blob: df091bb43ec22a37de2aa7969e7ac1c94949706b [file] [log] [blame]
Willy Tarreau2212e6a2015-10-13 14:40:55 +02001 ------------------------
2 HAProxy Management Guide
3 ------------------------
Willy Tarreau0e658fb2016-11-25 16:55:50 +01004 version 1.8
Willy Tarreau2212e6a2015-10-13 14:40:55 +02005
6
7This document describes how to start, stop, manage, and troubleshoot HAProxy,
8as well as some known limitations and traps to avoid. It does not describe how
9to configure it (for this please read configuration.txt).
10
11Note to documentation contributors :
12 This document is formatted with 80 columns per line, with even number of
13 spaces for indentation and without tabs. Please follow these rules strictly
14 so that it remains easily printable everywhere. If you add sections, please
15 update the summary below for easier searching.
16
17
18Summary
19-------
20
211. Prerequisites
222. Quick reminder about HAProxy's architecture
233. Starting HAProxy
244. Stopping and restarting HAProxy
255. File-descriptor limitations
266. Memory management
277. CPU usage
288. Logging
299. Statistics and monitoring
Willy Tarreau44aed902015-10-13 14:45:29 +0200309.1. CSV format
Willy Tarreau5d8b9792016-03-11 11:09:34 +0100319.2. Typed output format
329.3. Unix Socket commands
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003310. Tricks for easier configuration management
3411. Well-known traps to avoid
3512. Debugging and performance issues
3613. Security considerations
37
38
391. Prerequisites
40----------------
41
42In this document it is assumed that the reader has sufficient administration
43skills on a UNIX-like operating system, uses the shell on a daily basis and is
44familiar with troubleshooting utilities such as strace and tcpdump.
45
46
472. Quick reminder about HAProxy's architecture
48----------------------------------------------
49
50HAProxy is a single-threaded, event-driven, non-blocking daemon. This means is
51uses event multiplexing to schedule all of its activities instead of relying on
52the system to schedule between multiple activities. Most of the time it runs as
53a single process, so the output of "ps aux" on a system will report only one
54"haproxy" process, unless a soft reload is in progress and an older process is
55finishing its job in parallel to the new one. It is thus always easy to trace
56its activity using the strace utility.
57
58HAProxy is designed to isolate itself into a chroot jail during startup, where
59it cannot perform any file-system access at all. This is also true for the
60libraries it depends on (eg: libc, libssl, etc). The immediate effect is that
61a running process will not be able to reload a configuration file to apply
62changes, instead a new process will be started using the updated configuration
63file. Some other less obvious effects are that some timezone files or resolver
64files the libc might attempt to access at run time will not be found, though
65this should generally not happen as they're not needed after startup. A nice
66consequence of this principle is that the HAProxy process is totally stateless,
67and no cleanup is needed after it's killed, so any killing method that works
68will do the right thing.
69
70HAProxy doesn't write log files, but it relies on the standard syslog protocol
71to send logs to a remote server (which is often located on the same system).
72
73HAProxy uses its internal clock to enforce timeouts, that is derived from the
74system's time but where unexpected drift is corrected. This is done by limiting
75the time spent waiting in poll() for an event, and measuring the time it really
76took. In practice it never waits more than one second. This explains why, when
77running strace over a completely idle process, periodic calls to poll() (or any
78of its variants) surrounded by two gettimeofday() calls are noticed. They are
79normal, completely harmless and so cheap that the load they imply is totally
80undetectable at the system scale, so there's nothing abnormal there. Example :
81
82 16:35:40.002320 gettimeofday({1442759740, 2605}, NULL) = 0
83 16:35:40.002942 epoll_wait(0, {}, 200, 1000) = 0
84 16:35:41.007542 gettimeofday({1442759741, 7641}, NULL) = 0
85 16:35:41.007998 gettimeofday({1442759741, 8114}, NULL) = 0
86 16:35:41.008391 epoll_wait(0, {}, 200, 1000) = 0
87 16:35:42.011313 gettimeofday({1442759742, 11411}, NULL) = 0
88
89HAProxy is a TCP proxy, not a router. It deals with established connections that
90have been validated by the kernel, and not with packets of any form nor with
91sockets in other states (eg: no SYN_RECV nor TIME_WAIT), though their existence
92may prevent it from binding a port. It relies on the system to accept incoming
93connections and to initiate outgoing connections. An immediate effect of this is
94that there is no relation between packets observed on the two sides of a
95forwarded connection, which can be of different size, numbers and even family.
96Since a connection may only be accepted from a socket in LISTEN state, all the
97sockets it is listening to are necessarily visible using the "netstat" utility
98to show listening sockets. Example :
99
100 # netstat -ltnp
101 Active Internet connections (only servers)
102 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
103 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1629/sshd
104 tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2847/haproxy
105 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2847/haproxy
106
107
1083. Starting HAProxy
109-------------------
110
111HAProxy is started by invoking the "haproxy" program with a number of arguments
112passed on the command line. The actual syntax is :
113
114 $ haproxy [<options>]*
115
116where [<options>]* is any number of options. An option always starts with '-'
117followed by one of more letters, and possibly followed by one or multiple extra
118arguments. Without any option, HAProxy displays the help page with a reminder
119about supported options. Available options may vary slightly based on the
120operating system. A fair number of these options overlap with an equivalent one
121if the "global" section. In this case, the command line always has precedence
122over the configuration file, so that the command line can be used to quickly
123enforce some settings without touching the configuration files. The current
124list of options is :
125
126 -- <cfgfile>* : all the arguments following "--" are paths to configuration
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200127 file/directory to be loaded and processed in the declaration order. It is
128 mostly useful when relying on the shell to load many files that are
129 numerically ordered. See also "-f". The difference between "--" and "-f" is
130 that one "-f" must be placed before each file name, while a single "--" is
131 needed before all file names. Both options can be used together, the
132 command line ordering still applies. When more than one file is specified,
133 each file must start on a section boundary, so the first keyword of each
134 file must be one of "global", "defaults", "peers", "listen", "frontend",
135 "backend", and so on. A file cannot contain just a server list for example.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200136
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200137 -f <cfgfile|cfgdir> : adds <cfgfile> to the list of configuration files to be
138 loaded. If <cfgdir> is a directory, all the files (and only files) it
Dan Lloyd8e48b872016-07-01 21:01:18 -0400139 contains are added in lexical order (using LC_COLLATE=C) to the list of
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200140 configuration files to be loaded ; only files with ".cfg" extension are
141 added, only non hidden files (not prefixed with ".") are added.
142 Configuration files are loaded and processed in their declaration order.
143 This option may be specified multiple times to load multiple files. See
144 also "--". The difference between "--" and "-f" is that one "-f" must be
145 placed before each file name, while a single "--" is needed before all file
146 names. Both options can be used together, the command line ordering still
147 applies. When more than one file is specified, each file must start on a
148 section boundary, so the first keyword of each file must be one of
149 "global", "defaults", "peers", "listen", "frontend", "backend", and so on.
150 A file cannot contain just a server list for example.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200151
152 -C <dir> : changes to directory <dir> before loading configuration
153 files. This is useful when using relative paths. Warning when using
154 wildcards after "--" which are in fact replaced by the shell before
155 starting haproxy.
156
157 -D : start as a daemon. The process detaches from the current terminal after
158 forking, and errors are not reported anymore in the terminal. It is
159 equivalent to the "daemon" keyword in the "global" section of the
160 configuration. It is recommended to always force it in any init script so
161 that a faulty configuration doesn't prevent the system from booting.
162
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200163 -L <name> : change the local peer name to <name>, which defaults to the local
164 hostname. This is used only with peers replication.
165
166 -N <limit> : sets the default per-proxy maxconn to <limit> instead of the
167 builtin default value (usually 2000). Only useful for debugging.
168
169 -V : enable verbose mode (disables quiet mode). Reverts the effect of "-q" or
170 "quiet".
171
William Lallemande202b1e2017-06-01 17:38:56 +0200172 -W : master-worker mode. It is equivalent to the "master-worker" keyword in
173 the "global" section of the configuration. This mode will launch a "master"
174 which will monitor the "workers". Using this mode, you can reload HAProxy
175 directly by sending a SIGUSR2 signal to the master. The master-worker mode
176 is compatible either with the foreground or daemon mode. It is
177 recommended to use this mode with multiprocess and systemd.
178
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200179 -c : only performs a check of the configuration files and exits before trying
180 to bind. The exit status is zero if everything is OK, or non-zero if an
181 error is encountered.
182
183 -d : enable debug mode. This disables daemon mode, forces the process to stay
184 in foreground and to show incoming and outgoing events. It is equivalent to
185 the "global" section's "debug" keyword. It must never be used in an init
186 script.
187
188 -dG : disable use of getaddrinfo() to resolve host names into addresses. It
189 can be used when suspecting that getaddrinfo() doesn't work as expected.
190 This option was made available because many bogus implementations of
191 getaddrinfo() exist on various systems and cause anomalies that are
192 difficult to troubleshoot.
193
Dan Lloyd8e48b872016-07-01 21:01:18 -0400194 -dM[<byte>] : forces memory poisoning, which means that each and every
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200195 memory region allocated with malloc() or pool_alloc2() will be filled with
196 <byte> before being passed to the caller. When <byte> is not specified, it
197 defaults to 0x50 ('P'). While this slightly slows down operations, it is
198 useful to reliably trigger issues resulting from missing initializations in
199 the code that cause random crashes. Note that -dM0 has the effect of
200 turning any malloc() into a calloc(). In any case if a bug appears or
201 disappears when using this option it means there is a bug in haproxy, so
202 please report it.
203
204 -dS : disable use of the splice() system call. It is equivalent to the
205 "global" section's "nosplice" keyword. This may be used when splice() is
206 suspected to behave improperly or to cause performance issues, or when
207 using strace to see the forwarded data (which do not appear when using
208 splice()).
209
210 -dV : disable SSL verify on the server side. It is equivalent to having
211 "ssl-server-verify none" in the "global" section. This is useful when
212 trying to reproduce production issues out of the production
213 environment. Never use this in an init script as it degrades SSL security
214 to the servers.
215
216 -db : disable background mode and multi-process mode. The process remains in
217 foreground. It is mainly used during development or during small tests, as
218 Ctrl-C is enough to stop the process. Never use it in an init script.
219
220 -de : disable the use of the "epoll" poller. It is equivalent to the "global"
221 section's keyword "noepoll". It is mostly useful when suspecting a bug
222 related to this poller. On systems supporting epoll, the fallback will
223 generally be the "poll" poller.
224
225 -dk : disable the use of the "kqueue" poller. It is equivalent to the
226 "global" section's keyword "nokqueue". It is mostly useful when suspecting
227 a bug related to this poller. On systems supporting kqueue, the fallback
228 will generally be the "poll" poller.
229
230 -dp : disable the use of the "poll" poller. It is equivalent to the "global"
231 section's keyword "nopoll". It is mostly useful when suspecting a bug
232 related to this poller. On systems supporting poll, the fallback will
233 generally be the "select" poller, which cannot be disabled and is limited
234 to 1024 file descriptors.
235
Willy Tarreau3eed10e2016-11-07 21:03:16 +0100236 -dr : ignore server address resolution failures. It is very common when
237 validating a configuration out of production not to have access to the same
238 resolvers and to fail on server address resolution, making it difficult to
239 test a configuration. This option simply appends the "none" method to the
240 list of address resolution methods for all servers, ensuring that even if
241 the libc fails to resolve an address, the startup sequence is not
242 interrupted.
243
Willy Tarreau70060452015-12-14 12:46:07 +0100244 -m <limit> : limit the total allocatable memory to <limit> megabytes across
245 all processes. This may cause some connection refusals or some slowdowns
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200246 depending on the amount of memory needed for normal operations. This is
Willy Tarreau70060452015-12-14 12:46:07 +0100247 mostly used to force the processes to work in a constrained resource usage
248 scenario. It is important to note that the memory is not shared between
249 processes, so in a multi-process scenario, this value is first divided by
250 global.nbproc before forking.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200251
252 -n <limit> : limits the per-process connection limit to <limit>. This is
253 equivalent to the global section's keyword "maxconn". It has precedence
254 over this keyword. This may be used to quickly force lower limits to avoid
255 a service outage on systems where resource limits are too low.
256
257 -p <file> : write all processes' pids into <file> during startup. This is
258 equivalent to the "global" section's keyword "pidfile". The file is opened
259 before entering the chroot jail, and after doing the chdir() implied by
260 "-C". Each pid appears on its own line.
261
262 -q : set "quiet" mode. This disables some messages during the configuration
263 parsing and during startup. It can be used in combination with "-c" to
264 just check if a configuration file is valid or not.
265
266 -sf <pid>* : send the "finish" signal (SIGUSR1) to older processes after boot
267 completion to ask them to finish what they are doing and to leave. <pid>
268 is a list of pids to signal (one per argument). The list ends on any
269 option starting with a "-". It is not a problem if the list of pids is
270 empty, so that it can be built on the fly based on the result of a command
271 like "pidof" or "pgrep".
272
273 -st <pid>* : send the "terminate" signal (SIGTERM) to older processes after
274 boot completion to terminate them immediately without finishing what they
275 were doing. <pid> is a list of pids to signal (one per argument). The list
276 is ends on any option starting with a "-". It is not a problem if the list
277 of pids is empty, so that it can be built on the fly based on the result of
278 a command like "pidof" or "pgrep".
279
280 -v : report the version and build date.
281
282 -vv : display the version, build options, libraries versions and usable
283 pollers. This output is systematically requested when filing a bug report.
284
Olivier Houchardd33fc3a2017-04-05 22:50:59 +0200285 -x <unix_socket> : connect to the specified socket and try to retrieve any
286 listening sockets from the old process, and use them instead of trying to
287 bind new ones. This is useful to avoid missing any new connection when
William Lallemandf6975e92017-05-26 17:42:10 +0200288 reloading the configuration on Linux. The capability must be enable on the
289 stats socket using "expose-fd listeners" in your configuration.
Olivier Houchardd33fc3a2017-04-05 22:50:59 +0200290
Dan Lloyd8e48b872016-07-01 21:01:18 -0400291A safe way to start HAProxy from an init file consists in forcing the daemon
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200292mode, storing existing pids to a pid file and using this pid file to notify
293older processes to finish before leaving :
294
295 haproxy -f /etc/haproxy.cfg \
296 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
297
298When the configuration is split into a few specific files (eg: tcp vs http),
299it is recommended to use the "-f" option :
300
301 haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
302 -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
303 -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
304 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
305
306When an unknown number of files is expected, such as customer-specific files,
307it is recommended to assign them a name starting with a fixed-size sequence
308number and to use "--" to load them, possibly after loading some defaults :
309
310 haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
311 -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
312 -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
313 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) \
314 -f /etc/haproxy/default-customers.cfg -- /etc/haproxy/customers/*
315
316Sometimes a failure to start may happen for whatever reason. Then it is
317important to verify if the version of HAProxy you are invoking is the expected
318version and if it supports the features you are expecting (eg: SSL, PCRE,
319compression, Lua, etc). This can be verified using "haproxy -vv". Some
320important information such as certain build options, the target system and
321the versions of the libraries being used are reported there. It is also what
322you will systematically be asked for when posting a bug report :
323
324 $ haproxy -vv
325 HA-Proxy version 1.6-dev7-a088d3-4 2015/10/08
326 Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>
327
328 Build options :
329 TARGET = linux2628
330 CPU = generic
331 CC = gcc
332 CFLAGS = -pg -O0 -g -fno-strict-aliasing -Wdeclaration-after-statement \
333 -DBUFSIZE=8030 -DMAXREWRITE=1030 -DSO_MARK=36 -DTCP_REPAIR=19
334 OPTIONS = USE_ZLIB=1 USE_DLMALLOC=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
335
336 Default settings :
337 maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200
338
339 Encrypted password support via crypt(3): yes
340 Built with zlib version : 1.2.6
341 Compression algorithms supported : identity("identity"), deflate("deflate"), \
342 raw-deflate("deflate"), gzip("gzip")
343 Built with OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
344 Running on OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
345 OpenSSL library supports TLS extensions : yes
346 OpenSSL library supports SNI : yes
347 OpenSSL library supports prefer-server-ciphers : yes
348 Built with PCRE version : 8.12 2011-01-15
349 PCRE library supports JIT : no (USE_PCRE_JIT not set)
350 Built with Lua version : Lua 5.3.1
351 Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
352
353 Available polling systems :
354 epoll : pref=300, test result OK
355 poll : pref=200, test result OK
356 select : pref=150, test result OK
357 Total: 3 (3 usable), will use epoll.
358
359The relevant information that many non-developer users can verify here are :
360 - the version : 1.6-dev7-a088d3-4 above means the code is currently at commit
361 ID "a088d3" which is the 4th one after after official version "1.6-dev7".
362 Version 1.6-dev7 would show as "1.6-dev7-8c1ad7". What matters here is in
363 fact "1.6-dev7". This is the 7th development version of what will become
364 version 1.6 in the future. A development version not suitable for use in
365 production (unless you know exactly what you are doing). A stable version
366 will show as a 3-numbers version, such as "1.5.14-16f863", indicating the
367 14th level of fix on top of version 1.5. This is a production-ready version.
