarreau2d392c22015-08-24 01:43:45 +020011643 client and HAProxy (firewalls, proxies, load balancers) will also keep
11644 the established connection for a long time and may suffer from this
Davor Ocelice9ed2812017-12-25 17:49:28 +010011645 action. On modern Linux systems running with enough privileges, the
Willy Tarreau2d392c22015-08-24 01:43:45 +020011646 TCP_REPAIR socket option is used to block the emission of a TCP
11647 reset. On other systems, the socket's TTL is reduced to 1 so that the
11648 TCP reset doesn't pass the first router, though it's still delivered to
11649 local networks. Do not use it unless you fully understand how it works.
11650
Christopher Faulet76c09ef2017-09-21 11:03:52 +020011651 - send-spoe-group <engine-name> <group-name>
11652 Send a group of SPOE messages.
11653
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011654 Note that the "if/unless" condition is optional. If no condition is set on
11655 the action, it is simply performed unconditionally. That can be useful for
11656 for changing the default action to a reject.
11657
Jamie Gloudonaaa21002012-08-25 00:18:33 -040011658 It is perfectly possible to match layer 7 contents with "tcp-response
11659 content" rules, but then it is important to ensure that a full response has
11660 been buffered, otherwise no contents will match. In order to achieve this,
11661 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011662 period.
11663
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011664 The "set-var" is used to set the content of a variable. The variable is
11665 declared inline.
11666
Daniel Schneller0b547052016-03-21 20:46:57 +010011667 <var-name> The name of the variable starts with an indication about
11668 its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010011669 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010011670 "sess" : the variable is shared with the whole session
11671 "txn" : the variable is shared with the transaction
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011672 (request and response)
Daniel Schneller0b547052016-03-21 20:46:57 +010011673 "req" : the variable is shared only during request
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011674 processing
Daniel Schneller0b547052016-03-21 20:46:57 +010011675 "res" : the variable is shared only during response
11676 processing
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011677 This prefix is followed by a name. The separator is a '.'.
Christopher Fauletb71557a2016-10-31 10:49:03 +010011678 The name may only contain characters 'a-z', 'A-Z', '0-9',
11679 '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011680
11681 <expr> Is a standard HAProxy expression formed by a sample-fetch
11682 followed by some converters.
11683
11684 Example:
11685
11686 tcp-request content set-var(sess.my_var) src
11687
Christopher Faulet85d79c92016-11-09 16:54:56 +010011688 The "unset-var" is used to unset a variable. See above for details about
11689 <var-name>.
11690
11691 Example:
11692
11693 tcp-request content unset-var(sess.my_var)
11694
Christopher Faulet76c09ef2017-09-21 11:03:52 +020011695 The "send-spoe-group" is used to trigger sending of a group of SPOE
11696 messages. To do so, the SPOE engine used to send messages must be defined, as
11697 well as the SPOE group to send. Of course, the SPOE engine must refer to an
11698 existing SPOE filter. If not engine name is provided on the SPOE filter line,
11699 the SPOE agent name must be used.
11700
11701 <engine-name> The SPOE engine name.
11702
11703 <group-name> The SPOE group name as specified in the engine configuration.
11704
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011705 See section 7 about ACL usage.
11706
11707 See also : "tcp-request content", "tcp-response inspect-delay"
11708
11709
Willy Tarreau4f614292016-10-21 17:49:36 +020011710tcp-request session <action> [{if | unless} <condition>]
11711 Perform an action on a validated session depending on a layer 5 condition
11712 May be used in sections : defaults | frontend | listen | backend
11713 no | yes | yes | no
11714 Arguments :
11715 <action> defines the action to perform if the condition applies. See
11716 below.
11717
11718 <condition> is a standard layer5-only ACL-based condition (see section 7).
11719
Davor Ocelice9ed2812017-12-25 17:49:28 +010011720 Once a session is validated, (i.e. after all handshakes have been completed),
Willy Tarreau4f614292016-10-21 17:49:36 +020011721 it is possible to evaluate some conditions to decide whether this session
11722 must be accepted or dropped or have its counters tracked. Those conditions
11723 cannot make use of any data contents because no buffers are allocated yet and
11724 the processing cannot wait at this stage. The main use case it to copy some
11725 early information into variables (since variables are accessible in the
11726 session), or to keep track of some information collected after the handshake,
11727 such as SSL-level elements (SNI, ciphers, client cert's CN) or information
Davor Ocelice9ed2812017-12-25 17:49:28 +010011728 from the PROXY protocol header (e.g. track a source forwarded this way). The
Willy Tarreau4f614292016-10-21 17:49:36 +020011729 extracted information can thus be copied to a variable or tracked using
11730 "track-sc" rules. Of course it is also possible to decide to accept/reject as
11731 with other rulesets. Most operations performed here could also be performed
11732 in "tcp-request content" rules, except that in HTTP these rules are evaluated
11733 for each new request, and that might not always be acceptable. For example a
11734 rule might increment a counter on each evaluation. It would also be possible
11735 that a country is resolved by geolocation from the source IP address,
11736 assigned to a session-wide variable, then the source address rewritten from
11737 an HTTP header for all requests. If some contents need to be inspected in
11738 order to take the decision, the "tcp-request content" statements must be used
11739 instead.
11740
11741 The "tcp-request session" rules are evaluated in their exact declaration
11742 order. If no rule matches or if there is no rule, the default action is to
11743 accept the incoming session. There is no specific limit to the number of
11744 rules which may be inserted.
11745
11746 Several types of actions are supported :
11747 - accept : the request is accepted
11748 - reject : the request is rejected and the connection is closed
11749 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
11750 - sc-inc-gpc0(<sc-id>)
Frédéric Lécaille6778b272018-01-29 15:22:53 +010011751 - sc-inc-gpc1(<sc-id>)
Cédric Dufour0d7712d2019-11-06 18:38:53 +010011752 - sc-set-gpt0(<sc-id>) { <int> | <expr> }
Willy Tarreau4f614292016-10-21 17:49:36 +020011753 - set-var(<var-name>) <expr>
Christopher Faulet85d79c92016-11-09 16:54:56 +010011754 - unset-var(<var-name>)
Willy Tarreau4f614292016-10-21 17:49:36 +020011755 - silent-drop
11756
11757 These actions have the same meaning as their respective counter-parts in
11758 "tcp-request connection" and "tcp-request content", so please refer to these
11759 sections for a complete description.
11760
11761 Note that the "if/unless" condition is optional. If no condition is set on
11762 the action, it is simply performed unconditionally. That can be useful for
11763 "track-sc*" actions as well as for changing the default action to a reject.
11764
11765 Example: track the original source address by default, or the one advertised
11766 in the PROXY protocol header for connection coming from the local
11767 proxies. The first connection-level rule enables receipt of the
11768 PROXY protocol for these ones, the second rule tracks whatever
11769 address we decide to keep after optional decoding.
11770
11771 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
11772 tcp-request session track-sc0 src
11773
11774 Example: accept all sessions from white-listed hosts, reject too fast
11775 sessions without counting them, and track accepted sessions.
11776 This results in session rate being capped from abusive sources.
11777
11778 tcp-request session accept if { src -f /etc/haproxy/whitelist.lst }
11779 tcp-request session reject if { src_sess_rate gt 10 }
11780 tcp-request session track-sc0 src
11781
11782 Example: accept all sessions from white-listed hosts, count all other
11783 sessions and reject too fast ones. This results in abusive ones
11784 being blocked as long as they don't slow down.
11785
11786 tcp-request session accept if { src -f /etc/haproxy/whitelist.lst }
11787 tcp-request session track-sc0 src
11788 tcp-request session reject if { sc0_sess_rate gt 10 }
11789
11790 See section 7 about ACL usage.
11791
11792 See also : "tcp-request connection", "tcp-request content", "stick-table"
11793
11794
Emeric Brun0a3b67f2010-09-24 15:34:53 +020011795tcp-response inspect-delay <timeout>
11796 Set the maximum allowed time to wait for a response during content inspection
11797 May be used in sections : defaults | frontend | listen | backend
11798 no | no | yes | yes
11799 Arguments :
11800 <timeout> is the timeout value specified in milliseconds by default, but
11801 can be in any other unit if the number is suffixed by the unit,
11802 as explained at the top of this document.
11803
11804 See also : "tcp-response content", "tcp-request inspect-delay".
11805
11806
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010011807timeout check <timeout>
11808 Set additional check timeout, but only after a connection has been already
11809 established.
11810
11811 May be used in sections: defaults | frontend | listen | backend
11812 yes | no | yes | yes
11813 Arguments:
11814 <timeout> is the timeout value specified in milliseconds by default, but
11815 can be in any other unit if the number is suffixed by the unit,
11816 as explained at the top of this document.
11817
11818 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
11819 for check and "timeout check" as an additional read timeout. The "min" is
Davor Ocelice9ed2812017-12-25 17:49:28 +010011820 used so that people running with *very* long "timeout connect" (e.g. those
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010011821 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +010011822 (Please also note that there is no valid reason to have such long connect
11823 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
11824 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010011825
11826 If "timeout check" is not set haproxy uses "inter" for complete check
11827 timeout (connect + read) exactly like all <1.3.15 version.
11828
11829 In most cases check request is much simpler and faster to handle than normal
11830 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +010011831 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010011832
11833 This parameter is specific to backends, but can be specified once for all in
11834 "defaults" sections. This is in fact one of the easiest solutions not to
11835 forget about it.
11836
Willy Tarreau41a340d2008-01-22 12:25:31 +010011837 See also: "timeout connect", "timeout queue", "timeout server",
11838 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010011839
11840
Willy Tarreau0ba27502007-12-24 16:55:16 +010011841timeout client <timeout>
Willy Tarreau0ba27502007-12-24 16:55:16 +010011842 Set the maximum inactivity time on the client side.
11843 May be used in sections : defaults | frontend | listen | backend
11844 yes | yes | yes | no
11845 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +010011846 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +010011847 can be in any other unit if the number is suffixed by the unit,
11848 as explained at the top of this document.
11849
11850 The inactivity timeout applies when the client is expected to acknowledge or
11851 send data. In HTTP mode, this timeout is particularly important to consider
11852 during the first phase, when the client sends the request, and during the
Baptiste Assmann2e1941e2016-03-06 23:24:12 +010011853 response while it is reading data sent by the server. That said, for the
11854 first phase, it is preferable to set the "timeout http-request" to better
11855 protect HAProxy from Slowloris like attacks. The value is specified in
11856 milliseconds by default, but can be in any other unit if the number is
Willy Tarreau0ba27502007-12-24 16:55:16 +010011857 suffixed by the unit, as specified at the top of this document. In TCP mode
11858 (and to a lesser extent, in HTTP mode), it is highly recommended that the
11859 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010011860 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +010011861 losses by specifying timeouts that are slightly above multiples of 3 seconds
Davor Ocelice9ed2812017-12-25 17:49:28 +010011862 (e.g. 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
11863 sessions (e.g. WebSocket and HTTP), it's worth considering "timeout tunnel",
Willy Tarreau05cdd962014-05-10 14:30:07 +020011864 which overrides "timeout client" and "timeout server" for tunnels, as well as
11865 "timeout client-fin" for half-closed connections.
Willy Tarreau0ba27502007-12-24 16:55:16 +010011866
11867 This parameter is specific to frontends, but can be specified once for all in
11868 "defaults" sections. This is in fact one of the easiest solutions not to
11869 forget about it. An unspecified timeout results in an infinite timeout, which
11870 is not recommended. Such a usage is accepted and works but reports a warning
John Roeslerfb2fce12019-07-10 15:45:51 -050011871 during startup because it may result in accumulation of expired sessions in
Willy Tarreau0ba27502007-12-24 16:55:16 +010011872 the system if the system's timeouts are not configured either.
11873
Willy Tarreau95c4e142017-11-26 12:18:55 +010011874 This also applies to HTTP/2 connections, which will be closed with GOAWAY.
Lukas Tribus75df9d72017-11-24 19:05:12 +010011875
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020011876 See also : "timeout server", "timeout tunnel", "timeout http-request".
Willy Tarreau0ba27502007-12-24 16:55:16 +010011877
Willy Tarreau0ba27502007-12-24 16:55:16 +010011878
Willy Tarreau05cdd962014-05-10 14:30:07 +020011879timeout client-fin <timeout>
11880 Set the inactivity timeout on the client side for half-closed connections.
11881 May be used in sections : defaults | frontend | listen | backend
11882 yes | yes | yes | no
11883 Arguments :
11884 <timeout> is the timeout value specified in milliseconds by default, but
11885 can be in any other unit if the number is suffixed by the unit,
11886 as explained at the top of this document.
11887
11888 The inactivity timeout applies when the client is expected to acknowledge or
11889 send data while one direction is already shut down. This timeout is different
11890 from "timeout client" in that it only applies to connections which are closed
11891 in one direction. This is particularly useful to avoid keeping connections in
11892 FIN_WAIT state for too long when clients do not disconnect cleanly. This
11893 problem is particularly common long connections such as RDP or WebSocket.
11894 Note that this timeout can override "timeout tunnel" when a connection shuts
Willy Tarreau599391a2017-11-24 10:16:00 +010011895 down in one direction. It is applied to idle HTTP/2 connections once a GOAWAY
11896 frame was sent, often indicating an expectation that the connection quickly
11897 ends.
Willy Tarreau05cdd962014-05-10 14:30:07 +020011898
11899 This parameter is specific to frontends, but can be specified once for all in
11900 "defaults" sections. By default it is not set, so half-closed connections
11901 will use the other timeouts (timeout.client or timeout.tunnel).
11902
11903 See also : "timeout client", "timeout server-fin", and "timeout tunnel".
11904
11905
Willy Tarreau0ba27502007-12-24 16:55:16 +010011906timeout connect <timeout>
Willy Tarreau0ba27502007-12-24 16:55:16 +010011907 Set the maximum time to wait for a connection attempt to a server to succeed.
11908 May be used in sections : defaults | frontend | listen | backend
11909 yes | no | yes | yes
11910 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +010011911 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +010011912 can be in any other unit if the number is suffixed by the unit,
11913 as explained at the top of this document.
11914
11915 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010011916 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +010011917 cover one or several TCP packet losses by specifying timeouts that are
Davor Ocelice9ed2812017-12-25 17:49:28 +010011918 slightly above multiples of 3 seconds (e.g. 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010011919 connect timeout also presets both queue and tarpit timeouts to the same value
11920 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +010011921
11922 This parameter is specific to backends, but can be specified once for all in
11923 "defaults" sections. This is in fact one of the easiest solutions not to
11924 forget about it. An unspecified timeout results in an infinite timeout, which
11925 is not recommended. Such a usage is accepted and works but reports a warning
John Roeslerfb2fce12019-07-10 15:45:51 -050011926 during startup because it may result in accumulation of failed sessions in
Willy Tarreau0ba27502007-12-24 16:55:16 +010011927 the system if the system's timeouts are not configured either.
11928
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020011929 See also: "timeout check", "timeout queue", "timeout server", "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +010011930
Willy Tarreau0ba27502007-12-24 16:55:16 +010011931
Willy Tarreaub16a5742010-01-10 14:46:16 +010011932timeout http-keep-alive <timeout>
11933 Set the maximum allowed time to wait for a new HTTP request to appear
11934 May be used in sections : defaults | frontend | listen | backend
11935 yes | yes | yes | yes
11936 Arguments :
11937 <timeout> is the timeout value specified in milliseconds by default, but
11938 can be in any other unit if the number is suffixed by the unit,
11939 as explained at the top of this document.
11940
11941 By default, the time to wait for a new request in case of keep-alive is set
11942 by "timeout http-request". However this is not always convenient because some
11943 people want very short keep-alive timeouts in order to release connections
11944 faster, and others prefer to have larger ones but still have short timeouts
11945 once the request has started to present itself.
11946
11947 The "http-keep-alive" timeout covers these needs. It will define how long to
11948 wait for a new HTTP request to start coming after a response was sent. Once
11949 the first byte of request has been seen, the "http-request" timeout is used
11950 to wait for the complete request to come. Note that empty lines prior to a
11951 new request do not refresh the timeout and are not counted as a new request.
11952
11953 There is also another difference between the two timeouts : when a connection
11954 expires during timeout http-keep-alive, no error is returned, the connection
11955 just closes. If the connection expires in "http-request" while waiting for a
11956 connection to complete, a HTTP 408 error is returned.
11957
11958 In general it is optimal to set this value to a few tens to hundreds of
11959 milliseconds, to allow users to fetch all objects of a page at once but
Davor Ocelice9ed2812017-12-25 17:49:28 +010011960 without waiting for further clicks. Also, if set to a very small value (e.g.
Willy Tarreaub16a5742010-01-10 14:46:16 +010011961 1 millisecond) it will probably only accept pipelined requests but not the
11962 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +020011963 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +010011964
11965 If this parameter is not set, the "http-request" timeout applies, and if both
11966 are not set, "timeout client" still applies at the lower level. It should be
11967 set in the frontend to take effect, unless the frontend is in TCP mode, in
11968 which case the HTTP backend's timeout will be used.
11969
Willy Tarreau95c4e142017-11-26 12:18:55 +010011970 When using HTTP/2 "timeout client" is applied instead. This is so we can keep
11971 using short keep-alive timeouts in HTTP/1.1 while using longer ones in HTTP/2
Lukas Tribus75df9d72017-11-24 19:05:12 +010011972 (where we only have one connection per client and a connection setup).
11973
Willy Tarreaub16a5742010-01-10 14:46:16 +010011974 See also : "timeout http-request", "timeout client".
11975
11976
Willy Tarreau036fae02008-01-06 13:24:40 +010011977timeout http-request <timeout>
11978 Set the maximum allowed time to wait for a complete HTTP request
11979 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +020011980 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +010011981 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +010011982 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +010011983 can be in any other unit if the number is suffixed by the unit,
11984 as explained at the top of this document.
11985
11986 In order to offer DoS protection, it may be required to lower the maximum
11987 accepted time to receive a complete HTTP request without affecting the client
11988 timeout. This helps protecting against established connections on which
11989 nothing is sent. The client timeout cannot offer a good protection against
11990 this abuse because it is an inactivity timeout, which means that if the
11991 attacker sends one character every now and then, the timeout will not
11992 trigger. With the HTTP request timeout, no matter what speed the client
Willy Tarreau2705a612014-05-23 17:38:34 +020011993 types, the request will be aborted if it does not complete in time. When the
11994 timeout expires, an HTTP 408 response is sent to the client to inform it
11995 about the problem, and the connection is closed. The logs will report
11996 termination codes "cR". Some recent browsers are having problems with this
Davor Ocelice9ed2812017-12-25 17:49:28 +010011997 standard, well-documented behavior, so it might be needed to hide the 408
Willy Tarreau0f228a02015-05-01 15:37:53 +020011998 code using "option http-ignore-probes" or "errorfile 408 /dev/null". See
11999 more details in the explanations of the "cR" termination code in section 8.5.
Willy Tarreau036fae02008-01-06 13:24:40 +010012000
Baptiste Assmanneccdf432015-10-28 13:49:01 +010012001 By default, this timeout only applies to the header part of the request,
12002 and not to any data. As soon as the empty line is received, this timeout is
12003 not used anymore. When combined with "option http-buffer-request", this
12004 timeout also applies to the body of the request..
12005 It is used again on keep-alive connections to wait for a second
Willy Tarreaub16a5742010-01-10 14:46:16 +010012006 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +010012007
12008 Generally it is enough to set it to a few seconds, as most clients send the
12009 full request immediately upon connection. Add 3 or more seconds to cover TCP
Davor Ocelice9ed2812017-12-25 17:49:28 +010012010 retransmits but that's all. Setting it to very low values (e.g. 50 ms) will
Willy Tarreau036fae02008-01-06 13:24:40 +010012011 generally work on local networks as long as there are no packet losses. This
12012 will prevent people from sending bare HTTP requests using telnet.
12013
12014 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +020012015 chunk of the incoming request. It should be set in the frontend to take
12016 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
12017 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +010012018
Willy Tarreau0f228a02015-05-01 15:37:53 +020012019 See also : "errorfile", "http-ignore-probes", "timeout http-keep-alive", and
Baptiste Assmanneccdf432015-10-28 13:49:01 +010012020 "timeout client", "option http-buffer-request".
Willy Tarreau036fae02008-01-06 13:24:40 +010012021
Willy Tarreau844e3c52008-01-11 16:28:18 +010012022
12023timeout queue <timeout>
12024 Set the maximum time to wait in the queue for a connection slot to be free
12025 May be used in sections : defaults | frontend | listen | backend
12026 yes | no | yes | yes
12027 Arguments :
12028 <timeout> is the timeout value specified in milliseconds by default, but
12029 can be in any other unit if the number is suffixed by the unit,
12030 as explained at the top of this document.
12031
12032 When a server's maxconn is reached, connections are left pending in a queue
12033 which may be server-specific or global to the backend. In order not to wait
12034 indefinitely, a timeout is applied to requests pending in the queue. If the
12035 timeout is reached, it is considered that the request will almost never be
12036 served, so it is dropped and a 503 error is returned to the client.
12037
12038 The "timeout queue" statement allows to fix the maximum time for a request to
12039 be left pending in a queue. If unspecified, the same value as the backend's
12040 connection timeout ("timeout connect") is used, for backwards compatibility
12041 with older versions with no "timeout queue" parameter.
12042
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020012043 See also : "timeout connect".
Willy Tarreau844e3c52008-01-11 16:28:18 +010012044
12045
12046timeout server <timeout>
Willy Tarreau844e3c52008-01-11 16:28:18 +010012047 Set the maximum inactivity time on the server side.
12048 May be used in sections : defaults | frontend | listen | backend
12049 yes | no | yes | yes
12050 Arguments :
12051 <timeout> is the timeout value specified in milliseconds by default, but
12052 can be in any other unit if the number is suffixed by the unit,
12053 as explained at the top of this document.
12054
12055 The inactivity timeout applies when the server is expected to acknowledge or
12056 send data. In HTTP mode, this timeout is particularly important to consider
12057 during the first phase of the server's response, when it has to send the
12058 headers, as it directly represents the server's processing time for the
12059 request. To find out what value to put there, it's often good to start with
12060 what would be considered as unacceptable response times, then check the logs
12061 to observe the response time distribution, and adjust the value accordingly.
12062
12063 The value is specified in milliseconds by default, but can be in any other
12064 unit if the number is suffixed by the unit, as specified at the top of this
12065 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
12066 recommended that the client timeout remains equal to the server timeout in
12067 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010012068 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +010012069 packet losses by specifying timeouts that are slightly above multiples of 3
Davor Ocelice9ed2812017-12-25 17:49:28 +010012070 seconds (e.g. 4 or 5 seconds minimum). If some long-lived sessions are mixed
12071 with short-lived sessions (e.g. WebSocket and HTTP), it's worth considering
Willy Tarreauce887fd2012-05-12 12:50:00 +020012072 "timeout tunnel", which overrides "timeout client" and "timeout server" for
12073 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012074
12075 This parameter is specific to backends, but can be specified once for all in
12076 "defaults" sections. This is in fact one of the easiest solutions not to
12077 forget about it. An unspecified timeout results in an infinite timeout, which
12078 is not recommended. Such a usage is accepted and works but reports a warning
John Roeslerfb2fce12019-07-10 15:45:51 -050012079 during startup because it may result in accumulation of expired sessions in
Willy Tarreau844e3c52008-01-11 16:28:18 +010012080 the system if the system's timeouts are not configured either.
12081
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020012082 See also : "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +010012083
Willy Tarreau05cdd962014-05-10 14:30:07 +020012084
12085timeout server-fin <timeout>
12086 Set the inactivity timeout on the server side for half-closed connections.
12087 May be used in sections : defaults | frontend | listen | backend
12088 yes | no | yes | yes
12089 Arguments :
12090 <timeout> is the timeout value specified in milliseconds by default, but
12091 can be in any other unit if the number is suffixed by the unit,
12092 as explained at the top of this document.
12093
12094 The inactivity timeout applies when the server is expected to acknowledge or
12095 send data while one direction is already shut down. This timeout is different
12096 from "timeout server" in that it only applies to connections which are closed
12097 in one direction. This is particularly useful to avoid keeping connections in
12098 FIN_WAIT state for too long when a remote server does not disconnect cleanly.
12099 This problem is particularly common long connections such as RDP or WebSocket.
12100 Note that this timeout can override "timeout tunnel" when a connection shuts
12101 down in one direction. This setting was provided for completeness, but in most
12102 situations, it should not be needed.
12103
12104 This parameter is specific to backends, but can be specified once for all in
12105 "defaults" sections. By default it is not set, so half-closed connections
12106 will use the other timeouts (timeout.server or timeout.tunnel).
12107
12108 See also : "timeout client-fin", "timeout server", and "timeout tunnel".
12109
Willy Tarreau844e3c52008-01-11 16:28:18 +010012110
12111timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +010012112 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +010012113 May be used in sections : defaults | frontend | listen | backend
12114 yes | yes | yes | yes
12115 Arguments :
12116 <timeout> is the tarpit duration specified in milliseconds by default, but
12117 can be in any other unit if the number is suffixed by the unit,
12118 as explained at the top of this document.
12119
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020012120 When a connection is tarpitted using "http-request tarpit", it is maintained
12121 open with no activity for a certain amount of time, then closed. "timeout
12122 tarpit" defines how long it will be maintained open.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012123
12124 The value is specified in milliseconds by default, but can be in any other
12125 unit if the number is suffixed by the unit, as specified at the top of this
12126 document. If unspecified, the same value as the backend's connection timeout
12127 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +010012128 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012129
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020012130 See also : "timeout connect".
Willy Tarreau844e3c52008-01-11 16:28:18 +010012131
12132
Willy Tarreauce887fd2012-05-12 12:50:00 +020012133timeout tunnel <timeout>
12134 Set the maximum inactivity time on the client and server side for tunnels.
12135 May be used in sections : defaults | frontend | listen | backend
12136 yes | no | yes | yes
12137 Arguments :
12138 <timeout> is the timeout value specified in milliseconds by default, but
12139 can be in any other unit if the number is suffixed by the unit,
12140 as explained at the top of this document.
12141
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012142 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +020012143 between a client and a server, and the connection remains inactive in both
12144 directions. This timeout supersedes both the client and server timeouts once
12145 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
Davor Ocelice9ed2812017-12-25 17:49:28 +010012146 analyzer remains attached to either connection (e.g. tcp content rules are
12147 accepted). In HTTP, this timeout is used when a connection is upgraded (e.g.
Willy Tarreauce887fd2012-05-12 12:50:00 +020012148 when switching to the WebSocket protocol, or forwarding a CONNECT request
12149 to a proxy), or after the first response when no keepalive/close option is
12150 specified.
12151
Willy Tarreau05cdd962014-05-10 14:30:07 +020012152 Since this timeout is usually used in conjunction with long-lived connections,
12153 it usually is a good idea to also set "timeout client-fin" to handle the
12154 situation where a client suddenly disappears from the net and does not
12155 acknowledge a close, or sends a shutdown and does not acknowledge pending
12156 data anymore. This can happen in lossy networks where firewalls are present,
12157 and is detected by the presence of large amounts of sessions in a FIN_WAIT
12158 state.
12159
Willy Tarreauce887fd2012-05-12 12:50:00 +020012160 The value is specified in milliseconds by default, but can be in any other
12161 unit if the number is suffixed by the unit, as specified at the top of this
12162 document. Whatever the expected normal idle time, it is a good practice to
12163 cover at least one or several TCP packet losses by specifying timeouts that
Davor Ocelice9ed2812017-12-25 17:49:28 +010012164 are slightly above multiples of 3 seconds (e.g. 4 or 5 seconds minimum).
Willy Tarreauce887fd2012-05-12 12:50:00 +020012165
12166 This parameter is specific to backends, but can be specified once for all in
12167 "defaults" sections. This is in fact one of the easiest solutions not to
12168 forget about it.
12169
12170 Example :
12171 defaults http
12172 option http-server-close
12173 timeout connect 5s
12174 timeout client 30s
Willy Tarreau05cdd962014-05-10 14:30:07 +020012175 timeout client-fin 30s
Willy Tarreauce887fd2012-05-12 12:50:00 +020012176 timeout server 30s
12177 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
12178
Willy Tarreau05cdd962014-05-10 14:30:07 +020012179 See also : "timeout client", "timeout client-fin", "timeout server".
Willy Tarreauce887fd2012-05-12 12:50:00 +020012180
12181
Willy Tarreau844e3c52008-01-11 16:28:18 +010012182transparent (deprecated)
12183 Enable client-side transparent proxying
12184 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +010012185 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +010012186 Arguments : none
12187
12188 This keyword was introduced in order to provide layer 7 persistence to layer
12189 3 load balancers. The idea is to use the OS's ability to redirect an incoming
12190 connection for a remote address to a local process (here HAProxy), and let
12191 this process know what address was initially requested. When this option is
12192 used, sessions without cookies will be forwarded to the original destination
12193 IP address of the incoming request (which should match that of another
12194 equipment), while requests with cookies will still be forwarded to the
12195 appropriate server.
12196
12197 The "transparent" keyword is deprecated, use "option transparent" instead.
12198
12199 Note that contrary to a common belief, this option does NOT make HAProxy
12200 present the client's IP to the server when establishing the connection.
12201
Willy Tarreau844e3c52008-01-11 16:28:18 +010012202 See also: "option transparent"
12203
William Lallemanda73203e2012-03-12 12:48:57 +010012204unique-id-format <string>
12205 Generate a unique ID for each request.
12206 May be used in sections : defaults | frontend | listen | backend
12207 yes | yes | yes | no
12208 Arguments :
12209 <string> is a log-format string.
12210
Cyril Bonté108cf6e2012-04-21 23:30:29 +020012211 This keyword creates a ID for each request using the custom log format. A
12212 unique ID is useful to trace a request passing through many components of
12213 a complex infrastructure. The newly created ID may also be logged using the
12214 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +010012215
Cyril Bonté108cf6e2012-04-21 23:30:29 +020012216 The format should be composed from elements that are guaranteed to be
12217 unique when combined together. For instance, if multiple haproxy instances
12218 are involved, it might be important to include the node name. It is often
12219 needed to log the incoming connection's source and destination addresses
12220 and ports. Note that since multiple requests may be performed over the same
12221 connection, including a request counter may help differentiate them.
12222 Similarly, a timestamp may protect against a rollover of the counter.
12223 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +010012224
Cyril Bonté108cf6e2012-04-21 23:30:29 +020012225 It is recommended to use hexadecimal notation for many fields since it
12226 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +010012227
Cyril Bonté108cf6e2012-04-21 23:30:29 +020012228 Example:
William Lallemanda73203e2012-03-12 12:48:57 +010012229
Julien Vehentf21be322014-03-07 08:27:34 -050012230 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +010012231
12232 will generate:
12233
12234 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
12235
12236 See also: "unique-id-header"
12237
12238unique-id-header <name>
12239 Add a unique ID header in the HTTP request.
12240 May be used in sections : defaults | frontend | listen | backend
12241 yes | yes | yes | no
12242 Arguments :
12243 <name> is the name of the header.
12244
Cyril Bonté108cf6e2012-04-21 23:30:29 +020012245 Add a unique-id header in the HTTP request sent to the server, using the
12246 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +010012247
Cyril Bonté108cf6e2012-04-21 23:30:29 +020012248 Example:
William Lallemanda73203e2012-03-12 12:48:57 +010012249
Julien Vehentf21be322014-03-07 08:27:34 -050012250 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +010012251 unique-id-header X-Unique-ID
12252
12253 will generate:
12254
12255 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
12256
12257 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +010012258
Willy Tarreauf51658d2014-04-23 01:21:56 +020012259use_backend <backend> [{if | unless} <condition>]
Willy Tarreau1d0dfb12009-07-07 15:10:31 +020012260 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012261 May be used in sections : defaults | frontend | listen | backend
12262 no | yes | yes | no
12263 Arguments :
Bertrand Jacquin702d44f2013-11-19 11:43:06 +010012264 <backend> is the name of a valid backend or "listen" section, or a
12265 "log-format" string resolving to a backend name.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012266
Willy Tarreauf51658d2014-04-23 01:21:56 +020012267 <condition> is a condition composed of ACLs, as described in section 7. If
12268 it is omitted, the rule is unconditionally applied.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012269
12270 When doing content-switching, connections arrive on a frontend and are then
12271 dispatched to various backends depending on a number of conditions. The
12272 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +020012273 "use_backend" keyword. While it is normally used with HTTP processing, it can
Davor Ocelice9ed2812017-12-25 17:49:28 +010012274 also be used in pure TCP, either without content using stateless ACLs (e.g.
Willy Tarreau1d0dfb12009-07-07 15:10:31 +020012275 source address validation) or combined with a "tcp-request" rule to wait for
12276 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012277
12278 There may be as many "use_backend" rules as desired. All of these rules are
12279 evaluated in their declaration order, and the first one which matches will
12280 assign the backend.
12281
12282 In the first form, the backend will be used if the condition is met. In the
12283 second form, the backend will be used if the condition is not met. If no
12284 condition is valid, the backend defined with "default_backend" will be used.
12285 If no default backend is defined, either the servers in the same section are
12286 used (in case of a "listen" section) or, in case of a frontend, no server is
12287 used and a 503 service unavailable response is returned.
12288
Willy Tarreau51aecc72009-07-12 09:47:04 +020012289 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012290 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +020012291 and backend processing will immediately follow, or the backend will wait for
12292 a complete HTTP request to get in. This feature is useful when a frontend
12293 must decode several protocols on a unique port, one of them being HTTP.
12294
Bertrand Jacquin702d44f2013-11-19 11:43:06 +010012295 When <backend> is a simple name, it is resolved at configuration time, and an
12296 error is reported if the specified backend does not exist. If <backend> is
12297 a log-format string instead, no check may be done at configuration time, so
12298 the backend name is resolved dynamically at run time. If the resulting
12299 backend name does not correspond to any valid backend, no other rule is
12300 evaluated, and the default_backend directive is applied instead. Note that
12301 when using dynamic backend names, it is highly recommended to use a prefix
12302 that no other backend uses in order to ensure that an unauthorized backend
12303 cannot be forced from the request.
12304
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012305 It is worth mentioning that "use_backend" rules with an explicit name are
Bertrand Jacquin702d44f2013-11-19 11:43:06 +010012306 used to detect the association between frontends and backends to compute the
12307 backend's "fullconn" setting. This cannot be done for dynamic names.
12308
12309 See also: "default_backend", "tcp-request", "fullconn", "log-format", and
12310 section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +010012311
Christopher Fauletb30b3102019-09-12 23:03:09 +020012312use-fcgi-app <name>
12313 Defines the FastCGI application to use for the backend.
12314 May be used in sections : defaults | frontend | listen | backend
12315 no | no | yes | yes
12316 Arguments :
12317 <name> is the name of the FastCGI application to use.
12318
12319 See section 10.1 about FastCGI application setup for details.
Willy Tarreau036fae02008-01-06 13:24:40 +010012320
Willy Tarreau4a5cade2012-04-05 21:09:48 +020012321use-server <server> if <condition>
12322use-server <server> unless <condition>
12323 Only use a specific server if/unless an ACL-based condition is matched.
12324 May be used in sections : defaults | frontend | listen | backend
12325 no | no | yes | yes
12326 Arguments :
Jerome Magnin824186b2020-03-29 09:37:12 +020012327 <server> is the name of a valid server in the same backend section
12328 or a "log-format" string resolving to a server name.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020012329
12330 <condition> is a condition composed of ACLs, as described in section 7.
12331
12332 By default, connections which arrive to a backend are load-balanced across
12333 the available servers according to the configured algorithm, unless a
12334 persistence mechanism such as a cookie is used and found in the request.
12335
12336 Sometimes it is desirable to forward a particular request to a specific
12337 server without having to declare a dedicated backend for this server. This
12338 can be achieved using the "use-server" rules. These rules are evaluated after
12339 the "redirect" rules and before evaluating cookies, and they have precedence
12340 on them. There may be as many "use-server" rules as desired. All of these
12341 rules are evaluated in their declaration order, and the first one which
12342 matches will assign the server.
12343
12344 If a rule designates a server which is down, and "option persist" is not used
12345 and no force-persist rule was validated, it is ignored and evaluation goes on
12346 with the next rules until one matches.
12347
12348 In the first form, the server will be used if the condition is met. In the
12349 second form, the server will be used if the condition is not met. If no
12350 condition is valid, the processing continues and the server will be assigned
12351 according to other persistence mechanisms.
12352
12353 Note that even if a rule is matched, cookie processing is still performed but
12354 does not assign the server. This allows prefixed cookies to have their prefix
12355 stripped.
12356
12357 The "use-server" statement works both in HTTP and TCP mode. This makes it
12358 suitable for use with content-based inspection. For instance, a server could
Lukas Tribusa267b5d2020-07-19 00:25:06 +020012359 be selected in a farm according to the TLS SNI field when using protocols with
12360 implicit TLS (also see "req_ssl_sni"). And if these servers have their weight
12361 set to zero, they will not be used for other traffic.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020012362
12363 Example :
12364 # intercept incoming TLS requests based on the SNI field
12365 use-server www if { req_ssl_sni -i www.example.com }
12366 server www 192.168.0.1:443 weight 0
12367 use-server mail if { req_ssl_sni -i mail.example.com }
Lukas Tribusa267b5d2020-07-19 00:25:06 +020012368 server mail 192.168.0.1:465 weight 0
Willy Tarreau4a5cade2012-04-05 21:09:48 +020012369 use-server imap if { req_ssl_sni -i imap.example.com }
Lukas Tribus98a3e3f2017-03-26 12:55:35 +000012370 server imap 192.168.0.1:993 weight 0
Willy Tarreau4a5cade2012-04-05 21:09:48 +020012371 # all the rest is forwarded to this server
12372 server default 192.168.0.2:443 check
12373
Jerome Magnin824186b2020-03-29 09:37:12 +020012374 When <server> is a simple name, it is checked against existing servers in the
12375 configuration and an error is reported if the specified server does not exist.
12376 If it is a log-format, no check is performed when parsing the configuration,
12377 and if we can't resolve a valid server name at runtime but the use-server rule
Ilya Shipitsin11057a32020-06-21 21:18:27 +050012378 was conditioned by an ACL returning true, no other use-server rule is applied
Jerome Magnin824186b2020-03-29 09:37:12 +020012379 and we fall back to load balancing.
12380
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012381 See also: "use_backend", section 5 about server and section 7 about ACLs.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020012382
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012383
Davor Ocelice9ed2812017-12-25 17:49:28 +0100123845. Bind and server options
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012385--------------------------
12386
12387The "bind", "server" and "default-server" keywords support a number of settings
12388depending on some build options and on the system HAProxy was built on. These
12389settings generally each consist in one word sometimes followed by a value,
12390written on the same line as the "bind" or "server" line. All these options are
12391described in this section.
12392
12393
123945.1. Bind options
12395-----------------
12396
12397The "bind" keyword supports a certain number of settings which are all passed
12398as arguments on the same line. The order in which those arguments appear makes
12399no importance, provided that they appear after the bind address. All of these
12400parameters are optional. Some of them consist in a single words (booleans),
12401while other ones expect a value after them. In this case, the value must be
12402provided immediately after the setting name.
12403
12404The currently supported settings are the following ones.
12405
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010012406accept-netscaler-cip <magic number>
12407 Enforces the use of the NetScaler Client IP insertion protocol over any
12408 connection accepted by any of the TCP sockets declared on the same line. The
12409 NetScaler Client IP insertion protocol dictates the layer 3/4 addresses of
12410 the incoming connection to be used everywhere an address is used, with the
12411 only exception of "tcp-request connection" rules which will only see the
12412 real connection address. Logs will reflect the addresses indicated in the
12413 protocol, unless it is violated, in which case the real address will still
12414 be used. This keyword combined with support from external components can be
12415 used as an efficient and reliable alternative to the X-Forwarded-For
Bertrand Jacquin90759682016-06-06 15:35:39 +010012416 mechanism which is not always reliable and not even always usable. See also
12417 "tcp-request connection expect-netscaler-cip" for a finer-grained setting of
12418 which client is allowed to use the protocol.
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010012419
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012420accept-proxy
12421 Enforces the use of the PROXY protocol over any connection accepted by any of
Willy Tarreau77992672014-06-14 11:06:17 +020012422 the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
12423 are supported and correctly detected. The PROXY protocol dictates the layer
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012424 3/4 addresses of the incoming connection to be used everywhere an address is
12425 used, with the only exception of "tcp-request connection" rules which will
12426 only see the real connection address. Logs will reflect the addresses
12427 indicated in the protocol, unless it is violated, in which case the real
Davor Ocelice9ed2812017-12-25 17:49:28 +010012428 address will still be used. This keyword combined with support from external
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012429 components can be used as an efficient and reliable alternative to the
12430 X-Forwarded-For mechanism which is not always reliable and not even always
Willy Tarreau4f0d9192013-06-11 20:40:55 +020012431 usable. See also "tcp-request connection expect-proxy" for a finer-grained
12432 setting of which client is allowed to use the protocol.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012433
Olivier Houchardc2aae742017-09-22 18:26:28 +020012434allow-0rtt
Bertrand Jacquina25282b2018-08-14 00:56:13 +010012435 Allow receiving early data when using TLSv1.3. This is disabled by default,
Olivier Houchard69752962019-01-08 15:35:32 +010012436 due to security considerations. Because it is vulnerable to replay attacks,
John Roeslerfb2fce12019-07-10 15:45:51 -050012437 you should only allow if for requests that are safe to replay, i.e. requests
Olivier Houchard69752962019-01-08 15:35:32 +010012438 that are idempotent. You can use the "wait-for-handshake" action for any
12439 request that wouldn't be safe with early data.
Olivier Houchardc2aae742017-09-22 18:26:28 +020012440
Willy Tarreauab861d32013-04-02 02:30:41 +020012441alpn <protocols>
12442 This enables the TLS ALPN extension and advertises the specified protocol
12443 list as supported on top of ALPN. The protocol list consists in a comma-
12444 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
John Roeslerfb2fce12019-07-10 15:45:51 -050012445 quotes). This requires that the SSL library is built with support for TLS
Willy Tarreauab861d32013-04-02 02:30:41 +020012446 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
Willy Tarreau95c4e142017-11-26 12:18:55 +010012447 initial NPN extension. ALPN is required to enable HTTP/2 on an HTTP frontend.
12448 Versions of OpenSSL prior to 1.0.2 didn't support ALPN and only supposed the
12449 now obsolete NPN extension. At the time of writing this, most browsers still
12450 support both ALPN and NPN for HTTP/2 so a fallback to NPN may still work for
12451 a while. But ALPN must be used whenever possible. If both HTTP/2 and HTTP/1.1
12452 are expected to be supported, both versions can be advertised, in order of
12453 preference, like below :
12454
12455 bind :443 ssl crt pub.pem alpn h2,http/1.1
Willy Tarreauab861d32013-04-02 02:30:41 +020012456
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012457backlog <backlog>
Willy Tarreaue2711c72019-02-27 15:39:41 +010012458 Sets the socket's backlog to this value. If unspecified or 0, the frontend's
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012459 backlog is used instead, which generally defaults to the maxconn value.
12460
Emmanuel Hocdete7f2b732017-01-09 16:15:54 +010012461curves <curves>
12462 This setting is only available when support for OpenSSL was built in. It sets
12463 the string describing the list of elliptic curves algorithms ("curve suite")
12464 that are negotiated during the SSL/TLS handshake with ECDHE. The format of the
12465 string is a colon-delimited list of curve name.
12466 Example: "X25519:P-256" (without quote)
12467 When "curves" is set, "ecdhe" parameter is ignored.
12468
Emeric Brun7fb34422012-09-28 15:26:15 +020012469ecdhe <named curve>
12470 This setting is only available when support for OpenSSL was built in. It sets
Emeric Brun6924ef82013-03-06 14:08:53 +010012471 the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
12472 used named curve is prime256v1.
Emeric Brun7fb34422012-09-28 15:26:15 +020012473
Emeric Brunfd33a262012-10-11 16:28:27 +020012474ca-file <cafile>
Emeric Brun1a073b42012-09-28 17:07:34 +020012475 This setting is only available when support for OpenSSL was built in. It
12476 designates a PEM file from which to load CA certificates used to verify
12477 client's certificate.
12478
Emeric Brunb6dc9342012-09-28 17:55:37 +020012479ca-ignore-err [all|<errorID>,...]
12480 This setting is only available when support for OpenSSL was built in.
12481 Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
12482 If set to 'all', all errors are ignored. SSL handshake is not aborted if an
12483 error is ignored.
12484
Christopher Faulet31af49d2015-06-09 17:29:50 +020012485ca-sign-file <cafile>
12486 This setting is only available when support for OpenSSL was built in. It
12487 designates a PEM file containing both the CA certificate and the CA private
12488 key used to create and sign server's certificates. This is a mandatory
12489 setting when the dynamic generation of certificates is enabled. See
12490 'generate-certificates' for details.
12491
Bertrand Jacquind4d0a232016-11-13 16:37:12 +000012492ca-sign-pass <passphrase>
Christopher Faulet31af49d2015-06-09 17:29:50 +020012493 This setting is only available when support for OpenSSL was built in. It is
12494 the CA private key passphrase. This setting is optional and used only when
12495 the dynamic generation of certificates is enabled. See
12496 'generate-certificates' for details.
12497
Emmanuel Hocdet842e94e2019-12-16 16:39:17 +010012498ca-verify-file <cafile>
12499 This setting designates a PEM file from which to load CA certificates used to
12500 verify client's certificate. It designates CA certificates which must not be
12501 included in CA names sent in server hello message. Typically, "ca-file" must
12502 be defined with intermediate certificates, and "ca-verify-file" with
12503 certificates to ending the chain, like root CA.
12504
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012505ciphers <ciphers>
12506 This setting is only available when support for OpenSSL was built in. It sets
12507 the string describing the list of cipher algorithms ("cipher suite") that are
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +000012508 negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000012509 string is defined in "man 1 ciphers" from OpenSSL man pages. For background
Dirkjan Bussink415150f2018-09-14 11:14:21 +020012510 information and recommendations see e.g.
12511 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
12512 (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
12513 cipher configuration, please check the "ciphersuites" keyword.
12514
12515ciphersuites <ciphersuites>
12516 This setting is only available when support for OpenSSL was built in and
12517 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
12518 the list of cipher algorithms ("cipher suite") that are negotiated during the
12519 TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000012520 OpenSSL man pages under the "ciphersuites" section. For cipher configuration
12521 for TLSv1.2 and earlier, please check the "ciphers" keyword.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012522
Emeric Brunfd33a262012-10-11 16:28:27 +020012523crl-file <crlfile>
Emeric Brun1a073b42012-09-28 17:07:34 +020012524 This setting is only available when support for OpenSSL was built in. It
12525 designates a PEM file from which to load certificate revocation list used
12526 to verify client's certificate.
12527
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012528crt <cert>
Alex Davies0fbf0162013-03-02 16:04:50 +000012529 This setting is only available when support for OpenSSL was built in. It
12530 designates a PEM file containing both the required certificates and any
12531 associated private keys. This file can be built by concatenating multiple
12532 PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
12533 requires an intermediate certificate, this can also be concatenated into this
Emmanuel Hocdet70df7bf2019-01-04 11:08:20 +010012534 file. Intermediate certificate can also be shared in a directory via
12535 "issuers-chain-path" directive.
Alex Davies0fbf0162013-03-02 16:04:50 +000012536
William Lallemand4c5adbf2020-02-24 14:23:22 +010012537 If the file does not contain a private key, HAProxy will try to load
12538 the key at the same path suffixed by a ".key".
12539
Alex Davies0fbf0162013-03-02 16:04:50 +000012540 If the OpenSSL used supports Diffie-Hellman, parameters present in this file
12541 are loaded.
12542
12543 If a directory name is used instead of a PEM file, then all files found in
William Lallemand3f25ae32020-02-24 16:30:12 +010012544 that directory will be loaded in alphabetic order unless their name ends
12545 with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This
12546 directive may be specified multiple times in order to load certificates from
12547 multiple files or directories. The certificates will be presented to clients
12548 who provide a valid TLS Server Name Indication field matching one of their
12549 CN or alt subjects. Wildcards are supported, where a wildcard character '*'
12550 is used instead of the first hostname component (e.g. *.example.org matches
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +010012551 www.example.org but not www.sub.example.org).
Alex Davies0fbf0162013-03-02 16:04:50 +000012552
12553 If no SNI is provided by the client or if the SSL library does not support
12554 TLS extensions, or if the client provides an SNI hostname which does not
12555 match any certificate, then the first loaded certificate will be presented.
12556 This means that when loading certificates from a directory, it is highly
Cyril Bonté3180f7b2015-01-25 00:16:08 +010012557 recommended to load the default one first as a file or to ensure that it will
12558 always be the first one in the directory.
Alex Davies0fbf0162013-03-02 16:04:50 +000012559
Emeric Brune032bfa2012-09-28 13:01:45 +020012560 Note that the same cert may be loaded multiple times without side effects.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012561
Davor Ocelice9ed2812017-12-25 17:49:28 +010012562 Some CAs (such as GoDaddy) offer a drop down list of server types that do not
Alex Davies0fbf0162013-03-02 16:04:50 +000012563 include HAProxy when obtaining a certificate. If this happens be sure to
Davor Ocelice9ed2812017-12-25 17:49:28 +010012564 choose a web server that the CA believes requires an intermediate CA (for
12565 GoDaddy, selection Apache Tomcat will get the correct bundle, but many
Alex Davies0fbf0162013-03-02 16:04:50 +000012566 others, e.g. nginx, result in a wrong bundle that will not work for some
12567 clients).
12568
Emeric Brun4147b2e2014-06-16 18:36:30 +020012569 For each PEM file, haproxy checks for the presence of file at the same path
12570 suffixed by ".ocsp". If such file is found, support for the TLS Certificate
12571 Status Request extension (also known as "OCSP stapling") is automatically
12572 enabled. The content of this file is optional. If not empty, it must contain
12573 a valid OCSP Response in DER format. In order to be valid an OCSP Response
12574 must comply with the following rules: it has to indicate a good status,
12575 it has to be a single response for the certificate of the PEM file, and it
12576 has to be valid at the moment of addition. If these rules are not respected
12577 the OCSP Response is ignored and a warning is emitted. In order to identify
12578 which certificate an OCSP Response applies to, the issuer's certificate is
12579 necessary. If the issuer's certificate is not found in the PEM file, it will
12580 be loaded from a file at the same path as the PEM file suffixed by ".issuer"
12581 if it exists otherwise it will fail with an error.
12582
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +010012583 For each PEM file, haproxy also checks for the presence of file at the same
12584 path suffixed by ".sctl". If such file is found, support for Certificate
12585 Transparency (RFC6962) TLS extension is enabled. The file must contain a
12586 valid Signed Certificate Timestamp List, as described in RFC. File is parsed
12587 to check basic syntax, but no signatures are verified.
12588
yanbzhu6c25e9e2016-01-05 12:52:02 -050012589 There are cases where it is desirable to support multiple key types, e.g. RSA
12590 and ECDSA in the cipher suites offered to the clients. This allows clients
12591 that support EC certificates to be able to use EC ciphers, while
12592 simultaneously supporting older, RSA only clients.
yanbzhud19630c2015-12-14 15:10:25 -050012593
William Lallemandf9ff3ec2020-10-02 17:57:44 +020012594 To achieve this, OpenSSL 1.1.1 is required, you can configure this behavior
12595 by providing one crt entry per certificate type, or by configuring a "cert
12596 bundle" like it was required before HAProxy 1.8. See "ssl-load-extra-files".
yanbzhud19630c2015-12-14 15:10:25 -050012597
Emeric Brunb6dc9342012-09-28 17:55:37 +020012598crt-ignore-err <errors>
Alex Davies0fbf0162013-03-02 16:04:50 +000012599 This setting is only available when support for OpenSSL was built in. Sets a
Davor Ocelice9ed2812017-12-25 17:49:28 +010012600 comma separated list of errorIDs to ignore during verify at depth == 0. If
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012601 set to 'all', all errors are ignored. SSL handshake is not aborted if an error
Alex Davies0fbf0162013-03-02 16:04:50 +000012602 is ignored.
Emeric Brunb6dc9342012-09-28 17:55:37 +020012603
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010012604crt-list <file>
12605 This setting is only available when support for OpenSSL was built in. It
Emmanuel Hocdet98263292016-12-29 18:26:15 +010012606 designates a list of PEM file with an optional ssl configuration and a SNI
12607 filter per certificate, with the following format for each line :
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010012608
Emmanuel Hocdet98263292016-12-29 18:26:15 +010012609 <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
12610
William Lallemand5d036392020-06-30 16:11:36 +020012611 sslbindconf supports "allow-0rtt", "alpn", "ca-file", "ca-verify-file",
12612 "ciphers", "ciphersuites", "crl-file", "curves", "ecdhe", "no-ca-names",
12613 "npn", "verify" configuration. With BoringSSL and Openssl >= 1.1.1
12614 "ssl-min-ver" and "ssl-max-ver" are also supported. It overrides the
12615 configuration set in bind line for the certificate.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010012616
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +020012617 Wildcards are supported in the SNI filter. Negative filter are also supported,
12618 only useful in combination with a wildcard filter to exclude a particular SNI.
12619 The certificates will be presented to clients who provide a valid TLS Server
12620 Name Indication field matching one of the SNI filters. If no SNI filter is
12621 specified, the CN and alt subjects are used. This directive may be specified
12622 multiple times. See the "crt" option for more information. The default
12623 certificate is still needed to meet OpenSSL expectations. If it is not used,
12624 the 'strict-sni' option may be used.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010012625
William Lallemandf9ff3ec2020-10-02 17:57:44 +020012626 Multi-cert bundling (see "ssl-load-extra-files") is supported with crt-list,
12627 as long as only the base name is given in the crt-list. SNI filter will do
12628 the same work on all bundled certificates.
yanbzhud19630c2015-12-14 15:10:25 -050012629
William Lallemand7c26ed72020-06-03 17:34:48 +020012630 Empty lines as well as lines beginning with a hash ('#') will be ignored.
12631
Emmanuel Hocdet98263292016-12-29 18:26:15 +010012632 crt-list file example:
12633 cert1.pem
William Lallemand7c26ed72020-06-03 17:34:48 +020012634 # comment
Emmanuel Hocdet05942112017-02-20 16:11:50 +010012635 cert2.pem [alpn h2,http/1.1]
Emmanuel Hocdet98263292016-12-29 18:26:15 +010012636 certW.pem *.domain.tld !secure.domain.tld
Emmanuel Hocdet05942112017-02-20 16:11:50 +010012637 certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld
Emmanuel Hocdet98263292016-12-29 18:26:15 +010012638
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012639defer-accept
12640 Is an optional keyword which is supported only on certain Linux kernels. It
12641 states that a connection will only be accepted once some data arrive on it,
12642 or at worst after the first retransmit. This should be used only on protocols
Davor Ocelice9ed2812017-12-25 17:49:28 +010012643 for which the client talks first (e.g. HTTP). It can slightly improve
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012644 performance by ensuring that most of the request is already available when
12645 the connection is accepted. On the other hand, it will not be able to detect
12646 connections which don't talk. It is important to note that this option is
12647 broken in all kernels up to 2.6.31, as the connection is never accepted until
12648 the client talks. This can cause issues with front firewalls which would see
12649 an established connection while the proxy will only see it in SYN_RECV. This
12650 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
12651
William Lallemandf6975e92017-05-26 17:42:10 +020012652expose-fd listeners
12653 This option is only usable with the stats socket. It gives your stats socket
12654 the capability to pass listeners FD to another HAProxy process.
William Lallemande202b1e2017-06-01 17:38:56 +020012655 During a reload with the master-worker mode, the process is automatically
12656 reexecuted adding -x and one of the stats socket with this option.
Davor Ocelice9ed2812017-12-25 17:49:28 +010012657 See also "-x" in the management guide.
William Lallemandf6975e92017-05-26 17:42:10 +020012658
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012659force-sslv3
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012660 This option enforces use of SSLv3 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012661 this listener. SSLv3 is generally less expensive than the TLS counterparts
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012662 for high connection rates. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012663 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012664
12665force-tlsv10
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012666 This option enforces use of TLSv1.0 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012667 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012668 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012669
12670force-tlsv11
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012671 This option enforces use of TLSv1.1 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012672 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012673 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012674
12675force-tlsv12
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012676 This option enforces use of TLSv1.2 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012677 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012678 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012679
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020012680force-tlsv13
12681 This option enforces use of TLSv1.3 only on SSL connections instantiated from
12682 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012683 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020012684
Christopher Faulet31af49d2015-06-09 17:29:50 +020012685generate-certificates
12686 This setting is only available when support for OpenSSL was built in. It
12687 enables the dynamic SSL certificates generation. A CA certificate and its
12688 private key are necessary (see 'ca-sign-file'). When HAProxy is configured as
12689 a transparent forward proxy, SSL requests generate errors because of a common
12690 name mismatch on the certificate presented to the client. With this option
12691 enabled, HAProxy will try to forge a certificate using the SNI hostname
12692 indicated by the client. This is done only if no certificate matches the SNI
12693 hostname (see 'crt-list'). If an error occurs, the default certificate is
12694 used, else the 'strict-sni' option is set.
12695 It can also be used when HAProxy is configured as a reverse proxy to ease the
12696 deployment of an architecture with many backends.
12697
12698 Creating a SSL certificate is an expensive operation, so a LRU cache is used
12699 to store forged certificates (see 'tune.ssl.ssl-ctx-cache-size'). It
Davor Ocelice9ed2812017-12-25 17:49:28 +010012700 increases the HAProxy's memory footprint to reduce latency when the same
Christopher Faulet31af49d2015-06-09 17:29:50 +020012701 certificate is used many times.
12702
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012703gid <gid>
12704 Sets the group of the UNIX sockets to the designated system gid. It can also
12705 be set by default in the global section's "unix-bind" statement. Note that
12706 some platforms simply ignore this. This setting is equivalent to the "group"
12707 setting except that the group ID is used instead of its name. This setting is
12708 ignored by non UNIX sockets.
12709
12710group <group>
12711 Sets the group of the UNIX sockets to the designated system group. It can
12712 also be set by default in the global section's "unix-bind" statement. Note
12713 that some platforms simply ignore this. This setting is equivalent to the
12714 "gid" setting except that the group name is used instead of its gid. This
12715 setting is ignored by non UNIX sockets.
12716
12717id <id>
12718 Fixes the socket ID. By default, socket IDs are automatically assigned, but
12719 sometimes it is more convenient to fix them to ease monitoring. This value
12720 must be strictly positive and unique within the listener/frontend. This
12721 option can only be used when defining only a single socket.
12722
12723interface <interface>
Lukas Tribusfce2e962013-02-12 22:13:19 +010012724 Restricts the socket to a specific interface. When specified, only packets
12725 received from that particular interface are processed by the socket. This is
12726 currently only supported on Linux. The interface must be a primary system
12727 interface, not an aliased interface. It is also possible to bind multiple
12728 frontends to the same address if they are bound to different interfaces. Note
12729 that binding to a network interface requires root privileges. This parameter
Jérôme Magnin61275192018-02-07 11:39:58 +010012730 is only compatible with TCPv4/TCPv6 sockets. When specified, return traffic
12731 uses the same interface as inbound traffic, and its associated routing table,
12732 even if there are explicit routes through different interfaces configured.
