blob: 887a26fbad1e24dc19ea03943891e16c37ee074f [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
Willy Tarreau8317b282014-04-23 01:49:41 +02002 HAProxy
Willy Tarreau6a06a402007-07-15 20:15:28 +02003 Configuration Manual
4 ----------------------
Willy Tarreau15480d72014-06-19 21:10:58 +02005 version 1.6
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreaua02e8a62015-09-14 12:23:10 +02007 2015/09/14
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
William Lallemandf9873ba2015-05-05 17:37:14 +0200422.2. Quoting and escaping
William Lallemandb2f07452015-05-12 14:27:13 +0200432.3. Environment variables
442.4. Time format
452.5. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020046
473. Global parameters
483.1. Process management and security
493.2. Performance tuning
503.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100513.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200523.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020053
544. Proxies
554.1. Proxy keywords matrix
564.2. Alphabetically sorted keywords reference
57
Willy Tarreau086fbf52012-09-24 20:34:51 +0200585. Bind and Server options
595.1. Bind options
605.2. Server and default-server options
Baptiste Assmann1fa66662015-04-14 00:28:47 +0200615.3. Server DNS resolution
625.3.1. Global overview
635.3.2. The resolvers section
Willy Tarreauc57f0e22009-05-10 13:12:33 +020064
656. HTTP header manipulation
66
Willy Tarreau74ca5042013-06-11 23:12:07 +0200677. Using ACLs and fetching samples
687.1. ACL basics
697.1.1. Matching booleans
707.1.2. Matching integers
717.1.3. Matching strings
727.1.4. Matching regular expressions (regexes)
737.1.5. Matching arbitrary data blocks
747.1.6. Matching IPv4 and IPv6 addresses
757.2. Using ACLs to form conditions
767.3. Fetching samples
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200777.3.1. Converters
787.3.2. Fetching samples from internal states
797.3.3. Fetching samples at Layer 4
807.3.4. Fetching samples at Layer 5
817.3.5. Fetching samples from buffer contents (Layer 6)
827.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +0200837.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020084
858. Logging
868.1. Log levels
878.2. Log formats
888.2.1. Default log format
898.2.2. TCP log format
908.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100918.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +0100928.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200938.3. Advanced logging options
948.3.1. Disabling logging of external tests
958.3.2. Logging before waiting for the session to terminate
968.3.3. Raising log level upon errors
978.3.4. Disabling logging of successful connections
988.4. Timing events
998.5. Session state at disconnection
1008.6. Non-printable characters
1018.7. Capturing HTTP cookies
1028.8. Capturing HTTP headers
1038.9. Examples of logs
104
1059. Statistics and monitoring
1069.1. CSV format
1079.2. Unix Socket commands
108
109
1101. Quick reminder about HTTP
111----------------------------
112
113When haproxy is running in HTTP mode, both the request and the response are
114fully analyzed and indexed, thus it becomes possible to build matching criteria
115on almost anything found in the contents.
116
117However, it is important to understand how HTTP requests and responses are
118formed, and how HAProxy decomposes them. It will then become easier to write
119correct rules and to debug existing configurations.
120
121
1221.1. The HTTP transaction model
123-------------------------------
124
125The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100126to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200127from the client to the server, a request is sent by the client on the
128connection, the server responds and the connection is closed. A new request
129will involve a new connection :
130
131 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
132
133In this mode, called the "HTTP close" mode, there are as many connection
134establishments as there are HTTP transactions. Since the connection is closed
135by the server after the response, the client does not need to know the content
136length.
137
138Due to the transactional nature of the protocol, it was possible to improve it
139to avoid closing a connection between two subsequent transactions. In this mode
140however, it is mandatory that the server indicates the content length for each
141response so that the client does not wait indefinitely. For this, a special
142header is used: "Content-length". This mode is called the "keep-alive" mode :
143
144 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
145
146Its advantages are a reduced latency between transactions, and less processing
147power required on the server side. It is generally better than the close mode,
148but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200149a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200150
151A last improvement in the communications is the pipelining mode. It still uses
152keep-alive, but the client does not wait for the first response to send the
153second request. This is useful for fetching large number of images composing a
154page :
155
156 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
157
158This can obviously have a tremendous benefit on performance because the network
159latency is eliminated between subsequent requests. Many HTTP agents do not
160correctly support pipelining since there is no way to associate a response with
161the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100162server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200163
Willy Tarreau70dffda2014-01-30 03:07:23 +0100164By default HAProxy operates in keep-alive mode with regards to persistent
165connections: for each connection it processes each request and response, and
166leaves the connection idle on both sides between the end of a response and the
167start of a new request.
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200168
Willy Tarreau70dffda2014-01-30 03:07:23 +0100169HAProxy supports 5 connection modes :
170 - keep alive : all requests and responses are processed (default)
171 - tunnel : only the first request and response are processed,
172 everything else is forwarded with no analysis.
173 - passive close : tunnel with "Connection: close" added in both directions.
174 - server close : the server-facing connection is closed after the response.
175 - forced close : the connection is actively closed after end of response.
176
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200177
1781.2. HTTP request
179-----------------
180
181First, let's consider this HTTP request :
182
183 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100184 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200185 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
186 2 Host: www.mydomain.com
187 3 User-agent: my small browser
188 4 Accept: image/jpeg, image/gif
189 5 Accept: image/png
190
191
1921.2.1. The Request line
193-----------------------
194
195Line 1 is the "request line". It is always composed of 3 fields :
196
197 - a METHOD : GET
198 - a URI : /serv/login.php?lang=en&profile=2
199 - a version tag : HTTP/1.1
200
201All of them are delimited by what the standard calls LWS (linear white spaces),
202which are commonly spaces, but can also be tabs or line feeds/carriage returns
203followed by spaces/tabs. The method itself cannot contain any colon (':') and
204is limited to alphabetic letters. All those various combinations make it
205desirable that HAProxy performs the splitting itself rather than leaving it to
206the user to write a complex or inaccurate regular expression.
207
208The URI itself can have several forms :
209
210 - A "relative URI" :
211
212 /serv/login.php?lang=en&profile=2
213
214 It is a complete URL without the host part. This is generally what is
215 received by servers, reverse proxies and transparent proxies.
216
217 - An "absolute URI", also called a "URL" :
218
219 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
220
221 It is composed of a "scheme" (the protocol name followed by '://'), a host
222 name or address, optionally a colon (':') followed by a port number, then
223 a relative URI beginning at the first slash ('/') after the address part.
224 This is generally what proxies receive, but a server supporting HTTP/1.1
225 must accept this form too.
226
227 - a star ('*') : this form is only accepted in association with the OPTIONS
228 method and is not relayable. It is used to inquiry a next hop's
229 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100230
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200231 - an address:port combination : 192.168.0.12:80
232 This is used with the CONNECT method, which is used to establish TCP
233 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
234 other protocols too.
235
236In a relative URI, two sub-parts are identified. The part before the question
237mark is called the "path". It is typically the relative path to static objects
238on the server. The part after the question mark is called the "query string".
239It is mostly used with GET requests sent to dynamic scripts and is very
240specific to the language, framework or application in use.
241
242
2431.2.2. The request headers
244--------------------------
245
246The headers start at the second line. They are composed of a name at the
247beginning of the line, immediately followed by a colon (':'). Traditionally,
248an LWS is added after the colon but that's not required. Then come the values.
249Multiple identical headers may be folded into one single line, delimiting the
250values with commas, provided that their order is respected. This is commonly
251encountered in the "Cookie:" field. A header may span over multiple lines if
252the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
253define a total of 3 values for the "Accept:" header.
254
255Contrary to a common mis-conception, header names are not case-sensitive, and
256their values are not either if they refer to other header names (such as the
257"Connection:" header).
258
259The end of the headers is indicated by the first empty line. People often say
260that it's a double line feed, which is not exact, even if a double line feed
261is one valid form of empty line.
262
263Fortunately, HAProxy takes care of all these complex combinations when indexing
264headers, checking values and counting them, so there is no reason to worry
265about the way they could be written, but it is important not to accuse an
266application of being buggy if it does unusual, valid things.
267
268Important note:
269 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
270 in the middle of headers by LWS in order to join multi-line headers. This
271 is necessary for proper analysis and helps less capable HTTP parsers to work
272 correctly and not to be fooled by such complex constructs.
273
274
2751.3. HTTP response
276------------------
277
278An HTTP response looks very much like an HTTP request. Both are called HTTP
279messages. Let's consider this HTTP response :
280
281 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100282 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200283 1 HTTP/1.1 200 OK
284 2 Content-length: 350
285 3 Content-Type: text/html
286
Willy Tarreau816b9792009-09-15 21:25:21 +0200287As a special case, HTTP supports so called "Informational responses" as status
288codes 1xx. These messages are special in that they don't convey any part of the
289response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100290continue to post its request for instance. In the case of a status 100 response
291the requested information will be carried by the next non-100 response message
292following the informational one. This implies that multiple responses may be
293sent to a single request, and that this only works when keep-alive is enabled
294(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
295correctly forward and skip them, and only process the next non-100 response. As
296such, these messages are neither logged nor transformed, unless explicitly
297state otherwise. Status 101 messages indicate that the protocol is changing
298over the same connection and that haproxy must switch to tunnel mode, just as
299if a CONNECT had occurred. Then the Upgrade header would contain additional
300information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200301
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200302
3031.3.1. The Response line
304------------------------
305
306Line 1 is the "response line". It is always composed of 3 fields :
307
308 - a version tag : HTTP/1.1
309 - a status code : 200
310 - a reason : OK
311
312The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200313 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200314 - 2xx = OK, content is following (eg: 200, 206)
315 - 3xx = OK, no content following (eg: 302, 304)
316 - 4xx = error caused by the client (eg: 401, 403, 404)
317 - 5xx = error caused by the server (eg: 500, 502, 503)
318
319Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100320"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200321found there, but it's a common practice to respect the well-established
322messages. It can be composed of one or multiple words, such as "OK", "Found",
323or "Authentication Required".
324
325Haproxy may emit the following status codes by itself :
326
327 Code When / reason
328 200 access to stats page, and when replying to monitoring requests
329 301 when performing a redirection, depending on the configured code
330 302 when performing a redirection, depending on the configured code
331 303 when performing a redirection, depending on the configured code
Willy Tarreaub67fdc42013-03-29 19:28:11 +0100332 307 when performing a redirection, depending on the configured code
333 308 when performing a redirection, depending on the configured code
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200334 400 for an invalid or too large request
335 401 when an authentication is required to perform the action (when
336 accessing the stats page)
337 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
338 408 when the request timeout strikes before the request is complete
339 500 when haproxy encounters an unrecoverable internal error, such as a
340 memory allocation failure, which should never happen
341 502 when the server returns an empty, invalid or incomplete response, or
342 when an "rspdeny" filter blocks the response.
343 503 when no server was available to handle the request, or in response to
344 monitoring requests which match the "monitor fail" condition
345 504 when the response timeout strikes before the server responds
346
347The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3484.2).
349
350
3511.3.2. The response headers
352---------------------------
353
354Response headers work exactly like request headers, and as such, HAProxy uses
355the same parsing function for both. Please refer to paragraph 1.2.2 for more
356details.
357
358
3592. Configuring HAProxy
360----------------------
361
3622.1. Configuration file format
363------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200364
365HAProxy's configuration process involves 3 major sources of parameters :
366
367 - the arguments from the command-line, which always take precedence
368 - the "global" section, which sets process-wide parameters
369 - the proxies sections which can take form of "defaults", "listen",
370 "frontend" and "backend".
371
Willy Tarreau0ba27502007-12-24 16:55:16 +0100372The configuration file syntax consists in lines beginning with a keyword
373referenced in this manual, optionally followed by one or several parameters
William Lallemandf9873ba2015-05-05 17:37:14 +0200374delimited by spaces.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100375
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200376
William Lallemandf9873ba2015-05-05 17:37:14 +02003772.2. Quoting and escaping
378-------------------------
379
380HAProxy's configuration introduces a quoting and escaping system similar to
381many programming languages. The configuration file supports 3 types: escaping
382with a backslash, weak quoting with double quotes, and strong quoting with
383single quotes.
384
385If spaces have to be entered in strings, then they must be escaped by preceding
386them by a backslash ('\') or by quoting them. Backslashes also have to be
387escaped by doubling or strong quoting them.
388
389Escaping is achieved by preceding a special character by a backslash ('\'):
390
391 \ to mark a space and differentiate it from a delimiter
392 \# to mark a hash and differentiate it from a comment
393 \\ to use a backslash
394 \' to use a single quote and differentiate it from strong quoting
395 \" to use a double quote and differentiate it from weak quoting
396
397Weak quoting is achieved by using double quotes (""). Weak quoting prevents
398the interpretation of:
399
400 space as a parameter separator
401 ' single quote as a strong quoting delimiter
402 # hash as a comment start
403
William Lallemandb2f07452015-05-12 14:27:13 +0200404Weak quoting permits the interpretation of variables, if you want to use a non
405-interpreted dollar within a double quoted string, you should escape it with a
406backslash ("\$"), it does not work outside weak quoting.
407
408Interpretation of escaping and special characters are not prevented by weak
William Lallemandf9873ba2015-05-05 17:37:14 +0200409quoting.
410
411Strong quoting is achieved by using single quotes (''). Inside single quotes,
412nothing is interpreted, it's the efficient way to quote regexes.
413
414Quoted and escaped strings are replaced in memory by their interpreted
415equivalent, it allows you to perform concatenation.
416
417 Example:
418 # those are equivalents:
419 log-format %{+Q}o\ %t\ %s\ %{-Q}r
420 log-format "%{+Q}o %t %s %{-Q}r"
421 log-format '%{+Q}o %t %s %{-Q}r'
422 log-format "%{+Q}o %t"' %s %{-Q}r'
423 log-format "%{+Q}o %t"' %s'\ %{-Q}r
424
425 # those are equivalents:
426 reqrep "^([^\ :]*)\ /static/(.*)" \1\ /\2
427 reqrep "^([^ :]*)\ /static/(.*)" '\1 /\2'
428 reqrep "^([^ :]*)\ /static/(.*)" "\1 /\2"
429 reqrep "^([^ :]*)\ /static/(.*)" "\1\ /\2"
430
431
William Lallemandb2f07452015-05-12 14:27:13 +02004322.3. Environment variables
433--------------------------
434
435HAProxy's configuration supports environment variables. Those variables are
436interpreted only within double quotes. Variables are expanded during the
437configuration parsing. Variable names must be preceded by a dollar ("$") and
438optionally enclosed with braces ("{}") similarly to what is done in Bourne
439shell. Variable names can contain alphanumerical characters or the character
440underscore ("_") but should not start with a digit.
441
442 Example:
443
444 bind "fd@${FD_APP1}"
445
446 log "${LOCAL_SYSLOG}:514" local0 notice # send to local server
447
448 user "$HAPROXY_USER"
449
450
4512.4. Time format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200452----------------
453
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100454Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100455values are generally expressed in milliseconds (unless explicitly stated
456otherwise) but may be expressed in any other unit by suffixing the unit to the
457numeric value. It is important to consider this because it will not be repeated
458for every keyword. Supported units are :
459
460 - us : microseconds. 1 microsecond = 1/1000000 second
461 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
462 - s : seconds. 1s = 1000ms
463 - m : minutes. 1m = 60s = 60000ms
464 - h : hours. 1h = 60m = 3600s = 3600000ms
465 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
466
467
William Lallemandf9873ba2015-05-05 17:37:14 +02004682.4. Examples
Patrick Mezard35da19c2010-06-12 17:02:47 +0200469-------------
470
471 # Simple configuration for an HTTP proxy listening on port 80 on all
472 # interfaces and forwarding requests to a single backend "servers" with a
473 # single server "server1" listening on 127.0.0.1:8000
474 global
475 daemon
476 maxconn 256
477
478 defaults
479 mode http
480 timeout connect 5000ms
481 timeout client 50000ms
482 timeout server 50000ms
483
484 frontend http-in
485 bind *:80
486 default_backend servers
487
488 backend servers
489 server server1 127.0.0.1:8000 maxconn 32
490
491
492 # The same configuration defined with a single listen block. Shorter but
493 # less expressive, especially in HTTP mode.
494 global
495 daemon
496 maxconn 256
497
498 defaults
499 mode http
500 timeout connect 5000ms
501 timeout client 50000ms
502 timeout server 50000ms
503
504 listen http-in
505 bind *:80
506 server server1 127.0.0.1:8000 maxconn 32
507
508
509Assuming haproxy is in $PATH, test these configurations in a shell with:
510
Willy Tarreauccb289d2010-12-11 20:19:38 +0100511 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200512
513
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005143. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200515--------------------
516
517Parameters in the "global" section are process-wide and often OS-specific. They
518are generally set once for all and do not need being changed once correct. Some
519of them have command-line equivalents.
520
521The following keywords are supported in the "global" section :
522
523 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200524 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200525 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200526 - crt-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200527 - daemon
Simon Horman98637e52014-06-20 12:30:16 +0900528 - external-check
Willy Tarreau6a06a402007-07-15 20:15:28 +0200529 - gid
530 - group
531 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100532 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200533 - nbproc
534 - pidfile
535 - uid
536 - ulimit-n
537 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200538 - stats
Emeric Brun850efd52014-01-29 12:24:34 +0100539 - ssl-server-verify
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200540 - node
541 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100542 - unix-bind
Thomas Holmesdb04f192015-05-18 13:21:39 +0100543 - 51degrees-data-file
544 - 51degrees-property-name-list
Dragan Dosen93b38d92015-06-29 16:43:25 +0200545 - 51degrees-property-separator
Dragan Dosenae6d39a2015-06-29 16:43:27 +0200546 - 51degrees-cache-size
Willy Tarreaud72758d2010-01-12 10:42:19 +0100547
Willy Tarreau6a06a402007-07-15 20:15:28 +0200548 * Performance tuning
Willy Tarreau1746eec2014-04-25 10:46:47 +0200549 - max-spread-checks
Willy Tarreau6a06a402007-07-15 20:15:28 +0200550 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200551 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +0100552 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +0100553 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100554 - maxpipes
Willy Tarreau93e7c002013-10-07 18:51:07 +0200555 - maxsessrate
Willy Tarreau403edff2012-09-06 11:58:37 +0200556 - maxsslconn
Willy Tarreaue43d5322013-10-07 20:01:52 +0200557 - maxsslrate
Willy Tarreau6a06a402007-07-15 20:15:28 +0200558 - noepoll
559 - nokqueue
560 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100561 - nosplice
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300562 - nogetaddrinfo
Willy Tarreaufe255b72007-10-14 23:09:26 +0200563 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200564 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200565 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +0100566 - tune.comp.maxlevel
Willy Tarreau193b8c62012-11-22 00:17:38 +0100567 - tune.http.cookielen
Willy Tarreauac1932d2011-10-24 19:14:41 +0200568 - tune.http.maxhdr
Willy Tarreau7e312732014-02-12 16:35:14 +0100569 - tune.idletimer
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100570 - tune.lua.forced-yield
Willy Tarreau32f61e22015-03-18 17:54:59 +0100571 - tune.lua.maxmem
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100572 - tune.lua.session-timeout
573 - tune.lua.task-timeout
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100574 - tune.maxaccept
575 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200576 - tune.maxrewrite
Willy Tarreauf3045d22015-04-29 16:24:50 +0200577 - tune.pattern.cache-size
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200578 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100579 - tune.rcvbuf.client
580 - tune.rcvbuf.server
581 - tune.sndbuf.client
582 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100583 - tune.ssl.cachesize
Willy Tarreaubfd59462013-02-21 07:46:09 +0100584 - tune.ssl.lifetime
Emeric Brun8dc60392014-05-09 13:52:00 +0200585 - tune.ssl.force-private-cache
Willy Tarreaubfd59462013-02-21 07:46:09 +0100586 - tune.ssl.maxrecord
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200587 - tune.ssl.default-dh-param
Christopher Faulet31af49d2015-06-09 17:29:50 +0200588 - tune.ssl.ssl-ctx-cache-size
Thierry FOURNIER4834bc72015-06-06 19:29:07 +0200589 - tune.vars.global-max-size
590 - tune.vars.reqres-max-size
591 - tune.vars.sess-max-size
592 - tune.vars.txn-max-size
William Lallemanda509e4c2012-11-07 16:54:34 +0100593 - tune.zlib.memlevel
594 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +0100595
Willy Tarreau6a06a402007-07-15 20:15:28 +0200596 * Debugging
597 - debug
598 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200599
600
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006013.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200602------------------------------------
603
Emeric Brunc8e8d122012-10-02 18:42:10 +0200604ca-base <dir>
605 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emeric Brunfd33a262012-10-11 16:28:27 +0200606 relative path is used with "ca-file" or "crl-file" directives. Absolute
607 locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200608
Willy Tarreau6a06a402007-07-15 20:15:28 +0200609chroot <jail dir>
610 Changes current directory to <jail dir> and performs a chroot() there before
611 dropping privileges. This increases the security level in case an unknown
612 vulnerability would be exploited, since it would make it very hard for the
613 attacker to exploit the system. This only works when the process is started
614 with superuser privileges. It is important to ensure that <jail_dir> is both
615 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100616
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100617cpu-map <"all"|"odd"|"even"|process_num> <cpu-set>...