368
369 - the release date : 2015/10/08. It is represented in the universal
370 year/month/day format. Here this means August 8th, 2015. Given that stable
371 releases are issued every few months (1-2 months at the beginning, sometimes
372 6 months once the product becomes very stable), if you're seeing an old date
373 here, it means you're probably affected by a number of bugs or security
374 issues that have since been fixed and that it might be worth checking on the
375 official site.
376
377 - build options : they are relevant to people who build their packages
378 themselves, they can explain why things are not behaving as expected. For
379 example the development version above was built for Linux 2.6.28 or later,
Dan Lloyd8e48b872016-07-01 21:01:18 -0400380 targeting a generic CPU (no CPU-specific optimizations), and lacks any
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200381 code optimization (-O0) so it will perform poorly in terms of performance.
382
383 - libraries versions : zlib version is reported as found in the library
384 itself. In general zlib is considered a very stable product and upgrades
385 are almost never needed. OpenSSL reports two versions, the version used at
386 build time and the one being used, as found on the system. These ones may
387 differ by the last letter but never by the numbers. The build date is also
388 reported because most OpenSSL bugs are security issues and need to be taken
389 seriously, so this library absolutely needs to be kept up to date. Seeing a
390 4-months old version here is highly suspicious and indeed an update was
391 missed. PCRE provides very fast regular expressions and is highly
392 recommended. Certain of its extensions such as JIT are not present in all
393 versions and still young so some people prefer not to build with them,
Dan Lloyd8e48b872016-07-01 21:01:18 -0400394 which is why the build status is reported as well. Regarding the Lua
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200395 scripting language, HAProxy expects version 5.3 which is very young since
396 it was released a little time before HAProxy 1.6. It is important to check
397 on the Lua web site if some fixes are proposed for this branch.
398
399 - Available polling systems will affect the process's scalability when
400 dealing with more than about one thousand of concurrent connections. These
401 ones are only available when the correct system was indicated in the TARGET
402 variable during the build. The "epoll" mechanism is highly recommended on
403 Linux, and the kqueue mechanism is highly recommended on BSD. Lacking them
404 will result in poll() or even select() being used, causing a high CPU usage
405 when dealing with a lot of connections.
406
407
4084. Stopping and restarting HAProxy
409----------------------------------
410
411HAProxy supports a graceful and a hard stop. The hard stop is simple, when the
412SIGTERM signal is sent to the haproxy process, it immediately quits and all
413established connections are closed. The graceful stop is triggered when the
414SIGUSR1 signal is sent to the haproxy process. It consists in only unbinding
415from listening ports, but continue to process existing connections until they
416close. Once the last connection is closed, the process leaves.
417
418The hard stop method is used for the "stop" or "restart" actions of the service
419management script. The graceful stop is used for the "reload" action which
420tries to seamlessly reload a new configuration in a new process.
421
422Both of these signals may be sent by the new haproxy process itself during a
423reload or restart, so that they are sent at the latest possible moment and only
424if absolutely required. This is what is performed by the "-st" (hard) and "-sf"
425(graceful) options respectively.
426
William Lallemande202b1e2017-06-01 17:38:56 +0200427In master-worker mode, it is not needed to start a new haproxy process in
428order to reload the configuration. The master process reacts to the SIGUSR2
429signal by reexecuting itself with the -sf parameter followed by the PIDs of
430the workers. The master will then parse the configuration file and fork new
431workers.
432
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200433To understand better how these signals are used, it is important to understand
434the whole restart mechanism.
435
436First, an existing haproxy process is running. The administrator uses a system
437specific command such as "/etc/init.d/haproxy reload" to indicate he wants to
438take the new configuration file into effect. What happens then is the following.
439First, the service script (/etc/init.d/haproxy or equivalent) will verify that
440the configuration file parses correctly using "haproxy -c". After that it will
441try to start haproxy with this configuration file, using "-st" or "-sf".
442
443Then HAProxy tries to bind to all listening ports. If some fatal errors happen
444(eg: address not present on the system, permission denied), the process quits
445with an error. If a socket binding fails because a port is already in use, then
446the process will first send a SIGTTOU signal to all the pids specified in the
447"-st" or "-sf" pid list. This is what is called the "pause" signal. It instructs
448all existing haproxy processes to temporarily stop listening to their ports so
449that the new process can try to bind again. During this time, the old process
450continues to process existing connections. If the binding still fails (because
451for example a port is shared with another daemon), then the new process sends a
452SIGTTIN signal to the old processes to instruct them to resume operations just
453as if nothing happened. The old processes will then restart listening to the
454ports and continue to accept connections. Not that this mechanism is system
Dan Lloyd8e48b872016-07-01 21:01:18 -0400455dependent and some operating systems may not support it in multi-process mode.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200456
457If the new process manages to bind correctly to all ports, then it sends either
458the SIGTERM (hard stop in case of "-st") or the SIGUSR1 (graceful stop in case
459of "-sf") to all processes to notify them that it is now in charge of operations
460and that the old processes will have to leave, either immediately or once they
461have finished their job.
462
463It is important to note that during this timeframe, there are two small windows
464of a few milliseconds each where it is possible that a few connection failures
465will be noticed during high loads. Typically observed failure rates are around
4661 failure during a reload operation every 10000 new connections per second,
467which means that a heavily loaded site running at 30000 new connections per
468second may see about 3 failed connection upon every reload. The two situations
469where this happens are :
470
471 - if the new process fails to bind due to the presence of the old process,
472 it will first have to go through the SIGTTOU+SIGTTIN sequence, which
473 typically lasts about one millisecond for a few tens of frontends, and
474 during which some ports will not be bound to the old process and not yet
475 bound to the new one. HAProxy works around this on systems that support the
476 SO_REUSEPORT socket options, as it allows the new process to bind without
477 first asking the old one to unbind. Most BSD systems have been supporting
478 this almost forever. Linux has been supporting this in version 2.0 and
479 dropped it around 2.2, but some patches were floating around by then. It
480 was reintroduced in kernel 3.9, so if you are observing a connection
Dan Lloyd8e48b872016-07-01 21:01:18 -0400481 failure rate above the one mentioned above, please ensure that your kernel
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200482 is 3.9 or newer, or that relevant patches were backported to your kernel
483 (less likely).
484
485 - when the old processes close the listening ports, the kernel may not always
486 redistribute any pending connection that was remaining in the socket's
487 backlog. Under high loads, a SYN packet may happen just before the socket
488 is closed, and will lead to an RST packet being sent to the client. In some
489 critical environments where even one drop is not acceptable, these ones are
490 sometimes dealt with using firewall rules to block SYN packets during the
491 reload, forcing the client to retransmit. This is totally system-dependent,
492 as some systems might be able to visit other listening queues and avoid
493 this RST. A second case concerns the ACK from the client on a local socket
494 that was in SYN_RECV state just before the close. This ACK will lead to an
495 RST packet while the haproxy process is still not aware of it. This one is
Dan Lloyd8e48b872016-07-01 21:01:18 -0400496 harder to get rid of, though the firewall filtering rules mentioned above
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200497 will work well if applied one second or so before restarting the process.
498
499For the vast majority of users, such drops will never ever happen since they
500don't have enough load to trigger the race conditions. And for most high traffic
501users, the failure rate is still fairly within the noise margin provided that at
502least SO_REUSEPORT is properly supported on their systems.
503
504
5055. File-descriptor limitations
506------------------------------
507
508In order to ensure that all incoming connections will successfully be served,
509HAProxy computes at load time the total number of file descriptors that will be
510needed during the process's life. A regular Unix process is generally granted
5111024 file descriptors by default, and a privileged process can raise this limit
512itself. This is one reason for starting HAProxy as root and letting it adjust
513the limit. The default limit of 1024 file descriptors roughly allow about 500
514concurrent connections to be processed. The computation is based on the global
515maxconn parameter which limits the total number of connections per process, the
516number of listeners, the number of servers which have a health check enabled,
517the agent checks, the peers, the loggers and possibly a few other technical
518requirements. A simple rough estimate of this number consists in simply
519doubling the maxconn value and adding a few tens to get the approximate number
520of file descriptors needed.
521
522Originally HAProxy did not know how to compute this value, and it was necessary
523to pass the value using the "ulimit-n" setting in the global section. This
524explains why even today a lot of configurations are seen with this setting
525present. Unfortunately it was often miscalculated resulting in connection
526failures when approaching maxconn instead of throttling incoming connection
527while waiting for the needed resources. For this reason it is important to
Dan Lloyd8e48b872016-07-01 21:01:18 -0400528remove any vestigial "ulimit-n" setting that can remain from very old versions.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200529
530Raising the number of file descriptors to accept even moderate loads is
531mandatory but comes with some OS-specific adjustments. First, the select()
532polling system is limited to 1024 file descriptors. In fact on Linux it used
533to be capable of handling more but since certain OS ship with excessively
534restrictive SELinux policies forbidding the use of select() with more than
5351024 file descriptors, HAProxy now refuses to start in this case in order to
536avoid any issue at run time. On all supported operating systems, poll() is
537available and will not suffer from this limitation. It is automatically picked
Dan Lloyd8e48b872016-07-01 21:01:18 -0400538so there is nothing to do to get a working configuration. But poll's becomes
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200539very slow when the number of file descriptors increases. While HAProxy does its
540best to limit this performance impact (eg: via the use of the internal file
541descriptor cache and batched processing), a good rule of thumb is that using
542poll() with more than a thousand concurrent connections will use a lot of CPU.
543
544For Linux systems base on kernels 2.6 and above, the epoll() system call will
545be used. It's a much more scalable mechanism relying on callbacks in the kernel
546that guarantee a constant wake up time regardless of the number of registered
547monitored file descriptors. It is automatically used where detected, provided
548that HAProxy had been built for one of the Linux flavors. Its presence and
549support can be verified using "haproxy -vv".
550
551For BSD systems which support it, kqueue() is available as an alternative. It
552is much faster than poll() and even slightly faster than epoll() thanks to its
553batched handling of changes. At least FreeBSD and OpenBSD support it. Just like
554with Linux's epoll(), its support and availability are reported in the output
555of "haproxy -vv".
556
557Having a good poller is one thing, but it is mandatory that the process can
558reach the limits. When HAProxy starts, it immediately sets the new process's
559file descriptor limits and verifies if it succeeds. In case of failure, it
560reports it before forking so that the administrator can see the problem. As
561long as the process is started by as root, there should be no reason for this
562setting to fail. However, it can fail if the process is started by an
563unprivileged user. If there is a compelling reason for *not* starting haproxy
564as root (eg: started by end users, or by a per-application account), then the
565file descriptor limit can be raised by the system administrator for this
566specific user. The effectiveness of the setting can be verified by issuing
567"ulimit -n" from the user's command line. It should reflect the new limit.
568
569Warning: when an unprivileged user's limits are changed in this user's account,
570it is fairly common that these values are only considered when the user logs in
571and not at all in some scripts run at system boot time nor in crontabs. This is
572totally dependent on the operating system, keep in mind to check "ulimit -n"
573before starting haproxy when running this way. The general advice is never to
574start haproxy as an unprivileged user for production purposes. Another good
575reason is that it prevents haproxy from enabling some security protections.
576
577Once it is certain that the system will allow the haproxy process to use the
578requested number of file descriptors, two new system-specific limits may be
579encountered. The first one is the system-wide file descriptor limit, which is
580the total number of file descriptors opened on the system, covering all
581processes. When this limit is reached, accept() or socket() will typically
582return ENFILE. The second one is the per-process hard limit on the number of
583file descriptors, it prevents setrlimit() from being set higher. Both are very
584dependent on the operating system. On Linux, the system limit is set at boot
585based on the amount of memory. It can be changed with the "fs.file-max" sysctl.
586And the per-process hard limit is set to 1048576 by default, but it can be
587changed using the "fs.nr_open" sysctl.
588
589File descriptor limitations may be observed on a running process when they are
590set too low. The strace utility will report that accept() and socket() return
591"-1 EMFILE" when the process's limits have been reached. In this case, simply
592raising the "ulimit-n" value (or removing it) will solve the problem. If these
593system calls return "-1 ENFILE" then it means that the kernel's limits have
594been reached and that something must be done on a system-wide parameter. These
595trouble must absolutely be addressed, as they result in high CPU usage (when
596accept() fails) and failed connections that are generally visible to the user.
597One solution also consists in lowering the global maxconn value to enforce
598serialization, and possibly to disable HTTP keep-alive to force connections
599to be released and reused faster.
600
601
6026. Memory management
603--------------------
604
605HAProxy uses a simple and fast pool-based memory management. Since it relies on
606a small number of different object types, it's much more efficient to pick new
607objects from a pool which already contains objects of the appropriate size than
608to call malloc() for each different size. The pools are organized as a stack or
609LIFO, so that newly allocated objects are taken from recently released objects
610still hot in the CPU caches. Pools of similar sizes are merged together, in
611order to limit memory fragmentation.
612
613By default, since the focus is set on performance, each released object is put
614back into the pool it came from, and allocated objects are never freed since
615they are expected to be reused very soon.
616
617On the CLI, it is possible to check how memory is being used in pools thanks to
618the "show pools" command :
619
620 > show pools
621 Dumping pools usage. Use SIGQUIT to flush them.
622 - Pool pipe (32 bytes) : 5 allocated (160 bytes), 5 used, 3 users [SHARED]
623 - Pool hlua_com (48 bytes) : 0 allocated (0 bytes), 0 used, 1 users [SHARED]
624 - Pool vars (64 bytes) : 0 allocated (0 bytes), 0 used, 2 users [SHARED]
625 - Pool task (112 bytes) : 5 allocated (560 bytes), 5 used, 1 users [SHARED]
626 - Pool session (128 bytes) : 1 allocated (128 bytes), 1 used, 2 users [SHARED]
627 - Pool http_txn (272 bytes) : 0 allocated (0 bytes), 0 used, 1 users [SHARED]
628 - Pool connection (352 bytes) : 2 allocated (704 bytes), 2 used, 1 users [SHARED]
629 - Pool hdr_idx (416 bytes) : 0 allocated (0 bytes), 0 used, 1 users [SHARED]
630 - Pool stream (864 bytes) : 1 allocated (864 bytes), 1 used, 1 users [SHARED]
631 - Pool requri (1024 bytes) : 0 allocated (0 bytes), 0 used, 1 users [SHARED]
632 - Pool buffer (8064 bytes) : 3 allocated (24192 bytes), 2 used, 1 users [SHARED]
633 Total: 11 pools, 26608 bytes allocated, 18544 used.
634
635The pool name is only indicative, it's the name of the first object type using
636this pool. The size in parenthesis is the object size for objects in this pool.
637Object sizes are always rounded up to the closest multiple of 16 bytes. The
638number of objects currently allocated and the equivalent number of bytes is
639reported so that it is easy to know which pool is responsible for the highest
640memory usage. The number of objects currently in use is reported as well in the
641"used" field. The difference between "allocated" and "used" corresponds to the
642objects that have been freed and are available for immediate use.
643
644It is possible to limit the amount of memory allocated per process using the
645"-m" command line option, followed by a number of megabytes. It covers all of
646the process's addressable space, so that includes memory used by some libraries
647as well as the stack, but it is a reliable limit when building a resource
648constrained system. It works the same way as "ulimit -v" on systems which have
649it, or "ulimit -d" for the other ones.