12733 This can prove useful to address asymmetric routing issues when the same
12734 client IP addresses need to be able to reach frontends hosted on different
12735 interfaces.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012736
Willy Tarreauabb175f2012-09-24 12:43:26 +020012737level <level>
12738 This setting is used with the stats sockets only to restrict the nature of
12739 the commands that can be issued on the socket. It is ignored by other
12740 sockets. <level> can be one of :
Davor Ocelice9ed2812017-12-25 17:49:28 +010012741 - "user" is the least privileged level; only non-sensitive stats can be
Willy Tarreauabb175f2012-09-24 12:43:26 +020012742 read, and no change is allowed. It would make sense on systems where it
12743 is not easy to restrict access to the socket.
12744 - "operator" is the default level and fits most common uses. All data can
Davor Ocelice9ed2812017-12-25 17:49:28 +010012745 be read, and only non-sensitive changes are permitted (e.g. clear max
Willy Tarreauabb175f2012-09-24 12:43:26 +020012746 counters).
Davor Ocelice9ed2812017-12-25 17:49:28 +010012747 - "admin" should be used with care, as everything is permitted (e.g. clear
Willy Tarreauabb175f2012-09-24 12:43:26 +020012748 all counters).
12749
Andjelko Iharosc4df59e2017-07-20 11:59:48 +020012750severity-output <format>
12751 This setting is used with the stats sockets only to configure severity
12752 level output prepended to informational feedback messages. Severity
12753 level of messages can range between 0 and 7, conforming to syslog
12754 rfc5424. Valid and successful socket commands requesting data
12755 (i.e. "show map", "get acl foo" etc.) will never have a severity level
12756 prepended. It is ignored by other sockets. <format> can be one of :
12757 - "none" (default) no severity level is prepended to feedback messages.
12758 - "number" severity level is prepended as a number.
12759 - "string" severity level is prepended as a string following the
12760 rfc5424 convention.
12761
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012762maxconn <maxconn>
12763 Limits the sockets to this number of concurrent connections. Extraneous
12764 connections will remain in the system's backlog until a connection is
12765 released. If unspecified, the limit will be the same as the frontend's
12766 maxconn. Note that in case of port ranges or multiple addresses, the same
12767 value will be applied to each socket. This setting enables different
12768 limitations on expensive sockets, for instance SSL entries which may easily
12769 eat all memory.
12770
12771mode <mode>
12772 Sets the octal mode used to define access permissions on the UNIX socket. It
12773 can also be set by default in the global section's "unix-bind" statement.
12774 Note that some platforms simply ignore this. This setting is ignored by non
12775 UNIX sockets.
12776
12777mss <maxseg>
12778 Sets the TCP Maximum Segment Size (MSS) value to be advertised on incoming
12779 connections. This can be used to force a lower MSS for certain specific
12780 ports, for instance for connections passing through a VPN. Note that this
12781 relies on a kernel feature which is theoretically supported under Linux but
12782 was buggy in all versions prior to 2.6.28. It may or may not work on other
12783 operating systems. It may also not change the advertised value but change the
12784 effective size of outgoing segments. The commonly advertised value for TCPv4
12785 over Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
12786 positive, it will be used as the advertised MSS. If it is negative, it will
12787 indicate by how much to reduce the incoming connection's advertised MSS for
12788 outgoing segments. This parameter is only compatible with TCP v4/v6 sockets.
12789
12790name <name>
12791 Sets an optional name for these sockets, which will be reported on the stats
12792 page.
12793
Willy Tarreaud72f0f32015-10-13 14:50:22 +020012794namespace <name>
12795 On Linux, it is possible to specify which network namespace a socket will
12796 belong to. This directive makes it possible to explicitly bind a listener to
12797 a namespace different from the default one. Please refer to your operating
12798 system's documentation to find more details about network namespaces.
12799
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012800nice <nice>
12801 Sets the 'niceness' of connections initiated from the socket. Value must be
12802 in the range -1024..1024 inclusive, and defaults to zero. Positive values
12803 means that such connections are more friendly to others and easily offer
12804 their place in the scheduler. On the opposite, negative values mean that
12805 connections want to run with a higher priority than others. The difference
12806 only happens under high loads when the system is close to saturation.
12807 Negative values are appropriate for low-latency or administration services,
12808 and high values are generally recommended for CPU intensive tasks such as SSL
12809 processing or bulk transfers which are less sensible to latency. For example,
12810 it may make sense to use a positive value for an SMTP socket and a negative
12811 one for an RDP socket.
12812
Emmanuel Hocdet174dfe52017-07-28 15:01:05 +020012813no-ca-names
12814 This setting is only available when support for OpenSSL was built in. It
12815 prevents from send CA names in server hello message when ca-file is used.
Emmanuel Hocdet842e94e2019-12-16 16:39:17 +010012816 Use "ca-verify-file" instead of "ca-file" with "no-ca-names".
Emmanuel Hocdet174dfe52017-07-28 15:01:05 +020012817
Emeric Brun9b3009b2012-10-05 11:55:06 +020012818no-sslv3
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012819 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012820 disables support for SSLv3 on any sockets instantiated from the listener when
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012821 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012822 be enabled using any configuration option. This option is also available on
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012823 global statement "ssl-default-bind-options". Use "ssl-min-ver" and
12824 "ssl-max-ver" instead.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012825
Emeric Brun90ad8722012-10-02 14:00:59 +020012826no-tls-tickets
12827 This setting is only available when support for OpenSSL was built in. It
12828 disables the stateless session resumption (RFC 5077 TLS Ticket
12829 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012830 session resumption is more expensive in CPU usage. This option is also
12831 available on global statement "ssl-default-bind-options".
Lukas Tribusbdb386d2020-03-10 00:56:09 +010012832 The TLS ticket mechanism is only used up to TLS 1.2.
12833 Forward Secrecy is compromised with TLS tickets, unless ticket keys
12834 are periodically rotated (via reload or by using "tls-ticket-keys").
Emeric Brun90ad8722012-10-02 14:00:59 +020012835
Emeric Brun9b3009b2012-10-05 11:55:06 +020012836no-tlsv10
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012837 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012838 disables support for TLSv1.0 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012839 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012840 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012841 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
12842 and "ssl-max-ver" instead.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012843
Emeric Brun9b3009b2012-10-05 11:55:06 +020012844no-tlsv11
Emeric Brunf5da4932012-09-28 19:42:54 +020012845 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012846 disables support for TLSv1.1 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012847 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012848 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012849 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
12850 and "ssl-max-ver" instead.
Emeric Brunf5da4932012-09-28 19:42:54 +020012851
Emeric Brun9b3009b2012-10-05 11:55:06 +020012852no-tlsv12
Emeric Brunf5da4932012-09-28 19:42:54 +020012853 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012854 disables support for TLSv1.2 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +020012855 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +010012856 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012857 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
12858 and "ssl-max-ver" instead.
Emeric Brunf5da4932012-09-28 19:42:54 +020012859
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020012860no-tlsv13
12861 This setting is only available when support for OpenSSL was built in. It
12862 disables support for TLSv1.3 on any sockets instantiated from the listener
12863 when SSL is supported. Note that SSLv2 is forced disabled in the code and
12864 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012865 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
12866 and "ssl-max-ver" instead.
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020012867
Willy Tarreau6c9a3d52012-10-18 18:57:14 +020012868npn <protocols>
12869 This enables the NPN TLS extension and advertises the specified protocol list
12870 as supported on top of NPN. The protocol list consists in a comma-delimited
12871 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
John Roeslerfb2fce12019-07-10 15:45:51 -050012872 This requires that the SSL library is built with support for TLS extensions
Willy Tarreauab861d32013-04-02 02:30:41 +020012873 enabled (check with haproxy -vv). Note that the NPN extension has been
Willy Tarreau95c4e142017-11-26 12:18:55 +010012874 replaced with the ALPN extension (see the "alpn" keyword), though this one is
12875 only available starting with OpenSSL 1.0.2. If HTTP/2 is desired on an older
12876 version of OpenSSL, NPN might still be used as most clients still support it
12877 at the time of writing this. It is possible to enable both NPN and ALPN
12878 though it probably doesn't make any sense out of testing.
Willy Tarreau6c9a3d52012-10-18 18:57:14 +020012879
Lukas Tribus53ae85c2017-05-04 15:45:40 +000012880prefer-client-ciphers
12881 Use the client's preference when selecting the cipher suite, by default
12882 the server's preference is enforced. This option is also available on
12883 global statement "ssl-default-bind-options".
Lukas Tribus926594f2018-05-18 17:55:57 +020012884 Note that with OpenSSL >= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway
12885 (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of
12886 the client cipher list.
Lukas Tribus53ae85c2017-05-04 15:45:40 +000012887
Christopher Fauletc644fa92017-11-23 22:44:11 +010012888process <process-set>[/<thread-set>]
Willy Tarreaua36b3242019-02-02 13:14:34 +010012889 This restricts the list of processes or threads on which this listener is
Christopher Fauletc644fa92017-11-23 22:44:11 +010012890 allowed to run. It does not enforce any process but eliminates those which do
Davor Ocelice9ed2812017-12-25 17:49:28 +010012891 not match. If the frontend uses a "bind-process" setting, the intersection
Christopher Fauletc644fa92017-11-23 22:44:11 +010012892 between the two is applied. If in the end the listener is not allowed to run
12893 on any remaining process, a warning is emitted, and the listener will either
12894 run on the first process of the listener if a single process was specified,
12895 or on all of its processes if multiple processes were specified. If a thread
Davor Ocelice9ed2812017-12-25 17:49:28 +010012896 set is specified, it limits the threads allowed to process incoming
Willy Tarreaua36b3242019-02-02 13:14:34 +010012897 connections for this listener, for the the process set. If multiple processes
12898 and threads are configured, a warning is emitted, as it either results from a
12899 configuration error or a misunderstanding of these models. For the unlikely
12900 case where several ranges are needed, this directive may be repeated.
12901 <process-set> and <thread-set> must use the format
Christopher Fauletc644fa92017-11-23 22:44:11 +010012902
12903 all | odd | even | number[-[number]]
12904
12905 Ranges can be partially defined. The higher bound can be omitted. In such
12906 case, it is replaced by the corresponding maximum value. The main purpose of
12907 this directive is to be used with the stats sockets and have one different
12908 socket per process. The second purpose is to have multiple bind lines sharing
12909 the same IP:port but not the same process in a listener, so that the system
12910 can distribute the incoming connections into multiple queues and allow a
12911 smoother inter-process load balancing. Currently Linux 3.9 and above is known
12912 for supporting this. See also "bind-process" and "nbproc".
Willy Tarreau6ae1ba62014-05-07 19:01:58 +020012913
Christopher Fauleta717b992018-04-10 14:43:00 +020012914proto <name>
12915 Forces the multiplexer's protocol to use for the incoming connections. It
12916 must be compatible with the mode of the frontend (TCP or HTTP). It must also
12917 be usable on the frontend side. The list of available protocols is reported
12918 in haproxy -vv.
Daniel Corbett67a82712020-07-06 23:01:19 -040012919 Idea behind this option is to bypass the selection of the best multiplexer's
Christopher Fauleta717b992018-04-10 14:43:00 +020012920 protocol for all connections instantiated from this listening socket. For
Joseph Herlant71b4b152018-11-13 16:55:16 -080012921 instance, it is possible to force the http/2 on clear TCP by specifying "proto
Christopher Fauleta717b992018-04-10 14:43:00 +020012922 h2" on the bind line.
12923
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012924ssl
12925 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012926 enables SSL deciphering on connections instantiated from this listener. A
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012927 certificate is necessary (see "crt" above). All contents in the buffers will
12928 appear in clear text, so that ACLs and HTTP processing will only have access
Emmanuel Hocdetbd695fe2017-05-15 15:53:41 +020012929 to deciphered contents. SSLv3 is disabled per default, use "ssl-min-ver SSLv3"
12930 to enable it.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012931
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012932ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
12933 This option enforces use of <version> or lower on SSL connections instantiated
William Lallemand50df1cb2020-06-02 10:52:24 +020012934 from this listener. Using this setting without "ssl-min-ver" can be
12935 ambiguous because the default ssl-min-ver value could change in future HAProxy
12936 versions. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012937 "ssl-default-bind-options". See also "ssl-min-ver".
12938
12939ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
William Lallemand50df1cb2020-06-02 10:52:24 +020012940 This option enforces use of <version> or upper on SSL connections
12941 instantiated from this listener. The default value is "TLSv1.2". This option
12942 is also available on global statement "ssl-default-bind-options".
12943 See also "ssl-max-ver".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020012944
Emmanuel Hocdet65623372013-01-24 17:17:15 +010012945strict-sni
12946 This setting is only available when support for OpenSSL was built in. The
12947 SSL/TLS negotiation is allow only if the client provided an SNI which match
12948 a certificate. The default certificate is not used.
12949 See the "crt" option for more information.
12950
Willy Tarreau2af207a2015-02-04 00:45:58 +010012951tcp-ut <delay>
Tim Düsterhus4896c442016-11-29 02:15:19 +010012952 Sets the TCP User Timeout for all incoming connections instantiated from this
Willy Tarreau2af207a2015-02-04 00:45:58 +010012953 listening socket. This option is available on Linux since version 2.6.37. It
12954 allows haproxy to configure a timeout for sockets which contain data not
Davor Ocelice9ed2812017-12-25 17:49:28 +010012955 receiving an acknowledgment for the configured delay. This is especially
Willy Tarreau2af207a2015-02-04 00:45:58 +010012956 useful on long-lived connections experiencing long idle periods such as
12957 remote terminals or database connection pools, where the client and server
12958 timeouts must remain high to allow a long period of idle, but where it is
12959 important to detect that the client has disappeared in order to release all
12960 resources associated with its connection (and the server's session). The
12961 argument is a delay expressed in milliseconds by default. This only works
12962 for regular TCP connections, and is ignored for other protocols.
12963
Willy Tarreau1c862c52012-10-05 16:21:00 +020012964tfo
Lukas Tribus0defb902013-02-13 23:35:39 +010012965 Is an optional keyword which is supported only on Linux kernels >= 3.7. It
Willy Tarreau1c862c52012-10-05 16:21:00 +020012966 enables TCP Fast Open on the listening socket, which means that clients which
12967 support this feature will be able to send a request and receive a response
12968 during the 3-way handshake starting from second connection, thus saving one
12969 round-trip after the first connection. This only makes sense with protocols
12970 that use high connection rates and where each round trip matters. This can
12971 possibly cause issues with many firewalls which do not accept data on SYN
12972 packets, so this option should only be enabled once well tested. This option
Lukas Tribus0999f762013-04-02 16:43:24 +020012973 is only supported on TCPv4/TCPv6 sockets and ignored by other ones. You may
12974 need to build HAProxy with USE_TFO=1 if your libc doesn't define
12975 TCP_FASTOPEN.
Willy Tarreau1c862c52012-10-05 16:21:00 +020012976
Nenad Merdanovic188ad3e2015-02-27 19:56:50 +010012977tls-ticket-keys <keyfile>
12978 Sets the TLS ticket keys file to load the keys from. The keys need to be 48
Emeric Brun9e754772019-01-10 17:51:55 +010012979 or 80 bytes long, depending if aes128 or aes256 is used, encoded with base64
12980 with one line per key (ex. openssl rand 80 | openssl base64 -A | xargs echo).
12981 The first key determines the key length used for next keys: you can't mix
12982 aes128 and aes256 keys. Number of keys is specified by the TLS_TICKETS_NO
12983 build option (default 3) and at least as many keys need to be present in
12984 the file. Last TLS_TICKETS_NO keys will be used for decryption and the
12985 penultimate one for encryption. This enables easy key rotation by just
12986 appending new key to the file and reloading the process. Keys must be
12987 periodically rotated (ex. every 12h) or Perfect Forward Secrecy is
12988 compromised. It is also a good idea to keep the keys off any permanent
Nenad Merdanovic188ad3e2015-02-27 19:56:50 +010012989 storage such as hard drives (hint: use tmpfs and don't swap those files).
12990 Lifetime hint can be changed using tune.ssl.timeout.
12991
Willy Tarreaub6205fd2012-09-24 12:27:33 +020012992transparent
12993 Is an optional keyword which is supported only on certain Linux kernels. It
12994 indicates that the addresses will be bound even if they do not belong to the
12995 local machine, and that packets targeting any of these addresses will be
12996 intercepted just as if the addresses were locally configured. This normally
12997 requires that IP forwarding is enabled. Caution! do not use this with the
12998 default address '*', as it would redirect any traffic for the specified port.
12999 This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1.
13000 This parameter is only compatible with TCPv4 and TCPv6 sockets, depending on
13001 kernel version. Some distribution kernels include backports of the feature,
13002 so check for support with your vendor.
13003
Willy Tarreau77e3af92012-11-24 15:07:23 +010013004v4v6
13005 Is an optional keyword which is supported only on most recent systems
13006 including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
13007 and IPv6 when it uses the default address. Doing so is sometimes necessary
13008 on systems which bind to IPv6 only by default. It has no effect on non-IPv6
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013009 sockets, and is overridden by the "v6only" option.
Willy Tarreau77e3af92012-11-24 15:07:23 +010013010
Willy Tarreau9b6700f2012-11-24 11:55:28 +010013011v6only
13012 Is an optional keyword which is supported only on most recent systems
13013 including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
13014 when it uses the default address. Doing so is sometimes preferred to doing it
Willy Tarreau77e3af92012-11-24 15:07:23 +010013015 system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
13016 has precedence over the "v4v6" option.
Willy Tarreau9b6700f2012-11-24 11:55:28 +010013017
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013018uid <uid>
13019 Sets the owner of the UNIX sockets to the designated system uid. It can also
13020 be set by default in the global section's "unix-bind" statement. Note that
13021 some platforms simply ignore this. This setting is equivalent to the "user"
13022 setting except that the user numeric ID is used instead of its name. This
13023 setting is ignored by non UNIX sockets.
13024
13025user <user>
13026 Sets the owner of the UNIX sockets to the designated system user. It can also
13027 be set by default in the global section's "unix-bind" statement. Note that
13028 some platforms simply ignore this. This setting is equivalent to the "uid"
13029 setting except that the user name is used instead of its uid. This setting is
13030 ignored by non UNIX sockets.
13031
Emeric Brun1a073b42012-09-28 17:07:34 +020013032verify [none|optional|required]
13033 This setting is only available when support for OpenSSL was built in. If set
13034 to 'none', client certificate is not requested. This is the default. In other
13035 cases, a client certificate is requested. If the client does not provide a
13036 certificate after the request and if 'verify' is set to 'required', then the
13037 handshake is aborted, while it would have succeeded if set to 'optional'. The
Emeric Brunfd33a262012-10-11 16:28:27 +020013038 certificate provided by the client is always verified using CAs from
13039 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
13040 is aborted, regardless of the 'verify' option, unless the error code exactly
13041 matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013042
Willy Tarreaub6205fd2012-09-24 12:27:33 +0200130435.2. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +010013044------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020013045
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010013046The "server" and "default-server" keywords support a certain number of settings
13047which are all passed as arguments on the server line. The order in which those
13048arguments appear does not count, and they are all optional. Some of those
13049settings are single words (booleans) while others expect one or several values
13050after them. In this case, the values must immediately follow the setting name.
13051Except default-server, all those settings must be specified after the server's
13052address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +020013053
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013054 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010013055 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +020013056
Frédéric Lécailled2376272017-03-21 18:52:12 +010013057Note that all these settings are supported both by "server" and "default-server"
13058keywords, except "id" which is only supported by "server".
13059
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013060The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +010013061
Willy Tarreauceb4ac92012-04-28 00:41:46 +020013062addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013063 Using the "addr" parameter, it becomes possible to use a different IP address
Baptiste Assmann13f83532016-03-06 23:14:36 +010013064 to send health-checks or to probe the agent-check. On some servers, it may be
13065 desirable to dedicate an IP address to specific component able to perform
13066 complex tests which are more suitable to health-checks than the application.
13067 This parameter is ignored if the "check" parameter is not set. See also the
13068 "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013069
Simon Hormand60d6912013-11-25 10:46:36 +090013070agent-check
13071 Enable an auxiliary agent check which is run independently of a regular
Willy Tarreau81f5d942013-12-09 20:51:51 +010013072 health check. An agent health check is performed by making a TCP connection
Willy Tarreau7a0139e2018-12-16 08:42:56 +010013073 to the port set by the "agent-port" parameter and reading an ASCII string
13074 terminated by the first '\r' or '\n' met. The string is made of a series of
13075 words delimited by spaces, tabs or commas in any order, each consisting of :
Simon Hormand60d6912013-11-25 10:46:36 +090013076
Willy Tarreau81f5d942013-12-09 20:51:51 +010013077 - An ASCII representation of a positive integer percentage, e.g. "75%".
Simon Hormand60d6912013-11-25 10:46:36 +090013078 Values in this format will set the weight proportional to the initial
Willy Tarreauc5af3a62014-10-07 15:27:33 +020013079 weight of a server as configured when haproxy starts. Note that a zero
13080 weight is reported on the stats page as "DRAIN" since it has the same
13081 effect on the server (it's removed from the LB farm).
Simon Hormand60d6912013-11-25 10:46:36 +090013082
Davor Ocelice9ed2812017-12-25 17:49:28 +010013083 - The string "maxconn:" followed by an integer (no space between). Values
13084 in this format will set the maxconn of a server. The maximum number of
13085 connections advertised needs to be multiplied by the number of load
13086 balancers and different backends that use this health check to get the
13087 total number of connections the server might receive. Example: maxconn:30
Nenad Merdanovic174dd372016-04-24 23:10:06 +020013088
Willy Tarreau81f5d942013-12-09 20:51:51 +010013089 - The word "ready". This will turn the server's administrative state to the
Davor Ocelice9ed2812017-12-25 17:49:28 +010013090 READY mode, thus canceling any DRAIN or MAINT state
Simon Hormand60d6912013-11-25 10:46:36 +090013091
Willy Tarreau81f5d942013-12-09 20:51:51 +010013092 - The word "drain". This will turn the server's administrative state to the
13093 DRAIN mode, thus it will not accept any new connections other than those
13094 that are accepted via persistence.
Simon Hormand60d6912013-11-25 10:46:36 +090013095
Willy Tarreau81f5d942013-12-09 20:51:51 +010013096 - The word "maint". This will turn the server's administrative state to the
13097 MAINT mode, thus it will not accept any new connections at all, and health
13098 checks will be stopped.
Simon Hormand60d6912013-11-25 10:46:36 +090013099
William Dauchyf8e795c2020-09-26 13:35:51 +020013100 - The words "down", "fail", or "stopped", optionally followed by a
Willy Tarreau81f5d942013-12-09 20:51:51 +010013101 description string after a sharp ('#'). All of these mark the server's
13102 operating state as DOWN, but since the word itself is reported on the stats
13103 page, the difference allows an administrator to know if the situation was
13104 expected or not : the service may intentionally be stopped, may appear up
Davor Ocelice9ed2812017-12-25 17:49:28 +010013105 but fail some validity tests, or may be seen as down (e.g. missing process,
Willy Tarreau81f5d942013-12-09 20:51:51 +010013106 or port not responding).
Simon Hormand60d6912013-11-25 10:46:36 +090013107
Willy Tarreau81f5d942013-12-09 20:51:51 +010013108 - The word "up" sets back the server's operating state as UP if health checks
13109 also report that the service is accessible.
Simon Hormand60d6912013-11-25 10:46:36 +090013110
Willy Tarreau81f5d942013-12-09 20:51:51 +010013111 Parameters which are not advertised by the agent are not changed. For
13112 example, an agent might be designed to monitor CPU usage and only report a
13113 relative weight and never interact with the operating status. Similarly, an
13114 agent could be designed as an end-user interface with 3 radio buttons
13115 allowing an administrator to change only the administrative state. However,
13116 it is important to consider that only the agent may revert its own actions,
13117 so if a server is set to DRAIN mode or to DOWN state using the agent, the
13118 agent must implement the other equivalent actions to bring the service into
13119 operations again.
Simon Hormand60d6912013-11-25 10:46:36 +090013120
Simon Horman2f1f9552013-11-25 10:46:37 +090013121 Failure to connect to the agent is not considered an error as connectivity
13122 is tested by the regular health check which is enabled by the "check"
Willy Tarreau81f5d942013-12-09 20:51:51 +010013123 parameter. Warning though, it is not a good idea to stop an agent after it
13124 reports "down", since only an agent reporting "up" will be able to turn the
13125 server up again. Note that the CLI on the Unix stats socket is also able to
Willy Tarreau989222a2016-01-15 10:26:26 +010013126 force an agent's result in order to work around a bogus agent if needed.
Simon Horman2f1f9552013-11-25 10:46:37 +090013127
Willy Tarreau81f5d942013-12-09 20:51:51 +010013128 Requires the "agent-port" parameter to be set. See also the "agent-inter"
Frédéric Lécailled2376272017-03-21 18:52:12 +010013129 and "no-agent-check" parameters.
Simon Hormand60d6912013-11-25 10:46:36 +090013130
James Brown55f9ff12015-10-21 18:19:05 -070013131agent-send <string>
13132 If this option is specified, haproxy will send the given string (verbatim)
13133 to the agent server upon connection. You could, for example, encode
13134 the backend name into this string, which would enable your agent to send
13135 different responses based on the backend. Make sure to include a '\n' if
13136 you want to terminate your request with a newline.
13137
Simon Hormand60d6912013-11-25 10:46:36 +090013138agent-inter <delay>
13139 The "agent-inter" parameter sets the interval between two agent checks
13140 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
13141
13142 Just as with every other time-based parameter, it may be entered in any
13143 other explicit unit among { us, ms, s, m, h, d }. The "agent-inter"
13144 parameter also serves as a timeout for agent checks "timeout check" is
13145 not set. In order to reduce "resonance" effects when multiple servers are
13146 hosted on the same hardware, the agent and health checks of all servers
13147 are started with a small time offset between them. It is also possible to
13148 add some random noise in the agent and health checks interval using the
13149 global "spread-checks" keyword. This makes sense for instance when a lot
13150 of backends use the same servers.
13151
13152 See also the "agent-check" and "agent-port" parameters.
13153
Misiek768d8602017-01-09 09:52:43 +010013154agent-addr <addr>
13155 The "agent-addr" parameter sets address for agent check.
13156
13157 You can offload agent-check to another target, so you can make single place
13158 managing status and weights of servers defined in haproxy in case you can't
13159 make self-aware and self-managing services. You can specify both IP or
13160 hostname, it will be resolved.
13161
Simon Hormand60d6912013-11-25 10:46:36 +090013162agent-port <port>
13163 The "agent-port" parameter sets the TCP port used for agent checks.
13164
13165 See also the "agent-check" and "agent-inter" parameters.
13166
Olivier Houchard8cb2d2e2019-05-06 18:58:48 +020013167allow-0rtt
13168 Allow sending early data to the server when using TLS 1.3.
Olivier Houchard22c9b442019-05-06 19:01:04 +020013169 Note that early data will be sent only if the client used early data, or
13170 if the backend uses "retry-on" with the "0rtt-rejected" keyword.
Olivier Houchard8cb2d2e2019-05-06 18:58:48 +020013171
Olivier Houchardc7566002018-11-20 23:33:50 +010013172alpn <protocols>
13173 This enables the TLS ALPN extension and advertises the specified protocol
13174 list as supported on top of ALPN. The protocol list consists in a comma-
13175 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
John Roeslerfb2fce12019-07-10 15:45:51 -050013176 quotes). This requires that the SSL library is built with support for TLS
Olivier Houchardc7566002018-11-20 23:33:50 +010013177 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
13178 initial NPN extension. ALPN is required to connect to HTTP/2 servers.
13179 Versions of OpenSSL prior to 1.0.2 didn't support ALPN and only supposed the
13180 now obsolete NPN extension.
13181 If both HTTP/2 and HTTP/1.1 are expected to be supported, both versions can
13182 be advertised, in order of preference, like below :
13183
13184 server 127.0.0.1:443 ssl crt pub.pem alpn h2,http/1.1
13185
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013186backup
13187 When "backup" is present on a server line, the server is only used in load
13188 balancing when all other non-backup servers are unavailable. Requests coming
13189 with a persistence cookie referencing the server will always be served
13190 though. By default, only the first operational backup server is used, unless
Frédéric Lécailled2376272017-03-21 18:52:12 +010013191 the "allbackups" option is set in the backend. See also the "no-backup" and
13192 "allbackups" options.
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013193
Emeric Brunef42d922012-10-11 16:11:36 +020013194ca-file <cafile>
13195 This setting is only available when support for OpenSSL was built in. It
13196 designates a PEM file from which to load CA certificates used to verify
13197 server's certificate.
13198
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013199check
Jerome Magnin90702bc2020-04-26 14:23:04 +020013200 This option enables health checks on a server:
13201 - when not set, no health checking is performed, and the server is always
13202 considered available.
13203 - when set and no other check method is configured, the server is considered
13204 available when a connection can be established at the highest configured
13205 transport layer. This means TCP by default, or SSL/TLS when "ssl" or
13206 "check-ssl" are set, both possibly combined with connection prefixes such
13207 as a PROXY protocol header when "send-proxy" or "check-send-proxy" are
13208 set.
13209 - when set and an application-level health check is defined, the
13210 application-level exchanges are performed on top of the configured
13211 transport layer and the server is considered available if all of the
13212 exchanges succeed.
13213
13214 By default, health checks are performed on the same address and port as
13215 configured on the server, using the same encapsulation parameters (SSL/TLS,
13216 proxy-protocol header, etc... ). It is possible to change the destination
13217 address using "addr" and the port using "port". When done, it is assumed the
13218 server isn't checked on the service port, and configured encapsulation
Ilya Shipitsin4329a9a2020-05-05 21:17:10 +050013219 parameters are not reused. One must explicitly set "check-send-proxy" to send
Jerome Magnin90702bc2020-04-26 14:23:04 +020013220 connection headers, "check-ssl" to use SSL/TLS.
13221
13222 When "sni" or "alpn" are set on the server line, their value is not used for
13223 health checks and one must use "check-sni" or "check-alpn".
13224
13225 The default source address for health check traffic is the same as the one
13226 defined in the backend. It can be changed with the "source" keyword.
13227
13228 The interval between checks can be set using the "inter" keyword, and the
13229 "rise" and "fall" keywords can be used to define how many successful or
13230 failed health checks are required to flag a server available or not
13231 available.
13232
13233 Optional application-level health checks can be configured with "option
13234 httpchk", "option mysql-check" "option smtpchk", "option pgsql-check",
13235 "option ldap-check", or "option redis-check".
13236
13237 Example:
13238 # simple tcp check
13239 backend foo
13240 server s1 192.168.0.1:80 check
13241 # this does a tcp connect + tls handshake
13242 backend foo
13243 server s1 192.168.0.1:443 ssl check
13244 # simple tcp check is enough for check success
13245 backend foo
13246 option tcp-check
13247 tcp-check connect
13248 server s1 192.168.0.1:443 ssl check
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013249
Willy Tarreau6c16adc2012-10-05 00:04:16 +020013250check-send-proxy
13251 This option forces emission of a PROXY protocol line with outgoing health
13252 checks, regardless of whether the server uses send-proxy or not for the
13253 normal traffic. By default, the PROXY protocol is enabled for health checks
13254 if it is already enabled for normal traffic and if no "port" nor "addr"
13255 directive is present. However, if such a directive is present, the
13256 "check-send-proxy" option needs to be used to force the use of the
13257 protocol. See also the "send-proxy" option for more information.
13258
Olivier Houchard92150142018-12-21 19:47:01 +010013259check-alpn <protocols>
13260 Defines which protocols to advertise with ALPN. The protocol list consists in
13261 a comma-delimited list of protocol names, for instance: "http/1.1,http/1.0"
13262 (without quotes). If it is not set, the server ALPN is used.
13263
Christopher Fauletedc6ed92020-04-23 16:27:59 +020013264check-proto <name>
13265 Forces the multiplexer's protocol to use for the server's health-check
13266 connections. It must be compatible with the health-check type (TCP or
13267 HTTP). It must also be usable on the backend side. The list of available
13268 protocols is reported in haproxy -vv.
Daniel Corbett67a82712020-07-06 23:01:19 -040013269 Idea behind this option is to bypass the selection of the best multiplexer's
Christopher Fauletedc6ed92020-04-23 16:27:59 +020013270 protocol for health-check connections established to this server.
13271 If not defined, the server one will be used, if set.
13272
Jérôme Magninae9bb762018-12-09 16:08:26 +010013273check-sni <sni>
Olivier Houchard9130a962017-10-17 17:33:43 +020013274 This option allows you to specify the SNI to be used when doing health checks
Jérôme Magninae9bb762018-12-09 16:08:26 +010013275 over SSL. It is only possible to use a string to set <sni>. If you want to
13276 set a SNI for proxied traffic, see "sni".
Olivier Houchard9130a962017-10-17 17:33:43 +020013277
Willy Tarreau763a95b2012-10-04 23:15:39 +020013278check-ssl
13279 This option forces encryption of all health checks over SSL, regardless of
13280 whether the server uses SSL or not for the normal traffic. This is generally
13281 used when an explicit "port" or "addr" directive is specified and SSL health
13282 checks are not inherited. It is important to understand that this option
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013283 inserts an SSL transport layer below the checks, so that a simple TCP connect
Willy Tarreau763a95b2012-10-04 23:15:39 +020013284 check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
13285 common use is to send HTTPS checks by combining "httpchk" with SSL checks.
Davor Ocelice9ed2812017-12-25 17:49:28 +010013286 All SSL settings are common to health checks and traffic (e.g. ciphers).
Frédéric Lécailled2376272017-03-21 18:52:12 +010013287 See the "ssl" option for more information and "no-check-ssl" to disable
13288 this option.
Willy Tarreau763a95b2012-10-04 23:15:39 +020013289
Alexander Liu2a54bb72019-05-22 19:44:48 +080013290check-via-socks4
John Roeslerfb2fce12019-07-10 15:45:51 -050013291 This option enables outgoing health checks using upstream socks4 proxy. By
Alexander Liu2a54bb72019-05-22 19:44:48 +080013292 default, the health checks won't go through socks tunnel even it was enabled
13293 for normal traffic.
13294
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020013295ciphers <ciphers>
Dirkjan Bussink415150f2018-09-14 11:14:21 +020013296 This setting is only available when support for OpenSSL was built in. This
13297 option sets the string describing the list of cipher algorithms that is
13298 negotiated during the SSL/TLS handshake with the server. The format of the
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000013299 string is defined in "man 1 ciphers" from OpenSSL man pages. For background
13300 information and recommendations see e.g.
13301 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
13302 (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
13303 cipher configuration, please check the "ciphersuites" keyword.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020013304
Dirkjan Bussink415150f2018-09-14 11:14:21 +020013305ciphersuites <ciphersuites>
13306 This setting is only available when support for OpenSSL was built in and
13307 OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
13308 describing the list of cipher algorithms that is negotiated during the TLS
13309 1.3 handshake with the server. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000013310 "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
13311 For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
13312 keyword.
Dirkjan Bussink415150f2018-09-14 11:14:21 +020013313
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013314cookie <value>
13315 The "cookie" parameter sets the cookie value assigned to the server to
13316 <value>. This value will be checked in incoming requests, and the first
13317 operational server possessing the same value will be selected. In return, in
13318 cookie insertion or rewrite modes, this value will be assigned to the cookie
13319 sent to the client. There is nothing wrong in having several servers sharing
13320 the same cookie value, and it is in fact somewhat common between normal and
13321 backup servers. See also the "cookie" keyword in backend section.
13322
Emeric Brunef42d922012-10-11 16:11:36 +020013323crl-file <crlfile>
13324 This setting is only available when support for OpenSSL was built in. It
13325 designates a PEM file from which to load certificate revocation list used
13326 to verify server's certificate.
13327
Emeric Bruna7aa3092012-10-26 12:58:00 +020013328crt <cert>
13329 This setting is only available when support for OpenSSL was built in.
13330 It designates a PEM file from which to load both a certificate and the
13331 associated private key. This file can be built by concatenating both PEM
13332 files into one. This certificate will be sent if the server send a client
13333 certificate request.
13334
Willy Tarreau96839092010-03-29 10:02:24 +020013335disabled
13336 The "disabled" keyword starts the server in the "disabled" state. That means
13337 that it is marked down in maintenance mode, and no connection other than the
13338 ones allowed by persist mode will reach it. It is very well suited to setup
13339 new servers, because normal traffic will never reach them, while it is still
13340 possible to test the service by making use of the force-persist mechanism.
Frédéric Lécailled2376272017-03-21 18:52:12 +010013341 See also "enabled" setting.
Willy Tarreau96839092010-03-29 10:02:24 +020013342
Frédéric Lécailled2376272017-03-21 18:52:12 +010013343enabled
13344 This option may be used as 'server' setting to reset any 'disabled'
13345 setting which would have been inherited from 'default-server' directive as
13346 default value.
13347 It may also be used as 'default-server' setting to reset any previous
13348 'default-server' 'disabled' setting.
Willy Tarreau96839092010-03-29 10:02:24 +020013349
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013350error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +010013351 If health observing is enabled, the "error-limit" parameter specifies the
13352 number of consecutive errors that triggers event selected by the "on-error"
13353 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010013354
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013355 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010013356
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013357fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013358 The "fall" parameter states that a server will be considered as dead after
13359 <count> consecutive unsuccessful health checks. This value defaults to 3 if
13360 unspecified. See also the "check", "inter" and "rise" parameters.
13361
Emeric Brun8694b9a2012-10-05 14:39:07 +020013362force-sslv3
13363 This option enforces use of SSLv3 only when SSL is used to communicate with
13364 the server. SSLv3 is generally less expensive than the TLS counterparts for
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013365 high connection rates. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013366 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020013367
13368force-tlsv10
13369 This option enforces use of TLSv1.0 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013370 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013371 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020013372
13373force-tlsv11
13374 This option enforces use of TLSv1.1 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013375 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013376 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020013377
13378force-tlsv12
13379 This option enforces use of TLSv1.2 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013380 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013381 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020013382
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020013383force-tlsv13
13384 This option enforces use of TLSv1.3 only when SSL is used to communicate with
13385 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013386 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020013387
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013388id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +020013389 Set a persistent ID for the server. This ID must be positive and unique for
13390 the proxy. An unused ID will automatically be assigned if unset. The first
13391 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013392
Willy Tarreau6a031d12016-11-07 19:42:35 +010013393init-addr {last | libc | none | <ip>},[...]*
13394 Indicate in what order the server's address should be resolved upon startup
13395 if it uses an FQDN. Attempts are made to resolve the address by applying in
Davor Ocelice9ed2812017-12-25 17:49:28 +010013396 turn each of the methods mentioned in the comma-delimited list. The first
Willy Tarreau6a031d12016-11-07 19:42:35 +010013397 method which succeeds is used. If the end of the list is reached without
13398 finding a working method, an error is thrown. Method "last" suggests to pick
13399 the address which appears in the state file (see "server-state-file"). Method
13400 "libc" uses the libc's internal resolver (gethostbyname() or getaddrinfo()
13401 depending on the operating system and build options). Method "none"
13402 specifically indicates that the server should start without any valid IP
13403 address in a down state. It can be useful to ignore some DNS issues upon
13404 startup, waiting for the situation to get fixed later. Finally, an IP address
13405 (IPv4 or IPv6) may be provided. It can be the currently known address of the
Davor Ocelice9ed2812017-12-25 17:49:28 +010013406 server (e.g. filled by a configuration generator), or the address of a dummy
Willy Tarreau6a031d12016-11-07 19:42:35 +010013407 server used to catch old sessions and present them with a decent error
13408 message for example. When the "first" load balancing algorithm is used, this
13409 IP address could point to a fake server used to trigger the creation of new
13410 instances on the fly. This option defaults to "last,libc" indicating that the
13411 previous address found in the state file (if any) is used first, otherwise
13412 the libc's resolver is used. This ensures continued compatibility with the
Davor Ocelice9ed2812017-12-25 17:49:28 +010013413 historic behavior.
Willy Tarreau6a031d12016-11-07 19:42:35 +010013414
13415 Example:
13416 defaults
13417 # never fail on address resolution
13418 default-server init-addr last,libc,none
13419
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013420inter <delay>
13421fastinter <delay>
13422downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013423 The "inter" parameter sets the interval between two consecutive health checks
13424 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
13425 It is also possible to use "fastinter" and "downinter" to optimize delays
13426 between checks depending on the server state :
13427
Pieter Baauw44fc9df2015-09-17 21:30:46 +020013428 Server state | Interval used
13429 ----------------------------------------+----------------------------------
13430 UP 100% (non-transitional) | "inter"
13431 ----------------------------------------+----------------------------------
13432 Transitionally UP (going down "fall"), | "fastinter" if set,
13433 Transitionally DOWN (going up "rise"), | "inter" otherwise.
13434 or yet unchecked. |
13435 ----------------------------------------+----------------------------------
13436 DOWN 100% (non-transitional) | "downinter" if set,
13437 | "inter" otherwise.
13438 ----------------------------------------+----------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +010013439
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013440 Just as with every other time-based parameter, they can be entered in any
13441 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
13442 serves as a timeout for health checks sent to servers if "timeout check" is
13443 not set. In order to reduce "resonance" effects when multiple servers are
Simon Hormand60d6912013-11-25 10:46:36 +090013444 hosted on the same hardware, the agent and health checks of all servers
13445 are started with a small time offset between them. It is also possible to
13446 add some random noise in the agent and health checks interval using the
13447 global "spread-checks" keyword. This makes sense for instance when a lot
13448 of backends use the same servers.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013449
Emeric Brun97556472020-05-30 01:42:45 +020013450log-proto <logproto>
13451 The "log-proto" specifies the protocol used to forward event messages to
13452 a server configured in a ring section. Possible values are "legacy"
13453 and "octet-count" corresponding respectively to "Non-transparent-framing"
13454 and "Octet counting" in rfc6587. "legacy" is the default.
13455
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013456maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013457 The "maxconn" parameter specifies the maximal number of concurrent
13458 connections that will be sent to this server. If the number of incoming
Tim Duesterhuscefbbd92019-11-27 22:35:27 +010013459 concurrent connections goes higher than this value, they will be queued,
13460 waiting for a slot to be released. This parameter is very important as it can
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013461 save fragile servers from going down under extreme loads. If a "minconn"
13462 parameter is specified, the limit becomes dynamic. The default value is "0"
13463 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
13464 the backend's "fullconn" keyword.
13465
Tim Duesterhuscefbbd92019-11-27 22:35:27 +010013466 In HTTP mode this parameter limits the number of concurrent requests instead
13467 of the number of connections. Multiple requests might be multiplexed over a
13468 single TCP connection to the server. As an example if you specify a maxconn
13469 of 50 you might see between 1 and 50 actual server connections, but no more
13470 than 50 concurrent requests.
13471
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013472maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013473 The "maxqueue" parameter specifies the maximal number of connections which
13474 will wait in the queue for this server. If this limit is reached, next
13475 requests will be redispatched to other servers instead of indefinitely
13476 waiting to be served. This will break persistence but may allow people to
13477 quickly re-log in when the server they try to connect to is dying. The
13478 default value is "0" which means the queue is unlimited. See also the
13479 "maxconn" and "minconn" parameters.
13480
Willy Tarreau9c538e02019-01-23 10:21:49 +010013481max-reuse <count>
13482 The "max-reuse" argument indicates the HTTP connection processors that they
13483 should not reuse a server connection more than this number of times to send
13484 new requests. Permitted values are -1 (the default), which disables this
13485 limit, or any positive value. Value zero will effectively disable keep-alive.
13486 This is only used to work around certain server bugs which cause them to leak
13487 resources over time. The argument is not necessarily respected by the lower
13488 layers as there might be technical limitations making it impossible to
13489 enforce. At least HTTP/2 connections to servers will respect it.
13490
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013491minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013492 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
13493 limit following the backend's load. The server will always accept at least
13494 <minconn> connections, never more than <maxconn>, and the limit will be on
13495 the ramp between both values when the backend has less than <fullconn>
13496 concurrent connections. This makes it possible to limit the load on the
13497 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013498 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013499 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010013500
Willy Tarreaud72f0f32015-10-13 14:50:22 +020013501namespace <name>
13502 On Linux, it is possible to specify which network namespace a socket will
13503 belong to. This directive makes it possible to explicitly bind a server to
13504 a namespace different from the default one. Please refer to your operating
13505 system's documentation to find more details about network namespaces.
13506
Frédéric Lécailled2376272017-03-21 18:52:12 +010013507no-agent-check
13508 This option may be used as "server" setting to reset any "agent-check"
13509 setting which would have been inherited from "default-server" directive as
13510 default value.
13511 It may also be used as "default-server" setting to reset any previous
13512 "default-server" "agent-check" setting.
13513
13514no-backup
13515 This option may be used as "server" setting to reset any "backup"
13516 setting which would have been inherited from "default-server" directive as
13517 default value.
13518 It may also be used as "default-server" setting to reset any previous
13519 "default-server" "backup" setting.
13520
13521no-check
13522 This option may be used as "server" setting to reset any "check"
13523 setting which would have been inherited from "default-server" directive as
13524 default value.
13525 It may also be used as "default-server" setting to reset any previous
13526 "default-server" "check" setting.
13527
13528no-check-ssl
13529 This option may be used as "server" setting to reset any "check-ssl"
13530 setting which would have been inherited from "default-server" directive as
13531 default value.
13532 It may also be used as "default-server" setting to reset any previous
13533 "default-server" "check-ssl" setting.
13534
Frédéric Lécailled2376272017-03-21 18:52:12 +010013535no-send-proxy
13536 This option may be used as "server" setting to reset any "send-proxy"
13537 setting which would have been inherited from "default-server" directive as
13538 default value.
13539 It may also be used as "default-server" setting to reset any previous
13540 "default-server" "send-proxy" setting.
13541
13542no-send-proxy-v2
13543 This option may be used as "server" setting to reset any "send-proxy-v2"
13544 setting which would have been inherited from "default-server" directive as
13545 default value.
13546 It may also be used as "default-server" setting to reset any previous
13547 "default-server" "send-proxy-v2" setting.
13548
13549no-send-proxy-v2-ssl
13550 This option may be used as "server" setting to reset any "send-proxy-v2-ssl"
13551 setting which would have been inherited from "default-server" directive as
13552 default value.
13553 It may also be used as "default-server" setting to reset any previous
13554 "default-server" "send-proxy-v2-ssl" setting.
13555
13556no-send-proxy-v2-ssl-cn
13557 This option may be used as "server" setting to reset any "send-proxy-v2-ssl-cn"
13558 setting which would have been inherited from "default-server" directive as
13559 default value.
13560 It may also be used as "default-server" setting to reset any previous
13561 "default-server" "send-proxy-v2-ssl-cn" setting.
13562
13563no-ssl
13564 This option may be used as "server" setting to reset any "ssl"
13565 setting which would have been inherited from "default-server" directive as
13566 default value.
13567 It may also be used as "default-server" setting to reset any previous
13568 "default-server" "ssl" setting.
13569
Willy Tarreau2a3fb1c2015-02-05 16:47:07 +010013570no-ssl-reuse
13571 This option disables SSL session reuse when SSL is used to communicate with
13572 the server. It will force the server to perform a full handshake for every
13573 new connection. It's probably only useful for benchmarking, troubleshooting,
13574 and for paranoid users.
13575
Emeric Brun9b3009b2012-10-05 11:55:06 +020013576no-sslv3
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020013577 This option disables support for SSLv3 when SSL is used to communicate with
13578 the server. Note that SSLv2 is disabled in the code and cannot be enabled
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013579 using any configuration option. Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020013580
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020013581 Supported in default-server: No
13582
Emeric Brunf9c5c472012-10-11 15:28:34 +020013583no-tls-tickets
13584 This setting is only available when support for OpenSSL was built in. It
13585 disables the stateless session resumption (RFC 5077 TLS Ticket
13586 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013587 session resumption is more expensive in CPU usage for servers. This option
13588 is also available on global statement "ssl-default-server-options".
Lukas Tribusbdb386d2020-03-10 00:56:09 +010013589 The TLS ticket mechanism is only used up to TLS 1.2.
13590 Forward Secrecy is compromised with TLS tickets, unless ticket keys
13591 are periodically rotated (via reload or by using "tls-ticket-keys").
Frédéric Lécailled2376272017-03-21 18:52:12 +010013592 See also "tls-tickets".
Emeric Brunf9c5c472012-10-11 15:28:34 +020013593
Emeric Brun9b3009b2012-10-05 11:55:06 +020013594no-tlsv10
Emeric Brun8694b9a2012-10-05 14:39:07 +020013595 This option disables support for TLSv1.0 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +020013596 the server. Note that SSLv2 is disabled in the code and cannot be enabled
13597 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013598 often makes sense to disable it when communicating with local servers. This
13599 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013600 Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreau763a95b2012-10-04 23:15:39 +020013601
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020013602 Supported in default-server: No
13603
Emeric Brun9b3009b2012-10-05 11:55:06 +020013604no-tlsv11
Emeric Brun8694b9a2012-10-05 14:39:07 +020013605 This option disables support for TLSv1.1 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +020013606 the server. Note that SSLv2 is disabled in the code and cannot be enabled
13607 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013608 often makes sense to disable it when communicating with local servers. This
13609 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013610 Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreau763a95b2012-10-04 23:15:39 +020013611
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020013612 Supported in default-server: No
13613
Emeric Brun9b3009b2012-10-05 11:55:06 +020013614no-tlsv12
Emeric Brun8694b9a2012-10-05 14:39:07 +020013615 This option disables support for TLSv1.2 when SSL is used to communicate with
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020013616 the server. Note that SSLv2 is disabled in the code and cannot be enabled
13617 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013618 often makes sense to disable it when communicating with local servers. This
13619 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013620 Use "ssl-min-ver" and "ssl-max-ver" instead.
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020013621
13622 Supported in default-server: No
13623
13624no-tlsv13
13625 This option disables support for TLSv1.3 when SSL is used to communicate with
13626 the server. Note that SSLv2 is disabled in the code and cannot be enabled
13627 using any configuration option. TLSv1 is more expensive than SSLv3 so it
13628 often makes sense to disable it when communicating with local servers. This
13629 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013630 Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020013631
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020013632 Supported in default-server: No
13633
Frédéric Lécailled2376272017-03-21 18:52:12 +010013634no-verifyhost
13635 This option may be used as "server" setting to reset any "verifyhost"
13636 setting which would have been inherited from "default-server" directive as
13637 default value.
13638 It may also be used as "default-server" setting to reset any previous
13639 "default-server" "verifyhost" setting.
Willy Tarreau763a95b2012-10-04 23:15:39 +020013640
Frédéric Lécaille1b9423d2019-07-04 14:19:06 +020013641no-tfo
13642 This option may be used as "server" setting to reset any "tfo"
13643 setting which would have been inherited from "default-server" directive as
13644 default value.
13645 It may also be used as "default-server" setting to reset any previous
13646 "default-server" "tfo" setting.
13647
Simon Hormanfa461682011-06-25 09:39:49 +090013648non-stick
13649 Never add connections allocated to this sever to a stick-table.
13650 This may be used in conjunction with backup to ensure that
13651 stick-table persistence is disabled for backup servers.
13652
Olivier Houchardc7566002018-11-20 23:33:50 +010013653npn <protocols>
13654 This enables the NPN TLS extension and advertises the specified protocol list
13655 as supported on top of NPN. The protocol list consists in a comma-delimited
13656 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
John Roeslerfb2fce12019-07-10 15:45:51 -050013657 This requires that the SSL library is built with support for TLS extensions
Olivier Houchardc7566002018-11-20 23:33:50 +010013658 enabled (check with haproxy -vv). Note that the NPN extension has been
13659 replaced with the ALPN extension (see the "alpn" keyword), though this one is
13660 only available starting with OpenSSL 1.0.2.
13661
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010013662observe <mode>
13663 This option enables health adjusting based on observing communication with
13664 the server. By default this functionality is disabled and enabling it also
13665 requires to enable health checks. There are two supported modes: "layer4" and
13666 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
13667 significant. In layer7, which is only allowed for http proxies, responses
13668 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +010013669 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010013670
13671 See also the "check", "on-error" and "error-limit".
13672
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013673on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010013674 Select what should happen when enough consecutive errors are detected.
13675 Currently, four modes are available:
13676 - fastinter: force fastinter
13677 - fail-check: simulate a failed check, also forces fastinter (default)
13678 - sudden-death: simulate a pre-fatal failed health check, one more failed
13679 check will mark a server down, forces fastinter
13680 - mark-down: mark the server immediately down and force fastinter
13681
13682 See also the "check", "observe" and "error-limit".
13683
Simon Hormane0d1bfb2011-06-21 14:34:58 +090013684on-marked-down <action>
13685 Modify what occurs when a server is marked down.
13686 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070013687 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
13688 all connections to the server are immediately terminated when the server
13689 goes down. It might be used if the health check detects more complex cases
13690 than a simple connection status, and long timeouts would cause the service
13691 to remain unresponsive for too long a time. For instance, a health check
13692 might detect that a database is stuck and that there's no chance to reuse
13693 existing connections anymore. Connections killed this way are logged with
13694 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +090013695
13696 Actions are disabled by default
13697
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070013698on-marked-up <action>
13699 Modify what occurs when a server is marked up.
13700 Currently one action is available:
13701 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
13702 done only if the server is not in backup state and if it is not disabled
13703 (it must have an effective weight > 0). This can be used sometimes to force
13704 an active server to take all the traffic back after recovery when dealing
Davor Ocelice9ed2812017-12-25 17:49:28 +010013705 with long sessions (e.g. LDAP, SQL, ...). Doing this can cause more trouble
13706 than it tries to solve (e.g. incomplete transactions), so use this feature
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070013707 with extreme care. Sessions killed because a server comes up are logged
13708 with an 'U' termination code (for "Up").
13709
13710 Actions are disabled by default
13711
Willy Tarreau2f3f4d32020-07-01 07:43:51 +020013712pool-low-conn <max>
13713 Set a low threshold on the number of idling connections for a server, below
13714 which a thread will not try to steal a connection from another thread. This
13715 can be useful to improve CPU usage patterns in scenarios involving many very
13716 fast servers, in order to ensure all threads will keep a few idle connections
13717 all the time instead of letting them accumulate over one thread and migrating
13718 them from thread to thread. Typical values of twice the number of threads
13719 seem to show very good performance already with sub-millisecond response
13720 times. The default is zero, indicating that any idle connection can be used
13721 at any time. It is the recommended setting for normal use. This only applies
13722 to connections that can be shared according to the same principles as those
13723 applying to "http-reuse".
13724
Olivier Houchard006e3102018-12-10 18:30:32 +010013725pool-max-conn <max>
13726 Set the maximum number of idling connections for a server. -1 means unlimited
13727 connections, 0 means no idle connections. The default is -1. When idle
13728 connections are enabled, orphaned idle connections which do not belong to any
13729 client session anymore are moved to a dedicated pool so that they remain
13730 usable by future clients. This only applies to connections that can be shared
13731 according to the same principles as those applying to "http-reuse".
13732
Olivier Houchardb7b3faa2018-12-14 18:15:36 +010013733pool-purge-delay <delay>
13734 Sets the delay to start purging idle connections. Each <delay> interval, half
Olivier Houcharda56eebf2019-03-19 16:44:02 +010013735 of the idle connections are closed. 0 means we don't keep any idle connection.
Willy Tarreaufb553652019-06-04 14:06:31 +020013736 The default is 5s.
Olivier Houchardb7b3faa2018-12-14 18:15:36 +010013737
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013738port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013739 Using the "port" parameter, it becomes possible to use a different port to
13740 send health-checks. On some servers, it may be desirable to dedicate a port
13741 to a specific component able to perform complex tests which are more suitable
13742 to health-checks than the application. It is common to run a simple script in
13743 inetd for instance. This parameter is ignored if the "check" parameter is not
13744 set. See also the "addr" parameter.
13745
Christopher Faulet8ed0a3e2018-04-10 14:45:45 +020013746proto <name>
Christopher Faulet8ed0a3e2018-04-10 14:45:45 +020013747 Forces the multiplexer's protocol to use for the outgoing connections to this
13748 server. It must be compatible with the mode of the backend (TCP or HTTP). It
13749 must also be usable on the backend side. The list of available protocols is
13750 reported in haproxy -vv.
Daniel Corbett67a82712020-07-06 23:01:19 -040013751 Idea behind this option is to bypass the selection of the best multiplexer's
Christopher Faulet8ed0a3e2018-04-10 14:45:45 +020013752 protocol for all connections established to this server.
13753
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013754redir <prefix>
13755 The "redir" parameter enables the redirection mode for all GET and HEAD
13756 requests addressing this server. This means that instead of having HAProxy
13757 forward the request to the server, it will send an "HTTP 302" response with
13758 the "Location" header composed of this prefix immediately followed by the
13759 requested URI beginning at the leading '/' of the path component. That means
13760 that no trailing slash should be used after <prefix>. All invalid requests
13761 will be rejected, and all non-GET or HEAD requests will be normally served by
13762 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013763 mangling nor cookie insertion is possible in the response. However, cookies in
Davor Ocelice9ed2812017-12-25 17:49:28 +010013764 requests are still analyzed, making this solution completely usable to direct
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013765 users to a remote location in case of local disaster. Main use consists in
13766 increasing bandwidth for static servers by having the clients directly
13767 connect to them. Note: never use a relative location here, it would cause a
13768 loop between the client and HAProxy!
13769
13770 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
13771
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013772rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013773 The "rise" parameter states that a server will be considered as operational
13774 after <count> consecutive successful health checks. This value defaults to 2
13775 if unspecified. See also the "check", "inter" and "fall" parameters.
13776
Baptiste Assmann8e2d9432018-06-22 15:04:43 +020013777resolve-opts <option>,<option>,...
13778 Comma separated list of options to apply to DNS resolution linked to this
13779 server.
13780
13781 Available options:
13782
13783 * allow-dup-ip
13784 By default, HAProxy prevents IP address duplication in a backend when DNS
13785 resolution at runtime is in operation.
13786 That said, for some cases, it makes sense that two servers (in the same
13787 backend, being resolved by the same FQDN) have the same IP address.
13788 For such case, simply enable this option.
13789 This is the opposite of prevent-dup-ip.
13790
Daniel Corbettf8716912019-11-17 09:48:56 -050013791 * ignore-weight
13792 Ignore any weight that is set within an SRV record. This is useful when
13793 you would like to control the weights using an alternate method, such as
13794 using an "agent-check" or through the runtime api.
13795
Baptiste Assmann8e2d9432018-06-22 15:04:43 +020013796 * prevent-dup-ip
13797 Ensure HAProxy's default behavior is enforced on a server: prevent re-using
13798 an IP address already set to a server in the same backend and sharing the
13799 same fqdn.