618 On Linux 2.6 and above, it is possible to bind a process to a specific CPU
619 set. This means that the process will never run on other CPUs. The "cpu-map"
620 directive specifies CPU sets for process sets. The first argument is the
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100621 process number to bind. This process must have a number between 1 and 32 or
622 64, depending on the machine's word size, and any process IDs above nbproc
623 are ignored. It is possible to specify all processes at once using "all",
624 only odd numbers using "odd" or even numbers using "even", just like with the
625 "bind-process" directive. The second and forthcoming arguments are CPU sets.
626 Each CPU set is either a unique number between 0 and 31 or 63 or a range with
627 two such numbers delimited by a dash ('-'). Multiple CPU numbers or ranges
628 may be specified, and the processes will be allowed to bind to all of them.
629 Obviously, multiple "cpu-map" directives may be specified. Each "cpu-map"
630 directive will replace the previous ones when they overlap.
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100631
Emeric Brunc8e8d122012-10-02 18:42:10 +0200632crt-base <dir>
633 Assigns a default directory to fetch SSL certificates from when a relative
634 path is used with "crtfile" directives. Absolute locations specified after
635 "crtfile" prevail and ignore "crt-base".
636
Willy Tarreau6a06a402007-07-15 20:15:28 +0200637daemon
638 Makes the process fork into background. This is the recommended mode of
639 operation. It is equivalent to the command line "-D" argument. It can be
640 disabled by the command line "-db" argument.
641
David Carlier8167f302015-06-01 13:50:06 +0200642deviceatlas-json-file <path>
643 Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
644 The path must be a valid JSON data file and accessible by Haproxy process.
645
646deviceatlas-log-level <value>
647 Sets the level of informations returned by the API. This directive is
648 optional and set to 0 by default if not set.
649
650deviceatlas-separator <char>
651 Sets the character separator for the API properties results. This directive
652 is optional and set to | by default if not set.
653
Simon Horman98637e52014-06-20 12:30:16 +0900654external-check
655 Allows the use of an external agent to perform health checks.
656 This is disabled by default as a security precaution.
657 See "option external-check".
658
Willy Tarreau6a06a402007-07-15 20:15:28 +0200659gid <number>
660 Changes the process' group ID to <number>. It is recommended that the group
661 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
662 be started with a user belonging to this group, or with superuser privileges.
Michael Schererab012dd2013-01-12 18:35:19 +0100663 Note that if haproxy is started from a user having supplementary groups, it
664 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200665 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100666
Willy Tarreau6a06a402007-07-15 20:15:28 +0200667group <group name>
668 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
669 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100670
Willy Tarreau18324f52014-06-27 18:10:07 +0200671log <address> [len <length>] <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200672 Adds a global syslog server. Up to two global servers can be defined. They
673 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100674 configured with "log global".
675
676 <address> can be one of:
677
Willy Tarreau2769aa02007-12-27 18:26:09 +0100678 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100679 no port is specified, 514 is used by default (the standard syslog
680 port).
681
David du Colombier24bb5f52011-03-17 10:40:23 +0100682 - An IPv6 address followed by a colon and optionally a UDP port. If
683 no port is specified, 514 is used by default (the standard syslog
684 port).
685
Robert Tsai81ae1952007-12-05 10:47:29 +0100686 - A filesystem path to a UNIX domain socket, keeping in mind
687 considerations for chroot (be sure the path is accessible inside
688 the chroot) and uid/gid (be sure the path is appropriately
689 writeable).
690
William Lallemandb2f07452015-05-12 14:27:13 +0200691 You may want to reference some environment variables in the address
692 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +0100693
Willy Tarreau18324f52014-06-27 18:10:07 +0200694 <length> is an optional maximum line length. Log lines larger than this value
695 will be truncated before being sent. The reason is that syslog
696 servers act differently on log line length. All servers support the
697 default value of 1024, but some servers simply drop larger lines
698 while others do log them. If a server supports long lines, it may
699 make sense to set this value here in order to avoid truncating long
700 lines. Similarly, if a server drops long lines, it is preferable to
701 truncate them before sending them. Accepted values are 80 to 65535
702 inclusive. The default value of 1024 is generally fine for all
703 standard usages. Some specific cases of long captures or
704 JSON-formated logs may require larger values.
705
Robert Tsai81ae1952007-12-05 10:47:29 +0100706 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200707
708 kern user mail daemon auth syslog lpr news
709 uucp cron auth2 ftp ntp audit alert cron2
710 local0 local1 local2 local3 local4 local5 local6 local7
711
712 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200713 all messages are sent. If a maximum level is specified, only messages with a
714 severity at least as important as this level will be sent. An optional minimum
715 level can be specified. If it is set, logs emitted with a more severe level
716 than this one will be capped to this level. This is used to avoid sending
717 "emerg" messages on all terminals on some default syslog configurations.
718 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200719
Cyril Bontédc4d9032012-04-08 21:57:39 +0200720 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200721
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100722log-send-hostname [<string>]
723 Sets the hostname field in the syslog header. If optional "string" parameter
724 is set the header is set to the string contents, otherwise uses the hostname
725 of the system. Generally used if one is not relaying logs through an
726 intermediate syslog server or for simply customizing the hostname printed in
727 the logs.
728
Kevinm48936af2010-12-22 16:08:21 +0000729log-tag <string>
730 Sets the tag field in the syslog header to this string. It defaults to the
731 program name as launched from the command line, which usually is "haproxy".
732 Sometimes it can be useful to differentiate between multiple processes
Willy Tarreau094af4e2015-01-07 15:03:42 +0100733 running on the same host. See also the per-proxy "log-tag" directive.
Kevinm48936af2010-12-22 16:08:21 +0000734
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100735lua-load <file>
736 This global directive loads and executes a Lua file. This directive can be
737 used multiple times.
738
Willy Tarreau6a06a402007-07-15 20:15:28 +0200739nbproc <number>
740 Creates <number> processes when going daemon. This requires the "daemon"
741 mode. By default, only one process is created, which is the recommended mode
742 of operation. For systems limited to small sets of file descriptors per
743 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
744 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
745
746pidfile <pidfile>
747 Writes pids of all daemons into file <pidfile>. This option is equivalent to
748 the "-p" command line argument. The file must be accessible to the user
749 starting the process. See also "daemon".
750
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100751stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +0200752 Limits the stats socket to a certain set of processes numbers. By default the
753 stats socket is bound to all processes, causing a warning to be emitted when
754 nbproc is greater than 1 because there is no way to select the target process
755 when connecting. However, by using this setting, it becomes possible to pin
756 the stats socket to a specific set of processes, typically the first one. The
757 warning will automatically be disabled when this setting is used, whatever
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100758 the number of processes used. The maximum process ID depends on the machine's
Willy Tarreauae302532014-05-07 19:22:24 +0200759 word size (32 or 64). A better option consists in using the "process" setting
760 of the "stats socket" line to force the process on each line.
Willy Tarreau35b7b162012-10-22 23:17:18 +0200761
Willy Tarreau610f04b2014-02-13 11:36:41 +0100762ssl-default-bind-ciphers <ciphers>
763 This setting is only available when support for OpenSSL was built in. It sets
764 the default string describing the list of cipher algorithms ("cipher suite")
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300765 that are negotiated during the SSL/TLS handshake for all "bind" lines which
Willy Tarreau610f04b2014-02-13 11:36:41 +0100766 do not explicitly define theirs. The format of the string is defined in
767 "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
768 as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
769 "bind" keyword for more information.
770
Emeric Brun2c86cbf2014-10-30 15:56:50 +0100771ssl-default-bind-options [<option>]...
772 This setting is only available when support for OpenSSL was built in. It sets
773 default ssl-options to force on all "bind" lines. Please check the "bind"
774 keyword to see available options.
775
776 Example:
777 global
778 ssl-default-bind-options no-sslv3 no-tls-tickets
779
Willy Tarreau610f04b2014-02-13 11:36:41 +0100780ssl-default-server-ciphers <ciphers>
781 This setting is only available when support for OpenSSL was built in. It
782 sets the default string describing the list of cipher algorithms that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300783 negotiated during the SSL/TLS handshake with the server, for all "server"
Willy Tarreau610f04b2014-02-13 11:36:41 +0100784 lines which do not explicitly define theirs. The format of the string is
785 defined in "man 1 ciphers". Please check the "server" keyword for more
786 information.
787
Emeric Brun2c86cbf2014-10-30 15:56:50 +0100788ssl-default-server-options [<option>]...
789 This setting is only available when support for OpenSSL was built in. It sets
790 default ssl-options to force on all "server" lines. Please check the "server"
791 keyword to see available options.
792
Remi Gacogne47783ef2015-05-29 15:53:22 +0200793ssl-dh-param-file <file>
794 This setting is only available when support for OpenSSL was built in. It sets
795 the default DH parameters that are used during the SSL/TLS handshake when
796 ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
797 which do not explicitely define theirs. It will be overridden by custom DH
798 parameters found in a bind certificate file if any. If custom DH parameters
799 are not specified either by using ssl-dh-param-file or by setting them directly
800 in the certificate file, pre-generated DH parameters of the size specified
801 by tune.ssl.default-dh-param will be used. Custom parameters are known to be
802 more secure and therefore their use is recommended.
803 Custom DH parameters may be generated by using the OpenSSL command
804 "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
805 parameters should not be considered secure anymore.
806
Emeric Brun850efd52014-01-29 12:24:34 +0100807ssl-server-verify [none|required]
808 The default behavior for SSL verify on servers side. If specified to 'none',
809 servers certificates are not verified. The default is 'required' except if
810 forced using cmdline option '-dV'.
811
Willy Tarreauabb175f2012-09-24 12:43:26 +0200812stats socket [<address:port>|<path>] [param*]
813 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
814 Connections to this socket will return various statistics outputs and even
815 allow some commands to be issued to change some runtime settings. Please
816 consult section 9.2 "Unix Socket commands" for more details.
Willy Tarreau6162db22009-10-10 17:13:00 +0200817
Willy Tarreauabb175f2012-09-24 12:43:26 +0200818 All parameters supported by "bind" lines are supported, for instance to
819 restrict access to some users or their access rights. Please consult
820 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200821
822stats timeout <timeout, in milliseconds>
823 The default timeout on the stats socket is set to 10 seconds. It is possible
824 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100825 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200826
827stats maxconn <connections>
828 By default, the stats socket is limited to 10 concurrent connections. It is
829 possible to change this value with "stats maxconn".
830
Willy Tarreau6a06a402007-07-15 20:15:28 +0200831uid <number>
832 Changes the process' user ID to <number>. It is recommended that the user ID
833 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
834 be started with superuser privileges in order to be able to switch to another
835 one. See also "gid" and "user".
836
837ulimit-n <number>
838 Sets the maximum number of per-process file-descriptors to <number>. By
839 default, it is automatically computed, so it is recommended not to use this
840 option.
841
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100842unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
843 [ group <group> ] [ gid <gid> ]
844
845 Fixes common settings to UNIX listening sockets declared in "bind" statements.
846 This is mainly used to simplify declaration of those UNIX sockets and reduce
847 the risk of errors, since those settings are most commonly required but are
848 also process-specific. The <prefix> setting can be used to force all socket
849 path to be relative to that directory. This might be needed to access another
850 component's chroot. Note that those paths are resolved before haproxy chroots
851 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
852 all have the same meaning as their homonyms used by the "bind" statement. If
853 both are specified, the "bind" statement has priority, meaning that the
854 "unix-bind" settings may be seen as process-wide default settings.
855
Willy Tarreau6a06a402007-07-15 20:15:28 +0200856user <user name>
857 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
858 See also "uid" and "group".
859
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200860node <name>
861 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
862
863 This statement is useful in HA configurations where two or more processes or
864 servers share the same IP address. By setting a different node-name on all
865 nodes, it becomes easy to immediately spot what server is handling the
866 traffic.
867
868description <text>
869 Add a text that describes the instance.
870
871 Please note that it is required to escape certain characters (# for example)
872 and this text is inserted into a html page so you should avoid using
873 "<" and ">" characters.
874
Thomas Holmesdb04f192015-05-18 13:21:39 +010087551degrees-data-file <file path>
876 The path of the 51Degrees data file to provide device detection services. The
877 file should be unzipped and accessible by HAProxy with relevavnt permissions.
878
Dragan Dosenae6d39a2015-06-29 16:43:27 +0200879 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +0100880 compiled with USE_51DEGREES.
881
88251degrees-property-name-list [<string>]
883 A list of 51Degrees property names to be load from the dataset. A full list
884 of names is available on the 51Degrees website:
885 https://51degrees.com/resources/property-dictionary
886
Dragan Dosenae6d39a2015-06-29 16:43:27 +0200887 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +0100888 compiled with USE_51DEGREES.
889
Dragan Dosen93b38d92015-06-29 16:43:25 +020089051degrees-property-separator <char>
Thomas Holmesdb04f192015-05-18 13:21:39 +0100891 A char that will be appended to every property value in a response header
892 containing 51Degrees results. If not set that will be set as ','.
893
Dragan Dosenae6d39a2015-06-29 16:43:27 +0200894 Please note that this option is only available when haproxy has been
895 compiled with USE_51DEGREES.
896
89751degrees-cache-size <number>
898 Sets the size of the 51Degrees converter cache to <number> entries. This
899 is an LRU cache which reminds previous device detections and their results.
900 By default, this cache is disabled.
901
902 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +0100903 compiled with USE_51DEGREES.
904
Willy Tarreau6a06a402007-07-15 20:15:28 +0200905
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009063.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200907-----------------------
908
Willy Tarreau1746eec2014-04-25 10:46:47 +0200909max-spread-checks <delay in milliseconds>
910 By default, haproxy tries to spread the start of health checks across the
911 smallest health check interval of all the servers in a farm. The principle is
912 to avoid hammering services running on the same server. But when using large
913 check intervals (10 seconds or more), the last servers in the farm take some
914 time before starting to be tested, which can be a problem. This parameter is
915 used to enforce an upper bound on delay between the first and the last check,
916 even if the servers' check intervals are larger. When servers run with
917 shorter intervals, their intervals will be respected though.
918
Willy Tarreau6a06a402007-07-15 20:15:28 +0200919maxconn <number>
920 Sets the maximum per-process number of concurrent connections to <number>. It
921 is equivalent to the command-line argument "-n". Proxies will stop accepting
922 connections when this limit is reached. The "ulimit-n" parameter is
Willy Tarreau8274e102014-06-19 15:31:25 +0200923 automatically adjusted according to this value. See also "ulimit-n". Note:
924 the "select" poller cannot reliably use more than 1024 file descriptors on
925 some platforms. If your platform only supports select and reports "select
926 FAILED" on startup, you need to reduce maxconn until it works (slightly
Willy Tarreaud0256482015-01-15 21:45:22 +0100927 below 500 in general). If this value is not set, it will default to the value
928 set in DEFAULT_MAXCONN at build time (reported in haproxy -vv) if no memory
929 limit is enforced, or will be computed based on the memory limit, the buffer
930 size, memory allocated to compression, SSL cache size, and use or not of SSL
931 and the associated maxsslconn (which can also be automatic).
Willy Tarreau6a06a402007-07-15 20:15:28 +0200932
Willy Tarreau81c25d02011-09-07 15:17:21 +0200933maxconnrate <number>
934 Sets the maximum per-process number of connections per second to <number>.
935 Proxies will stop accepting connections when this limit is reached. It can be
936 used to limit the global capacity regardless of each frontend capacity. It is
937 important to note that this can only be used as a service protection measure,
938 as there will not necessarily be a fair share between frontends when the
939 limit is reached, so it's a good idea to also limit each frontend to some
940 value close to its expected share. Also, lowering tune.maxaccept can improve
941 fairness.
942
William Lallemandd85f9172012-11-09 17:05:39 +0100943maxcomprate <number>
944 Sets the maximum per-process input compression rate to <number> kilobytes
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300945 per second. For each session, if the maximum is reached, the compression
William Lallemandd85f9172012-11-09 17:05:39 +0100946 level will be decreased during the session. If the maximum is reached at the
947 beginning of a session, the session will not compress at all. If the maximum
948 is not reached, the compression level will be increased up to
949 tune.comp.maxlevel. A value of zero means there is no limit, this is the
950 default value.
951
William Lallemand072a2bf2012-11-20 17:01:01 +0100952maxcompcpuusage <number>
953 Sets the maximum CPU usage HAProxy can reach before stopping the compression
954 for new requests or decreasing the compression level of current requests.
955 It works like 'maxcomprate' but measures CPU usage instead of incoming data
956 bandwidth. The value is expressed in percent of the CPU used by haproxy. In
957 case of multiple processes (nbproc > 1), each process manages its individual
958 usage. A value of 100 disable the limit. The default value is 100. Setting
959 a lower value will prevent the compression work from slowing the whole
960 process down and from introducing high latencies.
961
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100962maxpipes <number>
963 Sets the maximum per-process number of pipes to <number>. Currently, pipes
964 are only used by kernel-based tcp splicing. Since a pipe contains two file
965 descriptors, the "ulimit-n" value will be increased accordingly. The default
966 value is maxconn/4, which seems to be more than enough for most heavy usages.
967 The splice code dynamically allocates and releases pipes, and can fall back
968 to standard copy, so setting this value too low may only impact performance.
969
Willy Tarreau93e7c002013-10-07 18:51:07 +0200970maxsessrate <number>
971 Sets the maximum per-process number of sessions per second to <number>.
972 Proxies will stop accepting connections when this limit is reached. It can be
973 used to limit the global capacity regardless of each frontend capacity. It is
974 important to note that this can only be used as a service protection measure,
975 as there will not necessarily be a fair share between frontends when the
976 limit is reached, so it's a good idea to also limit each frontend to some
977 value close to its expected share. Also, lowering tune.maxaccept can improve
978 fairness.
979
Willy Tarreau403edff2012-09-06 11:58:37 +0200980maxsslconn <number>
981 Sets the maximum per-process number of concurrent SSL connections to
982 <number>. By default there is no SSL-specific limit, which means that the
983 global maxconn setting will apply to all connections. Setting this limit
984 avoids having openssl use too much memory and crash when malloc returns NULL
985 (since it unfortunately does not reliably check for such conditions). Note
986 that the limit applies both to incoming and outgoing connections, so one
987 connection which is deciphered then ciphered accounts for 2 SSL connections.
Willy Tarreaud0256482015-01-15 21:45:22 +0100988 If this value is not set, but a memory limit is enforced, this value will be
989 automatically computed based on the memory limit, maxconn, the buffer size,
990 memory allocated to compression, SSL cache size, and use of SSL in either
991 frontends, backends or both. If neither maxconn nor maxsslconn are specified
992 when there is a memory limit, haproxy will automatically adjust these values
993 so that 100% of the connections can be made over SSL with no risk, and will
994 consider the sides where it is enabled (frontend, backend, both).
Willy Tarreau403edff2012-09-06 11:58:37 +0200995
Willy Tarreaue43d5322013-10-07 20:01:52 +0200996maxsslrate <number>
997 Sets the maximum per-process number of SSL sessions per second to <number>.
998 SSL listeners will stop accepting connections when this limit is reached. It
999 can be used to limit the global SSL CPU usage regardless of each frontend
1000 capacity. It is important to note that this can only be used as a service
1001 protection measure, as there will not necessarily be a fair share between
1002 frontends when the limit is reached, so it's a good idea to also limit each
1003 frontend to some value close to its expected share. It is also important to
1004 note that the sessions are accounted before they enter the SSL stack and not
1005 after, which also protects the stack against bad handshakes. Also, lowering
1006 tune.maxaccept can improve fairness.