650
651If a memory allocation fails due to the memory limit being reached or because
652the system doesn't have any enough memory, then haproxy will first start to
653free all available objects from all pools before attempting to allocate memory
654again. This mechanism of releasing unused memory can be triggered by sending
655the signal SIGQUIT to the haproxy process. When doing so, the pools state prior
656to the flush will also be reported to stderr when the process runs in
657foreground.
658
659During a reload operation, the process switched to the graceful stop state also
660automatically performs some flushes after releasing any connection so that all
661possible memory is released to save it for the new process.
662
663
6647. CPU usage
665------------
666
667HAProxy normally spends most of its time in the system and a smaller part in
668userland. A finely tuned 3.5 GHz CPU can sustain a rate about 80000 end-to-end
669connection setups and closes per second at 100% CPU on a single core. When one
670core is saturated, typical figures are :
671 - 95% system, 5% user for long TCP connections or large HTTP objects
672 - 85% system and 15% user for short TCP connections or small HTTP objects in
673 close mode
674 - 70% system and 30% user for small HTTP objects in keep-alive mode
675
676The amount of rules processing and regular expressions will increase the user
677land part. The presence of firewall rules, connection tracking, complex routing
678tables in the system will instead increase the system part.
679
680On most systems, the CPU time observed during network transfers can be cut in 4
681parts :
682 - the interrupt part, which concerns all the processing performed upon I/O
683 receipt, before the target process is even known. Typically Rx packets are
684 accounted for in interrupt. On some systems such as Linux where interrupt
685 processing may be deferred to a dedicated thread, it can appear as softirq,
686 and the thread is called ksoftirqd/0 (for CPU 0). The CPU taking care of
687 this load is generally defined by the hardware settings, though in the case
688 of softirq it is often possible to remap the processing to another CPU.
689 This interrupt part will often be perceived as parasitic since it's not
690 associated with any process, but it actually is some processing being done
691 to prepare the work for the process.
692
693 - the system part, which concerns all the processing done using kernel code
694 called from userland. System calls are accounted as system for example. All
695 synchronously delivered Tx packets will be accounted for as system time. If
696 some packets have to be deferred due to queues filling up, they may then be
697 processed in interrupt context later (eg: upon receipt of an ACK opening a
698 TCP window).
699
700 - the user part, which exclusively runs application code in userland. HAProxy
701 runs exclusively in this part, though it makes heavy use of system calls.
702 Rules processing, regular expressions, compression, encryption all add to
703 the user portion of CPU consumption.
704
705 - the idle part, which is what the CPU does when there is nothing to do. For
706 example HAProxy waits for an incoming connection, or waits for some data to
707 leave, meaning the system is waiting for an ACK from the client to push
708 these data.
709
710In practice regarding HAProxy's activity, it is in general reasonably accurate
711(but totally inexact) to consider that interrupt/softirq are caused by Rx
712processing in kernel drivers, that user-land is caused by layer 7 processing
713in HAProxy, and that system time is caused by network processing on the Tx
714path.
715
716Since HAProxy runs around an event loop, it waits for new events using poll()
717(or any alternative) and processes all these events as fast as possible before
718going back to poll() waiting for new events. It measures the time spent waiting
719in poll() compared to the time spent doing processing events. The ratio of
720polling time vs total time is called the "idle" time, it's the amount of time
721spent waiting for something to happen. This ratio is reported in the stats page
722on the "idle" line, or "Idle_pct" on the CLI. When it's close to 100%, it means
723the load is extremely low. When it's close to 0%, it means that there is
724constantly some activity. While it cannot be very accurate on an overloaded
725system due to other processes possibly preempting the CPU from the haproxy
726process, it still provides a good estimate about how HAProxy considers it is
727working : if the load is low and the idle ratio is low as well, it may indicate
728that HAProxy has a lot of work to do, possibly due to very expensive rules that
729have to be processed. Conversely, if HAProxy indicates the idle is close to
730100% while things are slow, it means that it cannot do anything to speed things
731up because it is already waiting for incoming data to process. In the example
732below, haproxy is completely idle :
733
734 $ echo "show info" | socat - /var/run/haproxy.sock | grep ^Idle
735 Idle_pct: 100
736
737When the idle ratio starts to become very low, it is important to tune the
738system and place processes and interrupts correctly to save the most possible
739CPU resources for all tasks. If a firewall is present, it may be worth trying
740to disable it or to tune it to ensure it is not responsible for a large part
741of the performance limitation. It's worth noting that unloading a stateful
742firewall generally reduces both the amount of interrupt/softirq and of system
743usage since such firewalls act both on the Rx and the Tx paths. On Linux,
744unloading the nf_conntrack and ip_conntrack modules will show whether there is
745anything to gain. If so, then the module runs with default settings and you'll
746have to figure how to tune it for better performance. In general this consists
747in considerably increasing the hash table size. On FreeBSD, "pfctl -d" will
748disable the "pf" firewall and its stateful engine at the same time.
749
750If it is observed that a lot of time is spent in interrupt/softirq, it is
751important to ensure that they don't run on the same CPU. Most systems tend to
752pin the tasks on the CPU where they receive the network traffic because for
753certain workloads it improves things. But with heavily network-bound workloads
754it is the opposite as the haproxy process will have to fight against its kernel
755counterpart. Pinning haproxy to one CPU core and the interrupts to another one,
756all sharing the same L3 cache tends to sensibly increase network performance
757because in practice the amount of work for haproxy and the network stack are
758quite close, so they can almost fill an entire CPU each. On Linux this is done
759using taskset (for haproxy) or using cpu-map (from the haproxy config), and the
760interrupts are assigned under /proc/irq. Many network interfaces support
761multiple queues and multiple interrupts. In general it helps to spread them
762across a small number of CPU cores provided they all share the same L3 cache.
763Please always stop irq_balance which always does the worst possible thing on
764such workloads.
765
766For CPU-bound workloads consisting in a lot of SSL traffic or a lot of
767compression, it may be worth using multiple processes dedicated to certain
768tasks, though there is no universal rule here and experimentation will have to
769be performed.
770
771In order to increase the CPU capacity, it is possible to make HAProxy run as
772several processes, using the "nbproc" directive in the global section. There
773are some limitations though :
774 - health checks are run per process, so the target servers will get as many
775 checks as there are running processes ;
776 - maxconn values and queues are per-process so the correct value must be set
777 to avoid overloading the servers ;
778 - outgoing connections should avoid using port ranges to avoid conflicts
779 - stick-tables are per process and are not shared between processes ;
780 - each peers section may only run on a single process at a time ;
781 - the CLI operations will only act on a single process at a time.
782
783With this in mind, it appears that the easiest setup often consists in having
784one first layer running on multiple processes and in charge for the heavy
785processing, passing the traffic to a second layer running in a single process.
786This mechanism is suited to SSL and compression which are the two CPU-heavy
787features. Instances can easily be chained over UNIX sockets (which are cheaper
fengpeiyuancc123c62016-01-15 16:40:53 +0800788than TCP sockets and which do not waste ports), and the proxy protocol which is
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200789useful to pass client information to the next stage. When doing so, it is
790generally a good idea to bind all the single-process tasks to process number 1
791and extra tasks to next processes, as this will make it easier to generate
792similar configurations for different machines.
793
794On Linux versions 3.9 and above, running HAProxy in multi-process mode is much
795more efficient when each process uses a distinct listening socket on the same
796IP:port ; this will make the kernel evenly distribute the load across all
797processes instead of waking them all up. Please check the "process" option of
798the "bind" keyword lines in the configuration manual for more information.
799
800
8018. Logging
802----------
803
804For logging, HAProxy always relies on a syslog server since it does not perform
805any file-system access. The standard way of using it is to send logs over UDP
806to the log server (by default on port 514). Very commonly this is configured to
807127.0.0.1 where the local syslog daemon is running, but it's also used over the
808network to log to a central server. The central server provides additional
809benefits especially in active-active scenarios where it is desirable to keep
810the logs merged in arrival order. HAProxy may also make use of a UNIX socket to
811send its logs to the local syslog daemon, but it is not recommended at all,
812because if the syslog server is restarted while haproxy runs, the socket will
813be replaced and new logs will be lost. Since HAProxy will be isolated inside a
814chroot jail, it will not have the ability to reconnect to the new socket. It
815has also been observed in field that the log buffers in use on UNIX sockets are
816very small and lead to lost messages even at very light loads. But this can be
817fine for testing however.
818
819It is recommended to add the following directive to the "global" section to
820make HAProxy log to the local daemon using facility "local0" :
821
822 log 127.0.0.1:514 local0
823
824and then to add the following one to each "defaults" section or to each frontend
825and backend section :
826
827 log global
828
829This way, all logs will be centralized through the global definition of where
830the log server is.
831
832Some syslog daemons do not listen to UDP traffic by default, so depending on
833the daemon being used, the syntax to enable this will vary :
834
835 - on sysklogd, you need to pass argument "-r" on the daemon's command line
836 so that it listens to a UDP socket for "remote" logs ; note that there is
837 no way to limit it to address 127.0.0.1 so it will also receive logs from
838 remote systems ;
839
840 - on rsyslogd, the following lines must be added to the configuration file :
841
842 $ModLoad imudp
843 $UDPServerAddress *
844 $UDPServerRun 514
845
846 - on syslog-ng, a new source can be created the following way, it then needs
847 to be added as a valid source in one of the "log" directives :
848
849 source s_udp {
850 udp(ip(127.0.0.1) port(514));
851 };
852
853Please consult your syslog daemon's manual for more information. If no logs are
854seen in the system's log files, please consider the following tests :
855
856 - restart haproxy. Each frontend and backend logs one line indicating it's
857 starting. If these logs are received, it means logs are working.
858
859 - run "strace -tt -s100 -etrace=sendmsg -p <haproxy's pid>" and perform some
860 activity that you expect to be logged. You should see the log messages
861 being sent using sendmsg() there. If they don't appear, restart using
862 strace on top of haproxy. If you still see no logs, it definitely means
863 that something is wrong in your configuration.
864
865 - run tcpdump to watch for port 514, for example on the loopback interface if
866 the traffic is being sent locally : "tcpdump -As0 -ni lo port 514". If the
867 packets are seen there, it's the proof they're sent then the syslogd daemon
868 needs to be troubleshooted.
869
870While traffic logs are sent from the frontends (where the incoming connections
871are accepted), backends also need to be able to send logs in order to report a
872server state change consecutive to a health check. Please consult HAProxy's
873configuration manual for more information regarding all possible log settings.
874
Dan Lloyd8e48b872016-07-01 21:01:18 -0400875It is convenient to chose a facility that is not used by other daemons. HAProxy
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200876examples often suggest "local0" for traffic logs and "local1" for admin logs
877because they're never seen in field. A single facility would be enough as well.
878Having separate logs is convenient for log analysis, but it's also important to
879remember that logs may sometimes convey confidential information, and as such
Dan Lloyd8e48b872016-07-01 21:01:18 -0400880they must not be mixed with other logs that may accidentally be handed out to
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200881unauthorized people.
882
883For in-field troubleshooting without impacting the server's capacity too much,
884it is recommended to make use of the "halog" utility provided with HAProxy.
885This is sort of a grep-like utility designed to process HAProxy log files at
886a very fast data rate. Typical figures range between 1 and 2 GB of logs per
887second. It is capable of extracting only certain logs (eg: search for some
888classes of HTTP status codes, connection termination status, search by response
889time ranges, look for errors only), count lines, limit the output to a number
890of lines, and perform some more advanced statistics such as sorting servers
891by response time or error counts, sorting URLs by time or count, sorting client
892addresses by access count, and so on. It is pretty convenient to quickly spot
893anomalies such as a bot looping on the site, and block them.
894
895
8969. Statistics and monitoring
897----------------------------
898
Willy Tarreau44aed902015-10-13 14:45:29 +0200899It is possible to query HAProxy about its status. The most commonly used
900mechanism is the HTTP statistics page. This page also exposes an alternative
901CSV output format for monitoring tools. The same format is provided on the
902Unix socket.
903
904
9059.1. CSV format
906---------------
907
908The statistics may be consulted either from the unix socket or from the HTTP
909page. Both means provide a CSV format whose fields follow. The first line
910begins with a sharp ('#') and has one word per comma-delimited field which
911represents the title of the column. All other lines starting at the second one
912use a classical CSV format using a comma as the delimiter, and the double quote
913('"') as an optional text delimiter, but only if the enclosed text is ambiguous
914(if it contains a quote or a comma). The double-quote character ('"') in the
915text is doubled ('""'), which is the format that most tools recognize. Please
916do not insert any column before these ones in order not to break tools which
917use hard-coded column positions.
918
919In brackets after each field name are the types which may have a value for
920that field. The types are L (Listeners), F (Frontends), B (Backends), and
921S (Servers).
922
923 0. pxname [LFBS]: proxy name
924 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend,
925 any name for server/listener)
926 2. qcur [..BS]: current queued requests. For the backend this reports the
927 number queued without a server assigned.
928 3. qmax [..BS]: max value of qcur
929 4. scur [LFBS]: current sessions
930 5. smax [LFBS]: max sessions
931 6. slim [LFBS]: configured session limit
Willy Tarreauc73810f2016-01-11 13:52:04 +0100932 7. stot [LFBS]: cumulative number of sessions
Willy Tarreau44aed902015-10-13 14:45:29 +0200933 8. bin [LFBS]: bytes in
934 9. bout [LFBS]: bytes out
935 10. dreq [LFB.]: requests denied because of security concerns.
936 - For tcp this is because of a matched tcp-request content rule.
937 - For http this is because of a matched http-request or tarpit rule.
938 11. dresp [LFBS]: responses denied because of security concerns.
939 - For http this is because of a matched http-request rule, or
940 "option checkcache".
941 12. ereq [LF..]: request errors. Some of the possible causes are:
942 - early termination from the client, before the request has been sent.
943 - read error from the client
944 - client timeout
945 - client closed connection
946 - various bad requests from the client.
947 - request was tarpitted.
948 13. econ [..BS]: number of requests that encountered an error trying to
949 connect to a backend server. The backend stat is the sum of the stat
950 for all servers of that backend, plus any connection errors not
951 associated with a particular server (such as the backend having no
952 active servers).
953 14. eresp [..BS]: response errors. srv_abrt will be counted here also.
954 Some other errors are:
955 - write error on the client socket (won't be counted for the server stat)
956 - failure applying filters to the response.
957 15. wretr [..BS]: number of times a connection to a server was retried.
958 16. wredis [..BS]: number of times a request was redispatched to another
959 server. The server value counts the number of times that server was
960 switched away from.
Willy Tarreaub96dd282016-11-09 14:45:51 +0100961 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)/MAINT(resolution)...)
Willy Tarreau44aed902015-10-13 14:45:29 +0200962 18. weight [..BS]: total weight (backend), server weight (server)
963 19. act [..BS]: number of active servers (backend), server is active (server)
964 20. bck [..BS]: number of backup servers (backend), server is backup (server)
965 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
966 the server is up.)
967 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
968 transitions to the whole backend being down, rather than the sum of the
969 counters for each server.
970 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition
971 24. downtime [..BS]: total downtime (in seconds). The value for the backend
972 is the downtime for the whole backend, not the sum of the server downtime.
973 25. qlimit [...S]: configured maxqueue for the server, or nothing in the
974 value is 0 (default, meaning no limit)
975 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...)
976 27. iid [LFBS]: unique proxy id
977 28. sid [L..S]: server id (unique inside a proxy)
978 29. throttle [...S]: current throttle percentage for the server, when
979 slowstart is active, or no value if not in slowstart.
980 30. lbtot [..BS]: total number of times a server was selected, either for new
981 sessions, or when re-dispatching. The server counter is the number
982 of times that server was selected.
983 31. tracked [...S]: id of proxy/server if tracking is enabled.