13800 This is the opposite of allow-dup-ip.
13801
13802 Example:
13803 backend b_myapp
13804 default-server init-addr none resolvers dns
13805 server s1 myapp.example.com:80 check resolve-opts allow-dup-ip
13806 server s2 myapp.example.com:81 check resolve-opts allow-dup-ip
13807
13808 With the option allow-dup-ip set:
13809 * if the nameserver returns a single IP address, then both servers will use
13810 it
13811 * If the nameserver returns 2 IP addresses, then each server will pick up a
13812 different address
13813
13814 Default value: not set
13815
Baptiste Assmann1fa66662015-04-14 00:28:47 +020013816resolve-prefer <family>
13817 When DNS resolution is enabled for a server and multiple IP addresses from
13818 different families are returned, HAProxy will prefer using an IP address
13819 from the family mentioned in the "resolve-prefer" parameter.
13820 Available families: "ipv4" and "ipv6"
13821
Baptiste Assmannc4aabae2015-08-04 22:43:06 +020013822 Default value: ipv6
13823
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020013824 Example:
13825
13826 server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6
Baptiste Assmann1fa66662015-04-14 00:28:47 +020013827
Thierry Fournierac88cfe2016-02-17 22:05:30 +010013828resolve-net <network>[,<network[,...]]
John Roeslerfb2fce12019-07-10 15:45:51 -050013829 This option prioritizes the choice of an ip address matching a network. This is
Thierry Fournierac88cfe2016-02-17 22:05:30 +010013830 useful with clouds to prefer a local ip. In some cases, a cloud high
Tim Düsterhus4896c442016-11-29 02:15:19 +010013831 availability service can be announced with many ip addresses on many
Davor Ocelice9ed2812017-12-25 17:49:28 +010013832 different datacenters. The latency between datacenter is not negligible, so
13833 this patch permits to prefer a local datacenter. If no address matches the
Thierry Fournierac88cfe2016-02-17 22:05:30 +010013834 configured network, another address is selected.
13835
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020013836 Example:
13837
13838 server s1 app1.domain.com:80 resolvers mydns resolve-net 10.0.0.0/8
Thierry Fournierac88cfe2016-02-17 22:05:30 +010013839
Baptiste Assmann1fa66662015-04-14 00:28:47 +020013840resolvers <id>
13841 Points to an existing "resolvers" section to resolve current server's
13842 hostname.
13843
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020013844 Example:
13845
13846 server s1 app1.domain.com:80 check resolvers mydns
Baptiste Assmann1fa66662015-04-14 00:28:47 +020013847
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020013848 See also section 5.3
Baptiste Assmann1fa66662015-04-14 00:28:47 +020013849
Willy Tarreau5ab04ec2011-03-20 10:32:26 +010013850send-proxy
13851 The "send-proxy" parameter enforces use of the PROXY protocol over any
13852 connection established to this server. The PROXY protocol informs the other
13853 end about the layer 3/4 addresses of the incoming connection, so that it can
13854 know the client's address or the public address it accessed to, whatever the
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010013855 upper layer protocol. For connections accepted by an "accept-proxy" or
13856 "accept-netscaler-cip" listener, the advertised address will be used. Only
13857 TCPv4 and TCPv6 address families are supported. Other families such as
13858 Unix sockets, will report an UNKNOWN family. Servers using this option can
13859 fully be chained to another instance of haproxy listening with an
13860 "accept-proxy" setting. This setting must not be used if the server isn't
13861 aware of the protocol. When health checks are sent to the server, the PROXY
13862 protocol is automatically used when this option is set, unless there is an
13863 explicit "port" or "addr" directive, in which case an explicit
13864 "check-send-proxy" directive would also be needed to use the PROXY protocol.
Frédéric Lécailled2376272017-03-21 18:52:12 +010013865 See also the "no-send-proxy" option of this section and "accept-proxy" and
13866 "accept-netscaler-cip" option of the "bind" keyword.
Willy Tarreau5ab04ec2011-03-20 10:32:26 +010013867
David Safb76832014-05-08 23:42:08 -040013868send-proxy-v2
13869 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2
13870 over any connection established to this server. The PROXY protocol informs
13871 the other end about the layer 3/4 addresses of the incoming connection, so
13872 that it can know the client's address or the public address it accessed to,
Emmanuel Hocdet404d9782017-10-24 10:55:14 +020013873 whatever the upper layer protocol. It also send ALPN information if an alpn
13874 have been negotiated. This setting must not be used if the server isn't aware
13875 of this version of the protocol. See also the "no-send-proxy-v2" option of
13876 this section and send-proxy" option of the "bind" keyword.
David Safb76832014-05-08 23:42:08 -040013877
Emmanuel Hocdetf643b802018-02-01 15:20:32 +010013878proxy-v2-options <option>[,<option>]*
Tim Duesterhuscf6e0c82020-03-13 12:34:24 +010013879 The "proxy-v2-options" parameter add options to send in PROXY protocol
13880 version 2 when "send-proxy-v2" is used. Options available are:
13881
13882 - ssl : See also "send-proxy-v2-ssl".
13883 - cert-cn : See also "send-proxy-v2-ssl-cn".
13884 - ssl-cipher: Name of the used cipher.
13885 - cert-sig : Signature algorithm of the used certificate.
13886 - cert-key : Key algorithm of the used certificate
13887 - authority : Host name value passed by the client (only SNI from a TLS
13888 connection is supported).
13889 - crc32c : Checksum of the PROXYv2 header.
13890 - unique-id : Send a unique ID generated using the frontend's
13891 "unique-id-format" within the PROXYv2 header.
13892 This unique-id is primarily meant for "mode tcp". It can
13893 lead to unexpected results in "mode http", because the
13894 generated unique ID is also used for the first HTTP request
13895 within a Keep-Alive connection.
Emmanuel Hocdetf643b802018-02-01 15:20:32 +010013896
David Safb76832014-05-08 23:42:08 -040013897send-proxy-v2-ssl
13898 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
13899 2 over any connection established to this server. The PROXY protocol informs
13900 the other end about the layer 3/4 addresses of the incoming connection, so
13901 that it can know the client's address or the public address it accessed to,
13902 whatever the upper layer protocol. In addition, the SSL information extension
13903 of the PROXY protocol is added to the PROXY protocol header. This setting
13904 must not be used if the server isn't aware of this version of the protocol.
Frédéric Lécailled2376272017-03-21 18:52:12 +010013905 See also the "no-send-proxy-v2-ssl" option of this section and the
13906 "send-proxy-v2" option of the "bind" keyword.
David Safb76832014-05-08 23:42:08 -040013907
13908send-proxy-v2-ssl-cn
13909 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
13910 2 over any connection established to this server. The PROXY protocol informs
13911 the other end about the layer 3/4 addresses of the incoming connection, so
13912 that it can know the client's address or the public address it accessed to,
13913 whatever the upper layer protocol. In addition, the SSL information extension
13914 of the PROXY protocol, along along with the Common Name from the subject of
13915 the client certificate (if any), is added to the PROXY protocol header. This
13916 setting must not be used if the server isn't aware of this version of the
Davor Ocelice9ed2812017-12-25 17:49:28 +010013917 protocol. See also the "no-send-proxy-v2-ssl-cn" option of this section and
13918 the "send-proxy-v2" option of the "bind" keyword.
David Safb76832014-05-08 23:42:08 -040013919
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013920slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013921 The "slowstart" parameter for a server accepts a value in milliseconds which
13922 indicates after how long a server which has just come back up will run at
13923 full speed. Just as with every other time-based parameter, it can be entered
13924 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
13925 linearly from 0 to 100% during this time. The limitation applies to two
13926 parameters :
13927
13928 - maxconn: the number of connections accepted by the server will grow from 1
13929 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
13930
13931 - weight: when the backend uses a dynamic weighted algorithm, the weight
13932 grows linearly from 1 to 100%. In this case, the weight is updated at every
13933 health-check. For this reason, it is important that the "inter" parameter
13934 is smaller than the "slowstart", in order to maximize the number of steps.
13935
13936 The slowstart never applies when haproxy starts, otherwise it would cause
13937 trouble to running servers. It only applies when a server has been previously
13938 seen as failed.
13939
Willy Tarreau732eac42015-07-09 11:40:25 +020013940sni <expression>
13941 The "sni" parameter evaluates the sample fetch expression, converts it to a
13942 string and uses the result as the host name sent in the SNI TLS extension to
13943 the server. A typical use case is to send the SNI received from the client in
13944 a bridged HTTPS scenario, using the "ssl_fc_sni" sample fetch for the
Willy Tarreau2ab88672017-07-05 18:23:03 +020013945 expression, though alternatives such as req.hdr(host) can also make sense. If
13946 "verify required" is set (which is the recommended setting), the resulting
Willy Tarreauad92a9a2017-07-28 11:38:41 +020013947 name will also be matched against the server certificate's names. See the
Jérôme Magninb36a6d22018-12-09 16:03:40 +010013948 "verify" directive for more details. If you want to set a SNI for health
13949 checks, see the "check-sni" directive for more details.
Willy Tarreau732eac42015-07-09 11:40:25 +020013950
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020013951source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +020013952source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020013953source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013954 The "source" parameter sets the source address which will be used when
13955 connecting to the server. It follows the exact same parameters and principle
13956 as the backend "source" keyword, except that it only applies to the server
13957 referencing it. Please consult the "source" keyword for details.
13958
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020013959 Additionally, the "source" statement on a server line allows one to specify a
13960 source port range by indicating the lower and higher bounds delimited by a
13961 dash ('-'). Some operating systems might require a valid IP address when a
13962 source port range is specified. It is permitted to have the same IP/range for
13963 several servers. Doing so makes it possible to bypass the maximum of 64k
13964 total concurrent connections. The limit will then reach 64k connections per
13965 server.
13966
Lukas Tribus7d56c6d2016-09-13 09:51:15 +000013967 Since Linux 4.2/libc 2.23 IP_BIND_ADDRESS_NO_PORT is set for connections
13968 specifying the source address without port(s).
13969
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020013970ssl
Willy Tarreau44f65392013-06-25 07:56:20 +020013971 This option enables SSL ciphering on outgoing connections to the server. It
13972 is critical to verify server certificates using "verify" when using SSL to
13973 connect to servers, otherwise the communication is prone to trivial man in
13974 the-middle attacks rendering SSL useless. When this option is used, health
13975 checks are automatically sent in SSL too unless there is a "port" or an
13976 "addr" directive indicating the check should be sent to a different location.
Frédéric Lécailled2376272017-03-21 18:52:12 +010013977 See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
13978 SSL health checks.
Willy Tarreau763a95b2012-10-04 23:15:39 +020013979
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013980ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
13981 This option enforces use of <version> or lower when SSL is used to communicate
13982 with the server. This option is also available on global statement
13983 "ssl-default-server-options". See also "ssl-min-ver".
13984
13985ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
13986 This option enforces use of <version> or upper when SSL is used to communicate
13987 with the server. This option is also available on global statement
13988 "ssl-default-server-options". See also "ssl-max-ver".
13989
Frédéric Lécailled2376272017-03-21 18:52:12 +010013990ssl-reuse
13991 This option may be used as "server" setting to reset any "no-ssl-reuse"
13992 setting which would have been inherited from "default-server" directive as
13993 default value.
13994 It may also be used as "default-server" setting to reset any previous
13995 "default-server" "no-ssl-reuse" setting.
13996
13997stick
13998 This option may be used as "server" setting to reset any "non-stick"
13999 setting which would have been inherited from "default-server" directive as
14000 default value.
14001 It may also be used as "default-server" setting to reset any previous
14002 "default-server" "non-stick" setting.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014003
Alexander Liu2a54bb72019-05-22 19:44:48 +080014004socks4 <addr>:<port>
John Roeslerfb2fce12019-07-10 15:45:51 -050014005 This option enables upstream socks4 tunnel for outgoing connections to the
Alexander Liu2a54bb72019-05-22 19:44:48 +080014006 server. Using this option won't force the health check to go via socks4 by
14007 default. You will have to use the keyword "check-via-socks4" to enable it.
14008
Willy Tarreau163d4622015-10-13 16:16:41 +020014009tcp-ut <delay>
14010 Sets the TCP User Timeout for all outgoing connections to this server. This
14011 option is available on Linux since version 2.6.37. It allows haproxy to
14012 configure a timeout for sockets which contain data not receiving an
Davor Ocelice9ed2812017-12-25 17:49:28 +010014013 acknowledgment for the configured delay. This is especially useful on
Willy Tarreau163d4622015-10-13 16:16:41 +020014014 long-lived connections experiencing long idle periods such as remote
14015 terminals or database connection pools, where the client and server timeouts
14016 must remain high to allow a long period of idle, but where it is important to
14017 detect that the server has disappeared in order to release all resources
14018 associated with its connection (and the client's session). One typical use
14019 case is also to force dead server connections to die when health checks are
14020 too slow or during a soft reload since health checks are then disabled. The
14021 argument is a delay expressed in milliseconds by default. This only works for
14022 regular TCP connections, and is ignored for other protocols.
14023
Willy Tarreau034c88c2017-01-23 23:36:45 +010014024tfo
14025 This option enables using TCP fast open when connecting to servers, on
14026 systems that support it (currently only the Linux kernel >= 4.11).
14027 See the "tfo" bind option for more information about TCP fast open.
14028 Please note that when using tfo, you should also use the "conn-failure",
14029 "empty-response" and "response-timeout" keywords for "retry-on", or haproxy
Frédéric Lécaille1b9423d2019-07-04 14:19:06 +020014030 won't be able to retry the connection on failure. See also "no-tfo".
Willy Tarreau034c88c2017-01-23 23:36:45 +010014031
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014032track [<proxy>/]<server>
Willy Tarreau32091232014-05-16 13:52:00 +020014033 This option enables ability to set the current state of the server by tracking
14034 another one. It is possible to track a server which itself tracks another
14035 server, provided that at the end of the chain, a server has health checks
14036 enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014037 used, it has to be enabled on both proxies.
14038
Frédéric Lécailled2376272017-03-21 18:52:12 +010014039tls-tickets
14040 This option may be used as "server" setting to reset any "no-tls-tickets"
14041 setting which would have been inherited from "default-server" directive as
14042 default value.
Lukas Tribusbdb386d2020-03-10 00:56:09 +010014043 The TLS ticket mechanism is only used up to TLS 1.2.
14044 Forward Secrecy is compromised with TLS tickets, unless ticket keys
14045 are periodically rotated (via reload or by using "tls-ticket-keys").
Frédéric Lécailled2376272017-03-21 18:52:12 +010014046 It may also be used as "default-server" setting to reset any previous
Bjoern Jacke5ab7eb62020-02-13 14:16:16 +010014047 "default-server" "no-tls-tickets" setting.
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014048
Emeric Brunef42d922012-10-11 16:11:36 +020014049verify [none|required]
14050 This setting is only available when support for OpenSSL was built in. If set
Emeric Brun850efd52014-01-29 12:24:34 +010014051 to 'none', server certificate is not verified. In the other case, The
Willy Tarreauad92a9a2017-07-28 11:38:41 +020014052 certificate provided by the server is verified using CAs from 'ca-file' and
14053 optional CRLs from 'crl-file' after having checked that the names provided in
Davor Ocelice9ed2812017-12-25 17:49:28 +010014054 the certificate's subject and subjectAlternateNames attributes match either
Willy Tarreauad92a9a2017-07-28 11:38:41 +020014055 the name passed using the "sni" directive, or if not provided, the static
14056 host name passed using the "verifyhost" directive. When no name is found, the
14057 certificate's names are ignored. For this reason, without SNI it's important
14058 to use "verifyhost". On verification failure the handshake is aborted. It is
14059 critically important to verify server certificates when using SSL to connect
14060 to servers, otherwise the communication is prone to trivial man-in-the-middle
14061 attacks rendering SSL totally useless. Unless "ssl_server_verify" appears in
14062 the global section, "verify" is set to "required" by default.
Emeric Brunef42d922012-10-11 16:11:36 +020014063
Evan Broderbe554312013-06-27 00:05:25 -070014064verifyhost <hostname>
14065 This setting is only available when support for OpenSSL was built in, and
Willy Tarreauad92a9a2017-07-28 11:38:41 +020014066 only takes effect if 'verify required' is also specified. This directive sets
14067 a default static hostname to check the server's certificate against when no
14068 SNI was used to connect to the server. If SNI is not used, this is the only
14069 way to enable hostname verification. This static hostname, when set, will
14070 also be used for health checks (which cannot provide an SNI value). If none
14071 of the hostnames in the certificate match the specified hostname, the
14072 handshake is aborted. The hostnames in the server-provided certificate may
14073 include wildcards. See also "verify", "sni" and "no-verifyhost" options.
Evan Broderbe554312013-06-27 00:05:25 -070014074
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014075weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014076 The "weight" parameter is used to adjust the server's weight relative to
14077 other servers. All servers will receive a load proportional to their weight
14078 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +020014079 load. The default weight is 1, and the maximal value is 256. A value of 0
14080 means the server will not participate in load-balancing but will still accept
14081 persistent connections. If this parameter is used to distribute the load
14082 according to server's capacity, it is recommended to start with values which
14083 can both grow and shrink, for instance between 10 and 100 to leave enough
14084 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014085
14086
Cyril Bonté46175dd2015-07-02 22:45:32 +0200140875.3. Server IP address resolution using DNS
14088-------------------------------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014089
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014090HAProxy allows using a host name on the server line to retrieve its IP address
14091using name servers. By default, HAProxy resolves the name when parsing the
14092configuration file, at startup and cache the result for the process' life.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014093This is not sufficient in some cases, such as in Amazon where a server's IP
14094can change after a reboot or an ELB Virtual IP can change based on current
14095workload.
14096This chapter describes how HAProxy can be configured to process server's name
14097resolution at run time.
14098Whether run time server name resolution has been enable or not, HAProxy will
14099carry on doing the first resolution when parsing the configuration.
14100
14101
Cyril Bonté46175dd2015-07-02 22:45:32 +0200141025.3.1. Global overview
14103----------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014104
14105As we've seen in introduction, name resolution in HAProxy occurs at two
14106different steps of the process life:
14107
14108 1. when starting up, HAProxy parses the server line definition and matches a
14109 host name. It uses libc functions to get the host name resolved. This
14110 resolution relies on /etc/resolv.conf file.
14111
Christopher Faulet67957bd2017-09-27 11:00:59 +020014112 2. at run time, HAProxy performs periodically name resolutions for servers
14113 requiring DNS resolutions.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014114
14115A few other events can trigger a name resolution at run time:
14116 - when a server's health check ends up in a connection timeout: this may be
14117 because the server has a new IP address. So we need to trigger a name
14118 resolution to know this new IP.
14119
Christopher Faulet67957bd2017-09-27 11:00:59 +020014120When using resolvers, the server name can either be a hostname, or a SRV label.
Davor Ocelice9ed2812017-12-25 17:49:28 +010014121HAProxy considers anything that starts with an underscore as a SRV label. If a
Christopher Faulet67957bd2017-09-27 11:00:59 +020014122SRV label is specified, then the corresponding SRV records will be retrieved
14123from the DNS server, and the provided hostnames will be used. The SRV label
14124will be checked periodically, and if any server are added or removed, haproxy
14125will automatically do the same.
Olivier Houchardecfa18d2017-08-07 17:30:03 +020014126
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014127A few things important to notice:
John Roeslerfb2fce12019-07-10 15:45:51 -050014128 - all the name servers are queried in the meantime. HAProxy will process the
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014129 first valid response.
14130
14131 - a resolution is considered as invalid (NX, timeout, refused), when all the
14132 servers return an error.
14133
14134
Cyril Bonté46175dd2015-07-02 22:45:32 +0200141355.3.2. The resolvers section
14136----------------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014137
14138This section is dedicated to host information related to name resolution in
Christopher Faulet67957bd2017-09-27 11:00:59 +020014139HAProxy. There can be as many as resolvers section as needed. Each section can
14140contain many name servers.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014141
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014142When multiple name servers are configured in a resolvers section, then HAProxy
14143uses the first valid response. In case of invalid responses, only the last one
14144is treated. Purpose is to give the chance to a slow server to deliver a valid
14145answer after a fast faulty or outdated server.
14146
14147When each server returns a different error type, then only the last error is
Christopher Faulet67957bd2017-09-27 11:00:59 +020014148used by HAProxy. The following processing is applied on this error:
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014149
Christopher Faulet67957bd2017-09-27 11:00:59 +020014150 1. HAProxy retries the same DNS query with a new query type. The A queries are
14151 switch to AAAA or the opposite. SRV queries are not concerned here. Timeout
14152 errors are also excluded.
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014153
Christopher Faulet67957bd2017-09-27 11:00:59 +020014154 2. When the fallback on the query type was done (or not applicable), HAProxy
14155 retries the original DNS query, with the preferred query type.
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014156
Christopher Faulet67957bd2017-09-27 11:00:59 +020014157 3. HAProxy retries previous steps <resolve_retires> times. If no valid
14158 response is received after that, it stops the DNS resolution and reports
14159 the error.
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014160
Christopher Faulet67957bd2017-09-27 11:00:59 +020014161For example, with 2 name servers configured in a resolvers section, the
14162following scenarios are possible:
14163
14164 - First response is valid and is applied directly, second response is
14165 ignored
14166
14167 - First response is invalid and second one is valid, then second response is
14168 applied
14169
14170 - First response is a NX domain and second one a truncated response, then
14171 HAProxy retries the query with a new type
14172
14173 - First response is a NX domain and second one is a timeout, then HAProxy
14174 retries the query with a new type
14175
14176 - Query timed out for both name servers, then HAProxy retries it with the
14177 same query type
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014178
Olivier Houcharda8c6db82017-07-06 18:46:47 +020014179As a DNS server may not answer all the IPs in one DNS request, haproxy keeps
14180a cache of previous answers, an answer will be considered obsolete after
Christopher Faulet67957bd2017-09-27 11:00:59 +020014181<hold obsolete> seconds without the IP returned.
Olivier Houcharda8c6db82017-07-06 18:46:47 +020014182
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014183
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014184resolvers <resolvers id>
Davor Ocelice9ed2812017-12-25 17:49:28 +010014185 Creates a new name server list labeled <resolvers id>
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014186
14187A resolvers section accept the following parameters:
14188
Baptiste Assmann2af08fe2017-08-14 00:13:01 +020014189accepted_payload_size <nb>
Davor Ocelice9ed2812017-12-25 17:49:28 +010014190 Defines the maximum payload size accepted by HAProxy and announced to all the
Christopher Faulet67957bd2017-09-27 11:00:59 +020014191 name servers configured in this resolvers section.
Baptiste Assmann2af08fe2017-08-14 00:13:01 +020014192 <nb> is in bytes. If not set, HAProxy announces 512. (minimal value defined
14193 by RFC 6891)
14194
Baptiste Assmann9d8dbbc2017-08-18 23:35:08 +020014195 Note: the maximum allowed value is 8192.
14196
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014197nameserver <id> <ip>:<port>
14198 DNS server description:
14199 <id> : label of the server, should be unique
14200 <ip> : IP address of the server
14201 <port> : port where the DNS service actually runs
14202
Ben Draut44e609b2018-05-29 15:40:08 -060014203parse-resolv-conf
14204 Adds all nameservers found in /etc/resolv.conf to this resolvers nameservers
14205 list. Ordered as if each nameserver in /etc/resolv.conf was individually
14206 placed in the resolvers section in place of this directive.
14207
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014208hold <status> <period>
14209 Defines <period> during which the last name resolution should be kept based
14210 on last resolution <status>
Baptiste Assmann987e16d2016-11-02 22:23:31 +010014211 <status> : last name resolution status. Acceptable values are "nx",
Olivier Houcharda8c6db82017-07-06 18:46:47 +020014212 "other", "refused", "timeout", "valid", "obsolete".
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014213 <period> : interval between two successive name resolution when the last
14214 answer was in <status>. It follows the HAProxy time format.
14215 <period> is in milliseconds by default.
14216
Baptiste Assmann686408b2017-08-18 10:15:42 +020014217 Default value is 10s for "valid", 0s for "obsolete" and 30s for others.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014218
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014219resolve_retries <nb>
14220 Defines the number <nb> of queries to send to resolve a server name before
14221 giving up.
14222 Default value: 3
14223
Baptiste Assmann62b75b42015-09-09 01:11:36 +020014224 A retry occurs on name server timeout or when the full sequence of DNS query
14225 type failover is over and we need to start up from the default ANY query
14226 type.
14227
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014228timeout <event> <time>
14229 Defines timeouts related to name resolution
14230 <event> : the event on which the <time> timeout period applies to.
14231 events available are:
Frédéric Lécaille93d33162019-03-06 09:35:59 +010014232 - resolve : default time to trigger name resolutions when no
14233 other time applied.
Christopher Faulet67957bd2017-09-27 11:00:59 +020014234 Default value: 1s
14235 - retry : time between two DNS queries, when no valid response
Frédéric Lécaille93d33162019-03-06 09:35:59 +010014236 have been received.
Christopher Faulet67957bd2017-09-27 11:00:59 +020014237 Default value: 1s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014238 <time> : time related to the event. It follows the HAProxy time format.
14239 <time> is expressed in milliseconds.
14240
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020014241 Example:
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014242
14243 resolvers mydns
14244 nameserver dns1 10.0.0.1:53
14245 nameserver dns2 10.0.0.2:53
Ben Draut44e609b2018-05-29 15:40:08 -060014246 parse-resolv-conf
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014247 resolve_retries 3
Christopher Faulet67957bd2017-09-27 11:00:59 +020014248 timeout resolve 1s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014249 timeout retry 1s
Baptiste Assmann987e16d2016-11-02 22:23:31 +010014250 hold other 30s
14251 hold refused 30s
14252 hold nx 30s
14253 hold timeout 30s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014254 hold valid 10s
Olivier Houcharda8c6db82017-07-06 18:46:47 +020014255 hold obsolete 30s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014256
14257
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200142586. Cache
14259---------
14260
14261HAProxy provides a cache, which was designed to perform cache on small objects
14262(favicon, css...). This is a minimalist low-maintenance cache which runs in
14263RAM.
14264
14265The cache is based on a memory which is shared between processes and threads,
14266this memory is split in blocks of 1k.
14267
14268If an object is not used anymore, it can be deleted to store a new object
14269independently of its expiration date. The oldest objects are deleted first
14270when we try to allocate a new one.
14271
14272The cache uses a hash of the host header and the URI as the key.
14273
14274It's possible to view the status of a cache using the Unix socket command
14275"show cache" consult section 9.3 "Unix Socket commands" of Management Guide
14276for more details.
14277
14278When an object is delivered from the cache, the server name in the log is
14279replaced by "<CACHE>".
14280
14281
142826.1. Limitation
14283----------------
14284
14285The cache won't store and won't deliver objects in these cases:
14286
14287- If the response is not a 200
14288- If the response contains a Vary header
14289- If the Content-Length + the headers size is greater than "max-object-size"
14290- If the response is not cacheable
14291
14292- If the request is not a GET
14293- If the HTTP version of the request is smaller than 1.1
14294- If the request contains an Authorization header
14295
14296
142976.2. Setup
14298-----------
14299
14300To setup a cache, you must define a cache section and use it in a proxy with
14301the corresponding http-request and response actions.
14302
14303
143046.2.1. Cache section
14305---------------------
14306
14307cache <name>
14308 Declare a cache section, allocate a shared cache memory named <name>, the
14309 size of cache is mandatory.
14310
14311total-max-size <megabytes>
14312 Define the size in RAM of the cache in megabytes. This size is split in
14313 blocks of 1kB which are used by the cache entries. Its maximum value is 4095.
14314
14315max-object-size <bytes>
14316 Define the maximum size of the objects to be cached. Must not be greater than
14317 an half of "total-max-size". If not set, it equals to a 256th of the cache size.
14318 All objects with sizes larger than "max-object-size" will not be cached.
14319
14320max-age <seconds>
14321 Define the maximum expiration duration. The expiration is set has the lowest
14322 value between the s-maxage or max-age (in this order) directive in the
14323 Cache-Control response header and this value. The default value is 60
14324 seconds, which means that you can't cache an object more than 60 seconds by
14325 default.
14326
14327
143286.2.2. Proxy section
14329---------------------
14330
14331http-request cache-use <name> [ { if | unless } <condition> ]
14332 Try to deliver a cached object from the cache <name>. This directive is also
14333 mandatory to store the cache as it calculates the cache hash. If you want to
14334 use a condition for both storage and delivering that's a good idea to put it
14335 after this one.
14336
14337http-response cache-store <name> [ { if | unless } <condition> ]
14338 Store an http-response within the cache. The storage of the response headers
14339 is done at this step, which means you can use others http-response actions
14340 to modify headers before or after the storage of the response. This action
14341 is responsible for the setup of the cache storage filter.
14342
14343
14344Example:
14345
14346 backend bck1
14347 mode http
14348
14349 http-request cache-use foobar
14350 http-response cache-store foobar
14351 server srv1 127.0.0.1:80
14352
14353 cache foobar
14354 total-max-size 4
14355 max-age 240
14356
14357
Willy Tarreau74ca5042013-06-11 23:12:07 +0200143587. Using ACLs and fetching samples
14359----------------------------------
14360
Davor Ocelice9ed2812017-12-25 17:49:28 +010014361HAProxy is capable of extracting data from request or response streams, from
Willy Tarreau74ca5042013-06-11 23:12:07 +020014362client or server information, from tables, environmental information etc...
14363The action of extracting such data is called fetching a sample. Once retrieved,
14364these samples may be used for various purposes such as a key to a stick-table,
14365but most common usages consist in matching them against predefined constant
14366data called patterns.
14367
14368
143697.1. ACL basics
14370---------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014371
14372The use of Access Control Lists (ACL) provides a flexible solution to perform
14373content switching and generally to take decisions based on content extracted
14374from the request, the response or any environmental status. The principle is
14375simple :
14376
Willy Tarreau74ca5042013-06-11 23:12:07 +020014377 - extract a data sample from a stream, table or the environment
Willy Tarreaue6b11e42013-11-26 19:02:32 +010014378 - optionally apply some format conversion to the extracted sample
Willy Tarreau74ca5042013-06-11 23:12:07 +020014379 - apply one or multiple pattern matching methods on this sample
14380 - perform actions only when a pattern matches the sample
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014381
Willy Tarreau74ca5042013-06-11 23:12:07 +020014382The actions generally consist in blocking a request, selecting a backend, or
14383adding a header.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014384
14385In order to define a test, the "acl" keyword is used. The syntax is :
14386
Willy Tarreau74ca5042013-06-11 23:12:07 +020014387 acl <aclname> <criterion> [flags] [operator] [<value>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014388
14389This creates a new ACL <aclname> or completes an existing one with new tests.
14390Those tests apply to the portion of request/response specified in <criterion>
14391and may be adjusted with optional flags [flags]. Some criteria also support
Willy Tarreaue6b11e42013-11-26 19:02:32 +010014392an operator which may be specified before the set of values. Optionally some
14393conversion operators may be applied to the sample, and they will be specified
14394as a comma-delimited list of keywords just after the first keyword. The values
14395are of the type supported by the criterion, and are separated by spaces.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014396
14397ACL names must be formed from upper and lower case letters, digits, '-' (dash),
14398'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
14399which means that "my_acl" and "My_Acl" are two different ACLs.
14400
14401There is no enforced limit to the number of ACLs. The unused ones do not affect
14402performance, they just consume a small amount of memory.
14403
Willy Tarreau74ca5042013-06-11 23:12:07 +020014404The criterion generally is the name of a sample fetch method, or one of its ACL
14405specific declinations. The default test method is implied by the output type of
14406this sample fetch method. The ACL declinations can describe alternate matching
Willy Tarreaue6b11e42013-11-26 19:02:32 +010014407methods of a same sample fetch method. The sample fetch methods are the only
14408ones supporting a conversion.
Willy Tarreau74ca5042013-06-11 23:12:07 +020014409
14410Sample fetch methods return data which can be of the following types :
14411 - boolean
14412 - integer (signed or unsigned)
14413 - IPv4 or IPv6 address
14414 - string
14415 - data block
14416
Willy Tarreaue6b11e42013-11-26 19:02:32 +010014417Converters transform any of these data into any of these. For example, some
14418converters might convert a string to a lower-case string while other ones
14419would turn a string to an IPv4 address, or apply a netmask to an IP address.
14420The resulting sample is of the type of the last converter applied to the list,
14421which defaults to the type of the sample fetch method.
14422
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020014423Each sample or converter returns data of a specific type, specified with its
14424keyword in this documentation. When an ACL is declared using a standard sample
14425fetch method, certain types automatically involved a default matching method
14426which are summarized in the table below :
14427
14428 +---------------------+-----------------+
14429 | Sample or converter | Default |
14430 | output type | matching method |
14431 +---------------------+-----------------+
14432 | boolean | bool |
14433 +---------------------+-----------------+
14434 | integer | int |
14435 +---------------------+-----------------+
14436 | ip | ip |
14437 +---------------------+-----------------+
14438 | string | str |
14439 +---------------------+-----------------+
14440 | binary | none, use "-m" |
14441 +---------------------+-----------------+
14442
14443Note that in order to match a binary samples, it is mandatory to specify a
14444matching method, see below.
14445
Willy Tarreau74ca5042013-06-11 23:12:07 +020014446The ACL engine can match these types against patterns of the following types :
14447 - boolean
14448 - integer or integer range
14449 - IP address / network
14450 - string (exact, substring, suffix, prefix, subdir, domain)
14451 - regular expression
14452 - hex block
14453
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014454The following ACL flags are currently supported :
14455
Willy Tarreau2b5285d2010-05-09 23:45:24 +020014456 -i : ignore case during matching of all subsequent patterns.
14457 -f : load patterns from a file.
Willy Tarreau74ca5042013-06-11 23:12:07 +020014458 -m : use a specific pattern matching method
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010014459 -n : forbid the DNS resolutions
Thierry FOURNIER9860c412014-01-29 14:23:29 +010014460 -M : load the file pointed by -f like a map file.
Thierry FOURNIER3534d882014-01-20 17:01:44 +010014461 -u : force the unique id of the ACL
Willy Tarreau6a06a402007-07-15 20:15:28 +020014462 -- : force end of flags. Useful when a string looks like one of the flags.
14463
Willy Tarreau74ca5042013-06-11 23:12:07 +020014464The "-f" flag is followed by the name of a file from which all lines will be
14465read as individual values. It is even possible to pass multiple "-f" arguments
14466if the patterns are to be loaded from multiple files. Empty lines as well as
14467lines beginning with a sharp ('#') will be ignored. All leading spaces and tabs
14468will be stripped. If it is absolutely necessary to insert a valid pattern
14469beginning with a sharp, just prefix it with a space so that it is not taken for
14470a comment. Depending on the data type and match method, haproxy may load the
14471lines into a binary tree, allowing very fast lookups. This is true for IPv4 and
14472exact string matching. In this case, duplicates will automatically be removed.
14473
Thierry FOURNIER9860c412014-01-29 14:23:29 +010014474The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
14475parsed as two column file. The first column contains the patterns used by the
14476ACL, and the second column contain the samples. The sample can be used later by
14477a map. This can be useful in some rare cases where an ACL would just be used to
14478check for the existence of a pattern in a map before a mapping is applied.
14479
Thierry FOURNIER3534d882014-01-20 17:01:44 +010014480The "-u" flag forces the unique id of the ACL. This unique id is used with the
14481socket interface to identify ACL and dynamically change its values. Note that a
14482file is always identified by its name even if an id is set.
14483
Willy Tarreau74ca5042013-06-11 23:12:07 +020014484Also, note that the "-i" flag applies to subsequent entries and not to entries
14485loaded from files preceding it. For instance :
14486
14487 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
14488
14489In this example, each line of "exact-ua.lst" will be exactly matched against
14490the "user-agent" header of the request. Then each line of "generic-ua" will be
14491case-insensitively matched. Then the word "test" will be insensitively matched
14492as well.
14493
14494The "-m" flag is used to select a specific pattern matching method on the input
14495sample. All ACL-specific criteria imply a pattern matching method and generally
14496do not need this flag. However, this flag is useful with generic sample fetch
14497methods to describe how they're going to be matched against the patterns. This
14498is required for sample fetches which return data type for which there is no
Davor Ocelice9ed2812017-12-25 17:49:28 +010014499obvious matching method (e.g. string or binary). When "-m" is specified and
Willy Tarreau74ca5042013-06-11 23:12:07 +020014500followed by a pattern matching method name, this method is used instead of the
14501default one for the criterion. This makes it possible to match contents in ways
14502that were not initially planned, or with sample fetch methods which return a
14503string. The matching method also affects the way the patterns are parsed.
14504
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010014505The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
14506By default, if the parser cannot parse ip address it considers that the parsed
14507string is maybe a domain name and try dns resolution. The flag "-n" disable this
14508resolution. It is useful for detecting malformed ip lists. Note that if the DNS
14509server is not reachable, the haproxy configuration parsing may last many minutes
John Roeslerfb2fce12019-07-10 15:45:51 -050014510waiting for the timeout. During this time no error messages are displayed. The
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010014511flag "-n" disable this behavior. Note also that during the runtime, this
14512function is disabled for the dynamic acl modifications.
14513
Willy Tarreau74ca5042013-06-11 23:12:07 +020014514There are some restrictions however. Not all methods can be used with all
14515sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
14516be placed first. The pattern matching method must be one of the following :
Willy Tarreau5adeda12013-03-31 22:13:34 +020014517
14518 - "found" : only check if the requested sample could be found in the stream,
14519 but do not compare it against any pattern. It is recommended not
Willy Tarreau74ca5042013-06-11 23:12:07 +020014520 to pass any pattern to avoid confusion. This matching method is
14521 particularly useful to detect presence of certain contents such
14522 as headers, cookies, etc... even if they are empty and without
14523 comparing them to anything nor counting them.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014524
14525 - "bool" : check the value as a boolean. It can only be applied to fetches
14526 which return a boolean or integer value, and takes no pattern.
Willy Tarreau74ca5042013-06-11 23:12:07 +020014527 Value zero or false does not match, all other values do match.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014528
14529 - "int" : match the value as an integer. It can be used with integer and
Willy Tarreau74ca5042013-06-11 23:12:07 +020014530 boolean samples. Boolean false is integer 0, true is integer 1.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014531
14532 - "ip" : match the value as an IPv4 or IPv6 address. It is compatible
Willy Tarreau74ca5042013-06-11 23:12:07 +020014533 with IP address samples only, so it is implied and never needed.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014534
Davor Ocelice9ed2812017-12-25 17:49:28 +010014535 - "bin" : match the contents against a hexadecimal string representing a
Willy Tarreau5adeda12013-03-31 22:13:34 +020014536 binary sequence. This may be used with binary or string samples.
14537
14538 - "len" : match the sample's length as an integer. This may be used with
14539 binary or string samples.
14540
Willy Tarreau74ca5042013-06-11 23:12:07 +020014541 - "str" : exact match : match the contents against a string. This may be
14542 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014543
Willy Tarreau74ca5042013-06-11 23:12:07 +020014544 - "sub" : substring match : check that the contents contain at least one of
14545 the provided string patterns. This may be used with binary or
14546 string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014547
Willy Tarreau74ca5042013-06-11 23:12:07 +020014548 - "reg" : regex match : match the contents against a list of regular
14549 expressions. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014550
Willy Tarreau74ca5042013-06-11 23:12:07 +020014551 - "beg" : prefix match : check that the contents begin like the provided
14552 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014553
Willy Tarreau74ca5042013-06-11 23:12:07 +020014554 - "end" : suffix match : check that the contents end like the provided
14555 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014556
Willy Tarreau74ca5042013-06-11 23:12:07 +020014557 - "dir" : subdir match : check that a slash-delimited portion of the
14558 contents exactly matches one of the provided string patterns.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014559 This may be used with binary or string samples.
14560
Willy Tarreau74ca5042013-06-11 23:12:07 +020014561 - "dom" : domain match : check that a dot-delimited portion of the contents
14562 exactly match one of the provided string patterns. This may be
14563 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020014564
14565For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
14566request, it is possible to do :
14567
14568 acl jsess_present cook(JSESSIONID) -m found
14569
14570In order to apply a regular expression on the 500 first bytes of data in the
14571buffer, one would use the following acl :
14572
14573 acl script_tag payload(0,500) -m reg -i <script>
14574
Willy Tarreaue6b11e42013-11-26 19:02:32 +010014575On systems where the regex library is much slower when using "-i", it is
14576possible to convert the sample to lowercase before matching, like this :
14577
14578 acl script_tag payload(0,500),lower -m reg <script>
14579
Willy Tarreau74ca5042013-06-11 23:12:07 +020014580All ACL-specific criteria imply a default matching method. Most often, these
14581criteria are composed by concatenating the name of the original sample fetch
14582method and the matching method. For example, "hdr_beg" applies the "beg" match
14583to samples retrieved using the "hdr" fetch method. Since all ACL-specific
14584criteria rely on a sample fetch method, it is always possible instead to use
14585the original sample fetch method and the explicit matching method using "-m".
Willy Tarreau2b5285d2010-05-09 23:45:24 +020014586
Willy Tarreau74ca5042013-06-11 23:12:07 +020014587If an alternate match is specified using "-m" on an ACL-specific criterion,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030014588the matching method is simply applied to the underlying sample fetch method.
14589For example, all ACLs below are exact equivalent :
Willy Tarreau2b5285d2010-05-09 23:45:24 +020014590
Willy Tarreau74ca5042013-06-11 23:12:07 +020014591 acl short_form hdr_beg(host) www.
14592 acl alternate1 hdr_beg(host) -m beg www.
14593 acl alternate2 hdr_dom(host) -m beg www.
14594 acl alternate3 hdr(host) -m beg www.
Willy Tarreau2b5285d2010-05-09 23:45:24 +020014595
Willy Tarreau2b5285d2010-05-09 23:45:24 +020014596
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020014597The table below summarizes the compatibility matrix between sample or converter
14598types and the pattern types to fetch against. It indicates for each compatible
14599combination the name of the matching method to be used, surrounded with angle
14600brackets ">" and "<" when the method is the default one and will work by
14601default without "-m".
Willy Tarreau0ba27502007-12-24 16:55:16 +010014602
Willy Tarreau74ca5042013-06-11 23:12:07 +020014603 +-------------------------------------------------+
14604 | Input sample type |
14605 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020014606 | pattern type | boolean | integer | ip | string | binary |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014607 +----------------------+---------+---------+---------+---------+---------+
14608 | none (presence only) | found | found | found | found | found |
14609 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020014610 | none (boolean value) |> bool <| bool | | bool | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014611 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020014612 | integer (value) | int |> int <| int | int | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014613 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010014614 | integer (length) | len | len | len | len | len |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014615 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020014616 | IP address | | |> ip <| ip | ip |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014617 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020014618 | exact string | str | str | str |> str <| str |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014619 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010014620 | prefix | beg | beg | beg | beg | beg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014621 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010014622 | suffix | end | end | end | end | end |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014623 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010014624 | substring | sub | sub | sub | sub | sub |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014625 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010014626 | subdir | dir | dir | dir | dir | dir |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014627 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010014628 | domain | dom | dom | dom | dom | dom |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014629 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010014630 | regex | reg | reg | reg | reg | reg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020014631 +----------------------+---------+---------+---------+---------+---------+
14632 | hex block | | | | bin | bin |
14633 +----------------------+---------+---------+---------+---------+---------+
Willy Tarreau6a06a402007-07-15 20:15:28 +020014634
14635
Willy Tarreau74ca5042013-06-11 23:12:07 +0200146367.1.1. Matching booleans
14637------------------------
14638
14639In order to match a boolean, no value is needed and all values are ignored.
14640Boolean matching is used by default for all fetch methods of type "boolean".
14641When boolean matching is used, the fetched value is returned as-is, which means
14642that a boolean "true" will always match and a boolean "false" will never match.
14643
14644Boolean matching may also be enforced using "-m bool" on fetch methods which
14645return an integer value. Then, integer value 0 is converted to the boolean
14646"false" and all other values are converted to "true".
14647
Willy Tarreau6a06a402007-07-15 20:15:28 +020014648
Willy Tarreau74ca5042013-06-11 23:12:07 +0200146497.1.2. Matching integers
14650------------------------
14651
14652Integer matching applies by default to integer fetch methods. It can also be
14653enforced on boolean fetches using "-m int". In this case, "false" is converted
14654to the integer 0, and "true" is converted to the integer 1.
14655
14656Integer matching also supports integer ranges and operators. Note that integer
14657matching only applies to positive values. A range is a value expressed with a
14658lower and an upper bound separated with a colon, both of which may be omitted.
Willy Tarreau6a06a402007-07-15 20:15:28 +020014659
14660For instance, "1024:65535" is a valid range to represent a range of
14661unprivileged ports, and "1024:" would also work. "0:1023" is a valid
14662representation of privileged ports, and ":1023" would also work.
14663
Willy Tarreau62644772008-07-16 18:36:06 +020014664As a special case, some ACL functions support decimal numbers which are in fact
14665two integers separated by a dot. This is used with some version checks for
14666instance. All integer properties apply to those decimal numbers, including
14667ranges and operators.
14668
Willy Tarreau6a06a402007-07-15 20:15:28 +020014669For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +010014670operators with ranges does not make much sense and is strongly discouraged.
14671Similarly, it does not make much sense to perform order comparisons with a set
14672of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +020014673
Willy Tarreau0ba27502007-12-24 16:55:16 +010014674Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +020014675
14676 eq : true if the tested value equals at least one value
14677 ge : true if the tested value is greater than or equal to at least one value
14678 gt : true if the tested value is greater than at least one value
14679 le : true if the tested value is less than or equal to at least one value
14680 lt : true if the tested value is less than at least one value
14681
Willy Tarreau0ba27502007-12-24 16:55:16 +010014682For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +020014683
14684 acl negative-length hdr_val(content-length) lt 0
14685
Willy Tarreau62644772008-07-16 18:36:06 +020014686This one matches SSL versions between 3.0 and 3.1 (inclusive) :
14687
14688 acl sslv3 req_ssl_ver 3:3.1
14689
Willy Tarreau6a06a402007-07-15 20:15:28 +020014690
Willy Tarreau74ca5042013-06-11 23:12:07 +0200146917.1.3. Matching strings
14692-----------------------
14693
14694String matching applies to string or binary fetch methods, and exists in 6
14695different forms :
14696
14697 - exact match (-m str) : the extracted string must exactly match the
Davor Ocelice9ed2812017-12-25 17:49:28 +010014698 patterns;
Willy Tarreau74ca5042013-06-11 23:12:07 +020014699
14700 - substring match (-m sub) : the patterns are looked up inside the
Davor Ocelice9ed2812017-12-25 17:49:28 +010014701 extracted string, and the ACL matches if any of them is found inside;
Willy Tarreau74ca5042013-06-11 23:12:07 +020014702
14703 - prefix match (-m beg) : the patterns are compared with the beginning of
14704 the extracted string, and the ACL matches if any of them matches.
14705
14706 - suffix match (-m end) : the patterns are compared with the end of the
14707 extracted string, and the ACL matches if any of them matches.
14708
Baptiste Assmann33db6002016-03-06 23:32:10 +010014709 - subdir match (-m dir) : the patterns are looked up inside the extracted
Willy Tarreau74ca5042013-06-11 23:12:07 +020014710 string, delimited with slashes ("/"), and the ACL matches if any of them
14711 matches.
14712
14713 - domain match (-m dom) : the patterns are looked up inside the extracted
14714 string, delimited with dots ("."), and the ACL matches if any of them
14715 matches.
Willy Tarreau6a06a402007-07-15 20:15:28 +020014716
14717String matching applies to verbatim strings as they are passed, with the
14718exception of the backslash ("\") which makes it possible to escape some
14719characters such as the space. If the "-i" flag is passed before the first
14720string, then the matching will be performed ignoring the case. In order
14721to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +010014722before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020014723
Mathias Weiersmuellercb250fc2019-12-02 09:43:40 +010014724Do not use string matches for binary fetches which might contain null bytes
14725(0x00), as the comparison stops at the occurrence of the first null byte.
14726Instead, convert the binary fetch to a hex string with the hex converter first.
14727
14728Example:
14729 # matches if the string <tag> is present in the binary sample
14730 acl tag_found req.payload(0,0),hex -m sub 3C7461673E
14731
Willy Tarreau6a06a402007-07-15 20:15:28 +020014732
Willy Tarreau74ca5042013-06-11 23:12:07 +0200147337.1.4. Matching regular expressions (regexes)
14734---------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020014735
14736Just like with string matching, regex matching applies to verbatim strings as
14737they are passed, with the exception of the backslash ("\") which makes it
14738possible to escape some characters such as the space. If the "-i" flag is
14739passed before the first regex, then the matching will be performed ignoring
14740the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +010014741the "--" flag before the first string. Same principle applies of course to
14742match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020014743
14744
Willy Tarreau74ca5042013-06-11 23:12:07 +0200147457.1.5. Matching arbitrary data blocks
14746-------------------------------------
14747
14748It is possible to match some extracted samples against a binary block which may
14749not safely be represented as a string. For this, the patterns must be passed as
14750a series of hexadecimal digits in an even number, when the match method is set
14751to binary. Each sequence of two digits will represent a byte. The hexadecimal
14752digits may be used upper or lower case.
14753
14754Example :
14755 # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
14756 acl hello payload(0,6) -m bin 48656c6c6f0a
14757
14758
147597.1.6. Matching IPv4 and IPv6 addresses
14760---------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020014761
14762IPv4 addresses values can be specified either as plain addresses or with a
14763netmask appended, in which case the IPv4 address matches whenever it is
14764within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010014765host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +010014766difficult to read and debug configurations. If hostnames are used, you should
14767at least ensure that they are present in /etc/hosts so that the configuration
14768does not depend on any random DNS match at the moment the configuration is
14769parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +020014770
Daniel Schnellereba56342016-04-13 00:26:52 +020014771The dotted IPv4 address notation is supported in both regular as well as the
14772abbreviated form with all-0-octets omitted:
14773
14774 +------------------+------------------+------------------+
14775 | Example 1 | Example 2 | Example 3 |
14776 +------------------+------------------+------------------+
14777 | 192.168.0.1 | 10.0.0.12 | 127.0.0.1 |
14778 | 192.168.1 | 10.12 | 127.1 |
14779 | 192.168.0.1/22 | 10.0.0.12/8 | 127.0.0.1/8 |
14780 | 192.168.1/22 | 10.12/8 | 127.1/8 |
14781 +------------------+------------------+------------------+
14782
14783Notice that this is different from RFC 4632 CIDR address notation in which
14784192.168.42/24 would be equivalent to 192.168.42.0/24.
14785
Willy Tarreauceb4ac92012-04-28 00:41:46 +020014786IPv6 may be entered in their usual form, with or without a netmask appended.
14787Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
14788trouble with randomly resolved IP addresses, host names are never allowed in
14789IPv6 patterns.
14790
14791HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
14792following situations :
14793 - tested address is IPv4, pattern address is IPv4, the match applies
14794 in IPv4 using the supplied mask if any.
14795 - tested address is IPv6, pattern address is IPv6, the match applies
14796 in IPv6 using the supplied mask if any.
14797 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
14798 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
14799 ::IPV4 or ::ffff:IPV4, otherwise it fails.
14800 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
14801 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
14802 applied in IPv6 using the supplied IPv6 mask.
14803
Willy Tarreau74ca5042013-06-11 23:12:07 +020014804
148057.2. Using ACLs to form conditions
14806----------------------------------
14807
14808Some actions are only performed upon a valid condition. A condition is a
14809combination of ACLs with operators. 3 operators are supported :
14810
14811 - AND (implicit)
14812 - OR (explicit with the "or" keyword or the "||" operator)
14813 - Negation with the exclamation mark ("!")
Willy Tarreau6a06a402007-07-15 20:15:28 +020014814
Willy Tarreau74ca5042013-06-11 23:12:07 +020014815A condition is formed as a disjunctive form:
Willy Tarreau6a06a402007-07-15 20:15:28 +020014816
Willy Tarreau74ca5042013-06-11 23:12:07 +020014817 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreaubef91e72013-03-31 23:14:46 +020014818
Willy Tarreau74ca5042013-06-11 23:12:07 +020014819Such conditions are generally used after an "if" or "unless" statement,
14820indicating when the condition will trigger the action.
Willy Tarreaubef91e72013-03-31 23:14:46 +020014821
Willy Tarreau74ca5042013-06-11 23:12:07 +020014822For instance, to block HTTP requests to the "*" URL with methods other than
14823"OPTIONS", as well as POST requests without content-length, and GET or HEAD
14824requests with a content-length greater than 0, and finally every request which
14825is not either GET/HEAD/POST/OPTIONS !
14826
14827 acl missing_cl hdr_cnt(Content-length) eq 0
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030014828 http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
14829 http-request deny if METH_GET HTTP_CONTENT
14830 http-request deny unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreau74ca5042013-06-11 23:12:07 +020014831
14832To select a different backend for requests to static contents on the "www" site
14833and to every request on the "img", "video", "download" and "ftp" hosts :
14834
14835 acl url_static path_beg /static /images /img /css
14836 acl url_static path_end .gif .png .jpg .css .js
14837 acl host_www hdr_beg(host) -i www
14838 acl host_static hdr_beg(host) -i img. video. download. ftp.
14839
Davor Ocelice9ed2812017-12-25 17:49:28 +010014840 # now use backend "static" for all static-only hosts, and for static URLs
Willy Tarreau74ca5042013-06-11 23:12:07 +020014841 # of host "www". Use backend "www" for the rest.
14842 use_backend static if host_static or host_www url_static
14843 use_backend www if host_www
14844
14845It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
14846expressions that are built on the fly without needing to be declared. They must
14847be enclosed between braces, with a space before and after each brace (because
14848the braces must be seen as independent words). Example :
14849
14850 The following rule :
14851
14852 acl missing_cl hdr_cnt(Content-length) eq 0
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030014853 http-request deny if METH_POST missing_cl
Willy Tarreau74ca5042013-06-11 23:12:07 +020014854
14855 Can also be written that way :
14856
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030014857 http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 }
Willy Tarreau74ca5042013-06-11 23:12:07 +020014858
14859It is generally not recommended to use this construct because it's a lot easier
14860to leave errors in the configuration when written that way. However, for very
14861simple rules matching only one source IP address for instance, it can make more
14862sense to use them than to declare ACLs with random names. Another example of
14863good use is the following :
14864
14865 With named ACLs :
14866
14867 acl site_dead nbsrv(dynamic) lt 2
14868 acl site_dead nbsrv(static) lt 2
14869 monitor fail if site_dead
14870
14871 With anonymous ACLs :
14872
14873 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
14874
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030014875See section 4.2 for detailed help on the "http-request deny" and "use_backend"
14876keywords.
Willy Tarreau74ca5042013-06-11 23:12:07 +020014877
14878
148797.3. Fetching samples
14880---------------------
14881
14882Historically, sample fetch methods were only used to retrieve data to match
14883against patterns using ACLs. With the arrival of stick-tables, a new class of
14884sample fetch methods was created, most often sharing the same syntax as their
14885ACL counterpart. These sample fetch methods are also known as "fetches". As
14886of now, ACLs and fetches have converged. All ACL fetch methods have been made
14887available as fetch methods, and ACLs may use any sample fetch method as well.
14888
14889This section details all available sample fetch methods and their output type.
14890Some sample fetch methods have deprecated aliases that are used to maintain
14891compatibility with existing configurations. They are then explicitly marked as
14892deprecated and should not be used in new setups.
14893
14894The ACL derivatives are also indicated when available, with their respective
14895matching methods. These ones all have a well defined default pattern matching
14896method, so it is never necessary (though allowed) to pass the "-m" option to
14897indicate how the sample will be matched using ACLs.
14898
14899As indicated in the sample type versus matching compatibility matrix above,
14900when using a generic sample fetch method in an ACL, the "-m" option is
14901mandatory unless the sample type is one of boolean, integer, IPv4 or IPv6. When
14902the same keyword exists as an ACL keyword and as a standard fetch method, the
14903ACL engine will automatically pick the ACL-only one by default.
14904
14905Some of these keywords support one or multiple mandatory arguments, and one or
14906multiple optional arguments. These arguments are strongly typed and are checked
14907when the configuration is parsed so that there is no risk of running with an
Davor Ocelice9ed2812017-12-25 17:49:28 +010014908incorrect argument (e.g. an unresolved backend name). Fetch function arguments
14909are passed between parenthesis and are delimited by commas. When an argument
Willy Tarreau74ca5042013-06-11 23:12:07 +020014910is optional, it will be indicated below between square brackets ('[ ]'). When
14911all arguments are optional, the parenthesis may be omitted.
14912
14913Thus, the syntax of a standard sample fetch method is one of the following :
14914 - name
14915 - name(arg1)
14916 - name(arg1,arg2)
14917
Thierry FOURNIER060762e2014-04-23 13:29:15 +020014918
149197.3.1. Converters
14920-----------------
14921
Willy Tarreaue6b11e42013-11-26 19:02:32 +010014922Sample fetch methods may be combined with transformations to be applied on top
14923of the fetched sample (also called "converters"). These combinations form what
14924is called "sample expressions" and the result is a "sample". Initially this
14925was only supported by "stick on" and "stick store-request" directives but this
Davor Ocelice9ed2812017-12-25 17:49:28 +010014926has now be extended to all places where samples may be used (ACLs, log-format,
Willy Tarreaue6b11e42013-11-26 19:02:32 +010014927unique-id-format, add-header, ...).
14928
14929These transformations are enumerated as a series of specific keywords after the
14930sample fetch method. These keywords may equally be appended immediately after
14931the fetch keyword's argument, delimited by a comma. These keywords can also
Davor Ocelice9ed2812017-12-25 17:49:28 +010014932support some arguments (e.g. a netmask) which must be passed in parenthesis.
Willy Tarreau0ba27502007-12-24 16:55:16 +010014933
Willy Tarreau97707872015-01-27 15:12:13 +010014934A certain category of converters are bitwise and arithmetic operators which
14935support performing basic operations on integers. Some bitwise operations are
14936supported (and, or, xor, cpl) and some arithmetic operations are supported
14937(add, sub, mul, div, mod, neg). Some comparators are provided (odd, even, not,
14938bool) which make it possible to report a match without having to write an ACL.
14939
Willy Tarreau74ca5042013-06-11 23:12:07 +020014940The currently available list of transformation keywords include :
Willy Tarreau0ba27502007-12-24 16:55:16 +010014941
Ben Shillitof25e8e52016-12-02 14:25:37 +00001494251d.single(<prop>[,<prop>*])
14943 Returns values for the properties requested as a string, where values are
14944 separated by the delimiter specified with "51degrees-property-separator".
14945 The device is identified using the User-Agent header passed to the
14946 converter. The function can be passed up to five property names, and if a
14947 property name can't be found, the value "NoData" is returned.
14948
14949 Example :
Davor Ocelice9ed2812017-12-25 17:49:28 +010014950 # Here the header "X-51D-DeviceTypeMobileTablet" is added to the request,
14951 # containing values for the three properties requested by using the
Ben Shillitof25e8e52016-12-02 14:25:37 +000014952 # User-Agent passed to the converter.