1007
William Lallemand9d5f5482012-11-07 16:12:57 +01001008maxzlibmem <number>
1009 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
1010 When the maximum amount is reached, future sessions will not compress as long
1011 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +01001012 The default value is 0. The value is available in bytes on the UNIX socket
1013 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
1014 "ZlibMemUsage" in bytes.
1015
Willy Tarreau6a06a402007-07-15 20:15:28 +02001016noepoll
1017 Disables the use of the "epoll" event polling system on Linux. It is
1018 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +01001019 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001020
1021nokqueue
1022 Disables the use of the "kqueue" event polling system on BSD. It is
1023 equivalent to the command-line argument "-dk". The next polling system
1024 used will generally be "poll". See also "nopoll".
1025
1026nopoll
1027 Disables the use of the "poll" event polling system. It is equivalent to the
1028 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001029 It should never be needed to disable "poll" since it's available on all
Willy Tarreaue9f49e72012-11-11 17:42:00 +01001030 platforms supported by HAProxy. See also "nokqueue" and "noepoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001031
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001032nosplice
1033 Disables the use of kernel tcp splicing between sockets on Linux. It is
1034 equivalent to the command line argument "-dS". Data will then be copied
1035 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001036 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001037 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
1038 be used. This option makes it easier to globally disable kernel splicing in
1039 case of doubt. See also "option splice-auto", "option splice-request" and
1040 "option splice-response".
1041
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001042nogetaddrinfo
1043 Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
1044 the command line argument "-dG". Deprecated gethostbyname(3) will be used.
1045
Willy Tarreaufe255b72007-10-14 23:09:26 +02001046spread-checks <0..50, in percent>
Simon Hormand60d6912013-11-25 10:46:36 +09001047 Sometimes it is desirable to avoid sending agent and health checks to
1048 servers at exact intervals, for instance when many logical servers are
1049 located on the same physical server. With the help of this parameter, it
1050 becomes possible to add some randomness in the check interval between 0
1051 and +/- 50%. A value between 2 and 5 seems to show good results. The
1052 default value remains at 0.
Willy Tarreaufe255b72007-10-14 23:09:26 +02001053
Willy Tarreau33cb0652014-12-23 22:52:37 +01001054tune.buffers.limit <number>
1055 Sets a hard limit on the number of buffers which may be allocated per process.
1056 The default value is zero which means unlimited. The minimum non-zero value
1057 will always be greater than "tune.buffers.reserve" and should ideally always
1058 be about twice as large. Forcing this value can be particularly useful to
1059 limit the amount of memory a process may take, while retaining a sane
1060 behaviour. When this limit is reached, sessions which need a buffer wait for
1061 another one to be released by another session. Since buffers are dynamically
1062 allocated and released, the waiting time is very short and not perceptible
1063 provided that limits remain reasonable. In fact sometimes reducing the limit
1064 may even increase performance by increasing the CPU cache's efficiency. Tests
1065 have shown good results on average HTTP traffic with a limit to 1/10 of the
1066 expected global maxconn setting, which also significantly reduces memory
1067 usage. The memory savings come from the fact that a number of connections
1068 will not allocate 2*tune.bufsize. It is best not to touch this value unless
1069 advised to do so by an haproxy core developer.
1070
Willy Tarreau1058ae72014-12-23 22:40:40 +01001071tune.buffers.reserve <number>
1072 Sets the number of buffers which are pre-allocated and reserved for use only
1073 during memory shortage conditions resulting in failed memory allocations. The
1074 minimum value is 2 and is also the default. There is no reason a user would
1075 want to change this value, it's mostly aimed at haproxy core developers.
1076
Willy Tarreau27a674e2009-08-17 07:23:33 +02001077tune.bufsize <number>
1078 Sets the buffer size to this size (in bytes). Lower values allow more
1079 sessions to coexist in the same amount of RAM, and higher values allow some
1080 applications with very large cookies to work. The default value is 16384 and
1081 can be changed at build time. It is strongly recommended not to change this
1082 from the default value, as very low values will break some services such as
1083 statistics, and values larger than default size will increase memory usage,
1084 possibly causing the system to run out of memory. At least the global maxconn
1085 parameter should be decreased by the same factor as this one is increased.
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04001086 If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
1087 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
1088 than this size, haproxy will return HTTP 502 (Bad Gateway).
Willy Tarreau27a674e2009-08-17 07:23:33 +02001089
Willy Tarreau43961d52010-10-04 20:39:20 +02001090tune.chksize <number>
1091 Sets the check buffer size to this size (in bytes). Higher values may help
1092 find string or regex patterns in very large pages, though doing so may imply
1093 more memory and CPU usage. The default value is 16384 and can be changed at
1094 build time. It is not recommended to change this value, but to use better
1095 checks whenever possible.
1096
William Lallemandf3747832012-11-09 12:33:10 +01001097tune.comp.maxlevel <number>
1098 Sets the maximum compression level. The compression level affects CPU
1099 usage during compression. This value affects CPU usage during compression.
1100 Each session using compression initializes the compression algorithm with
1101 this value. The default value is 1.
1102
Willy Tarreau193b8c62012-11-22 00:17:38 +01001103tune.http.cookielen <number>
1104 Sets the maximum length of captured cookies. This is the maximum value that
1105 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
1106 will automatically be truncated to this one. It is important not to set too
1107 high a value because all cookie captures still allocate this size whatever
1108 their configured value (they share a same pool). This value is per request
1109 per response, so the memory allocated is twice this value per connection.
1110 When not specified, the limit is set to 63 characters. It is recommended not
1111 to change this value.
1112
Willy Tarreauac1932d2011-10-24 19:14:41 +02001113tune.http.maxhdr <number>
1114 Sets the maximum number of headers in a request. When a request comes with a
1115 number of headers greater than this value (including the first line), it is
1116 rejected with a "400 Bad Request" status code. Similarly, too large responses
1117 are blocked with "502 Bad Gateway". The default value is 101, which is enough
1118 for all usages, considering that the widely deployed Apache server uses the
1119 same limit. It can be useful to push this limit further to temporarily allow
1120 a buggy application to work by the time it gets fixed. Keep in mind that each
1121 new header consumes 32bits of memory for each session, so don't push this
1122 limit too high.
1123
Willy Tarreau7e312732014-02-12 16:35:14 +01001124tune.idletimer <timeout>
1125 Sets the duration after which haproxy will consider that an empty buffer is
1126 probably associated with an idle stream. This is used to optimally adjust
1127 some packet sizes while forwarding large and small data alternatively. The
1128 decision to use splice() or to send large buffers in SSL is modulated by this
1129 parameter. The value is in milliseconds between 0 and 65535. A value of zero
1130 means that haproxy will not try to detect idle streams. The default is 1000,
1131 which seems to correctly detect end user pauses (eg: read a page before
1132 clicking). There should be not reason for changing this value. Please check
1133 tune.ssl.maxrecord below.
1134
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001135tune.lua.forced-yield <number>
1136 This directive forces the Lua engine to execute a yield each <number> of
1137 instructions executed. This permits interruptng a long script and allows the
1138 HAProxy scheduler to process other tasks like accepting connections or
1139 forwarding traffic. The default value is 10000 instructions. If HAProxy often
1140 executes some Lua code but more reactivity is required, this value can be
1141 lowered. If the Lua code is quite long and its result is absolutely required
1142 to process the data, the <number> can be increased.
1143
Willy Tarreau32f61e22015-03-18 17:54:59 +01001144tune.lua.maxmem
1145 Sets the maximum amount of RAM in megabytes per process usable by Lua. By
1146 default it is zero which means unlimited. It is important to set a limit to
1147 ensure that a bug in a script will not result in the system running out of
1148 memory.
1149
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001150tune.lua.session-timeout <timeout>
1151 This is the execution timeout for the Lua sessions. This is useful for
1152 preventing infinite loops or spending too much time in Lua. This timeout has a
1153 priority over other timeouts. For example, if this timeout is set to 4s and
1154 you run a 5s sleep, the code will be interrupted with an error after waiting
1155 4s.
1156
1157tune.lua.task-timeout <timeout>
1158 Purpose is the same as "tune.lua.session-timeout", but this timeout is
1159 dedicated to the tasks. By default, this timeout isn't set because a task may
1160 remain alive during of the lifetime of HAProxy. For example, a task used to
1161 check servers.
1162
Willy Tarreaua0250ba2008-01-06 11:22:57 +01001163tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +01001164 Sets the maximum number of consecutive connections a process may accept in a
1165 row before switching to other work. In single process mode, higher numbers
1166 give better performance at high connection rates. However in multi-process
1167 modes, keeping a bit of fairness between processes generally is better to
1168 increase performance. This value applies individually to each listener, so
1169 that the number of processes a listener is bound to is taken into account.
1170 This value defaults to 64. In multi-process mode, it is divided by twice
1171 the number of processes the listener is bound to. Setting this value to -1
1172 completely disables the limitation. It should normally not be needed to tweak
1173 this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +01001174
1175tune.maxpollevents <number>
1176 Sets the maximum amount of events that can be processed at once in a call to
1177 the polling system. The default value is adapted to the operating system. It
1178 has been noticed that reducing it below 200 tends to slightly decrease
1179 latency at the expense of network bandwidth, and increasing it above 200
1180 tends to trade latency for slightly increased bandwidth.
1181
Willy Tarreau27a674e2009-08-17 07:23:33 +02001182tune.maxrewrite <number>
1183 Sets the reserved buffer space to this size in bytes. The reserved space is
1184 used for header rewriting or appending. The first reads on sockets will never
1185 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
1186 bufsize, though that does not make much sense since there are rarely large
1187 numbers of headers to add. Setting it too high prevents processing of large
1188 requests or responses. Setting it too low prevents addition of new headers
1189 to already large requests or to POST requests. It is generally wise to set it
1190 to about 1024. It is automatically readjusted to half of bufsize if it is
1191 larger than that. This means you don't have to worry about it when changing
1192 bufsize.
1193
Willy Tarreauf3045d22015-04-29 16:24:50 +02001194tune.pattern.cache-size <number>
1195 Sets the size of the pattern lookup cache to <number> entries. This is an LRU
1196 cache which reminds previous lookups and their results. It is used by ACLs
1197 and maps on slow pattern lookups, namely the ones using the "sub", "reg",
1198 "dir", "dom", "end", "bin" match methods as well as the case-insensitive
1199 strings. It applies to pattern expressions which means that it will be able
1200 to memorize the result of a lookup among all the patterns specified on a
1201 configuration line (including all those loaded from files). It automatically
1202 invalidates entries which are updated using HTTP actions or on the CLI. The
1203 default cache size is set to 10000 entries, which limits its footprint to
1204 about 5 MB on 32-bit systems and 8 MB on 64-bit systems. There is a very low
1205 risk of collision in this cache, which is in the order of the size of the
1206 cache divided by 2^64. Typically, at 10000 requests per second with the
1207 default cache size of 10000 entries, there's 1% chance that a brute force
1208 attack could cause a single collision after 60 years, or 0.1% after 6 years.
1209 This is considered much lower than the risk of a memory corruption caused by
1210 aging components. If this is not acceptable, the cache can be disabled by
1211 setting this parameter to 0.
1212
Willy Tarreaubd9a0a72011-10-23 21:14:29 +02001213tune.pipesize <number>
1214 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
1215 are the default size for the system. But sometimes when using TCP splicing,
1216 it can improve performance to increase pipe sizes, especially if it is
1217 suspected that pipes are not filled and that many calls to splice() are
1218 performed. This has an impact on the kernel's memory footprint, so this must
1219 not be changed if impacts are not understood.
1220
Willy Tarreaue803de22010-01-21 17:43:04 +01001221tune.rcvbuf.client <number>
1222tune.rcvbuf.server <number>
1223 Forces the kernel socket receive buffer size on the client or the server side
1224 to the specified value in bytes. This value applies to all TCP/HTTP frontends
1225 and backends. It should normally never be set, and the default size (0) lets
1226 the kernel autotune this value depending on the amount of available memory.
1227 However it can sometimes help to set it to very low values (eg: 4096) in
1228 order to save kernel memory by preventing it from buffering too large amounts
1229 of received data. Lower values will significantly increase CPU usage though.
1230
1231tune.sndbuf.client <number>
1232tune.sndbuf.server <number>
1233 Forces the kernel socket send buffer size on the client or the server side to
1234 the specified value in bytes. This value applies to all TCP/HTTP frontends
1235 and backends. It should normally never be set, and the default size (0) lets
1236 the kernel autotune this value depending on the amount of available memory.
1237 However it can sometimes help to set it to very low values (eg: 4096) in
1238 order to save kernel memory by preventing it from buffering too large amounts
1239 of received data. Lower values will significantly increase CPU usage though.
1240 Another use case is to prevent write timeouts with extremely slow clients due
1241 to the kernel waiting for a large part of the buffer to be read before
1242 notifying haproxy again.
1243
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001244tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +01001245 Sets the size of the global SSL session cache, in a number of blocks. A block
1246 is large enough to contain an encoded session without peer certificate.
1247 An encoded session with peer certificate is stored in multiple blocks
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001248 depending on the size of the peer certificate. A block uses approximately
Emeric Brunaf9619d2012-11-28 18:47:52 +01001249 200 bytes of memory. The default value may be forced at build time, otherwise
1250 defaults to 20000. When the cache is full, the most idle entries are purged
1251 and reassigned. Higher values reduce the occurrence of such a purge, hence
1252 the number of CPU-intensive SSL handshakes by ensuring that all users keep
1253 their session as long as possible. All entries are pre-allocated upon startup
Emeric Brun22890a12012-12-28 14:41:32 +01001254 and are shared between all processes if "nbproc" is greater than 1. Setting
1255 this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001256
Emeric Brun8dc60392014-05-09 13:52:00 +02001257tune.ssl.force-private-cache
1258 This boolean disables SSL session cache sharing between all processes. It
1259 should normally not be used since it will force many renegotiations due to
1260 clients hitting a random process. But it may be required on some operating
1261 systems where none of the SSL cache synchronization method may be used. In
1262 this case, adding a first layer of hash-based load balancing before the SSL
1263 layer might limit the impact of the lack of session sharing.
1264
Emeric Brun4f65bff2012-11-16 15:11:00 +01001265tune.ssl.lifetime <timeout>
1266 Sets how long a cached SSL session may remain valid. This time is expressed
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001267 in seconds and defaults to 300 (5 min). It is important to understand that it
Emeric Brun4f65bff2012-11-16 15:11:00 +01001268 does not guarantee that sessions will last that long, because if the cache is
1269 full, the longest idle sessions will be purged despite their configured
1270 lifetime. The real usefulness of this setting is to prevent sessions from
1271 being used for too long.
1272
Willy Tarreaubfd59462013-02-21 07:46:09 +01001273tune.ssl.maxrecord <number>
1274 Sets the maximum amount of bytes passed to SSL_write() at a time. Default
1275 value 0 means there is no limit. Over SSL/TLS, the client can decipher the
1276 data only once it has received a full record. With large records, it means
1277 that clients might have to download up to 16kB of data before starting to
1278 process them. Limiting the value can improve page load times on browsers
1279 located over high latency or low bandwidth networks. It is suggested to find
1280 optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over
1281 Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled),
1282 keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and
1283 2859 gave good results during tests. Use "strace -e trace=write" to find the
Willy Tarreau7e312732014-02-12 16:35:14 +01001284 best value. Haproxy will automatically switch to this setting after an idle
1285 stream has been detected (see tune.idletimer above).
Willy Tarreaubfd59462013-02-21 07:46:09 +01001286
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001287tune.ssl.default-dh-param <number>
1288 Sets the maximum size of the Diffie-Hellman parameters used for generating
1289 the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
1290 final size will try to match the size of the server's RSA (or DSA) key (e.g,
1291 a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
1292 this maximum value. Default value if 1024. Only 1024 or higher values are
1293 allowed. Higher values will increase the CPU load, and values greater than
1294 1024 bits are not supported by Java 7 and earlier clients. This value is not
Remi Gacogne47783ef2015-05-29 15:53:22 +02001295 used if static Diffie-Hellman parameters are supplied either directly
1296 in the certificate file or by using the ssl-dh-param-file parameter.
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001297
Christopher Faulet31af49d2015-06-09 17:29:50 +02001298tune.ssl.ssl-ctx-cache-size <number>
1299 Sets the size of the cache used to store generated certificates to <number>
1300 entries. This is a LRU cache. Because generating a SSL certificate
1301 dynamically is expensive, they are cached. The default cache size is set to
1302 1000 entries.
1303
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02001304tune.vars.global-max-size <size>
1305tune.vars.reqres-max-size <size>
1306tune.vars.sess-max-size <size>
1307tune.vars.txn-max-size <size>
1308 These four tunes helps to manage the allowed amount of memory used by the
1309 variables system. "global" limits the memory for all the systems. "sess" limit
1310 the memory by session, "txn" limits the memory by transaction and "reqres"
1311 limits the memory for each request or response processing. during the
1312 accounting, "sess" embbed "txn" and "txn" embed "reqres".
1313
1314 By example, we considers that "tune.vars.sess-max-size" is fixed to 100,
1315 "tune.vars.txn-max-size" is fixed to 100, "tune.vars.reqres-max-size" is
1316 also fixed to 100. If we create a variable "txn.var" that contains 100 bytes,
1317 we cannot create any more variable in the other contexts.
1318
William Lallemanda509e4c2012-11-07 16:54:34 +01001319tune.zlib.memlevel <number>
1320 Sets the memLevel parameter in zlib initialization for each session. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001321 defines how much memory should be allocated for the internal compression
William Lallemanda509e4c2012-11-07 16:54:34 +01001322 state. A value of 1 uses minimum memory but is slow and reduces compression
1323 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
1324 between 1 and 9. The default value is 8.
1325
1326tune.zlib.windowsize <number>
1327 Sets the window size (the size of the history buffer) as a parameter of the
1328 zlib initialization for each session. Larger values of this parameter result
1329 in better compression at the expense of memory usage. Can be a value between
1330 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001331
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013323.3. Debugging
1333--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02001334
1335debug
1336 Enables debug mode which dumps to stdout all exchanges, and disables forking
1337 into background. It is the equivalent of the command-line argument "-d". It
1338 should never be used in a production configuration since it may prevent full
1339 system startup.
1340
1341quiet
1342 Do not display any message during startup. It is equivalent to the command-
1343 line argument "-q".
1344
Emeric Brunf099e792010-09-27 12:05:28 +02001345
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010013463.4. Userlists
1347--------------
1348It is possible to control access to frontend/backend/listen sections or to
1349http stats by allowing only authenticated and authorized users. To do this,
1350it is required to create at least one userlist and to define users.
1351
1352userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +01001353 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001354 used to store authentication & authorization data for independent customers.
1355
1356group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +01001357 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001358 attach users to this group by using a comma separated list of names
1359 proceeded by "users" keyword.
1360
Cyril Bontéf0c60612010-02-06 14:44:47 +01001361user <username> [password|insecure-password <password>]
1362 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001363 Adds user <username> to the current userlist. Both secure (encrypted) and
1364 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +01001365 evaluated using the crypt(3) function so depending of the system's
1366 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001367 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001368 DES-based method of encrypting passwords.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001369
1370
1371 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +01001372 userlist L1
1373 group G1 users tiger,scott
1374 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001375
Cyril Bontéf0c60612010-02-06 14:44:47 +01001376 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
1377 user scott insecure-password elgato
1378 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001379
Cyril Bontéf0c60612010-02-06 14:44:47 +01001380 userlist L2
1381 group G1
1382 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001383
Cyril Bontéf0c60612010-02-06 14:44:47 +01001384 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
1385 user scott insecure-password elgato groups G1,G2
1386 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001387
1388 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001389
Emeric Brunf099e792010-09-27 12:05:28 +02001390
13913.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +02001392----------
Emeric Brun94900952015-06-11 18:25:54 +02001393It is possible to propagate entries of any data-types in stick-tables between
1394several haproxy instances over TCP connections in a multi-master fashion. Each
1395instance pushes its local updates and insertions to remote peers. The pushed
1396values overwrite remote ones without aggregation. Interrupted exchanges are
1397automatically detected and recovered from the last known point.
1398In addition, during a soft restart, the old process connects to the new one
1399using such a TCP connection to push all its entries before the new process
1400tries to connect to other peers. That ensures very fast replication during a
1401reload, it typically takes a fraction of a second even for large tables.