984 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener)
985 33. rate [.FBS]: number of sessions per second over last elapsed second
986 34. rate_lim [.F..]: configured limit on new sessions per second
987 35. rate_max [.FBS]: max number of new sessions per second
988 36. check_status [...S]: status of last health check, one of:
989 UNK -> unknown
990 INI -> initializing
991 SOCKERR -> socket error
992 L4OK -> check passed on layer 4, no upper layers testing enabled
993 L4TOUT -> layer 1-4 timeout
994 L4CON -> layer 1-4 connection problem, for example
995 "Connection refused" (tcp rst) or "No route to host" (icmp)
996 L6OK -> check passed on layer 6
997 L6TOUT -> layer 6 (SSL) timeout
998 L6RSP -> layer 6 invalid response - protocol error
999 L7OK -> check passed on layer 7
1000 L7OKC -> check conditionally passed on layer 7, for example 404 with
1001 disable-on-404
1002 L7TOUT -> layer 7 (HTTP/SMTP) timeout
1003 L7RSP -> layer 7 invalid response - protocol error
1004 L7STS -> layer 7 response error, for example HTTP 5xx
1005 37. check_code [...S]: layer5-7 code, if available
1006 38. check_duration [...S]: time in ms took to finish last health check
1007 39. hrsp_1xx [.FBS]: http responses with 1xx code
1008 40. hrsp_2xx [.FBS]: http responses with 2xx code
1009 41. hrsp_3xx [.FBS]: http responses with 3xx code
1010 42. hrsp_4xx [.FBS]: http responses with 4xx code
1011 43. hrsp_5xx [.FBS]: http responses with 5xx code
1012 44. hrsp_other [.FBS]: http responses with other codes (protocol error)
1013 45. hanafail [...S]: failed health checks details
1014 46. req_rate [.F..]: HTTP requests per second over last elapsed second
1015 47. req_rate_max [.F..]: max number of HTTP requests per second observed
Willy Tarreaufb981bd2016-12-12 14:31:46 +01001016 48. req_tot [.FB.]: total number of HTTP requests received
Willy Tarreau44aed902015-10-13 14:45:29 +02001017 49. cli_abrt [..BS]: number of data transfers aborted by the client
1018 50. srv_abrt [..BS]: number of data transfers aborted by the server
1019 (inc. in eresp)
1020 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor
1021 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor
1022 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor
1023 (CPU/BW limit)
1024 54. comp_rsp [.FB.]: number of HTTP responses that were compressed
1025 55. lastsess [..BS]: number of seconds since last session assigned to
1026 server/backend
1027 56. last_chk [...S]: last health check contents or textual error
1028 57. last_agt [...S]: last agent check contents or textual error
1029 58. qtime [..BS]: the average queue time in ms over the 1024 last requests
1030 59. ctime [..BS]: the average connect time in ms over the 1024 last requests
1031 60. rtime [..BS]: the average response time in ms over the 1024 last requests
1032 (0 for TCP)
1033 61. ttime [..BS]: the average total session time in ms over the 1024 last
1034 requests
Willy Tarreau7f618842016-01-08 11:40:03 +01001035 62. agent_status [...S]: status of last agent check, one of:
1036 UNK -> unknown
1037 INI -> initializing
1038 SOCKERR -> socket error
1039 L4OK -> check passed on layer 4, no upper layers testing enabled
1040 L4TOUT -> layer 1-4 timeout
1041 L4CON -> layer 1-4 connection problem, for example
1042 "Connection refused" (tcp rst) or "No route to host" (icmp)
1043 L7OK -> agent reported "up"
1044 L7STS -> agent reported "fail", "stop", or "down"
1045 63. agent_code [...S]: numeric code reported by agent if any (unused for now)
1046 64. agent_duration [...S]: time in ms taken to finish last check
Willy Tarreaudd7354b2016-01-08 13:47:26 +01001047 65. check_desc [...S]: short human-readable description of check_status
1048 66. agent_desc [...S]: short human-readable description of agent_status
Willy Tarreau3141f592016-01-08 14:25:28 +01001049 67. check_rise [...S]: server's "rise" parameter used by checks
1050 68. check_fall [...S]: server's "fall" parameter used by checks
1051 69. check_health [...S]: server's health check value between 0 and rise+fall-1
1052 70. agent_rise [...S]: agent's "rise" parameter, normally 1
1053 71. agent_fall [...S]: agent's "fall" parameter, normally 1
1054 72. agent_health [...S]: agent's health parameter, between 0 and rise+fall-1
Willy Tarreaua6f5a732016-01-08 16:59:56 +01001055 73. addr [L..S]: address:port or "unix". IPv6 has brackets around the address.
Willy Tarreaue4847c62016-01-08 15:43:54 +01001056 74: cookie [..BS]: server's cookie value or backend's cookie name
Willy Tarreauf8211df2016-01-11 14:09:38 +01001057 75: mode [LFBS]: proxy mode (tcp, http, health, unknown)
Willy Tarreauf1516d92016-01-11 14:48:36 +01001058 76: algo [..B.]: load balancing algorithm
Willy Tarreauc73810f2016-01-11 13:52:04 +01001059 77: conn_rate [.F..]: number of connections over the last elapsed second
1060 78: conn_rate_max [.F..]: highest known conn_rate
1061 79: conn_tot [.F..]: cumulative number of connections
Willy Tarreau5b9bdff2016-01-11 14:40:47 +01001062 80: intercepted [.FB.]: cum. number of intercepted requests (monitor, stats)
Willy Tarreau8a90b8e2016-10-21 18:15:32 +02001063 81: dcon [LF..]: requests denied by "tcp-request connection" rules
Willy Tarreaua5bc36b2016-10-21 18:16:27 +02001064 82: dses [LF..]: requests denied by "tcp-request session" rules
Willy Tarreau44aed902015-10-13 14:45:29 +02001065
1066
Willy Tarreau5d8b9792016-03-11 11:09:34 +010010679.2) Typed output format
1068------------------------
1069
1070Both "show info" and "show stat" support a mode where each output value comes
1071with its type and sufficient information to know how the value is supposed to
1072be aggregated between processes and how it evolves.
1073
1074In all cases, the output consists in having a single value per line with all
1075the information split into fields delimited by colons (':').
1076
1077The first column designates the object or metric being dumped. Its format is
1078specific to the command producing this output and will not be described in this
1079section. Usually it will consist in a series of identifiers and field names.
1080
1081The second column contains 3 characters respectively indicating the origin, the
1082nature and the scope of the value being reported. The first character (the
1083origin) indicates where the value was extracted from. Possible characters are :
1084
1085 M The value is a metric. It is valid at one instant any may change depending
1086 on its nature .
1087
1088 S The value is a status. It represents a discrete value which by definition
1089 cannot be aggregated. It may be the status of a server ("UP" or "DOWN"),
1090 the PID of the process, etc.
1091
1092 K The value is a sorting key. It represents an identifier which may be used
1093 to group some values together because it is unique among its class. All
1094 internal identifiers are keys. Some names can be listed as keys if they
1095 are unique (eg: a frontend name is unique). In general keys come from the
Dan Lloyd8e48b872016-07-01 21:01:18 -04001096 configuration, even though some of them may automatically be assigned. For
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001097 most purposes keys may be considered as equivalent to configuration.
1098
1099 C The value comes from the configuration. Certain configuration values make
1100 sense on the output, for example a concurrent connection limit or a cookie
1101 name. By definition these values are the same in all processes started
1102 from the same configuration file.
1103
1104 P The value comes from the product itself. There are very few such values,
1105 most common use is to report the product name, version and release date.
1106 These elements are also the same between all processes.
1107
1108The second character (the nature) indicates the nature of the information
1109carried by the field in order to let an aggregator decide on what operation to
1110use to aggregate multiple values. Possible characters are :
1111
1112 A The value represents an age since a last event. This is a bit different
1113 from the duration in that an age is automatically computed based on the
1114 current date. A typical example is how long ago did the last session
1115 happen on a server. Ages are generally aggregated by taking the minimum
1116 value and do not need to be stored.
1117
1118 a The value represents an already averaged value. The average response times
1119 and server weights are of this nature. Averages can typically be averaged
1120 between processes.
1121
1122 C The value represents a cumulative counter. Such measures perpetually
1123 increase until they wrap around. Some monitoring protocols need to tell
1124 the difference between a counter and a gauge to report a different type.
1125 In general counters may simply be summed since they represent events or
1126 volumes. Examples of metrics of this nature are connection counts or byte
1127 counts.
1128
1129 D The value represents a duration for a status. There are a few usages of
1130 this, most of them include the time taken by the last health check and
1131 the time a server has spent down. Durations are generally not summed,
1132 most of the time the maximum will be retained to compute an SLA.
1133
1134 G The value represents a gauge. It's a measure at one instant. The memory
1135 usage or the current number of active connections are of this nature.
1136 Metrics of this type are typically summed during aggregation.
1137
1138 L The value represents a limit (generally a configured one). By nature,
1139 limits are harder to aggregate since they are specific to the point where
1140 they were retrieved. In certain situations they may be summed or be kept
1141 separate.
1142
1143 M The value represents a maximum. In general it will apply to a gauge and
1144 keep the highest known value. An example of such a metric could be the
1145 maximum amount of concurrent connections that was encountered in the
1146 product's life time. To correctly aggregate maxima, you are supposed to
1147 output a range going from the maximum of all maxima and the sum of all
1148 of them. There is indeed no way to know if they were encountered
1149 simultaneously or not.
1150
1151 m The value represents a minimum. In general it will apply to a gauge and
1152 keep the lowest known value. An example of such a metric could be the
1153 minimum amount of free memory pools that was encountered in the product's
1154 life time. To correctly aggregate minima, you are supposed to output a
1155 range going from the minimum of all minima and the sum of all of them.
1156 There is indeed no way to know if they were encountered simultaneously
1157 or not.
1158
1159 N The value represents a name, so it is a string. It is used to report
1160 proxy names, server names and cookie names. Names have configuration or
1161 keys as their origin and are supposed to be the same among all processes.
1162
1163 O The value represents a free text output. Outputs from various commands,
1164 returns from health checks, node descriptions are of such nature.
1165
1166 R The value represents an event rate. It's a measure at one instant. It is
1167 quite similar to a gauge except that the recipient knows that this measure
1168 moves slowly and may decide not to keep all values. An example of such a
1169 metric is the measured amount of connections per second. Metrics of this
1170 type are typically summed during aggregation.
1171
1172 T The value represents a date or time. A field emitting the current date
1173 would be of this type. The method to aggregate such information is left
1174 as an implementation choice. For now no field uses this type.
1175
1176The third character (the scope) indicates what extent the value reflects. Some
1177elements may be per process while others may be per configuration or per system.
1178The distinction is important to know whether or not a single value should be
1179kept during aggregation or if values have to be aggregated. The following
1180characters are currently supported :
1181
1182 C The value is valid for a whole cluster of nodes, which is the set of nodes
1183 communicating over the peers protocol. An example could be the amount of
1184 entries present in a stick table that is replicated with other peers. At
1185 the moment no metric use this scope.
1186
1187 P The value is valid only for the process reporting it. Most metrics use
1188 this scope.
1189
1190 S The value is valid for the whole service, which is the set of processes
1191 started together from the same configuration file. All metrics originating
1192 from the configuration use this scope. Some other metrics may use it as
1193 well for some shared resources (eg: shared SSL cache statistics).
1194
1195 s The value is valid for the whole system, such as the system's hostname,
1196 current date or resource usage. At the moment this scope is not used by
1197 any metric.
1198
1199Consumers of these information will generally have enough of these 3 characters
1200to determine how to accurately report aggregated information across multiple
1201processes.
1202
1203After this column, the third column indicates the type of the field, among "s32"
1204(signed 32-bit integer), "s64" (signed 64-bit integer), "u32" (unsigned 32-bit
1205integer), "u64" (unsigned 64-bit integer), "str" (string). It is important to
1206know the type before parsing the value in order to properly read it. For example
1207a string containing only digits is still a string an not an integer (eg: an
1208error code extracted by a check).
1209
1210Then the fourth column is the value itself, encoded according to its type.
1211Strings are dumped as-is immediately after the colon without any leading space.
1212If a string contains a colon, it will appear normally. This means that the
1213output should not be exclusively split around colons or some check outputs
1214or server addresses might be truncated.
1215
1216
12179.3. Unix Socket commands
Willy Tarreau44aed902015-10-13 14:45:29 +02001218-------------------------
1219
1220The stats socket is not enabled by default. In order to enable it, it is
1221necessary to add one line in the global section of the haproxy configuration.
1222A second line is recommended to set a larger timeout, always appreciated when
1223issuing commands by hand :
1224
1225 global
1226 stats socket /var/run/haproxy.sock mode 600 level admin
1227 stats timeout 2m
1228
1229It is also possible to add multiple instances of the stats socket by repeating
1230the line, and make them listen to a TCP port instead of a UNIX socket. This is
1231never done by default because this is dangerous, but can be handy in some
1232situations :
1233
1234 global
1235 stats socket /var/run/haproxy.sock mode 600 level admin
1236 stats socket ipv4@192.168.0.1:9999 level admin
1237 stats timeout 2m
1238
1239To access the socket, an external utility such as "socat" is required. Socat is
1240a swiss-army knife to connect anything to anything. We use it to connect
1241terminals to the socket, or a couple of stdin/stdout pipes to it for scripts.
1242The two main syntaxes we'll use are the following :
1243
1244 # socat /var/run/haproxy.sock stdio
1245 # socat /var/run/haproxy.sock readline
1246
1247The first one is used with scripts. It is possible to send the output of a
1248script to haproxy, and pass haproxy's output to another script. That's useful
1249for retrieving counters or attack traces for example.
1250
1251The second one is only useful for issuing commands by hand. It has the benefit
1252that the terminal is handled by the readline library which supports line
1253editing and history, which is very convenient when issuing repeated commands
1254(eg: watch a counter).
1255
1256The socket supports two operation modes :
1257 - interactive
1258 - non-interactive
1259
1260The non-interactive mode is the default when socat connects to the socket. In
1261this mode, a single line may be sent. It is processed as a whole, responses are
1262sent back, and the connection closes after the end of the response. This is the
1263mode that scripts and monitoring tools use. It is possible to send multiple
1264commands in this mode, they need to be delimited by a semi-colon (';'). For
1265example :
1266
1267 # echo "show info;show stat;show table" | socat /var/run/haproxy stdio
1268
Dragan Dosena1c35ab2016-11-24 11:33:12 +01001269If a command needs to use a semi-colon or a backslash (eg: in a value), it
1270must be preceeded by a backslash ('\').
Chad Lavoiee3f50312016-05-26 16:42:25 -04001271
Willy Tarreau44aed902015-10-13 14:45:29 +02001272The interactive mode displays a prompt ('>') and waits for commands to be
1273entered on the line, then processes them, and displays the prompt again to wait
1274for a new command. This mode is entered via the "prompt" command which must be
1275sent on the first line in non-interactive mode. The mode is a flip switch, if
1276"prompt" is sent in interactive mode, it is disabled and the connection closes
1277after processing the last command of the same line.
1278
1279For this reason, when debugging by hand, it's quite common to start with the
1280"prompt" command :
1281
1282 # socat /var/run/haproxy readline
1283 prompt
1284 > show info
1285 ...
1286 >
1287
1288Since multiple commands may be issued at once, haproxy uses the empty line as a
1289delimiter to mark an end of output for each command, and takes care of ensuring
1290that no command can emit an empty line on output. A script can thus easily
1291parse the output even when multiple commands were pipelined on a single line.
1292
1293It is important to understand that when multiple haproxy processes are started
1294on the same sockets, any process may pick up the request and will output its
1295own stats.
1296
1297The list of commands currently supported on the stats socket is provided below.
1298If an unknown command is sent, haproxy displays the usage message which reminds
1299all supported commands. Some commands support a more complex syntax, generally
1300it will explain what part of the command is invalid when this happens.
1301
1302add acl <acl> <pattern>
1303 Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
1304 "show acl". This command does not verify if the entry already exists. This
1305 command cannot be used if the reference <acl> is a file also used with a map.
1306 In this case, you must use the command "add map" in place of "add acl".
1307
1308add map <map> <key> <value>
1309 Add an entry into the map <map> to associate the value <value> to the key
1310 <key>. This command does not verify if the entry already exists. It is
1311 mainly used to fill a map after a clear operation. Note that if the reference
1312 <map> is a file and is shared with a map, this map will contain also a new
1313 pattern entry.
1314
1315clear counters
1316 Clear the max values of the statistics counters in each proxy (frontend &
Dan Lloyd8e48b872016-07-01 21:01:18 -04001317 backend) and in each server. The accumulated counters are not affected. This
Willy Tarreau44aed902015-10-13 14:45:29 +02001318 can be used to get clean counters after an incident, without having to
1319 restart nor to clear traffic counters. This command is restricted and can
1320 only be issued on sockets configured for levels "operator" or "admin".