14953 frontend http-in
14954 bind *:8081
14955 default_backend servers
14956 http-request set-header X-51D-DeviceTypeMobileTablet \
14957 %[req.fhdr(User-Agent),51d.single(DeviceType,IsMobile,IsTablet)]
14958
Willy Tarreau97707872015-01-27 15:12:13 +010014959add(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020014960 Adds <value> to the input value of type signed integer, and returns the
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020014961 result as a signed integer. <value> can be a numeric value or a variable
Daniel Schneller0b547052016-03-21 20:46:57 +010014962 name. The name of the variable starts with an indication about its scope. The
14963 scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010014964 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010014965 "sess" : the variable is shared with the whole session
14966 "txn" : the variable is shared with the transaction (request and response)
14967 "req" : the variable is shared only during request processing
14968 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010014969 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010014970 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010014971
Nenad Merdanovicc31499d2019-03-23 11:00:32 +010014972aes_gcm_dec(<bits>,<nonce>,<key>,<aead_tag>)
14973 Decrypts the raw byte input using the AES128-GCM, AES192-GCM or
14974 AES256-GCM algorithm, depending on the <bits> parameter. All other parameters
14975 need to be base64 encoded and the returned result is in raw byte format.
14976 If the <aead_tag> validation fails, the converter doesn't return any data.
14977 The <nonce>, <key> and <aead_tag> can either be strings or variables. This
14978 converter requires at least OpenSSL 1.0.1.
14979
14980 Example:
14981 http-response set-header X-Decrypted-Text %[var(txn.enc),\
14982 aes_gcm_dec(128,txn.nonce,Zm9vb2Zvb29mb29wZm9vbw==,txn.aead_tag)]
14983
Willy Tarreau97707872015-01-27 15:12:13 +010014984and(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020014985 Performs a bitwise "AND" between <value> and the input value of type signed
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020014986 integer, and returns the result as an signed integer. <value> can be a
Daniel Schneller0b547052016-03-21 20:46:57 +010014987 numeric value or a variable name. The name of the variable starts with an
14988 indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010014989 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010014990 "sess" : the variable is shared with the whole session
14991 "txn" : the variable is shared with the transaction (request and response)
14992 "req" : the variable is shared only during request processing
14993 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010014994 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010014995 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010014996
Holger Just1bfc24b2017-05-06 00:56:53 +020014997b64dec
14998 Converts (decodes) a base64 encoded input string to its binary
14999 representation. It performs the inverse operation of base64().
15000
Emeric Brun53d1a982014-04-30 18:21:37 +020015001base64
15002 Converts a binary input sample to a base64 string. It is used to log or
Davor Ocelice9ed2812017-12-25 17:49:28 +010015003 transfer binary content in a way that can be reliably transferred (e.g.
Emeric Brun53d1a982014-04-30 18:21:37 +020015004 an SSL ID can be copied in a header).
15005
Willy Tarreau97707872015-01-27 15:12:13 +010015006bool
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015007 Returns a boolean TRUE if the input value of type signed integer is
Willy Tarreau97707872015-01-27 15:12:13 +010015008 non-null, otherwise returns FALSE. Used in conjunction with and(), it can be
Davor Ocelice9ed2812017-12-25 17:49:28 +010015009 used to report true/false for bit testing on input values (e.g. verify the
Willy Tarreau97707872015-01-27 15:12:13 +010015010 presence of a flag).
15011
Emeric Brun54c4ac82014-11-03 15:32:43 +010015012bytes(<offset>[,<length>])
15013 Extracts some bytes from an input binary sample. The result is a binary
15014 sample starting at an offset (in bytes) of the original sample and
Tim Düsterhus4896c442016-11-29 02:15:19 +010015015 optionally truncated at the given length.
Emeric Brun54c4ac82014-11-03 15:32:43 +010015016
Willy Tarreau280f42b2018-02-19 15:34:12 +010015017concat([<start>],[<var>],[<end>])
15018 Concatenates up to 3 fields after the current sample which is then turned to
15019 a string. The first one, <start>, is a constant string, that will be appended
15020 immediately after the existing sample. It may be omitted if not used. The
15021 second one, <var>, is a variable name. The variable will be looked up, its
15022 contents converted to a string, and it will be appended immediately after the
15023 <first> part. If the variable is not found, nothing is appended. It may be
15024 omitted as well. The third field, <end> is a constant string that will be
15025 appended after the variable. It may also be omitted. Together, these elements
15026 allow to concatenate variables with delimiters to an existing set of
15027 variables. This can be used to build new variables made of a succession of
Willy Tarreauef21fac2020-02-14 13:37:20 +010015028 other variables, such as colon-delimited values. If commas or closing
Daniel Corbett67a82712020-07-06 23:01:19 -040015029 parenthesis are needed as delimiters, they must be protected by quotes or
Willy Tarreauef21fac2020-02-14 13:37:20 +010015030 backslashes, themselves protected so that they are not stripped by the first
15031 level parser. See examples below.
Willy Tarreau280f42b2018-02-19 15:34:12 +010015032
15033 Example:
15034 tcp-request session set-var(sess.src) src
15035 tcp-request session set-var(sess.dn) ssl_c_s_dn
15036 tcp-request session set-var(txn.sig) str(),concat(<ip=,sess.ip,>),concat(<dn=,sess.dn,>)
Willy Tarreauef21fac2020-02-14 13:37:20 +010015037 tcp-request session set-var(txn.ipport) "str(),concat('addr=(',sess.ip),concat(',',sess.port,')')"
Willy Tarreau280f42b2018-02-19 15:34:12 +010015038 http-request set-header x-hap-sig %[var(txn.sig)]
15039
Willy Tarreau97707872015-01-27 15:12:13 +010015040cpl
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015041 Takes the input value of type signed integer, applies a ones-complement
15042 (flips all bits) and returns the result as an signed integer.
Willy Tarreau97707872015-01-27 15:12:13 +010015043
Willy Tarreau80599772015-01-20 19:35:24 +010015044crc32([<avalanche>])
15045 Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32
15046 hash function. Optionally, it is possible to apply a full avalanche hash
15047 function to the output if the optional <avalanche> argument equals 1. This
15048 converter uses the same functions as used by the various hash-based load
15049 balancing algorithms, so it will provide exactly the same results. It is
15050 provided for compatibility with other software which want a CRC32 to be
15051 computed on some input keys, so it follows the most common implementation as
15052 found in Ethernet, Gzip, PNG, etc... It is slower than the other algorithms
15053 but may provide a better or at least less predictable distribution. It must
15054 not be used for security purposes as a 32-bit hash is trivial to break. See
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010015055 also "djb2", "sdbm", "wt6", "crc32c" and the "hash-type" directive.
15056
15057crc32c([<avalanche>])
15058 Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32C
15059 hash function. Optionally, it is possible to apply a full avalanche hash
15060 function to the output if the optional <avalanche> argument equals 1. This
15061 converter uses the same functions as described in RFC4960, Appendix B [8].
15062 It is provided for compatibility with other software which want a CRC32C to be
15063 computed on some input keys. It is slower than the other algorithms and it must
15064 not be used for security purposes as a 32-bit hash is trivial to break. See
15065 also "djb2", "sdbm", "wt6", "crc32" and the "hash-type" directive.
Willy Tarreau80599772015-01-20 19:35:24 +010015066
Christopher Fauletea159d62020-04-01 16:21:44 +020015067cut_crlf
15068 Cuts the string representation of the input sample on the first carriage
15069 return ('\r') or newline ('\n') character found. Only the string length is
15070 updated.
15071
David Carlier29b3ca32015-09-25 14:09:21 +010015072da-csv-conv(<prop>[,<prop>*])
David Carlier4542b102015-06-01 13:54:29 +020015073 Asks the DeviceAtlas converter to identify the User Agent string passed on
15074 input, and to emit a string made of the concatenation of the properties
15075 enumerated in argument, delimited by the separator defined by the global
15076 keyword "deviceatlas-property-separator", or by default the pipe character
David Carlier840b0242016-03-16 10:09:55 +000015077 ('|'). There's a limit of 12 different properties imposed by the haproxy
David Carlier4542b102015-06-01 13:54:29 +020015078 configuration language.
15079
15080 Example:
15081 frontend www
Cyril Bonté307ee1e2015-09-28 23:16:06 +020015082 bind *:8881
15083 default_backend servers
David Carlier840b0242016-03-16 10:09:55 +000015084 http-request set-header X-DeviceAtlas-Data %[req.fhdr(User-Agent),da-csv(primaryHardwareType,osName,osVersion,browserName,browserVersion,browserRenderingEngine)]
David Carlier4542b102015-06-01 13:54:29 +020015085
Willy Tarreau0851fd52019-12-17 10:07:25 +010015086debug([<prefix][,<destination>])
15087 This converter is used as debug tool. It takes a capture of the input sample
15088 and sends it to event sink <destination>, which may designate a ring buffer
15089 such as "buf0", as well as "stdout", or "stderr". Available sinks may be
15090 checked at run time by issuing "show events" on the CLI. When not specified,
15091 the output will be "buf0", which may be consulted via the CLI's "show events"
15092 command. An optional prefix <prefix> may be passed to help distinguish
15093 outputs from multiple expressions. It will then appear before the colon in
15094 the output message. The input sample is passed as-is on the output, so that
15095 it is safe to insert the debug converter anywhere in a chain, even with non-
15096 printable sample types.
15097
15098 Example:
15099 tcp-request connection track-sc0 src,debug(track-sc)
Thierry FOURNIER9687c772015-05-07 15:46:29 +020015100
Patrick Gansterer8e366512020-04-22 16:47:57 +020015101digest(<algorithm>)
15102 Converts a binary input sample to a message digest. The result is a binary
15103 sample. The <algorithm> must be an OpenSSL message digest name (e.g. sha256).
15104
15105 Please note that this converter is only available when haproxy has been
15106 compiled with USE_OPENSSL.
15107
Willy Tarreau97707872015-01-27 15:12:13 +010015108div(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015109 Divides the input value of type signed integer by <value>, and returns the
15110 result as an signed integer. If <value> is null, the largest unsigned
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015111 integer is returned (typically 2^63-1). <value> can be a numeric value or a
Daniel Schneller0b547052016-03-21 20:46:57 +010015112 variable name. The name of the variable starts with an indication about its
15113 scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015114 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015115 "sess" : the variable is shared with the whole session
15116 "txn" : the variable is shared with the transaction (request and response)
15117 "req" : the variable is shared only during request processing
15118 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010015119 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015120 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015121
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020015122djb2([<avalanche>])
15123 Hashes a binary input sample into an unsigned 32-bit quantity using the DJB2
15124 hash function. Optionally, it is possible to apply a full avalanche hash
15125 function to the output if the optional <avalanche> argument equals 1. This
15126 converter uses the same functions as used by the various hash-based load
15127 balancing algorithms, so it will provide exactly the same results. It is
15128 mostly intended for debugging, but can be used as a stick-table entry to
15129 collect rough statistics. It must not be used for security purposes as a
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010015130 32-bit hash is trivial to break. See also "crc32", "sdbm", "wt6", "crc32c",
15131 and the "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020015132
Willy Tarreau97707872015-01-27 15:12:13 +010015133even
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015134 Returns a boolean TRUE if the input value of type signed integer is even
Willy Tarreau97707872015-01-27 15:12:13 +010015135 otherwise returns FALSE. It is functionally equivalent to "not,and(1),bool".
15136
Marcin Deranek9631a282018-04-16 14:30:46 +020015137field(<index>,<delimiters>[,<count>])
15138 Extracts the substring at the given index counting from the beginning
15139 (positive index) or from the end (negative index) considering given delimiters
15140 from an input string. Indexes start at 1 or -1 and delimiters are a string
15141 formatted list of chars. Optionally you can specify <count> of fields to
15142 extract (default: 1). Value of 0 indicates extraction of all remaining
15143 fields.
15144
15145 Example :
15146 str(f1_f2_f3__f5),field(5,_) # f5
15147 str(f1_f2_f3__f5),field(2,_,0) # f2_f3__f5
15148 str(f1_f2_f3__f5),field(2,_,2) # f2_f3
15149 str(f1_f2_f3__f5),field(-2,_,3) # f2_f3_
15150 str(f1_f2_f3__f5),field(-3,_,0) # f1_f2_f3
Emeric Brunf399b0d2014-11-03 17:07:03 +010015151
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015152hex
Davor Ocelice9ed2812017-12-25 17:49:28 +010015153 Converts a binary input sample to a hex string containing two hex digits per
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015154 input byte. It is used to log or transfer hex dumps of some binary input data
Davor Ocelice9ed2812017-12-25 17:49:28 +010015155 in a way that can be reliably transferred (e.g. an SSL ID can be copied in a
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015156 header).
Thierry FOURNIER2f49d6d2014-03-12 15:01:52 +010015157
Dragan Dosen3f957b22017-10-24 09:27:34 +020015158hex2i
15159 Converts a hex string containing two hex digits per input byte to an
John Roeslerfb2fce12019-07-10 15:45:51 -050015160 integer. If the input value cannot be converted, then zero is returned.
Dragan Dosen3f957b22017-10-24 09:27:34 +020015161
Christopher Faulet4ccc12f2020-04-01 09:08:32 +020015162htonl
15163 Converts the input integer value to its 32-bit binary representation in the
15164 network byte order. Because sample fetches own signed 64-bit integer, when
15165 this converter is used, the input integer value is first casted to an
15166 unsigned 32-bit integer.
15167
Patrick Gansterer8e366512020-04-22 16:47:57 +020015168hmac(<algorithm>, <key>)
15169 Converts a binary input sample to a message authentication code with the given
15170 key. The result is a binary sample. The <algorithm> must be one of the
15171 registered OpenSSL message digest names (e.g. sha256). The <key> parameter must
15172 be base64 encoded and can either be a string or a variable.
15173
15174 Please note that this converter is only available when haproxy has been
15175 compiled with USE_OPENSSL.
15176
Cyril Bonté6bcd1822019-11-05 23:13:59 +010015177http_date([<offset],[<unit>])
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015178 Converts an integer supposed to contain a date since epoch to a string
15179 representing this date in a format suitable for use in HTTP header fields. If
Damien Claisseae6f1252019-10-30 15:57:28 +000015180 an offset value is specified, then it is added to the date before the
15181 conversion is operated. This is particularly useful to emit Date header fields,
15182 Expires values in responses when combined with a positive offset, or
15183 Last-Modified values when the offset is negative.
15184 If a unit value is specified, then consider the timestamp as either
15185 "s" for seconds (default behavior), "ms" for milliseconds, or "us" for
15186 microseconds since epoch. Offset is assumed to have the same unit as
15187 input timestamp.
Willy Tarreau74ca5042013-06-11 23:12:07 +020015188
Tim Duesterhus3943e4f2020-09-11 14:25:23 +020015189iif(<true>,<false>)
15190 Returns the <true> string if the input value is true. Returns the <false>
15191 string otherwise.
15192
15193 Example:
Tim Duesterhus870713b2020-09-11 17:13:12 +020015194 http-request set-header x-forwarded-proto %[ssl_fc,iif(https,http)]
Tim Duesterhus3943e4f2020-09-11 14:25:23 +020015195
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015196in_table(<table>)
15197 Uses the string representation of the input sample to perform a look up in
15198 the specified table. If the key is not found in the table, a boolean false
15199 is returned. Otherwise a boolean true is returned. This can be used to verify
Davor Ocelice9ed2812017-12-25 17:49:28 +010015200 the presence of a certain key in a table tracking some elements (e.g. whether
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015201 or not a source IP address or an Authorization header was already seen).
15202
Tim Duesterhus1478aa72018-01-25 16:24:51 +010015203ipmask(<mask4>, [<mask6>])
15204 Apply a mask to an IP address, and use the result for lookups and storage.
Willy Tarreauffcb2e42014-07-10 16:29:08 +020015205 This can be used to make all hosts within a certain mask to share the same
Tim Duesterhus1478aa72018-01-25 16:24:51 +010015206 table entries and as such use the same server. The mask4 can be passed in
15207 dotted form (e.g. 255.255.255.0) or in CIDR form (e.g. 24). The mask6 can
15208 be passed in quadruplet form (e.g. ffff:ffff::) or in CIDR form (e.g. 64).
15209 If no mask6 is given IPv6 addresses will fail to convert for backwards
15210 compatibility reasons.
Willy Tarreauffcb2e42014-07-10 16:29:08 +020015211
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015212json([<input-code>])
Davor Ocelice9ed2812017-12-25 17:49:28 +010015213 Escapes the input string and produces an ASCII output string ready to use as a
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015214 JSON string. The converter tries to decode the input string according to the
Herve COMMOWICK8dfe8632016-08-05 12:01:20 +020015215 <input-code> parameter. It can be "ascii", "utf8", "utf8s", "utf8p" or
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015216 "utf8ps". The "ascii" decoder never fails. The "utf8" decoder detects 3 types
15217 of errors:
15218 - bad UTF-8 sequence (lone continuation byte, bad number of continuation
15219 bytes, ...)
15220 - invalid range (the decoded value is within a UTF-8 prohibited range),
15221 - code overlong (the value is encoded with more bytes than necessary).
15222
15223 The UTF-8 JSON encoding can produce a "too long value" error when the UTF-8
15224 character is greater than 0xffff because the JSON string escape specification
15225 only authorizes 4 hex digits for the value encoding. The UTF-8 decoder exists
15226 in 4 variants designated by a combination of two suffix letters : "p" for
15227 "permissive" and "s" for "silently ignore". The behaviors of the decoders
15228 are :
Davor Ocelice9ed2812017-12-25 17:49:28 +010015229 - "ascii" : never fails;
15230 - "utf8" : fails on any detected errors;
15231 - "utf8s" : never fails, but removes characters corresponding to errors;
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015232 - "utf8p" : accepts and fixes the overlong errors, but fails on any other
Davor Ocelice9ed2812017-12-25 17:49:28 +010015233 error;
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015234 - "utf8ps" : never fails, accepts and fixes the overlong errors, but removes
15235 characters corresponding to the other errors.
15236
15237 This converter is particularly useful for building properly escaped JSON for
Davor Ocelice9ed2812017-12-25 17:49:28 +010015238 logging to servers which consume JSON-formatted traffic logs.
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015239
15240 Example:
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015241 capture request header Host len 15
Herve COMMOWICK8dfe8632016-08-05 12:01:20 +020015242 capture request header user-agent len 150
15243 log-format '{"ip":"%[src]","user-agent":"%[capture.req.hdr(1),json(utf8s)]"}'
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020015244
15245 Input request from client 127.0.0.1:
15246 GET / HTTP/1.0
15247 User-Agent: Very "Ugly" UA 1/2
15248
15249 Output log:
15250 {"ip":"127.0.0.1","user-agent":"Very \"Ugly\" UA 1\/2"}
15251
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015252language(<value>[,<default>])
15253 Returns the value with the highest q-factor from a list as extracted from the
15254 "accept-language" header using "req.fhdr". Values with no q-factor have a
15255 q-factor of 1. Values with a q-factor of 0 are dropped. Only values which
15256 belong to the list of semi-colon delimited <values> will be considered. The
15257 argument <value> syntax is "lang[;lang[;lang[;...]]]". If no value matches the
15258 given list and a default value is provided, it is returned. Note that language
15259 names may have a variant after a dash ('-'). If this variant is present in the
15260 list, it will be matched, but if it is not, only the base language is checked.
15261 The match is case-sensitive, and the output string is always one of those
Davor Ocelice9ed2812017-12-25 17:49:28 +010015262 provided in arguments. The ordering of arguments is meaningless, only the
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015263 ordering of the values in the request counts, as the first value among
15264 multiple sharing the same q-factor is used.
Thierry FOURNIERad903512014-04-11 17:51:01 +020015265
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015266 Example :
Thierry FOURNIERad903512014-04-11 17:51:01 +020015267
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015268 # this configuration switches to the backend matching a
15269 # given language based on the request :
Thierry FOURNIERad903512014-04-11 17:51:01 +020015270
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015271 acl es req.fhdr(accept-language),language(es;fr;en) -m str es
15272 acl fr req.fhdr(accept-language),language(es;fr;en) -m str fr
15273 acl en req.fhdr(accept-language),language(es;fr;en) -m str en
15274 use_backend spanish if es
15275 use_backend french if fr
15276 use_backend english if en
15277 default_backend choose_your_language
Thierry FOURNIERad903512014-04-11 17:51:01 +020015278
Willy Tarreau60a2ee72017-12-15 07:13:48 +010015279length
Etienne Carriereed0d24e2017-12-13 13:41:34 +010015280 Get the length of the string. This can only be placed after a string
15281 sample fetch function or after a transformation keyword returning a string
15282 type. The result is of type integer.
15283
Willy Tarreauffcb2e42014-07-10 16:29:08 +020015284lower
15285 Convert a string sample to lower case. This can only be placed after a string
15286 sample fetch function or after a transformation keyword returning a string
15287 type. The result is of type string.
15288
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020015289ltime(<format>[,<offset>])
15290 Converts an integer supposed to contain a date since epoch to a string
15291 representing this date in local time using a format defined by the <format>
15292 string using strftime(3). The purpose is to allow any date format to be used
15293 in logs. An optional <offset> in seconds may be applied to the input date
15294 (positive or negative). See the strftime() man page for the format supported
15295 by your operating system. See also the utime converter.
15296
15297 Example :
15298
15299 # Emit two colons, one with the local time and another with ip:port
Davor Ocelice9ed2812017-12-25 17:49:28 +010015300 # e.g. 20140710162350 127.0.0.1:57325
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020015301 log-format %[date,ltime(%Y%m%d%H%M%S)]\ %ci:%cp
15302
Christopher Faulet51fc9d12020-04-01 17:24:41 +020015303ltrim(<chars>)
15304 Skips any characters from <chars> from the beginning of the string
15305 representation of the input sample.
15306
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015307map(<map_file>[,<default_value>])
15308map_<match_type>(<map_file>[,<default_value>])
15309map_<match_type>_<output_type>(<map_file>[,<default_value>])
15310 Search the input value from <map_file> using the <match_type> matching method,
15311 and return the associated value converted to the type <output_type>. If the
15312 input value cannot be found in the <map_file>, the converter returns the
15313 <default_value>. If the <default_value> is not set, the converter fails and
15314 acts as if no input value could be fetched. If the <match_type> is not set, it
15315 defaults to "str". Likewise, if the <output_type> is not set, it defaults to
15316 "str". For convenience, the "map" keyword is an alias for "map_str" and maps a
15317 string to another string.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010015318
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015319 It is important to avoid overlapping between the keys : IP addresses and
15320 strings are stored in trees, so the first of the finest match will be used.
15321 Other keys are stored in lists, so the first matching occurrence will be used.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010015322
Tim Düsterhus4896c442016-11-29 02:15:19 +010015323 The following array contains the list of all map functions available sorted by
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015324 input type, match type and output type.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010015325
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015326 input type | match method | output type str | output type int | output type ip
15327 -----------+--------------+-----------------+-----------------+---------------
15328 str | str | map_str | map_str_int | map_str_ip
15329 -----------+--------------+-----------------+-----------------+---------------
Willy Tarreau787a4c02014-05-10 07:55:30 +020015330 str | beg | map_beg | map_beg_int | map_end_ip
15331 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015332 str | sub | map_sub | map_sub_int | map_sub_ip
15333 -----------+--------------+-----------------+-----------------+---------------
15334 str | dir | map_dir | map_dir_int | map_dir_ip
15335 -----------+--------------+-----------------+-----------------+---------------
15336 str | dom | map_dom | map_dom_int | map_dom_ip
15337 -----------+--------------+-----------------+-----------------+---------------
15338 str | end | map_end | map_end_int | map_end_ip
15339 -----------+--------------+-----------------+-----------------+---------------
Ruoshan Huang3c5e3742016-12-02 16:25:31 +080015340 str | reg | map_reg | map_reg_int | map_reg_ip
15341 -----------+--------------+-----------------+-----------------+---------------
15342 str | reg | map_regm | map_reg_int | map_reg_ip
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015343 -----------+--------------+-----------------+-----------------+---------------
15344 int | int | map_int | map_int_int | map_int_ip
15345 -----------+--------------+-----------------+-----------------+---------------
15346 ip | ip | map_ip | map_ip_int | map_ip_ip
15347 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010015348
Thierry Fournier8feaa662016-02-10 22:55:20 +010015349 The special map called "map_regm" expect matching zone in the regular
15350 expression and modify the output replacing back reference (like "\1") by
15351 the corresponding match text.
15352
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015353 The file contains one key + value per line. Lines which start with '#' are
15354 ignored, just like empty lines. Leading tabs and spaces are stripped. The key
15355 is then the first "word" (series of non-space/tabs characters), and the value
15356 is what follows this series of space/tab till the end of the line excluding
15357 trailing spaces/tabs.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010015358
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015359 Example :
15360
15361 # this is a comment and is ignored
15362 2.22.246.0/23 United Kingdom \n
15363 <-><-----------><--><------------><---->
15364 | | | | `- trailing spaces ignored
15365 | | | `---------- value
15366 | | `-------------------- middle spaces ignored
15367 | `---------------------------- key
15368 `------------------------------------ leading spaces ignored
15369
Willy Tarreau97707872015-01-27 15:12:13 +010015370mod(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015371 Divides the input value of type signed integer by <value>, and returns the
15372 remainder as an signed integer. If <value> is null, then zero is returned.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015373 <value> can be a numeric value or a variable name. The name of the variable
Daniel Schneller0b547052016-03-21 20:46:57 +010015374 starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015375 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015376 "sess" : the variable is shared with the whole session
15377 "txn" : the variable is shared with the transaction (request and response)
15378 "req" : the variable is shared only during request processing
15379 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010015380 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015381 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015382
15383mul(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015384 Multiplies the input value of type signed integer by <value>, and returns
Thierry FOURNIER00c005c2015-07-08 01:10:21 +020015385 the product as an signed integer. In case of overflow, the largest possible
15386 value for the sign is returned so that the operation doesn't wrap around.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015387 <value> can be a numeric value or a variable name. The name of the variable
Daniel Schneller0b547052016-03-21 20:46:57 +010015388 starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015389 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015390 "sess" : the variable is shared with the whole session
15391 "txn" : the variable is shared with the transaction (request and response)
15392 "req" : the variable is shared only during request processing
15393 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010015394 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015395 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015396
Nenad Merdanovicb7e7c472017-03-12 21:56:55 +010015397nbsrv
15398 Takes an input value of type string, interprets it as a backend name and
15399 returns the number of usable servers in that backend. Can be used in places
15400 where we want to look up a backend from a dynamic name, like a result of a
15401 map lookup.
15402
Willy Tarreau97707872015-01-27 15:12:13 +010015403neg
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015404 Takes the input value of type signed integer, computes the opposite value,
15405 and returns the remainder as an signed integer. 0 is identity. This operator
15406 is provided for reversed subtracts : in order to subtract the input from a
15407 constant, simply perform a "neg,add(value)".
Willy Tarreau97707872015-01-27 15:12:13 +010015408
15409not
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015410 Returns a boolean FALSE if the input value of type signed integer is
Willy Tarreau97707872015-01-27 15:12:13 +010015411 non-null, otherwise returns TRUE. Used in conjunction with and(), it can be
Davor Ocelice9ed2812017-12-25 17:49:28 +010015412 used to report true/false for bit testing on input values (e.g. verify the
Willy Tarreau97707872015-01-27 15:12:13 +010015413 absence of a flag).
15414
15415odd
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015416 Returns a boolean TRUE if the input value of type signed integer is odd
Willy Tarreau97707872015-01-27 15:12:13 +010015417 otherwise returns FALSE. It is functionally equivalent to "and(1),bool".
15418
15419or(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015420 Performs a bitwise "OR" between <value> and the input value of type signed
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015421 integer, and returns the result as an signed integer. <value> can be a
Daniel Schneller0b547052016-03-21 20:46:57 +010015422 numeric value or a variable name. The name of the variable starts with an
15423 indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015424 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015425 "sess" : the variable is shared with the whole session
15426 "txn" : the variable is shared with the transaction (request and response)
15427 "req" : the variable is shared only during request processing
15428 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010015429 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015430 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015431
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010015432protobuf(<field_number>,[<field_type>])
15433 This extracts the protocol buffers message field in raw mode of an input binary
15434 sample representation of a protocol buffer message with <field_number> as field
15435 number (dotted notation) if <field_type> is not present, or as an integer sample
15436 if this field is present (see also "ungrpc" below).
15437 The list of the authorized types is the following one: "int32", "int64", "uint32",
15438 "uint64", "sint32", "sint64", "bool", "enum" for the "varint" wire type 0
15439 "fixed64", "sfixed64", "double" for the 64bit wire type 1, "fixed32", "sfixed32",
15440 "float" for the wire type 5. Note that "string" is considered as a length-delimited
15441 type, so it does not require any <field_type> argument to be extracted.
15442 More information may be found here about the protocol buffers message field types:
15443 https://developers.google.com/protocol-buffers/docs/encoding
15444
Willy Tarreauc4dc3502015-01-23 20:39:28 +010015445regsub(<regex>,<subst>[,<flags>])
Willy Tarreau7eda8492015-01-20 19:47:06 +010015446 Applies a regex-based substitution to the input string. It does the same
15447 operation as the well-known "sed" utility with "s/<regex>/<subst>/". By
15448 default it will replace in the input string the first occurrence of the
15449 largest part matching the regular expression <regex> with the substitution
15450 string <subst>. It is possible to replace all occurrences instead by adding
15451 the flag "g" in the third argument <flags>. It is also possible to make the
15452 regex case insensitive by adding the flag "i" in <flags>. Since <flags> is a
15453 string, it is made up from the concatenation of all desired flags. Thus if
15454 both "i" and "g" are desired, using "gi" or "ig" will have the same effect.
Willy Tarreauef21fac2020-02-14 13:37:20 +010015455 The first use of this converter is to replace certain characters or sequence
15456 of characters with other ones.
15457
15458 It is highly recommended to enclose the regex part using protected quotes to
15459 improve clarity and never have a closing parenthesis from the regex mixed up
15460 with the parenthesis from the function. Just like in Bourne shell, the first
15461 level of quotes is processed when delimiting word groups on the line, a
15462 second level is usable for argument. It is recommended to use single quotes
15463 outside since these ones do not try to resolve backslashes nor dollar signs.
Willy Tarreau7eda8492015-01-20 19:47:06 +010015464
Willy Tarreaucd0d2ed2020-02-14 17:33:06 +010015465 Examples:
Willy Tarreau7eda8492015-01-20 19:47:06 +010015466
15467 # de-duplicate "/" in header "x-path".
15468 # input: x-path: /////a///b/c/xzxyz/
15469 # output: x-path: /a/b/c/xzxyz/
Willy Tarreauef21fac2020-02-14 13:37:20 +010015470 http-request set-header x-path "%[hdr(x-path),regsub('/+','/','g')]"
Willy Tarreau7eda8492015-01-20 19:47:06 +010015471
Willy Tarreaucd0d2ed2020-02-14 17:33:06 +010015472 # copy query string to x-query and drop all leading '?', ';' and '&'
15473 http-request set-header x-query "%[query,regsub([?;&]*,'')]"
15474
Jerome Magnin07e1e3c2020-02-16 19:20:19 +010015475 # capture groups and backreferences
15476 # both lines do the same.
Willy Tarreau465dc7d2020-10-08 18:05:56 +020015477 http-request redirect location %[url,'regsub("(foo|bar)([0-9]+)?","\2\1",i)']
Jerome Magnin07e1e3c2020-02-16 19:20:19 +010015478 http-request redirect location %[url,regsub(\"(foo|bar)([0-9]+)?\",\"\2\1\",i)]
15479
Thierry FOURNIER35ab2752015-05-28 13:22:03 +020015480capture-req(<id>)
15481 Capture the string entry in the request slot <id> and returns the entry as
15482 is. If the slot doesn't exist, the capture fails silently.
15483
15484 See also: "declare capture", "http-request capture",
Baptiste Assmann5ac425c2015-10-21 23:13:46 +020015485 "http-response capture", "capture.req.hdr" and
15486 "capture.res.hdr" (sample fetches).
Thierry FOURNIER35ab2752015-05-28 13:22:03 +020015487
15488capture-res(<id>)
15489 Capture the string entry in the response slot <id> and returns the entry as
15490 is. If the slot doesn't exist, the capture fails silently.
15491
15492 See also: "declare capture", "http-request capture",
Baptiste Assmann5ac425c2015-10-21 23:13:46 +020015493 "http-response capture", "capture.req.hdr" and
15494 "capture.res.hdr" (sample fetches).
Thierry FOURNIER35ab2752015-05-28 13:22:03 +020015495
Christopher Faulet568415a2020-04-01 17:24:47 +020015496rtrim(<chars>)
15497 Skips any characters from <chars> from the end of the string representation
15498 of the input sample.
15499
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020015500sdbm([<avalanche>])
15501 Hashes a binary input sample into an unsigned 32-bit quantity using the SDBM
15502 hash function. Optionally, it is possible to apply a full avalanche hash
15503 function to the output if the optional <avalanche> argument equals 1. This
15504 converter uses the same functions as used by the various hash-based load
15505 balancing algorithms, so it will provide exactly the same results. It is
15506 mostly intended for debugging, but can be used as a stick-table entry to
15507 collect rough statistics. It must not be used for security purposes as a
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010015508 32-bit hash is trivial to break. See also "crc32", "djb2", "wt6", "crc32c",
15509 and the "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020015510
Tim Duesterhusf38175c2020-06-09 11:48:42 +020015511secure_memcmp(<var>)
15512 Compares the contents of <var> with the input value. Both values are treated
15513 as a binary string. Returns a boolean indicating whether both binary strings
15514 match.
15515
15516 If both binary strings have the same length then the comparison will be
15517 performed in constant time.
15518
15519 Please note that this converter is only available when haproxy has been
15520 compiled with USE_OPENSSL.
15521
15522 Example :
15523
15524 http-request set-var(txn.token) hdr(token)
15525 # Check whether the token sent by the client matches the secret token
15526 # value, without leaking the contents using a timing attack.
15527 acl token_given str(my_secret_token),secure_memcmp(txn.token)
15528
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020015529set-var(<var name>)
Davor Ocelice9ed2812017-12-25 17:49:28 +010015530 Sets a variable with the input content and returns the content on the output
15531 as-is. The variable keeps the value and the associated input type. The name of
15532 the variable starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015533 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015534 "sess" : the variable is shared with the whole session
15535 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020015536 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010015537 "req" : the variable is shared only during request processing,
15538 "res" : the variable is shared only during response processing.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020015539 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015540 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020015541
Dragan Dosen6e5a9ca2017-10-24 09:18:23 +020015542sha1
Tim Duesterhusd4376302019-06-17 12:41:44 +020015543 Converts a binary input sample to a SHA-1 digest. The result is a binary
Dragan Dosen6e5a9ca2017-10-24 09:18:23 +020015544 sample with length of 20 bytes.
15545
Tim Duesterhusd4376302019-06-17 12:41:44 +020015546sha2([<bits>])
15547 Converts a binary input sample to a digest in the SHA-2 family. The result
15548 is a binary sample with length of <bits>/8 bytes.
15549
15550 Valid values for <bits> are 224, 256, 384, 512, each corresponding to
15551 SHA-<bits>. The default value is 256.
15552
15553 Please note that this converter is only available when haproxy has been
15554 compiled with USE_OPENSSL.
15555
Nenad Merdanovic177adc92019-08-27 01:58:13 +020015556srv_queue
15557 Takes an input value of type string, either a server name or <backend>/<server>
15558 format and returns the number of queued sessions on that server. Can be used
15559 in places where we want to look up queued sessions from a dynamic name, like a
15560 cookie value (e.g. req.cook(SRVID),srv_queue) and then make a decision to break
15561 persistence or direct a request elsewhere.
15562
Tim Duesterhusca097c12018-04-27 21:18:45 +020015563strcmp(<var>)
15564 Compares the contents of <var> with the input value of type string. Returns
15565 the result as a signed integer compatible with strcmp(3): 0 if both strings
15566 are identical. A value less than 0 if the left string is lexicographically
15567 smaller than the right string or if the left string is shorter. A value greater
15568 than 0 otherwise (right string greater than left string or the right string is
15569 shorter).
15570
Tim Duesterhusf38175c2020-06-09 11:48:42 +020015571 See also the secure_memcmp converter if you need to compare two binary
15572 strings in constant time.
15573
Tim Duesterhusca097c12018-04-27 21:18:45 +020015574 Example :
15575
15576 http-request set-var(txn.host) hdr(host)
15577 # Check whether the client is attempting domain fronting.
15578 acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0
15579
15580
Willy Tarreau97707872015-01-27 15:12:13 +010015581sub(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015582 Subtracts <value> from the input value of type signed integer, and returns
15583 the result as an signed integer. Note: in order to subtract the input from
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015584 a constant, simply perform a "neg,add(value)". <value> can be a numeric value
Daniel Schneller0b547052016-03-21 20:46:57 +010015585 or a variable name. The name of the variable starts with an indication about
15586 its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015587 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015588 "sess" : the variable is shared with the whole session
15589 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015590 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010015591 "req" : the variable is shared only during request processing,
15592 "res" : the variable is shared only during response processing.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015593 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015594 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015595
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015596table_bytes_in_rate(<table>)
15597 Uses the string representation of the input sample to perform a look up in
15598 the specified table. If the key is not found in the table, integer value zero
15599 is returned. Otherwise the converter returns the average client-to-server
15600 bytes rate associated with the input sample in the designated table, measured
15601 in amount of bytes over the period configured in the table. See also the
15602 sc_bytes_in_rate sample fetch keyword.
15603
15604
15605table_bytes_out_rate(<table>)
15606 Uses the string representation of the input sample to perform a look up in
15607 the specified table. If the key is not found in the table, integer value zero
15608 is returned. Otherwise the converter returns the average server-to-client
15609 bytes rate associated with the input sample in the designated table, measured
15610 in amount of bytes over the period configured in the table. See also the
15611 sc_bytes_out_rate sample fetch keyword.
15612
15613table_conn_cnt(<table>)
15614 Uses the string representation of the input sample to perform a look up in
15615 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010015616 is returned. Otherwise the converter returns the cumulative number of incoming
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015617 connections associated with the input sample in the designated table. See
15618 also the sc_conn_cnt sample fetch keyword.
15619
15620table_conn_cur(<table>)
15621 Uses the string representation of the input sample to perform a look up in
15622 the specified table. If the key is not found in the table, integer value zero
15623 is returned. Otherwise the converter returns the current amount of concurrent
15624 tracked connections associated with the input sample in the designated table.
15625 See also the sc_conn_cur sample fetch keyword.
15626
15627table_conn_rate(<table>)
15628 Uses the string representation of the input sample to perform a look up in
15629 the specified table. If the key is not found in the table, integer value zero
15630 is returned. Otherwise the converter returns the average incoming connection
15631 rate associated with the input sample in the designated table. See also the
15632 sc_conn_rate sample fetch keyword.
15633
Thierry FOURNIER236657b2015-08-19 08:25:14 +020015634table_gpt0(<table>)
15635 Uses the string representation of the input sample to perform a look up in
15636 the specified table. If the key is not found in the table, boolean value zero
15637 is returned. Otherwise the converter returns the current value of the first
15638 general purpose tag associated with the input sample in the designated table.
15639 See also the sc_get_gpt0 sample fetch keyword.
15640
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015641table_gpc0(<table>)
15642 Uses the string representation of the input sample to perform a look up in
15643 the specified table. If the key is not found in the table, integer value zero
15644 is returned. Otherwise the converter returns the current value of the first
15645 general purpose counter associated with the input sample in the designated
15646 table. See also the sc_get_gpc0 sample fetch keyword.
15647
15648table_gpc0_rate(<table>)
15649 Uses the string representation of the input sample to perform a look up in
15650 the specified table. If the key is not found in the table, integer value zero
15651 is returned. Otherwise the converter returns the frequency which the gpc0
15652 counter was incremented over the configured period in the table, associated
15653 with the input sample in the designated table. See also the sc_get_gpc0_rate
15654 sample fetch keyword.
15655
Frédéric Lécaille6778b272018-01-29 15:22:53 +010015656table_gpc1(<table>)
15657 Uses the string representation of the input sample to perform a look up in
15658 the specified table. If the key is not found in the table, integer value zero
15659 is returned. Otherwise the converter returns the current value of the second
15660 general purpose counter associated with the input sample in the designated
15661 table. See also the sc_get_gpc1 sample fetch keyword.
15662
15663table_gpc1_rate(<table>)
15664 Uses the string representation of the input sample to perform a look up in
15665 the specified table. If the key is not found in the table, integer value zero
15666 is returned. Otherwise the converter returns the frequency which the gpc1
15667 counter was incremented over the configured period in the table, associated
15668 with the input sample in the designated table. See also the sc_get_gpc1_rate
15669 sample fetch keyword.
15670
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015671table_http_err_cnt(<table>)
15672 Uses the string representation of the input sample to perform a look up in
15673 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010015674 is returned. Otherwise the converter returns the cumulative number of HTTP
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015675 errors associated with the input sample in the designated table. See also the
15676 sc_http_err_cnt sample fetch keyword.
15677
15678table_http_err_rate(<table>)
15679 Uses the string representation of the input sample to perform a look up in
15680 the specified table. If the key is not found in the table, integer value zero
15681 is returned. Otherwise the average rate of HTTP errors associated with the
15682 input sample in the designated table, measured in amount of errors over the
15683 period configured in the table. See also the sc_http_err_rate sample fetch
15684 keyword.
15685
15686table_http_req_cnt(<table>)
15687 Uses the string representation of the input sample to perform a look up in
15688 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010015689 is returned. Otherwise the converter returns the cumulative number of HTTP
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015690 requests associated with the input sample in the designated table. See also
15691 the sc_http_req_cnt sample fetch keyword.
15692
15693table_http_req_rate(<table>)
15694 Uses the string representation of the input sample to perform a look up in
15695 the specified table. If the key is not found in the table, integer value zero
15696 is returned. Otherwise the average rate of HTTP requests associated with the
15697 input sample in the designated table, measured in amount of requests over the
15698 period configured in the table. See also the sc_http_req_rate sample fetch
15699 keyword.
15700
15701table_kbytes_in(<table>)
15702 Uses the string representation of the input sample to perform a look up in
15703 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010015704 is returned. Otherwise the converter returns the cumulative number of client-
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015705 to-server data associated with the input sample in the designated table,
15706 measured in kilobytes. The test is currently performed on 32-bit integers,
15707 which limits values to 4 terabytes. See also the sc_kbytes_in sample fetch
15708 keyword.
15709
15710table_kbytes_out(<table>)
15711 Uses the string representation of the input sample to perform a look up in
15712 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010015713 is returned. Otherwise the converter returns the cumulative number of server-
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015714 to-client data associated with the input sample in the designated table,
15715 measured in kilobytes. The test is currently performed on 32-bit integers,
15716 which limits values to 4 terabytes. See also the sc_kbytes_out sample fetch
15717 keyword.
15718
15719table_server_id(<table>)
15720 Uses the string representation of the input sample to perform a look up in
15721 the specified table. If the key is not found in the table, integer value zero
15722 is returned. Otherwise the converter returns the server ID associated with
15723 the input sample in the designated table. A server ID is associated to a
15724 sample by a "stick" rule when a connection to a server succeeds. A server ID
15725 zero means that no server is associated with this key.
15726
15727table_sess_cnt(<table>)
15728 Uses the string representation of the input sample to perform a look up in
15729 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010015730 is returned. Otherwise the converter returns the cumulative number of incoming
Willy Tarreaud9f316a2014-07-10 14:03:38 +020015731 sessions associated with the input sample in the designated table. Note that
15732 a session here refers to an incoming connection being accepted by the
15733 "tcp-request connection" rulesets. See also the sc_sess_cnt sample fetch
15734 keyword.
15735
15736table_sess_rate(<table>)
15737 Uses the string representation of the input sample to perform a look up in
15738 the specified table. If the key is not found in the table, integer value zero
15739 is returned. Otherwise the converter returns the average incoming session
15740 rate associated with the input sample in the designated table. Note that a
15741 session here refers to an incoming connection being accepted by the
15742 "tcp-request connection" rulesets. See also the sc_sess_rate sample fetch
15743 keyword.
15744
15745table_trackers(<table>)
15746 Uses the string representation of the input sample to perform a look up in
15747 the specified table. If the key is not found in the table, integer value zero
15748 is returned. Otherwise the converter returns the current amount of concurrent
15749 connections tracking the same key as the input sample in the designated
15750 table. It differs from table_conn_cur in that it does not rely on any stored
15751 information but on the table's reference count (the "use" value which is
15752 returned by "show table" on the CLI). This may sometimes be more suited for
15753 layer7 tracking. It can be used to tell a server how many concurrent
15754 connections there are from a given address for example. See also the
15755 sc_trackers sample fetch keyword.
15756
Willy Tarreauffcb2e42014-07-10 16:29:08 +020015757upper
15758 Convert a string sample to upper case. This can only be placed after a string
15759 sample fetch function or after a transformation keyword returning a string
15760 type. The result is of type string.
15761
Willy Tarreau62ba9ba2020-04-23 17:54:47 +020015762url_dec([<in_form>])
15763 Takes an url-encoded string provided as input and returns the decoded version
15764 as output. The input and the output are of type string. If the <in_form>
15765 argument is set to a non-zero integer value, the input string is assumed to
15766 be part of a form or query string and the '+' character will be turned into a
15767 space (' '). Otherwise this will only happen after a question mark indicating
15768 a query string ('?').
Thierry FOURNIER82ff3c92015-05-07 15:46:20 +020015769
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010015770ungrpc(<field_number>,[<field_type>])
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010015771 This extracts the protocol buffers message field in raw mode of an input binary
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010015772 sample representation of a gRPC message with <field_number> as field number
15773 (dotted notation) if <field_type> is not present, or as an integer sample if this
15774 field is present.
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010015775 The list of the authorized types is the following one: "int32", "int64", "uint32",
15776 "uint64", "sint32", "sint64", "bool", "enum" for the "varint" wire type 0
15777 "fixed64", "sfixed64", "double" for the 64bit wire type 1, "fixed32", "sfixed32",
15778 "float" for the wire type 5. Note that "string" is considered as a length-delimited
Frédéric Lécaille93d33162019-03-06 09:35:59 +010015779 type, so it does not require any <field_type> argument to be extracted.
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010015780 More information may be found here about the protocol buffers message field types:
15781 https://developers.google.com/protocol-buffers/docs/encoding
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010015782
15783 Example:
15784 // with such a protocol buffer .proto file content adapted from
15785 // https://github.com/grpc/grpc/blob/master/examples/protos/route_guide.proto
15786
15787 message Point {
15788 int32 latitude = 1;
15789 int32 longitude = 2;
15790 }
15791
15792 message PPoint {
15793 Point point = 59;
15794 }
15795
15796 message Rectangle {
15797 // One corner of the rectangle.
15798 PPoint lo = 48;
15799 // The other corner of the rectangle.
15800 PPoint hi = 49;
15801 }
15802
Peter Gervaidf4c9d22020-06-11 18:05:11 +020015803 let's say a body request is made of a "Rectangle" object value (two PPoint
15804 protocol buffers messages), the four protocol buffers fields could be
15805 extracted with these "ungrpc" directives:
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010015806
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010015807 req.body,ungrpc(48.59.1,int32) # "latitude" of "lo" first PPoint
15808 req.body,ungrpc(48.59.2,int32) # "longitude" of "lo" first PPoint
John Roeslerfb2fce12019-07-10 15:45:51 -050015809 req.body,ungrpc(49.59.1,int32) # "latitude" of "hi" second PPoint
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010015810 req.body,ungrpc(49.59.2,int32) # "longitude" of "hi" second PPoint
15811
Peter Gervaidf4c9d22020-06-11 18:05:11 +020015812 We could also extract the intermediary 48.59 field as a binary sample as follows:
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010015813
Frédéric Lécaille93d33162019-03-06 09:35:59 +010015814 req.body,ungrpc(48.59)
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010015815
Peter Gervaidf4c9d22020-06-11 18:05:11 +020015816 As a gRPC message is always made of a gRPC header followed by protocol buffers
15817 messages, in the previous example the "latitude" of "lo" first PPoint
15818 could be extracted with these equivalent directives:
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010015819
15820 req.body,ungrpc(48.59),protobuf(1,int32)
15821 req.body,ungrpc(48),protobuf(59.1,int32)
15822 req.body,ungrpc(48),protobuf(59),protobuf(1,int32)
15823
Peter Gervaidf4c9d22020-06-11 18:05:11 +020015824 Note that the first convert must be "ungrpc", the remaining ones must be
15825 "protobuf" and only the last one may have or not a second argument to
15826 interpret the previous binary sample.
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010015827
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010015828
Christopher Faulet85d79c92016-11-09 16:54:56 +010015829unset-var(<var name>)
15830 Unsets a variable if the input content is defined. The name of the variable
15831 starts with an indication about its scope. The scopes allowed are:
15832 "proc" : the variable is shared with the whole process
15833 "sess" : the variable is shared with the whole session
15834 "txn" : the variable is shared with the transaction (request and
15835 response),
15836 "req" : the variable is shared only during request processing,
15837 "res" : the variable is shared only during response processing.
15838 This prefix is followed by a name. The separator is a '.'. The name may only
15839 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
15840
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020015841utime(<format>[,<offset>])
15842 Converts an integer supposed to contain a date since epoch to a string
15843 representing this date in UTC time using a format defined by the <format>
15844 string using strftime(3). The purpose is to allow any date format to be used
15845 in logs. An optional <offset> in seconds may be applied to the input date
15846 (positive or negative). See the strftime() man page for the format supported
15847 by your operating system. See also the ltime converter.
15848
15849 Example :
15850
15851 # Emit two colons, one with the UTC time and another with ip:port
Davor Ocelice9ed2812017-12-25 17:49:28 +010015852 # e.g. 20140710162350 127.0.0.1:57325
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020015853 log-format %[date,utime(%Y%m%d%H%M%S)]\ %ci:%cp
15854
Marcin Deranek9631a282018-04-16 14:30:46 +020015855word(<index>,<delimiters>[,<count>])
15856 Extracts the nth word counting from the beginning (positive index) or from
15857 the end (negative index) considering given delimiters from an input string.
15858 Indexes start at 1 or -1 and delimiters are a string formatted list of chars.
Jerome Magnin88209322020-01-28 13:33:44 +010015859 Delimiters at the beginning or end of the input string are ignored.
Marcin Deranek9631a282018-04-16 14:30:46 +020015860 Optionally you can specify <count> of words to extract (default: 1).
15861 Value of 0 indicates extraction of all remaining words.
15862
15863 Example :
15864 str(f1_f2_f3__f5),word(4,_) # f5
15865 str(f1_f2_f3__f5),word(2,_,0) # f2_f3__f5
15866 str(f1_f2_f3__f5),word(3,_,2) # f3__f5
15867 str(f1_f2_f3__f5),word(-2,_,3) # f1_f2_f3
15868 str(f1_f2_f3__f5),word(-3,_,0) # f1_f2
Jerome Magnin88209322020-01-28 13:33:44 +010015869 str(/f1/f2/f3/f4),word(1,/) # f1
Emeric Brunc9a0f6d2014-11-25 14:09:01 +010015870
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020015871wt6([<avalanche>])
15872 Hashes a binary input sample into an unsigned 32-bit quantity using the WT6
15873 hash function. Optionally, it is possible to apply a full avalanche hash
15874 function to the output if the optional <avalanche> argument equals 1. This
15875 converter uses the same functions as used by the various hash-based load
15876 balancing algorithms, so it will provide exactly the same results. It is
15877 mostly intended for debugging, but can be used as a stick-table entry to
15878 collect rough statistics. It must not be used for security purposes as a
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010015879 32-bit hash is trivial to break. See also "crc32", "djb2", "sdbm", "crc32c",
15880 and the "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020015881
Willy Tarreau97707872015-01-27 15:12:13 +010015882xor(<value>)
15883 Performs a bitwise "XOR" (exclusive OR) between <value> and the input value
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015884 of type signed integer, and returns the result as an signed integer.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015885 <value> can be a numeric value or a variable name. The name of the variable
Daniel Schneller0b547052016-03-21 20:46:57 +010015886 starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015887 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015888 "sess" : the variable is shared with the whole session
15889 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015890 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010015891 "req" : the variable is shared only during request processing,
15892 "res" : the variable is shared only during response processing.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015893 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015894 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015895
Thierry FOURNIER01e09742016-12-26 11:46:11 +010015896xxh32([<seed>])
15897 Hashes a binary input sample into an unsigned 32-bit quantity using the 32-bit
15898 variant of the XXHash hash function. This hash supports a seed which defaults
15899 to zero but a different value maybe passed as the <seed> argument. This hash
15900 is known to be very good and very fast so it can be used to hash URLs and/or
15901 URL parameters for use as stick-table keys to collect statistics with a low
15902 collision rate, though care must be taken as the algorithm is not considered
15903 as cryptographically secure.
15904
15905xxh64([<seed>])
15906 Hashes a binary input sample into a signed 64-bit quantity using the 64-bit
15907 variant of the XXHash hash function. This hash supports a seed which defaults
15908 to zero but a different value maybe passed as the <seed> argument. This hash
15909 is known to be very good and very fast so it can be used to hash URLs and/or
15910 URL parameters for use as stick-table keys to collect statistics with a low
15911 collision rate, though care must be taken as the algorithm is not considered
15912 as cryptographically secure.
15913
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010015914
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200159157.3.2. Fetching samples from internal states
Willy Tarreau74ca5042013-06-11 23:12:07 +020015916--------------------------------------------
15917
15918A first set of sample fetch methods applies to internal information which does
15919not even relate to any client information. These ones are sometimes used with
15920"monitor-fail" directives to report an internal status to external watchers.
15921The sample fetch methods described in this section are usable anywhere.
15922
15923always_false : boolean
15924 Always returns the boolean "false" value. It may be used with ACLs as a
15925 temporary replacement for another one when adjusting configurations.
15926
15927always_true : boolean
15928 Always returns the boolean "true" value. It may be used with ACLs as a
15929 temporary replacement for another one when adjusting configurations.
15930
15931avg_queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010015932 Returns the total number of queued connections of the designated backend
Willy Tarreau74ca5042013-06-11 23:12:07 +020015933 divided by the number of active servers. The current backend is used if no
15934 backend is specified. This is very similar to "queue" except that the size of
15935 the farm is considered, in order to give a more accurate measurement of the
15936 time it may take for a new connection to be processed. The main usage is with
15937 ACL to return a sorry page to new users when it becomes certain they will get
15938 a degraded service, or to pass to the backend servers in a header so that
15939 they decide to work in degraded mode or to disable some functions to speed up
15940 the processing a bit. Note that in the event there would not be any active
15941 server anymore, twice the number of queued connections would be considered as
15942 the measured value. This is a fair estimate, as we expect one server to get
15943 back soon anyway, but we still prefer to send new traffic to another backend
15944 if in better shape. See also the "queue", "be_conn", and "be_sess_rate"
15945 sample fetches.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +010015946
Willy Tarreau74ca5042013-06-11 23:12:07 +020015947be_conn([<backend>]) : integer
Willy Tarreaua36af912009-10-10 12:02:45 +020015948 Applies to the number of currently established connections on the backend,
15949 possibly including the connection being evaluated. If no backend name is
15950 specified, the current one is used. But it is also possible to check another
15951 backend. It can be used to use a specific farm when the nominal one is full.
Patrick Hemmer4cdf3ab2018-06-14 17:10:27 -040015952 See also the "fe_conn", "queue", "be_conn_free", and "be_sess_rate" criteria.
15953
15954be_conn_free([<backend>]) : integer
15955 Returns an integer value corresponding to the number of available connections
15956 across available servers in the backend. Queue slots are not included. Backup
15957 servers are also not included, unless all other servers are down. If no
15958 backend name is specified, the current one is used. But it is also possible
15959 to check another backend. It can be used to use a specific farm when the
Patrick Hemmer155e93e2018-06-14 18:01:35 -040015960 nominal one is full. See also the "be_conn", "connslots", and "srv_conn_free"
15961 criteria.
Patrick Hemmer4cdf3ab2018-06-14 17:10:27 -040015962
15963 OTHER CAVEATS AND NOTES: if any of the server maxconn, or maxqueue is 0
15964 (meaning unlimited), then this fetch clearly does not make sense, in which
15965 case the value returned will be -1.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015966
Willy Tarreau74ca5042013-06-11 23:12:07 +020015967be_sess_rate([<backend>]) : integer
15968 Returns an integer value corresponding to the sessions creation rate on the
15969 backend, in number of new sessions per second. This is used with ACLs to
15970 switch to an alternate backend when an expensive or fragile one reaches too
Davor Ocelice9ed2812017-12-25 17:49:28 +010015971 high a session rate, or to limit abuse of service (e.g. prevent sucking of an
Willy Tarreau74ca5042013-06-11 23:12:07 +020015972 online dictionary). It can also be useful to add this element to logs using a
15973 log-format directive.
Willy Tarreaud63335a2010-02-26 12:56:52 +010015974
15975 Example :
15976 # Redirect to an error page if the dictionary is requested too often
15977 backend dynamic
15978 mode http
15979 acl being_scanned be_sess_rate gt 100
15980 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +010015981
Davor Ocelice9ed2812017-12-25 17:49:28 +010015982bin(<hex>) : bin
Thierry FOURNIERcc103292015-06-06 19:30:17 +020015983 Returns a binary chain. The input is the hexadecimal representation
15984 of the string.
15985
15986bool(<bool>) : bool
15987 Returns a boolean value. <bool> can be 'true', 'false', '1' or '0'.
15988 'false' and '0' are the same. 'true' and '1' are the same.
15989
Willy Tarreau74ca5042013-06-11 23:12:07 +020015990connslots([<backend>]) : integer
15991 Returns an integer value corresponding to the number of connection slots
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030015992 still available in the backend, by totaling the maximum amount of
Willy Tarreau74ca5042013-06-11 23:12:07 +020015993 connections on all servers and the maximum queue size. This is probably only
15994 used with ACLs.
Tait Clarridge7896d522012-12-05 21:39:31 -050015995
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080015996 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +020015997 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080015998 usage; see "use_backend" keyword) can be redirected to a different backend.
15999
Willy Tarreau55165fe2009-05-10 12:02:55 +020016000 'connslots' = number of available server connection slots, + number of
16001 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080016002
Willy Tarreaua36af912009-10-10 12:02:45 +020016003 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +020016004 useful when you have a case of traffic going to one single ip, splitting into
Willy Tarreau74ca5042013-06-11 23:12:07 +020016005 multiple backends (perhaps using ACLs to do name-based load balancing) and
Willy Tarreau55165fe2009-05-10 12:02:55 +020016006 you want to be able to differentiate between different backends, and their
Davor Ocelice9ed2812017-12-25 17:49:28 +010016007 available "connslots". Also, whereas "nbsrv" only measures servers that are
Willy Tarreau74ca5042013-06-11 23:12:07 +020016008 actually *down*, this fetch is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +020016009 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080016010
Willy Tarreau55165fe2009-05-10 12:02:55 +020016011 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
16012 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
Willy Tarreau74ca5042013-06-11 23:12:07 +020016013 then this fetch clearly does not make sense, in which case the value returned
Willy Tarreau55165fe2009-05-10 12:02:55 +020016014 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080016015
Willy Tarreau70fe9442018-11-22 16:07:39 +010016016cpu_calls : integer
16017 Returns the number of calls to the task processing the stream or current
16018 request since it was allocated. This number is reset for each new request on
16019 the same connections in case of HTTP keep-alive. This value should usually be
16020 low and stable (around 2 calls for a typically simple request) but may become
16021 high if some processing (compression, caching or analysis) is performed. This
16022 is purely for performance monitoring purposes.