1402Note that Server IDs are used to identify servers remotely, so it is important
1403that configurations look similar or at least that the same IDs are forced on
1404each server on all participants.
Emeric Brunf099e792010-09-27 12:05:28 +02001405
1406peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001407 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +02001408 which is referenced by one or more stick-tables.
1409
Willy Tarreau77e4bd12015-05-01 20:02:17 +02001410disabled
1411 Disables a peers section. It disables both listening and any synchronization
1412 related to this section. This is provided to disable synchronization of stick
1413 tables without having to comment out all "peers" references.
1414
1415enable
1416 This re-enables a disabled peers section which was previously disabled.
1417
Emeric Brunf099e792010-09-27 12:05:28 +02001418peer <peername> <ip>:<port>
1419 Defines a peer inside a peers section.
1420 If <peername> is set to the local peer name (by default hostname, or forced
1421 using "-L" command line option), haproxy will listen for incoming remote peer
1422 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
1423 to join the remote peer, and <peername> is used at the protocol level to
1424 identify and validate the remote peer on the server side.
1425
1426 During a soft restart, local peer <ip>:<port> is used by the old instance to
1427 connect the new one and initiate a complete replication (teaching process).
1428
1429 It is strongly recommended to have the exact same peers declaration on all
1430 peers and to only rely on the "-L" command line argument to change the local
1431 peer name. This makes it easier to maintain coherent configuration files
1432 across all peers.
1433
William Lallemandb2f07452015-05-12 14:27:13 +02001434 You may want to reference some environment variables in the address
1435 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01001436
Cyril Bontédc4d9032012-04-08 21:57:39 +02001437 Example:
Emeric Brunf099e792010-09-27 12:05:28 +02001438 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001439 peer haproxy1 192.168.0.1:1024
1440 peer haproxy2 192.168.0.2:1024
1441 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02001442
1443 backend mybackend
1444 mode tcp
1445 balance roundrobin
1446 stick-table type ip size 20k peers mypeers
1447 stick on src
1448
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001449 server srv1 192.168.0.30:80
1450 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02001451
1452
Simon Horman51a1cf62015-02-03 13:00:44 +090014533.6. Mailers
1454------------
1455It is possible to send email alerts when the state of servers changes.
1456If configured email alerts are sent to each mailer that is configured
1457in a mailers section. Email is sent to mailers using SMTP.
1458
Pieter Baauw386a1272015-08-16 15:26:24 +02001459mailers <mailersect>
Simon Horman51a1cf62015-02-03 13:00:44 +09001460 Creates a new mailer list with the name <mailersect>. It is an
1461 independent section which is referenced by one or more proxies.
1462
1463mailer <mailername> <ip>:<port>
1464 Defines a mailer inside a mailers section.
1465
1466 Example:
1467 mailers mymailers
1468 mailer smtp1 192.168.0.1:587
1469 mailer smtp2 192.168.0.2:587
1470
1471 backend mybackend
1472 mode tcp
1473 balance roundrobin
1474
1475 email-alert mailers mymailers
1476 email-alert from test1@horms.org
1477 email-alert to test2@horms.org
1478
1479 server srv1 192.168.0.30:80
1480 server srv2 192.168.0.31:80
1481
1482
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014834. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02001484----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001485
Willy Tarreau6a06a402007-07-15 20:15:28 +02001486Proxy configuration can be located in a set of sections :
William Lallemand6e62fb62015-04-28 16:55:23 +02001487 - defaults [<name>]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001488 - frontend <name>
1489 - backend <name>
1490 - listen <name>
1491
1492A "defaults" section sets default parameters for all other sections following
1493its declaration. Those default parameters are reset by the next "defaults"
1494section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001495section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001496
1497A "frontend" section describes a set of listening sockets accepting client
1498connections.
1499
1500A "backend" section describes a set of servers to which the proxy will connect
1501to forward incoming connections.
1502
1503A "listen" section defines a complete proxy with its frontend and backend
1504parts combined in one section. It is generally useful for TCP-only traffic.
1505
Willy Tarreau0ba27502007-12-24 16:55:16 +01001506All proxy names must be formed from upper and lower case letters, digits,
1507'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
1508case-sensitive, which means that "www" and "WWW" are two different proxies.
1509
1510Historically, all proxy names could overlap, it just caused troubles in the
1511logs. Since the introduction of content switching, it is mandatory that two
1512proxies with overlapping capabilities (frontend/backend) have different names.
1513However, it is still permitted that a frontend and a backend share the same
1514name, as this configuration seems to be commonly encountered.
1515
1516Right now, two major proxy modes are supported : "tcp", also known as layer 4,
1517and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001518bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001519protocol, and can interact with it by allowing, blocking, switching, adding,
1520modifying, or removing arbitrary contents in requests or responses, based on
1521arbitrary criteria.
1522
Willy Tarreau70dffda2014-01-30 03:07:23 +01001523In HTTP mode, the processing applied to requests and responses flowing over
1524a connection depends in the combination of the frontend's HTTP options and
1525the backend's. HAProxy supports 5 connection modes :
1526
1527 - KAL : keep alive ("option http-keep-alive") which is the default mode : all
1528 requests and responses are processed, and connections remain open but idle
1529 between responses and new requests.
1530
1531 - TUN: tunnel ("option http-tunnel") : this was the default mode for versions
1532 1.0 to 1.5-dev21 : only the first request and response are processed, and
1533 everything else is forwarded with no analysis at all. This mode should not
1534 be used as it creates lots of trouble with logging and HTTP processing.
1535
1536 - PCL: passive close ("option httpclose") : exactly the same as tunnel mode,
1537 but with "Connection: close" appended in both directions to try to make
1538 both ends close after the first request/response exchange.
1539
1540 - SCL: server close ("option http-server-close") : the server-facing
1541 connection is closed after the end of the response is received, but the
1542 client-facing connection remains open.
1543
1544 - FCL: forced close ("option forceclose") : the connection is actively closed
1545 after the end of the response.
1546
1547The effective mode that will be applied to a connection passing through a
1548frontend and a backend can be determined by both proxy modes according to the
1549following matrix, but in short, the modes are symmetric, keep-alive is the
1550weakest option and force close is the strongest.
1551
1552 Backend mode
1553
1554 | KAL | TUN | PCL | SCL | FCL
1555 ----+-----+-----+-----+-----+----
1556 KAL | KAL | TUN | PCL | SCL | FCL
1557 ----+-----+-----+-----+-----+----
1558 TUN | TUN | TUN | PCL | SCL | FCL
1559 Frontend ----+-----+-----+-----+-----+----
1560 mode PCL | PCL | PCL | PCL | FCL | FCL
1561 ----+-----+-----+-----+-----+----
1562 SCL | SCL | SCL | FCL | SCL | FCL
1563 ----+-----+-----+-----+-----+----
1564 FCL | FCL | FCL | FCL | FCL | FCL
1565
Willy Tarreau0ba27502007-12-24 16:55:16 +01001566
Willy Tarreau70dffda2014-01-30 03:07:23 +01001567
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015684.1. Proxy keywords matrix
1569--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001570
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001571The following list of keywords is supported. Most of them may only be used in a
1572limited set of section types. Some of them are marked as "deprecated" because
1573they are inherited from an old syntax which may be confusing or functionally
1574limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001575marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001576option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02001577and must be disabled for a specific instance. Such options may also be prefixed
1578with "default" in order to restore default settings regardless of what has been
1579specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001580
Willy Tarreau6a06a402007-07-15 20:15:28 +02001581
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001582 keyword defaults frontend listen backend
1583------------------------------------+----------+----------+---------+---------
1584acl - X X X
Willy Tarreau294d0f02015-08-10 19:40:12 +02001585appsession - - - -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001586backlog X X X -
1587balance X - X X
1588bind - X X -
1589bind-process X X X X
1590block - X X X
1591capture cookie - X X -
1592capture request header - X X -
1593capture response header - X X -
1594clitimeout (deprecated) X X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02001595compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001596contimeout (deprecated) X - X X
1597cookie X - X X
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02001598declare capture - X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001599default-server X - X X
1600default_backend X X X -
1601description - X X X
1602disabled X X X X
1603dispatch - - X X
Simon Horman51a1cf62015-02-03 13:00:44 +09001604email-alert from X X X X
Simon Horman64e34162015-02-06 11:11:57 +09001605email-alert level X X X X
Simon Horman51a1cf62015-02-03 13:00:44 +09001606email-alert mailers X X X X
1607email-alert myhostname X X X X
1608email-alert to X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001609enabled X X X X
1610errorfile X X X X
1611errorloc X X X X
1612errorloc302 X X X X
1613-- keyword -------------------------- defaults - frontend - listen -- backend -
1614errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001615force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001616fullconn X - X X
1617grace X X X X
1618hash-type X - X X
1619http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +01001620http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02001621http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001622http-request - X X X
Willy Tarreaue365c0b2013-06-11 16:06:12 +02001623http-response - X X X
Willy Tarreau30631952015-08-06 15:05:24 +02001624http-reuse X - X X
Baptiste Assmann2c42ef52013-10-09 21:57:02 +02001625http-send-name-header - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001626id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001627ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001628log (*) X X X X
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01001629log-format X X X -
Willy Tarreau094af4e2015-01-07 15:03:42 +01001630log-tag X X X X
Willy Tarreauc35362a2014-04-25 13:58:37 +02001631max-keep-alive-queue X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001632maxconn X X X -
1633mode X X X X
1634monitor fail - X X -
1635monitor-net X X X -
1636monitor-uri X X X -
1637option abortonclose (*) X - X X
1638option accept-invalid-http-request (*) X X X -
1639option accept-invalid-http-response (*) X - X X
1640option allbackups (*) X - X X
1641option checkcache (*) X - X X
1642option clitcpka (*) X X X -
1643option contstats (*) X X X -
1644option dontlog-normal (*) X X X -
1645option dontlognull (*) X X X -
1646option forceclose (*) X X X X
1647-- keyword -------------------------- defaults - frontend - listen -- backend -
1648option forwardfor X X X X
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02001649option http-buffer-request (*) X X X X
Willy Tarreau82649f92015-05-01 22:40:51 +02001650option http-ignore-probes (*) X X X -
Willy Tarreau16bfb022010-01-16 19:48:41 +01001651option http-keep-alive (*) X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001652option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001653option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001654option http-server-close (*) X X X X
Willy Tarreau02bce8b2014-01-30 00:15:28 +01001655option http-tunnel (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001656option http-use-proxy-header (*) X X X -
1657option httpchk X - X X
1658option httpclose (*) X X X X
1659option httplog X X X X
1660option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001661option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001662option ldap-check X - X X
Simon Horman98637e52014-06-20 12:30:16 +09001663option external-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001664option log-health-checks (*) X - X X
1665option log-separate-errors (*) X X X -
1666option logasap (*) X X X -
1667option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001668option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001669option nolinger (*) X X X X
1670option originalto X X X X
1671option persist (*) X - X X
1672option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001673option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001674option smtpchk X - X X
1675option socket-stats (*) X X X -
1676option splice-auto (*) X X X X
1677option splice-request (*) X X X X
1678option splice-response (*) X X X X
1679option srvtcpka (*) X - X X
1680option ssl-hello-chk X - X X
1681-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreaued179852013-12-16 01:07:00 +01001682option tcp-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001683option tcp-smart-accept (*) X X X -
1684option tcp-smart-connect (*) X - X X
1685option tcpka X X X X
1686option tcplog X X X X
1687option transparent (*) X - X X
Simon Horman98637e52014-06-20 12:30:16 +09001688external-check command X - X X
1689external-check path X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001690persist rdp-cookie X - X X
1691rate-limit sessions X X X -
1692redirect - X X X
1693redisp (deprecated) X - X X
1694redispatch (deprecated) X - X X
1695reqadd - X X X
1696reqallow - X X X
1697reqdel - X X X
1698reqdeny - X X X
1699reqiallow - X X X
1700reqidel - X X X
1701reqideny - X X X
1702reqipass - X X X
1703reqirep - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001704reqitarpit - X X X
1705reqpass - X X X
1706reqrep - X X X
1707-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001708reqtarpit - X X X
1709retries X - X X
1710rspadd - X X X
1711rspdel - X X X
1712rspdeny - X X X
1713rspidel - X X X
1714rspideny - X X X
1715rspirep - X X X
1716rsprep - X X X
1717server - - X X
1718source X - X X
1719srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001720stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001721stats auth X - X X
1722stats enable X - X X
1723stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001724stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001725stats realm X - X X
1726stats refresh X - X X
1727stats scope X - X X
1728stats show-desc X - X X
1729stats show-legends X - X X
1730stats show-node X - X X
1731stats uri X - X X
1732-- keyword -------------------------- defaults - frontend - listen -- backend -
1733stick match - - X X
1734stick on - - X X
1735stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001736stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001737stick-table - - X X
Willy Tarreau938c7fe2014-04-25 14:21:39 +02001738tcp-check connect - - X X
1739tcp-check expect - - X X
1740tcp-check send - - X X
1741tcp-check send-binary - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001742tcp-request connection - X X -
1743tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001744tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001745tcp-response content - - X X
1746tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001747timeout check X - X X
1748timeout client X X X -
Willy Tarreau05cdd962014-05-10 14:30:07 +02001749timeout client-fin X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001750timeout clitimeout (deprecated) X X X -
1751timeout connect X - X X
1752timeout contimeout (deprecated) X - X X
1753timeout http-keep-alive X X X X
1754timeout http-request X X X X
1755timeout queue X - X X
1756timeout server X - X X
Willy Tarreau05cdd962014-05-10 14:30:07 +02001757timeout server-fin X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001758timeout srvtimeout (deprecated) X - X X
1759timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001760timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001761transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001762unique-id-format X X X -
1763unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001764use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001765use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001766------------------------------------+----------+----------+---------+---------
1767 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001768
Willy Tarreau0ba27502007-12-24 16:55:16 +01001769
Willy Tarreauc57f0e22009-05-10 13:12:33 +020017704.2. Alphabetically sorted keywords reference
1771---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001772
1773This section provides a description of each keyword and its usage.
1774
1775
1776acl <aclname> <criterion> [flags] [operator] <value> ...
1777 Declare or complete an access list.
1778 May be used in sections : defaults | frontend | listen | backend
1779 no | yes | yes | yes
1780 Example:
1781 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1782 acl invalid_src src_port 0:1023
1783 acl local_dst hdr(host) -i localhost
1784
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001785 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001786
1787
Cyril Bontéb21570a2009-11-29 20:04:48 +01001788appsession <cookie> len <length> timeout <holdtime>
1789 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001790 Define session stickiness on an existing application cookie.
1791 May be used in sections : defaults | frontend | listen | backend
1792 no | no | yes | yes
1793 Arguments :
1794 <cookie> this is the name of the cookie used by the application and which
1795 HAProxy will have to learn for each new session.
1796
Cyril Bontéb21570a2009-11-29 20:04:48 +01001797 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001798 checked in each cookie value.
1799
1800 <holdtime> this is the time after which the cookie will be removed from
1801 memory if unused. If no unit is specified, this time is in
1802 milliseconds.
1803
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001804 request-learn
1805 If this option is specified, then haproxy will be able to learn
1806 the cookie found in the request in case the server does not
1807 specify any in response. This is typically what happens with
1808 PHPSESSID cookies, or when haproxy's session expires before
1809 the application's session and the correct server is selected.
1810 It is recommended to specify this option to improve reliability.
1811
Cyril Bontéb21570a2009-11-29 20:04:48 +01001812 prefix When this option is specified, haproxy will match on the cookie
1813 prefix (or URL parameter prefix). The appsession value is the
1814 data following this prefix.
1815
1816 Example :
1817 appsession ASPSESSIONID len 64 timeout 3h prefix
1818
1819 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1820 the appsession value will be XXXX=XXXXX.
1821
1822 mode This option allows to change the URL parser mode.
1823 2 modes are currently supported :
1824 - path-parameters :
1825 The parser looks for the appsession in the path parameters
1826 part (each parameter is separated by a semi-colon), which is
1827 convenient for JSESSIONID for example.
1828 This is the default mode if the option is not set.
1829 - query-string :
1830 In this mode, the parser will look for the appsession in the
1831 query string.
1832
Willy Tarreau294d0f02015-08-10 19:40:12 +02001833 As of version 1.6, appsessions was removed. It is more flexible and more
1834 convenient to use stick-tables instead, and stick-tables support multi-master
1835 replication and data conservation across reloads, which appsessions did not.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001836
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001837 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1838 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001839
1840
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001841backlog <conns>
1842 Give hints to the system about the approximate listen backlog desired size
1843 May be used in sections : defaults | frontend | listen | backend
1844 yes | yes | yes | no
1845 Arguments :
1846 <conns> is the number of pending connections. Depending on the operating
1847 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001848 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001849
1850 In order to protect against SYN flood attacks, one solution is to increase
1851 the system's SYN backlog size. Depending on the system, sometimes it is just
1852 tunable via a system parameter, sometimes it is not adjustable at all, and
1853 sometimes the system relies on hints given by the application at the time of
1854 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1855 to the listen() syscall. On systems which can make use of this value, it can
1856 sometimes be useful to be able to specify a different value, hence this
1857 backlog parameter.
1858
1859 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1860 used as a hint and the system accepts up to the smallest greater power of
1861 two, and never more than some limits (usually 32768).
1862
1863 See also : "maxconn" and the target operating system's tuning guide.
1864
1865
Willy Tarreau0ba27502007-12-24 16:55:16 +01001866balance <algorithm> [ <arguments> ]
Willy Tarreau226071e2014-04-10 11:55:45 +02001867balance url_param <param> [check_post]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001868 Define the load balancing algorithm to be used in a backend.
1869 May be used in sections : defaults | frontend | listen | backend
1870 yes | no | yes | yes
1871 Arguments :
1872 <algorithm> is the algorithm used to select a server when doing load
1873 balancing. This only applies when no persistence information
1874 is available, or when a connection is redispatched to another
1875 server. <algorithm> may be one of the following :
1876
1877 roundrobin Each server is used in turns, according to their weights.
1878 This is the smoothest and fairest algorithm when the server's
1879 processing time remains equally distributed. This algorithm
1880 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001881 on the fly for slow starts for instance. It is limited by
Godbacha34bdc02013-07-22 07:44:53 +08001882 design to 4095 active servers per backend. Note that in some
Willy Tarreau9757a382009-10-03 12:56:50 +02001883 large farms, when a server becomes up after having been down
1884 for a very short time, it may sometimes take a few hundreds
1885 requests for it to be re-integrated into the farm and start
1886 receiving traffic. This is normal, though very rare. It is
1887 indicated here in case you would have the chance to observe
1888 it, so that you don't worry.
1889
1890 static-rr Each server is used in turns, according to their weights.
1891 This algorithm is as similar to roundrobin except that it is
1892 static, which means that changing a server's weight on the
1893 fly will have no effect. On the other hand, it has no design
1894 limitation on the number of servers, and when a server goes
1895 up, it is always immediately reintroduced into the farm, once
1896 the full map is recomputed. It also uses slightly less CPU to
1897 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001898
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001899 leastconn The server with the lowest number of connections receives the
1900 connection. Round-robin is performed within groups of servers
1901 of the same load to ensure that all servers will be used. Use
1902 of this algorithm is recommended where very long sessions are
1903 expected, such as LDAP, SQL, TSE, etc... but is not very well
1904 suited for protocols using short sessions such as HTTP. This
1905 algorithm is dynamic, which means that server weights may be
1906 adjusted on the fly for slow starts for instance.
1907
Willy Tarreauf09c6602012-02-13 17:12:08 +01001908 first The first server with available connection slots receives the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001909 connection. The servers are chosen from the lowest numeric
Willy Tarreauf09c6602012-02-13 17:12:08 +01001910 identifier to the highest (see server parameter "id"), which
1911 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001912 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001913 not make sense to use this algorithm without setting maxconn.