1321
1322clear counters all
1323 Clear all statistics counters in each proxy (frontend & backend) and in each
1324 server. This has the same effect as restarting. This command is restricted
1325 and can only be issued on sockets configured for level "admin".
1326
1327clear acl <acl>
1328 Remove all entries from the acl <acl>. <acl> is the #<id> or the <file>
1329 returned by "show acl". Note that if the reference <acl> is a file and is
1330 shared with a map, this map will be also cleared.
1331
1332clear map <map>
1333 Remove all entries from the map <map>. <map> is the #<id> or the <file>
1334 returned by "show map". Note that if the reference <map> is a file and is
1335 shared with a acl, this acl will be also cleared.
1336
1337clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
1338 Remove entries from the stick-table <table>.
1339
1340 This is typically used to unblock some users complaining they have been
1341 abusively denied access to a service, but this can also be used to clear some
1342 stickiness entries matching a server that is going to be replaced (see "show
1343 table" below for details). Note that sometimes, removal of an entry will be
1344 refused because it is currently tracked by a session. Retrying a few seconds
1345 later after the session ends is usual enough.
1346
1347 In the case where no options arguments are given all entries will be removed.
1348
1349 When the "data." form is used entries matching a filter applied using the
1350 stored data (see "stick-table" in section 4.2) are removed. A stored data
1351 type must be specified in <type>, and this data type must be stored in the
1352 table otherwise an error is reported. The data is compared according to
1353 <operator> with the 64-bit integer <value>. Operators are the same as with
1354 the ACLs :
1355
1356 - eq : match entries whose data is equal to this value
1357 - ne : match entries whose data is not equal to this value
1358 - le : match entries whose data is less than or equal to this value
1359 - ge : match entries whose data is greater than or equal to this value
1360 - lt : match entries whose data is less than this value
1361 - gt : match entries whose data is greater than this value
1362
1363 When the key form is used the entry <key> is removed. The key must be of the
1364 same type as the table, which currently is limited to IPv4, IPv6, integer and
1365 string.
1366
1367 Example :
1368 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1369 >>> # table: http_proxy, type: ip, size:204800, used:2
1370 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
1371 bytes_out_rate(60000)=187
1372 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
1373 bytes_out_rate(60000)=191
1374
1375 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
1376
1377 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1378 >>> # table: http_proxy, type: ip, size:204800, used:1
1379 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
1380 bytes_out_rate(60000)=191
1381 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
1382 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1383 >>> # table: http_proxy, type: ip, size:204800, used:1
1384
1385del acl <acl> [<key>|#<ref>]
1386 Delete all the acl entries from the acl <acl> corresponding to the key <key>.
1387 <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used,
1388 this command delete only the listed reference. The reference can be found with
1389 listing the content of the acl. Note that if the reference <acl> is a file and
1390 is shared with a map, the entry will be also deleted in the map.
1391
1392del map <map> [<key>|#<ref>]
1393 Delete all the map entries from the map <map> corresponding to the key <key>.
1394 <map> is the #<id> or the <file> returned by "show map". If the <ref> is used,
1395 this command delete only the listed reference. The reference can be found with
1396 listing the content of the map. Note that if the reference <map> is a file and
1397 is shared with a acl, the entry will be also deleted in the map.
1398
1399disable agent <backend>/<server>
1400 Mark the auxiliary agent check as temporarily stopped.
1401
1402 In the case where an agent check is being run as a auxiliary check, due
1403 to the agent-check parameter of a server directive, new checks are only
Dan Lloyd8e48b872016-07-01 21:01:18 -04001404 initialized when the agent is in the enabled. Thus, disable agent will
Willy Tarreau44aed902015-10-13 14:45:29 +02001405 prevent any new agent checks from begin initiated until the agent
1406 re-enabled using enable agent.
1407
1408 When an agent is disabled the processing of an auxiliary agent check that
1409 was initiated while the agent was set as enabled is as follows: All
1410 results that would alter the weight, specifically "drain" or a weight
1411 returned by the agent, are ignored. The processing of agent check is
1412 otherwise unchanged.
1413
1414 The motivation for this feature is to allow the weight changing effects
1415 of the agent checks to be paused to allow the weight of a server to be
1416 configured using set weight without being overridden by the agent.
1417
1418 This command is restricted and can only be issued on sockets configured for
1419 level "admin".
1420
Olivier Houchard614f8d72017-03-14 20:08:46 +01001421disable dynamic-cookie backend <backend>
1422 Disable the generation of dynamic cookies fot the backend <backend>
1423
Willy Tarreau44aed902015-10-13 14:45:29 +02001424disable frontend <frontend>
1425 Mark the frontend as temporarily stopped. This corresponds to the mode which
1426 is used during a soft restart : the frontend releases the port but can be
1427 enabled again if needed. This should be used with care as some non-Linux OSes
1428 are unable to enable it back. This is intended to be used in environments
1429 where stopping a proxy is not even imaginable but a misconfigured proxy must
1430 be fixed. That way it's possible to release the port and bind it into another
1431 process to restore operations. The frontend will appear with status "STOP"
1432 on the stats page.
1433
1434 The frontend may be specified either by its name or by its numeric ID,
1435 prefixed with a sharp ('#').
1436
1437 This command is restricted and can only be issued on sockets configured for
1438 level "admin".
1439
1440disable health <backend>/<server>
1441 Mark the primary health check as temporarily stopped. This will disable
1442 sending of health checks, and the last health check result will be ignored.
1443 The server will be in unchecked state and considered UP unless an auxiliary
1444 agent check forces it down.
1445
1446 This command is restricted and can only be issued on sockets configured for
1447 level "admin".
1448
1449disable server <backend>/<server>
1450 Mark the server DOWN for maintenance. In this mode, no more checks will be
1451 performed on the server until it leaves maintenance.
1452 If the server is tracked by other servers, those servers will be set to DOWN
1453 during the maintenance.
1454
1455 In the statistics page, a server DOWN for maintenance will appear with a
1456 "MAINT" status, its tracking servers with the "MAINT(via)" one.
1457
1458 Both the backend and the server may be specified either by their name or by
1459 their numeric ID, prefixed with a sharp ('#').
1460
1461 This command is restricted and can only be issued on sockets configured for
1462 level "admin".
1463
1464enable agent <backend>/<server>
1465 Resume auxiliary agent check that was temporarily stopped.
1466
1467 See "disable agent" for details of the effect of temporarily starting
1468 and stopping an auxiliary agent.
1469
1470 This command is restricted and can only be issued on sockets configured for
1471 level "admin".
1472
Olivier Houchard614f8d72017-03-14 20:08:46 +01001473enable dynamic-cookie backend <backend>
1474 Enable the generation of dynamic cookies fot the backend <backend>
1475 A secret key must also be provided
1476
Willy Tarreau44aed902015-10-13 14:45:29 +02001477enable frontend <frontend>
1478 Resume a frontend which was temporarily stopped. It is possible that some of
1479 the listening ports won't be able to bind anymore (eg: if another process
1480 took them since the 'disable frontend' operation). If this happens, an error
1481 is displayed. Some operating systems might not be able to resume a frontend
1482 which was disabled.
1483
1484 The frontend may be specified either by its name or by its numeric ID,
1485 prefixed with a sharp ('#').
1486
1487 This command is restricted and can only be issued on sockets configured for
1488 level "admin".
1489
1490enable health <backend>/<server>
1491 Resume a primary health check that was temporarily stopped. This will enable
1492 sending of health checks again. Please see "disable health" for details.
1493
1494 This command is restricted and can only be issued on sockets configured for
1495 level "admin".
1496
1497enable server <backend>/<server>
1498 If the server was previously marked as DOWN for maintenance, this marks the
1499 server UP and checks are re-enabled.
1500
1501 Both the backend and the server may be specified either by their name or by
1502 their numeric ID, prefixed with a sharp ('#').
1503
1504 This command is restricted and can only be issued on sockets configured for
1505 level "admin".
1506
1507get map <map> <value>
1508get acl <acl> <value>
1509 Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl>
1510 are the #<id> or the <file> returned by "show map" or "show acl". This command
1511 returns all the matching patterns associated with this map. This is useful for
1512 debugging maps and ACLs. The output format is composed by one line par
1513 matching type. Each line is composed by space-delimited series of words.
1514
1515 The first two words are:
1516
1517 <match method>: The match method applied. It can be "found", "bool",
1518 "int", "ip", "bin", "len", "str", "beg", "sub", "dir",
1519 "dom", "end" or "reg".
1520
1521 <match result>: The result. Can be "match" or "no-match".
1522
1523 The following words are returned only if the pattern matches an entry.
1524
1525 <index type>: "tree" or "list". The internal lookup algorithm.
1526
1527 <case>: "case-insensitive" or "case-sensitive". The
1528 interpretation of the case.
1529
1530 <entry matched>: match="<entry>". Return the matched pattern. It is
1531 useful with regular expressions.
1532
1533 The two last word are used to show the returned value and its type. With the
1534 "acl" case, the pattern doesn't exist.
1535
1536 return=nothing: No return because there are no "map".
1537 return="<value>": The value returned in the string format.
1538 return=cannot-display: The value cannot be converted as string.
1539
1540 type="<type>": The type of the returned sample.
1541
1542get weight <backend>/<server>
1543 Report the current weight and the initial weight of server <server> in
1544 backend <backend> or an error if either doesn't exist. The initial weight is
1545 the one that appears in the configuration file. Both are normally equal
1546 unless the current weight has been changed. Both the backend and the server
1547 may be specified either by their name or by their numeric ID, prefixed with a
1548 sharp ('#').
1549
1550help
1551 Print the list of known keywords and their basic usage. The same help screen
1552 is also displayed for unknown commands.
1553
1554prompt
1555 Toggle the prompt at the beginning of the line and enter or leave interactive
1556 mode. In interactive mode, the connection is not closed after a command
1557 completes. Instead, the prompt will appear again, indicating the user that
1558 the interpreter is waiting for a new command. The prompt consists in a right
1559 angle bracket followed by a space "> ". This mode is particularly convenient
1560 when one wants to periodically check information such as stats or errors.
1561 It is also a good idea to enter interactive mode before issuing a "help"
1562 command.
1563
1564quit
1565 Close the connection when in interactive mode.
1566
Olivier Houchard614f8d72017-03-14 20:08:46 +01001567set dynamic-cookie-key backend <backend> <value>
1568 Modify the secret key used to generate the dynamic persistent cookies.
1569 This will break the existing sessions.
1570
Willy Tarreau44aed902015-10-13 14:45:29 +02001571set map <map> [<key>|#<ref>] <value>
1572 Modify the value corresponding to each key <key> in a map <map>. <map> is the
1573 #<id> or <file> returned by "show map". If the <ref> is used in place of
1574 <key>, only the entry pointed by <ref> is changed. The new value is <value>.
1575
1576set maxconn frontend <frontend> <value>
1577 Dynamically change the specified frontend's maxconn setting. Any positive
1578 value is allowed including zero, but setting values larger than the global
1579 maxconn does not make much sense. If the limit is increased and connections
1580 were pending, they will immediately be accepted. If it is lowered to a value
1581 below the current number of connections, new connections acceptation will be
1582 delayed until the threshold is reached. The frontend might be specified by
1583 either its name or its numeric ID prefixed with a sharp ('#').
1584
Andrew Hayworthedb93a72015-10-27 21:46:25 +00001585set maxconn server <backend/server> <value>
1586 Dynamically change the specified server's maxconn setting. Any positive
1587 value is allowed including zero, but setting values larger than the global
1588 maxconn does not make much sense.
1589
Willy Tarreau44aed902015-10-13 14:45:29 +02001590set maxconn global <maxconn>
1591 Dynamically change the global maxconn setting within the range defined by the
1592 initial global maxconn setting. If it is increased and connections were
1593 pending, they will immediately be accepted. If it is lowered to a value below
1594 the current number of connections, new connections acceptation will be
1595 delayed until the threshold is reached. A value of zero restores the initial
1596 setting.
1597
1598set rate-limit connections global <value>
1599 Change the process-wide connection rate limit, which is set by the global
1600 'maxconnrate' setting. A value of zero disables the limitation. This limit
1601 applies to all frontends and the change has an immediate effect. The value
1602 is passed in number of connections per second.
1603
1604set rate-limit http-compression global <value>
1605 Change the maximum input compression rate, which is set by the global
1606 'maxcomprate' setting. A value of zero disables the limitation. The value is
1607 passed in number of kilobytes per second. The value is available in the "show
1608 info" on the line "CompressBpsRateLim" in bytes.
1609
1610set rate-limit sessions global <value>
1611 Change the process-wide session rate limit, which is set by the global
1612 'maxsessrate' setting. A value of zero disables the limitation. This limit
1613 applies to all frontends and the change has an immediate effect. The value
1614 is passed in number of sessions per second.
1615
1616set rate-limit ssl-sessions global <value>
1617 Change the process-wide SSL session rate limit, which is set by the global
1618 'maxsslrate' setting. A value of zero disables the limitation. This limit
1619 applies to all frontends and the change has an immediate effect. The value
1620 is passed in number of sessions per second sent to the SSL stack. It applies
1621 before the handshake in order to protect the stack against handshake abuses.
1622
Baptiste Assmann3749ebf2016-08-03 22:34:12 +02001623set server <backend>/<server> addr <ip4 or ip6 address> [port <port>]
Willy Tarreau44aed902015-10-13 14:45:29 +02001624 Replace the current IP address of a server by the one provided.
Baptiste Assmann3749ebf2016-08-03 22:34:12 +02001625 Optionnaly, the port can be changed using the 'port' parameter.
1626 Note that changing the port also support switching from/to port mapping
1627 (notation with +X or -Y), only if a port is configured for the health check.
Willy Tarreau44aed902015-10-13 14:45:29 +02001628
1629set server <backend>/<server> agent [ up | down ]
1630 Force a server's agent to a new state. This can be useful to immediately
1631 switch a server's state regardless of some slow agent checks for example.
1632 Note that the change is propagated to tracking servers if any.
1633
Misiek43972902017-01-09 09:53:06 +01001634set server <backend>/<server> agent-addr <addr>
1635 Change addr for servers agent checks. Allows to migrate agent-checks to
1636 another address at runtime. You can specify both IP and hostname, it will be
1637 resolved.
1638
1639set server <backend>/<server> agent-send <value>
1640 Change agent string sent to agent check target. Allows to update string while
1641 changing server address to keep those two matching.
1642
Willy Tarreau44aed902015-10-13 14:45:29 +02001643set server <backend>/<server> health [ up | stopping | down ]
1644 Force a server's health to a new state. This can be useful to immediately
1645 switch a server's state regardless of some slow health checks for example.
1646 Note that the change is propagated to tracking servers if any.
1647
Baptiste Assmann50946562016-08-31 23:26:29 +02001648set server <backend>/<server> check-port <port>
1649 Change the port used for health checking to <port>
1650
Willy Tarreau44aed902015-10-13 14:45:29 +02001651set server <backend>/<server> state [ ready | drain | maint ]
1652 Force a server's administrative state to a new state. This can be useful to
1653 disable load balancing and/or any traffic to a server. Setting the state to
1654 "ready" puts the server in normal mode, and the command is the equivalent of
1655 the "enable server" command. Setting the state to "maint" disables any traffic
1656 to the server as well as any health checks. This is the equivalent of the
1657 "disable server" command. Setting the mode to "drain" only removes the server
1658 from load balancing but still allows it to be checked and to accept new
1659 persistent connections. Changes are propagated to tracking servers if any.
1660
1661set server <backend>/<server> weight <weight>[%]
1662 Change a server's weight to the value passed in argument. This is the exact
1663 equivalent of the "set weight" command below.