16023
16024cpu_ns_avg : integer
16025 Returns the average number of nanoseconds spent in each call to the task
16026 processing the stream or current request. This number is reset for each new
16027 request on the same connections in case of HTTP keep-alive. This value
16028 indicates the overall cost of processing the request or the connection for
16029 each call. There is no good nor bad value but the time spent in a call
16030 automatically causes latency for other processing (see lat_ns_avg below),
16031 and may affect other connection's apparent response time. Certain operations
16032 like compression, complex regex matching or heavy Lua operations may directly
16033 affect this value, and having it in the logs will make it easier to spot the
16034 faulty processing that needs to be fixed to recover decent performance.
16035 Note: this value is exactly cpu_ns_tot divided by cpu_calls.
16036
16037cpu_ns_tot : integer
16038 Returns the total number of nanoseconds spent in each call to the task
16039 processing the stream or current request. This number is reset for each new
16040 request on the same connections in case of HTTP keep-alive. This value
16041 indicates the overall cost of processing the request or the connection for
16042 each call. There is no good nor bad value but the time spent in a call
16043 automatically causes latency for other processing (see lat_ns_avg below),
16044 induces CPU costs on the machine, and may affect other connection's apparent
16045 response time. Certain operations like compression, complex regex matching or
16046 heavy Lua operations may directly affect this value, and having it in the
16047 logs will make it easier to spot the faulty processing that needs to be fixed
16048 to recover decent performance. The value may be artificially high due to a
16049 high cpu_calls count, for example when processing many HTTP chunks, and for
16050 this reason it is often preferred to log cpu_ns_avg instead.
16051
Cyril Bonté6bcd1822019-11-05 23:13:59 +010016052date([<offset>],[<unit>]) : integer
Willy Tarreau6236d3a2013-07-25 14:28:25 +020016053 Returns the current date as the epoch (number of seconds since 01/01/1970).
Damien Claisseae6f1252019-10-30 15:57:28 +000016054
16055 If an offset value is specified, then it is added to the current date before
16056 returning the value. This is particularly useful to compute relative dates,
16057 as both positive and negative offsets are allowed.
Willy Tarreau276fae92013-07-25 14:36:01 +020016058 It is useful combined with the http_date converter.
16059
Damien Claisseae6f1252019-10-30 15:57:28 +000016060 <unit> is facultative, and can be set to "s" for seconds (default behavior),
16061 "ms" for milliseconds or "us" for microseconds.
16062 If unit is set, return value is an integer reflecting either seconds,
16063 milliseconds or microseconds since epoch, plus offset.
16064 It is useful when a time resolution of less than a second is needed.
16065
Willy Tarreau276fae92013-07-25 14:36:01 +020016066 Example :
16067
16068 # set an expires header to now+1 hour in every response
16069 http-response set-header Expires %[date(3600),http_date]
Willy Tarreau6236d3a2013-07-25 14:28:25 +020016070
Damien Claisseae6f1252019-10-30 15:57:28 +000016071 # set an expires header to now+1 hour in every response, with
16072 # millisecond granularity
16073 http-response set-header Expires %[date(3600000,ms),http_date(0,ms)]
16074
Etienne Carrierea792a0a2018-01-17 13:43:24 +010016075date_us : integer
16076 Return the microseconds part of the date (the "second" part is returned by
16077 date sample). This sample is coherent with the date sample as it is comes
16078 from the same timeval structure.
16079
Willy Tarreaud716f9b2017-10-13 11:03:15 +020016080distcc_body(<token>[,<occ>]) : binary
16081 Parses a distcc message and returns the body associated to occurrence #<occ>
16082 of the token <token>. Occurrences start at 1, and when unspecified, any may
16083 match though in practice only the first one is checked for now. This can be
16084 used to extract file names or arguments in files built using distcc through
16085 haproxy. Please refer to distcc's protocol documentation for the complete
16086 list of supported tokens.
16087
16088distcc_param(<token>[,<occ>]) : integer
16089 Parses a distcc message and returns the parameter associated to occurrence
16090 #<occ> of the token <token>. Occurrences start at 1, and when unspecified,
16091 any may match though in practice only the first one is checked for now. This
16092 can be used to extract certain information such as the protocol version, the
16093 file size or the argument in files built using distcc through haproxy.
16094 Another use case consists in waiting for the start of the preprocessed file
16095 contents before connecting to the server to avoid keeping idle connections.
16096 Please refer to distcc's protocol documentation for the complete list of
16097 supported tokens.
16098
16099 Example :
16100 # wait up to 20s for the pre-processed file to be uploaded
16101 tcp-request inspect-delay 20s
16102 tcp-request content accept if { distcc_param(DOTI) -m found }
16103 # send large files to the big farm
16104 use_backend big_farm if { distcc_param(DOTI) gt 1000000 }
16105
Willy Tarreau595ec542013-06-12 21:34:28 +020016106env(<name>) : string
16107 Returns a string containing the value of environment variable <name>. As a
16108 reminder, environment variables are per-process and are sampled when the
16109 process starts. This can be useful to pass some information to a next hop
16110 server, or with ACLs to take specific action when the process is started a
16111 certain way.
16112
16113 Examples :
16114 # Pass the Via header to next hop with the local hostname in it
16115 http-request add-header Via 1.1\ %[env(HOSTNAME)]
16116
16117 # reject cookie-less requests when the STOP environment variable is set
16118 http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
16119
Willy Tarreau74ca5042013-06-11 23:12:07 +020016120fe_conn([<frontend>]) : integer
16121 Returns the number of currently established connections on the frontend,
Willy Tarreaud63335a2010-02-26 12:56:52 +010016122 possibly including the connection being evaluated. If no frontend name is
16123 specified, the current one is used. But it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020016124 frontend. It can be used to return a sorry page before hard-blocking, or to
16125 use a specific backend to drain new requests when the farm is considered
Davor Ocelice9ed2812017-12-25 17:49:28 +010016126 full. This is mostly used with ACLs but can also be used to pass some
Willy Tarreau74ca5042013-06-11 23:12:07 +020016127 statistics to servers in HTTP headers. See also the "dst_conn", "be_conn",
16128 "fe_sess_rate" fetches.
Willy Tarreaua36af912009-10-10 12:02:45 +020016129
Nenad Merdanovicad9a7e92016-10-03 04:57:37 +020016130fe_req_rate([<frontend>]) : integer
16131 Returns an integer value corresponding to the number of HTTP requests per
16132 second sent to a frontend. This number can differ from "fe_sess_rate" in
16133 situations where client-side keep-alive is enabled.
16134
Willy Tarreau74ca5042013-06-11 23:12:07 +020016135fe_sess_rate([<frontend>]) : integer
16136 Returns an integer value corresponding to the sessions creation rate on the
16137 frontend, in number of new sessions per second. This is used with ACLs to
16138 limit the incoming session rate to an acceptable range in order to prevent
16139 abuse of service at the earliest moment, for example when combined with other
16140 layer 4 ACLs in order to force the clients to wait a bit for the rate to go
16141 down below the limit. It can also be useful to add this element to logs using
16142 a log-format directive. See also the "rate-limit sessions" directive for use
16143 in frontends.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010016144
16145 Example :
16146 # This frontend limits incoming mails to 10/s with a max of 100
16147 # concurrent connections. We accept any connection below 10/s, and
16148 # force excess clients to wait for 100 ms. Since clients are limited to
16149 # 100 max, there cannot be more than 10 incoming mails per second.
16150 frontend mail
16151 bind :25
16152 mode tcp
16153 maxconn 100
16154 acl too_fast fe_sess_rate ge 10
16155 tcp-request inspect-delay 100ms
16156 tcp-request content accept if ! too_fast
16157 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +010016158
Nenad Merdanovic807a6e72017-03-12 22:00:00 +010016159hostname : string
16160 Returns the system hostname.
16161
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016162int(<integer>) : signed integer
16163 Returns a signed integer.
16164
Thierry FOURNIERcc103292015-06-06 19:30:17 +020016165ipv4(<ipv4>) : ipv4
16166 Returns an ipv4.
16167
16168ipv6(<ipv6>) : ipv6
16169 Returns an ipv6.
16170
Willy Tarreau70fe9442018-11-22 16:07:39 +010016171lat_ns_avg : integer
16172 Returns the average number of nanoseconds spent between the moment the task
16173 handling the stream is woken up and the moment it is effectively called. This
16174 number is reset for each new request on the same connections in case of HTTP
16175 keep-alive. This value indicates the overall latency inflicted to the current
16176 request by all other requests being processed in parallel, and is a direct
16177 indicator of perceived performance due to noisy neighbours. In order to keep
16178 the value low, it is possible to reduce the scheduler's run queue depth using
16179 "tune.runqueue-depth", to reduce the number of concurrent events processed at
16180 once using "tune.maxpollevents", to decrease the stream's nice value using
Willy Tarreaue7723bd2020-06-24 11:11:02 +020016181 the "nice" option on the "bind" lines or in the frontend, to enable low
16182 latency scheduling using "tune.sched.low-latency", or to look for other heavy
16183 requests in logs (those exhibiting large values of "cpu_ns_avg"), whose
16184 processing needs to be adjusted or fixed. Compression of large buffers could
16185 be a culprit, like heavy regex or long lists of regex. Note: this value is
16186 exactly lat_ns_tot divided by cpu_calls.
Willy Tarreau70fe9442018-11-22 16:07:39 +010016187
16188lat_ns_tot : integer
16189 Returns the total number of nanoseconds spent between the moment the task
16190 handling the stream is woken up and the moment it is effectively called. This
16191 number is reset for each new request on the same connections in case of HTTP
16192 keep-alive. This value indicates the overall latency inflicted to the current
16193 request by all other requests being processed in parallel, and is a direct
16194 indicator of perceived performance due to noisy neighbours. In order to keep
16195 the value low, it is possible to reduce the scheduler's run queue depth using
16196 "tune.runqueue-depth", to reduce the number of concurrent events processed at
16197 once using "tune.maxpollevents", to decrease the stream's nice value using
Willy Tarreaue7723bd2020-06-24 11:11:02 +020016198 the "nice" option on the "bind" lines or in the frontend, to enable low
16199 latency scheduling using "tune.sched.low-latency", or to look for other heavy
16200 requests in logs (those exhibiting large values of "cpu_ns_avg"), whose
16201 processing needs to be adjusted or fixed. Compression of large buffers could
16202 be a culprit, like heavy regex or long lists of regex. Note: while it
Willy Tarreau70fe9442018-11-22 16:07:39 +010016203 may intuitively seem that the total latency adds to a transfer time, it is
16204 almost never true because while a task waits for the CPU, network buffers
16205 continue to fill up and the next call will process more at once. The value
16206 may be artificially high due to a high cpu_calls count, for example when
16207 processing many HTTP chunks, and for this reason it is often preferred to log
16208 lat_ns_avg instead, which is a more relevant performance indicator.
16209
Thierry FOURNIERcc103292015-06-06 19:30:17 +020016210meth(<method>) : method
16211 Returns a method.
16212
Willy Tarreau0f30d262014-11-24 16:02:05 +010016213nbproc : integer
16214 Returns an integer value corresponding to the number of processes that were
16215 started (it equals the global "nbproc" setting). This is useful for logging
16216 and debugging purposes.
16217
Willy Tarreau74ca5042013-06-11 23:12:07 +020016218nbsrv([<backend>]) : integer
16219 Returns an integer value corresponding to the number of usable servers of
16220 either the current backend or the named backend. This is mostly used with
16221 ACLs but can also be useful when added to logs. This is normally used to
Willy Tarreaud63335a2010-02-26 12:56:52 +010016222 switch to an alternate backend when the number of servers is too low to
16223 to handle some load. It is useful to report a failure when combined with
16224 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +010016225
Patrick Hemmerfabb24f2018-08-13 14:07:57 -040016226prio_class : integer
16227 Returns the priority class of the current session for http mode or connection
16228 for tcp mode. The value will be that set by the last call to "http-request
16229 set-priority-class" or "tcp-request content set-priority-class".
16230
16231prio_offset : integer
16232 Returns the priority offset of the current session for http mode or
16233 connection for tcp mode. The value will be that set by the last call to
16234 "http-request set-priority-offset" or "tcp-request content
16235 set-priority-offset".
16236
Willy Tarreau0f30d262014-11-24 16:02:05 +010016237proc : integer
16238 Returns an integer value corresponding to the position of the process calling
16239 the function, between 1 and global.nbproc. This is useful for logging and
16240 debugging purposes.
16241
Willy Tarreau74ca5042013-06-11 23:12:07 +020016242queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010016243 Returns the total number of queued connections of the designated backend,
16244 including all the connections in server queues. If no backend name is
16245 specified, the current one is used, but it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020016246 one. This is useful with ACLs or to pass statistics to backend servers. This
16247 can be used to take actions when queuing goes above a known level, generally
16248 indicating a surge of traffic or a massive slowdown on the servers. One
16249 possible action could be to reject new users but still accept old ones. See
16250 also the "avg_queue", "be_conn", and "be_sess_rate" fetches.
16251
Willy Tarreau84310e22014-02-14 11:59:04 +010016252rand([<range>]) : integer
16253 Returns a random integer value within a range of <range> possible values,
16254 starting at zero. If the range is not specified, it defaults to 2^32, which
16255 gives numbers between 0 and 4294967295. It can be useful to pass some values
16256 needed to take some routing decisions for example, or just for debugging
16257 purposes. This random must not be used for security purposes.
16258
Luca Schimweg8a694b82019-09-10 15:42:52 +020016259uuid([<version>]) : string
16260 Returns a UUID following the RFC4122 standard. If the version is not
16261 specified, a UUID version 4 (fully random) is returned.
16262 Currently, only version 4 is supported.
16263
Willy Tarreau74ca5042013-06-11 23:12:07 +020016264srv_conn([<backend>/]<server>) : integer
16265 Returns an integer value corresponding to the number of currently established
16266 connections on the designated server, possibly including the connection being
16267 evaluated. If <backend> is omitted, then the server is looked up in the
16268 current backend. It can be used to use a specific farm when one server is
16269 full, or to inform the server about our view of the number of active
Patrick Hemmer155e93e2018-06-14 18:01:35 -040016270 connections with it. See also the "fe_conn", "be_conn", "queue", and
16271 "srv_conn_free" fetch methods.
16272
16273srv_conn_free([<backend>/]<server>) : integer
16274 Returns an integer value corresponding to the number of available connections
16275 on the designated server, possibly including the connection being evaluated.
16276 The value does not include queue slots. If <backend> is omitted, then the
16277 server is looked up in the current backend. It can be used to use a specific
16278 farm when one server is full, or to inform the server about our view of the
16279 number of active connections with it. See also the "be_conn_free" and
16280 "srv_conn" fetch methods.
16281
16282 OTHER CAVEATS AND NOTES: If the server maxconn is 0, then this fetch clearly
16283 does not make sense, in which case the value returned will be -1.
Willy Tarreau74ca5042013-06-11 23:12:07 +020016284
16285srv_is_up([<backend>/]<server>) : boolean
16286 Returns true when the designated server is UP, and false when it is either
16287 DOWN or in maintenance mode. If <backend> is omitted, then the server is
16288 looked up in the current backend. It is mainly used to take action based on
Davor Ocelice9ed2812017-12-25 17:49:28 +010016289 an external status reported via a health check (e.g. a geographical site's
Willy Tarreau74ca5042013-06-11 23:12:07 +020016290 availability). Another possible use which is more of a hack consists in
16291 using dummy servers as boolean variables that can be enabled or disabled from
16292 the CLI, so that rules depending on those ACLs can be tweaked in realtime.
16293
Willy Tarreauff2b7af2017-10-13 11:46:26 +020016294srv_queue([<backend>/]<server>) : integer
16295 Returns an integer value corresponding to the number of connections currently
16296 pending in the designated server's queue. If <backend> is omitted, then the
16297 server is looked up in the current backend. It can sometimes be used together
16298 with the "use-server" directive to force to use a known faster server when it
16299 is not much loaded. See also the "srv_conn", "avg_queue" and "queue" sample
16300 fetch methods.
16301
Willy Tarreau74ca5042013-06-11 23:12:07 +020016302srv_sess_rate([<backend>/]<server>) : integer
16303 Returns an integer corresponding to the sessions creation rate on the
16304 designated server, in number of new sessions per second. If <backend> is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030016305 omitted, then the server is looked up in the current backend. This is mostly
Willy Tarreau74ca5042013-06-11 23:12:07 +020016306 used with ACLs but can make sense with logs too. This is used to switch to an
16307 alternate backend when an expensive or fragile one reaches too high a session
Davor Ocelice9ed2812017-12-25 17:49:28 +010016308 rate, or to limit abuse of service (e.g. prevent latent requests from
Willy Tarreau74ca5042013-06-11 23:12:07 +020016309 overloading servers).
16310
16311 Example :
16312 # Redirect to a separate back
16313 acl srv1_full srv_sess_rate(be1/srv1) gt 50
16314 acl srv2_full srv_sess_rate(be1/srv2) gt 50
16315 use_backend be2 if srv1_full or srv2_full
16316
Christopher Faulet1bea8652020-07-10 16:03:45 +020016317srv_iweight([<backend>/]<server>): integer
16318 Returns an integer corresponding to the server's initial weight. If <backend>
16319 is omitted, then the server is looked up in the current backend. See also
16320 "srv_weight" and "srv_uweight".
16321
16322srv_uweight([<backend>/]<server>): integer
16323 Returns an integer corresponding to the user visible server's weight. If
16324 <backend> is omitted, then the server is looked up in the current
16325 backend. See also "srv_weight" and "srv_iweight".
16326
16327srv_weight([<backend>/]<server>): integer
16328 Returns an integer corresponding to the current (or effective) server's
16329 weight. If <backend> is omitted, then the server is looked up in the current
16330 backend. See also "srv_iweight" and "srv_uweight".
16331
Willy Tarreau0f30d262014-11-24 16:02:05 +010016332stopping : boolean
16333 Returns TRUE if the process calling the function is currently stopping. This
16334 can be useful for logging, or for relaxing certain checks or helping close
16335 certain connections upon graceful shutdown.
16336
Thierry FOURNIERcc103292015-06-06 19:30:17 +020016337str(<string>) : string
16338 Returns a string.
16339
Willy Tarreau74ca5042013-06-11 23:12:07 +020016340table_avl([<table>]) : integer
16341 Returns the total number of available entries in the current proxy's
16342 stick-table or in the designated stick-table. See also table_cnt.
16343
16344table_cnt([<table>]) : integer
16345 Returns the total number of entries currently in use in the current proxy's
16346 stick-table or in the designated stick-table. See also src_conn_cnt and
16347 table_avl for other entry counting methods.
16348
Christopher Faulet34adb2a2017-11-21 21:45:38 +010016349thread : integer
16350 Returns an integer value corresponding to the position of the thread calling
16351 the function, between 0 and (global.nbthread-1). This is useful for logging
16352 and debugging purposes.
16353
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020016354var(<var-name>) : undefined
16355 Returns a variable with the stored type. If the variable is not set, the
Daniel Schneller0b547052016-03-21 20:46:57 +010016356 sample fetch fails. The name of the variable starts with an indication
16357 about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010016358 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010016359 "sess" : the variable is shared with the whole session
16360 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020016361 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010016362 "req" : the variable is shared only during request processing,
16363 "res" : the variable is shared only during response processing.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020016364 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010016365 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020016366
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200163677.3.3. Fetching samples at Layer 4
Willy Tarreau74ca5042013-06-11 23:12:07 +020016368----------------------------------
16369
16370The layer 4 usually describes just the transport layer which in haproxy is
16371closest to the connection, where no content is yet made available. The fetch
16372methods described here are usable as low as the "tcp-request connection" rule
16373sets unless they require some future information. Those generally include
16374TCP/IP addresses and ports, as well as elements from stick-tables related to
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016375the incoming connection. For retrieving a value from a sticky counters, the
16376counter number can be explicitly set as 0, 1, or 2 using the pre-defined
Moemen MHEDHBI9cf46342018-09-25 17:50:53 +020016377"sc0_", "sc1_", or "sc2_" prefix. These three pre-defined prefixes can only be
16378used if MAX_SESS_STKCTR value does not exceed 3, otherwise the counter number
16379can be specified as the first integer argument when using the "sc_" prefix.
16380Starting from "sc_0" to "sc_N" where N is (MAX_SESS_STKCTR-1). An optional
16381table may be specified with the "sc*" form, in which case the currently
16382tracked key will be looked up into this alternate table instead of the table
16383currently being tracked.
Willy Tarreau74ca5042013-06-11 23:12:07 +020016384
Jérôme Magnin35e53a62019-01-16 14:38:37 +010016385bc_http_major : integer
Jérôme Magnin86577422018-12-07 09:03:11 +010016386 Returns the backend connection's HTTP major version encoding, which may be 1
16387 for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire
16388 encoding and not the version present in the request header.
16389
Willy Tarreau74ca5042013-06-11 23:12:07 +020016390be_id : integer
16391 Returns an integer containing the current backend's id. It can be used in
Christopher Fauletd1b44642020-04-30 09:51:15 +020016392 frontends with responses to check which backend processed the request. It can
16393 also be used in a tcp-check or an http-check ruleset.
Willy Tarreau74ca5042013-06-11 23:12:07 +020016394
Marcin Deranekd2471c22016-12-12 14:08:05 +010016395be_name : string
16396 Returns a string containing the current backend's name. It can be used in
Christopher Fauletd1b44642020-04-30 09:51:15 +020016397 frontends with responses to check which backend processed the request. It can
16398 also be used in a tcp-check or an http-check ruleset.
Marcin Deranekd2471c22016-12-12 14:08:05 +010016399
Willy Tarreau74ca5042013-06-11 23:12:07 +020016400dst : ip
16401 This is the destination IPv4 address of the connection on the client side,
16402 which is the address the client connected to. It can be useful when running
16403 in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
16404 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
Willy Tarreau64ded3d2019-01-23 10:02:15 +010016405 RFC 4291. When the incoming connection passed through address translation or
16406 redirection involving connection tracking, the original destination address
16407 before the redirection will be reported. On Linux systems, the source and
16408 destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
16409 is set, because a late response may reopen a timed out connection and switch
16410 what is believed to be the source and the destination.
Willy Tarreau74ca5042013-06-11 23:12:07 +020016411
16412dst_conn : integer
16413 Returns an integer value corresponding to the number of currently established
16414 connections on the same socket including the one being evaluated. It is
16415 normally used with ACLs but can as well be used to pass the information to
16416 servers in an HTTP header or in logs. It can be used to either return a sorry
16417 page before hard-blocking, or to use a specific backend to drain new requests
16418 when the socket is considered saturated. This offers the ability to assign
16419 different limits to different listening ports or addresses. See also the
16420 "fe_conn" and "be_conn" fetches.
Willy Tarreaud63335a2010-02-26 12:56:52 +010016421
Willy Tarreau16e01562016-08-09 16:46:18 +020016422dst_is_local : boolean
16423 Returns true if the destination address of the incoming connection is local
16424 to the system, or false if the address doesn't exist on the system, meaning
16425 that it was intercepted in transparent mode. It can be useful to apply
16426 certain rules by default to forwarded traffic and other rules to the traffic
Davor Ocelice9ed2812017-12-25 17:49:28 +010016427 targeting the real address of the machine. For example the stats page could
Willy Tarreau16e01562016-08-09 16:46:18 +020016428 be delivered only on this address, or SSH access could be locally redirected.
16429 Please note that the check involves a few system calls, so it's better to do
16430 it only once per connection.
16431
Willy Tarreau74ca5042013-06-11 23:12:07 +020016432dst_port : integer
16433 Returns an integer value corresponding to the destination TCP port of the
16434 connection on the client side, which is the port the client connected to.
16435 This might be used when running in transparent mode, when assigning dynamic
16436 ports to some clients for a whole application session, to stick all users to
16437 a same server, or to pass the destination port information to a server using
16438 an HTTP header.
16439
Willy Tarreau60ca10a2017-08-18 15:26:54 +020016440fc_http_major : integer
16441 Reports the front connection's HTTP major version encoding, which may be 1
16442 for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire
16443 encoding and not on the version present in the request header.
16444
Geoff Simmons7185b782019-08-27 18:31:16 +020016445fc_pp_authority : string
16446 Returns the authority TLV sent by the client in the PROXY protocol header,
16447 if any.
16448
Tim Duesterhusd1b15b62020-03-13 12:34:23 +010016449fc_pp_unique_id : string
16450 Returns the unique ID TLV sent by the client in the PROXY protocol header,
16451 if any.
16452
Emeric Brun4f603012017-01-05 15:11:44 +010016453fc_rcvd_proxy : boolean
16454 Returns true if the client initiated the connection with a PROXY protocol
16455 header.
16456
Thierry Fournier / OZON.IO6310bef2016-07-24 20:16:50 +020016457fc_rtt(<unit>) : integer
16458 Returns the Round Trip Time (RTT) measured by the kernel for the client
16459 connection. <unit> is facultative, by default the unit is milliseconds. <unit>
16460 can be set to "ms" for milliseconds or "us" for microseconds. If the server
16461 connection is not established, if the connection is not TCP or if the
16462 operating system does not support TCP_INFO, for example Linux kernels before
16463 2.4, the sample fetch fails.
16464
16465fc_rttvar(<unit>) : integer
16466 Returns the Round Trip Time (RTT) variance measured by the kernel for the
16467 client connection. <unit> is facultative, by default the unit is milliseconds.
16468 <unit> can be set to "ms" for milliseconds or "us" for microseconds. If the
16469 server connection is not established, if the connection is not TCP or if the
16470 operating system does not support TCP_INFO, for example Linux kernels before
16471 2.4, the sample fetch fails.
16472
Christopher Fauletba0c53e2019-10-17 14:40:48 +020016473fc_unacked : integer
Joe Williams30fcd392016-08-10 07:06:44 -070016474 Returns the unacked counter measured by the kernel for the client connection.
16475 If the server connection is not established, if the connection is not TCP or
16476 if the operating system does not support TCP_INFO, for example Linux kernels
16477 before 2.4, the sample fetch fails.
16478
Christopher Fauletba0c53e2019-10-17 14:40:48 +020016479fc_sacked : integer
Joe Williams30fcd392016-08-10 07:06:44 -070016480 Returns the sacked counter measured by the kernel for the client connection.
16481 If the server connection is not established, if the connection is not TCP or
16482 if the operating system does not support TCP_INFO, for example Linux kernels
16483 before 2.4, the sample fetch fails.
16484
Christopher Fauletba0c53e2019-10-17 14:40:48 +020016485fc_retrans : integer
Joe Williams30fcd392016-08-10 07:06:44 -070016486 Returns the retransmits counter measured by the kernel for the client
16487 connection. If the server connection is not established, if the connection is
16488 not TCP or if the operating system does not support TCP_INFO, for example
16489 Linux kernels before 2.4, the sample fetch fails.
16490
Christopher Fauletba0c53e2019-10-17 14:40:48 +020016491fc_fackets : integer
Joe Williams30fcd392016-08-10 07:06:44 -070016492 Returns the fack counter measured by the kernel for the client
16493 connection. If the server connection is not established, if the connection is
16494 not TCP or if the operating system does not support TCP_INFO, for example
16495 Linux kernels before 2.4, the sample fetch fails.
16496
Christopher Fauletba0c53e2019-10-17 14:40:48 +020016497fc_lost : integer
Joe Williams30fcd392016-08-10 07:06:44 -070016498 Returns the lost counter measured by the kernel for the client
16499 connection. If the server connection is not established, if the connection is
16500 not TCP or if the operating system does not support TCP_INFO, for example
16501 Linux kernels before 2.4, the sample fetch fails.
16502
Christopher Fauletba0c53e2019-10-17 14:40:48 +020016503fc_reordering : integer
Joe Williams30fcd392016-08-10 07:06:44 -070016504 Returns the reordering counter measured by the kernel for the client
16505 connection. If the server connection is not established, if the connection is
16506 not TCP or if the operating system does not support TCP_INFO, for example
16507 Linux kernels before 2.4, the sample fetch fails.
16508
Marcin Deranek9a66dfb2018-04-13 14:37:50 +020016509fe_defbe : string
16510 Returns a string containing the frontend's default backend name. It can be
16511 used in frontends to check which backend will handle requests by default.
16512
Willy Tarreau74ca5042013-06-11 23:12:07 +020016513fe_id : integer
16514 Returns an integer containing the current frontend's id. It can be used in
Marcin Deranek6e413ed2016-12-13 12:40:01 +010016515 backends to check from which frontend it was called, or to stick all users
Willy Tarreau74ca5042013-06-11 23:12:07 +020016516 coming via a same frontend to the same server.
16517
Marcin Deranekd2471c22016-12-12 14:08:05 +010016518fe_name : string
16519 Returns a string containing the current frontend's name. It can be used in
16520 backends to check from which frontend it was called, or to stick all users
16521 coming via a same frontend to the same server.
16522
Cyril Bonté62ba8702014-04-22 23:52:25 +020016523sc_bytes_in_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016524sc0_bytes_in_rate([<table>]) : integer
16525sc1_bytes_in_rate([<table>]) : integer
16526sc2_bytes_in_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016527 Returns the average client-to-server bytes rate from the currently tracked
16528 counters, measured in amount of bytes over the period configured in the
16529 table. See also src_bytes_in_rate.
16530
Cyril Bonté62ba8702014-04-22 23:52:25 +020016531sc_bytes_out_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016532sc0_bytes_out_rate([<table>]) : integer
16533sc1_bytes_out_rate([<table>]) : integer
16534sc2_bytes_out_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016535 Returns the average server-to-client bytes rate from the currently tracked
16536 counters, measured in amount of bytes over the period configured in the
16537 table. See also src_bytes_out_rate.
16538
Cyril Bonté62ba8702014-04-22 23:52:25 +020016539sc_clr_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016540sc0_clr_gpc0([<table>]) : integer
16541sc1_clr_gpc0([<table>]) : integer
16542sc2_clr_gpc0([<table>]) : integer
Willy Tarreauf73cd112011-08-13 01:45:16 +020016543 Clears the first General Purpose Counter associated to the currently tracked
16544 counters, and returns its previous value. Before the first invocation, the
Willy Tarreau869948b2013-01-04 14:14:57 +010016545 stored value is zero, so first invocation will always return zero. This is
16546 typically used as a second ACL in an expression in order to mark a connection
16547 when a first ACL was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020016548
Jarno Huuskonen676f6222017-03-30 09:19:45 +030016549 Example:
Willy Tarreauf73cd112011-08-13 01:45:16 +020016550 # block if 5 consecutive requests continue to come faster than 10 sess
16551 # per second, and reset the counter as soon as the traffic slows down.
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020016552 acl abuse sc0_http_req_rate gt 10
16553 acl kill sc0_inc_gpc0 gt 5
16554 acl save sc0_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020016555 tcp-request connection accept if !abuse save
16556 tcp-request connection reject if abuse kill
16557
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016558sc_clr_gpc1(<ctr>[,<table>]) : integer
16559sc0_clr_gpc1([<table>]) : integer
16560sc1_clr_gpc1([<table>]) : integer
16561sc2_clr_gpc1([<table>]) : integer
16562 Clears the second General Purpose Counter associated to the currently tracked
16563 counters, and returns its previous value. Before the first invocation, the
16564 stored value is zero, so first invocation will always return zero. This is
16565 typically used as a second ACL in an expression in order to mark a connection
16566 when a first ACL was verified.
16567
Cyril Bonté62ba8702014-04-22 23:52:25 +020016568sc_conn_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016569sc0_conn_cnt([<table>]) : integer
16570sc1_conn_cnt([<table>]) : integer
16571sc2_conn_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016572 Returns the cumulative number of incoming connections from currently tracked
Willy Tarreaue9656522010-08-17 15:40:09 +020016573 counters. See also src_conn_cnt.
16574
Cyril Bonté62ba8702014-04-22 23:52:25 +020016575sc_conn_cur(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016576sc0_conn_cur([<table>]) : integer
16577sc1_conn_cur([<table>]) : integer
16578sc2_conn_cur([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016579 Returns the current amount of concurrent connections tracking the same
16580 tracked counters. This number is automatically incremented when tracking
16581 begins and decremented when tracking stops. See also src_conn_cur.
16582
Cyril Bonté62ba8702014-04-22 23:52:25 +020016583sc_conn_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016584sc0_conn_rate([<table>]) : integer
16585sc1_conn_rate([<table>]) : integer
16586sc2_conn_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016587 Returns the average connection rate from the currently tracked counters,
16588 measured in amount of connections over the period configured in the table.
16589 See also src_conn_rate.
16590
Cyril Bonté62ba8702014-04-22 23:52:25 +020016591sc_get_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016592sc0_get_gpc0([<table>]) : integer
16593sc1_get_gpc0([<table>]) : integer
16594sc2_get_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016595 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016596 currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020016597
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016598sc_get_gpc1(<ctr>[,<table>]) : integer
16599sc0_get_gpc1([<table>]) : integer
16600sc1_get_gpc1([<table>]) : integer
16601sc2_get_gpc1([<table>]) : integer
16602 Returns the value of the second General Purpose Counter associated to the
16603 currently tracked counters. See also src_get_gpc1 and sc/sc0/sc1/sc2_inc_gpc1.
16604
Thierry FOURNIER236657b2015-08-19 08:25:14 +020016605sc_get_gpt0(<ctr>[,<table>]) : integer
16606sc0_get_gpt0([<table>]) : integer
16607sc1_get_gpt0([<table>]) : integer
16608sc2_get_gpt0([<table>]) : integer
16609 Returns the value of the first General Purpose Tag associated to the
16610 currently tracked counters. See also src_get_gpt0.
16611
Cyril Bonté62ba8702014-04-22 23:52:25 +020016612sc_gpc0_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016613sc0_gpc0_rate([<table>]) : integer
16614sc1_gpc0_rate([<table>]) : integer
16615sc2_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020016616 Returns the average increment rate of the first General Purpose Counter
16617 associated to the currently tracked counters. It reports the frequency
16618 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016619 src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
16620 that the "gpc0_rate" counter must be stored in the stick-table for a value to
16621 be returned, as "gpc0" only holds the event count.
Willy Tarreaue9656522010-08-17 15:40:09 +020016622
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016623sc_gpc1_rate(<ctr>[,<table>]) : integer
16624sc0_gpc1_rate([<table>]) : integer
16625sc1_gpc1_rate([<table>]) : integer
16626sc2_gpc1_rate([<table>]) : integer
16627 Returns the average increment rate of the second General Purpose Counter
16628 associated to the currently tracked counters. It reports the frequency
16629 which the gpc1 counter was incremented over the configured period. See also
16630 src_gpcA_rate, sc/sc0/sc1/sc2_get_gpc1, and sc/sc0/sc1/sc2_inc_gpc1. Note
16631 that the "gpc1_rate" counter must be stored in the stick-table for a value to
16632 be returned, as "gpc1" only holds the event count.
16633
Cyril Bonté62ba8702014-04-22 23:52:25 +020016634sc_http_err_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016635sc0_http_err_cnt([<table>]) : integer
16636sc1_http_err_cnt([<table>]) : integer
16637sc2_http_err_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016638 Returns the cumulative number of HTTP errors from the currently tracked
Willy Tarreaue9656522010-08-17 15:40:09 +020016639 counters. This includes the both request errors and 4xx error responses.
16640 See also src_http_err_cnt.
16641
Cyril Bonté62ba8702014-04-22 23:52:25 +020016642sc_http_err_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016643sc0_http_err_rate([<table>]) : integer
16644sc1_http_err_rate([<table>]) : integer
16645sc2_http_err_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016646 Returns the average rate of HTTP errors from the currently tracked counters,
16647 measured in amount of errors over the period configured in the table. This
16648 includes the both request errors and 4xx error responses. See also
16649 src_http_err_rate.
16650
Cyril Bonté62ba8702014-04-22 23:52:25 +020016651sc_http_req_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016652sc0_http_req_cnt([<table>]) : integer
16653sc1_http_req_cnt([<table>]) : integer
16654sc2_http_req_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016655 Returns the cumulative number of HTTP requests from the currently tracked
Willy Tarreaue9656522010-08-17 15:40:09 +020016656 counters. This includes every started request, valid or not. See also
16657 src_http_req_cnt.
16658
Cyril Bonté62ba8702014-04-22 23:52:25 +020016659sc_http_req_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016660sc0_http_req_rate([<table>]) : integer
16661sc1_http_req_rate([<table>]) : integer
16662sc2_http_req_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016663 Returns the average rate of HTTP requests from the currently tracked
16664 counters, measured in amount of requests over the period configured in
16665 the table. This includes every started request, valid or not. See also
16666 src_http_req_rate.
16667
Cyril Bonté62ba8702014-04-22 23:52:25 +020016668sc_inc_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016669sc0_inc_gpc0([<table>]) : integer
16670sc1_inc_gpc0([<table>]) : integer
16671sc2_inc_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016672 Increments the first General Purpose Counter associated to the currently
Willy Tarreau869948b2013-01-04 14:14:57 +010016673 tracked counters, and returns its new value. Before the first invocation,
16674 the stored value is zero, so first invocation will increase it to 1 and will
16675 return 1. This is typically used as a second ACL in an expression in order
16676 to mark a connection when a first ACL was verified :
Willy Tarreaue9656522010-08-17 15:40:09 +020016677
Jarno Huuskonen676f6222017-03-30 09:19:45 +030016678 Example:
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020016679 acl abuse sc0_http_req_rate gt 10
16680 acl kill sc0_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020016681 tcp-request connection reject if abuse kill
16682
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016683sc_inc_gpc1(<ctr>[,<table>]) : integer
16684sc0_inc_gpc1([<table>]) : integer
16685sc1_inc_gpc1([<table>]) : integer
16686sc2_inc_gpc1([<table>]) : integer
16687 Increments the second General Purpose Counter associated to the currently
16688 tracked counters, and returns its new value. Before the first invocation,
16689 the stored value is zero, so first invocation will increase it to 1 and will
16690 return 1. This is typically used as a second ACL in an expression in order
16691 to mark a connection when a first ACL was verified.
16692
Cyril Bonté62ba8702014-04-22 23:52:25 +020016693sc_kbytes_in(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016694sc0_kbytes_in([<table>]) : integer
16695sc1_kbytes_in([<table>]) : integer
16696sc2_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020016697 Returns the total amount of client-to-server data from the currently tracked
16698 counters, measured in kilobytes. The test is currently performed on 32-bit
16699 integers, which limits values to 4 terabytes. See also src_kbytes_in.
Willy Tarreaue9656522010-08-17 15:40:09 +020016700
Cyril Bonté62ba8702014-04-22 23:52:25 +020016701sc_kbytes_out(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016702sc0_kbytes_out([<table>]) : integer
16703sc1_kbytes_out([<table>]) : integer
16704sc2_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020016705 Returns the total amount of server-to-client data from the currently tracked
16706 counters, measured in kilobytes. The test is currently performed on 32-bit
16707 integers, which limits values to 4 terabytes. See also src_kbytes_out.
Willy Tarreaue9656522010-08-17 15:40:09 +020016708
Cyril Bonté62ba8702014-04-22 23:52:25 +020016709sc_sess_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016710sc0_sess_cnt([<table>]) : integer
16711sc1_sess_cnt([<table>]) : integer
16712sc2_sess_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016713 Returns the cumulative number of incoming connections that were transformed
Willy Tarreaue9656522010-08-17 15:40:09 +020016714 into sessions, which means that they were accepted by a "tcp-request
16715 connection" rule, from the currently tracked counters. A backend may count
16716 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -040016717 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +020016718 with the client. See also src_sess_cnt.
16719
Cyril Bonté62ba8702014-04-22 23:52:25 +020016720sc_sess_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016721sc0_sess_rate([<table>]) : integer
16722sc1_sess_rate([<table>]) : integer
16723sc2_sess_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020016724 Returns the average session rate from the currently tracked counters,
16725 measured in amount of sessions over the period configured in the table. A
16726 session is a connection that got past the early "tcp-request connection"
16727 rules. A backend may count more sessions than connections because each
16728 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -040016729 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +020016730
Cyril Bonté62ba8702014-04-22 23:52:25 +020016731sc_tracked(<ctr>[,<table>]) : boolean
Willy Tarreau0f791d42013-07-23 19:56:43 +020016732sc0_tracked([<table>]) : boolean
16733sc1_tracked([<table>]) : boolean
16734sc2_tracked([<table>]) : boolean
Willy Tarreau6f1615f2013-06-03 15:15:22 +020016735 Returns true if the designated session counter is currently being tracked by
16736 the current session. This can be useful when deciding whether or not we want
16737 to set some values in a header passed to the server.
16738
Cyril Bonté62ba8702014-04-22 23:52:25 +020016739sc_trackers(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020016740sc0_trackers([<table>]) : integer
16741sc1_trackers([<table>]) : integer
16742sc2_trackers([<table>]) : integer
Willy Tarreau2406db42012-12-09 12:16:43 +010016743 Returns the current amount of concurrent connections tracking the same
16744 tracked counters. This number is automatically incremented when tracking
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020016745 begins and decremented when tracking stops. It differs from sc0_conn_cur in
Willy Tarreau2406db42012-12-09 12:16:43 +010016746 that it does not rely on any stored information but on the table's reference
16747 count (the "use" value which is returned by "show table" on the CLI). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020016748 may sometimes be more suited for layer7 tracking. It can be used to tell a
16749 server how many concurrent connections there are from a given address for
16750 example.
Willy Tarreau2406db42012-12-09 12:16:43 +010016751
Willy Tarreau74ca5042013-06-11 23:12:07 +020016752so_id : integer
16753 Returns an integer containing the current listening socket's id. It is useful
16754 in frontends involving many "bind" lines, or to stick all users coming via a
16755 same socket to the same server.
Willy Tarreaud63335a2010-02-26 12:56:52 +010016756
Jerome Magnineb421b22020-03-27 22:08:40 +010016757so_name : string
16758 Returns a string containing the current listening socket's name, as defined
16759 with name on a "bind" line. It can serve the same purposes as so_id but with
16760 strings instead of integers.
16761
Willy Tarreau74ca5042013-06-11 23:12:07 +020016762src : ip
Davor Ocelice9ed2812017-12-25 17:49:28 +010016763 This is the source IPv4 address of the client of the session. It is of type
Willy Tarreau74ca5042013-06-11 23:12:07 +020016764 IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
16765 mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
16766 TCP-level source address which is used, and not the address of a client
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010016767 behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
16768 directive is used, it can be the address of a client behind another
16769 PROXY-protocol compatible component for all rule sets except
Willy Tarreau64ded3d2019-01-23 10:02:15 +010016770 "tcp-request connection" which sees the real address. When the incoming
16771 connection passed through address translation or redirection involving
16772 connection tracking, the original destination address before the redirection
16773 will be reported. On Linux systems, the source and destination may seldom
16774 appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
16775 response may reopen a timed out connection and switch what is believed to be
16776 the source and the destination.
Willy Tarreaud63335a2010-02-26 12:56:52 +010016777
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010016778 Example:
16779 # add an HTTP header in requests with the originating address' country
16780 http-request set-header X-Country %[src,map_ip(geoip.lst)]
16781
Willy Tarreau74ca5042013-06-11 23:12:07 +020016782src_bytes_in_rate([<table>]) : integer
16783 Returns the average bytes rate from the incoming connection's source address
16784 in the current proxy's stick-table or in the designated stick-table, measured
16785 in amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016786 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016787
Willy Tarreau74ca5042013-06-11 23:12:07 +020016788src_bytes_out_rate([<table>]) : integer
16789 Returns the average bytes rate to the incoming connection's source address in
16790 the current proxy's stick-table or in the designated stick-table, measured in
Willy Tarreauc9705a12010-07-27 20:05:50 +020016791 amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016792 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016793
Willy Tarreau74ca5042013-06-11 23:12:07 +020016794src_clr_gpc0([<table>]) : integer
16795 Clears the first General Purpose Counter associated to the incoming
16796 connection's source address in the current proxy's stick-table or in the
16797 designated stick-table, and returns its previous value. If the address is not
16798 found, an entry is created and 0 is returned. This is typically used as a
16799 second ACL in an expression in order to mark a connection when a first ACL
16800 was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020016801
Jarno Huuskonen676f6222017-03-30 09:19:45 +030016802 Example:
Willy Tarreauf73cd112011-08-13 01:45:16 +020016803 # block if 5 consecutive requests continue to come faster than 10 sess
16804 # per second, and reset the counter as soon as the traffic slows down.
16805 acl abuse src_http_req_rate gt 10
16806 acl kill src_inc_gpc0 gt 5
Willy Tarreau869948b2013-01-04 14:14:57 +010016807 acl save src_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020016808 tcp-request connection accept if !abuse save
16809 tcp-request connection reject if abuse kill
16810
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016811src_clr_gpc1([<table>]) : integer
16812 Clears the second General Purpose Counter associated to the incoming
16813 connection's source address in the current proxy's stick-table or in the
16814 designated stick-table, and returns its previous value. If the address is not
16815 found, an entry is created and 0 is returned. This is typically used as a
16816 second ACL in an expression in order to mark a connection when a first ACL
16817 was verified.
16818
Willy Tarreau74ca5042013-06-11 23:12:07 +020016819src_conn_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016820 Returns the cumulative number of connections initiated from the current
Willy Tarreau74ca5042013-06-11 23:12:07 +020016821 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020016822 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016823 See also sc/sc0/sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016824
Willy Tarreau74ca5042013-06-11 23:12:07 +020016825src_conn_cur([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020016826 Returns the current amount of concurrent connections initiated from the
Willy Tarreau74ca5042013-06-11 23:12:07 +020016827 current incoming connection's source address in the current proxy's
16828 stick-table or in the designated stick-table. If the address is not found,
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016829 zero is returned. See also sc/sc0/sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016830
Willy Tarreau74ca5042013-06-11 23:12:07 +020016831src_conn_rate([<table>]) : integer
16832 Returns the average connection rate from the incoming connection's source
16833 address in the current proxy's stick-table or in the designated stick-table,
16834 measured in amount of connections over the period configured in the table. If
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016835 the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016836
Willy Tarreau74ca5042013-06-11 23:12:07 +020016837src_get_gpc0([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020016838 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau74ca5042013-06-11 23:12:07 +020016839 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020016840 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016841 See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016842
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016843src_get_gpc1([<table>]) : integer
16844 Returns the value of the second General Purpose Counter associated to the
16845 incoming connection's source address in the current proxy's stick-table or in
16846 the designated stick-table. If the address is not found, zero is returned.
16847 See also sc/sc0/sc1/sc2_get_gpc1 and src_inc_gpc1.
16848
Thierry FOURNIER236657b2015-08-19 08:25:14 +020016849src_get_gpt0([<table>]) : integer
16850 Returns the value of the first General Purpose Tag associated to the
16851 incoming connection's source address in the current proxy's stick-table or in
16852 the designated stick-table. If the address is not found, zero is returned.
16853 See also sc/sc0/sc1/sc2_get_gpt0.
16854
Willy Tarreau74ca5042013-06-11 23:12:07 +020016855src_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020016856 Returns the average increment rate of the first General Purpose Counter
Willy Tarreau74ca5042013-06-11 23:12:07 +020016857 associated to the incoming connection's source address in the current proxy's
Willy Tarreauba2ffd12013-05-29 15:54:14 +020016858 stick-table or in the designated stick-table. It reports the frequency
16859 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016860 sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
16861 that the "gpc0_rate" counter must be stored in the stick-table for a value to
16862 be returned, as "gpc0" only holds the event count.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020016863
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016864src_gpc1_rate([<table>]) : integer
16865 Returns the average increment rate of the second General Purpose Counter
16866 associated to the incoming connection's source address in the current proxy's
16867 stick-table or in the designated stick-table. It reports the frequency
16868 which the gpc1 counter was incremented over the configured period. See also
16869 sc/sc0/sc1/sc2_gpc1_rate, src_get_gpc1, and sc/sc0/sc1/sc2_inc_gpc1. Note
16870 that the "gpc1_rate" counter must be stored in the stick-table for a value to
16871 be returned, as "gpc1" only holds the event count.
16872
Willy Tarreau74ca5042013-06-11 23:12:07 +020016873src_http_err_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016874 Returns the cumulative number of HTTP errors from the incoming connection's
Willy Tarreau74ca5042013-06-11 23:12:07 +020016875 source address in the current proxy's stick-table or in the designated
Willy Tarreauc9705a12010-07-27 20:05:50 +020016876 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016877 See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is
Willy Tarreau74ca5042013-06-11 23:12:07 +020016878 returned.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016879
Willy Tarreau74ca5042013-06-11 23:12:07 +020016880src_http_err_rate([<table>]) : integer
16881 Returns the average rate of HTTP errors from the incoming connection's source
16882 address in the current proxy's stick-table or in the designated stick-table,
16883 measured in amount of errors over the period configured in the table. This
16884 includes the both request errors and 4xx error responses. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016885 not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016886
Willy Tarreau74ca5042013-06-11 23:12:07 +020016887src_http_req_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016888 Returns the cumulative number of HTTP requests from the incoming connection's
Willy Tarreau74ca5042013-06-11 23:12:07 +020016889 source address in the current proxy's stick-table or in the designated stick-
16890 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016891 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016892
Willy Tarreau74ca5042013-06-11 23:12:07 +020016893src_http_req_rate([<table>]) : integer
16894 Returns the average rate of HTTP requests from the incoming connection's
16895 source address in the current proxy's stick-table or in the designated stick-
16896 table, measured in amount of requests over the period configured in the
Willy Tarreauc9705a12010-07-27 20:05:50 +020016897 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016898 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016899
Willy Tarreau74ca5042013-06-11 23:12:07 +020016900src_inc_gpc0([<table>]) : integer
16901 Increments the first General Purpose Counter associated to the incoming
16902 connection's source address in the current proxy's stick-table or in the
16903 designated stick-table, and returns its new value. If the address is not
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020016904 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0.
Willy Tarreau74ca5042013-06-11 23:12:07 +020016905 This is typically used as a second ACL in an expression in order to mark a
16906 connection when a first ACL was verified :
Willy Tarreauc9705a12010-07-27 20:05:50 +020016907
Jarno Huuskonen676f6222017-03-30 09:19:45 +030016908 Example:
Willy Tarreauc9705a12010-07-27 20:05:50 +020016909 acl abuse src_http_req_rate gt 10
Willy Tarreau869948b2013-01-04 14:14:57 +010016910 acl kill src_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020016911 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +020016912
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016913src_inc_gpc1([<table>]) : integer
16914 Increments the second General Purpose Counter associated to the incoming
16915 connection's source address in the current proxy's stick-table or in the
16916 designated stick-table, and returns its new value. If the address is not
16917 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc1.
16918 This is typically used as a second ACL in an expression in order to mark a
16919 connection when a first ACL was verified.
16920
Willy Tarreau16e01562016-08-09 16:46:18 +020016921src_is_local : boolean
16922 Returns true if the source address of the incoming connection is local to the
16923 system, or false if the address doesn't exist on the system, meaning that it
16924 comes from a remote machine. Note that UNIX addresses are considered local.
16925 It can be useful to apply certain access restrictions based on where the
Davor Ocelice9ed2812017-12-25 17:49:28 +010016926 client comes from (e.g. require auth or https for remote machines). Please
Willy Tarreau16e01562016-08-09 16:46:18 +020016927 note that the check involves a few system calls, so it's better to do it only
16928 once per connection.
16929
Willy Tarreau74ca5042013-06-11 23:12:07 +020016930src_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020016931 Returns the total amount of data received from the incoming connection's
16932 source address in the current proxy's stick-table or in the designated
16933 stick-table, measured in kilobytes. If the address is not found, zero is
16934 returned. The test is currently performed on 32-bit integers, which limits
16935 values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016936
Willy Tarreau74ca5042013-06-11 23:12:07 +020016937src_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020016938 Returns the total amount of data sent to the incoming connection's source
16939 address in the current proxy's stick-table or in the designated stick-table,
16940 measured in kilobytes. If the address is not found, zero is returned. The
16941 test is currently performed on 32-bit integers, which limits values to 4
16942 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020016943
Willy Tarreau74ca5042013-06-11 23:12:07 +020016944src_port : integer
16945 Returns an integer value corresponding to the TCP source port of the
16946 connection on the client side, which is the port the client connected from.
16947 Usage of this function is very limited as modern protocols do not care much
16948 about source ports nowadays.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010016949
Willy Tarreau74ca5042013-06-11 23:12:07 +020016950src_sess_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010016951 Returns the cumulative number of connections initiated from the incoming
Willy Tarreauc9705a12010-07-27 20:05:50 +020016952 connection's source IPv4 address in the current proxy's stick-table or in the
16953 designated stick-table, that were transformed into sessions, which means that
16954 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016955 is returned. See also sc/sc0/sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016956
Willy Tarreau74ca5042013-06-11 23:12:07 +020016957src_sess_rate([<table>]) : integer
16958 Returns the average session rate from the incoming connection's source
16959 address in the current proxy's stick-table or in the designated stick-table,
16960 measured in amount of sessions over the period configured in the table. A
16961 session is a connection that went past the early "tcp-request" rules. If the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020016962 address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020016963
Willy Tarreau74ca5042013-06-11 23:12:07 +020016964src_updt_conn_cnt([<table>]) : integer
16965 Creates or updates the entry associated to the incoming connection's source
16966 address in the current proxy's stick-table or in the designated stick-table.
16967 This table must be configured to store the "conn_cnt" data type, otherwise
16968 the match will be ignored. The current count is incremented by one, and the
16969 expiration timer refreshed. The updated count is returned, so this match
16970 can't return zero. This was used to reject service abusers based on their
16971 source address. Note: it is recommended to use the more complete "track-sc*"
16972 actions in "tcp-request" rules instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020016973
16974 Example :
16975 # This frontend limits incoming SSH connections to 3 per 10 second for
16976 # each source address, and rejects excess connections until a 10 second
16977 # silence is observed. At most 20 addresses are tracked.
16978 listen ssh
16979 bind :22
16980 mode tcp
16981 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +020016982 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreau74ca5042013-06-11 23:12:07 +020016983 tcp-request content reject if { src_updt_conn_cnt gt 3 }
Willy Tarreaua975b8f2010-06-05 19:13:27 +020016984 server local 127.0.0.1:22
16985
Willy Tarreau74ca5042013-06-11 23:12:07 +020016986srv_id : integer
16987 Returns an integer containing the server's id when processing the response.
16988 While it's almost only used with ACLs, it may be used for logging or
Christopher Fauletd1b44642020-04-30 09:51:15 +020016989 debugging. It can also be used in a tcp-check or an http-check ruleset.
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +020016990
vkill1dfd1652019-10-30 16:58:14 +080016991srv_name : string
16992 Returns a string containing the server's name when processing the response.
16993 While it's almost only used with ACLs, it may be used for logging or
Christopher Fauletd1b44642020-04-30 09:51:15 +020016994 debugging. It can also be used in a tcp-check or an http-check ruleset.
vkill1dfd1652019-10-30 16:58:14 +080016995
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200169967.3.4. Fetching samples at Layer 5
Willy Tarreau74ca5042013-06-11 23:12:07 +020016997----------------------------------
Willy Tarreau0b1cd942010-05-16 22:18:27 +020016998
Willy Tarreau74ca5042013-06-11 23:12:07 +020016999The layer 5 usually describes just the session layer which in haproxy is
17000closest to the session once all the connection handshakes are finished, but
17001when no content is yet made available. The fetch methods described here are
17002usable as low as the "tcp-request content" rule sets unless they require some
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030017003future information. Those generally include the results of SSL negotiations.
Willy Tarreauc735a072011-03-29 00:57:02 +020017004
Ben Shillitof25e8e52016-12-02 14:25:37 +00001700551d.all(<prop>[,<prop>*]) : string
17006 Returns values for the properties requested as a string, where values are
17007 separated by the delimiter specified with "51degrees-property-separator".
17008 The device is identified using all the important HTTP headers from the
17009 request. The function can be passed up to five property names, and if a
17010 property name can't be found, the value "NoData" is returned.
17011
17012 Example :
17013 # Here the header "X-51D-DeviceTypeMobileTablet" is added to the request
17014 # containing the three properties requested using all relevant headers from
17015 # the request.
17016 frontend http-in
17017 bind *:8081
17018 default_backend servers
17019 http-request set-header X-51D-DeviceTypeMobileTablet \
17020 %[51d.all(DeviceType,IsMobile,IsTablet)]
17021
Emeric Brun645ae792014-04-30 14:21:06 +020017022ssl_bc : boolean
17023 Returns true when the back connection was made via an SSL/TLS transport
17024 layer and is locally deciphered. This means the outgoing connection was made
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017025 other a server with the "ssl" option. It can be used in a tcp-check or an
17026 http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020017027
17028ssl_bc_alg_keysize : integer
17029 Returns the symmetric cipher key size supported in bits when the outgoing
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017030 connection was made over an SSL/TLS transport layer. It can be used in a
17031 tcp-check or an http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020017032
Olivier Houchard6b77f492018-11-22 18:18:29 +010017033ssl_bc_alpn : string
17034 This extracts the Application Layer Protocol Negotiation field from an
17035 outgoing connection made via a TLS transport layer.
Michael Prokop4438c602019-05-24 10:25:45 +020017036 The result is a string containing the protocol name negotiated with the
Olivier Houchard6b77f492018-11-22 18:18:29 +010017037 server. The SSL library must have been built with support for TLS
17038 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
17039 not advertised unless the "alpn" keyword on the "server" line specifies a
17040 protocol list. Also, nothing forces the server to pick a protocol from this
17041 list, any other one may be requested. The TLS ALPN extension is meant to
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017042 replace the TLS NPN extension. See also "ssl_bc_npn". It can be used in a
17043 tcp-check or an http-check ruleset.
Olivier Houchard6b77f492018-11-22 18:18:29 +010017044
Emeric Brun645ae792014-04-30 14:21:06 +020017045ssl_bc_cipher : string
17046 Returns the name of the used cipher when the outgoing connection was made
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017047 over an SSL/TLS transport layer. It can be used in a tcp-check or an
17048 http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020017049
Patrick Hemmer65674662019-06-04 08:13:03 -040017050ssl_bc_client_random : binary
17051 Returns the client random of the back connection when the incoming connection
17052 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
17053 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017054 It can be used in a tcp-check or an http-check ruleset.
Patrick Hemmer65674662019-06-04 08:13:03 -040017055
Emeric Brun74f7ffa2018-02-19 16:14:12 +010017056ssl_bc_is_resumed : boolean
17057 Returns true when the back connection was made over an SSL/TLS transport
17058 layer and the newly created SSL session was resumed using a cached
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017059 session or a TLS ticket. It can be used in a tcp-check or an http-check
17060 ruleset.
Emeric Brun74f7ffa2018-02-19 16:14:12 +010017061
Olivier Houchard6b77f492018-11-22 18:18:29 +010017062ssl_bc_npn : string
17063 This extracts the Next Protocol Negotiation field from an outgoing connection
17064 made via a TLS transport layer. The result is a string containing the
Michael Prokop4438c602019-05-24 10:25:45 +020017065 protocol name negotiated with the server . The SSL library must have been
Olivier Houchard6b77f492018-11-22 18:18:29 +010017066 built with support for TLS extensions enabled (check haproxy -vv). Note that
17067 the TLS NPN extension is not advertised unless the "npn" keyword on the
17068 "server" line specifies a protocol list. Also, nothing forces the server to
17069 pick a protocol from this list, any other one may be used. Please note that
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017070 the TLS NPN extension was replaced with ALPN. It can be used in a tcp-check
17071 or an http-check ruleset.