1914 The purpose of this algorithm is to always use the smallest
1915 number of servers so that extra servers can be powered off
1916 during non-intensive hours. This algorithm ignores the server
1917 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001918 or IMAP than HTTP, though it can be useful there too. In
1919 order to use this algorithm efficiently, it is recommended
1920 that a cloud controller regularly checks server usage to turn
1921 them off when unused, and regularly checks backend queue to
1922 turn new servers on when the queue inflates. Alternatively,
1923 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001924
Willy Tarreau0ba27502007-12-24 16:55:16 +01001925 source The source IP address is hashed and divided by the total
1926 weight of the running servers to designate which server will
1927 receive the request. This ensures that the same client IP
1928 address will always reach the same server as long as no
1929 server goes down or up. If the hash result changes due to the
1930 number of running servers changing, many clients will be
1931 directed to a different server. This algorithm is generally
1932 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001933 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001934 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001935 static by default, which means that changing a server's
1936 weight on the fly will have no effect, but this can be
1937 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001938
Oskar Stolc8dc41842012-05-19 10:19:54 +01001939 uri This algorithm hashes either the left part of the URI (before
1940 the question mark) or the whole URI (if the "whole" parameter
1941 is present) and divides the hash value by the total weight of
1942 the running servers. The result designates which server will
1943 receive the request. This ensures that the same URI will
1944 always be directed to the same server as long as no server
1945 goes up or down. This is used with proxy caches and
1946 anti-virus proxies in order to maximize the cache hit rate.
1947 Note that this algorithm may only be used in an HTTP backend.
1948 This algorithm is static by default, which means that
1949 changing a server's weight on the fly will have no effect,
1950 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001951
Oskar Stolc8dc41842012-05-19 10:19:54 +01001952 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001953 "depth", both followed by a positive integer number. These
1954 options may be helpful when it is needed to balance servers
1955 based on the beginning of the URI only. The "len" parameter
1956 indicates that the algorithm should only consider that many
1957 characters at the beginning of the URI to compute the hash.
1958 Note that having "len" set to 1 rarely makes sense since most
1959 URIs start with a leading "/".
1960
1961 The "depth" parameter indicates the maximum directory depth
1962 to be used to compute the hash. One level is counted for each
1963 slash in the request. If both parameters are specified, the
1964 evaluation stops when either is reached.
1965
Willy Tarreau0ba27502007-12-24 16:55:16 +01001966 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001967 the query string of each HTTP GET request.
1968
1969 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001970 request entity will be searched for the parameter argument,
1971 when it is not found in a query string after a question mark
Willy Tarreau226071e2014-04-10 11:55:45 +02001972 ('?') in the URL. The message body will only start to be
1973 analyzed once either the advertised amount of data has been
1974 received or the request buffer is full. In the unlikely event
1975 that chunked encoding is used, only the first chunk is
Cyril Bontédc4d9032012-04-08 21:57:39 +02001976 scanned. Parameter values separated by a chunk boundary, may
Willy Tarreau226071e2014-04-10 11:55:45 +02001977 be randomly balanced if at all. This keyword used to support
1978 an optional <max_wait> parameter which is now ignored.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001979
1980 If the parameter is found followed by an equal sign ('=') and
1981 a value, then the value is hashed and divided by the total
1982 weight of the running servers. The result designates which
1983 server will receive the request.
1984
1985 This is used to track user identifiers in requests and ensure
1986 that a same user ID will always be sent to the same server as
1987 long as no server goes up or down. If no value is found or if
1988 the parameter is not found, then a round robin algorithm is
1989 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001990 backend. This algorithm is static by default, which means
1991 that changing a server's weight on the fly will have no
1992 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001993
Cyril Bontédc4d9032012-04-08 21:57:39 +02001994 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1995 request. Just as with the equivalent ACL 'hdr()' function,
1996 the header name in parenthesis is not case sensitive. If the
1997 header is absent or if it does not contain any value, the
1998 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001999
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002000 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01002001 reducing the hash algorithm to the main domain part with some
2002 specific headers such as 'Host'. For instance, in the Host
2003 value "haproxy.1wt.eu", only "1wt" will be considered.
2004
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002005 This algorithm is static by default, which means that
2006 changing a server's weight on the fly will have no effect,
2007 but this can be changed using "hash-type".
2008
Emeric Brun736aa232009-06-30 17:56:00 +02002009 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02002010 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02002011 The RDP cookie <name> (or "mstshash" if omitted) will be
2012 looked up and hashed for each incoming TCP request. Just as
2013 with the equivalent ACL 'req_rdp_cookie()' function, the name
2014 is not case-sensitive. This mechanism is useful as a degraded
2015 persistence mode, as it makes it possible to always send the
2016 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002017 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02002018 used instead.
2019
2020 Note that for this to work, the frontend must ensure that an
2021 RDP cookie is already present in the request buffer. For this
2022 you must use 'tcp-request content accept' rule combined with
2023 a 'req_rdp_cookie_cnt' ACL.
2024
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002025 This algorithm is static by default, which means that
2026 changing a server's weight on the fly will have no effect,
2027 but this can be changed using "hash-type".
2028
Cyril Bontédc4d9032012-04-08 21:57:39 +02002029 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09002030
Willy Tarreau0ba27502007-12-24 16:55:16 +01002031 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02002032 algorithms. Right now, only "url_param" and "uri" support an
2033 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02002034
Willy Tarreau3cd9af22009-03-15 14:06:41 +01002035 The load balancing algorithm of a backend is set to roundrobin when no other
2036 algorithm, mode nor option have been set. The algorithm may only be set once
2037 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002038
2039 Examples :
2040 balance roundrobin
2041 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02002042 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01002043 balance hdr(User-Agent)
2044 balance hdr(host)
2045 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02002046
2047 Note: the following caveats and limitations on using the "check_post"
2048 extension with "url_param" must be considered :
2049
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002050 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02002051 to determine if the parameters will be found in the body or entity which
2052 may contain binary data. Therefore another method may be required to
2053 restrict consideration of POST requests that have no URL parameters in
2054 the body. (see acl reqideny http_end)
2055
2056 - using a <max_wait> value larger than the request buffer size does not
2057 make sense and is useless. The buffer size is set at build time, and
2058 defaults to 16 kB.
2059
2060 - Content-Encoding is not supported, the parameter search will probably
2061 fail; and load balancing will fall back to Round Robin.
2062
2063 - Expect: 100-continue is not supported, load balancing will fall back to
2064 Round Robin.
2065
2066 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
2067 If the entire parameter value is not present in the first chunk, the
2068 selection of server is undefined (actually, defined by how little
2069 actually appeared in the first chunk).
2070
2071 - This feature does not support generation of a 100, 411 or 501 response.
2072
2073 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002074 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02002075 white space or control characters are found, indicating the end of what
2076 might be a URL parameter list. This is probably not a concern with SGML
2077 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002078
Willy Tarreau294d0f02015-08-10 19:40:12 +02002079 See also : "dispatch", "cookie", "transparent", "hash-type" and "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002080
2081
Willy Tarreaub6205fd2012-09-24 12:27:33 +02002082bind [<address>]:<port_range> [, ...] [param*]
2083bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01002084 Define one or several listening addresses and/or ports in a frontend.
2085 May be used in sections : defaults | frontend | listen | backend
2086 no | yes | yes | no
2087 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01002088 <address> is optional and can be a host name, an IPv4 address, an IPv6
2089 address, or '*'. It designates the address the frontend will
2090 listen on. If unset, all IPv4 addresses of the system will be
2091 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01002092 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreau24709282013-03-10 21:32:12 +01002093 Optionally, an address family prefix may be used before the
2094 address to force the family regardless of the address format,
2095 which can be useful to specify a path to a unix socket with
2096 no slash ('/'). Currently supported prefixes are :
2097 - 'ipv4@' -> address is always IPv4
2098 - 'ipv6@' -> address is always IPv6
2099 - 'unix@' -> address is a path to a local unix socket
Willy Tarreau70f72e02014-07-08 00:37:50 +02002100 - 'abns@' -> address is in abstract namespace (Linux only).
2101 Note: since abstract sockets are not "rebindable", they
2102 do not cope well with multi-process mode during
2103 soft-restart, so it is better to avoid them if
2104 nbproc is greater than 1. The effect is that if the
2105 new process fails to start, only one of the old ones
2106 will be able to rebind to the socket.
Willy Tarreau40aa0702013-03-10 23:51:38 +01002107 - 'fd@<n>' -> use file descriptor <n> inherited from the
2108 parent. The fd must be bound and may or may not already
2109 be listening.
William Lallemandb2f07452015-05-12 14:27:13 +02002110 You may want to reference some environment variables in the
2111 address parameter, see section 2.3 about environment
2112 variables.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01002113
Willy Tarreauc5011ca2010-03-22 11:53:56 +01002114 <port_range> is either a unique TCP port, or a port range for which the
2115 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01002116 above. The port is mandatory for TCP listeners. Note that in
2117 the case of an IPv6 address, the port is always the number
2118 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01002119 - a numerical port (ex: '80')
2120 - a dash-delimited ports range explicitly stating the lower
2121 and upper bounds (ex: '2000-2100') which are included in
2122 the range.
2123
2124 Particular care must be taken against port ranges, because
2125 every <address:port> couple consumes one socket (= a file
2126 descriptor), so it's easy to consume lots of descriptors
2127 with a simple range, and to run out of sockets. Also, each
2128 <address:port> couple must be used only once among all
2129 instances running on a same system. Please note that binding
2130 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04002131 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01002132 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002133
Willy Tarreauceb24bc2010-11-09 12:46:41 +01002134 <path> is a UNIX socket path beginning with a slash ('/'). This is
2135 alternative to the TCP listening port. Haproxy will then
2136 receive UNIX connections on the socket located at this place.
2137 The path must begin with a slash and by default is absolute.
2138 It can be relative to the prefix defined by "unix-bind" in
2139 the global section. Note that the total length of the prefix
2140 followed by the socket path cannot exceed some system limits
2141 for UNIX sockets, which commonly are set to 107 characters.
2142
Willy Tarreaub6205fd2012-09-24 12:27:33 +02002143 <param*> is a list of parameters common to all sockets declared on the
2144 same line. These numerous parameters depend on OS and build
2145 options and have a complete section dedicated to them. Please
2146 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02002147
Willy Tarreau0ba27502007-12-24 16:55:16 +01002148 It is possible to specify a list of address:port combinations delimited by
2149 commas. The frontend will then listen on all of these addresses. There is no
2150 fixed limit to the number of addresses and ports which can be listened on in
2151 a frontend, as well as there is no limit to the number of "bind" statements
2152 in a frontend.
2153
2154 Example :
2155 listen http_proxy
2156 bind :80,:443
2157 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01002158 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01002159
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02002160 listen http_https_proxy
2161 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02002162 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02002163
Willy Tarreau24709282013-03-10 21:32:12 +01002164 listen http_https_proxy_explicit
2165 bind ipv6@:80
2166 bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
2167 bind unix@ssl-frontend.sock user root mode 600 accept-proxy
2168
Willy Tarreaudad36a32013-03-11 01:20:04 +01002169 listen external_bind_app1
William Lallemandb2f07452015-05-12 14:27:13 +02002170 bind "fd@${FD_APP1}"
Willy Tarreaudad36a32013-03-11 01:20:04 +01002171
Willy Tarreauceb24bc2010-11-09 12:46:41 +01002172 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02002173 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002174
2175
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002176bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002177 Limit visibility of an instance to a certain set of processes numbers.
2178 May be used in sections : defaults | frontend | listen | backend
2179 yes | yes | yes | yes
2180 Arguments :
2181 all All process will see this instance. This is the default. It
2182 may be used to override a default value.
2183
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002184 odd This instance will be enabled on processes 1,3,5,...63. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002185 option may be combined with other numbers.
2186
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002187 even This instance will be enabled on processes 2,4,6,...64. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002188 option may be combined with other numbers. Do not use it
2189 with less than 2 processes otherwise some instances might be
2190 missing from all processes.
2191
Willy Tarreau110ecc12012-11-15 17:50:01 +01002192 number The instance will be enabled on this process number or range,
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002193 whose values must all be between 1 and 32 or 64 depending on
Willy Tarreau102df612014-05-07 23:56:38 +02002194 the machine's word size. If a proxy is bound to process
2195 numbers greater than the configured global.nbproc, it will
2196 either be forced to process #1 if a single process was
2197 specified, or to all processes otherwise.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002198
2199 This keyword limits binding of certain instances to certain processes. This
2200 is useful in order not to have too many processes listening to the same
2201 ports. For instance, on a dual-core machine, it might make sense to set
2202 'nbproc 2' in the global section, then distributes the listeners among 'odd'
2203 and 'even' instances.
2204
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002205 At the moment, it is not possible to reference more than 32 or 64 processes
2206 using this keyword, but this should be more than enough for most setups.
2207 Please note that 'all' really means all processes regardless of the machine's
2208 word size, and is not limited to the first 32 or 64.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002209
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02002210 Each "bind" line may further be limited to a subset of the proxy's processes,
2211 please consult the "process" bind keyword in section 5.1.
2212
Willy Tarreaub369a042014-09-16 13:21:03 +02002213 When a frontend has no explicit "bind-process" line, it tries to bind to all
2214 the processes referenced by its "bind" lines. That means that frontends can
2215 easily adapt to their listeners' processes.
2216
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002217 If some backends are referenced by frontends bound to other processes, the
2218 backend automatically inherits the frontend's processes.
2219
2220 Example :
2221 listen app_ip1
2222 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02002223 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002224
2225 listen app_ip2
2226 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02002227 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002228
2229 listen management
2230 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02002231 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002232
Willy Tarreau110ecc12012-11-15 17:50:01 +01002233 listen management
2234 bind 10.0.0.4:80
2235 bind-process 1-4
2236
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02002237 See also : "nbproc" in global section, and "process" in section 5.1.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002238
2239
Willy Tarreau0ba27502007-12-24 16:55:16 +01002240block { if | unless } <condition>
2241 Block a layer 7 request if/unless a condition is matched
2242 May be used in sections : defaults | frontend | listen | backend
2243 no | yes | yes | yes
2244
2245 The HTTP request will be blocked very early in the layer 7 processing
2246 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002247 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02002248 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01002249 conditions are met or not met. There is no fixed limit to the number of
2250 "block" statements per instance.
2251
2252 Example:
2253 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
2254 acl invalid_src src_port 0:1023
2255 acl local_dst hdr(host) -i localhost
2256 block if invalid_src || local_dst
2257
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002258 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002259
2260
2261capture cookie <name> len <length>
2262 Capture and log a cookie in the request and in the response.
2263 May be used in sections : defaults | frontend | listen | backend
2264 no | yes | yes | no
2265 Arguments :
2266 <name> is the beginning of the name of the cookie to capture. In order
2267 to match the exact name, simply suffix the name with an equal
2268 sign ('='). The full name will appear in the logs, which is
2269 useful with application servers which adjust both the cookie name
2270 and value (eg: ASPSESSIONXXXXX).
2271
2272 <length> is the maximum number of characters to report in the logs, which
2273 include the cookie name, the equal sign and the value, all in the
2274 standard "name=value" form. The string will be truncated on the
2275 right if it exceeds <length>.
2276
2277 Only the first cookie is captured. Both the "cookie" request headers and the
2278 "set-cookie" response headers are monitored. This is particularly useful to
2279 check for application bugs causing session crossing or stealing between
2280 users, because generally the user's cookies can only change on a login page.
2281
2282 When the cookie was not presented by the client, the associated log column
2283 will report "-". When a request does not cause a cookie to be assigned by the
2284 server, a "-" is reported in the response column.
2285
2286 The capture is performed in the frontend only because it is necessary that
2287 the log format does not change for a given frontend depending on the
2288 backends. This may change in the future. Note that there can be only one
Willy Tarreau193b8c62012-11-22 00:17:38 +01002289 "capture cookie" statement in a frontend. The maximum capture length is set
2290 by the global "tune.http.cookielen" setting and defaults to 63 characters. It
2291 is not possible to specify a capture in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002292
2293 Example:
2294 capture cookie ASPSESSION len 32
2295
2296 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002297 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002298
2299
2300capture request header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01002301 Capture and log the last occurrence of the specified request header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002302 May be used in sections : defaults | frontend | listen | backend
2303 no | yes | yes | no
2304 Arguments :
2305 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002306 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01002307 appear in the requests, with the first letter of each word in
2308 upper case. The header name will not appear in the logs, only the
2309 value is reported, but the position in the logs is respected.
2310
2311 <length> is the maximum number of characters to extract from the value and
2312 report in the logs. The string will be truncated on the right if
2313 it exceeds <length>.
2314
Willy Tarreau4460d032012-11-21 23:37:37 +01002315 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01002316 value will be added to the logs between braces ('{}'). If multiple headers
2317 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002318 in the same order they were declared in the configuration. Non-existent
2319 headers will be logged just as an empty string. Common uses for request
2320 header captures include the "Host" field in virtual hosting environments, the
2321 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002322 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002323 environments to find where the request came from.
2324
2325 Note that when capturing headers such as "User-agent", some spaces may be
2326 logged, making the log analysis more difficult. Thus be careful about what
2327 you log if you know your log parser is not smart enough to rely on the
2328 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002329
Willy Tarreau0900abb2012-11-22 00:21:46 +01002330 There is no limit to the number of captured request headers nor to their
2331 length, though it is wise to keep them low to limit memory usage per session.
2332 In order to keep log format consistent for a same frontend, header captures
2333 can only be declared in a frontend. It is not possible to specify a capture
2334 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002335
2336 Example:
2337 capture request header Host len 15
2338 capture request header X-Forwarded-For len 15
2339 capture request header Referrer len 15
2340
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002341 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002342 about logging.
2343
2344
2345capture response header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01002346 Capture and log the last occurrence of the specified response header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002347 May be used in sections : defaults | frontend | listen | backend
2348 no | yes | yes | no
2349 Arguments :
2350 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002351 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01002352 appear in the response, with the first letter of each word in
2353 upper case. The header name will not appear in the logs, only the
2354 value is reported, but the position in the logs is respected.
2355
2356 <length> is the maximum number of characters to extract from the value and
2357 report in the logs. The string will be truncated on the right if
2358 it exceeds <length>.
2359
Willy Tarreau4460d032012-11-21 23:37:37 +01002360 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01002361 result will be added to the logs between braces ('{}') after the captured
2362 request headers. If multiple headers are captured, they will be delimited by
2363 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002364 the configuration. Non-existent headers will be logged just as an empty
2365 string. Common uses for response header captures include the "Content-length"
2366 header which indicates how many bytes are expected to be returned, the
2367 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002368
Willy Tarreau0900abb2012-11-22 00:21:46 +01002369 There is no limit to the number of captured response headers nor to their
2370 length, though it is wise to keep them low to limit memory usage per session.
2371 In order to keep log format consistent for a same frontend, header captures
2372 can only be declared in a frontend. It is not possible to specify a capture
2373 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002374
2375 Example:
2376 capture response header Content-length len 9
2377 capture response header Location len 15
2378
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002379 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002380 about logging.
2381
2382
Cyril Bontéf0c60612010-02-06 14:44:47 +01002383clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002384 Set the maximum inactivity time on the client side.
2385 May be used in sections : defaults | frontend | listen | backend
2386 yes | yes | yes | no
2387 Arguments :
2388 <timeout> is the timeout value is specified in milliseconds by default, but
2389 can be in any other unit if the number is suffixed by the unit,
2390 as explained at the top of this document.
2391
2392 The inactivity timeout applies when the client is expected to acknowledge or
2393 send data. In HTTP mode, this timeout is particularly important to consider
2394 during the first phase, when the client sends the request, and during the
2395 response while it is reading data sent by the server. The value is specified
2396 in milliseconds by default, but can be in any other unit if the number is
2397 suffixed by the unit, as specified at the top of this document. In TCP mode
2398 (and to a lesser extent, in HTTP mode), it is highly recommended that the
2399 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002400 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01002401 losses by specifying timeouts that are slightly above multiples of 3 seconds
2402 (eg: 4 or 5 seconds).
2403
2404 This parameter is specific to frontends, but can be specified once for all in
2405 "defaults" sections. This is in fact one of the easiest solutions not to
2406 forget about it. An unspecified timeout results in an infinite timeout, which
2407 is not recommended. Such a usage is accepted and works but reports a warning
2408 during startup because it may results in accumulation of expired sessions in
2409 the system if the system's timeouts are not configured either.
2410
2411 This parameter is provided for compatibility but is currently deprecated.
2412 Please use "timeout client" instead.
2413
Willy Tarreau036fae02008-01-06 13:24:40 +01002414 See also : "timeout client", "timeout http-request", "timeout server", and
2415 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002416
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002417compression algo <algorithm> ...
2418compression type <mime type> ...