1664
Frédéric Lécailleb418c122017-04-26 11:24:02 +02001665set server <backend>/<server> fqdn <FQDN>
1666 Change a server's FQDN to the value passed in argument.
1667
Willy Tarreau44aed902015-10-13 14:45:29 +02001668set ssl ocsp-response <response>
1669 This command is used to update an OCSP Response for a certificate (see "crt"
1670 on "bind" lines). Same controls are performed as during the initial loading of
1671 the response. The <response> must be passed as a base64 encoded string of the
Emmanuel Hocdet2c32d8f2017-05-22 14:58:00 +02001672 DER encoded response from the OCSP server. This command is not supported with
1673 BoringSSL.
Willy Tarreau44aed902015-10-13 14:45:29 +02001674
1675 Example:
1676 openssl ocsp -issuer issuer.pem -cert server.pem \
1677 -host ocsp.issuer.com:80 -respout resp.der
1678 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
1679 socat stdio /var/run/haproxy.stat
1680
1681set ssl tls-key <id> <tlskey>
1682 Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
1683 ultimate key, while the penultimate one is used for encryption (others just
1684 decrypt). The oldest TLS key present is overwritten. <id> is either a numeric
1685 #<id> or <file> returned by "show tls-keys". <tlskey> is a base64 encoded 48
1686 bit TLS ticket key (ex. openssl rand -base64 48).
1687
1688set table <table> key <key> [data.<data_type> <value>]*
1689 Create or update a stick-table entry in the table. If the key is not present,
1690 an entry is inserted. See stick-table in section 4.2 to find all possible
1691 values for <data_type>. The most likely use consists in dynamically entering
1692 entries for source IP addresses, with a flag in gpc0 to dynamically block an
1693 IP address or affect its quality of service. It is possible to pass multiple
1694 data_types in a single call.
1695
1696set timeout cli <delay>
1697 Change the CLI interface timeout for current connection. This can be useful
1698 during long debugging sessions where the user needs to constantly inspect
1699 some indicators without being disconnected. The delay is passed in seconds.
1700
1701set weight <backend>/<server> <weight>[%]
1702 Change a server's weight to the value passed in argument. If the value ends
1703 with the '%' sign, then the new weight will be relative to the initially
1704 configured weight. Absolute weights are permitted between 0 and 256.
1705 Relative weights must be positive with the resulting absolute weight is
1706 capped at 256. Servers which are part of a farm running a static
1707 load-balancing algorithm have stricter limitations because the weight
1708 cannot change once set. Thus for these servers, the only accepted values
1709 are 0 and 100% (or 0 and the initial weight). Changes take effect
1710 immediately, though certain LB algorithms require a certain amount of
1711 requests to consider changes. A typical usage of this command is to
1712 disable a server during an update by setting its weight to zero, then to
1713 enable it again after the update by setting it back to 100%. This command
1714 is restricted and can only be issued on sockets configured for level
1715 "admin". Both the backend and the server may be specified either by their
1716 name or by their numeric ID, prefixed with a sharp ('#').
1717
William Lallemand51132162016-12-16 16:38:58 +01001718show cli sockets
1719 List CLI sockets. The output format is composed of 3 fields separated by
1720 spaces. The first field is the socket address, it can be a unix socket, a
1721 ipv4 address:port couple or a ipv6 one. Socket of other types won't be dump.
1722 The second field describe the level of the socket: 'admin', 'user' or
1723 'operator'. The last field list the processes on which the socket is bound,
1724 separated by commas, it can be numbers or 'all'.
1725
1726 Example :
1727
1728 $ echo 'show cli sockets' | socat stdio /tmp/sock1
1729 # socket lvl processes
1730 /tmp/sock1 admin all
1731 127.0.0.1:9999 user 2,3,4
1732 127.0.0.2:9969 user 2
1733 [::1]:9999 operator 2
1734
Willy Tarreauae795722016-02-16 11:27:28 +01001735show env [<name>]
1736 Dump one or all environment variables known by the process. Without any
1737 argument, all variables are dumped. With an argument, only the specified
1738 variable is dumped if it exists. Otherwise "Variable not found" is emitted.
1739 Variables are dumped in the same format as they are stored or returned by the
1740 "env" utility, that is, "<name>=<value>". This can be handy when debugging
1741 certain configuration files making heavy use of environment variables to
1742 ensure that they contain the expected values. This command is restricted and
1743 can only be issued on sockets configured for levels "operator" or "admin".
1744
Willy Tarreau35069f82016-11-25 09:16:37 +01001745show errors [<iid>|<proxy>] [request|response]
Willy Tarreau44aed902015-10-13 14:45:29 +02001746 Dump last known request and response errors collected by frontends and
1747 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau234ba2d2016-11-25 08:39:10 +01001748 either frontend or backend whose ID is <iid>. Proxy ID "-1" will cause
1749 all instances to be dumped. If a proxy name is specified instead, its ID
Willy Tarreau35069f82016-11-25 09:16:37 +01001750 will be used as the filter. If "request" or "response" is added after the
1751 proxy name or ID, only request or response errors will be dumped. This
1752 command is restricted and can only be issued on sockets configured for
1753 levels "operator" or "admin".
Willy Tarreau44aed902015-10-13 14:45:29 +02001754
1755 The errors which may be collected are the last request and response errors
1756 caused by protocol violations, often due to invalid characters in header
1757 names. The report precisely indicates what exact character violated the
1758 protocol. Other important information such as the exact date the error was
1759 detected, frontend and backend names, the server name (when known), the
1760 internal session ID and the source address which has initiated the session
1761 are reported too.
1762
1763 All characters are returned, and non-printable characters are encoded. The
1764 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
1765 letter following a backslash. The backslash itself is encoded as '\\' to
1766 avoid confusion. Other non-printable characters are encoded '\xNN' where
1767 NN is the two-digits hexadecimal representation of the character's ASCII
1768 code.
1769
1770 Lines are prefixed with the position of their first character, starting at 0
1771 for the beginning of the buffer. At most one input line is printed per line,
1772 and large lines will be broken into multiple consecutive output lines so that
1773 the output never goes beyond 79 characters wide. It is easy to detect if a
1774 line was broken, because it will not end with '\n' and the next line's offset
1775 will be followed by a '+' sign, indicating it is a continuation of previous
1776 line.
1777
1778 Example :
Willy Tarreau35069f82016-11-25 09:16:37 +01001779 $ echo "show errors -1 response" | socat stdio /tmp/sock1
Willy Tarreau44aed902015-10-13 14:45:29 +02001780 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
1781 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
1782 response length 213 bytes, error at position 23:
1783
1784 00000 HTTP/1.0 200 OK\r\n
1785 00017 header/bizarre:blah\r\n
1786 00038 Location: blah\r\n
1787 00054 Long-line: this is a very long line which should b
1788 00104+ e broken into multiple lines on the output buffer,
1789 00154+ otherwise it would be too large to print in a ter
1790 00204+ minal\r\n
1791 00211 \r\n
1792
1793 In the example above, we see that the backend "http-in" which has internal
1794 ID 2 has blocked an invalid response from its server s2 which has internal
1795 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
1796 received by frontend fe-eth0 whose ID is 1. The total response length was
1797 213 bytes when the error was detected, and the error was at byte 23. This
1798 is the slash ('/') in header name "header/bizarre", which is not a valid
1799 HTTP character for a header name.
1800
1801show backend
1802 Dump the list of backends available in the running process
1803
Simon Horman05ee2132017-01-04 09:37:25 +01001804show info [typed|json]
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001805 Dump info about haproxy status on current process. If "typed" is passed as an
1806 optional argument, field numbers, names and types are emitted as well so that
1807 external monitoring products can easily retrieve, possibly aggregate, then
1808 report information found in fields they don't know. Each field is dumped on
Simon Horman05ee2132017-01-04 09:37:25 +01001809 its own line. If "json" is passed as an optional argument then
1810 information provided by "typed" output is provided in JSON format as a
1811 list of JSON objects. By default, the format contains only two columns
1812 delimited by a colon (':'). The left one is the field name and the right
1813 one is the value. It is very important to note that in typed output
1814 format, the dump for a single object is contiguous so that there is no
1815 need for a consumer to store everything at once.
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001816
1817 When using the typed output format, each line is made of 4 columns delimited
1818 by colons (':'). The first column is a dot-delimited series of 3 elements. The
1819 first element is the numeric position of the field in the list (starting at
1820 zero). This position shall not change over time, but holes are to be expected,
1821 depending on build options or if some fields are deleted in the future. The
1822 second element is the field name as it appears in the default "show info"
1823 output. The third element is the relative process number starting at 1.
1824
1825 The rest of the line starting after the first colon follows the "typed output
1826 format" described in the section above. In short, the second column (after the
1827 first ':') indicates the origin, nature and scope of the variable. The third
1828 column indicates the type of the field, among "s32", "s64", "u32", "u64" and
1829 "str". Then the fourth column is the value itself, which the consumer knows
1830 how to parse thanks to column 3 and how to process thanks to column 2.
1831
1832 Thus the overall line format in typed mode is :
1833
1834 <field_pos>.<field_name>.<process_num>:<tags>:<type>:<value>
1835
1836 Example :
1837
1838 > show info
1839 Name: HAProxy
1840 Version: 1.7-dev1-de52ea-146
1841 Release_date: 2016/03/11
1842 Nbproc: 1
1843 Process_num: 1
1844 Pid: 28105
1845 Uptime: 0d 0h00m04s
1846 Uptime_sec: 4
1847 Memmax_MB: 0
1848 PoolAlloc_MB: 0
1849 PoolUsed_MB: 0
1850 PoolFailed: 0
1851 (...)
1852
1853 > show info typed
1854 0.Name.1:POS:str:HAProxy
1855 1.Version.1:POS:str:1.7-dev1-de52ea-146
1856 2.Release_date.1:POS:str:2016/03/11
1857 3.Nbproc.1:CGS:u32:1
1858 4.Process_num.1:KGP:u32:1
1859 5.Pid.1:SGP:u32:28105
1860 6.Uptime.1:MDP:str:0d 0h00m08s
1861 7.Uptime_sec.1:MDP:u32:8
1862 8.Memmax_MB.1:CLP:u32:0
1863 9.PoolAlloc_MB.1:MGP:u32:0
1864 10.PoolUsed_MB.1:MGP:u32:0
1865 11.PoolFailed.1:MCP:u32:0
1866 (...)
1867
Simon Horman1084a362016-11-21 17:00:24 +01001868 In the typed format, the presence of the process ID at the end of the
1869 first column makes it very easy to visually aggregate outputs from
1870 multiple processes.
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001871 Example :
1872
1873 $ ( echo show info typed | socat /var/run/haproxy.sock1 ; \
1874 echo show info typed | socat /var/run/haproxy.sock2 ) | \
1875 sort -t . -k 1,1n -k 2,2 -k 3,3n
1876 0.Name.1:POS:str:HAProxy
1877 0.Name.2:POS:str:HAProxy
1878 1.Version.1:POS:str:1.7-dev1-868ab3-148
1879 1.Version.2:POS:str:1.7-dev1-868ab3-148
1880 2.Release_date.1:POS:str:2016/03/11
1881 2.Release_date.2:POS:str:2016/03/11
1882 3.Nbproc.1:CGS:u32:2
1883 3.Nbproc.2:CGS:u32:2
1884 4.Process_num.1:KGP:u32:1
1885 4.Process_num.2:KGP:u32:2
1886 5.Pid.1:SGP:u32:30120
1887 5.Pid.2:SGP:u32:30121
1888 6.Uptime.1:MDP:str:0d 0h01m28s
1889 6.Uptime.2:MDP:str:0d 0h01m28s
1890 (...)
Willy Tarreau44aed902015-10-13 14:45:29 +02001891
Simon Horman05ee2132017-01-04 09:37:25 +01001892 The format of JSON output is described in a schema which may be output
Simon Horman6f6bb382017-01-04 09:37:26 +01001893 using "show schema json".
Simon Horman05ee2132017-01-04 09:37:25 +01001894
1895 The JSON output contains no extra whitespace in order to reduce the
1896 volume of output. For human consumption passing the output through a
1897 pretty printer may be helpful. Example :
1898
1899 $ echo "show info json" | socat /var/run/haproxy.sock stdio | \
1900 python -m json.tool
1901
Simon Horman6f6bb382017-01-04 09:37:26 +01001902 The JSON output contains no extra whitespace in order to reduce the
1903 volume of output. For human consumption passing the output through a
1904 pretty printer may be helpful. Example :
1905
1906 $ echo "show info json" | socat /var/run/haproxy.sock stdio | \
1907 python -m json.tool
1908
Willy Tarreau44aed902015-10-13 14:45:29 +02001909show map [<map>]
1910 Dump info about map converters. Without argument, the list of all available
1911 maps is returned. If a <map> is specified, its contents are dumped. <map> is
1912 the #<id> or <file>. The first column is a unique identifier. It can be used
1913 as reference for the operation "del map" and "set map". The second column is
1914 the pattern and the third column is the sample if available. The data returned
1915 are not directly a list of available maps, but are the list of all patterns
1916 composing any map. Many of these patterns can be shared with ACL.
1917
1918show acl [<acl>]
1919 Dump info about acl converters. Without argument, the list of all available
1920 acls is returned. If a <acl> is specified, its contents are dumped. <acl> if
1921 the #<id> or <file>. The dump format is the same than the map even for the
1922 sample value. The data returned are not a list of available ACL, but are the
1923 list of all patterns composing any ACL. Many of these patterns can be shared
1924 with maps.
1925
1926show pools
1927 Dump the status of internal memory pools. This is useful to track memory
1928 usage when suspecting a memory leak for example. It does exactly the same
1929 as the SIGQUIT when running in foreground except that it does not flush
1930 the pools.
1931
1932show servers state [<backend>]
1933 Dump the state of the servers found in the running configuration. A backend
1934 name or identifier may be provided to limit the output to this backend only.
1935
1936 The dump has the following format:
1937 - first line contains the format version (1 in this specification);
1938 - second line contains the column headers, prefixed by a sharp ('#');
1939 - third line and next ones contain data;
1940 - each line starting by a sharp ('#') is considered as a comment.
1941
Dan Lloyd8e48b872016-07-01 21:01:18 -04001942 Since multiple versions of the output may co-exist, below is the list of
Willy Tarreau44aed902015-10-13 14:45:29 +02001943 fields and their order per file format version :
1944 1:
1945 be_id: Backend unique id.
1946 be_name: Backend label.
1947 srv_id: Server unique id (in the backend).
1948 srv_name: Server label.
1949 srv_addr: Server IP address.
1950 srv_op_state: Server operational state (UP/DOWN/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01001951 0 = SRV_ST_STOPPED
1952 The server is down.
1953 1 = SRV_ST_STARTING
1954 The server is warming up (up but
1955 throttled).
1956 2 = SRV_ST_RUNNING
1957 The server is fully up.
1958 3 = SRV_ST_STOPPING
1959 The server is up but soft-stopping
1960 (eg: 404).
Willy Tarreau44aed902015-10-13 14:45:29 +02001961 srv_admin_state: Server administrative state (MAINT/DRAIN/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01001962 The state is actually a mask of values :
1963 0x01 = SRV_ADMF_FMAINT
1964 The server was explicitly forced into
1965 maintenance.
1966 0x02 = SRV_ADMF_IMAINT
1967 The server has inherited the maintenance
1968 status from a tracked server.
1969 0x04 = SRV_ADMF_CMAINT
1970 The server is in maintenance because of
1971 the configuration.
1972 0x08 = SRV_ADMF_FDRAIN
1973 The server was explicitly forced into
1974 drain state.
1975 0x10 = SRV_ADMF_IDRAIN
1976 The server has inherited the drain status
1977 from a tracked server.
Baptiste Assmann89aa7f32016-11-02 21:31:27 +01001978 0x20 = SRV_ADMF_RMAINT
1979 The server is in maintenance because of an
1980 IP address resolution failure.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02001981 0x40 = SRV_ADMF_HMAINT
1982 The server FQDN was set from stats socket.
1983
Willy Tarreau44aed902015-10-13 14:45:29 +02001984 srv_uweight: User visible server's weight.
1985 srv_iweight: Server's initial weight.
1986 srv_time_since_last_change: Time since last operational change.
1987 srv_check_status: Last health check status.
1988 srv_check_result: Last check result (FAILED/PASSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01001989 0 = CHK_RES_UNKNOWN
1990 Initialized to this by default.
1991 1 = CHK_RES_NEUTRAL
1992 Valid check but no status information.
1993 2 = CHK_RES_FAILED
1994 Check failed.
1995 3 = CHK_RES_PASSED
1996 Check succeeded and server is fully up
1997 again.