Olivier Houchard6b77f492018-11-22 18:18:29 +010017072
Emeric Brun645ae792014-04-30 14:21:06 +020017073ssl_bc_protocol : string
17074 Returns the name of the used protocol when the outgoing connection was made
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017075 over an SSL/TLS transport layer. It can be used in a tcp-check or an
17076 http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020017077
Emeric Brunb73a9b02014-04-30 18:49:19 +020017078ssl_bc_unique_id : binary
Emeric Brun645ae792014-04-30 14:21:06 +020017079 When the outgoing connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020017080 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017081 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". It
17082 can be used in a tcp-check or an http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020017083
Patrick Hemmer65674662019-06-04 08:13:03 -040017084ssl_bc_server_random : binary
17085 Returns the server random of the back connection when the incoming connection
17086 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
17087 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017088 It can be used in a tcp-check or an http-check ruleset.
Patrick Hemmer65674662019-06-04 08:13:03 -040017089
Emeric Brun645ae792014-04-30 14:21:06 +020017090ssl_bc_session_id : binary
17091 Returns the SSL ID of the back connection when the outgoing connection was
17092 made over an SSL/TLS transport layer. It is useful to log if we want to know
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017093 if session was reused or not. It can be used in a tcp-check or an http-check
17094 ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020017095
Patrick Hemmere0275472018-04-28 19:15:51 -040017096ssl_bc_session_key : binary
17097 Returns the SSL session master key of the back connection when the outgoing
17098 connection was made over an SSL/TLS transport layer. It is useful to decrypt
17099 traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017100 BoringSSL. It can be used in a tcp-check or an http-check ruleset.
Patrick Hemmere0275472018-04-28 19:15:51 -040017101
Emeric Brun645ae792014-04-30 14:21:06 +020017102ssl_bc_use_keysize : integer
17103 Returns the symmetric cipher key size used in bits when the outgoing
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020017104 connection was made over an SSL/TLS transport layer. It can be used in a
17105 tcp-check or an http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020017106
Willy Tarreau74ca5042013-06-11 23:12:07 +020017107ssl_c_ca_err : integer
17108 When the incoming connection was made over an SSL/TLS transport layer,
17109 returns the ID of the first error detected during verification of the client
17110 certificate at depth > 0, or 0 if no error was encountered during this
17111 verification process. Please refer to your SSL library's documentation to
17112 find the exhaustive list of error codes.
Willy Tarreauc735a072011-03-29 00:57:02 +020017113
Willy Tarreau74ca5042013-06-11 23:12:07 +020017114ssl_c_ca_err_depth : integer
17115 When the incoming connection was made over an SSL/TLS transport layer,
17116 returns the depth in the CA chain of the first error detected during the
17117 verification of the client certificate. If no error is encountered, 0 is
17118 returned.
Willy Tarreau0ba27502007-12-24 16:55:16 +010017119
Emeric Brun43e79582014-10-29 19:03:26 +010017120ssl_c_der : binary
17121 Returns the DER formatted certificate presented by the client when the
17122 incoming connection was made over an SSL/TLS transport layer. When used for
17123 an ACL, the value(s) to match against can be passed in hexadecimal form.
17124
William Dauchya598b502020-08-06 18:11:38 +020017125ssl_c_der_chain : binary
17126 Returns the DER formatted chain certificate presented by the client when the
17127 incoming connection was made over an SSL/TLS transport layer. When used for
17128 an ACL, the value(s) to match against can be passed in hexadecimal form. One
17129 can parse the result with any lib accepting ASN.1 DER data. It currentlly
17130 does not support resumed sessions.
17131
Willy Tarreau74ca5042013-06-11 23:12:07 +020017132ssl_c_err : integer
17133 When the incoming connection was made over an SSL/TLS transport layer,
17134 returns the ID of the first error detected during verification at depth 0, or
17135 0 if no error was encountered during this verification process. Please refer
17136 to your SSL library's documentation to find the exhaustive list of error
17137 codes.
Willy Tarreau62644772008-07-16 18:36:06 +020017138
Elliot Otchet71f82972020-01-15 08:12:14 -050017139ssl_c_i_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020017140 When the incoming connection was made over an SSL/TLS transport layer,
17141 returns the full distinguished name of the issuer of the certificate
17142 presented by the client when no <entry> is specified, or the value of the
17143 first given entry found from the beginning of the DN. If a positive/negative
17144 occurrence number is specified as the optional second argument, it returns
17145 the value of the nth given entry value from the beginning/end of the DN.
17146 For instance, "ssl_c_i_dn(OU,2)" the second organization unit, and
17147 "ssl_c_i_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050017148 The <format> parameter allows you to receive the DN suitable for
17149 consumption by different protocols. Currently supported is rfc2253 for
17150 LDAP v3.
17151 If you'd like to modify the format only you can specify an empty string
17152 and zero for the first two parameters. Example: ssl_c_i_dn(,0,rfc2253)
Willy Tarreau62644772008-07-16 18:36:06 +020017153
Willy Tarreau74ca5042013-06-11 23:12:07 +020017154ssl_c_key_alg : string
17155 Returns the name of the algorithm used to generate the key of the certificate
17156 presented by the client when the incoming connection was made over an SSL/TLS
17157 transport layer.
Willy Tarreau62644772008-07-16 18:36:06 +020017158
Willy Tarreau74ca5042013-06-11 23:12:07 +020017159ssl_c_notafter : string
17160 Returns the end date presented by the client as a formatted string
17161 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
17162 transport layer.
Emeric Brunbede3d02009-06-30 17:54:00 +020017163
Willy Tarreau74ca5042013-06-11 23:12:07 +020017164ssl_c_notbefore : string
17165 Returns the start date presented by the client as a formatted string
17166 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
17167 transport layer.
Willy Tarreaub6672b52011-12-12 17:23:41 +010017168
Elliot Otchet71f82972020-01-15 08:12:14 -050017169ssl_c_s_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020017170 When the incoming connection was made over an SSL/TLS transport layer,
17171 returns the full distinguished name of the subject of the certificate
17172 presented by the client when no <entry> is specified, or the value of the
17173 first given entry found from the beginning of the DN. If a positive/negative
17174 occurrence number is specified as the optional second argument, it returns
17175 the value of the nth given entry value from the beginning/end of the DN.
17176 For instance, "ssl_c_s_dn(OU,2)" the second organization unit, and
17177 "ssl_c_s_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050017178 The <format> parameter allows you to receive the DN suitable for
17179 consumption by different protocols. Currently supported is rfc2253 for
17180 LDAP v3.
17181 If you'd like to modify the format only you can specify an empty string
17182 and zero for the first two parameters. Example: ssl_c_s_dn(,0,rfc2253)
Willy Tarreaub6672b52011-12-12 17:23:41 +010017183
Willy Tarreau74ca5042013-06-11 23:12:07 +020017184ssl_c_serial : binary
17185 Returns the serial of the certificate presented by the client when the
17186 incoming connection was made over an SSL/TLS transport layer. When used for
17187 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun2525b6b2012-10-18 15:59:43 +020017188
Willy Tarreau74ca5042013-06-11 23:12:07 +020017189ssl_c_sha1 : binary
17190 Returns the SHA-1 fingerprint of the certificate presented by the client when
17191 the incoming connection was made over an SSL/TLS transport layer. This can be
17192 used to stick a client to a server, or to pass this information to a server.
Willy Tarreau2d0caa32014-07-02 19:01:22 +020017193 Note that the output is binary, so if you want to pass that signature to the
17194 server, you need to encode it in hex or base64, such as in the example below:
17195
Jarno Huuskonen676f6222017-03-30 09:19:45 +030017196 Example:
Willy Tarreau2d0caa32014-07-02 19:01:22 +020017197 http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
Emeric Brun2525b6b2012-10-18 15:59:43 +020017198
Willy Tarreau74ca5042013-06-11 23:12:07 +020017199ssl_c_sig_alg : string
17200 Returns the name of the algorithm used to sign the certificate presented by
17201 the client when the incoming connection was made over an SSL/TLS transport
17202 layer.
Emeric Brun87855892012-10-17 17:39:35 +020017203
Willy Tarreau74ca5042013-06-11 23:12:07 +020017204ssl_c_used : boolean
17205 Returns true if current SSL session uses a client certificate even if current
17206 connection uses SSL session resumption. See also "ssl_fc_has_crt".
Emeric Brun7f56e742012-10-19 18:15:40 +020017207
Willy Tarreau74ca5042013-06-11 23:12:07 +020017208ssl_c_verify : integer
17209 Returns the verify result error ID when the incoming connection was made over
17210 an SSL/TLS transport layer, otherwise zero if no error is encountered. Please
17211 refer to your SSL library's documentation for an exhaustive list of error
17212 codes.
Emeric Brunce5ad802012-10-22 14:11:22 +020017213
Willy Tarreau74ca5042013-06-11 23:12:07 +020017214ssl_c_version : integer
17215 Returns the version of the certificate presented by the client when the
17216 incoming connection was made over an SSL/TLS transport layer.
Emeric Brunce5ad802012-10-22 14:11:22 +020017217
Emeric Brun43e79582014-10-29 19:03:26 +010017218ssl_f_der : binary
17219 Returns the DER formatted certificate presented by the frontend when the
17220 incoming connection was made over an SSL/TLS transport layer. When used for
17221 an ACL, the value(s) to match against can be passed in hexadecimal form.
17222
Elliot Otchet71f82972020-01-15 08:12:14 -050017223ssl_f_i_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020017224 When the incoming connection was made over an SSL/TLS transport layer,
17225 returns the full distinguished name of the issuer of the certificate
17226 presented by the frontend when no <entry> is specified, or the value of the
17227 first given entry found from the beginning of the DN. If a positive/negative
Emeric Brun87855892012-10-17 17:39:35 +020017228 occurrence number is specified as the optional second argument, it returns
Willy Tarreau74ca5042013-06-11 23:12:07 +020017229 the value of the nth given entry value from the beginning/end of the DN.
17230 For instance, "ssl_f_i_dn(OU,2)" the second organization unit, and
17231 "ssl_f_i_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050017232 The <format> parameter allows you to receive the DN suitable for
17233 consumption by different protocols. Currently supported is rfc2253 for
17234 LDAP v3.
17235 If you'd like to modify the format only you can specify an empty string
17236 and zero for the first two parameters. Example: ssl_f_i_dn(,0,rfc2253)
Emeric Brun87855892012-10-17 17:39:35 +020017237
Willy Tarreau74ca5042013-06-11 23:12:07 +020017238ssl_f_key_alg : string
17239 Returns the name of the algorithm used to generate the key of the certificate
17240 presented by the frontend when the incoming connection was made over an
17241 SSL/TLS transport layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020017242
Willy Tarreau74ca5042013-06-11 23:12:07 +020017243ssl_f_notafter : string
17244 Returns the end date presented by the frontend as a formatted string
17245 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
17246 transport layer.
Emeric Brun2525b6b2012-10-18 15:59:43 +020017247
Willy Tarreau74ca5042013-06-11 23:12:07 +020017248ssl_f_notbefore : string
17249 Returns the start date presented by the frontend as a formatted string
17250 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
17251 transport layer.
Emeric Brun87855892012-10-17 17:39:35 +020017252
Elliot Otchet71f82972020-01-15 08:12:14 -050017253ssl_f_s_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020017254 When the incoming connection was made over an SSL/TLS transport layer,
17255 returns the full distinguished name of the subject of the certificate
17256 presented by the frontend when no <entry> is specified, or the value of the
17257 first given entry found from the beginning of the DN. If a positive/negative
17258 occurrence number is specified as the optional second argument, it returns
17259 the value of the nth given entry value from the beginning/end of the DN.
17260 For instance, "ssl_f_s_dn(OU,2)" the second organization unit, and
17261 "ssl_f_s_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050017262 The <format> parameter allows you to receive the DN suitable for
17263 consumption by different protocols. Currently supported is rfc2253 for
17264 LDAP v3.
17265 If you'd like to modify the format only you can specify an empty string
17266 and zero for the first two parameters. Example: ssl_f_s_dn(,0,rfc2253)
Emeric Brunce5ad802012-10-22 14:11:22 +020017267
Willy Tarreau74ca5042013-06-11 23:12:07 +020017268ssl_f_serial : binary
17269 Returns the serial of the certificate presented by the frontend when the
17270 incoming connection was made over an SSL/TLS transport layer. When used for
17271 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun87855892012-10-17 17:39:35 +020017272
Emeric Brun55f4fa82014-04-30 17:11:25 +020017273ssl_f_sha1 : binary
17274 Returns the SHA-1 fingerprint of the certificate presented by the frontend
17275 when the incoming connection was made over an SSL/TLS transport layer. This
17276 can be used to know which certificate was chosen using SNI.
17277
Willy Tarreau74ca5042013-06-11 23:12:07 +020017278ssl_f_sig_alg : string
17279 Returns the name of the algorithm used to sign the certificate presented by
17280 the frontend when the incoming connection was made over an SSL/TLS transport
17281 layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020017282
Willy Tarreau74ca5042013-06-11 23:12:07 +020017283ssl_f_version : integer
17284 Returns the version of the certificate presented by the frontend when the
17285 incoming connection was made over an SSL/TLS transport layer.
17286
17287ssl_fc : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020017288 Returns true when the front connection was made via an SSL/TLS transport
17289 layer and is locally deciphered. This means it has matched a socket declared
17290 with a "bind" line having the "ssl" option.
17291
Willy Tarreau74ca5042013-06-11 23:12:07 +020017292 Example :
17293 # This passes "X-Proto: https" to servers when client connects over SSL
17294 listen http-https
17295 bind :80
17296 bind :443 ssl crt /etc/haproxy.pem
17297 http-request add-header X-Proto https if { ssl_fc }
17298
17299ssl_fc_alg_keysize : integer
17300 Returns the symmetric cipher key size supported in bits when the incoming
17301 connection was made over an SSL/TLS transport layer.
17302
17303ssl_fc_alpn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030017304 This extracts the Application Layer Protocol Negotiation field from an
Willy Tarreau74ca5042013-06-11 23:12:07 +020017305 incoming connection made via a TLS transport layer and locally deciphered by
17306 haproxy. The result is a string containing the protocol name advertised by
17307 the client. The SSL library must have been built with support for TLS
17308 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
17309 not advertised unless the "alpn" keyword on the "bind" line specifies a
17310 protocol list. Also, nothing forces the client to pick a protocol from this
17311 list, any other one may be requested. The TLS ALPN extension is meant to
17312 replace the TLS NPN extension. See also "ssl_fc_npn".
17313
Willy Tarreau74ca5042013-06-11 23:12:07 +020017314ssl_fc_cipher : string
17315 Returns the name of the used cipher when the incoming connection was made
17316 over an SSL/TLS transport layer.
Willy Tarreauab861d32013-04-02 02:30:41 +020017317
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010017318ssl_fc_cipherlist_bin : binary
17319 Returns the binary form of the client hello cipher list. The maximum returned
17320 value length is according with the value of
Emmanuel Hocdetaaee7502017-03-07 18:34:58 +010017321 "tune.ssl.capture-cipherlist-size".
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010017322
17323ssl_fc_cipherlist_hex : string
17324 Returns the binary form of the client hello cipher list encoded as
17325 hexadecimal. The maximum returned value length is according with the value of
Emmanuel Hocdetaaee7502017-03-07 18:34:58 +010017326 "tune.ssl.capture-cipherlist-size".
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010017327
17328ssl_fc_cipherlist_str : string
17329 Returns the decoded text form of the client hello cipher list. The maximum
17330 number of ciphers returned is according with the value of
17331 "tune.ssl.capture-cipherlist-size". Note that this sample-fetch is only
Davor Ocelice9ed2812017-12-25 17:49:28 +010017332 available with OpenSSL >= 1.0.2. If the function is not enabled, this
Emmanuel Hocdetddcde192017-09-01 17:32:08 +020017333 sample-fetch returns the hash like "ssl_fc_cipherlist_xxh".
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010017334
17335ssl_fc_cipherlist_xxh : integer
17336 Returns a xxh64 of the cipher list. This hash can be return only is the value
17337 "tune.ssl.capture-cipherlist-size" is set greater than 0, however the hash
Emmanuel Hocdetaaee7502017-03-07 18:34:58 +010017338 take in account all the data of the cipher list.
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010017339
Patrick Hemmer65674662019-06-04 08:13:03 -040017340ssl_fc_client_random : binary
17341 Returns the client random of the front connection when the incoming connection
17342 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
17343 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
17344
William Lallemand7d42ef52020-07-06 11:41:30 +020017345ssl_fc_client_early_traffic_secret : string
17346 Return the CLIENT_EARLY_TRAFFIC_SECRET as an hexadecimal string for the
17347 front connection when the incoming connection was made over a TLS 1.3
17348 transport layer.
17349 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
17350 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
17351 activated with "tune.ssl.keylog on" in the global section. See also
17352 "tune.ssl.keylog"
17353
17354ssl_fc_client_handshake_traffic_secret : string
17355 Return the CLIENT_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the
17356 front connection when the incoming connection was made over a TLS 1.3
17357 transport layer.
17358 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
17359 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
17360 activated with "tune.ssl.keylog on" in the global section. See also
17361 "tune.ssl.keylog"
17362
17363ssl_fc_client_traffic_secret_0 : string
17364 Return the CLIENT_TRAFFIC_SECRET_0 as an hexadecimal string for the
17365 front connection when the incoming connection was made over a TLS 1.3
17366 transport layer.
17367 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
17368 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
17369 activated with "tune.ssl.keylog on" in the global section. See also
17370 "tune.ssl.keylog"
17371
17372ssl_fc_exporter_secret : string
17373 Return the EXPORTER_SECRET as an hexadecimal string for the
17374 front connection when the incoming connection was made over a TLS 1.3
17375 transport layer.
17376 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
17377 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
17378 activated with "tune.ssl.keylog on" in the global section. See also
17379 "tune.ssl.keylog"
17380
17381ssl_fc_early_exporter_secret : string
17382 Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the
17383 front connection when the incoming connection was made over an TLS 1.3
17384 transport layer.
17385 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
17386 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
17387 activated with "tune.ssl.keylog on" in the global section. See also
17388 "tune.ssl.keylog"
17389
Willy Tarreau74ca5042013-06-11 23:12:07 +020017390ssl_fc_has_crt : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020017391 Returns true if a client certificate is present in an incoming connection over
17392 SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Emeric Brun9143d372012-12-20 15:44:16 +010017393 Note: on SSL session resumption with Session ID or TLS ticket, client
17394 certificate is not present in the current connection but may be retrieved
17395 from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
17396 current SSL session uses a client certificate.
Emeric Brun2525b6b2012-10-18 15:59:43 +020017397
Olivier Houchardccaa7de2017-10-02 11:51:03 +020017398ssl_fc_has_early : boolean
17399 Returns true if early data were sent, and the handshake didn't happen yet. As
17400 it has security implications, it is useful to be able to refuse those, or
17401 wait until the handshake happened.
17402
Willy Tarreau74ca5042013-06-11 23:12:07 +020017403ssl_fc_has_sni : boolean
17404 This checks for the presence of a Server Name Indication TLS extension (SNI)
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020017405 in an incoming connection was made over an SSL/TLS transport layer. Returns
17406 true when the incoming connection presents a TLS SNI field. This requires
John Roeslerfb2fce12019-07-10 15:45:51 -050017407 that the SSL library is built with support for TLS extensions enabled (check
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020017408 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +020017409
Nenad Merdanovic1516fe32016-05-17 03:31:21 +020017410ssl_fc_is_resumed : boolean
Nenad Merdanovic26ea8222015-05-18 02:28:57 +020017411 Returns true if the SSL/TLS session has been resumed through the use of
Jérôme Magnin4a326cb2018-01-15 14:01:17 +010017412 SSL session cache or TLS tickets on an incoming connection over an SSL/TLS
17413 transport layer.
Nenad Merdanovic26ea8222015-05-18 02:28:57 +020017414
Willy Tarreau74ca5042013-06-11 23:12:07 +020017415ssl_fc_npn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030017416 This extracts the Next Protocol Negotiation field from an incoming connection
Willy Tarreau74ca5042013-06-11 23:12:07 +020017417 made via a TLS transport layer and locally deciphered by haproxy. The result
17418 is a string containing the protocol name advertised by the client. The SSL
17419 library must have been built with support for TLS extensions enabled (check
17420 haproxy -vv). Note that the TLS NPN extension is not advertised unless the
17421 "npn" keyword on the "bind" line specifies a protocol list. Also, nothing
17422 forces the client to pick a protocol from this list, any other one may be
17423 requested. Please note that the TLS NPN extension was replaced with ALPN.
Willy Tarreaua33c6542012-10-15 13:19:06 +020017424
Willy Tarreau74ca5042013-06-11 23:12:07 +020017425ssl_fc_protocol : string
17426 Returns the name of the used protocol when the incoming connection was made
17427 over an SSL/TLS transport layer.
Willy Tarreau7875d092012-09-10 08:20:03 +020017428
Emeric Brunb73a9b02014-04-30 18:49:19 +020017429ssl_fc_unique_id : binary
David Sc1ad52e2014-04-08 18:48:47 -040017430 When the incoming connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020017431 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
17432 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
David Sc1ad52e2014-04-08 18:48:47 -040017433
William Lallemand7d42ef52020-07-06 11:41:30 +020017434ssl_fc_server_handshake_traffic_secret : string
17435 Return the SERVER_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the
17436 front connection when the incoming connection was made over a TLS 1.3
17437 transport layer.
17438 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
17439 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
17440 activated with "tune.ssl.keylog on" in the global section. See also
17441 "tune.ssl.keylog"
17442
17443ssl_fc_server_traffic_secret_0 : string
17444 Return the SERVER_TRAFFIC_SECRET_0 as an hexadecimal string for the
17445 front connection when the incoming connection was made over an TLS 1.3
17446 transport layer.
17447 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
17448 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
17449 activated with "tune.ssl.keylog on" in the global section. See also
17450 "tune.ssl.keylog"
17451
Patrick Hemmer65674662019-06-04 08:13:03 -040017452ssl_fc_server_random : binary
17453 Returns the server random of the front connection when the incoming connection
17454 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
17455 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
17456
Willy Tarreau74ca5042013-06-11 23:12:07 +020017457ssl_fc_session_id : binary
17458 Returns the SSL ID of the front connection when the incoming connection was
17459 made over an SSL/TLS transport layer. It is useful to stick a given client to
17460 a server. It is important to note that some browsers refresh their session ID
17461 every few minutes.
Willy Tarreau7875d092012-09-10 08:20:03 +020017462
Patrick Hemmere0275472018-04-28 19:15:51 -040017463ssl_fc_session_key : binary
17464 Returns the SSL session master key of the front connection when the incoming
17465 connection was made over an SSL/TLS transport layer. It is useful to decrypt
17466 traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
17467 BoringSSL.
17468
17469
Willy Tarreau74ca5042013-06-11 23:12:07 +020017470ssl_fc_sni : string
17471 This extracts the Server Name Indication TLS extension (SNI) field from an
17472 incoming connection made via an SSL/TLS transport layer and locally
17473 deciphered by haproxy. The result (when present) typically is a string
17474 matching the HTTPS host name (253 chars or less). The SSL library must have
17475 been built with support for TLS extensions enabled (check haproxy -vv).
17476
17477 This fetch is different from "req_ssl_sni" above in that it applies to the
17478 connection being deciphered by haproxy and not to SSL contents being blindly
17479 forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
John Roeslerfb2fce12019-07-10 15:45:51 -050017480 requires that the SSL library is built with support for TLS extensions
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +020017481 enabled (check haproxy -vv).
Willy Tarreau62644772008-07-16 18:36:06 +020017482
Willy Tarreau74ca5042013-06-11 23:12:07 +020017483 ACL derivatives :
Willy Tarreau74ca5042013-06-11 23:12:07 +020017484 ssl_fc_sni_end : suffix match
17485 ssl_fc_sni_reg : regex match
Emeric Brun589fcad2012-10-16 14:13:26 +020017486
Willy Tarreau74ca5042013-06-11 23:12:07 +020017487ssl_fc_use_keysize : integer
17488 Returns the symmetric cipher key size used in bits when the incoming
17489 connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020017490
William Lallemandbfa3e812020-06-25 20:07:18 +020017491ssl_s_der : binary
17492 Returns the DER formatted certificate presented by the server when the
17493 outgoing connection was made over an SSL/TLS transport layer. When used for
17494 an ACL, the value(s) to match against can be passed in hexadecimal form.
17495
William Dauchya598b502020-08-06 18:11:38 +020017496ssl_s_chain_der : binary
17497 Returns the DER formatted chain certificate presented by the server when the
17498 outgoing connection was made over an SSL/TLS transport layer. When used for
17499 an ACL, the value(s) to match against can be passed in hexadecimal form. One
17500 can parse the result with any lib accepting ASN.1 DER data. It currentlly
17501 does not support resumed sessions.
17502
William Lallemandbfa3e812020-06-25 20:07:18 +020017503ssl_s_key_alg : string
17504 Returns the name of the algorithm used to generate the key of the certificate
17505 presented by the server when the outgoing connection was made over an
17506 SSL/TLS transport layer.
17507
17508ssl_s_notafter : string
17509 Returns the end date presented by the server as a formatted string
17510 YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS
17511 transport layer.
17512
17513ssl_s_notbefore : string
17514 Returns the start date presented by the server as a formatted string
17515 YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS
17516 transport layer.
17517
17518ssl_s_i_dn([<entry>[,<occ>[,<format>]]]) : string
17519 When the outgoing connection was made over an SSL/TLS transport layer,
17520 returns the full distinguished name of the issuer of the certificate
17521 presented by the server when no <entry> is specified, or the value of the
17522 first given entry found from the beginning of the DN. If a positive/negative
17523 occurrence number is specified as the optional second argument, it returns
17524 the value of the nth given entry value from the beginning/end of the DN.
William Lallemand8f600c82020-06-26 09:55:06 +020017525 For instance, "ssl_s_i_dn(OU,2)" the second organization unit, and
17526 "ssl_s_i_dn(CN)" retrieves the common name.
William Lallemandbfa3e812020-06-25 20:07:18 +020017527 The <format> parameter allows you to receive the DN suitable for
17528 consumption by different protocols. Currently supported is rfc2253 for
17529 LDAP v3.
17530 If you'd like to modify the format only you can specify an empty string
17531 and zero for the first two parameters. Example: ssl_s_i_dn(,0,rfc2253)
17532
17533ssl_s_s_dn([<entry>[,<occ>[,<format>]]]) : string
17534 When the outgoing connection was made over an SSL/TLS transport layer,
17535 returns the full distinguished name of the subject of the certificate
17536 presented by the server when no <entry> is specified, or the value of the
17537 first given entry found from the beginning of the DN. If a positive/negative
17538 occurrence number is specified as the optional second argument, it returns
17539 the value of the nth given entry value from the beginning/end of the DN.
William Lallemand8f600c82020-06-26 09:55:06 +020017540 For instance, "ssl_s_s_dn(OU,2)" the second organization unit, and
17541 "ssl_s_s_dn(CN)" retrieves the common name.
William Lallemandbfa3e812020-06-25 20:07:18 +020017542 The <format> parameter allows you to receive the DN suitable for
17543 consumption by different protocols. Currently supported is rfc2253 for
17544 LDAP v3.
17545 If you'd like to modify the format only you can specify an empty string
17546 and zero for the first two parameters. Example: ssl_s_s_dn(,0,rfc2253)
17547
17548ssl_s_serial : binary
17549 Returns the serial of the certificate presented by the server when the
17550 outgoing connection was made over an SSL/TLS transport layer. When used for
17551 an ACL, the value(s) to match against can be passed in hexadecimal form.
17552
17553ssl_s_sha1 : binary
17554 Returns the SHA-1 fingerprint of the certificate presented by the server
17555 when the outgoing connection was made over an SSL/TLS transport layer. This
17556 can be used to know which certificate was chosen using SNI.
17557
17558ssl_s_sig_alg : string
17559 Returns the name of the algorithm used to sign the certificate presented by
17560 the server when the outgoing connection was made over an SSL/TLS transport
17561 layer.
17562
17563ssl_s_version : integer
17564 Returns the version of the certificate presented by the server when the
17565 outgoing connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020017566
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200175677.3.5. Fetching samples from buffer contents (Layer 6)
Willy Tarreau74ca5042013-06-11 23:12:07 +020017568------------------------------------------------------
Willy Tarreaub6fb4202008-07-20 11:18:28 +020017569
Willy Tarreau74ca5042013-06-11 23:12:07 +020017570Fetching samples from buffer contents is a bit different from the previous
17571sample fetches above because the sampled data are ephemeral. These data can
17572only be used when they're available and will be lost when they're forwarded.
17573For this reason, samples fetched from buffer contents during a request cannot
17574be used in a response for example. Even while the data are being fetched, they
17575can change. Sometimes it is necessary to set some delays or combine multiple
17576sample fetch methods to ensure that the expected data are complete and usable,
17577for example through TCP request content inspection. Please see the "tcp-request
17578content" keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +020017579
Willy Tarreau74ca5042013-06-11 23:12:07 +020017580payload(<offset>,<length>) : binary (deprecated)
Davor Ocelice9ed2812017-12-25 17:49:28 +010017581 This is an alias for "req.payload" when used in the context of a request (e.g.
Willy Tarreau74ca5042013-06-11 23:12:07 +020017582 "stick on", "stick match"), and for "res.payload" when used in the context of
17583 a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010017584
Willy Tarreau74ca5042013-06-11 23:12:07 +020017585payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated)
17586 This is an alias for "req.payload_lv" when used in the context of a request
Davor Ocelice9ed2812017-12-25 17:49:28 +010017587 (e.g. "stick on", "stick match"), and for "res.payload_lv" when used in the
Willy Tarreau74ca5042013-06-11 23:12:07 +020017588 context of a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010017589
Thierry FOURNIERd7d88812017-04-19 15:15:14 +020017590req.hdrs : string
17591 Returns the current request headers as string including the last empty line
17592 separating headers from the request body. The last empty line can be used to
17593 detect a truncated header block. This sample fetch is useful for some SPOE
17594 headers analyzers and for advanced logging.
17595
Thierry FOURNIER5617dce2017-04-09 05:38:19 +020017596req.hdrs_bin : binary
17597 Returns the current request headers contained in preparsed binary form. This
17598 is useful for offloading some processing with SPOE. Each string is described
17599 by a length followed by the number of bytes indicated in the length. The
17600 length is represented using the variable integer encoding detailed in the
17601 SPOE documentation. The end of the list is marked by a couple of empty header
17602 names and values (length of 0 for both).
17603
17604 *(<str:header-name><str:header-value>)<empty string><empty string>
17605
17606 int: refer to the SPOE documentation for the encoding
17607 str: <int:length><bytes>
17608
Willy Tarreau74ca5042013-06-11 23:12:07 +020017609req.len : integer
17610req_len : integer (deprecated)
17611 Returns an integer value corresponding to the number of bytes present in the
17612 request buffer. This is mostly used in ACL. It is important to understand
17613 that this test does not return false as long as the buffer is changing. This
17614 means that a check with equality to zero will almost always immediately match
17615 at the beginning of the session, while a test for more data will wait for
17616 that data to come in and return false only when haproxy is certain that no
17617 more data will come in. This test was designed to be used with TCP request
17618 content inspection.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017619
Willy Tarreau74ca5042013-06-11 23:12:07 +020017620req.payload(<offset>,<length>) : binary
17621 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020017622 in the request buffer. As a special case, if the <length> argument is zero,
17623 the the whole buffer from <offset> to the end is extracted. This can be used
17624 with ACLs in order to check for the presence of some content in a buffer at
17625 any location.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017626
Willy Tarreau74ca5042013-06-11 23:12:07 +020017627 ACL alternatives :
17628 payload(<offset>,<length>) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017629
Willy Tarreau74ca5042013-06-11 23:12:07 +020017630req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
17631 This extracts a binary block whose size is specified at <offset1> for <length>
17632 bytes, and which starts at <offset2> if specified or just after the length in
17633 the request buffer. The <offset2> parameter also supports relative offsets if
17634 prepended with a '+' or '-' sign.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017635
Willy Tarreau74ca5042013-06-11 23:12:07 +020017636 ACL alternatives :
17637 payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017638
Willy Tarreau74ca5042013-06-11 23:12:07 +020017639 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017640
Willy Tarreau74ca5042013-06-11 23:12:07 +020017641req.proto_http : boolean
17642req_proto_http : boolean (deprecated)
17643 Returns true when data in the request buffer look like HTTP and correctly
17644 parses as such. It is the same parser as the common HTTP request parser which
17645 is used so there should be no surprises. The test does not match until the
17646 request is complete, failed or timed out. This test may be used to report the
17647 protocol in TCP logs, but the biggest use is to block TCP request analysis
17648 until a complete HTTP request is present in the buffer, for example to track
17649 a header.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017650
Willy Tarreau74ca5042013-06-11 23:12:07 +020017651 Example:
17652 # track request counts per "base" (concatenation of Host+URL)
17653 tcp-request inspect-delay 10s
17654 tcp-request content reject if !HTTP
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020017655 tcp-request content track-sc0 base table req-rate
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020017656
Willy Tarreau74ca5042013-06-11 23:12:07 +020017657req.rdp_cookie([<name>]) : string
17658rdp_cookie([<name>]) : string (deprecated)
17659 When the request buffer looks like the RDP protocol, extracts the RDP cookie
17660 <name>, or any cookie if unspecified. The parser only checks for the first
17661 cookie, as illustrated in the RDP protocol specification. The cookie name is
17662 case insensitive. Generally the "MSTS" cookie name will be used, as it can
17663 contain the user name of the client connecting to the server if properly
17664 configured on the client. The "MSTSHASH" cookie is often used as well for
17665 session stickiness to servers.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017666
Willy Tarreau74ca5042013-06-11 23:12:07 +020017667 This differs from "balance rdp-cookie" in that any balancing algorithm may be
17668 used and thus the distribution of clients to backend servers is not linked to
17669 a hash of the RDP cookie. It is envisaged that using a balancing algorithm
17670 such as "balance roundrobin" or "balance leastconn" will lead to a more even
17671 distribution of clients to backend servers than the hash used by "balance
17672 rdp-cookie".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017673
Willy Tarreau74ca5042013-06-11 23:12:07 +020017674 ACL derivatives :
17675 req_rdp_cookie([<name>]) : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017676
Willy Tarreau74ca5042013-06-11 23:12:07 +020017677 Example :
17678 listen tse-farm
17679 bind 0.0.0.0:3389
17680 # wait up to 5s for an RDP cookie in the request
17681 tcp-request inspect-delay 5s
17682 tcp-request content accept if RDP_COOKIE
17683 # apply RDP cookie persistence
17684 persist rdp-cookie
17685 # Persist based on the mstshash cookie
17686 # This is only useful makes sense if
17687 # balance rdp-cookie is not used
17688 stick-table type string size 204800
17689 stick on req.rdp_cookie(mstshash)
17690 server srv1 1.1.1.1:3389
17691 server srv1 1.1.1.2:3389
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017692
Willy Tarreau74ca5042013-06-11 23:12:07 +020017693 See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
17694 "req_rdp_cookie" ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017695
Willy Tarreau74ca5042013-06-11 23:12:07 +020017696req.rdp_cookie_cnt([name]) : integer
17697rdp_cookie_cnt([name]) : integer (deprecated)
17698 Tries to parse the request buffer as RDP protocol, then returns an integer
17699 corresponding to the number of RDP cookies found. If an optional cookie name
17700 is passed, only cookies matching this name are considered. This is mostly
17701 used in ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017702
Willy Tarreau74ca5042013-06-11 23:12:07 +020017703 ACL derivatives :
17704 req_rdp_cookie_cnt([<name>]) : integer match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017705
Alex Zorin4afdd132018-12-30 13:56:28 +110017706req.ssl_alpn : string
17707 Returns a string containing the values of the Application-Layer Protocol
17708 Negotiation (ALPN) TLS extension (RFC7301), sent by the client within the SSL
17709 ClientHello message. Note that this only applies to raw contents found in the
17710 request buffer and not to the contents deciphered via an SSL data layer, so
17711 this will not work with "bind" lines having the "ssl" option. This is useful
17712 in ACL to make a routing decision based upon the ALPN preferences of a TLS
Jarno Huuskonene504f812019-01-03 07:56:49 +020017713 client, like in the example below. See also "ssl_fc_alpn".
Alex Zorin4afdd132018-12-30 13:56:28 +110017714
17715 Examples :
17716 # Wait for a client hello for at most 5 seconds
17717 tcp-request inspect-delay 5s
17718 tcp-request content accept if { req_ssl_hello_type 1 }
Jarno Huuskonene504f812019-01-03 07:56:49 +020017719 use_backend bk_acme if { req.ssl_alpn acme-tls/1 }
Alex Zorin4afdd132018-12-30 13:56:28 +110017720 default_backend bk_default
17721
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +020017722req.ssl_ec_ext : boolean
17723 Returns a boolean identifying if client sent the Supported Elliptic Curves
17724 Extension as defined in RFC4492, section 5.1. within the SSL ClientHello
Cyril Bonté307ee1e2015-09-28 23:16:06 +020017725 message. This can be used to present ECC compatible clients with EC
17726 certificate and to use RSA for all others, on the same IP address. Note that
17727 this only applies to raw contents found in the request buffer and not to
17728 contents deciphered via an SSL data layer, so this will not work with "bind"
17729 lines having the "ssl" option.
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +020017730
Willy Tarreau74ca5042013-06-11 23:12:07 +020017731req.ssl_hello_type : integer
17732req_ssl_hello_type : integer (deprecated)
17733 Returns an integer value containing the type of the SSL hello message found
17734 in the request buffer if the buffer contains data that parse as a complete
17735 SSL (v3 or superior) client hello message. Note that this only applies to raw
17736 contents found in the request buffer and not to contents deciphered via an
17737 SSL data layer, so this will not work with "bind" lines having the "ssl"
17738 option. This is mostly used in ACL to detect presence of an SSL hello message
17739 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017740
Willy Tarreau74ca5042013-06-11 23:12:07 +020017741req.ssl_sni : string
17742req_ssl_sni : string (deprecated)
17743 Returns a string containing the value of the Server Name TLS extension sent
17744 by a client in a TLS stream passing through the request buffer if the buffer
17745 contains data that parse as a complete SSL (v3 or superior) client hello
17746 message. Note that this only applies to raw contents found in the request
17747 buffer and not to contents deciphered via an SSL data layer, so this will not
Lukas Tribusa267b5d2020-07-19 00:25:06 +020017748 work with "bind" lines having the "ssl" option. This will only work for actual
17749 implicit TLS based protocols like HTTPS (443), IMAPS (993), SMTPS (465),
17750 however it will not work for explicit TLS based protocols, like SMTP (25/587)
17751 or IMAP (143). SNI normally contains the name of the host the client tries to
17752 connect to (for recent browsers). SNI is useful for allowing or denying access
17753 to certain hosts when SSL/TLS is used by the client. This test was designed to
17754 be used with TCP request content inspection. If content switching is needed,
17755 it is recommended to first wait for a complete client hello (type 1), like in
17756 the example below. See also "ssl_fc_sni".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017757
Willy Tarreau74ca5042013-06-11 23:12:07 +020017758 ACL derivatives :
17759 req_ssl_sni : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017760
Willy Tarreau74ca5042013-06-11 23:12:07 +020017761 Examples :
17762 # Wait for a client hello for at most 5 seconds
17763 tcp-request inspect-delay 5s
17764 tcp-request content accept if { req_ssl_hello_type 1 }
17765 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
17766 default_backend bk_sorry_page
Willy Tarreau04aa6a92012-04-06 18:57:55 +020017767
Pradeep Jindalbb2acf52015-09-29 10:12:57 +053017768req.ssl_st_ext : integer
17769 Returns 0 if the client didn't send a SessionTicket TLS Extension (RFC5077)
17770 Returns 1 if the client sent SessionTicket TLS Extension
17771 Returns 2 if the client also sent non-zero length TLS SessionTicket
17772 Note that this only applies to raw contents found in the request buffer and
17773 not to contents deciphered via an SSL data layer, so this will not work with
17774 "bind" lines having the "ssl" option. This can for example be used to detect
17775 whether the client sent a SessionTicket or not and stick it accordingly, if
17776 no SessionTicket then stick on SessionID or don't stick as there's no server
17777 side state is there when SessionTickets are in use.
17778
Willy Tarreau74ca5042013-06-11 23:12:07 +020017779req.ssl_ver : integer
17780req_ssl_ver : integer (deprecated)
17781 Returns an integer value containing the version of the SSL/TLS protocol of a
17782 stream present in the request buffer. Both SSLv2 hello messages and SSLv3
17783 messages are supported. TLSv1 is announced as SSL version 3.1. The value is
17784 composed of the major version multiplied by 65536, added to the minor
17785 version. Note that this only applies to raw contents found in the request
17786 buffer and not to contents deciphered via an SSL data layer, so this will not
17787 work with "bind" lines having the "ssl" option. The ACL version of the test
Davor Ocelice9ed2812017-12-25 17:49:28 +010017788 matches against a decimal notation in the form MAJOR.MINOR (e.g. 3.1). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020017789 fetch is mostly used in ACL.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017790
Willy Tarreau74ca5042013-06-11 23:12:07 +020017791 ACL derivatives :
17792 req_ssl_ver : decimal match
Willy Tarreaud63335a2010-02-26 12:56:52 +010017793
Willy Tarreau47e8eba2013-09-11 23:28:46 +020017794res.len : integer
17795 Returns an integer value corresponding to the number of bytes present in the
17796 response buffer. This is mostly used in ACL. It is important to understand
17797 that this test does not return false as long as the buffer is changing. This
17798 means that a check with equality to zero will almost always immediately match
17799 at the beginning of the session, while a test for more data will wait for
17800 that data to come in and return false only when haproxy is certain that no
17801 more data will come in. This test was designed to be used with TCP response
Christopher Faulete596d182020-05-05 17:46:34 +020017802 content inspection. But it may also be used in tcp-check based expect rules.
Willy Tarreau47e8eba2013-09-11 23:28:46 +020017803
Willy Tarreau74ca5042013-06-11 23:12:07 +020017804res.payload(<offset>,<length>) : binary
17805 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020017806 in the response buffer. As a special case, if the <length> argument is zero,
Christopher Faulete596d182020-05-05 17:46:34 +020017807 the whole buffer from <offset> to the end is extracted. This can be used
Willy Tarreau00f00842013-08-02 11:07:32 +020017808 with ACLs in order to check for the presence of some content in a buffer at
Christopher Faulete596d182020-05-05 17:46:34 +020017809 any location. It may also be used in tcp-check based expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017810
Willy Tarreau74ca5042013-06-11 23:12:07 +020017811res.payload_lv(<offset1>,<length>[,<offset2>]) : binary
17812 This extracts a binary block whose size is specified at <offset1> for <length>
17813 bytes, and which starts at <offset2> if specified or just after the length in
17814 the response buffer. The <offset2> parameter also supports relative offsets
Christopher Faulete596d182020-05-05 17:46:34 +020017815 if prepended with a '+' or '-' sign. It may also be used in tcp-check based
17816 expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017817
Willy Tarreau74ca5042013-06-11 23:12:07 +020017818 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017819
Willy Tarreau971f7b62015-09-29 14:06:59 +020017820res.ssl_hello_type : integer
17821rep_ssl_hello_type : integer (deprecated)
17822 Returns an integer value containing the type of the SSL hello message found
17823 in the response buffer if the buffer contains data that parses as a complete
17824 SSL (v3 or superior) hello message. Note that this only applies to raw
17825 contents found in the response buffer and not to contents deciphered via an
17826 SSL data layer, so this will not work with "server" lines having the "ssl"
17827 option. This is mostly used in ACL to detect presence of an SSL hello message
17828 that is supposed to contain an SSL session ID usable for stickiness.
17829
Willy Tarreau74ca5042013-06-11 23:12:07 +020017830wait_end : boolean
17831 This fetch either returns true when the inspection period is over, or does
17832 not fetch. It is only used in ACLs, in conjunction with content analysis to
Davor Ocelice9ed2812017-12-25 17:49:28 +010017833 avoid returning a wrong verdict early. It may also be used to delay some
Willy Tarreau74ca5042013-06-11 23:12:07 +020017834 actions, such as a delayed reject for some special addresses. Since it either
17835 stops the rules evaluation or immediately returns true, it is recommended to
Davor Ocelice9ed2812017-12-25 17:49:28 +010017836 use this acl as the last one in a rule. Please note that the default ACL
Willy Tarreau74ca5042013-06-11 23:12:07 +020017837 "WAIT_END" is always usable without prior declaration. This test was designed
17838 to be used with TCP request content inspection.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017839
Willy Tarreau74ca5042013-06-11 23:12:07 +020017840 Examples :
17841 # delay every incoming request by 2 seconds
17842 tcp-request inspect-delay 2s
17843 tcp-request content accept if WAIT_END
Willy Tarreaud63335a2010-02-26 12:56:52 +010017844
Willy Tarreau74ca5042013-06-11 23:12:07 +020017845 # don't immediately tell bad guys they are rejected
17846 tcp-request inspect-delay 10s
17847 acl goodguys src 10.0.0.0/24
17848 acl badguys src 10.0.1.0/24
17849 tcp-request content accept if goodguys
17850 tcp-request content reject if badguys WAIT_END
17851 tcp-request content reject
17852
17853
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200178547.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +020017855--------------------------------------
17856
17857It is possible to fetch samples from HTTP contents, requests and responses.
17858This application layer is also called layer 7. It is only possible to fetch the
17859data in this section when a full HTTP request or response has been parsed from
17860its respective request or response buffer. This is always the case with all
17861HTTP specific rules and for sections running with "mode http". When using TCP
17862content inspection, it may be necessary to support an inspection delay in order
17863to let the request or response come in first. These fetches may require a bit
17864more CPU resources than the layer 4 ones, but not much since the request and
17865response are indexed.
17866
17867base : string
17868 This returns the concatenation of the first Host header and the path part of
17869 the request, which starts at the first slash and ends before the question
17870 mark. It can be useful in virtual hosted environments to detect URL abuses as
17871 well as to improve shared caches efficiency. Using this with a limited size
17872 stick table also allows one to collect statistics about most commonly
17873 requested objects by host/path. With ACLs it can allow simple content
17874 switching rules involving the host and the path at the same time, such as
17875 "www.example.com/favicon.ico". See also "path" and "uri".
17876
17877 ACL derivatives :
17878 base : exact string match
17879 base_beg : prefix match
17880 base_dir : subdir match
17881 base_dom : domain match
17882 base_end : suffix match
17883 base_len : length match
17884 base_reg : regex match
17885 base_sub : substring match
17886
17887base32 : integer
17888 This returns a 32-bit hash of the value returned by the "base" fetch method
17889 above. This is useful to track per-URL activity on high traffic sites without
17890 having to store all URLs. Instead a shorter hash is stored, saving a lot of
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020017891 memory. The output type is an unsigned integer. The hash function used is
17892 SDBM with full avalanche on the output. Technically, base32 is exactly equal
17893 to "base,sdbm(1)".
Willy Tarreau74ca5042013-06-11 23:12:07 +020017894
17895base32+src : binary
17896 This returns the concatenation of the base32 fetch above and the src fetch
17897 below. The resulting type is of type binary, with a size of 8 or 20 bytes
17898 depending on the source address family. This can be used to track per-IP,
17899 per-URL counters.
17900
William Lallemand65ad6e12014-01-31 15:08:02 +010017901capture.req.hdr(<idx>) : string
17902 This extracts the content of the header captured by the "capture request
17903 header", idx is the position of the capture keyword in the configuration.
17904 The first entry is an index of 0. See also: "capture request header".
17905
17906capture.req.method : string
17907 This extracts the METHOD of an HTTP request. It can be used in both request
17908 and response. Unlike "method", it can be used in both request and response
17909 because it's allocated.
17910
17911capture.req.uri : string
17912 This extracts the request's URI, which starts at the first slash and ends
17913 before the first space in the request (without the host part). Unlike "path"
17914 and "url", it can be used in both request and response because it's
17915 allocated.
17916
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020017917capture.req.ver : string
17918 This extracts the request's HTTP version and returns either "HTTP/1.0" or
17919 "HTTP/1.1". Unlike "req.ver", it can be used in both request, response, and
17920 logs because it relies on a persistent flag.
17921
William Lallemand65ad6e12014-01-31 15:08:02 +010017922capture.res.hdr(<idx>) : string
17923 This extracts the content of the header captured by the "capture response
17924 header", idx is the position of the capture keyword in the configuration.
17925 The first entry is an index of 0.
17926 See also: "capture response header"
17927
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020017928capture.res.ver : string
17929 This extracts the response's HTTP version and returns either "HTTP/1.0" or
17930 "HTTP/1.1". Unlike "res.ver", it can be used in logs because it relies on a
17931 persistent flag.
17932
Willy Tarreaua5910cc2015-05-02 00:46:08 +020017933req.body : binary
Christopher Fauletaf4dc4c2020-05-05 17:33:25 +020017934 This returns the HTTP request's available body as a block of data. It is
17935 recommended to use "option http-buffer-request" to be sure to wait, as much
17936 as possible, for the request's body.
Willy Tarreaua5910cc2015-05-02 00:46:08 +020017937
Thierry FOURNIER9826c772015-05-20 15:50:54 +020017938req.body_param([<name>) : string
17939 This fetch assumes that the body of the POST request is url-encoded. The user
17940 can check if the "content-type" contains the value
17941 "application/x-www-form-urlencoded". This extracts the first occurrence of the
17942 parameter <name> in the body, which ends before '&'. The parameter name is
17943 case-sensitive. If no name is given, any parameter will match, and the first
17944 one will be returned. The result is a string corresponding to the value of the
17945 parameter <name> as presented in the request body (no URL decoding is
17946 performed). Note that the ACL version of this fetch iterates over multiple
17947 parameters and will iteratively report all parameters values if no name is
17948 given.
17949
Willy Tarreaua5910cc2015-05-02 00:46:08 +020017950req.body_len : integer
17951 This returns the length of the HTTP request's available body in bytes. It may
17952 be lower than the advertised length if the body is larger than the buffer. It
Christopher Fauletaf4dc4c2020-05-05 17:33:25 +020017953 is recommended to use "option http-buffer-request" to be sure to wait, as
17954 much as possible, for the request's body.
Willy Tarreaua5910cc2015-05-02 00:46:08 +020017955
17956req.body_size : integer
17957 This returns the advertised length of the HTTP request's body in bytes. It
Christopher Fauletaf4dc4c2020-05-05 17:33:25 +020017958 will represent the advertised Content-Length header, or the size of the
17959 available data in case of chunked encoding.
Willy Tarreaua5910cc2015-05-02 00:46:08 +020017960
Willy Tarreau74ca5042013-06-11 23:12:07 +020017961req.cook([<name>]) : string
17962cook([<name>]) : string (deprecated)
17963 This extracts the last occurrence of the cookie name <name> on a "Cookie"
17964 header line from the request, and returns its value as string. If no name is
17965 specified, the first cookie value is returned. When used with ACLs, all
17966 matching cookies are evaluated. Spaces around the name and the value are
17967 ignored as requested by the Cookie header specification (RFC6265). The cookie
17968 name is case-sensitive. Empty cookies are valid, so an empty cookie may very
17969 well return an empty value if it is present. Use the "found" match to detect
17970 presence. Use the res.cook() variant for response cookies sent by the server.
17971
17972 ACL derivatives :
17973 cook([<name>]) : exact string match
17974 cook_beg([<name>]) : prefix match
17975 cook_dir([<name>]) : subdir match
17976 cook_dom([<name>]) : domain match
17977 cook_end([<name>]) : suffix match
17978 cook_len([<name>]) : length match
17979 cook_reg([<name>]) : regex match
17980 cook_sub([<name>]) : substring match
Willy Tarreaud63335a2010-02-26 12:56:52 +010017981
Willy Tarreau74ca5042013-06-11 23:12:07 +020017982req.cook_cnt([<name>]) : integer
17983cook_cnt([<name>]) : integer (deprecated)
17984 Returns an integer value representing the number of occurrences of the cookie
17985 <name> in the request, or all cookies if <name> is not specified.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017986
Willy Tarreau74ca5042013-06-11 23:12:07 +020017987req.cook_val([<name>]) : integer
17988cook_val([<name>]) : integer (deprecated)
17989 This extracts the last occurrence of the cookie name <name> on a "Cookie"
17990 header line from the request, and converts its value to an integer which is
17991 returned. If no name is specified, the first cookie value is returned. When
17992 used in ACLs, all matching names are iterated over until a value matches.
Willy Tarreau0e698542011-09-16 08:32:32 +020017993
Willy Tarreau74ca5042013-06-11 23:12:07 +020017994cookie([<name>]) : string (deprecated)
17995 This extracts the last occurrence of the cookie name <name> on a "Cookie"
17996 header line from the request, or a "Set-Cookie" header from the response, and
17997 returns its value as a string. A typical use is to get multiple clients
17998 sharing a same profile use the same server. This can be similar to what
Willy Tarreau294d0f02015-08-10 19:40:12 +020017999 "appsession" did with the "request-learn" statement, but with support for
Willy Tarreau74ca5042013-06-11 23:12:07 +020018000 multi-peer synchronization and state keeping across restarts. If no name is
18001 specified, the first cookie value is returned. This fetch should not be used
18002 anymore and should be replaced by req.cook() or res.cook() instead as it
18003 ambiguously uses the direction based on the context where it is used.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018004
Willy Tarreau74ca5042013-06-11 23:12:07 +020018005hdr([<name>[,<occ>]]) : string
18006 This is equivalent to req.hdr() when used on requests, and to res.hdr() when
18007 used on responses. Please refer to these respective fetches for more details.
18008 In case of doubt about the fetch direction, please use the explicit ones.
18009 Note that contrary to the hdr() sample fetch method, the hdr_* ACL keywords
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030018010 unambiguously apply to the request headers.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018011
Willy Tarreau74ca5042013-06-11 23:12:07 +020018012req.fhdr(<name>[,<occ>]) : string
18013 This extracts the last occurrence of header <name> in an HTTP request. When
18014 used from an ACL, all occurrences are iterated over until a match is found.
18015 Optionally, a specific occurrence might be specified as a position number.
18016 Positive values indicate a position from the first occurrence, with 1 being
18017 the first one. Negative values indicate positions relative to the last one,
18018 with -1 being the last one. It differs from req.hdr() in that any commas
18019 present in the value are returned and are not used as delimiters. This is
18020 sometimes useful with headers such as User-Agent.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018021
Willy Tarreau74ca5042013-06-11 23:12:07 +020018022req.fhdr_cnt([<name>]) : integer
18023 Returns an integer value representing the number of occurrences of request
18024 header field name <name>, or the total number of header fields if <name> is
18025 not specified. Contrary to its req.hdr_cnt() cousin, this function returns
18026 the number of full line headers and does not stop on commas.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018027
Willy Tarreau74ca5042013-06-11 23:12:07 +020018028req.hdr([<name>[,<occ>]]) : string
18029 This extracts the last occurrence of header <name> in an HTTP request. When
18030 used from an ACL, all occurrences are iterated over until a match is found.
18031 Optionally, a specific occurrence might be specified as a position number.
18032 Positive values indicate a position from the first occurrence, with 1 being
18033 the first one. Negative values indicate positions relative to the last one,
18034 with -1 being the last one. A typical use is with the X-Forwarded-For header
18035 once converted to IP, associated with an IP stick-table. The function
18036 considers any comma as a delimiter for distinct values. If full-line headers
Lukas Tribus23953682017-04-28 13:24:30 +000018037 are desired instead, use req.fhdr(). Please carefully check RFC7231 to know
Willy Tarreau74ca5042013-06-11 23:12:07 +020018038 how certain headers are supposed to be parsed. Also, some of them are case
Davor Ocelice9ed2812017-12-25 17:49:28 +010018039 insensitive (e.g. Connection).
Willy Tarreaud63335a2010-02-26 12:56:52 +010018040
Willy Tarreau74ca5042013-06-11 23:12:07 +020018041 ACL derivatives :
18042 hdr([<name>[,<occ>]]) : exact string match
18043 hdr_beg([<name>[,<occ>]]) : prefix match
18044 hdr_dir([<name>[,<occ>]]) : subdir match
18045 hdr_dom([<name>[,<occ>]]) : domain match
18046 hdr_end([<name>[,<occ>]]) : suffix match
18047 hdr_len([<name>[,<occ>]]) : length match
18048 hdr_reg([<name>[,<occ>]]) : regex match
18049 hdr_sub([<name>[,<occ>]]) : substring match
18050
18051req.hdr_cnt([<name>]) : integer
18052hdr_cnt([<header>]) : integer (deprecated)
18053 Returns an integer value representing the number of occurrences of request
18054 header field name <name>, or the total number of header field values if
18055 <name> is not specified. It is important to remember that one header line may
18056 count as several headers if it has several values. The function considers any
18057 comma as a delimiter for distinct values. If full-line headers are desired
18058 instead, req.fhdr_cnt() should be used instead. With ACLs, it can be used to
18059 detect presence, absence or abuse of a specific header, as well as to block
18060 request smuggling attacks by rejecting requests which contain more than one
18061 of certain headers. See "req.hdr" for more information on header matching.
18062
18063req.hdr_ip([<name>[,<occ>]]) : ip
18064hdr_ip([<name>[,<occ>]]) : ip (deprecated)
18065 This extracts the last occurrence of header <name> in an HTTP request,
18066 converts it to an IPv4 or IPv6 address and returns this address. When used
18067 with ACLs, all occurrences are checked, and if <name> is omitted, every value
18068 of every header is checked. Optionally, a specific occurrence might be
18069 specified as a position number. Positive values indicate a position from the
Davor Ocelice9ed2812017-12-25 17:49:28 +010018070 first occurrence, with 1 being the first one. Negative values indicate
Willy Tarreau74ca5042013-06-11 23:12:07 +020018071 positions relative to the last one, with -1 being the last one. A typical use
18072 is with the X-Forwarded-For and X-Client-IP headers.
18073
18074req.hdr_val([<name>[,<occ>]]) : integer
18075hdr_val([<name>[,<occ>]]) : integer (deprecated)
18076 This extracts the last occurrence of header <name> in an HTTP request, and
18077 converts it to an integer value. When used with ACLs, all occurrences are
18078 checked, and if <name> is omitted, every value of every header is checked.
18079 Optionally, a specific occurrence might be specified as a position number.
18080 Positive values indicate a position from the first occurrence, with 1 being
18081 the first one. Negative values indicate positions relative to the last one,
18082 with -1 being the last one. A typical use is with the X-Forwarded-For header.
18083
Frédéric Lécailleec891192019-02-26 15:02:35 +010018084
18085
Willy Tarreau74ca5042013-06-11 23:12:07 +020018086http_auth(<userlist>) : boolean
18087 Returns a boolean indicating whether the authentication data received from
18088 the client match a username & password stored in the specified userlist. This
18089 fetch function is not really useful outside of ACLs. Currently only http
18090 basic auth is supported.