Willy Tarreau70737d12012-10-27 00:34:28 +02002419compression offload
William Lallemand82fe75c2012-10-23 10:25:10 +02002420 Enable HTTP compression.
2421 May be used in sections : defaults | frontend | listen | backend
2422 yes | yes | yes | yes
2423 Arguments :
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002424 algo is followed by the list of supported compression algorithms.
2425 type is followed by the list of MIME types that will be compressed.
2426 offload makes haproxy work as a compression offloader only (see notes).
2427
2428 The currently supported algorithms are :
Willy Tarreauc91840a2015-03-28 17:00:39 +01002429 identity this is mostly for debugging, and it was useful for developing
2430 the compression feature. Identity does not apply any change on
2431 data.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002432
Willy Tarreauc91840a2015-03-28 17:00:39 +01002433 gzip applies gzip compression. This setting is only available when
2434 support for zlib was built in.
2435
2436 deflate same as "gzip", but with deflate algorithm and zlib format.
2437 Note that this algorithm has ambiguous support on many
2438 browsers and no support at all from recent ones. It is
2439 strongly recommended not to use it for anything else than
2440 experimentation. This setting is only available when support
2441 for zlib was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002442
Willy Tarreauc91840a2015-03-28 17:00:39 +01002443 raw-deflate same as "deflate" without the zlib wrapper, and used as an
2444 alternative when the browser wants "deflate". All major
2445 browsers understand it and despite violating the standards,
2446 it is known to work better than "deflate", at least on MSIE
2447 and some versions of Safari. Do not use it in conjunction
2448 with "deflate", use either one or the other since both react
2449 to the same Accept-Encoding token. This setting is only
2450 available when support for zlib was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002451
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04002452 Compression will be activated depending on the Accept-Encoding request
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002453 header. With identity, it does not take care of that header.
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002454 If backend servers support HTTP compression, these directives
2455 will be no-op: haproxy will see the compressed response and will not
2456 compress again. If backend servers do not support HTTP compression and
2457 there is Accept-Encoding header in request, haproxy will compress the
2458 matching response.
Willy Tarreau70737d12012-10-27 00:34:28 +02002459
2460 The "offload" setting makes haproxy remove the Accept-Encoding header to
2461 prevent backend servers from compressing responses. It is strongly
2462 recommended not to do this because this means that all the compression work
2463 will be done on the single point where haproxy is located. However in some
2464 deployment scenarios, haproxy may be installed in front of a buggy gateway
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002465 with broken HTTP compression implementation which can't be turned off.
2466 In that case haproxy can be used to prevent that gateway from emitting
2467 invalid payloads. In this case, simply removing the header in the
2468 configuration does not work because it applies before the header is parsed,
2469 so that prevents haproxy from compressing. The "offload" setting should
Willy Tarreauffea9fd2014-07-12 16:37:02 +02002470 then be used for such scenarios. Note: for now, the "offload" setting is
2471 ignored when set in a defaults section.
William Lallemand82fe75c2012-10-23 10:25:10 +02002472
William Lallemand05097442012-11-20 12:14:28 +01002473 Compression is disabled when:
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002474 * the request does not advertise a supported compression algorithm in the
2475 "Accept-Encoding" header
2476 * the response message is not HTTP/1.1
William Lallemandd3002612012-11-26 14:34:47 +01002477 * HTTP status code is not 200
William Lallemand8bb4e342013-12-10 17:28:48 +01002478 * response header "Transfer-Encoding" contains "chunked" (Temporary
2479 Workaround)
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002480 * response contain neither a "Content-Length" header nor a
2481 "Transfer-Encoding" whose last value is "chunked"
2482 * response contains a "Content-Type" header whose first value starts with
2483 "multipart"
2484 * the response contains the "no-transform" value in the "Cache-control"
2485 header
2486 * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7
2487 and later
2488 * The response contains a "Content-Encoding" header, indicating that the
2489 response is already compressed (see compression offload)
William Lallemand05097442012-11-20 12:14:28 +01002490
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002491 Note: The compression does not rewrite Etag headers, and does not emit the
2492 Warning header.
William Lallemand05097442012-11-20 12:14:28 +01002493
William Lallemand82fe75c2012-10-23 10:25:10 +02002494 Examples :
2495 compression algo gzip
2496 compression type text/html text/plain
Willy Tarreau0ba27502007-12-24 16:55:16 +01002497
Cyril Bontéf0c60612010-02-06 14:44:47 +01002498contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002499 Set the maximum time to wait for a connection attempt to a server to succeed.
2500 May be used in sections : defaults | frontend | listen | backend
2501 yes | no | yes | yes
2502 Arguments :
2503 <timeout> is the timeout value is specified in milliseconds by default, but
2504 can be in any other unit if the number is suffixed by the unit,
2505 as explained at the top of this document.
2506
2507 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002508 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01002509 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01002510 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
2511 connect timeout also presets the queue timeout to the same value if this one
2512 has not been specified. Historically, the contimeout was also used to set the
2513 tarpit timeout in a listen section, which is not possible in a pure frontend.
2514
2515 This parameter is specific to backends, but can be specified once for all in
2516 "defaults" sections. This is in fact one of the easiest solutions not to
2517 forget about it. An unspecified timeout results in an infinite timeout, which
2518 is not recommended. Such a usage is accepted and works but reports a warning
2519 during startup because it may results in accumulation of failed sessions in
2520 the system if the system's timeouts are not configured either.
2521
2522 This parameter is provided for backwards compatibility but is currently
2523 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
2524 instead.
2525
2526 See also : "timeout connect", "timeout queue", "timeout tarpit",
2527 "timeout server", "contimeout".
2528
2529
Willy Tarreau55165fe2009-05-10 12:02:55 +02002530cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02002531 [ postonly ] [ preserve ] [ httponly ] [ secure ]
2532 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01002533 Enable cookie-based persistence in a backend.
2534 May be used in sections : defaults | frontend | listen | backend
2535 yes | no | yes | yes
2536 Arguments :
2537 <name> is the name of the cookie which will be monitored, modified or
2538 inserted in order to bring persistence. This cookie is sent to
2539 the client via a "Set-Cookie" header in the response, and is
2540 brought back by the client in a "Cookie" header in all requests.
2541 Special care should be taken to choose a name which does not
2542 conflict with any likely application cookie. Also, if the same
2543 backends are subject to be used by the same clients (eg:
2544 HTTP/HTTPS), care should be taken to use different cookie names
2545 between all backends if persistence between them is not desired.
2546
2547 rewrite This keyword indicates that the cookie will be provided by the
2548 server and that haproxy will have to modify its value to set the
2549 server's identifier in it. This mode is handy when the management
2550 of complex combinations of "Set-cookie" and "Cache-control"
2551 headers is left to the application. The application can then
2552 decide whether or not it is appropriate to emit a persistence
2553 cookie. Since all responses should be monitored, this mode only
2554 works in HTTP close mode. Unless the application behaviour is
2555 very complex and/or broken, it is advised not to start with this
2556 mode for new deployments. This keyword is incompatible with
2557 "insert" and "prefix".
2558
2559 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02002560 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002561
Willy Tarreaua79094d2010-08-31 22:54:15 +02002562 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002563 server. When used without the "preserve" option, if the server
2564 emits a cookie with the same name, it will be remove before
2565 processing. For this reason, this mode can be used to upgrade
2566 existing configurations running in the "rewrite" mode. The cookie
2567 will only be a session cookie and will not be stored on the
2568 client's disk. By default, unless the "indirect" option is added,
2569 the server will see the cookies emitted by the client. Due to
2570 caching effects, it is generally wise to add the "nocache" or
2571 "postonly" keywords (see below). The "insert" keyword is not
2572 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002573
2574 prefix This keyword indicates that instead of relying on a dedicated
2575 cookie for the persistence, an existing one will be completed.
2576 This may be needed in some specific environments where the client
2577 does not support more than one single cookie and the application
2578 already needs it. In this case, whenever the server sets a cookie
2579 named <name>, it will be prefixed with the server's identifier
2580 and a delimiter. The prefix will be removed from all client
2581 requests so that the server still finds the cookie it emitted.
2582 Since all requests and responses are subject to being modified,
2583 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02002584 not compatible with "rewrite" and "insert". Note: it is highly
2585 recommended not to use "indirect" with "prefix", otherwise server
2586 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002587
Willy Tarreaua79094d2010-08-31 22:54:15 +02002588 indirect When this option is specified, no cookie will be emitted to a
2589 client which already has a valid one for the server which has
2590 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002591 it will be removed, unless the "preserve" option is also set. In
2592 "insert" mode, this will additionally remove cookies from the
2593 requests transmitted to the server, making the persistence
2594 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02002595 Note: it is highly recommended not to use "indirect" with
2596 "prefix", otherwise server cookie updates would not be sent to
2597 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002598
2599 nocache This option is recommended in conjunction with the insert mode
2600 when there is a cache between the client and HAProxy, as it
2601 ensures that a cacheable response will be tagged non-cacheable if
2602 a cookie needs to be inserted. This is important because if all
2603 persistence cookies are added on a cacheable home page for
2604 instance, then all customers will then fetch the page from an
2605 outer cache and will all share the same persistence cookie,
2606 leading to one server receiving much more traffic than others.
2607 See also the "insert" and "postonly" options.
2608
2609 postonly This option ensures that cookie insertion will only be performed
2610 on responses to POST requests. It is an alternative to the
2611 "nocache" option, because POST responses are not cacheable, so
2612 this ensures that the persistence cookie will never get cached.
2613 Since most sites do not need any sort of persistence before the
2614 first POST which generally is a login request, this is a very
2615 efficient method to optimize caching without risking to find a
2616 persistence cookie in the cache.
2617 See also the "insert" and "nocache" options.
2618
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002619 preserve This option may only be used with "insert" and/or "indirect". It
2620 allows the server to emit the persistence cookie itself. In this
2621 case, if a cookie is found in the response, haproxy will leave it
2622 untouched. This is useful in order to end persistence after a
2623 logout request for instance. For this, the server just has to
2624 emit a cookie with an invalid value (eg: empty) or with a date in
2625 the past. By combining this mechanism with the "disable-on-404"
2626 check option, it is possible to perform a completely graceful
2627 shutdown because users will definitely leave the server after
2628 they logout.
2629
Willy Tarreau4992dd22012-05-31 21:02:17 +02002630 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
2631 when a cookie is inserted. This attribute is used so that a
2632 user agent doesn't share the cookie with non-HTTP components.
2633 Please check RFC6265 for more information on this attribute.
2634
2635 secure This option tells haproxy to add a "Secure" cookie attribute when
2636 a cookie is inserted. This attribute is used so that a user agent
2637 never emits this cookie over non-secure channels, which means
2638 that a cookie learned with this flag will be presented only over
2639 SSL/TLS connections. Please check RFC6265 for more information on
2640 this attribute.
2641
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002642 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002643 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01002644 name. If the domain begins with a dot, the browser is allowed to
2645 use it for any host ending with that name. It is also possible to
2646 specify several domain names by invoking this option multiple
2647 times. Some browsers might have small limits on the number of
2648 domains, so be careful when doing that. For the record, sending
2649 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002650
Willy Tarreau996a92c2010-10-13 19:30:47 +02002651 maxidle This option allows inserted cookies to be ignored after some idle
2652 time. It only works with insert-mode cookies. When a cookie is
2653 sent to the client, the date this cookie was emitted is sent too.
2654 Upon further presentations of this cookie, if the date is older
2655 than the delay indicated by the parameter (in seconds), it will
2656 be ignored. Otherwise, it will be refreshed if needed when the
2657 response is sent to the client. This is particularly useful to
2658 prevent users who never close their browsers from remaining for
2659 too long on the same server (eg: after a farm size change). When
2660 this option is set and a cookie has no date, it is always
2661 accepted, but gets refreshed in the response. This maintains the
2662 ability for admins to access their sites. Cookies that have a
2663 date in the future further than 24 hours are ignored. Doing so
2664 lets admins fix timezone issues without risking kicking users off
2665 the site.
2666
2667 maxlife This option allows inserted cookies to be ignored after some life
2668 time, whether they're in use or not. It only works with insert
2669 mode cookies. When a cookie is first sent to the client, the date
2670 this cookie was emitted is sent too. Upon further presentations
2671 of this cookie, if the date is older than the delay indicated by
2672 the parameter (in seconds), it will be ignored. If the cookie in
2673 the request has no date, it is accepted and a date will be set.
2674 Cookies that have a date in the future further than 24 hours are
2675 ignored. Doing so lets admins fix timezone issues without risking
2676 kicking users off the site. Contrary to maxidle, this value is
2677 not refreshed, only the first visit date counts. Both maxidle and
2678 maxlife may be used at the time. This is particularly useful to
2679 prevent users who never close their browsers from remaining for
2680 too long on the same server (eg: after a farm size change). This
2681 is stronger than the maxidle method in that it forces a
2682 redispatch after some absolute delay.
2683
Willy Tarreau0ba27502007-12-24 16:55:16 +01002684 There can be only one persistence cookie per HTTP backend, and it can be
2685 declared in a defaults section. The value of the cookie will be the value
2686 indicated after the "cookie" keyword in a "server" statement. If no cookie
2687 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002688
Willy Tarreau0ba27502007-12-24 16:55:16 +01002689 Examples :
2690 cookie JSESSIONID prefix
2691 cookie SRV insert indirect nocache
2692 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002693 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002694
Willy Tarreau294d0f02015-08-10 19:40:12 +02002695 See also : "balance source", "capture cookie", "server" and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002696
Willy Tarreau983e01e2010-01-11 18:42:06 +01002697
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02002698declare capture [ request | response ] len <length>
2699 Declares a capture slot.
2700 May be used in sections : defaults | frontend | listen | backend
2701 no | yes | yes | no
2702 Arguments:
2703 <length> is the length allowed for the capture.
2704
2705 This declaration is only available in the frontend or listen section, but the
2706 reserved slot can be used in the backends. The "request" keyword allocates a
2707 capture slot for use in the request, and "response" allocates a capture slot
2708 for use in the response.
2709
2710 See also: "capture-req", "capture-res" (sample converters),
2711 "http-request capture" and "http-response capture".
2712
2713
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002714default-server [param*]
2715 Change default options for a server in a backend
2716 May be used in sections : defaults | frontend | listen | backend
2717 yes | no | yes | yes
2718 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002719 <param*> is a list of parameters for this server. The "default-server"
2720 keyword accepts an important number of options and has a complete
2721 section dedicated to it. Please refer to section 5 for more
2722 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002723
Willy Tarreau983e01e2010-01-11 18:42:06 +01002724 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002725 default-server inter 1000 weight 13
2726
2727 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002728
Willy Tarreau983e01e2010-01-11 18:42:06 +01002729
Willy Tarreau0ba27502007-12-24 16:55:16 +01002730default_backend <backend>
2731 Specify the backend to use when no "use_backend" rule has been matched.
2732 May be used in sections : defaults | frontend | listen | backend
2733 yes | yes | yes | no
2734 Arguments :
2735 <backend> is the name of the backend to use.
2736
2737 When doing content-switching between frontend and backends using the
2738 "use_backend" keyword, it is often useful to indicate which backend will be
2739 used when no rule has matched. It generally is the dynamic backend which
2740 will catch all undetermined requests.
2741
Willy Tarreau0ba27502007-12-24 16:55:16 +01002742 Example :
2743
2744 use_backend dynamic if url_dyn
2745 use_backend static if url_css url_img extension_img
2746 default_backend dynamic
2747
Willy Tarreau98d04852015-05-26 12:18:29 +02002748 See also : "use_backend"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002749
Willy Tarreau0ba27502007-12-24 16:55:16 +01002750
Baptiste Assmann27f51342013-10-09 06:51:49 +02002751description <string>
2752 Describe a listen, frontend or backend.
2753 May be used in sections : defaults | frontend | listen | backend
2754 no | yes | yes | yes
2755 Arguments : string
2756
2757 Allows to add a sentence to describe the related object in the HAProxy HTML
2758 stats page. The description will be printed on the right of the object name
2759 it describes.
2760 No need to backslash spaces in the <string> arguments.
2761
2762
Willy Tarreau0ba27502007-12-24 16:55:16 +01002763disabled
2764 Disable a proxy, frontend or backend.
2765 May be used in sections : defaults | frontend | listen | backend
2766 yes | yes | yes | yes
2767 Arguments : none
2768
2769 The "disabled" keyword is used to disable an instance, mainly in order to
2770 liberate a listening port or to temporarily disable a service. The instance
2771 will still be created and its configuration will be checked, but it will be
2772 created in the "stopped" state and will appear as such in the statistics. It
2773 will not receive any traffic nor will it send any health-checks or logs. It
2774 is possible to disable many instances at once by adding the "disabled"
2775 keyword in a "defaults" section.
2776
2777 See also : "enabled"
2778
2779
Willy Tarreau5ce94572010-06-07 14:35:41 +02002780dispatch <address>:<port>
2781 Set a default server address
2782 May be used in sections : defaults | frontend | listen | backend
2783 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002784 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002785
2786 <address> is the IPv4 address of the default server. Alternatively, a
2787 resolvable hostname is supported, but this name will be resolved
2788 during start-up.
2789
2790 <ports> is a mandatory port specification. All connections will be sent
2791 to this port, and it is not permitted to use port offsets as is
2792 possible with normal servers.
2793
Willy Tarreau787aed52011-04-15 06:45:37 +02002794 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002795 server can take the connection. In the past it was used to forward non
2796 persistent connections to an auxiliary load balancer. Due to its simple
2797 syntax, it has also been used for simple TCP relays. It is recommended not to
2798 use it for more clarity, and to use the "server" directive instead.
2799
2800 See also : "server"
2801
2802
Willy Tarreau0ba27502007-12-24 16:55:16 +01002803enabled
2804 Enable a proxy, frontend or backend.
2805 May be used in sections : defaults | frontend | listen | backend
2806 yes | yes | yes | yes
2807 Arguments : none
2808
2809 The "enabled" keyword is used to explicitly enable an instance, when the
2810 defaults has been set to "disabled". This is very rarely used.
2811
2812 See also : "disabled"
2813
2814
2815errorfile <code> <file>
2816 Return a file contents instead of errors generated by HAProxy
2817 May be used in sections : defaults | frontend | listen | backend
2818 yes | yes | yes | yes
2819 Arguments :
2820 <code> is the HTTP status code. Currently, HAProxy is capable of
CJ Ess108b1dd2015-04-07 12:03:37 -04002821 generating codes 200, 400, 403, 405, 408, 429, 500, 502, 503, and
2822 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002823
2824 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002825 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002826 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002827 error pages, and to use absolute paths, since files are read
2828 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002829
2830 It is important to understand that this keyword is not meant to rewrite
2831 errors returned by the server, but errors detected and returned by HAProxy.
2832 This is why the list of supported errors is limited to a small set.
2833
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002834 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2835
Willy Tarreau0ba27502007-12-24 16:55:16 +01002836 The files are returned verbatim on the TCP socket. This allows any trick such
2837 as redirections to another URL or site, as well as tricks to clean cookies,
2838 force enable or disable caching, etc... The package provides default error
2839 files returning the same contents as default errors.
2840
Willy Tarreau59140a22009-02-22 12:02:30 +01002841 The files should not exceed the configured buffer size (BUFSIZE), which
2842 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2843 not to put any reference to local contents (eg: images) in order to avoid
2844 loops between the client and HAProxy when all servers are down, causing an
2845 error to be returned instead of an image. For better HTTP compliance, it is
2846 recommended that all header lines end with CR-LF and not LF alone.
2847
Willy Tarreau0ba27502007-12-24 16:55:16 +01002848 The files are read at the same time as the configuration and kept in memory.
2849 For this reason, the errors continue to be returned even when the process is
2850 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002851 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002852 403 status code and interrogating a blocked URL.
2853
2854 See also : "errorloc", "errorloc302", "errorloc303"
2855
Willy Tarreau59140a22009-02-22 12:02:30 +01002856 Example :
2857 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
Willy Tarreau2705a612014-05-23 17:38:34 +02002858 errorfile 408 /dev/null # workaround Chrome pre-connect bug
Willy Tarreau59140a22009-02-22 12:02:30 +01002859 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2860 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2861
Willy Tarreau2769aa02007-12-27 18:26:09 +01002862
2863errorloc <code> <url>
2864errorloc302 <code> <url>
2865 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2866 May be used in sections : defaults | frontend | listen | backend
2867 yes | yes | yes | yes
2868 Arguments :
2869 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002870 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002871
2872 <url> it is the exact contents of the "Location" header. It may contain
2873 either a relative URI to an error page hosted on the same site,
2874 or an absolute URI designating an error page on another site.