1998 4 = CHK_RES_CONDPASS
1999 Check reports the server doesn't want new
2000 sessions.
Willy Tarreau44aed902015-10-13 14:45:29 +02002001 srv_check_health: Checks rise / fall current counter.
2002 srv_check_state: State of the check (ENABLED/PAUSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002003 The state is actually a mask of values :
2004 0x01 = CHK_ST_INPROGRESS
2005 A check is currently running.
2006 0x02 = CHK_ST_CONFIGURED
2007 This check is configured and may be
2008 enabled.
2009 0x04 = CHK_ST_ENABLED
2010 This check is currently administratively
2011 enabled.
2012 0x08 = CHK_ST_PAUSED
2013 Checks are paused because of maintenance
2014 (health only).
Willy Tarreau44aed902015-10-13 14:45:29 +02002015 srv_agent_state: State of the agent check (ENABLED/PAUSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002016 This state uses the same mask values as
2017 "srv_check_state", adding this specific one :
2018 0x10 = CHK_ST_AGENT
2019 Check is an agent check (otherwise it's a
2020 health check).
Willy Tarreau44aed902015-10-13 14:45:29 +02002021 bk_f_forced_id: Flag to know if the backend ID is forced by
2022 configuration.
2023 srv_f_forced_id: Flag to know if the server's ID is forced by
2024 configuration.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002025 srv_fqdn: Server FQDN.
Willy Tarreau44aed902015-10-13 14:45:29 +02002026
2027show sess
2028 Dump all known sessions. Avoid doing this on slow connections as this can
2029 be huge. This command is restricted and can only be issued on sockets
2030 configured for levels "operator" or "admin".
2031
2032show sess <id>
2033 Display a lot of internal information about the specified session identifier.
2034 This identifier is the first field at the beginning of the lines in the dumps
2035 of "show sess" (it corresponds to the session pointer). Those information are
2036 useless to most users but may be used by haproxy developers to troubleshoot a
2037 complex bug. The output format is intentionally not documented so that it can
2038 freely evolve depending on demands. You may find a description of all fields
2039 returned in src/dumpstats.c
2040
2041 The special id "all" dumps the states of all sessions, which must be avoided
2042 as much as possible as it is highly CPU intensive and can take a lot of time.
2043
Simon Horman05ee2132017-01-04 09:37:25 +01002044show stat [{<iid>|<proxy>} <type> <sid>] [typed|json]
2045 Dump statistics using the CSV format; using the extended typed output
2046 format described in the section above if "typed" is passed after the
2047 other arguments; or in JSON if "json" is passed after the other arguments
2048 . By passing <id>, <type> and <sid>, it is possible to dump only selected
2049 items :
Willy Tarreaua1b1ed52016-11-25 08:50:58 +01002050 - <iid> is a proxy ID, -1 to dump everything. Alternatively, a proxy name
2051 <proxy> may be specified. In this case, this proxy's ID will be used as
2052 the ID selector.
Willy Tarreau44aed902015-10-13 14:45:29 +02002053 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
2054 backends, 4 for servers, -1 for everything. These values can be ORed,
2055 for example:
2056 1 + 2 = 3 -> frontend + backend.
2057 1 + 2 + 4 = 7 -> frontend + backend + server.
2058 - <sid> is a server ID, -1 to dump everything from the selected proxy.
2059
2060 Example :
2061 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
2062 >>> Name: HAProxy
2063 Version: 1.4-dev2-49
2064 Release_date: 2009/09/23
2065 Nbproc: 1
2066 Process_num: 1
2067 (...)
2068
2069 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
2070 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
2071 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
2072 (...)
2073 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
2074
2075 $
2076
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002077 In this example, two commands have been issued at once. That way it's easy to
2078 find which process the stats apply to in multi-process mode. This is not
2079 needed in the typed output format as the process number is reported on each
2080 line. Notice the empty line after the information output which marks the end
2081 of the first block. A similar empty line appears at the end of the second
2082 block (stats) so that the reader knows the output has not been truncated.
2083
2084 When "typed" is specified, the output format is more suitable to monitoring
2085 tools because it provides numeric positions and indicates the type of each
2086 output field. Each value stands on its own line with process number, element
2087 number, nature, origin and scope. This same format is available via the HTTP
2088 stats by passing ";typed" after the URI. It is very important to note that in
Dan Lloyd8e48b872016-07-01 21:01:18 -04002089 typed output format, the dump for a single object is contiguous so that there
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002090 is no need for a consumer to store everything at once.
2091
2092 When using the typed output format, each line is made of 4 columns delimited
2093 by colons (':'). The first column is a dot-delimited series of 5 elements. The
2094 first element is a letter indicating the type of the object being described.
2095 At the moment the following object types are known : 'F' for a frontend, 'B'
2096 for a backend, 'L' for a listener, and 'S' for a server. The second element
2097 The second element is a positive integer representing the unique identifier of
2098 the proxy the object belongs to. It is equivalent to the "iid" column of the
2099 CSV output and matches the value in front of the optional "id" directive found
2100 in the frontend or backend section. The third element is a positive integer
2101 containing the unique object identifier inside the proxy, and corresponds to
2102 the "sid" column of the CSV output. ID 0 is reported when dumping a frontend
2103 or a backend. For a listener or a server, this corresponds to their respective
2104 ID inside the proxy. The fourth element is the numeric position of the field
2105 in the list (starting at zero). This position shall not change over time, but
2106 holes are to be expected, depending on build options or if some fields are
2107 deleted in the future. The fifth element is the field name as it appears in
2108 the CSV output. The sixth element is a positive integer and is the relative
2109 process number starting at 1.
2110
2111 The rest of the line starting after the first colon follows the "typed output
2112 format" described in the section above. In short, the second column (after the
2113 first ':') indicates the origin, nature and scope of the variable. The third
2114 column indicates the type of the field, among "s32", "s64", "u32", "u64" and
2115 "str". Then the fourth column is the value itself, which the consumer knows
2116 how to parse thanks to column 3 and how to process thanks to column 2.
2117
2118 Thus the overall line format in typed mode is :
2119
2120 <obj>.<px_id>.<id>.<fpos>.<fname>.<process_num>:<tags>:<type>:<value>
2121
2122 Here's an example of typed output format :
2123
2124 $ echo "show stat typed" | socat stdio unix-connect:/tmp/sock1
2125 F.2.0.0.pxname.1:MGP:str:private-frontend
2126 F.2.0.1.svname.1:MGP:str:FRONTEND
2127 F.2.0.8.bin.1:MGP:u64:0
2128 F.2.0.9.bout.1:MGP:u64:0
2129 F.2.0.40.hrsp_2xx.1:MGP:u64:0
2130 L.2.1.0.pxname.1:MGP:str:private-frontend
2131 L.2.1.1.svname.1:MGP:str:sock-1
2132 L.2.1.17.status.1:MGP:str:OPEN
2133 L.2.1.73.addr.1:MGP:str:0.0.0.0:8001
2134 S.3.13.60.rtime.1:MCP:u32:0
2135 S.3.13.61.ttime.1:MCP:u32:0
2136 S.3.13.62.agent_status.1:MGP:str:L4TOUT
2137 S.3.13.64.agent_duration.1:MGP:u64:2001
2138 S.3.13.65.check_desc.1:MCP:str:Layer4 timeout
2139 S.3.13.66.agent_desc.1:MCP:str:Layer4 timeout
2140 S.3.13.67.check_rise.1:MCP:u32:2
2141 S.3.13.68.check_fall.1:MCP:u32:3
2142 S.3.13.69.check_health.1:SGP:u32:0
2143 S.3.13.70.agent_rise.1:MaP:u32:1
2144 S.3.13.71.agent_fall.1:SGP:u32:1
2145 S.3.13.72.agent_health.1:SGP:u32:1
2146 S.3.13.73.addr.1:MCP:str:1.255.255.255:8888
2147 S.3.13.75.mode.1:MAP:str:http
2148 B.3.0.0.pxname.1:MGP:str:private-backend
2149 B.3.0.1.svname.1:MGP:str:BACKEND
2150 B.3.0.2.qcur.1:MGP:u32:0
2151 B.3.0.3.qmax.1:MGP:u32:0
2152 B.3.0.4.scur.1:MGP:u32:0
2153 B.3.0.5.smax.1:MGP:u32:0
2154 B.3.0.6.slim.1:MGP:u32:1000
2155 B.3.0.55.lastsess.1:MMP:s32:-1
2156 (...)
2157
Simon Horman1084a362016-11-21 17:00:24 +01002158 In the typed format, the presence of the process ID at the end of the
2159 first column makes it very easy to visually aggregate outputs from
2160 multiple processes, as show in the example below where each line appears
2161 for each process :
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002162
2163 $ ( echo show stat typed | socat /var/run/haproxy.sock1 - ; \
2164 echo show stat typed | socat /var/run/haproxy.sock2 - ) | \
2165 sort -t . -k 1,1 -k 2,2n -k 3,3n -k 4,4n -k 5,5 -k 6,6n
2166 B.3.0.0.pxname.1:MGP:str:private-backend
2167 B.3.0.0.pxname.2:MGP:str:private-backend
2168 B.3.0.1.svname.1:MGP:str:BACKEND
2169 B.3.0.1.svname.2:MGP:str:BACKEND
2170 B.3.0.2.qcur.1:MGP:u32:0
2171 B.3.0.2.qcur.2:MGP:u32:0
2172 B.3.0.3.qmax.1:MGP:u32:0
2173 B.3.0.3.qmax.2:MGP:u32:0
2174 B.3.0.4.scur.1:MGP:u32:0
2175 B.3.0.4.scur.2:MGP:u32:0
2176 B.3.0.5.smax.1:MGP:u32:0
2177 B.3.0.5.smax.2:MGP:u32:0
2178 B.3.0.6.slim.1:MGP:u32:1000
2179 B.3.0.6.slim.2:MGP:u32:1000
2180 (...)
Willy Tarreau44aed902015-10-13 14:45:29 +02002181
Simon Horman05ee2132017-01-04 09:37:25 +01002182 The format of JSON output is described in a schema which may be output
Simon Horman6f6bb382017-01-04 09:37:26 +01002183 using "show schema json".
2184
2185 The JSON output contains no extra whitespace in order to reduce the
2186 volume of output. For human consumption passing the output through a
2187 pretty printer may be helpful. Example :
2188
2189 $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
2190 python -m json.tool
Simon Horman05ee2132017-01-04 09:37:25 +01002191
2192 The JSON output contains no extra whitespace in order to reduce the
2193 volume of output. For human consumption passing the output through a
2194 pretty printer may be helpful. Example :
2195
2196 $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
2197 python -m json.tool
2198
Willy Tarreau44aed902015-10-13 14:45:29 +02002199show stat resolvers [<resolvers section id>]
2200 Dump statistics for the given resolvers section, or all resolvers sections
2201 if no section is supplied.
2202
2203 For each name server, the following counters are reported:
2204 sent: number of DNS requests sent to this server
2205 valid: number of DNS valid responses received from this server
2206 update: number of DNS responses used to update the server's IP address
2207 cname: number of CNAME responses
2208 cname_error: CNAME errors encountered with this server
2209 any_err: number of empty response (IE: server does not support ANY type)
2210 nx: non existent domain response received from this server
2211 timeout: how many time this server did not answer in time
2212 refused: number of requests refused by this server
2213 other: any other DNS errors
2214 invalid: invalid DNS response (from a protocol point of view)
2215 too_big: too big response
2216 outdated: number of response arrived too late (after an other name server)
2217
2218show table
2219 Dump general information on all known stick-tables. Their name is returned
2220 (the name of the proxy which holds them), their type (currently zero, always
2221 IP), their size in maximum possible number of entries, and the number of
2222 entries currently in use.
2223
2224 Example :
2225 $ echo "show table" | socat stdio /tmp/sock1
2226 >>> # table: front_pub, type: ip, size:204800, used:171454
2227 >>> # table: back_rdp, type: ip, size:204800, used:0
2228
2229show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
2230 Dump contents of stick-table <name>. In this mode, a first line of generic
2231 information about the table is reported as with "show table", then all
2232 entries are dumped. Since this can be quite heavy, it is possible to specify
2233 a filter in order to specify what entries to display.
2234
2235 When the "data." form is used the filter applies to the stored data (see
2236 "stick-table" in section 4.2). A stored data type must be specified
2237 in <type>, and this data type must be stored in the table otherwise an
2238 error is reported. The data is compared according to <operator> with the
2239 64-bit integer <value>. Operators are the same as with the ACLs :
2240
2241 - eq : match entries whose data is equal to this value
2242 - ne : match entries whose data is not equal to this value
2243 - le : match entries whose data is less than or equal to this value
2244 - ge : match entries whose data is greater than or equal to this value
2245 - lt : match entries whose data is less than this value
2246 - gt : match entries whose data is greater than this value
2247
2248
2249 When the key form is used the entry <key> is shown. The key must be of the
2250 same type as the table, which currently is limited to IPv4, IPv6, integer,
2251 and string.
2252
2253 Example :
2254 $ echo "show table http_proxy" | socat stdio /tmp/sock1
2255 >>> # table: http_proxy, type: ip, size:204800, used:2
2256 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
2257 bytes_out_rate(60000)=187
2258 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
2259 bytes_out_rate(60000)=191
2260
2261 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
2262 >>> # table: http_proxy, type: ip, size:204800, used:2
2263 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
2264 bytes_out_rate(60000)=191
2265
2266 $ echo "show table http_proxy data.conn_rate gt 5" | \
2267 socat stdio /tmp/sock1
2268 >>> # table: http_proxy, type: ip, size:204800, used:2
2269 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
2270 bytes_out_rate(60000)=191
2271
2272 $ echo "show table http_proxy key 127.0.0.2" | \
2273 socat stdio /tmp/sock1
2274 >>> # table: http_proxy, type: ip, size:204800, used:2
2275 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
2276 bytes_out_rate(60000)=191
2277
2278 When the data criterion applies to a dynamic value dependent on time such as
2279 a bytes rate, the value is dynamically computed during the evaluation of the
2280 entry in order to decide whether it has to be dumped or not. This means that
2281 such a filter could match for some time then not match anymore because as
2282 time goes, the average event rate drops.
2283
2284 It is possible to use this to extract lists of IP addresses abusing the
2285 service, in order to monitor them or even blacklist them in a firewall.
2286 Example :
2287 $ echo "show table http_proxy data.gpc0 gt 0" \
2288 | socat stdio /tmp/sock1 \
2289 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
2290 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
2291
William Lallemandbb933462016-05-31 21:09:53 +02002292show tls-keys [id|*]
2293 Dump all loaded TLS ticket keys references. The TLS ticket key reference ID
2294 and the file from which the keys have been loaded is shown. Both of those
2295 can be used to update the TLS keys using "set ssl tls-key". If an ID is
2296 specified as parameter, it will dump the tickets, using * it will dump every
2297 keys from every references.
Willy Tarreau44aed902015-10-13 14:45:29 +02002298
Simon Horman6f6bb382017-01-04 09:37:26 +01002299show schema json
2300 Dump the schema used for the output of "show info json" and "show stat json".
2301
2302 The contains no extra whitespace in order to reduce the volume of output.
2303 For human consumption passing the output through a pretty printer may be
2304 helpful. Example :
2305
2306 $ echo "show schema json" | socat /var/run/haproxy.sock stdio | \
2307 python -m json.tool
2308
2309 The schema follows "JSON Schema" (json-schema.org) and accordingly
2310 verifiers may be used to verify the output of "show info json" and "show
2311 stat json" against the schema.
2312
2313
Willy Tarreau44aed902015-10-13 14:45:29 +02002314shutdown frontend <frontend>
2315 Completely delete the specified frontend. All the ports it was bound to will
2316 be released. It will not be possible to enable the frontend anymore after
2317 this operation. This is intended to be used in environments where stopping a
2318 proxy is not even imaginable but a misconfigured proxy must be fixed. That
2319 way it's possible to release the port and bind it into another process to
2320 restore operations. The frontend will not appear at all on the stats page
2321 once it is terminated.
2322
2323 The frontend may be specified either by its name or by its numeric ID,
2324 prefixed with a sharp ('#').
2325
2326 This command is restricted and can only be issued on sockets configured for
2327 level "admin".