18091
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010018092http_auth_group(<userlist>) : string
18093 Returns a string corresponding to the user name found in the authentication
18094 data received from the client if both the user name and password are valid
18095 according to the specified userlist. The main purpose is to use it in ACLs
18096 where it is then checked whether the user belongs to any group within a list.
Willy Tarreau74ca5042013-06-11 23:12:07 +020018097 This fetch function is not really useful outside of ACLs. Currently only http
18098 basic auth is supported.
18099
18100 ACL derivatives :
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010018101 http_auth_group(<userlist>) : group ...
18102 Returns true when the user extracted from the request and whose password is
18103 valid according to the specified userlist belongs to at least one of the
18104 groups.
Willy Tarreau74ca5042013-06-11 23:12:07 +020018105
Christopher Fauleta4063562019-08-02 11:51:37 +020018106http_auth_pass : string
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +010018107 Returns the user's password found in the authentication data received from
18108 the client, as supplied in the Authorization header. Not checks are
18109 performed by this sample fetch. Only Basic authentication is supported.
Christopher Fauleta4063562019-08-02 11:51:37 +020018110
18111http_auth_type : string
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +010018112 Returns the authentication method found in the authentication data received from
18113 the client, as supplied in the Authorization header. Not checks are
18114 performed by this sample fetch. Only Basic authentication is supported.
Christopher Fauleta4063562019-08-02 11:51:37 +020018115
18116http_auth_user : string
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +010018117 Returns the user name found in the authentication data received from the
18118 client, as supplied in the Authorization header. Not checks are performed by
18119 this sample fetch. Only Basic authentication is supported.
Christopher Fauleta4063562019-08-02 11:51:37 +020018120
Willy Tarreau74ca5042013-06-11 23:12:07 +020018121http_first_req : boolean
Willy Tarreau7f18e522010-10-22 20:04:13 +020018122 Returns true when the request being processed is the first one of the
18123 connection. This can be used to add or remove headers that may be missing
Willy Tarreau74ca5042013-06-11 23:12:07 +020018124 from some requests when a request is not the first one, or to help grouping
18125 requests in the logs.
Willy Tarreau7f18e522010-10-22 20:04:13 +020018126
Willy Tarreau74ca5042013-06-11 23:12:07 +020018127method : integer + string
18128 Returns an integer value corresponding to the method in the HTTP request. For
18129 example, "GET" equals 1 (check sources to establish the matching). Value 9
18130 means "other method" and may be converted to a string extracted from the
18131 stream. This should not be used directly as a sample, this is only meant to
18132 be used from ACLs, which transparently convert methods from patterns to these
18133 integer + string values. Some predefined ACL already check for most common
18134 methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018135
Willy Tarreau74ca5042013-06-11 23:12:07 +020018136 ACL derivatives :
18137 method : case insensitive method match
Willy Tarreau6a06a402007-07-15 20:15:28 +020018138
Willy Tarreau74ca5042013-06-11 23:12:07 +020018139 Example :
18140 # only accept GET and HEAD requests
18141 acl valid_method method GET HEAD
18142 http-request deny if ! valid_method
Willy Tarreau6a06a402007-07-15 20:15:28 +020018143
Willy Tarreau74ca5042013-06-11 23:12:07 +020018144path : string
18145 This extracts the request's URL path, which starts at the first slash and
18146 ends before the question mark (without the host part). A typical use is with
18147 prefetch-capable caches, and with portals which need to aggregate multiple
18148 information from databases and keep them in caches. Note that with outgoing
18149 caches, it would be wiser to use "url" instead. With ACLs, it's typically
Davor Ocelice9ed2812017-12-25 17:49:28 +010018150 used to match exact file names (e.g. "/login.php"), or directory parts using
Willy Tarreau74ca5042013-06-11 23:12:07 +020018151 the derivative forms. See also the "url" and "base" fetch methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018152
Willy Tarreau74ca5042013-06-11 23:12:07 +020018153 ACL derivatives :
18154 path : exact string match
18155 path_beg : prefix match
18156 path_dir : subdir match
18157 path_dom : domain match
18158 path_end : suffix match
18159 path_len : length match
18160 path_reg : regex match
18161 path_sub : substring match
Willy Tarreau6a06a402007-07-15 20:15:28 +020018162
Christopher Faulete720c322020-09-02 17:25:18 +020018163pathq : string
18164 This extracts the request's URL path with the query-string, which starts at
18165 the first slash. This sample fetch is pretty handy to always retrieve a
18166 relative URI, excluding the scheme and the authority part, if any. Indeed,
18167 while it is the common representation for an HTTP/1.1 request target, in
18168 HTTP/2, an absolute URI is often used. This sample fetch will return the same
18169 result in both cases.
18170
Willy Tarreau49ad95c2015-01-19 15:06:26 +010018171query : string
18172 This extracts the request's query string, which starts after the first
18173 question mark. If no question mark is present, this fetch returns nothing. If
18174 a question mark is present but nothing follows, it returns an empty string.
18175 This means it's possible to easily know whether a query string is present
Tim Düsterhus4896c442016-11-29 02:15:19 +010018176 using the "found" matching method. This fetch is the complement of "path"
Willy Tarreau49ad95c2015-01-19 15:06:26 +010018177 which stops before the question mark.
18178
Willy Tarreaueb27ec72015-02-20 13:55:29 +010018179req.hdr_names([<delim>]) : string
18180 This builds a string made from the concatenation of all header names as they
18181 appear in the request when the rule is evaluated. The default delimiter is
18182 the comma (',') but it may be overridden as an optional argument <delim>. In
18183 this case, only the first character of <delim> is considered.
18184
Willy Tarreau74ca5042013-06-11 23:12:07 +020018185req.ver : string
18186req_ver : string (deprecated)
18187 Returns the version string from the HTTP request, for example "1.1". This can
18188 be useful for logs, but is mostly there for ACL. Some predefined ACL already
18189 check for versions 1.0 and 1.1.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018190
Willy Tarreau74ca5042013-06-11 23:12:07 +020018191 ACL derivatives :
18192 req_ver : exact string match
Willy Tarreau0e698542011-09-16 08:32:32 +020018193
Christopher Faulete596d182020-05-05 17:46:34 +020018194res.body : binary
18195 This returns the HTTP response's available body as a block of data. Unlike
18196 the request side, there is no directive to wait for the response's body. This
18197 sample fetch is really useful (and usable) in the health-check context. It
18198 may be used in tcp-check based expect rules.
18199
18200res.body_len : integer
18201 This returns the length of the HTTP response available body in bytes. Unlike
18202 the request side, there is no directive to wait for the response's body. This
18203 sample fetch is really useful (and usable) in the health-check context. It
18204 may be used in tcp-check based expect rules.
18205
18206res.body_size : integer
18207 This returns the advertised length of the HTTP response body in bytes. It
18208 will represent the advertised Content-Length header, or the size of the
18209 available data in case of chunked encoding. Unlike the request side, there is
18210 no directive to wait for the response body. This sample fetch is really
18211 useful (and usable) in the health-check context. It may be used in tcp-check
18212 based expect rules.
18213
Willy Tarreau74ca5042013-06-11 23:12:07 +020018214res.comp : boolean
18215 Returns the boolean "true" value if the response has been compressed by
18216 HAProxy, otherwise returns boolean "false". This may be used to add
18217 information in the logs.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018218
Willy Tarreau74ca5042013-06-11 23:12:07 +020018219res.comp_algo : string
18220 Returns a string containing the name of the algorithm used if the response
18221 was compressed by HAProxy, for example : "deflate". This may be used to add
18222 some information in the logs.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018223
Willy Tarreau74ca5042013-06-11 23:12:07 +020018224res.cook([<name>]) : string
18225scook([<name>]) : string (deprecated)
18226 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
18227 header line from the response, and returns its value as string. If no name is
Christopher Faulete596d182020-05-05 17:46:34 +020018228 specified, the first cookie value is returned. It may be used in tcp-check
18229 based expect rules.
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020018230
Willy Tarreau74ca5042013-06-11 23:12:07 +020018231 ACL derivatives :
18232 scook([<name>] : exact string match
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020018233
Willy Tarreau74ca5042013-06-11 23:12:07 +020018234res.cook_cnt([<name>]) : integer
18235scook_cnt([<name>]) : integer (deprecated)
18236 Returns an integer value representing the number of occurrences of the cookie
18237 <name> in the response, or all cookies if <name> is not specified. This is
Christopher Faulete596d182020-05-05 17:46:34 +020018238 mostly useful when combined with ACLs to detect suspicious responses. It may
18239 be used in tcp-check based expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018240
Willy Tarreau74ca5042013-06-11 23:12:07 +020018241res.cook_val([<name>]) : integer
18242scook_val([<name>]) : integer (deprecated)
18243 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
18244 header line from the response, and converts its value to an integer which is
Christopher Faulete596d182020-05-05 17:46:34 +020018245 returned. If no name is specified, the first cookie value is returned. It may
18246 be used in tcp-check based expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018247
Willy Tarreau74ca5042013-06-11 23:12:07 +020018248res.fhdr([<name>[,<occ>]]) : string
18249 This extracts the last occurrence of header <name> in an HTTP response, or of
18250 the last header if no <name> is specified. Optionally, a specific occurrence
18251 might be specified as a position number. Positive values indicate a position
18252 from the first occurrence, with 1 being the first one. Negative values
18253 indicate positions relative to the last one, with -1 being the last one. It
18254 differs from res.hdr() in that any commas present in the value are returned
18255 and are not used as delimiters. If this is not desired, the res.hdr() fetch
18256 should be used instead. This is sometimes useful with headers such as Date or
Christopher Faulete596d182020-05-05 17:46:34 +020018257 Expires. It may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018258
Willy Tarreau74ca5042013-06-11 23:12:07 +020018259res.fhdr_cnt([<name>]) : integer
18260 Returns an integer value representing the number of occurrences of response
18261 header field name <name>, or the total number of header fields if <name> is
18262 not specified. Contrary to its res.hdr_cnt() cousin, this function returns
18263 the number of full line headers and does not stop on commas. If this is not
Christopher Faulete596d182020-05-05 17:46:34 +020018264 desired, the res.hdr_cnt() fetch should be used instead. It may be used in
18265 tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018266
Willy Tarreau74ca5042013-06-11 23:12:07 +020018267res.hdr([<name>[,<occ>]]) : string
18268shdr([<name>[,<occ>]]) : string (deprecated)
18269 This extracts the last occurrence of header <name> in an HTTP response, or of
18270 the last header if no <name> is specified. Optionally, a specific occurrence
18271 might be specified as a position number. Positive values indicate a position
18272 from the first occurrence, with 1 being the first one. Negative values
18273 indicate positions relative to the last one, with -1 being the last one. This
18274 can be useful to learn some data into a stick-table. The function considers
18275 any comma as a delimiter for distinct values. If this is not desired, the
Christopher Faulete596d182020-05-05 17:46:34 +020018276 res.fhdr() fetch should be used instead. It may be used in tcp-check based
18277 expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018278
Willy Tarreau74ca5042013-06-11 23:12:07 +020018279 ACL derivatives :
18280 shdr([<name>[,<occ>]]) : exact string match
18281 shdr_beg([<name>[,<occ>]]) : prefix match
18282 shdr_dir([<name>[,<occ>]]) : subdir match
18283 shdr_dom([<name>[,<occ>]]) : domain match
18284 shdr_end([<name>[,<occ>]]) : suffix match
18285 shdr_len([<name>[,<occ>]]) : length match
18286 shdr_reg([<name>[,<occ>]]) : regex match
18287 shdr_sub([<name>[,<occ>]]) : substring match
18288
18289res.hdr_cnt([<name>]) : integer
18290shdr_cnt([<name>]) : integer (deprecated)
18291 Returns an integer value representing the number of occurrences of response
18292 header field name <name>, or the total number of header fields if <name> is
18293 not specified. The function considers any comma as a delimiter for distinct
18294 values. If this is not desired, the res.fhdr_cnt() fetch should be used
Christopher Faulete596d182020-05-05 17:46:34 +020018295 instead. It may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018296
Willy Tarreau74ca5042013-06-11 23:12:07 +020018297res.hdr_ip([<name>[,<occ>]]) : ip
18298shdr_ip([<name>[,<occ>]]) : ip (deprecated)
18299 This extracts the last occurrence of header <name> in an HTTP response,
18300 convert it to an IPv4 or IPv6 address and returns this address. Optionally, a
18301 specific occurrence might be specified as a position number. Positive values
18302 indicate a position from the first occurrence, with 1 being the first one.
18303 Negative values indicate positions relative to the last one, with -1 being
Christopher Faulete596d182020-05-05 17:46:34 +020018304 the last one. This can be useful to learn some data into a stick table. It
18305 may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020018306
Willy Tarreaueb27ec72015-02-20 13:55:29 +010018307res.hdr_names([<delim>]) : string
18308 This builds a string made from the concatenation of all header names as they
18309 appear in the response when the rule is evaluated. The default delimiter is
18310 the comma (',') but it may be overridden as an optional argument <delim>. In
Christopher Faulete596d182020-05-05 17:46:34 +020018311 this case, only the first character of <delim> is considered. It may be used
18312 in tcp-check based expect rules.
Willy Tarreaueb27ec72015-02-20 13:55:29 +010018313
Willy Tarreau74ca5042013-06-11 23:12:07 +020018314res.hdr_val([<name>[,<occ>]]) : integer
18315shdr_val([<name>[,<occ>]]) : integer (deprecated)
18316 This extracts the last occurrence of header <name> in an HTTP response, and
18317 converts it to an integer value. Optionally, a specific occurrence might be
18318 specified as a position number. Positive values indicate a position from the
18319 first occurrence, with 1 being the first one. Negative values indicate
18320 positions relative to the last one, with -1 being the last one. This can be
Christopher Faulete596d182020-05-05 17:46:34 +020018321 useful to learn some data into a stick table. It may be used in tcp-check
18322 based expect rules.
18323
18324res.hdrs : string
18325 Returns the current response headers as string including the last empty line
18326 separating headers from the request body. The last empty line can be used to
18327 detect a truncated header block. This sample fetch is useful for some SPOE
18328 headers analyzers and for advanced logging. It may also be used in tcp-check
18329 based expect rules.
18330
18331res.hdrs_bin : binary
18332 Returns the current response headers contained in preparsed binary form. This
18333 is useful for offloading some processing with SPOE. It may be used in
18334 tcp-check based expect rules. Each string is described by a length followed
18335 by the number of bytes indicated in the length. The length is represented
18336 using the variable integer encoding detailed in the SPOE documentation. The
18337 end of the list is marked by a couple of empty header names and values
18338 (length of 0 for both).
18339
18340 *(<str:header-name><str:header-value>)<empty string><empty string>
18341
18342 int: refer to the SPOE documentation for the encoding
18343 str: <int:length><bytes>
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010018344
Willy Tarreau74ca5042013-06-11 23:12:07 +020018345res.ver : string
18346resp_ver : string (deprecated)
18347 Returns the version string from the HTTP response, for example "1.1". This
Christopher Faulete596d182020-05-05 17:46:34 +020018348 can be useful for logs, but is mostly there for ACL. It may be used in
18349 tcp-check based expect rules.
Willy Tarreau0e698542011-09-16 08:32:32 +020018350
Willy Tarreau74ca5042013-06-11 23:12:07 +020018351 ACL derivatives :
18352 resp_ver : exact string match
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010018353
Willy Tarreau74ca5042013-06-11 23:12:07 +020018354set-cookie([<name>]) : string (deprecated)
18355 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
18356 header line from the response and uses the corresponding value to match. This
Willy Tarreau294d0f02015-08-10 19:40:12 +020018357 can be comparable to what "appsession" did with default options, but with
Willy Tarreau74ca5042013-06-11 23:12:07 +020018358 support for multi-peer synchronization and state keeping across restarts.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010018359
Willy Tarreau74ca5042013-06-11 23:12:07 +020018360 This fetch function is deprecated and has been superseded by the "res.cook"
18361 fetch. This keyword will disappear soon.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010018362
Willy Tarreau74ca5042013-06-11 23:12:07 +020018363status : integer
18364 Returns an integer containing the HTTP status code in the HTTP response, for
18365 example, 302. It is mostly used within ACLs and integer ranges, for example,
Christopher Faulete596d182020-05-05 17:46:34 +020018366 to remove any Location header if the response is not a 3xx. It may be used in
18367 tcp-check based expect rules.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018368
Thierry Fournier0e00dca2016-04-07 15:47:40 +020018369unique-id : string
18370 Returns the unique-id attached to the request. The directive
18371 "unique-id-format" must be set. If it is not set, the unique-id sample fetch
18372 fails. Note that the unique-id is usually used with HTTP requests, however this
18373 sample fetch can be used with other protocols. Obviously, if it is used with
18374 other protocols than HTTP, the unique-id-format directive must not contain
18375 HTTP parts. See: unique-id-format and unique-id-header
18376
Willy Tarreau74ca5042013-06-11 23:12:07 +020018377url : string
18378 This extracts the request's URL as presented in the request. A typical use is
18379 with prefetch-capable caches, and with portals which need to aggregate
18380 multiple information from databases and keep them in caches. With ACLs, using
18381 "path" is preferred over using "url", because clients may send a full URL as
18382 is normally done with proxies. The only real use is to match "*" which does
18383 not match in "path", and for which there is already a predefined ACL. See
18384 also "path" and "base".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018385
Willy Tarreau74ca5042013-06-11 23:12:07 +020018386 ACL derivatives :
18387 url : exact string match
18388 url_beg : prefix match
18389 url_dir : subdir match
18390 url_dom : domain match
18391 url_end : suffix match
18392 url_len : length match
18393 url_reg : regex match
18394 url_sub : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018395
Willy Tarreau74ca5042013-06-11 23:12:07 +020018396url_ip : ip
18397 This extracts the IP address from the request's URL when the host part is
18398 presented as an IP address. Its use is very limited. For instance, a
18399 monitoring system might use this field as an alternative for the source IP in
18400 order to test what path a given source address would follow, or to force an
18401 entry in a table for a given source address. With ACLs it can be used to
18402 restrict access to certain systems through a proxy, for example when combined
18403 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018404
Willy Tarreau74ca5042013-06-11 23:12:07 +020018405url_port : integer
18406 This extracts the port part from the request's URL. Note that if the port is
18407 not specified in the request, port 80 is assumed. With ACLs it can be used to
18408 restrict access to certain systems through a proxy, for example when combined
18409 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018410
Willy Tarreau1ede1da2015-05-07 16:06:18 +020018411urlp([<name>[,<delim>]]) : string
18412url_param([<name>[,<delim>]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020018413 This extracts the first occurrence of the parameter <name> in the query
18414 string, which begins after either '?' or <delim>, and which ends before '&',
Willy Tarreau1ede1da2015-05-07 16:06:18 +020018415 ';' or <delim>. The parameter name is case-sensitive. If no name is given,
18416 any parameter will match, and the first one will be returned. The result is
18417 a string corresponding to the value of the parameter <name> as presented in
18418 the request (no URL decoding is performed). This can be used for session
Willy Tarreau74ca5042013-06-11 23:12:07 +020018419 stickiness based on a client ID, to extract an application cookie passed as a
18420 URL parameter, or in ACLs to apply some checks. Note that the ACL version of
Willy Tarreau1ede1da2015-05-07 16:06:18 +020018421 this fetch iterates over multiple parameters and will iteratively report all
18422 parameters values if no name is given
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018423
Willy Tarreau74ca5042013-06-11 23:12:07 +020018424 ACL derivatives :
18425 urlp(<name>[,<delim>]) : exact string match
18426 urlp_beg(<name>[,<delim>]) : prefix match
18427 urlp_dir(<name>[,<delim>]) : subdir match
18428 urlp_dom(<name>[,<delim>]) : domain match
18429 urlp_end(<name>[,<delim>]) : suffix match
18430 urlp_len(<name>[,<delim>]) : length match
18431 urlp_reg(<name>[,<delim>]) : regex match
18432 urlp_sub(<name>[,<delim>]) : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018433
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018434
Willy Tarreau74ca5042013-06-11 23:12:07 +020018435 Example :
18436 # match http://example.com/foo?PHPSESSIONID=some_id
18437 stick on urlp(PHPSESSIONID)
18438 # match http://example.com/foo;JSESSIONID=some_id
18439 stick on urlp(JSESSIONID,;)
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020018440
Jarno Huuskonen676f6222017-03-30 09:19:45 +030018441urlp_val([<name>[,<delim>]]) : integer
Willy Tarreau74ca5042013-06-11 23:12:07 +020018442 See "urlp" above. This one extracts the URL parameter <name> in the request
18443 and converts it to an integer value. This can be used for session stickiness
18444 based on a user ID for example, or with ACLs to match a page number or price.
Willy Tarreaua9fddca2012-07-31 07:51:48 +020018445
Dragan Dosen0070cd52016-06-16 12:19:49 +020018446url32 : integer
18447 This returns a 32-bit hash of the value obtained by concatenating the first
18448 Host header and the whole URL including parameters (not only the path part of
18449 the request, as in the "base32" fetch above). This is useful to track per-URL
18450 activity. A shorter hash is stored, saving a lot of memory. The output type
18451 is an unsigned integer.
18452
18453url32+src : binary
18454 This returns the concatenation of the "url32" fetch and the "src" fetch. The
18455 resulting type is of type binary, with a size of 8 or 20 bytes depending on
18456 the source address family. This can be used to track per-IP, per-URL counters.
18457
Christopher Faulet16032ab2020-04-30 11:30:00 +020018458
Christopher Faulete596d182020-05-05 17:46:34 +0200184597.3.7. Fetching samples for developers
Christopher Fauletd47941d2020-01-08 14:40:19 +010018460---------------------------------------
18461
18462This set of sample fetch methods is reserved to developers and must never be
18463used on a production environment, except on developer demand, for debugging
18464purposes. Moreover, no special care will be taken on backwards compatibility.
18465There is no warranty the following sample fetches will never change, be renamed
18466or simply removed. So be really careful if you should use one of them. To avoid
18467any ambiguity, these sample fetches are placed in the dedicated scope "internal",
18468for instance "internal.strm.is_htx".
18469
18470internal.htx.data : integer
18471 Returns the size in bytes used by data in the HTX message associated to a
18472 channel. The channel is chosen depending on the sample direction.
18473
18474internal.htx.free : integer
18475 Returns the free space (size - used) in bytes in the HTX message associated
18476 to a channel. The channel is chosen depending on the sample direction.
18477
18478internal.htx.free_data : integer
18479 Returns the free space for the data in bytes in the HTX message associated to
18480 a channel. The channel is chosen depending on the sample direction.
18481
18482internal.htx.has_eom : boolean
18483 Returns true if the HTX message associated to a channel contains an
18484 end-of-message block (EOM). Otherwise, it returns false. The channel is
18485 chosen depending on the sample direction.
18486
18487internal.htx.nbblks : integer
18488 Returns the number of blocks present in the HTX message associated to a
18489 channel. The channel is chosen depending on the sample direction.
18490
18491internal.htx.size : integer
18492 Returns the total size in bytes of the HTX message associated to a
18493 channel. The channel is chosen depending on the sample direction.
18494
18495internal.htx.used : integer
18496 Returns the total size used in bytes (data + metadata) in the HTX message
18497 associated to a channel. The channel is chosen depending on the sample
18498 direction.
18499
18500internal.htx_blk.size(<idx>) : integer
18501 Returns the size of the block at the position <idx> in the HTX message
18502 associated to a channel or 0 if it does not exist. The channel is chosen
18503 depending on the sample direction. <idx> may be any positive integer or one
18504 of the special value :
18505 * head : The oldest inserted block
18506 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050018507 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010018508
18509internal.htx_blk.type(<idx>) : string
18510 Returns the type of the block at the position <idx> in the HTX message
18511 associated to a channel or "HTX_BLK_UNUSED" if it does not exist. The channel
18512 is chosen depending on the sample direction. <idx> may be any positive
18513 integer or one of the special value :
18514 * head : The oldest inserted block
18515 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050018516 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010018517
18518internal.htx_blk.data(<idx>) : binary
18519 Returns the value of the DATA block at the position <idx> in the HTX message
18520 associated to a channel or an empty string if it does not exist or if it is
18521 not a DATA block. The channel is chosen depending on the sample direction.
18522 <idx> may be any positive integer or one of the special value :
18523
18524 * head : The oldest inserted block
18525 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050018526 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010018527
18528internal.htx_blk.hdrname(<idx>) : string
18529 Returns the header name of the HEADER block at the position <idx> in the HTX
18530 message associated to a channel or an empty string if it does not exist or if
18531 it is not an HEADER block. The channel is chosen depending on the sample
18532 direction. <idx> may be any positive integer or one of the special value :
18533
18534 * head : The oldest inserted block
18535 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050018536 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010018537
18538internal.htx_blk.hdrval(<idx>) : string
18539 Returns the header value of the HEADER block at the position <idx> in the HTX
18540 message associated to a channel or an empty string if it does not exist or if
18541 it is not an HEADER block. The channel is chosen depending on the sample
18542 direction. <idx> may be any positive integer or one of the special value :
18543
18544 * head : The oldest inserted block
18545 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050018546 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010018547
18548internal.htx_blk.start_line(<idx>) : string
18549 Returns the value of the REQ_SL or RES_SL block at the position <idx> in the
18550 HTX message associated to a channel or an empty string if it does not exist
18551 or if it is not a SL block. The channel is chosen depending on the sample
18552 direction. <idx> may be any positive integer or one of the special value :
18553
18554 * head : The oldest inserted block
18555 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050018556 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010018557
18558internal.strm.is_htx : boolean
18559 Returns true if the current stream is an HTX stream. It means the data in the
18560 channels buffers are stored using the internal HTX representation. Otherwise,
18561 it returns false.
18562
18563
Willy Tarreau74ca5042013-06-11 23:12:07 +0200185647.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018565---------------------
Willy Tarreauced27012008-01-17 20:35:34 +010018566
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018567Some predefined ACLs are hard-coded so that they do not have to be declared in
18568every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +020018569order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +010018570
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018571ACL name Equivalent to Usage
18572---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018573FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +020018574HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018575HTTP_1.0 req_ver 1.0 match HTTP version 1.0
18576HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +010018577HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
18578HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
18579HTTP_URL_SLASH url_beg / match URL beginning with "/"
18580HTTP_URL_STAR url * match URL equal to "*"
18581LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018582METH_CONNECT method CONNECT match HTTP CONNECT method
Daniel Schneller9ff96c72016-04-11 17:45:29 +020018583METH_DELETE method DELETE match HTTP DELETE method
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018584METH_GET method GET HEAD match HTTP GET or HEAD method
18585METH_HEAD method HEAD match HTTP HEAD method
18586METH_OPTIONS method OPTIONS match HTTP OPTIONS method
18587METH_POST method POST match HTTP POST method
Daniel Schneller9ff96c72016-04-11 17:45:29 +020018588METH_PUT method PUT match HTTP PUT method
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018589METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +020018590RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018591REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +010018592TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018593WAIT_END wait_end wait for end of content analysis
18594---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +010018595
Willy Tarreaub937b7e2010-01-12 15:27:54 +010018596
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200185978. Logging
18598----------
Willy Tarreau844e3c52008-01-11 16:28:18 +010018599
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018600One of HAProxy's strong points certainly lies is its precise logs. It probably
18601provides the finest level of information available for such a product, which is
18602very important for troubleshooting complex environments. Standard information
18603provided in logs include client ports, TCP/HTTP state timers, precise session
18604state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010018605to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018606headers.
18607
18608In order to improve administrators reactivity, it offers a great transparency
18609about encountered problems, both internal and external, and it is possible to
18610send logs to different sources at the same time with different level filters :
18611
18612 - global process-level logs (system errors, start/stop, etc..)
18613 - per-instance system and internal errors (lack of resource, bugs, ...)
18614 - per-instance external troubles (servers up/down, max connections)
18615 - per-instance activity (client connections), either at the establishment or
18616 at the termination.
Davor Ocelice9ed2812017-12-25 17:49:28 +010018617 - per-request control of log-level, e.g.
Jim Freeman9e8714b2015-05-26 09:16:34 -060018618 http-request set-log-level silent if sensitive_request
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018619
18620The ability to distribute different levels of logs to different log servers
18621allow several production teams to interact and to fix their problems as soon
18622as possible. For example, the system team might monitor system-wide errors,
18623while the application team might be monitoring the up/down for their servers in
18624real time, and the security team might analyze the activity logs with one hour
18625delay.
18626
18627
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200186288.1. Log levels
18629---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018630
Simon Hormandf791f52011-05-29 15:01:10 +090018631TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018632source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +090018633HTTP request, HTTP return code, number of bytes transmitted, conditions
18634in which the session ended, and even exchanged cookies values. For example
18635track a particular user's problems. All messages may be sent to up to two
18636syslog servers. Check the "log" keyword in section 4.2 for more information
18637about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018638
18639
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200186408.2. Log formats
18641----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018642
William Lallemand48940402012-01-30 16:47:22 +010018643HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +090018644and will be detailed in the following sections. A few of them may vary
18645slightly with the configuration, due to indicators specific to certain
18646options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018647
18648 - the default format, which is very basic and very rarely used. It only
18649 provides very basic information about the incoming connection at the moment
18650 it is accepted : source IP:port, destination IP:port, and frontend-name.
18651 This mode will eventually disappear so it will not be described to great
18652 extents.
18653
18654 - the TCP format, which is more advanced. This format is enabled when "option
18655 tcplog" is set on the frontend. HAProxy will then usually wait for the
18656 connection to terminate before logging. This format provides much richer
18657 information, such as timers, connection counts, queue size, etc... This
18658 format is recommended for pure TCP proxies.
18659
18660 - the HTTP format, which is the most advanced for HTTP proxying. This format
18661 is enabled when "option httplog" is set on the frontend. It provides the
18662 same information as the TCP format with some HTTP-specific fields such as
18663 the request, the status code, and captures of headers and cookies. This
18664 format is recommended for HTTP proxies.
18665
Emeric Brun3a058f32009-06-30 18:26:00 +020018666 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
18667 fields arranged in the same order as the CLF format. In this mode, all
18668 timers, captures, flags, etc... appear one per field after the end of the
18669 common fields, in the same order they appear in the standard HTTP format.
18670
William Lallemand48940402012-01-30 16:47:22 +010018671 - the custom log format, allows you to make your own log line.
18672
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018673Next sections will go deeper into details for each of these formats. Format
18674specification will be performed on a "field" basis. Unless stated otherwise, a
18675field is a portion of text delimited by any number of spaces. Since syslog
18676servers are susceptible of inserting fields at the beginning of a line, it is
18677always assumed that the first field is the one containing the process name and
18678identifier.
18679
18680Note : Since log lines may be quite long, the log examples in sections below
18681 might be broken into multiple lines. The example log lines will be
18682 prefixed with 3 closing angle brackets ('>>>') and each time a log is
18683 broken into multiple lines, each non-final line will end with a
18684 backslash ('\') and the next line will start indented by two characters.
18685
18686
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200186878.2.1. Default log format
18688-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018689
18690This format is used when no specific option is set. The log is emitted as soon
18691as the connection is accepted. One should note that this currently is the only
18692format which logs the request's destination IP and ports.
18693
18694 Example :
18695 listen www
18696 mode http
18697 log global
18698 server srv1 127.0.0.1:8000
18699
18700 >>> Feb 6 12:12:09 localhost \
18701 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
18702 (www/HTTP)
18703
18704 Field Format Extract from the example above
18705 1 process_name '[' pid ']:' haproxy[14385]:
18706 2 'Connect from' Connect from
18707 3 source_ip ':' source_port 10.0.1.2:33312
18708 4 'to' to
18709 5 destination_ip ':' destination_port 10.0.3.31:8012
18710 6 '(' frontend_name '/' mode ')' (www/HTTP)
18711
18712Detailed fields description :
18713 - "source_ip" is the IP address of the client which initiated the connection.
18714 - "source_port" is the TCP port of the client which initiated the connection.
18715 - "destination_ip" is the IP address the client connected to.
18716 - "destination_port" is the TCP port the client connected to.
18717 - "frontend_name" is the name of the frontend (or listener) which received
18718 and processed the connection.
18719 - "mode is the mode the frontend is operating (TCP or HTTP).
18720
Willy Tarreauceb24bc2010-11-09 12:46:41 +010018721In case of a UNIX socket, the source and destination addresses are marked as
18722"unix:" and the ports reflect the internal ID of the socket which accepted the
18723connection (the same ID as reported in the stats).
18724
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018725It is advised not to use this deprecated format for newer installations as it
18726will eventually disappear.
18727
18728
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200187298.2.2. TCP log format
18730---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018731
18732The TCP format is used when "option tcplog" is specified in the frontend, and
18733is the recommended format for pure TCP proxies. It provides a lot of precious
18734information for troubleshooting. Since this format includes timers and byte
18735counts, the log is normally emitted at the end of the session. It can be
18736emitted earlier if "option logasap" is specified, which makes sense in most
18737environments with long sessions such as remote terminals. Sessions which match
18738the "monitor" rules are never logged. It is also possible not to emit logs for
18739sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020018740specifying "option dontlognull" in the frontend. Successful connections will
18741not be logged if "option dontlog-normal" is specified in the frontend. A few
18742fields may slightly vary depending on some configuration options, those are
18743marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018744
18745 Example :
18746 frontend fnt
18747 mode tcp
18748 option tcplog
18749 log global
18750 default_backend bck
18751
18752 backend bck
18753 server srv1 127.0.0.1:8000
18754
18755 >>> Feb 6 12:12:56 localhost \
18756 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
18757 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
18758
18759 Field Format Extract from the example above
18760 1 process_name '[' pid ']:' haproxy[14387]:
18761 2 client_ip ':' client_port 10.0.1.2:33313
18762 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
18763 4 frontend_name fnt
18764 5 backend_name '/' server_name bck/srv1
18765 6 Tw '/' Tc '/' Tt* 0/0/5007
18766 7 bytes_read* 212
18767 8 termination_state --
18768 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
18769 10 srv_queue '/' backend_queue 0/0
18770
18771Detailed fields description :
18772 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010018773 connection to haproxy. If the connection was accepted on a UNIX socket
18774 instead, the IP address would be replaced with the word "unix". Note that
18775 when the connection is accepted on a socket configured with "accept-proxy"
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010018776 and the PROXY protocol is correctly used, or with a "accept-netscaler-cip"
Davor Ocelice9ed2812017-12-25 17:49:28 +010018777 and the NetScaler Client IP insertion protocol is correctly used, then the
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010018778 logs will reflect the forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018779
18780 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010018781 If the connection was accepted on a UNIX socket instead, the port would be
18782 replaced with the ID of the accepting socket, which is also reported in the
18783 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018784
18785 - "accept_date" is the exact date when the connection was received by haproxy
18786 (which might be very slightly different from the date observed on the
18787 network if there was some queuing in the system's backlog). This is usually
Willy Tarreau590a0512018-09-05 11:56:48 +020018788 the same date which may appear in any upstream firewall's log. When used in
18789 HTTP mode, the accept_date field will be reset to the first moment the
18790 connection is ready to receive a new request (end of previous response for
18791 HTTP/1, immediately after previous request for HTTP/2).
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018792
18793 - "frontend_name" is the name of the frontend (or listener) which received
18794 and processed the connection.
18795
18796 - "backend_name" is the name of the backend (or listener) which was selected
18797 to manage the connection to the server. This will be the same as the
18798 frontend if no switching rule has been applied, which is common for TCP
18799 applications.
18800
18801 - "server_name" is the name of the last server to which the connection was
18802 sent, which might differ from the first one if there were connection errors
18803 and a redispatch occurred. Note that this server belongs to the backend
18804 which processed the request. If the connection was aborted before reaching
18805 a server, "<NOSRV>" is indicated instead of a server name.
18806
18807 - "Tw" is the total time in milliseconds spent waiting in the various queues.
18808 It can be "-1" if the connection was aborted before reaching the queue.
18809 See "Timers" below for more details.
18810
18811 - "Tc" is the total time in milliseconds spent waiting for the connection to
18812 establish to the final server, including retries. It can be "-1" if the
18813 connection was aborted before a connection could be established. See
18814 "Timers" below for more details.
18815
18816 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030018817 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018818 "option logasap" was specified, then the time counting stops at the moment
18819 the log is emitted. In this case, a '+' sign is prepended before the value,
18820 indicating that the final one will be larger. See "Timers" below for more
18821 details.
18822
18823 - "bytes_read" is the total number of bytes transmitted from the server to
18824 the client when the log is emitted. If "option logasap" is specified, the
18825 this value will be prefixed with a '+' sign indicating that the final one
18826 may be larger. Please note that this value is a 64-bit counter, so log
18827 analysis tools must be able to handle it without overflowing.
18828
18829 - "termination_state" is the condition the session was in when the session
18830 ended. This indicates the session state, which side caused the end of
18831 session to happen, and for what reason (timeout, error, ...). The normal
18832 flags should be "--", indicating the session was closed by either end with
18833 no data remaining in buffers. See below "Session state at disconnection"
18834 for more details.
18835
18836 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040018837 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018838 limits have been reached. For instance, if actconn is close to 512 when
18839 multiple connection errors occur, chances are high that the system limits
18840 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018841 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018842
18843 - "feconn" is the total number of concurrent connections on the frontend when
18844 the session was logged. It is useful to estimate the amount of resource
18845 required to sustain high loads, and to detect when the frontend's "maxconn"
18846 has been reached. Most often when this value increases by huge jumps, it is
18847 because there is congestion on the backend servers, but sometimes it can be
18848 caused by a denial of service attack.
18849
18850 - "beconn" is the total number of concurrent connections handled by the
18851 backend when the session was logged. It includes the total number of
18852 concurrent connections active on servers as well as the number of
18853 connections pending in queues. It is useful to estimate the amount of
18854 additional servers needed to support high loads for a given application.
18855 Most often when this value increases by huge jumps, it is because there is
18856 congestion on the backend servers, but sometimes it can be caused by a
18857 denial of service attack.
18858
18859 - "srv_conn" is the total number of concurrent connections still active on
18860 the server when the session was logged. It can never exceed the server's
18861 configured "maxconn" parameter. If this value is very often close or equal
18862 to the server's "maxconn", it means that traffic regulation is involved a
18863 lot, meaning that either the server's maxconn value is too low, or that
18864 there aren't enough servers to process the load with an optimal response
18865 time. When only one of the server's "srv_conn" is high, it usually means
18866 that this server has some trouble causing the connections to take longer to
18867 be processed than on other servers.
18868
18869 - "retries" is the number of connection retries experienced by this session
18870 when trying to connect to the server. It must normally be zero, unless a
18871 server is being stopped at the same moment the connection was attempted.
18872 Frequent retries generally indicate either a network problem between
18873 haproxy and the server, or a misconfigured system backlog on the server
18874 preventing new connections from being queued. This field may optionally be
18875 prefixed with a '+' sign, indicating that the session has experienced a
18876 redispatch after the maximal retry count has been reached on the initial
18877 server. In this case, the server name appearing in the log is the one the
18878 connection was redispatched to, and not the first one, though both may
18879 sometimes be the same in case of hashing for instance. So as a general rule
18880 of thumb, when a '+' is present in front of the retry count, this count
18881 should not be attributed to the logged server.
18882
18883 - "srv_queue" is the total number of requests which were processed before
18884 this one in the server queue. It is zero when the request has not gone
18885 through the server queue. It makes it possible to estimate the approximate
18886 server's response time by dividing the time spent in queue by the number of
18887 requests in the queue. It is worth noting that if a session experiences a
18888 redispatch and passes through two server queues, their positions will be
Davor Ocelice9ed2812017-12-25 17:49:28 +010018889 cumulative. A request should not pass through both the server queue and the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018890 backend queue unless a redispatch occurs.
18891
18892 - "backend_queue" is the total number of requests which were processed before
18893 this one in the backend's global queue. It is zero when the request has not
18894 gone through the global queue. It makes it possible to estimate the average
18895 queue length, which easily translates into a number of missing servers when
18896 divided by a server's "maxconn" parameter. It is worth noting that if a
18897 session experiences a redispatch, it may pass twice in the backend's queue,
Davor Ocelice9ed2812017-12-25 17:49:28 +010018898 and then both positions will be cumulative. A request should not pass
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018899 through both the server queue and the backend queue unless a redispatch
18900 occurs.
18901
18902
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200189038.2.3. HTTP log format
18904----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018905
18906The HTTP format is the most complete and the best suited for HTTP proxies. It
18907is enabled by when "option httplog" is specified in the frontend. It provides
18908the same level of information as the TCP format with additional features which
18909are specific to the HTTP protocol. Just like the TCP format, the log is usually
18910emitted at the end of the session, unless "option logasap" is specified, which
18911generally only makes sense for download sites. A session which matches the
18912"monitor" rules will never logged. It is also possible not to log sessions for
18913which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020018914frontend. Successful connections will not be logged if "option dontlog-normal"
18915is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018916
18917Most fields are shared with the TCP log, some being different. A few fields may
18918slightly vary depending on some configuration options. Those ones are marked
18919with a star ('*') after the field name below.
18920
18921 Example :
18922 frontend http-in
18923 mode http
18924 option httplog
18925 log global
18926 default_backend bck
18927
18928 backend static
18929 server srv1 127.0.0.1:8000
18930
18931 >>> Feb 6 12:14:14 localhost \
18932 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
18933 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010018934 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018935
18936 Field Format Extract from the example above
18937 1 process_name '[' pid ']:' haproxy[14389]:
18938 2 client_ip ':' client_port 10.0.1.2:33317
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020018939 3 '[' request_date ']' [06/Feb/2009:12:14:14.655]
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018940 4 frontend_name http-in
18941 5 backend_name '/' server_name static/srv1
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020018942 6 TR '/' Tw '/' Tc '/' Tr '/' Ta* 10/0/30/69/109
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018943 7 status_code 200
18944 8 bytes_read* 2750
18945 9 captured_request_cookie -
18946 10 captured_response_cookie -
18947 11 termination_state ----
18948 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
18949 13 srv_queue '/' backend_queue 0/0
18950 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
18951 15 '{' captured_response_headers* '}' {}
18952 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +010018953
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018954Detailed fields description :
18955 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010018956 connection to haproxy. If the connection was accepted on a UNIX socket
18957 instead, the IP address would be replaced with the word "unix". Note that
18958 when the connection is accepted on a socket configured with "accept-proxy"
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010018959 and the PROXY protocol is correctly used, or with a "accept-netscaler-cip"
Davor Ocelice9ed2812017-12-25 17:49:28 +010018960 and the NetScaler Client IP insertion protocol is correctly used, then the
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010018961 logs will reflect the forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018962
18963 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010018964 If the connection was accepted on a UNIX socket instead, the port would be
18965 replaced with the ID of the accepting socket, which is also reported in the
18966 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018967
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020018968 - "request_date" is the exact date when the first byte of the HTTP request
18969 was received by haproxy (log field %tr).
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018970
18971 - "frontend_name" is the name of the frontend (or listener) which received
18972 and processed the connection.
18973
18974 - "backend_name" is the name of the backend (or listener) which was selected
18975 to manage the connection to the server. This will be the same as the
18976 frontend if no switching rule has been applied.
18977
18978 - "server_name" is the name of the last server to which the connection was
18979 sent, which might differ from the first one if there were connection errors
18980 and a redispatch occurred. Note that this server belongs to the backend
18981 which processed the request. If the request was aborted before reaching a
18982 server, "<NOSRV>" is indicated instead of a server name. If the request was
18983 intercepted by the stats subsystem, "<STATS>" is indicated instead.
18984
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020018985 - "TR" is the total time in milliseconds spent waiting for a full HTTP
18986 request from the client (not counting body) after the first byte was
18987 received. It can be "-1" if the connection was aborted before a complete
John Roeslerfb2fce12019-07-10 15:45:51 -050018988 request could be received or a bad request was received. It should
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020018989 always be very small because a request generally fits in one single packet.
18990 Large times here generally indicate network issues between the client and
Willy Tarreau590a0512018-09-05 11:56:48 +020018991 haproxy or requests being typed by hand. See section 8.4 "Timing Events"
18992 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018993
18994 - "Tw" is the total time in milliseconds spent waiting in the various queues.
18995 It can be "-1" if the connection was aborted before reaching the queue.
Willy Tarreau590a0512018-09-05 11:56:48 +020018996 See section 8.4 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010018997
18998 - "Tc" is the total time in milliseconds spent waiting for the connection to
18999 establish to the final server, including retries. It can be "-1" if the
Willy Tarreau590a0512018-09-05 11:56:48 +020019000 request was aborted before a connection could be established. See section
19001 8.4 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019002
19003 - "Tr" is the total time in milliseconds spent waiting for the server to send
19004 a full HTTP response, not counting data. It can be "-1" if the request was
19005 aborted before a complete response could be received. It generally matches
19006 the server's processing time for the request, though it may be altered by
19007 the amount of data sent by the client to the server. Large times here on
Willy Tarreau590a0512018-09-05 11:56:48 +020019008 "GET" requests generally indicate an overloaded server. See section 8.4
19009 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019010
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019011 - "Ta" is the time the request remained active in haproxy, which is the total
19012 time in milliseconds elapsed between the first byte of the request was
19013 received and the last byte of response was sent. It covers all possible
19014 processing except the handshake (see Th) and idle time (see Ti). There is
19015 one exception, if "option logasap" was specified, then the time counting
19016 stops at the moment the log is emitted. In this case, a '+' sign is
19017 prepended before the value, indicating that the final one will be larger.
Willy Tarreau590a0512018-09-05 11:56:48 +020019018 See section 8.4 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019019
19020 - "status_code" is the HTTP status code returned to the client. This status
19021 is generally set by the server, but it might also be set by haproxy when
19022 the server cannot be reached or when its response is blocked by haproxy.
19023
19024 - "bytes_read" is the total number of bytes transmitted to the client when
19025 the log is emitted. This does include HTTP headers. If "option logasap" is
John Roeslerfb2fce12019-07-10 15:45:51 -050019026 specified, this value will be prefixed with a '+' sign indicating that
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019027 the final one may be larger. Please note that this value is a 64-bit
19028 counter, so log analysis tools must be able to handle it without
19029 overflowing.
19030
19031 - "captured_request_cookie" is an optional "name=value" entry indicating that
19032 the client had this cookie in the request. The cookie name and its maximum
19033 length are defined by the "capture cookie" statement in the frontend
19034 configuration. The field is a single dash ('-') when the option is not
19035 set. Only one cookie may be captured, it is generally used to track session
19036 ID exchanges between a client and a server to detect session crossing
19037 between clients due to application bugs. For more details, please consult
19038 the section "Capturing HTTP headers and cookies" below.
19039
19040 - "captured_response_cookie" is an optional "name=value" entry indicating
19041 that the server has returned a cookie with its response. The cookie name
19042 and its maximum length are defined by the "capture cookie" statement in the
19043 frontend configuration. The field is a single dash ('-') when the option is
19044 not set. Only one cookie may be captured, it is generally used to track
19045 session ID exchanges between a client and a server to detect session
19046 crossing between clients due to application bugs. For more details, please
19047 consult the section "Capturing HTTP headers and cookies" below.
19048
19049 - "termination_state" is the condition the session was in when the session
19050 ended. This indicates the session state, which side caused the end of
19051 session to happen, for what reason (timeout, error, ...), just like in TCP
19052 logs, and information about persistence operations on cookies in the last
19053 two characters. The normal flags should begin with "--", indicating the
19054 session was closed by either end with no data remaining in buffers. See
19055 below "Session state at disconnection" for more details.
19056
19057 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040019058 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019059 limits have been reached. For instance, if actconn is close to 512 or 1024
19060 when multiple connection errors occur, chances are high that the system
19061 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +020019062 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019063 system.
19064
19065 - "feconn" is the total number of concurrent connections on the frontend when
19066 the session was logged. It is useful to estimate the amount of resource
19067 required to sustain high loads, and to detect when the frontend's "maxconn"
19068 has been reached. Most often when this value increases by huge jumps, it is
19069 because there is congestion on the backend servers, but sometimes it can be
19070 caused by a denial of service attack.
19071
19072 - "beconn" is the total number of concurrent connections handled by the
19073 backend when the session was logged. It includes the total number of
19074 concurrent connections active on servers as well as the number of
19075 connections pending in queues. It is useful to estimate the amount of
19076 additional servers needed to support high loads for a given application.
19077 Most often when this value increases by huge jumps, it is because there is
19078 congestion on the backend servers, but sometimes it can be caused by a
19079 denial of service attack.
19080
19081 - "srv_conn" is the total number of concurrent connections still active on
19082 the server when the session was logged. It can never exceed the server's
19083 configured "maxconn" parameter. If this value is very often close or equal
19084 to the server's "maxconn", it means that traffic regulation is involved a
19085 lot, meaning that either the server's maxconn value is too low, or that
19086 there aren't enough servers to process the load with an optimal response
19087 time. When only one of the server's "srv_conn" is high, it usually means
19088 that this server has some trouble causing the requests to take longer to be
19089 processed than on other servers.
19090
19091 - "retries" is the number of connection retries experienced by this session
19092 when trying to connect to the server. It must normally be zero, unless a
19093 server is being stopped at the same moment the connection was attempted.
19094 Frequent retries generally indicate either a network problem between
19095 haproxy and the server, or a misconfigured system backlog on the server
19096 preventing new connections from being queued. This field may optionally be
19097 prefixed with a '+' sign, indicating that the session has experienced a
19098 redispatch after the maximal retry count has been reached on the initial
19099 server. In this case, the server name appearing in the log is the one the
19100 connection was redispatched to, and not the first one, though both may
19101 sometimes be the same in case of hashing for instance. So as a general rule
19102 of thumb, when a '+' is present in front of the retry count, this count
19103 should not be attributed to the logged server.
19104
19105 - "srv_queue" is the total number of requests which were processed before
19106 this one in the server queue. It is zero when the request has not gone
19107 through the server queue. It makes it possible to estimate the approximate
19108 server's response time by dividing the time spent in queue by the number of
19109 requests in the queue. It is worth noting that if a session experiences a
19110 redispatch and passes through two server queues, their positions will be
Davor Ocelice9ed2812017-12-25 17:49:28 +010019111 cumulative. A request should not pass through both the server queue and the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019112 backend queue unless a redispatch occurs.
19113
19114 - "backend_queue" is the total number of requests which were processed before
19115 this one in the backend's global queue. It is zero when the request has not
19116 gone through the global queue. It makes it possible to estimate the average
19117 queue length, which easily translates into a number of missing servers when
19118 divided by a server's "maxconn" parameter. It is worth noting that if a
19119 session experiences a redispatch, it may pass twice in the backend's queue,
Davor Ocelice9ed2812017-12-25 17:49:28 +010019120 and then both positions will be cumulative. A request should not pass
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019121 through both the server queue and the backend queue unless a redispatch
19122 occurs.
19123
19124 - "captured_request_headers" is a list of headers captured in the request due
19125 to the presence of the "capture request header" statement in the frontend.
19126 Multiple headers can be captured, they will be delimited by a vertical bar
19127 ('|'). When no capture is enabled, the braces do not appear, causing a
19128 shift of remaining fields. It is important to note that this field may
19129 contain spaces, and that using it requires a smarter log parser than when
19130 it's not used. Please consult the section "Capturing HTTP headers and
19131 cookies" below for more details.
19132
19133 - "captured_response_headers" is a list of headers captured in the response
19134 due to the presence of the "capture response header" statement in the
19135 frontend. Multiple headers can be captured, they will be delimited by a
19136 vertical bar ('|'). When no capture is enabled, the braces do not appear,
19137 causing a shift of remaining fields. It is important to note that this
19138 field may contain spaces, and that using it requires a smarter log parser
19139 than when it's not used. Please consult the section "Capturing HTTP headers
19140 and cookies" below for more details.
19141
19142 - "http_request" is the complete HTTP request line, including the method,
19143 request and HTTP version string. Non-printable characters are encoded (see
19144 below the section "Non-printable characters"). This is always the last
19145 field, and it is always delimited by quotes and is the only one which can
19146 contain quotes. If new fields are added to the log format, they will be
19147 added before this field. This field might be truncated if the request is
19148 huge and does not fit in the standard syslog buffer (1024 characters). This
19149 is the reason why this field must always remain the last one.
19150
19151
Cyril Bontédc4d9032012-04-08 21:57:39 +0200191528.2.4. Custom log format
19153------------------------
William Lallemand48940402012-01-30 16:47:22 +010019154
Willy Tarreau2beef582012-12-20 17:22:52 +010019155The directive log-format allows you to customize the logs in http mode and tcp
William Lallemandbddd4fd2012-02-27 11:23:10 +010019156mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +010019157
Davor Ocelice9ed2812017-12-25 17:49:28 +010019158HAProxy understands some log format variables. % precedes log format variables.
William Lallemand48940402012-01-30 16:47:22 +010019159Variables can take arguments using braces ('{}'), and multiple arguments are
19160separated by commas within the braces. Flags may be added or removed by
19161prefixing them with a '+' or '-' sign.
19162
19163Special variable "%o" may be used to propagate its flags to all other
19164variables on the same format string. This is particularly handy with quoted
Dragan Dosen835b9212016-02-12 13:23:03 +010019165("Q") and escaped ("E") string formats.
William Lallemand48940402012-01-30 16:47:22 +010019166
Willy Tarreauc8368452012-12-21 00:09:23 +010019167If a variable is named between square brackets ('[' .. ']') then it is used
Willy Tarreaube722a22014-06-13 16:31:59 +020019168as a sample expression rule (see section 7.3). This it useful to add some
Willy Tarreauc8368452012-12-21 00:09:23 +010019169less common information such as the client's SSL certificate's DN, or to log
19170the key that would be used to store an entry into a stick table.
19171
Dragan Dosen1e3b16f2020-06-23 18:16:44 +020019172Note: spaces must be escaped. In configuration directives "log-format",
19173"log-format-sd" and "unique-id-format", spaces are considered as
19174delimiters and are merged. In order to emit a verbatim '%', it must be
19175preceded by another '%' resulting in '%%'.
William Lallemand48940402012-01-30 16:47:22 +010019176
Dragan Dosen835b9212016-02-12 13:23:03 +010019177Note: when using the RFC5424 syslog message format, the characters '"',
19178'\' and ']' inside PARAM-VALUE should be escaped with '\' as prefix (see
19179https://tools.ietf.org/html/rfc5424#section-6.3.3 for more details). In
19180such cases, the use of the flag "E" should be considered.
19181
William Lallemand48940402012-01-30 16:47:22 +010019182Flags are :
19183 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -040019184 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
Dragan Dosen835b9212016-02-12 13:23:03 +010019185 * E: escape characters '"', '\' and ']' in a string with '\' as prefix
19186 (intended purpose is for the RFC5424 structured-data log formats)
William Lallemand48940402012-01-30 16:47:22 +010019187
19188 Example:
19189
19190 log-format %T\ %t\ Some\ Text
19191 log-format %{+Q}o\ %t\ %s\ %{-Q}r
19192
Dragan Dosen835b9212016-02-12 13:23:03 +010019193 log-format-sd %{+Q,+E}o\ [exampleSDID@1234\ header=%[capture.req.hdr(0)]]
19194
William Lallemand48940402012-01-30 16:47:22 +010019195At the moment, the default HTTP format is defined this way :
19196
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019197 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
19198 %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
William Lallemand48940402012-01-30 16:47:22 +010019199
William Lallemandbddd4fd2012-02-27 11:23:10 +010019200the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +010019201
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019202 log-format "%{+Q}o %{-Q}ci - - [%trg] %r %ST %B \"\" \"\" %cp \
19203 %ms %ft %b %s %TR %Tw %Tc %Tr %Ta %tsc %ac %fc \
19204 %bc %sc %rc %sq %bq %CC %CS %hrl %hsl"
William Lallemand48940402012-01-30 16:47:22 +010019205
William Lallemandbddd4fd2012-02-27 11:23:10 +010019206and the default TCP format is defined this way :
19207
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019208 log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts \
19209 %ac/%fc/%bc/%sc/%rc %sq/%bq"
William Lallemandbddd4fd2012-02-27 11:23:10 +010019210
William Lallemand48940402012-01-30 16:47:22 +010019211Please refer to the table below for currently defined variables :
19212
William Lallemandbddd4fd2012-02-27 11:23:10 +010019213 +---+------+-----------------------------------------------+-------------+
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020019214 | R | var | field name (8.2.2 and 8.2.3 for description) | type |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019215 +---+------+-----------------------------------------------+-------------+
19216 | | %o | special variable, apply flags on all next var | |
19217 +---+------+-----------------------------------------------+-------------+
Willy Tarreau2beef582012-12-20 17:22:52 +010019218 | | %B | bytes_read (from server to client) | numeric |
19219 | H | %CC | captured_request_cookie | string |
19220 | H | %CS | captured_response_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +020019221 | | %H | hostname | string |
Andrew Hayworth0ebc55f2015-04-27 21:37:03 +000019222 | H | %HM | HTTP method (ex: POST) | string |
19223 | H | %HP | HTTP request URI without query string (path) | string |
Andrew Hayworthe63ac872015-07-31 16:14:16 +000019224 | H | %HQ | HTTP request URI query string (ex: ?bar=baz) | string |
Andrew Hayworth0ebc55f2015-04-27 21:37:03 +000019225 | H | %HU | HTTP request URI (ex: /foo?bar=baz) | string |
19226 | H | %HV | HTTP version (ex: HTTP/1.0) | string |
William Lallemanda73203e2012-03-12 12:48:57 +010019227 | | %ID | unique-id | string |
Willy Tarreau4bf99632014-06-13 12:21:40 +020019228 | | %ST | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020019229 | | %T | gmt_date_time | date |
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019230 | | %Ta | Active time of the request (from TR to end) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019231 | | %Tc | Tc | numeric |
Willy Tarreau27b639d2016-05-17 17:55:27 +020019232 | | %Td | Td = Tt - (Tq + Tw + Tc + Tr) | numeric |
Yuxans Yao4e25b012012-10-19 10:36:09 +080019233 | | %Tl | local_date_time | date |
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019234 | | %Th | connection handshake time (SSL, PROXY proto) | numeric |
19235 | H | %Ti | idle time before the HTTP request | numeric |
19236 | H | %Tq | Th + Ti + TR | numeric |
19237 | H | %TR | time to receive the full request from 1st byte| numeric |
19238 | H | %Tr | Tr (response time) | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020019239 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019240 | | %Tt | Tt | numeric |
Damien Claisse57c8eb92020-04-28 12:09:19 +000019241 | | %Tu | Tu | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019242 | | %Tw | Tw | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010019243 | | %U | bytes_uploaded (from client to server) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019244 | | %ac | actconn | numeric |
19245 | | %b | backend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010019246 | | %bc | beconn (backend concurrent connections) | numeric |
19247 | | %bi | backend_source_ip (connecting address) | IP |
19248 | | %bp | backend_source_port (connecting address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019249 | | %bq | backend_queue | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010019250 | | %ci | client_ip (accepted address) | IP |
19251 | | %cp | client_port (accepted address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019252 | | %f | frontend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010019253 | | %fc | feconn (frontend concurrent connections) | numeric |
19254 | | %fi | frontend_ip (accepting address) | IP |
19255 | | %fp | frontend_port (accepting address) | numeric |
Willy Tarreau773d65f2012-10-12 14:56:11 +020019256 | | %ft | frontend_name_transport ('~' suffix for SSL) | string |
Willy Tarreau7346acb2014-08-28 15:03:15 +020019257 | | %lc | frontend_log_counter | numeric |
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020019258 | | %hr | captured_request_headers default style | string |
19259 | | %hrl | captured_request_headers CLF style | string list |
19260 | | %hs | captured_response_headers default style | string |
19261 | | %hsl | captured_response_headers CLF style | string list |
Willy Tarreau812c88e2015-08-09 10:56:35 +020019262 | | %ms | accept date milliseconds (left-padded with 0) | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020019263 | | %pid | PID | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020019264 | H | %r | http_request | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019265 | | %rc | retries | numeric |
Willy Tarreau1f0da242014-01-25 11:01:50 +010019266 | | %rt | request_counter (HTTP req or TCP session) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019267 | | %s | server_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010019268 | | %sc | srv_conn (server concurrent connections) | numeric |
19269 | | %si | server_IP (target address) | IP |
19270 | | %sp | server_port (target address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019271 | | %sq | srv_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020019272 | S | %sslc| ssl_ciphers (ex: AES-SHA) | string |
19273 | S | %sslv| ssl_version (ex: TLSv1) | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010019274 | | %t | date_time (with millisecond resolution) | date |
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019275 | H | %tr | date_time of HTTP request | date |
19276 | H | %trg | gmt_date_time of start of HTTP request | date |
Jens Bissinger15c64ff2018-08-23 14:11:27 +020019277 | H | %trl | local_date_time of start of HTTP request | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019278 | | %ts | termination_state | string |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020019279 | H | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010019280 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +010019281
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020019282 R = Restrictions : H = mode http only ; S = SSL only
William Lallemand48940402012-01-30 16:47:22 +010019283
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010019284
192858.2.5. Error log format
19286-----------------------
19287
19288When an incoming connection fails due to an SSL handshake or an invalid PROXY
19289protocol header, haproxy will log the event using a shorter, fixed line format.