2875 Special care should be given to relative URIs to avoid redirect
2876 loops if the URI itself may generate the same error (eg: 500).
2877
2878 It is important to understand that this keyword is not meant to rewrite
2879 errors returned by the server, but errors detected and returned by HAProxy.
2880 This is why the list of supported errors is limited to a small set.
2881
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002882 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2883
Willy Tarreau2769aa02007-12-27 18:26:09 +01002884 Note that both keyword return the HTTP 302 status code, which tells the
2885 client to fetch the designated URL using the same HTTP method. This can be
2886 quite problematic in case of non-GET methods such as POST, because the URL
2887 sent to the client might not be allowed for something other than GET. To
2888 workaround this problem, please use "errorloc303" which send the HTTP 303
2889 status code, indicating to the client that the URL must be fetched with a GET
2890 request.
2891
2892 See also : "errorfile", "errorloc303"
2893
2894
2895errorloc303 <code> <url>
2896 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2897 May be used in sections : defaults | frontend | listen | backend
2898 yes | yes | yes | yes
2899 Arguments :
2900 <code> is the HTTP status code. Currently, HAProxy is capable of
2901 generating codes 400, 403, 408, 500, 502, 503, and 504.
2902
2903 <url> it is the exact contents of the "Location" header. It may contain
2904 either a relative URI to an error page hosted on the same site,
2905 or an absolute URI designating an error page on another site.
2906 Special care should be given to relative URIs to avoid redirect
2907 loops if the URI itself may generate the same error (eg: 500).
2908
2909 It is important to understand that this keyword is not meant to rewrite
2910 errors returned by the server, but errors detected and returned by HAProxy.
2911 This is why the list of supported errors is limited to a small set.
2912
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002913 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2914
Willy Tarreau2769aa02007-12-27 18:26:09 +01002915 Note that both keyword return the HTTP 303 status code, which tells the
2916 client to fetch the designated URL using the same HTTP GET method. This
2917 solves the usual problems associated with "errorloc" and the 302 code. It is
2918 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002919 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002920
2921 See also : "errorfile", "errorloc", "errorloc302"
2922
2923
Simon Horman51a1cf62015-02-03 13:00:44 +09002924email-alert from <emailaddr>
2925 Declare the from email address to be used in both the envelope and header
2926 of email alerts. This is the address that email alerts are sent from.
2927 May be used in sections: defaults | frontend | listen | backend
2928 yes | yes | yes | yes
2929
2930 Arguments :
2931
2932 <emailaddr> is the from email address to use when sending email alerts
2933
2934 Also requires "email-alert mailers" and "email-alert to" to be set
2935 and if so sending email alerts is enabled for the proxy.
2936
Simon Horman64e34162015-02-06 11:11:57 +09002937 See also : "email-alert level", "email-alert mailers",
2938 "email-alert myhostname", "email-alert to", section 3.6 about mailers.
2939
2940
2941email-alert level <level>
2942 Declare the maximum log level of messages for which email alerts will be
2943 sent. This acts as a filter on the sending of email alerts.
2944 May be used in sections: defaults | frontend | listen | backend
2945 yes | yes | yes | yes
2946
2947 Arguments :
2948
2949 <level> One of the 8 syslog levels:
2950 emerg alert crit err warning notice info debug
2951 The above syslog levels are ordered from lowest to highest.
2952
2953 By default level is alert
2954
2955 Also requires "email-alert from", "email-alert mailers" and
2956 "email-alert to" to be set and if so sending email alerts is enabled
2957 for the proxy.
2958
Simon Horman1421e212015-04-30 13:10:35 +09002959 Alerts are sent when :
2960
2961 * An un-paused server is marked as down and <level> is alert or lower
2962 * A paused server is marked as down and <level> is notice or lower
2963 * A server is marked as up or enters the drain state and <level>
2964 is notice or lower
2965 * "option log-health-checks" is enabled, <level> is info or lower,
2966 and a health check status update occurs
2967
Simon Horman64e34162015-02-06 11:11:57 +09002968 See also : "email-alert from", "email-alert mailers",
2969 "email-alert myhostname", "email-alert to",
Simon Horman51a1cf62015-02-03 13:00:44 +09002970 section 3.6 about mailers.
2971
2972
2973email-alert mailers <mailersect>
2974 Declare the mailers to be used when sending email alerts
2975 May be used in sections: defaults | frontend | listen | backend
2976 yes | yes | yes | yes
2977
2978 Arguments :
2979
2980 <mailersect> is the name of the mailers section to send email alerts.
2981
2982 Also requires "email-alert from" and "email-alert to" to be set
2983 and if so sending email alerts is enabled for the proxy.
2984
Simon Horman64e34162015-02-06 11:11:57 +09002985 See also : "email-alert from", "email-alert level", "email-alert myhostname",
2986 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09002987
2988
2989email-alert myhostname <hostname>
2990 Declare the to hostname address to be used when communicating with
2991 mailers.
2992 May be used in sections: defaults | frontend | listen | backend
2993 yes | yes | yes | yes
2994
2995 Arguments :
2996
2997 <emailaddr> is the to email address to use when sending email alerts
2998
2999 By default the systems hostname is used.
3000
3001 Also requires "email-alert from", "email-alert mailers" and
3002 "email-alert to" to be set and if so sending email alerts is enabled
3003 for the proxy.
3004
Simon Horman64e34162015-02-06 11:11:57 +09003005 See also : "email-alert from", "email-alert level", "email-alert mailers",
3006 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09003007
3008
3009email-alert to <emailaddr>
3010 Declare both the recipent address in the envelope and to address in the
3011 header of email alerts. This is the address that email alerts are sent to.
3012 May be used in sections: defaults | frontend | listen | backend
3013 yes | yes | yes | yes
3014
3015 Arguments :
3016
3017 <emailaddr> is the to email address to use when sending email alerts
3018
3019 Also requires "email-alert mailers" and "email-alert to" to be set
3020 and if so sending email alerts is enabled for the proxy.
3021
Simon Horman64e34162015-02-06 11:11:57 +09003022 See also : "email-alert from", "email-alert level", "email-alert mailers",
Simon Horman51a1cf62015-02-03 13:00:44 +09003023 "email-alert myhostname", section 3.6 about mailers.
3024
3025
Willy Tarreau4de91492010-01-22 19:10:05 +01003026force-persist { if | unless } <condition>
3027 Declare a condition to force persistence on down servers
3028 May be used in sections: defaults | frontend | listen | backend
3029 no | yes | yes | yes
3030
3031 By default, requests are not dispatched to down servers. It is possible to
3032 force this using "option persist", but it is unconditional and redispatches
3033 to a valid server if "option redispatch" is set. That leaves with very little
3034 possibilities to force some requests to reach a server which is artificially
3035 marked down for maintenance operations.
3036
3037 The "force-persist" statement allows one to declare various ACL-based
3038 conditions which, when met, will cause a request to ignore the down status of
3039 a server and still try to connect to it. That makes it possible to start a
3040 server, still replying an error to the health checks, and run a specially
3041 configured browser to test the service. Among the handy methods, one could
3042 use a specific source IP address, or a specific cookie. The cookie also has
3043 the advantage that it can easily be added/removed on the browser from a test
3044 page. Once the service is validated, it is then possible to open the service
3045 to the world by returning a valid response to health checks.
3046
3047 The forced persistence is enabled when an "if" condition is met, or unless an
3048 "unless" condition is met. The final redispatch is always disabled when this
3049 is used.
3050
Cyril Bonté0d4bf012010-04-25 23:21:46 +02003051 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02003052 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01003053
3054
Willy Tarreau2769aa02007-12-27 18:26:09 +01003055fullconn <conns>
3056 Specify at what backend load the servers will reach their maxconn
3057 May be used in sections : defaults | frontend | listen | backend
3058 yes | no | yes | yes
3059 Arguments :
3060 <conns> is the number of connections on the backend which will make the
3061 servers use the maximal number of connections.
3062
Willy Tarreau198a7442008-01-17 12:05:32 +01003063 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01003064 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01003065 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01003066 load. The server will then always accept at least <minconn> connections,
3067 never more than <maxconn>, and the limit will be on the ramp between both
3068 values when the backend has less than <conns> concurrent connections. This
3069 makes it possible to limit the load on the servers during normal loads, but
3070 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003071 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003072
Willy Tarreaufbb78422011-06-05 15:38:35 +02003073 Since it's hard to get this value right, haproxy automatically sets it to
3074 10% of the sum of the maxconns of all frontends that may branch to this
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01003075 backend (based on "use_backend" and "default_backend" rules). That way it's
3076 safe to leave it unset. However, "use_backend" involving dynamic names are
3077 not counted since there is no way to know if they could match or not.
Willy Tarreaufbb78422011-06-05 15:38:35 +02003078
Willy Tarreau2769aa02007-12-27 18:26:09 +01003079 Example :
3080 # The servers will accept between 100 and 1000 concurrent connections each
3081 # and the maximum of 1000 will be reached when the backend reaches 10000
3082 # connections.
3083 backend dynamic
3084 fullconn 10000
3085 server srv1 dyn1:80 minconn 100 maxconn 1000
3086 server srv2 dyn2:80 minconn 100 maxconn 1000
3087
3088 See also : "maxconn", "server"
3089
3090
3091grace <time>
3092 Maintain a proxy operational for some time after a soft stop
3093 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01003094 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01003095 Arguments :
3096 <time> is the time (by default in milliseconds) for which the instance
3097 will remain operational with the frontend sockets still listening
3098 when a soft-stop is received via the SIGUSR1 signal.
3099
3100 This may be used to ensure that the services disappear in a certain order.
3101 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003102 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01003103 needed by the equipment to detect the failure.
3104
3105 Note that currently, there is very little benefit in using this parameter,
3106 and it may in fact complicate the soft-reconfiguration process more than
3107 simplify it.
3108
Willy Tarreau0ba27502007-12-24 16:55:16 +01003109
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05003110hash-type <method> <function> <modifier>
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003111 Specify a method to use for mapping hashes to servers
3112 May be used in sections : defaults | frontend | listen | backend
3113 yes | no | yes | yes
3114 Arguments :
Bhaskar98634f02013-10-29 23:30:51 -04003115 <method> is the method used to select a server from the hash computed by
3116 the <function> :
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003117
Bhaskar98634f02013-10-29 23:30:51 -04003118 map-based the hash table is a static array containing all alive servers.
3119 The hashes will be very smooth, will consider weights, but
3120 will be static in that weight changes while a server is up
3121 will be ignored. This means that there will be no slow start.
3122 Also, since a server is selected by its position in the array,
3123 most mappings are changed when the server count changes. This
3124 means that when a server goes up or down, or when a server is
3125 added to a farm, most connections will be redistributed to
3126 different servers. This can be inconvenient with caches for
3127 instance.
Willy Tarreau798a39c2010-11-24 15:04:29 +01003128
Bhaskar98634f02013-10-29 23:30:51 -04003129 consistent the hash table is a tree filled with many occurrences of each
3130 server. The hash key is looked up in the tree and the closest
3131 server is chosen. This hash is dynamic, it supports changing
3132 weights while the servers are up, so it is compatible with the
3133 slow start feature. It has the advantage that when a server
3134 goes up or down, only its associations are moved. When a
3135 server is added to the farm, only a few part of the mappings
3136 are redistributed, making it an ideal method for caches.
3137 However, due to its principle, the distribution will never be
3138 very smooth and it may sometimes be necessary to adjust a
3139 server's weight or its ID to get a more balanced distribution.
3140 In order to get the same distribution on multiple load
3141 balancers, it is important that all servers have the exact
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05003142 same IDs. Note: consistent hash uses sdbm and avalanche if no
3143 hash function is specified.
Bhaskar98634f02013-10-29 23:30:51 -04003144
3145 <function> is the hash function to be used :
3146
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003147 sdbm this function was created initially for sdbm (a public-domain
Bhaskar98634f02013-10-29 23:30:51 -04003148 reimplementation of ndbm) database library. It was found to do
3149 well in scrambling bits, causing better distribution of the keys
3150 and fewer splits. It also happens to be a good general hashing
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05003151 function with good distribution, unless the total server weight
3152 is a multiple of 64, in which case applying the avalanche
3153 modifier may help.
Bhaskar98634f02013-10-29 23:30:51 -04003154
3155 djb2 this function was first proposed by Dan Bernstein many years ago
3156 on comp.lang.c. Studies have shown that for certain workload this
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05003157 function provides a better distribution than sdbm. It generally
3158 works well with text-based inputs though it can perform extremely
3159 poorly with numeric-only input or when the total server weight is
3160 a multiple of 33, unless the avalanche modifier is also used.
3161
Willy Tarreaua0f42712013-11-14 14:30:35 +01003162 wt6 this function was designed for haproxy while testing other
3163 functions in the past. It is not as smooth as the other ones, but
3164 is much less sensible to the input data set or to the number of
3165 servers. It can make sense as an alternative to sdbm+avalanche or
3166 djb2+avalanche for consistent hashing or when hashing on numeric
3167 data such as a source IP address or a visitor identifier in a URL
3168 parameter.
3169
Willy Tarreau324f07f2015-01-20 19:44:50 +01003170 crc32 this is the most common CRC32 implementation as used in Ethernet,
3171 gzip, PNG, etc. It is slower than the other ones but may provide
3172 a better distribution or less predictable results especially when
3173 used on strings.
3174
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05003175 <modifier> indicates an optional method applied after hashing the key :
3176
3177 avalanche This directive indicates that the result from the hash
3178 function above should not be used in its raw form but that
3179 a 4-byte full avalanche hash must be applied first. The
3180 purpose of this step is to mix the resulting bits from the
3181 previous hash in order to avoid any undesired effect when
3182 the input contains some limited values or when the number of
3183 servers is a multiple of one of the hash's components (64
3184 for SDBM, 33 for DJB2). Enabling avalanche tends to make the
3185 result less predictable, but it's also not as smooth as when
3186 using the original function. Some testing might be needed
3187 with some workloads. This hash is one of the many proposed
3188 by Bob Jenkins.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003189
Bhaskar98634f02013-10-29 23:30:51 -04003190 The default hash type is "map-based" and is recommended for most usages. The
3191 default function is "sdbm", the selection of a function should be based on
3192 the range of the values being hashed.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003193
3194 See also : "balance", "server"
3195
3196
Willy Tarreau0ba27502007-12-24 16:55:16 +01003197http-check disable-on-404
3198 Enable a maintenance mode upon HTTP/404 response to health-checks
3199 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01003200 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01003201 Arguments : none
3202
3203 When this option is set, a server which returns an HTTP code 404 will be
3204 excluded from further load-balancing, but will still receive persistent
3205 connections. This provides a very convenient method for Web administrators
3206 to perform a graceful shutdown of their servers. It is also important to note
3207 that a server which is detected as failed while it was in this mode will not
3208 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
3209 will immediately be reinserted into the farm. The status on the stats page
3210 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01003211 option only works in conjunction with the "httpchk" option. If this option
3212 is used with "http-check expect", then it has precedence over it so that 404
3213 responses will still be considered as soft-stop.
3214
3215 See also : "option httpchk", "http-check expect"
3216
3217
3218http-check expect [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003219 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01003220 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02003221 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01003222 Arguments :
3223 <match> is a keyword indicating how to look for a specific pattern in the
3224 response. The keyword may be one of "status", "rstatus",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003225 "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01003226 exclamation mark ("!") to negate the match. Spaces are allowed
3227 between the exclamation mark and the keyword. See below for more
3228 details on the supported keywords.
3229
3230 <pattern> is the pattern to look for. It may be a string or a regular
3231 expression. If the pattern contains spaces, they must be escaped
3232 with the usual backslash ('\').
3233
3234 By default, "option httpchk" considers that response statuses 2xx and 3xx
3235 are valid, and that others are invalid. When "http-check expect" is used,
3236 it defines what is considered valid or invalid. Only one "http-check"
3237 statement is supported in a backend. If a server fails to respond or times
3238 out, the check obviously fails. The available matches are :
3239
3240 status <string> : test the exact string match for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003241 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003242 response's status code is exactly this string. If the
3243 "status" keyword is prefixed with "!", then the response
3244 will be considered invalid if the status code matches.
3245
3246 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003247 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003248 response's status code matches the expression. If the
3249 "rstatus" keyword is prefixed with "!", then the response
3250 will be considered invalid if the status code matches.
3251 This is mostly used to check for multiple codes.
3252
3253 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003254 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003255 response's body contains this exact string. If the
3256 "string" keyword is prefixed with "!", then the response
3257 will be considered invalid if the body contains this
3258 string. This can be used to look for a mandatory word at
3259 the end of a dynamic page, or to detect a failure when a
3260 specific error appears on the check page (eg: a stack
3261 trace).
3262
3263 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003264 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003265 response's body matches this expression. If the "rstring"
3266 keyword is prefixed with "!", then the response will be
3267 considered invalid if the body matches the expression.
3268 This can be used to look for a mandatory word at the end
3269 of a dynamic page, or to detect a failure when a specific
3270 error appears on the check page (eg: a stack trace).
3271
3272 It is important to note that the responses will be limited to a certain size
3273 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
3274 Thus, too large responses may not contain the mandatory pattern when using
3275 "string" or "rstring". If a large response is absolutely required, it is
3276 possible to change the default max size by setting the global variable.
3277 However, it is worth keeping in mind that parsing very large responses can
3278 waste some CPU cycles, especially when regular expressions are used, and that
3279 it is always better to focus the checks on smaller resources.
3280
Cyril Bonté32602d22015-01-30 00:07:07 +01003281 Also "http-check expect" doesn't support HTTP keep-alive. Keep in mind that it
3282 will automatically append a "Connection: close" header, meaning that this
3283 header should not be present in the request provided by "option httpchk".
3284
Willy Tarreaubd741542010-03-16 18:46:54 +01003285 Last, if "http-check expect" is combined with "http-check disable-on-404",
3286 then this last one has precedence when the server responds with 404.
3287
3288 Examples :
3289 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003290 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01003291
3292 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003293 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01003294
3295 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003296 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01003297
3298 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003299 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01003300
Willy Tarreaubd741542010-03-16 18:46:54 +01003301 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003302
3303
Willy Tarreauef781042010-01-27 11:53:01 +01003304http-check send-state
3305 Enable emission of a state header with HTTP health checks
3306 May be used in sections : defaults | frontend | listen | backend
3307 yes | no | yes | yes
3308 Arguments : none
3309
3310 When this option is set, haproxy will systematically send a special header
3311 "X-Haproxy-Server-State" with a list of parameters indicating to each server
3312 how they are seen by haproxy. This can be used for instance when a server is
3313 manipulated without access to haproxy and the operator needs to know whether
3314 haproxy still sees it up or not, or if the server is the last one in a farm.
3315
3316 The header is composed of fields delimited by semi-colons, the first of which
3317 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
3318 checks on the total number before transition, just as appears in the stats
3319 interface. Next headers are in the form "<variable>=<value>", indicating in
3320 no specific order some values available in the stats interface :
Joseph Lynch514061c2015-01-15 17:52:59 -08003321 - a variable "address", containing the address of the backend server.
3322 This corresponds to the <address> field in the server declaration. For
3323 unix domain sockets, it will read "unix".
3324
3325 - a variable "port", containing the port of the backend server. This
3326 corresponds to the <port> field in the server declaration. For unix
3327 domain sockets, it will read "unix".
3328
Willy Tarreauef781042010-01-27 11:53:01 +01003329 - a variable "name", containing the name of the backend followed by a slash
3330 ("/") then the name of the server. This can be used when a server is
3331 checked in multiple backends.
3332
3333 - a variable "node" containing the name of the haproxy node, as set in the
3334 global "node" variable, otherwise the system's hostname if unspecified.
3335
3336 - a variable "weight" indicating the weight of the server, a slash ("/")
3337 and the total weight of the farm (just counting usable servers). This
3338 helps to know if other servers are available to handle the load when this
3339 one fails.
3340
3341 - a variable "scur" indicating the current number of concurrent connections
3342 on the server, followed by a slash ("/") then the total number of
3343 connections on all servers of the same backend.
3344
3345 - a variable "qcur" indicating the current number of requests in the
3346 server's queue.