2328
2329shutdown session <id>
2330 Immediately terminate the session matching the specified session identifier.
2331 This identifier is the first field at the beginning of the lines in the dumps
2332 of "show sess" (it corresponds to the session pointer). This can be used to
2333 terminate a long-running session without waiting for a timeout or when an
2334 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
2335 flag in the logs.
2336
2337shutdown sessions server <backend>/<server>
2338 Immediately terminate all the sessions attached to the specified server. This
2339 can be used to terminate long-running sessions after a server is put into
2340 maintenance mode, for instance. Such terminated sessions are reported with a
2341 'K' flag in the logs.
2342
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002343
234410. Tricks for easier configuration management
2345----------------------------------------------
2346
2347It is very common that two HAProxy nodes constituting a cluster share exactly
2348the same configuration modulo a few addresses. Instead of having to maintain a
2349duplicate configuration for each node, which will inevitably diverge, it is
2350possible to include environment variables in the configuration. Thus multiple
2351configuration may share the exact same file with only a few different system
2352wide environment variables. This started in version 1.5 where only addresses
2353were allowed to include environment variables, and 1.6 goes further by
2354supporting environment variables everywhere. The syntax is the same as in the
2355UNIX shell, a variable starts with a dollar sign ('$'), followed by an opening
2356curly brace ('{'), then the variable name followed by the closing brace ('}').
2357Except for addresses, environment variables are only interpreted in arguments
2358surrounded with double quotes (this was necessary not to break existing setups
2359using regular expressions involving the dollar symbol).
2360
2361Environment variables also make it convenient to write configurations which are
2362expected to work on various sites where only the address changes. It can also
2363permit to remove passwords from some configs. Example below where the the file
2364"site1.env" file is sourced by the init script upon startup :
2365
2366 $ cat site1.env
2367 LISTEN=192.168.1.1
2368 CACHE_PFX=192.168.11
2369 SERVER_PFX=192.168.22
2370 LOGGER=192.168.33.1
2371 STATSLP=admin:pa$$w0rd
2372 ABUSERS=/etc/haproxy/abuse.lst
2373 TIMEOUT=10s
2374
2375 $ cat haproxy.cfg
2376 global
2377 log "${LOGGER}:514" local0
2378
2379 defaults
2380 mode http
2381 timeout client "${TIMEOUT}"
2382 timeout server "${TIMEOUT}"
2383 timeout connect 5s
2384
2385 frontend public
2386 bind "${LISTEN}:80"
2387 http-request reject if { src -f "${ABUSERS}" }
2388 stats uri /stats
2389 stats auth "${STATSLP}"
2390 use_backend cache if { path_end .jpg .css .ico }
2391 default_backend server
2392
2393 backend cache
2394 server cache1 "${CACHE_PFX}.1:18080" check
2395 server cache2 "${CACHE_PFX}.2:18080" check
2396
2397 backend server
2398 server cache1 "${SERVER_PFX}.1:8080" check
2399 server cache2 "${SERVER_PFX}.2:8080" check
2400
2401
240211. Well-known traps to avoid
2403-----------------------------
2404
2405Once in a while, someone reports that after a system reboot, the haproxy
2406service wasn't started, and that once they start it by hand it works. Most
2407often, these people are running a clustered IP address mechanism such as
2408keepalived, to assign the service IP address to the master node only, and while
2409it used to work when they used to bind haproxy to address 0.0.0.0, it stopped
2410working after they bound it to the virtual IP address. What happens here is
2411that when the service starts, the virtual IP address is not yet owned by the
2412local node, so when HAProxy wants to bind to it, the system rejects this
2413because it is not a local IP address. The fix doesn't consist in delaying the
2414haproxy service startup (since it wouldn't stand a restart), but instead to
2415properly configure the system to allow binding to non-local addresses. This is
2416easily done on Linux by setting the net.ipv4.ip_nonlocal_bind sysctl to 1. This
2417is also needed in order to transparently intercept the IP traffic that passes
2418through HAProxy for a specific target address.
2419
2420Multi-process configurations involving source port ranges may apparently seem
2421to work but they will cause some random failures under high loads because more
2422than one process may try to use the same source port to connect to the same
2423server, which is not possible. The system will report an error and a retry will
2424happen, picking another port. A high value in the "retries" parameter may hide
2425the effect to a certain extent but this also comes with increased CPU usage and
2426processing time. Logs will also report a certain number of retries. For this
2427reason, port ranges should be avoided in multi-process configurations.
2428
Dan Lloyd8e48b872016-07-01 21:01:18 -04002429Since HAProxy uses SO_REUSEPORT and supports having multiple independent
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002430processes bound to the same IP:port, during troubleshooting it can happen that
2431an old process was not stopped before a new one was started. This provides
2432absurd test results which tend to indicate that any change to the configuration
2433is ignored. The reason is that in fact even the new process is restarted with a
2434new configuration, the old one also gets some incoming connections and
2435processes them, returning unexpected results. When in doubt, just stop the new
2436process and try again. If it still works, it very likely means that an old
2437process remains alive and has to be stopped. Linux's "netstat -lntp" is of good
2438help here.
2439
2440When adding entries to an ACL from the command line (eg: when blacklisting a
2441source address), it is important to keep in mind that these entries are not
2442synchronized to the file and that if someone reloads the configuration, these
2443updates will be lost. While this is often the desired effect (for blacklisting)
2444it may not necessarily match expectations when the change was made as a fix for
2445a problem. See the "add acl" action of the CLI interface.
2446
2447
244812. Debugging and performance issues
2449------------------------------------
2450
2451When HAProxy is started with the "-d" option, it will stay in the foreground
2452and will print one line per event, such as an incoming connection, the end of a
2453connection, and for each request or response header line seen. This debug
2454output is emitted before the contents are processed, so they don't consider the
2455local modifications. The main use is to show the request and response without
2456having to run a network sniffer. The output is less readable when multiple
2457connections are handled in parallel, though the "debug2ansi" and "debug2html"
2458scripts found in the examples/ directory definitely help here by coloring the
2459output.
2460
2461If a request or response is rejected because HAProxy finds it is malformed, the
2462best thing to do is to connect to the CLI and issue "show errors", which will
2463report the last captured faulty request and response for each frontend and
2464backend, with all the necessary information to indicate precisely the first
2465character of the input stream that was rejected. This is sometimes needed to
2466prove to customers or to developers that a bug is present in their code. In
2467this case it is often possible to relax the checks (but still keep the
2468captures) using "option accept-invalid-http-request" or its equivalent for
2469responses coming from the server "option accept-invalid-http-response". Please
2470see the configuration manual for more details.
2471
2472Example :
2473
2474 > show errors
2475 Total events captured on [13/Oct/2015:13:43:47.169] : 1
2476
2477 [13/Oct/2015:13:43:40.918] frontend HAProxyLocalStats (#2): invalid request
2478 backend <NONE> (#-1), server <NONE> (#-1), event #0
2479 src 127.0.0.1:51981, session #0, session flags 0x00000080
2480 HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000
2481 HTTP chunk len 0 bytes, HTTP body len 0 bytes
2482 buffer flags 0x00808002, out 0 bytes, total 31 bytes
2483 pending 31 bytes, wrapping at 8040, error at position 13:
2484
2485 00000 GET /invalid request HTTP/1.1\r\n
2486
2487
2488The output of "show info" on the CLI provides a number of useful information
2489regarding the maximum connection rate ever reached, maximum SSL key rate ever
2490reached, and in general all information which can help to explain temporary
2491issues regarding CPU or memory usage. Example :
2492
2493 > show info
2494 Name: HAProxy
2495 Version: 1.6-dev7-e32d18-17
2496 Release_date: 2015/10/12
2497 Nbproc: 1
2498 Process_num: 1
2499 Pid: 7949
2500 Uptime: 0d 0h02m39s
2501 Uptime_sec: 159
2502 Memmax_MB: 0
2503 Ulimit-n: 120032
2504 Maxsock: 120032
2505 Maxconn: 60000
2506 Hard_maxconn: 60000
2507 CurrConns: 0
2508 CumConns: 3
2509 CumReq: 3
2510 MaxSslConns: 0
2511 CurrSslConns: 0
2512 CumSslConns: 0
2513 Maxpipes: 0
2514 PipesUsed: 0
2515 PipesFree: 0
2516 ConnRate: 0
2517 ConnRateLimit: 0
2518 MaxConnRate: 1
2519 SessRate: 0
2520 SessRateLimit: 0
2521 MaxSessRate: 1
2522 SslRate: 0
2523 SslRateLimit: 0
2524 MaxSslRate: 0
2525 SslFrontendKeyRate: 0
2526 SslFrontendMaxKeyRate: 0
2527 SslFrontendSessionReuse_pct: 0
2528 SslBackendKeyRate: 0
2529 SslBackendMaxKeyRate: 0
2530 SslCacheLookups: 0
2531 SslCacheMisses: 0
2532 CompressBpsIn: 0
2533 CompressBpsOut: 0
2534 CompressBpsRateLim: 0
2535 ZlibMemUsage: 0
2536 MaxZlibMemUsage: 0
2537 Tasks: 5
2538 Run_queue: 1
2539 Idle_pct: 100
2540 node: wtap
2541 description:
2542
2543When an issue seems to randomly appear on a new version of HAProxy (eg: every
2544second request is aborted, occasional crash, etc), it is worth trying to enable
Dan Lloyd8e48b872016-07-01 21:01:18 -04002545memory poisoning so that each call to malloc() is immediately followed by the
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002546filling of the memory area with a configurable byte. By default this byte is
25470x50 (ASCII for 'P'), but any other byte can be used, including zero (which
2548will have the same effect as a calloc() and which may make issues disappear).
Dan Lloyd8e48b872016-07-01 21:01:18 -04002549Memory poisoning is enabled on the command line using the "-dM" option. It
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002550slightly hurts performance and is not recommended for use in production. If
Dan Lloyd8e48b872016-07-01 21:01:18 -04002551an issue happens all the time with it or never happens when poisoning uses
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002552byte zero, it clearly means you've found a bug and you definitely need to
2553report it. Otherwise if there's no clear change, the problem it is not related.
2554
2555When debugging some latency issues, it is important to use both strace and
2556tcpdump on the local machine, and another tcpdump on the remote system. The
2557reason for this is that there are delays everywhere in the processing chain and
2558it is important to know which one is causing latency to know where to act. In
2559practice, the local tcpdump will indicate when the input data come in. Strace
2560will indicate when haproxy receives these data (using recv/recvfrom). Warning,
2561openssl uses read()/write() syscalls instead of recv()/send(). Strace will also
2562show when haproxy sends the data, and tcpdump will show when the system sends
2563these data to the interface. Then the external tcpdump will show when the data
2564sent are really received (since the local one only shows when the packets are
2565queued). The benefit of sniffing on the local system is that strace and tcpdump
2566will use the same reference clock. Strace should be used with "-tts200" to get
2567complete timestamps and report large enough chunks of data to read them.
2568Tcpdump should be used with "-nvvttSs0" to report full packets, real sequence
2569numbers and complete timestamps.
2570
2571In practice, received data are almost always immediately received by haproxy
2572(unless the machine has a saturated CPU or these data are invalid and not
2573delivered). If these data are received but not sent, it generally is because
2574the output buffer is saturated (ie: recipient doesn't consume the data fast
2575enough). This can be confirmed by seeing that the polling doesn't notify of
2576the ability to write on the output file descriptor for some time (it's often
2577easier to spot in the strace output when the data finally leave and then roll
2578back to see when the write event was notified). It generally matches an ACK
2579received from the recipient, and detected by tcpdump. Once the data are sent,
2580they may spend some time in the system doing nothing. Here again, the TCP
2581congestion window may be limited and not allow these data to leave, waiting for
2582an ACK to open the window. If the traffic is idle and the data take 40 ms or
2583200 ms to leave, it's a different issue (which is not an issue), it's the fact
2584that the Nagle algorithm prevents empty packets from leaving immediately, in
2585hope that they will be merged with subsequent data. HAProxy automatically
2586disables Nagle in pure TCP mode and in tunnels. However it definitely remains
2587enabled when forwarding an HTTP body (and this contributes to the performance
2588improvement there by reducing the number of packets). Some HTTP non-compliant
2589applications may be sensitive to the latency when delivering incomplete HTTP
2590response messages. In this case you will have to enable "option http-no-delay"
2591to disable Nagle in order to work around their design, keeping in mind that any
2592other proxy in the chain may similarly be impacted. If tcpdump reports that data
2593leave immediately but the other end doesn't see them quickly, it can mean there
Dan Lloyd8e48b872016-07-01 21:01:18 -04002594is a congested WAN link, a congested LAN with flow control enabled and
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002595preventing the data from leaving, or more commonly that HAProxy is in fact
2596running in a virtual machine and that for whatever reason the hypervisor has
2597decided that the data didn't need to be sent immediately. In virtualized
2598environments, latency issues are almost always caused by the virtualization
2599layer, so in order to save time, it's worth first comparing tcpdump in the VM
2600and on the external components. Any difference has to be credited to the
2601hypervisor and its accompanying drivers.
2602
2603When some TCP SACK segments are seen in tcpdump traces (using -vv), it always
2604means that the side sending them has got the proof of a lost packet. While not
2605seeing them doesn't mean there are no losses, seeing them definitely means the
2606network is lossy. Losses are normal on a network, but at a rate where SACKs are
2607not noticeable at the naked eye. If they appear a lot in the traces, it is
2608worth investigating exactly what happens and where the packets are lost. HTTP
2609doesn't cope well with TCP losses, which introduce huge latencies.
2610
2611The "netstat -i" command will report statistics per interface. An interface
2612where the Rx-Ovr counter grows indicates that the system doesn't have enough
2613resources to receive all incoming packets and that they're lost before being
2614processed by the network driver. Rx-Drp indicates that some received packets
2615were lost in the network stack because the application doesn't process them
2616fast enough. This can happen during some attacks as well. Tx-Drp means that
2617the output queues were full and packets had to be dropped. When using TCP it
Dan Lloyd8e48b872016-07-01 21:01:18 -04002618should be very rare, but will possibly indicate a saturated outgoing link.
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002619
2620
262113. Security considerations
2622---------------------------
2623
2624HAProxy is designed to run with very limited privileges. The standard way to
2625use it is to isolate it into a chroot jail and to drop its privileges to a
2626non-root user without any permissions inside this jail so that if any future
2627vulnerability were to be discovered, its compromise would not affect the rest
2628of the system.
2629
Dan Lloyd8e48b872016-07-01 21:01:18 -04002630In order to perform a chroot, it first needs to be started as a root user. It is
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002631pointless to build hand-made chroots to start the process there, these ones are
2632painful to build, are never properly maintained and always contain way more
2633bugs than the main file-system. And in case of compromise, the intruder can use
2634the purposely built file-system. Unfortunately many administrators confuse
2635"start as root" and "run as root", resulting in the uid change to be done prior
2636to starting haproxy, and reducing the effective security restrictions.
2637
2638HAProxy will need to be started as root in order to :
2639 - adjust the file descriptor limits
2640 - bind to privileged port numbers
2641 - bind to a specific network interface
2642 - transparently listen to a foreign address
2643 - isolate itself inside the chroot jail
2644 - drop to another non-privileged UID
2645
2646HAProxy may require to be run as root in order to :
2647 - bind to an interface for outgoing connections
2648 - bind to privileged source ports for outgoing connections
Dan Lloyd8e48b872016-07-01 21:01:18 -04002649 - transparently bind to a foreign address for outgoing connections
Willy Tarreau2212e6a2015-10-13 14:40:55 +02002650
2651Most users will never need the "run as root" case. But the "start as root"
2652covers most usages.
2653
2654A safe configuration will have :
2655
2656 - a chroot statement pointing to an empty location without any access
2657 permissions. This can be prepared this way on the UNIX command line :
2658
2659 # mkdir /var/empty && chmod 0 /var/empty || echo "Failed"
2660
2661 and referenced like this in the HAProxy configuration's global section :
2662
2663 chroot /var/empty
2664
2665 - both a uid/user and gid/group statements in the global section :
2666
2667 user haproxy
2668 group haproxy
2669
2670 - a stats socket whose mode, uid and gid are set to match the user and/or
2671 group allowed to access the CLI so that nobody may access it :
2672
2673 stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600
2674