19290By default, logs are emitted at the LOG_INFO level, unless the option
19291"log-separate-errors" is set in the backend, in which case the LOG_ERR level
Davor Ocelice9ed2812017-12-25 17:49:28 +010019292will be used. Connections on which no data are exchanged (e.g. probes) are not
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010019293logged if the "dontlognull" option is set.
19294
19295The format looks like this :
19296
19297 >>> Dec 3 18:27:14 localhost \
19298 haproxy[6103]: 127.0.0.1:56059 [03/Dec/2012:17:35:10.380] frt/f1: \
19299 Connection error during SSL handshake
19300
19301 Field Format Extract from the example above
19302 1 process_name '[' pid ']:' haproxy[6103]:
19303 2 client_ip ':' client_port 127.0.0.1:56059
19304 3 '[' accept_date ']' [03/Dec/2012:17:35:10.380]
19305 4 frontend_name "/" bind_name ":" frt/f1:
19306 5 message Connection error during SSL handshake
19307
19308These fields just provide minimal information to help debugging connection
19309failures.
19310
19311
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200193128.3. Advanced logging options
19313-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019314
19315Some advanced logging options are often looked for but are not easy to find out
19316just by looking at the various options. Here is an entry point for the few
19317options which can enable better logging. Please refer to the keywords reference
19318for more information about their usage.
19319
19320
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200193218.3.1. Disabling logging of external tests
19322------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019323
19324It is quite common to have some monitoring tools perform health checks on
19325haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
19326commercial load-balancer, and sometimes it will simply be a more complete
19327monitoring system such as Nagios. When the tests are very frequent, users often
19328ask how to disable logging for those checks. There are three possibilities :
19329
19330 - if connections come from everywhere and are just TCP probes, it is often
19331 desired to simply disable logging of connections without data exchange, by
19332 setting "option dontlognull" in the frontend. It also disables logging of
19333 port scans, which may or may not be desired.
19334
19335 - if the connection come from a known source network, use "monitor-net" to
19336 declare this network as monitoring only. Any host in this network will then
19337 only be able to perform health checks, and their requests will not be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030019338 logged. This is generally appropriate to designate a list of equipment
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019339 such as other load-balancers.
19340
19341 - if the tests are performed on a known URI, use "monitor-uri" to declare
19342 this URI as dedicated to monitoring. Any host sending this request will
19343 only get the result of a health-check, and the request will not be logged.
19344
19345
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200193468.3.2. Logging before waiting for the session to terminate
19347----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019348
19349The problem with logging at end of connection is that you have no clue about
19350what is happening during very long sessions, such as remote terminal sessions
19351or large file downloads. This problem can be worked around by specifying
Davor Ocelice9ed2812017-12-25 17:49:28 +010019352"option logasap" in the frontend. HAProxy will then log as soon as possible,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019353just before data transfer begins. This means that in case of TCP, it will still
19354log the connection status to the server, and in case of HTTP, it will log just
19355after processing the server headers. In this case, the number of bytes reported
19356is the number of header bytes sent to the client. In order to avoid confusion
19357with normal logs, the total time field and the number of bytes are prefixed
19358with a '+' sign which means that real numbers are certainly larger.
19359
19360
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200193618.3.3. Raising log level upon errors
19362------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020019363
19364Sometimes it is more convenient to separate normal traffic from errors logs,
19365for instance in order to ease error monitoring from log files. When the option
19366"log-separate-errors" is used, connections which experience errors, timeouts,
19367retries, redispatches or HTTP status codes 5xx will see their syslog level
19368raised from "info" to "err". This will help a syslog daemon store the log in
19369a separate file. It is very important to keep the errors in the normal traffic
19370file too, so that log ordering is not altered. You should also be careful if
19371you already have configured your syslog daemon to store all logs higher than
19372"notice" in an "admin" file, because the "err" level is higher than "notice".
19373
19374
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200193758.3.4. Disabling logging of successful connections
19376--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020019377
19378Although this may sound strange at first, some large sites have to deal with
19379multiple thousands of logs per second and are experiencing difficulties keeping
19380them intact for a long time or detecting errors within them. If the option
19381"dontlog-normal" is set on the frontend, all normal connections will not be
19382logged. In this regard, a normal connection is defined as one without any
19383error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
19384and a response with a status 5xx is not considered normal and will be logged
19385too. Of course, doing is is really discouraged as it will remove most of the
19386useful information from the logs. Do this only if you have no other
19387alternative.
19388
19389
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200193908.4. Timing events
19391------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019392
19393Timers provide a great help in troubleshooting network problems. All values are
19394reported in milliseconds (ms). These timers should be used in conjunction with
19395the session termination flags. In TCP mode with "option tcplog" set on the
19396frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019397mode, 5 control points are reported under the form "TR/Tw/Tc/Tr/Ta". In
19398addition, three other measures are provided, "Th", "Ti", and "Tq".
19399
Guillaume de Lafondf27cddc2016-12-23 17:32:43 +010019400Timings events in HTTP mode:
19401
19402 first request 2nd request
19403 |<-------------------------------->|<-------------- ...
19404 t tr t tr ...
19405 ---|----|----|----|----|----|----|----|----|--
19406 : Th Ti TR Tw Tc Tr Td : Ti ...
19407 :<---- Tq ---->: :
19408 :<-------------- Tt -------------->:
Damien Claisse57c8eb92020-04-28 12:09:19 +000019409 :<-- -----Tu--------------->:
Guillaume de Lafondf27cddc2016-12-23 17:32:43 +010019410 :<--------- Ta --------->:
19411
19412Timings events in TCP mode:
19413
19414 TCP session
19415 |<----------------->|
19416 t t
19417 ---|----|----|----|----|---
19418 | Th Tw Tc Td |
19419 |<------ Tt ------->|
19420
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019421 - Th: total time to accept tcp connection and execute handshakes for low level
Davor Ocelice9ed2812017-12-25 17:49:28 +010019422 protocols. Currently, these protocols are proxy-protocol and SSL. This may
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019423 only happen once during the whole connection's lifetime. A large time here
19424 may indicate that the client only pre-established the connection without
19425 speaking, that it is experiencing network issues preventing it from
Davor Ocelice9ed2812017-12-25 17:49:28 +010019426 completing a handshake in a reasonable time (e.g. MTU issues), or that an
Willy Tarreau590a0512018-09-05 11:56:48 +020019427 SSL handshake was very expensive to compute. Please note that this time is
19428 reported only before the first request, so it is safe to average it over
19429 all request to calculate the amortized value. The second and subsequent
19430 request will always report zero here.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019431
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019432 - Ti: is the idle time before the HTTP request (HTTP mode only). This timer
19433 counts between the end of the handshakes and the first byte of the HTTP
19434 request. When dealing with a second request in keep-alive mode, it starts
Willy Tarreau590a0512018-09-05 11:56:48 +020019435 to count after the end of the transmission the previous response. When a
19436 multiplexed protocol such as HTTP/2 is used, it starts to count immediately
19437 after the previous request. Some browsers pre-establish connections to a
19438 server in order to reduce the latency of a future request, and keep them
19439 pending until they need it. This delay will be reported as the idle time. A
19440 value of -1 indicates that nothing was received on the connection.
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019441
19442 - TR: total time to get the client request (HTTP mode only). It's the time
19443 elapsed between the first bytes received and the moment the proxy received
19444 the empty line marking the end of the HTTP headers. The value "-1"
19445 indicates that the end of headers has never been seen. This happens when
19446 the client closes prematurely or times out. This time is usually very short
19447 since most requests fit in a single packet. A large time may indicate a
19448 request typed by hand during a test.
19449
19450 - Tq: total time to get the client request from the accept date or since the
19451 emission of the last byte of the previous response (HTTP mode only). It's
Davor Ocelice9ed2812017-12-25 17:49:28 +010019452 exactly equal to Th + Ti + TR unless any of them is -1, in which case it
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019453 returns -1 as well. This timer used to be very useful before the arrival of
19454 HTTP keep-alive and browsers' pre-connect feature. It's recommended to drop
19455 it in favor of TR nowadays, as the idle time adds a lot of noise to the
19456 reports.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019457
19458 - Tw: total time spent in the queues waiting for a connection slot. It
19459 accounts for backend queue as well as the server queues, and depends on the
19460 queue size, and the time needed for the server to complete previous
19461 requests. The value "-1" means that the request was killed before reaching
19462 the queue, which is generally what happens with invalid or denied requests.
19463
19464 - Tc: total time to establish the TCP connection to the server. It's the time
19465 elapsed between the moment the proxy sent the connection request, and the
19466 moment it was acknowledged by the server, or between the TCP SYN packet and
19467 the matching SYN/ACK packet in return. The value "-1" means that the
19468 connection never established.
19469
19470 - Tr: server response time (HTTP mode only). It's the time elapsed between
19471 the moment the TCP connection was established to the server and the moment
19472 the server sent its complete response headers. It purely shows its request
19473 processing time, without the network overhead due to the data transmission.
19474 It is worth noting that when the client has data to send to the server, for
19475 instance during a POST request, the time already runs, and this can distort
19476 apparent response time. For this reason, it's generally wise not to trust
19477 too much this field for POST requests initiated from clients behind an
19478 untrusted network. A value of "-1" here means that the last the response
19479 header (empty line) was never seen, most likely because the server timeout
19480 stroke before the server managed to process the request.
19481
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019482 - Ta: total active time for the HTTP request, between the moment the proxy
19483 received the first byte of the request header and the emission of the last
19484 byte of the response body. The exception is when the "logasap" option is
19485 specified. In this case, it only equals (TR+Tw+Tc+Tr), and is prefixed with
19486 a '+' sign. From this field, we can deduce "Td", the data transmission time,
19487 by subtracting other timers when valid :
19488
19489 Td = Ta - (TR + Tw + Tc + Tr)
19490
19491 Timers with "-1" values have to be excluded from this equation. Note that
19492 "Ta" can never be negative.
19493
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019494 - Tt: total session duration time, between the moment the proxy accepted it
19495 and the moment both ends were closed. The exception is when the "logasap"
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019496 option is specified. In this case, it only equals (Th+Ti+TR+Tw+Tc+Tr), and
19497 is prefixed with a '+' sign. From this field, we can deduce "Td", the data
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030019498 transmission time, by subtracting other timers when valid :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019499
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019500 Td = Tt - (Th + Ti + TR + Tw + Tc + Tr)
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019501
19502 Timers with "-1" values have to be excluded from this equation. In TCP
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019503 mode, "Ti", "Tq" and "Tr" have to be excluded too. Note that "Tt" can never
19504 be negative and that for HTTP, Tt is simply equal to (Th+Ti+Ta).
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019505
Damien Claisse57c8eb92020-04-28 12:09:19 +000019506 - Tu: total estimated time as seen from client, between the moment the proxy
19507 accepted it and the moment both ends were closed, without idle time.
19508 This is useful to roughly measure end-to-end time as a user would see it,
19509 without idle time pollution from keep-alive time between requests. This
19510 timer in only an estimation of time seen by user as it assumes network
19511 latency is the same in both directions. The exception is when the "logasap"
19512 option is specified. In this case, it only equals (Th+TR+Tw+Tc+Tr), and is
19513 prefixed with a '+' sign.
19514
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019515These timers provide precious indications on trouble causes. Since the TCP
19516protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
19517that timers close to multiples of 3s are nearly always related to lost packets
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019518due to network problems (wires, negotiation, congestion). Moreover, if "Ta" or
19519"Tt" is close to a timeout value specified in the configuration, it often means
19520that a session has been aborted on timeout.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019521
19522Most common cases :
19523
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019524 - If "Th" or "Ti" are close to 3000, a packet has probably been lost between
19525 the client and the proxy. This is very rare on local networks but might
19526 happen when clients are on far remote networks and send large requests. It
19527 may happen that values larger than usual appear here without any network
19528 cause. Sometimes, during an attack or just after a resource starvation has
19529 ended, haproxy may accept thousands of connections in a few milliseconds.
19530 The time spent accepting these connections will inevitably slightly delay
19531 processing of other connections, and it can happen that request times in the
19532 order of a few tens of milliseconds are measured after a few thousands of
19533 new connections have been accepted at once. Using one of the keep-alive
19534 modes may display larger idle times since "Ti" measures the time spent
Patrick Mezard105faca2010-06-12 17:02:46 +020019535 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019536
19537 - If "Tc" is close to 3000, a packet has probably been lost between the
19538 server and the proxy during the server connection phase. This value should
19539 always be very low, such as 1 ms on local networks and less than a few tens
19540 of ms on remote networks.
19541
Willy Tarreau55165fe2009-05-10 12:02:55 +020019542 - If "Tr" is nearly always lower than 3000 except some rare values which seem
19543 to be the average majored by 3000, there are probably some packets lost
19544 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019545
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019546 - If "Ta" is large even for small byte counts, it generally is because
19547 neither the client nor the server decides to close the connection while
19548 haproxy is running in tunnel mode and both have agreed on a keep-alive
19549 connection mode. In order to solve this issue, it will be needed to specify
19550 one of the HTTP options to manipulate keep-alive or close options on either
19551 the frontend or the backend. Having the smallest possible 'Ta' or 'Tt' is
19552 important when connection regulation is used with the "maxconn" option on
19553 the servers, since no new connection will be sent to the server until
19554 another one is released.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019555
19556Other noticeable HTTP log cases ('xx' means any value to be ignored) :
19557
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019558 TR/Tw/Tc/Tr/+Ta The "option logasap" is present on the frontend and the log
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019559 was emitted before the data phase. All the timers are valid
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019560 except "Ta" which is shorter than reality.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019561
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019562 -1/xx/xx/xx/Ta The client was not able to send a complete request in time
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019563 or it aborted too early. Check the session termination flags
19564 then "timeout http-request" and "timeout client" settings.
19565
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019566 TR/-1/xx/xx/Ta It was not possible to process the request, maybe because
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019567 servers were out of order, because the request was invalid
19568 or forbidden by ACL rules. Check the session termination
19569 flags.
19570
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019571 TR/Tw/-1/xx/Ta The connection could not establish on the server. Either it
19572 actively refused it or it timed out after Ta-(TR+Tw) ms.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019573 Check the session termination flags, then check the
19574 "timeout connect" setting. Note that the tarpit action might
19575 return similar-looking patterns, with "Tw" equal to the time
19576 the client connection was maintained open.
19577
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019578 TR/Tw/Tc/-1/Ta The server has accepted the connection but did not return
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030019579 a complete response in time, or it closed its connection
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020019580 unexpectedly after Ta-(TR+Tw+Tc) ms. Check the session
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019581 termination flags, then check the "timeout server" setting.
19582
19583
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200195848.5. Session state at disconnection
19585-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019586
19587TCP and HTTP logs provide a session termination indicator in the
19588"termination_state" field, just before the number of active connections. It is
195892-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
19590each of which has a special meaning :
19591
19592 - On the first character, a code reporting the first event which caused the
19593 session to terminate :
19594
19595 C : the TCP session was unexpectedly aborted by the client.
19596
19597 S : the TCP session was unexpectedly aborted by the server, or the
19598 server explicitly refused it.
19599
19600 P : the session was prematurely aborted by the proxy, because of a
19601 connection limit enforcement, because a DENY filter was matched,
19602 because of a security check which detected and blocked a dangerous
19603 error in server response which might have caused information leak
Davor Ocelice9ed2812017-12-25 17:49:28 +010019604 (e.g. cacheable cookie).
Willy Tarreau570f2212013-06-10 16:42:09 +020019605
19606 L : the session was locally processed by haproxy and was not passed to
19607 a server. This is what happens for stats and redirects.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019608
19609 R : a resource on the proxy has been exhausted (memory, sockets, source
19610 ports, ...). Usually, this appears during the connection phase, and
19611 system logs should contain a copy of the precise error. If this
19612 happens, it must be considered as a very serious anomaly which
19613 should be fixed as soon as possible by any means.
19614
19615 I : an internal error was identified by the proxy during a self-check.
19616 This should NEVER happen, and you are encouraged to report any log
19617 containing this, because this would almost certainly be a bug. It
19618 would be wise to preventively restart the process after such an
19619 event too, in case it would be caused by memory corruption.
19620
Simon Horman752dc4a2011-06-21 14:34:59 +090019621 D : the session was killed by haproxy because the server was detected
19622 as down and was configured to kill all connections when going down.
19623
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070019624 U : the session was killed by haproxy on this backup server because an
19625 active server was detected as up and was configured to kill all
19626 backup connections when going up.
19627
Willy Tarreaua2a64e92011-09-07 23:01:56 +020019628 K : the session was actively killed by an admin operating on haproxy.
19629
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019630 c : the client-side timeout expired while waiting for the client to
19631 send or receive data.
19632
19633 s : the server-side timeout expired while waiting for the server to
19634 send or receive data.
19635
19636 - : normal session completion, both the client and the server closed
19637 with nothing left in the buffers.
19638
19639 - on the second character, the TCP or HTTP session state when it was closed :
19640
Willy Tarreauf7b30a92010-12-06 22:59:17 +010019641 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019642 (HTTP mode only). Nothing was sent to any server.
19643
19644 Q : the proxy was waiting in the QUEUE for a connection slot. This can
19645 only happen when servers have a 'maxconn' parameter set. It can
19646 also happen in the global queue after a redispatch consecutive to
19647 a failed attempt to connect to a dying server. If no redispatch is
19648 reported, then no connection attempt was made to any server.
19649
19650 C : the proxy was waiting for the CONNECTION to establish on the
19651 server. The server might at most have noticed a connection attempt.
19652
19653 H : the proxy was waiting for complete, valid response HEADERS from the
19654 server (HTTP only).
19655
19656 D : the session was in the DATA phase.
19657
19658 L : the proxy was still transmitting LAST data to the client while the
19659 server had already finished. This one is very rare as it can only
19660 happen when the client dies while receiving the last packets.
19661
19662 T : the request was tarpitted. It has been held open with the client
19663 during the whole "timeout tarpit" duration or until the client
19664 closed, both of which will be reported in the "Tw" timer.
19665
19666 - : normal session completion after end of data transfer.
19667
19668 - the third character tells whether the persistence cookie was provided by
19669 the client (only in HTTP mode) :
19670
19671 N : the client provided NO cookie. This is usually the case for new
19672 visitors, so counting the number of occurrences of this flag in the
19673 logs generally indicate a valid trend for the site frequentation.
19674
19675 I : the client provided an INVALID cookie matching no known server.
19676 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +020019677 cookies between HTTP/HTTPS sites, persistence conditionally
19678 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019679
19680 D : the client provided a cookie designating a server which was DOWN,
19681 so either "option persist" was used and the client was sent to
19682 this server, or it was not set and the client was redispatched to
19683 another server.
19684
Willy Tarreau996a92c2010-10-13 19:30:47 +020019685 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019686 server.
19687
Willy Tarreau996a92c2010-10-13 19:30:47 +020019688 E : the client provided a valid cookie, but with a last date which was
19689 older than what is allowed by the "maxidle" cookie parameter, so
19690 the cookie is consider EXPIRED and is ignored. The request will be
19691 redispatched just as if there was no cookie.
19692
19693 O : the client provided a valid cookie, but with a first date which was
19694 older than what is allowed by the "maxlife" cookie parameter, so
19695 the cookie is consider too OLD and is ignored. The request will be
19696 redispatched just as if there was no cookie.
19697
Willy Tarreauc89ccb62012-04-05 21:18:22 +020019698 U : a cookie was present but was not used to select the server because
19699 some other server selection mechanism was used instead (typically a
19700 "use-server" rule).
19701
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019702 - : does not apply (no cookie set in configuration).
19703
19704 - the last character reports what operations were performed on the persistence
19705 cookie returned by the server (only in HTTP mode) :
19706
19707 N : NO cookie was provided by the server, and none was inserted either.
19708
19709 I : no cookie was provided by the server, and the proxy INSERTED one.
19710 Note that in "cookie insert" mode, if the server provides a cookie,
19711 it will still be overwritten and reported as "I" here.
19712
Willy Tarreau996a92c2010-10-13 19:30:47 +020019713 U : the proxy UPDATED the last date in the cookie that was presented by
19714 the client. This can only happen in insert mode with "maxidle". It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030019715 happens every time there is activity at a different date than the
Willy Tarreau996a92c2010-10-13 19:30:47 +020019716 date indicated in the cookie. If any other change happens, such as
19717 a redispatch, then the cookie will be marked as inserted instead.
19718
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019719 P : a cookie was PROVIDED by the server and transmitted as-is.
19720
19721 R : the cookie provided by the server was REWRITTEN by the proxy, which
19722 happens in "cookie rewrite" or "cookie prefix" modes.
19723
19724 D : the cookie provided by the server was DELETED by the proxy.
19725
19726 - : does not apply (no cookie set in configuration).
19727
Willy Tarreau996a92c2010-10-13 19:30:47 +020019728The combination of the two first flags gives a lot of information about what
19729was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019730helpful to detect server saturation, network troubles, local system resource
19731starvation, attacks, etc...
19732
19733The most common termination flags combinations are indicated below. They are
19734alphabetically sorted, with the lowercase set just after the upper case for
19735easier finding and understanding.
19736
19737 Flags Reason
19738
19739 -- Normal termination.
19740
19741 CC The client aborted before the connection could be established to the
19742 server. This can happen when haproxy tries to connect to a recently
19743 dead (or unchecked) server, and the client aborts while haproxy is
19744 waiting for the server to respond or for "timeout connect" to expire.
19745
19746 CD The client unexpectedly aborted during data transfer. This can be
19747 caused by a browser crash, by an intermediate equipment between the
19748 client and haproxy which decided to actively break the connection,
19749 by network routing issues between the client and haproxy, or by a
19750 keep-alive session between the server and the client terminated first
19751 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +010019752
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019753 cD The client did not send nor acknowledge any data for as long as the
19754 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +020019755 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019756
19757 CH The client aborted while waiting for the server to start responding.
19758 It might be the server taking too long to respond or the client
19759 clicking the 'Stop' button too fast.
19760
19761 cH The "timeout client" stroke while waiting for client data during a
19762 POST request. This is sometimes caused by too large TCP MSS values
19763 for PPPoE networks which cannot transport full-sized packets. It can
19764 also happen when client timeout is smaller than server timeout and
19765 the server takes too long to respond.
19766
19767 CQ The client aborted while its session was queued, waiting for a server
19768 with enough empty slots to accept it. It might be that either all the
19769 servers were saturated or that the assigned server was taking too
19770 long a time to respond.
19771
19772 CR The client aborted before sending a full HTTP request. Most likely
19773 the request was typed by hand using a telnet client, and aborted
19774 too early. The HTTP status code is likely a 400 here. Sometimes this
19775 might also be caused by an IDS killing the connection between haproxy
Willy Tarreau0f228a02015-05-01 15:37:53 +020019776 and the client. "option http-ignore-probes" can be used to ignore
19777 connections without any data transfer.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019778
19779 cR The "timeout http-request" stroke before the client sent a full HTTP
19780 request. This is sometimes caused by too large TCP MSS values on the
19781 client side for PPPoE networks which cannot transport full-sized
19782 packets, or by clients sending requests by hand and not typing fast
19783 enough, or forgetting to enter the empty line at the end of the
Willy Tarreau2705a612014-05-23 17:38:34 +020019784 request. The HTTP status code is likely a 408 here. Note: recently,
Willy Tarreau0f228a02015-05-01 15:37:53 +020019785 some browsers started to implement a "pre-connect" feature consisting
19786 in speculatively connecting to some recently visited web sites just
19787 in case the user would like to visit them. This results in many
19788 connections being established to web sites, which end up in 408
19789 Request Timeout if the timeout strikes first, or 400 Bad Request when
19790 the browser decides to close them first. These ones pollute the log
19791 and feed the error counters. Some versions of some browsers have even
19792 been reported to display the error code. It is possible to work
Davor Ocelice9ed2812017-12-25 17:49:28 +010019793 around the undesirable effects of this behavior by adding "option
Willy Tarreau0f228a02015-05-01 15:37:53 +020019794 http-ignore-probes" in the frontend, resulting in connections with
19795 zero data transfer to be totally ignored. This will definitely hide
19796 the errors of people experiencing connectivity issues though.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019797
19798 CT The client aborted while its session was tarpitted. It is important to
19799 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +020019800 wrong tarpit rules have been written. If a lot of them happen, it
19801 might make sense to lower the "timeout tarpit" value to something
19802 closer to the average reported "Tw" timer, in order not to consume
19803 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019804
Willy Tarreau570f2212013-06-10 16:42:09 +020019805 LR The request was intercepted and locally handled by haproxy. Generally
19806 it means that this was a redirect or a stats request.
19807
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010019808 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019809 the TCP connection (the proxy received a TCP RST or an ICMP message
19810 in return). Under some circumstances, it can also be the network
Davor Ocelice9ed2812017-12-25 17:49:28 +010019811 stack telling the proxy that the server is unreachable (e.g. no route,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019812 or no ARP response on local network). When this happens in HTTP mode,
19813 the status code is likely a 502 or 503 here.
19814
19815 sC The "timeout connect" stroke before a connection to the server could
19816 complete. When this happens in HTTP mode, the status code is likely a
19817 503 or 504 here.
19818
19819 SD The connection to the server died with an error during the data
19820 transfer. This usually means that haproxy has received an RST from
19821 the server or an ICMP message from an intermediate equipment while
19822 exchanging data with the server. This can be caused by a server crash
19823 or by a network issue on an intermediate equipment.
19824
19825 sD The server did not send nor acknowledge any data for as long as the
19826 "timeout server" setting during the data phase. This is often caused
Davor Ocelice9ed2812017-12-25 17:49:28 +010019827 by too short timeouts on L4 equipment before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019828 load-balancers, ...), as well as keep-alive sessions maintained
19829 between the client and the server expiring first on haproxy.
19830
19831 SH The server aborted before sending its full HTTP response headers, or
19832 it crashed while processing the request. Since a server aborting at
19833 this moment is very rare, it would be wise to inspect its logs to
19834 control whether it crashed and why. The logged request may indicate a
19835 small set of faulty requests, demonstrating bugs in the application.
19836 Sometimes this might also be caused by an IDS killing the connection
19837 between haproxy and the server.
19838
19839 sH The "timeout server" stroke before the server could return its
19840 response headers. This is the most common anomaly, indicating too
19841 long transactions, probably caused by server or database saturation.
19842 The immediate workaround consists in increasing the "timeout server"
19843 setting, but it is important to keep in mind that the user experience
19844 will suffer from these long response times. The only long term
19845 solution is to fix the application.
19846
19847 sQ The session spent too much time in queue and has been expired. See
19848 the "timeout queue" and "timeout connect" settings to find out how to
19849 fix this if it happens too often. If it often happens massively in
19850 short periods, it may indicate general problems on the affected
19851 servers due to I/O or database congestion, or saturation caused by
19852 external attacks.
19853
19854 PC The proxy refused to establish a connection to the server because the
19855 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +020019856 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019857 so that it does not happen anymore. This status is very rare and
19858 might happen when the global "ulimit-n" parameter is forced by hand.
19859
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010019860 PD The proxy blocked an incorrectly formatted chunked encoded message in
19861 a request or a response, after the server has emitted its headers. In
19862 most cases, this will indicate an invalid message from the server to
Davor Ocelice9ed2812017-12-25 17:49:28 +010019863 the client. HAProxy supports chunk sizes of up to 2GB - 1 (2147483647
Willy Tarreauf3a3e132013-08-31 08:16:26 +020019864 bytes). Any larger size will be considered as an error.
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010019865
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019866 PH The proxy blocked the server's response, because it was invalid,
19867 incomplete, dangerous (cache control), or matched a security filter.
19868 In any case, an HTTP 502 error is sent to the client. One possible
19869 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010019870 containing unauthorized characters. It is also possible but quite
19871 rare, that the proxy blocked a chunked-encoding request from the
19872 client due to an invalid syntax, before the server responded. In this
19873 case, an HTTP 400 error is sent to the client and reported in the
19874 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019875
19876 PR The proxy blocked the client's HTTP request, either because of an
19877 invalid HTTP syntax, in which case it returned an HTTP 400 error to
19878 the client, or because a deny filter matched, in which case it
19879 returned an HTTP 403 error.
19880
19881 PT The proxy blocked the client's request and has tarpitted its
19882 connection before returning it a 500 server error. Nothing was sent
19883 to the server. The connection was maintained open for as long as
19884 reported by the "Tw" timer field.
19885
19886 RC A local resource has been exhausted (memory, sockets, source ports)
19887 preventing the connection to the server from establishing. The error
19888 logs will tell precisely what was missing. This is very rare and can
19889 only be solved by proper system tuning.
19890
Willy Tarreau996a92c2010-10-13 19:30:47 +020019891The combination of the two last flags gives a lot of information about how
19892persistence was handled by the client, the server and by haproxy. This is very
19893important to troubleshoot disconnections, when users complain they have to
19894re-authenticate. The commonly encountered flags are :
19895
19896 -- Persistence cookie is not enabled.
19897
19898 NN No cookie was provided by the client, none was inserted in the
19899 response. For instance, this can be in insert mode with "postonly"
19900 set on a GET request.
19901
19902 II A cookie designating an invalid server was provided by the client,
19903 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040019904 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +020019905 value can be presented by a client when no other server knows it.
19906
19907 NI No cookie was provided by the client, one was inserted in the
19908 response. This typically happens for first requests from every user
19909 in "insert" mode, which makes it an easy way to count real users.
19910
19911 VN A cookie was provided by the client, none was inserted in the
19912 response. This happens for most responses for which the client has
19913 already got a cookie.
19914
19915 VU A cookie was provided by the client, with a last visit date which is
19916 not completely up-to-date, so an updated cookie was provided in
19917 response. This can also happen if there was no date at all, or if
19918 there was a date but the "maxidle" parameter was not set, so that the
19919 cookie can be switched to unlimited time.
19920
19921 EI A cookie was provided by the client, with a last visit date which is
19922 too old for the "maxidle" parameter, so the cookie was ignored and a
19923 new cookie was inserted in the response.
19924
19925 OI A cookie was provided by the client, with a first visit date which is
19926 too old for the "maxlife" parameter, so the cookie was ignored and a
19927 new cookie was inserted in the response.
19928
19929 DI The server designated by the cookie was down, a new server was
19930 selected and a new cookie was emitted in the response.
19931
19932 VI The server designated by the cookie was not marked dead but could not
19933 be reached. A redispatch happened and selected another one, which was
19934 then advertised in the response.
19935
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019936
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200199378.6. Non-printable characters
19938-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019939
19940In order not to cause trouble to log analysis tools or terminals during log
19941consulting, non-printable characters are not sent as-is into log files, but are
19942converted to the two-digits hexadecimal representation of their ASCII code,
19943prefixed by the character '#'. The only characters that can be logged without
19944being escaped are comprised between 32 and 126 (inclusive). Obviously, the
19945escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
19946is the same for the character '"' which becomes "#22", as well as '{', '|' and
19947'}' when logging headers.
19948
19949Note that the space character (' ') is not encoded in headers, which can cause
19950issues for tools relying on space count to locate fields. A typical header
19951containing spaces is "User-Agent".
19952
19953Last, it has been observed that some syslog daemons such as syslog-ng escape
19954the quote ('"') with a backslash ('\'). The reverse operation can safely be
19955performed since no quote may appear anywhere else in the logs.
19956
19957
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200199588.7. Capturing HTTP cookies
19959---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019960
19961Cookie capture simplifies the tracking a complete user session. This can be
19962achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020019963section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019964cookie will simultaneously be checked in the request ("Cookie:" header) and in
19965the response ("Set-Cookie:" header). The respective values will be reported in
19966the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020019967locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019968not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
19969user switches to a new session for example, because the server will reassign it
19970a new cookie. It is also possible to detect if a server unexpectedly sets a
19971wrong cookie to a client, leading to session crossing.
19972
19973 Examples :
19974 # capture the first cookie whose name starts with "ASPSESSION"
19975 capture cookie ASPSESSION len 32
19976
19977 # capture the first cookie whose name is exactly "vgnvisitor"
19978 capture cookie vgnvisitor= len 32
19979
19980
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200199818.8. Capturing HTTP headers
19982---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019983
19984Header captures are useful to track unique request identifiers set by an upper
19985proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
19986the response, one can search for information about the response length, how the
19987server asked the cache to behave, or an object location during a redirection.
19988
19989Header captures are performed using the "capture request header" and "capture
19990response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020019991section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019992
19993It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010019994time. Non-existent headers are logged as empty strings, and if one header
19995appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019996are grouped within braces '{' and '}' in the same order as they were declared,
19997and delimited with a vertical bar '|' without any space. Response headers
19998follow the same representation, but are displayed after a space following the
19999request headers block. These blocks are displayed just before the HTTP request
20000in the logs.
20001
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020020002As a special case, it is possible to specify an HTTP header capture in a TCP
20003frontend. The purpose is to enable logging of headers which will be parsed in
20004an HTTP backend if the request is then switched to this HTTP backend.
20005
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020006 Example :
20007 # This instance chains to the outgoing proxy
20008 listen proxy-out
20009 mode http
20010 option httplog
20011 option logasap
20012 log global
20013 server cache1 192.168.1.1:3128
20014
20015 # log the name of the virtual server
20016 capture request header Host len 20
20017
20018 # log the amount of data uploaded during a POST
20019 capture request header Content-Length len 10
20020
20021 # log the beginning of the referrer
20022 capture request header Referer len 20
20023
20024 # server name (useful for outgoing proxies only)
20025 capture response header Server len 20
20026
20027 # logging the content-length is useful with "option logasap"
20028 capture response header Content-Length len 10
20029
Davor Ocelice9ed2812017-12-25 17:49:28 +010020030 # log the expected cache behavior on the response
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020031 capture response header Cache-Control len 8
20032
20033 # the Via header will report the next proxy's name
20034 capture response header Via len 20
20035
20036 # log the URL location during a redirection
20037 capture response header Location len 20
20038
20039 >>> Aug 9 20:26:09 localhost \
20040 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
20041 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
20042 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
20043 "GET http://fr.adserver.yahoo.com/"
20044
20045 >>> Aug 9 20:30:46 localhost \
20046 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
20047 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
20048 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010020049 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020050
20051 >>> Aug 9 20:30:46 localhost \
20052 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
20053 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
20054 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
20055 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010020056 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020057
20058
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200200598.9. Examples of logs
20060---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020061
20062These are real-world examples of logs accompanied with an explanation. Some of
20063them have been made up by hand. The syslog part has been removed for better
20064reading. Their sole purpose is to explain how to decipher them.
20065
20066 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
20067 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
20068 "HEAD / HTTP/1.0"
20069
20070 => long request (6.5s) entered by hand through 'telnet'. The server replied
20071 in 147 ms, and the session ended normally ('----')
20072
20073 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
20074 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
20075 0/9 "HEAD / HTTP/1.0"
20076
20077 => Idem, but the request was queued in the global queue behind 9 other
20078 requests, and waited there for 1230 ms.
20079
20080 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
20081 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
20082 "GET /image.iso HTTP/1.0"
20083
20084 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010020085 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020086 14 ms, 243 bytes of headers were sent to the client, and total time from
20087 accept to first data byte is 30 ms.
20088
20089 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
20090 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
20091 "GET /cgi-bin/bug.cgi? HTTP/1.0"
20092
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020020093 => the proxy blocked a server response either because of an "http-response
20094 deny" rule, or because the response was improperly formatted and not
20095 HTTP-compliant, or because it blocked sensitive information which risked
20096 being cached. In this case, the response is replaced with a "502 bad
20097 gateway". The flags ("PH--") tell us that it was haproxy who decided to
20098 return the 502 and not the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020099
20100 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +010020101 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020102
20103 => the client never completed its request and aborted itself ("C---") after
20104 8.5s, while the proxy was waiting for the request headers ("-R--").
20105 Nothing was sent to any server.
20106
20107 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
20108 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
20109
20110 => The client never completed its request, which was aborted by the
20111 time-out ("c---") after 50s, while the proxy was waiting for the request
Davor Ocelice9ed2812017-12-25 17:49:28 +010020112 headers ("-R--"). Nothing was sent to any server, but the proxy could
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020113 send a 408 return code to the client.
20114
20115 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
20116 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
20117
20118 => This log was produced with "option tcplog". The client timed out after
20119 5 seconds ("c----").
20120
20121 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
20122 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +010020123 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020124
20125 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +020020126 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020127 (config says 'retries 3'), and no redispatch (otherwise we would have
20128 seen "/+3"). Status code 503 was returned to the client. There were 115
20129 connections on this server, 202 connections on this proxy, and 205 on
20130 the global process. It is possible that the server refused the
20131 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010020132
Willy Tarreau52b2d222011-09-07 23:48:48 +020020133
Christopher Fauletc3fe5332016-04-07 15:30:10 +0200201349. Supported filters
20135--------------------
20136
20137Here are listed officially supported filters with the list of parameters they
20138accept. Depending on compile options, some of these filters might be
20139unavailable. The list of available filters is reported in haproxy -vv.
20140
20141See also : "filter"
20142
201439.1. Trace
20144----------
20145
Christopher Faulet31bfe1f2016-12-09 17:42:38 +010020146filter trace [name <name>] [random-parsing] [random-forwarding] [hexdump]
Christopher Fauletc3fe5332016-04-07 15:30:10 +020020147
20148 Arguments:
20149 <name> is an arbitrary name that will be reported in
20150 messages. If no name is provided, "TRACE" is used.
20151
20152 <random-parsing> enables the random parsing of data exchanged between
20153 the client and the server. By default, this filter
20154 parses all available data. With this parameter, it
20155 only parses a random amount of the available data.
20156
Davor Ocelice9ed2812017-12-25 17:49:28 +010020157 <random-forwarding> enables the random forwarding of parsed data. By
Christopher Fauletc3fe5332016-04-07 15:30:10 +020020158 default, this filter forwards all previously parsed
20159 data. With this parameter, it only forwards a random
20160 amount of the parsed data.
20161
Davor Ocelice9ed2812017-12-25 17:49:28 +010020162 <hexdump> dumps all forwarded data to the server and the client.
Christopher Faulet31bfe1f2016-12-09 17:42:38 +010020163
Christopher Fauletc3fe5332016-04-07 15:30:10 +020020164This filter can be used as a base to develop new filters. It defines all
20165callbacks and print a message on the standard error stream (stderr) with useful
20166information for all of them. It may be useful to debug the activity of other
20167filters or, quite simply, HAProxy's activity.
20168
20169Using <random-parsing> and/or <random-forwarding> parameters is a good way to
20170tests the behavior of a filter that parses data exchanged between a client and
20171a server by adding some latencies in the processing.
20172
20173
201749.2. HTTP compression
20175---------------------
20176
20177filter compression
20178
20179The HTTP compression has been moved in a filter in HAProxy 1.7. "compression"
20180keyword must still be used to enable and configure the HTTP compression. And
Christopher Fauletb30b3102019-09-12 23:03:09 +020020181when no other filter is used, it is enough. When used with the cache or the
20182fcgi-app enabled, it is also enough. In this case, the compression is always
20183done after the response is stored in the cache. But it is mandatory to
20184explicitly use a filter line to enable the HTTP compression when at least one
20185filter other than the cache or the fcgi-app is used for the same
20186listener/frontend/backend. This is important to know the filters evaluation
20187order.
Christopher Fauletc3fe5332016-04-07 15:30:10 +020020188
Christopher Fauletb30b3102019-09-12 23:03:09 +020020189See also : "compression", section 9.4 about the cache filter and section 9.5
20190 about the fcgi-app filter.
Christopher Fauletc3fe5332016-04-07 15:30:10 +020020191
20192
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +0200201939.3. Stream Processing Offload Engine (SPOE)
20194--------------------------------------------
20195
20196filter spoe [engine <name>] config <file>
20197
20198 Arguments :
20199
20200 <name> is the engine name that will be used to find the right scope in
20201 the configuration file. If not provided, all the file will be
20202 parsed.
20203
20204 <file> is the path of the engine configuration file. This file can
20205 contain configuration of several engines. In this case, each
20206 part must be placed in its own scope.
20207
20208The Stream Processing Offload Engine (SPOE) is a filter communicating with
20209external components. It allows the offload of some specifics processing on the
Davor Ocelice9ed2812017-12-25 17:49:28 +010020210streams in tiered applications. These external components and information
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +020020211exchanged with them are configured in dedicated files, for the main part. It
20212also requires dedicated backends, defined in HAProxy configuration.
20213
20214SPOE communicates with external components using an in-house binary protocol,
20215the Stream Processing Offload Protocol (SPOP).
20216
Tim Düsterhus4896c442016-11-29 02:15:19 +010020217For all information about the SPOE configuration and the SPOP specification, see
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +020020218"doc/SPOE.txt".
20219
Christopher Faulet99a17a22018-12-11 09:18:27 +0100202209.4. Cache
20221----------
20222
20223filter cache <name>
20224
20225 Arguments :
20226
20227 <name> is name of the cache section this filter will use.
20228
20229The cache uses a filter to store cacheable responses. The HTTP rules
20230"cache-store" and "cache-use" must be used to define how and when to use a
John Roeslerfb2fce12019-07-10 15:45:51 -050020231cache. By default the corresponding filter is implicitly defined. And when no
Christopher Fauletb30b3102019-09-12 23:03:09 +020020232other filters than fcgi-app or compression are used, it is enough. In such
20233case, the compression filter is always evaluated after the cache filter. But it
20234is mandatory to explicitly use a filter line to use a cache when at least one
20235filter other than the compression or the fcgi-app is used for the same
Christopher Faulet27d93c32018-12-15 22:32:02 +010020236listener/frontend/backend. This is important to know the filters evaluation
20237order.
Christopher Faulet99a17a22018-12-11 09:18:27 +010020238
Christopher Fauletb30b3102019-09-12 23:03:09 +020020239See also : section 9.2 about the compression filter, section 9.5 about the
20240 fcgi-app filter and section 6 about cache.
20241
20242
202439.5. Fcgi-app
20244-------------
20245
Daniel Corbett67a82712020-07-06 23:01:19 -040020246filter fcgi-app <name>
Christopher Fauletb30b3102019-09-12 23:03:09 +020020247
20248 Arguments :
20249
20250 <name> is name of the fcgi-app section this filter will use.
20251
20252The FastCGI application uses a filter to evaluate all custom parameters on the
20253request path, and to process the headers on the response path. the <name> must
20254reference an existing fcgi-app section. The directive "use-fcgi-app" should be
20255used to define the application to use. By default the corresponding filter is
20256implicitly defined. And when no other filters than cache or compression are
20257used, it is enough. But it is mandatory to explicitly use a filter line to a
20258fcgi-app when at least one filter other than the compression or the cache is
20259used for the same backend. This is important to know the filters evaluation
20260order.
20261
20262See also: "use-fcgi-app", section 9.2 about the compression filter, section 9.4
20263 about the cache filter and section 10 about FastCGI application.
20264
20265
2026610. FastCGI applications
20267-------------------------
20268
20269HAProxy is able to send HTTP requests to Responder FastCGI applications. This
20270feature was added in HAProxy 2.1. To do so, servers must be configured to use
20271the FastCGI protocol (using the keyword "proto fcgi" on the server line) and a
20272FastCGI application must be configured and used by the backend managing these
20273servers (using the keyword "use-fcgi-app" into the proxy section). Several
20274FastCGI applications may be defined, but only one can be used at a time by a
20275backend.
20276
20277HAProxy implements all features of the FastCGI specification for Responder
20278application. Especially it is able to multiplex several requests on a simple
20279connection.
20280
2028110.1. Setup
20282-----------
20283
2028410.1.1. Fcgi-app section
20285--------------------------
20286
20287fcgi-app <name>
20288 Declare a FastCGI application named <name>. To be valid, at least the
20289 document root must be defined.
20290
20291acl <aclname> <criterion> [flags] [operator] <value> ...
20292 Declare or complete an access list.
20293
20294 See "acl" keyword in section 4.2 and section 7 about ACL usage for
20295 details. ACLs defined for a FastCGI application are private. They cannot be
20296 used by any other application or by any proxy. In the same way, ACLs defined
20297 in any other section are not usable by a FastCGI application. However,
20298 Pre-defined ACLs are available.
20299
20300docroot <path>
20301 Define the document root on the remote host. <path> will be used to build
20302 the default value of FastCGI parameters SCRIPT_FILENAME and
20303 PATH_TRANSLATED. It is a mandatory setting.
20304
20305index <script-name>
20306 Define the script name that will be appended after an URI that ends with a
20307 slash ("/") to set the default value of the FastCGI parameter SCRIPT_NAME. It
20308 is an optional setting.
20309
20310 Example :
20311 index index.php
20312
20313log-stderr global
20314log-stderr <address> [len <length>] [format <format>]
20315 [sample <ranges>:<smp_size>] <facility> [<level> [<minlevel>]]
20316 Enable logging of STDERR messages reported by the FastCGI application.
20317
20318 See "log" keyword in section 4.2 for details. It is an optional setting. By
20319 default STDERR messages are ignored.
20320
20321pass-header <name> [ { if | unless } <condition> ]
20322 Specify the name of a request header which will be passed to the FastCGI
20323 application. It may optionally be followed by an ACL-based condition, in
20324 which case it will only be evaluated if the condition is true.
20325
20326 Most request headers are already available to the FastCGI application,
20327 prefixed with "HTTP_". Thus, this directive is only required to pass headers
20328 that are purposefully omitted. Currently, the headers "Authorization",
20329 "Proxy-Authorization" and hop-by-hop headers are omitted.
20330
20331 Note that the headers "Content-type" and "Content-length" are never passed to
20332 the FastCGI application because they are already converted into parameters.
20333
20334path-info <regex>
Christopher Faulet28cb3662020-02-14 14:47:37 +010020335 Define a regular expression to extract the script-name and the path-info from
Christopher Faulet6c57f2d2020-02-14 16:55:52 +010020336 the URL-decoded path. Thus, <regex> may have two captures: the first one to
20337 capture the script name and the second one to capture the path-info. The
20338 first one is mandatory, the second one is optional. This way, it is possible
20339 to extract the script-name from the path ignoring the path-info. It is an
20340 optional setting. If it is not defined, no matching is performed on the
20341 path. and the FastCGI parameters PATH_INFO and PATH_TRANSLATED are not
20342 filled.
Christopher Faulet28cb3662020-02-14 14:47:37 +010020343
20344 For security reason, when this regular expression is defined, the newline and
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050020345 the null characters are forbidden from the path, once URL-decoded. The reason
Christopher Faulet28cb3662020-02-14 14:47:37 +010020346 to such limitation is because otherwise the matching always fails (due to a
20347 limitation one the way regular expression are executed in HAProxy). So if one
20348 of these two characters is found in the URL-decoded path, an error is
20349 returned to the client. The principle of least astonishment is applied here.
Christopher Fauletb30b3102019-09-12 23:03:09 +020020350
20351 Example :
Christopher Faulet6c57f2d2020-02-14 16:55:52 +010020352 path-info ^(/.+\.php)(/.*)?$ # both script-name and path-info may be set
20353 path-info ^(/.+\.php) # the path-info is ignored
Christopher Fauletb30b3102019-09-12 23:03:09 +020020354
20355option get-values
20356no option get-values
20357 Enable or disable the retrieve of variables about connection management.
20358
Daniel Corbett67a82712020-07-06 23:01:19 -040020359 HAProxy is able to send the record FCGI_GET_VALUES on connection
Christopher Fauletb30b3102019-09-12 23:03:09 +020020360 establishment to retrieve the value for following variables:
20361
20362 * FCGI_MAX_REQS The maximum number of concurrent requests this
20363 application will accept.
20364
William Lallemand93e548e2019-09-30 13:54:02 +020020365 * FCGI_MPXS_CONNS "0" if this application does not multiplex connections,
20366 "1" otherwise.
Christopher Fauletb30b3102019-09-12 23:03:09 +020020367
20368 Some FastCGI applications does not support this feature. Some others close
Ilya Shipitsin11057a32020-06-21 21:18:27 +050020369 the connection immediately after sending their response. So, by default, this
Christopher Fauletb30b3102019-09-12 23:03:09 +020020370 option is disabled.
20371
20372 Note that the maximum number of concurrent requests accepted by a FastCGI
20373 application is a connection variable. It only limits the number of streams
20374 per connection. If the global load must be limited on the application, the
20375 server parameters "maxconn" and "pool-max-conn" must be set. In addition, if
20376 an application does not support connection multiplexing, the maximum number
20377 of concurrent requests is automatically set to 1.
20378
20379option keep-conn
20380no option keep-conn
20381 Instruct the FastCGI application to keep the connection open or not after
20382 sending a response.
20383
20384 If disabled, the FastCGI application closes the connection after responding
20385 to this request. By default, this option is enabled.
20386
20387option max-reqs <reqs>
20388 Define the maximum number of concurrent requests this application will
20389 accept.
20390
20391 This option may be overwritten if the variable FCGI_MAX_REQS is retrieved
20392 during connection establishment. Furthermore, if the application does not
20393 support connection multiplexing, this option will be ignored. By default set
20394 to 1.
20395
20396option mpxs-conns
20397no option mpxs-conns
20398 Enable or disable the support of connection multiplexing.
20399
20400 This option may be overwritten if the variable FCGI_MPXS_CONNS is retrieved
20401 during connection establishment. It is disabled by default.
20402
20403set-param <name> <fmt> [ { if | unless } <condition> ]
20404 Set a FastCGI parameter that should be passed to this application. Its
20405 value, defined by <fmt> must follows the log-format rules (see section 8.2.4
20406 "Custom Log format"). It may optionally be followed by an ACL-based
20407 condition, in which case it will only be evaluated if the condition is true.
20408
20409 With this directive, it is possible to overwrite the value of default FastCGI
20410 parameters. If the value is evaluated to an empty string, the rule is
20411 ignored. These directives are evaluated in their declaration order.
20412
20413 Example :
20414 # PHP only, required if PHP was built with --enable-force-cgi-redirect
20415 set-param REDIRECT_STATUS 200
20416
20417 set-param PHP_AUTH_DIGEST %[req.hdr(Authorization)]
20418
20419
2042010.1.2. Proxy section
20421---------------------
20422
20423use-fcgi-app <name>
20424 Define the FastCGI application to use for the backend.
20425
20426 Arguments :
20427 <name> is the name of the FastCGI application to use.
20428
20429 This keyword is only available for HTTP proxies with the backend capability
20430 and with at least one FastCGI server. However, FastCGI servers can be mixed
20431 with HTTP servers. But except there is a good reason to do so, it is not
20432 recommended (see section 10.3 about the limitations for details). Only one
20433 application may be defined at a time per backend.
20434
20435 Note that, once a FastCGI application is referenced for a backend, depending
20436 on the configuration some processing may be done even if the request is not
20437 sent to a FastCGI server. Rules to set parameters or pass headers to an
20438 application are evaluated.
20439
20440
2044110.1.3. Example
20442---------------
20443
20444 frontend front-http
20445 mode http
20446 bind *:80
20447 bind *:
20448
20449 use_backend back-dynamic if { path_reg ^/.+\.php(/.*)?$ }
20450 default_backend back-static
20451
20452 backend back-static
20453 mode http
20454 server www A.B.C.D:80
20455
20456 backend back-dynamic
20457 mode http
20458 use-fcgi-app php-fpm
20459 server php-fpm A.B.C.D:9000 proto fcgi
20460
20461 fcgi-app php-fpm
20462 log-stderr global
20463 option keep-conn
20464
20465 docroot /var/www/my-app
20466 index index.php
20467 path-info ^(/.+\.php)(/.*)?$
20468
20469
2047010.2. Default parameters
20471------------------------
20472
20473A Responder FastCGI application has the same purpose as a CGI/1.1 program. In
20474the CGI/1.1 specification (RFC3875), several variables must be passed to the
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050020475script. So HAProxy set them and some others commonly used by FastCGI
Christopher Fauletb30b3102019-09-12 23:03:09 +020020476applications. All these variables may be overwritten, with caution though.
20477
20478 +-------------------+-----------------------------------------------------+
20479 | AUTH_TYPE | Identifies the mechanism, if any, used by HAProxy |
20480 | | to authenticate the user. Concretely, only the |
20481 | | BASIC authentication mechanism is supported. |
20482 | | |
20483 +-------------------+-----------------------------------------------------+
20484 | CONTENT_LENGTH | Contains the size of the message-body attached to |
20485 | | the request. It means only requests with a known |
20486 | | size are considered as valid and sent to the |
20487 | | application. |
20488 | | |
20489 +-------------------+-----------------------------------------------------+
20490 | CONTENT_TYPE | Contains the type of the message-body attached to |
20491 | | the request. It may not be set. |
20492 | | |
20493 +-------------------+-----------------------------------------------------+
20494 | DOCUMENT_ROOT | Contains the document root on the remote host under |
20495 | | which the script should be executed, as defined in |
20496 | | the application's configuration. |
20497 | | |
20498 +-------------------+-----------------------------------------------------+
20499 | GATEWAY_INTERFACE | Contains the dialect of CGI being used by HAProxy |
20500 | | to communicate with the FastCGI application. |
20501 | | Concretely, it is set to "CGI/1.1". |
20502 | | |
20503 +-------------------+-----------------------------------------------------+
20504 | PATH_INFO | Contains the portion of the URI path hierarchy |
20505 | | following the part that identifies the script |
20506 | | itself. To be set, the directive "path-info" must |
20507 | | be defined. |
20508 | | |
20509 +-------------------+-----------------------------------------------------+
20510 | PATH_TRANSLATED | If PATH_INFO is set, it is its translated version. |
20511 | | It is the concatenation of DOCUMENT_ROOT and |
20512 | | PATH_INFO. If PATH_INFO is not set, this parameters |
20513 | | is not set too. |
20514 | | |
20515 +-------------------+-----------------------------------------------------+
20516 | QUERY_STRING | Contains the request's query string. It may not be |
20517 | | set. |
20518 | | |
20519 +-------------------+-----------------------------------------------------+
20520 | REMOTE_ADDR | Contains the network address of the client sending |
20521 | | the request. |
20522 | | |
20523 +-------------------+-----------------------------------------------------+
20524 | REMOTE_USER | Contains the user identification string supplied by |
20525 | | client as part of user authentication. |
20526 | | |
20527 +-------------------+-----------------------------------------------------+
20528 | REQUEST_METHOD | Contains the method which should be used by the |
20529 | | script to process the request. |
20530 | | |
20531 +-------------------+-----------------------------------------------------+
20532 | REQUEST_URI | Contains the request's URI. |
20533 | | |
20534 +-------------------+-----------------------------------------------------+
20535 | SCRIPT_FILENAME | Contains the absolute pathname of the script. it is |
20536 | | the concatenation of DOCUMENT_ROOT and SCRIPT_NAME. |
20537 | | |
20538 +-------------------+-----------------------------------------------------+
20539 | SCRIPT_NAME | Contains the name of the script. If the directive |
20540 | | "path-info" is defined, it is the first part of the |
20541 | | URI path hierarchy, ending with the script name. |
20542 | | Otherwise, it is the entire URI path. |
20543 | | |
20544 +-------------------+-----------------------------------------------------+
20545 | SERVER_NAME | Contains the name of the server host to which the |
20546 | | client request is directed. It is the value of the |
20547 | | header "Host", if defined. Otherwise, the |
20548 | | destination address of the connection on the client |
20549 | | side. |
20550 | | |
20551 +-------------------+-----------------------------------------------------+
20552 | SERVER_PORT | Contains the destination TCP port of the connection |
20553 | | on the client side, which is the port the client |
20554 | | connected to. |
20555 | | |
20556 +-------------------+-----------------------------------------------------+
20557 | SERVER_PROTOCOL | Contains the request's protocol. |
20558 | | |
20559 +-------------------+-----------------------------------------------------+
20560 | HTTPS | Set to a non-empty value ("on") if the script was |
20561 | | queried through the HTTPS protocol. |
20562 | | |
20563 +-------------------+-----------------------------------------------------+
20564
20565
2056610.3. Limitations
20567------------------
20568
20569The current implementation have some limitations. The first one is about the
20570way some request headers are hidden to the FastCGI applications. This happens
20571during the headers analysis, on the backend side, before the connection
20572establishment. At this stage, HAProxy know the backend is using a FastCGI
20573application but it don't know if the request will be routed to a FastCGI server
20574or not. But to hide request headers, it simply removes them from the HTX
20575message. So, if the request is finally routed to an HTTP server, it never see
20576these headers. For this reason, it is not recommended to mix FastCGI servers
20577and HTTP servers under the same backend.
20578
20579Similarly, the rules "set-param" and "pass-header" are evaluated during the
20580request headers analysis. So the evaluation is always performed, even if the
20581requests is finally forwarded to an HTTP server.
20582
20583About the rules "set-param", when a rule is applied, a pseudo header is added
20584into the HTX message. So, the same way than for HTTP header rewrites, it may
20585fail if the buffer is full. The rules "set-param" will compete with
20586"http-request" ones.
20587
20588Finally, all FastCGI params and HTTP headers are sent into a unique record
20589FCGI_PARAM. Encoding of this record must be done in one pass, otherwise a
20590processing error is returned. It means the record FCGI_PARAM, once encoded,
20591must not exceeds the size of a buffer. However, there is no reserve to respect
20592here.
William Lallemand86d0df02017-11-24 21:36:45 +010020593
Willy Tarreau0ba27502007-12-24 16:55:16 +010020594/*
20595 * Local variables:
20596 * fill-column: 79
20597 * End:
20598 */