3347
3348 Example of a header received by the application server :
3349 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
3350 scur=13/22; qcur=0
3351
3352 See also : "option httpchk", "http-check disable-on-404"
3353
Willy Tarreauccbcc372012-12-27 12:37:57 +01003354http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003355 add-header <name> <fmt> | set-header <name> <fmt> |
Thierry FOURNIER82bf70d2015-05-26 17:58:29 +02003356 capture <sample> [ len <length> | id <id> ] |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003357 del-header <name> | set-nice <nice> | set-log-level <level> |
Sasha Pachev218f0642014-06-16 12:05:59 -06003358 replace-header <name> <match-regex> <replace-fmt> |
3359 replace-value <name> <match-regex> <replace-fmt> |
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01003360 set-method <fmt> | set-path <fmt> | set-query <fmt> |
3361 set-uri <fmt> | set-tos <tos> | set-mark <mark> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003362 add-acl(<file name>) <key fmt> |
3363 del-acl(<file name>) <key fmt> |
3364 del-map(<file name>) <key fmt> |
Baptiste Assmannbb7e86a2014-09-03 18:29:47 +02003365 set-map(<file name>) <key fmt> <value fmt> |
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02003366 set-var(<var name>) <expr> |
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003367 { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] |
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02003368 sc-inc-gpc0(<sc-id>) |
Thierry FOURNIER236657b2015-08-19 08:25:14 +02003369 sc-set-gpt0(<sc-id>) <int> |
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003370 lua <function name>
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003371 }
Cyril Bontéf0c60612010-02-06 14:44:47 +01003372 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003373 Access control for Layer 7 requests
3374
3375 May be used in sections: defaults | frontend | listen | backend
3376 no | yes | yes | yes
3377
Willy Tarreau20b0de52012-12-24 15:45:22 +01003378 The http-request statement defines a set of rules which apply to layer 7
3379 processing. The rules are evaluated in their declaration order when they are
3380 met in a frontend, listen or backend section. Any rule may optionally be
3381 followed by an ACL-based condition, in which case it will only be evaluated
3382 if the condition is true.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003383
Willy Tarreau20b0de52012-12-24 15:45:22 +01003384 The first keyword is the rule's action. Currently supported actions include :
3385 - "allow" : this stops the evaluation of the rules and lets the request
3386 pass the check. No further "http-request" rules are evaluated.
3387
3388 - "deny" : this stops the evaluation of the rules and immediately rejects
3389 the request and emits an HTTP 403 error. No further "http-request" rules
3390 are evaluated.
3391
Willy Tarreauccbcc372012-12-27 12:37:57 +01003392 - "tarpit" : this stops the evaluation of the rules and immediately blocks
3393 the request without responding for a delay specified by "timeout tarpit"
3394 or "timeout connect" if the former is not set. After that delay, if the
3395 client is still connected, an HTTP error 500 is returned so that the
3396 client does not suspect it has been tarpitted. Logs will report the flags
3397 "PT". The goal of the tarpit rule is to slow down robots during an attack
3398 when they're limited on the number of concurrent requests. It can be very
3399 efficient against very dumb robots, and will significantly reduce the
3400 load on firewalls compared to a "deny" rule. But when facing "correctly"
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003401 developed robots, it can make things worse by forcing haproxy and the
Willy Tarreauccbcc372012-12-27 12:37:57 +01003402 front firewall to support insane number of concurrent connections.
3403
Willy Tarreau20b0de52012-12-24 15:45:22 +01003404 - "auth" : this stops the evaluation of the rules and immediately responds
3405 with an HTTP 401 or 407 error code to invite the user to present a valid
3406 user name and password. No further "http-request" rules are evaluated. An
3407 optional "realm" parameter is supported, it sets the authentication realm
3408 that is returned with the response (typically the application's name).
3409
Willy Tarreau81499eb2012-12-27 12:19:02 +01003410 - "redirect" : this performs an HTTP redirection based on a redirect rule.
3411 This is exactly the same as the "redirect" statement except that it
3412 inserts a redirect rule which can be processed in the middle of other
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01003413 "http-request" rules and that these rules use the "log-format" strings.
3414 See the "redirect" keyword for the rule's syntax.
Willy Tarreau81499eb2012-12-27 12:19:02 +01003415
Willy Tarreau20b0de52012-12-24 15:45:22 +01003416 - "add-header" appends an HTTP header field whose name is specified in
3417 <name> and whose value is defined by <fmt> which follows the log-format
3418 rules (see Custom Log Format in section 8.2.4). This is particularly
3419 useful to pass connection-specific information to the server (eg: the
3420 client's SSL certificate), or to combine several headers into one. This
3421 rule is not final, so it is possible to add other similar rules. Note
3422 that header addition is performed immediately, so one rule might reuse
3423 the resulting header from a previous rule.
3424
3425 - "set-header" does the same as "add-header" except that the header name
3426 is first removed if it existed. This is useful when passing security
3427 information to the server, where the header must not be manipulated by
Willy Tarreau85603282015-01-21 20:39:27 +01003428 external users. Note that the new value is computed before the removal so
3429 it is possible to concatenate a value to an existing header.
Willy Tarreau20b0de52012-12-24 15:45:22 +01003430
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003431 - "del-header" removes all HTTP header fields whose name is specified in
3432 <name>.
3433
Sasha Pachev218f0642014-06-16 12:05:59 -06003434 - "replace-header" matches the regular expression in all occurrences of
3435 header field <name> according to <match-regex>, and replaces them with
3436 the <replace-fmt> argument. Format characters are allowed in replace-fmt
3437 and work like in <fmt> arguments in "add-header". The match is only
3438 case-sensitive. It is important to understand that this action only
3439 considers whole header lines, regardless of the number of values they
3440 may contain. This usage is suited to headers naturally containing commas
3441 in their value, such as If-Modified-Since and so on.
3442
3443 Example:
3444
3445 http-request replace-header Cookie foo=([^;]*);(.*) foo=\1;ip=%bi;\2
3446
3447 applied to:
3448
3449 Cookie: foo=foobar; expires=Tue, 14-Jun-2016 01:40:45 GMT;
3450
3451 outputs:
3452
3453 Cookie: foo=foobar;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT;
3454
3455 assuming the backend IP is 192.168.1.20
3456
3457 - "replace-value" works like "replace-header" except that it matches the
3458 regex against every comma-delimited value of the header field <name>
3459 instead of the entire header. This is suited for all headers which are
3460 allowed to carry more than one value. An example could be the Accept
3461 header.
3462
3463 Example:
3464
3465 http-request replace-value X-Forwarded-For ^192\.168\.(.*)$ 172.16.\1
3466
3467 applied to:
3468
3469 X-Forwarded-For: 192.168.10.1, 192.168.13.24, 10.0.0.37
3470
3471 outputs:
3472
3473 X-Forwarded-For: 172.16.10.1, 172.16.13.24, 10.0.0.37
3474
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01003475 - "set-method" rewrites the request method with the result of the
3476 evaluation of format string <fmt>. There should be very few valid reasons
3477 for having to do so as this is more likely to break something than to fix
3478 it.
3479
3480 - "set-path" rewrites the request path with the result of the evaluation of
3481 format string <fmt>. The query string, if any, is left intact. If a
3482 scheme and authority is found before the path, they are left intact as
3483 well. If the request doesn't have a path ("*"), this one is replaced with
3484 the format. This can be used to prepend a directory component in front of
3485 a path for example. See also "set-query" and "set-uri".
3486
3487 Example :
3488 # prepend the host name before the path
3489 http-request set-path /%[hdr(host)]%[path]
3490
3491 - "set-query" rewrites the request's query string which appears after the
3492 first question mark ("?") with the result of the evaluation of format
3493 string <fmt>. The part prior to the question mark is left intact. If the
3494 request doesn't contain a question mark and the new value is not empty,
3495 then one is added at the end of the URI, followed by the new value. If
3496 a question mark was present, it will never be removed even if the value
3497 is empty. This can be used to add or remove parameters from the query
3498 string. See also "set-query" and "set-uri".
3499
3500 Example :
3501 # replace "%3D" with "=" in the query string
3502 http-request set-query %[query,regsub(%3D,=,g)]
3503
3504 - "set-uri" rewrites the request URI with the result of the evaluation of
3505 format string <fmt>. The scheme, authority, path and query string are all
3506 replaced at once. This can be used to rewrite hosts in front of proxies,
3507 or to perform complex modifications to the URI such as moving parts
3508 between the path and the query string. See also "set-path" and
3509 "set-query".
3510
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003511 - "set-nice" sets the "nice" factor of the current request being processed.
3512 It only has effect against the other requests being processed at the same
3513 time. The default value is 0, unless altered by the "nice" setting on the
3514 "bind" line. The accepted range is -1024..1024. The higher the value, the
3515 nicest the request will be. Lower values will make the request more
3516 important than other ones. This can be useful to improve the speed of
3517 some requests, or lower the priority of non-important requests. Using
3518 this setting without prior experimentation can cause some major slowdown.
3519
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003520 - "set-log-level" is used to change the log level of the current request
3521 when a certain condition is met. Valid levels are the 8 syslog levels
3522 (see the "log" keyword) plus the special level "silent" which disables
3523 logging for this request. This rule is not final so the last matching
3524 rule wins. This rule can be useful to disable health checks coming from
3525 another equipment.
3526
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003527 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3528 the client to the value passed in <tos> on platforms which support this.
3529 This value represents the whole 8 bits of the IP TOS field, and can be
3530 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3531 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3532 bits are always 0. This can be used to adjust some routing behaviour on
3533 border routers based on some information from the request. See RFC 2474,
3534 2597, 3260 and 4594 for more information.
3535
Willy Tarreau51347ed2013-06-11 19:34:13 +02003536 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3537 client to the value passed in <mark> on platforms which support it. This
3538 value is an unsigned 32 bit value which can be matched by netfilter and
3539 by the routing table. It can be expressed both in decimal or hexadecimal
3540 format (prefixed by "0x"). This can be useful to force certain packets to
3541 take a different route (for example a cheaper network path for bulk
3542 downloads). This works on Linux kernels 2.6.32 and above and requires
3543 admin privileges.
3544
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003545 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3546 from a file (even a dummy empty file). The file name of the ACL to be
3547 updated is passed between parentheses. It takes one argument: <key fmt>,
3548 which follows log-format rules, to collect content of the new entry. It
3549 performs a lookup in the ACL before insertion, to avoid duplicated (or
3550 more) values. This lookup is done by a linear search and can be expensive
3551 with large lists! It is the equivalent of the "add acl" command from the
3552 stats socket, but can be triggered by an HTTP request.
3553
3554 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3555 from a file (even a dummy empty file). The file name of the ACL to be
3556 updated is passed between parentheses. It takes one argument: <key fmt>,
3557 which follows log-format rules, to collect content of the entry to delete.
3558 It is the equivalent of the "del acl" command from the stats socket, but
3559 can be triggered by an HTTP request.
3560
3561 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3562 from a file (even a dummy empty file). The file name of the MAP to be
3563 updated is passed between parentheses. It takes one argument: <key fmt>,
3564 which follows log-format rules, to collect content of the entry to delete.
3565 It takes one argument: "file name" It is the equivalent of the "del map"
3566 command from the stats socket, but can be triggered by an HTTP request.
3567
3568 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3569 from a file (even a dummy empty file). The file name of the MAP to be
3570 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3571 which follows log-format rules, used to collect MAP key, and <value fmt>,
3572 which follows log-format rules, used to collect content for the new entry.
3573 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3574 more) values. This lookup is done by a linear search and can be expensive
3575 with large lists! It is the equivalent of the "set map" command from the
3576 stats socket, but can be triggered by an HTTP request.
3577
Thierry FOURNIER82bf70d2015-05-26 17:58:29 +02003578 - capture <sample> [ len <length> | id <id> ] :
Willy Tarreaua9083d02015-05-08 15:27:59 +02003579 captures sample expression <sample> from the request buffer, and converts
3580 it to a string of at most <len> characters. The resulting string is
3581 stored into the next request "capture" slot, so it will possibly appear
3582 next to some captured HTTP headers. It will then automatically appear in
3583 the logs, and it will be possible to extract it using sample fetch rules
3584 to feed it into headers or anything. The length should be limited given
3585 that this size will be allocated for each capture during the whole
3586 session life. Please check section 7.3 (Fetching samples) and "capture
3587 request header" for more information.
3588
Thierry FOURNIER82bf70d2015-05-26 17:58:29 +02003589 If the keyword "id" is used instead of "len", the action tries to store
3590 the captured string in a previously declared capture slot. This is useful
3591 to run captures in backends. The slot id can be declared by a previous
3592 directive "http-request capture" or with the "declare capture" keyword.
3593
Willy Tarreau09448f72014-06-25 18:12:15 +02003594 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
3595 enables tracking of sticky counters from current request. These rules
3596 do not stop evaluation and do not change default action. Three sets of
3597 counters may be simultaneously tracked by the same connection. The first
3598 "track-sc0" rule executed enables tracking of the counters of the
3599 specified table as the first set. The first "track-sc1" rule executed
3600 enables tracking of the counters of the specified table as the second
3601 set. The first "track-sc2" rule executed enables tracking of the
3602 counters of the specified table as the third set. It is a recommended
3603 practice to use the first set of counters for the per-frontend counters
3604 and the second set for the per-backend ones. But this is just a
3605 guideline, all may be used everywhere.
3606
3607 These actions take one or two arguments :
3608 <key> is mandatory, and is a sample expression rule as described
3609 in section 7.3. It describes what elements of the incoming
3610 request or connection will be analysed, extracted, combined,
3611 and used to select which table entry to update the counters.
3612
3613 <table> is an optional table to be used instead of the default one,
3614 which is the stick-table declared in the current proxy. All
3615 the counters for the matches and updates for the key will
3616 then be performed in that table until the session ends.
3617
3618 Once a "track-sc*" rule is executed, the key is looked up in the table
3619 and if it is not found, an entry is allocated for it. Then a pointer to
3620 that entry is kept during all the session's life, and this entry's
3621 counters are updated as often as possible, every time the session's
3622 counters are updated, and also systematically when the session ends.
3623 Counters are only updated for events that happen after the tracking has
3624 been started. As an exception, connection counters and request counters
3625 are systematically updated so that they reflect useful information.
3626
3627 If the entry tracks concurrent connection counters, one connection is
3628 counted for as long as the entry is tracked, and the entry will not
3629 expire during that time. Tracking counters also provides a performance
3630 advantage over just checking the keys, because only one table lookup is
3631 performed for all ACL checks that make use of it.
3632
Thierry FOURNIER236657b2015-08-19 08:25:14 +02003633 - sc-set-gpt0(<sc-id>) <int> :
3634 This action sets the GPT0 tag according to the sticky counter designated
3635 by <sc-id> and the value of <int>. The expected result is a boolean. If
3636 an error occurs, this action silently fails and the actions evaluation
3637 continues.
3638
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02003639 - sc-inc-gpc0(<sc-id>):
3640 This action increments the GPC0 counter according with the sticky counter
3641 designated by <sc-id>. If an error occurs, this action silently fails and
3642 the actions evaluation continues.
3643
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003644 - "lua" is used to run a Lua function if the action is executed. The single
3645 parameter is the name of the function to run. The prototype of the
3646 function is documented in the API documentation.
3647
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02003648 - set-var(<var-name>) <expr> :
3649 Is used to set the contents of a variable. The variable is declared
3650 inline.
3651
3652 <var-name> The name of the variable starts by an indication about its
3653 scope. The allowed scopes are:
3654 "sess" : the variable is shared with all the session,
3655 "txn" : the variable is shared with all the transaction
3656 (request and response)
3657 "req" : the variable is shared only during the request
3658 processing
3659 "res" : the variable is shared only during the response
3660 processing.
3661 This prefix is followed by a name. The separator is a '.'.
3662 The name may only contain characters 'a-z', 'A-Z', '0-9',
3663 and '_'.
3664
3665 <expr> Is a standard HAProxy expression formed by a sample-fetch
3666 followed by some converters.
3667
3668 Example:
3669
3670 http-request set-var(req.my_var) req.fhdr(user-agent),lower
3671
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02003672 - set-src <expr> :
3673 Is used to set the source IP address to the value of specified
3674 expression. Useful when a proxy in front of HAProxy rewrites source IP,
3675 but provides the correct IP in a HTTP header; or you want to mask
3676 source IP for privacy.
3677
3678 <expr> Is a standard HAProxy expression formed by a sample-fetch
3679 followed by some converters.
3680
3681 Example:
3682
3683 http-request set-src hdr(x-forwarded-for)
3684 http-request set-src src,ipmask(24)
3685
3686 When set-src is successful, the source port is set to 0.
3687
Willy Tarreau20b0de52012-12-24 15:45:22 +01003688 There is no limit to the number of http-request statements per instance.
3689
3690 It is important to know that http-request rules are processed very early in
3691 the HTTP processing, just after "block" rules and before "reqdel" or "reqrep"
3692 rules. That way, headers added by "add-header"/"set-header" are visible by
3693 almost all further ACL rules.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003694
3695 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01003696 acl nagios src 192.168.129.3
3697 acl local_net src 192.168.0.0/16
3698 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003699
Cyril Bonté78caf842010-03-10 22:41:43 +01003700 http-request allow if nagios
3701 http-request allow if local_net auth_ok
3702 http-request auth realm Gimme if local_net auth_ok
3703 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003704
Cyril Bonté78caf842010-03-10 22:41:43 +01003705 Example:
3706 acl auth_ok http_auth_group(L1) G1
Cyril Bonté78caf842010-03-10 22:41:43 +01003707 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003708
Willy Tarreau20b0de52012-12-24 15:45:22 +01003709 Example:
3710 http-request set-header X-Haproxy-Current-Date %T
3711 http-request set-header X-SSL %[ssl_fc]
Willy Tarreaufca42612015-08-27 17:15:05 +02003712 http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
Willy Tarreau20b0de52012-12-24 15:45:22 +01003713 http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
3714 http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
3715 http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
3716 http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
3717 http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
3718 http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
3719
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003720 Example:
3721 acl key req.hdr(X-Add-Acl-Key) -m found
3722 acl add path /addacl
3723 acl del path /delacl
3724
3725 acl myhost hdr(Host) -f myhost.lst
3726
3727 http-request add-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key add
3728 http-request del-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key del
3729
3730 Example:
3731 acl value req.hdr(X-Value) -m found
3732 acl setmap path /setmap
3733 acl delmap path /delmap
3734
3735 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3736
3737 http-request set-map(map.lst) %[src] %[req.hdr(X-Value)] if setmap value
3738 http-request del-map(map.lst) %[src] if delmap
3739
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02003740 See also : "stats http-request", section 3.4 about userlists and section 7
3741 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01003742
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003743http-response { allow | deny | add-header <name> <fmt> | set-nice <nice> |
Willy Tarreau51d861a2015-05-22 17:30:48 +02003744 capture <sample> id <id> | redirect <rule> |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003745 set-header <name> <fmt> | del-header <name> |
Sasha Pachev218f0642014-06-16 12:05:59 -06003746 replace-header <name> <regex-match> <replace-fmt> |
3747 replace-value <name> <regex-match> <replace-fmt> |
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02003748 set-status <status> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003749 set-log-level <level> | set-mark <mark> | set-tos <tos> |
3750 add-acl(<file name>) <key fmt> |
3751 del-acl(<file name>) <key fmt> |
3752 del-map(<file name>) <key fmt> |
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003753 set-map(<file name>) <key fmt> <value fmt> |
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02003754 set-var(<var-name>) <expr> |
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02003755 sc-inc-gpc0(<sc-id>) |
Thierry FOURNIER236657b2015-08-19 08:25:14 +02003756 sc-set-gpt0(<sc-id>) <int> |
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003757 lua <function name>
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003758 }
Lukas Tribus2dd1d1a2013-06-19 23:34:41 +02003759 [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003760 Access control for Layer 7 responses
3761
3762 May be used in sections: defaults | frontend | listen | backend
3763 no | yes | yes | yes
3764
3765 The http-response statement defines a set of rules which apply to layer 7
3766 processing. The rules are evaluated in their declaration order when they are
3767 met in a frontend, listen or backend section. Any rule may optionally be
3768 followed by an ACL-based condition, in which case it will only be evaluated
3769 if the condition is true. Since these rules apply on responses, the backend
3770 rules are applied first, followed by the frontend's rules.
3771
3772 The first keyword is the rule's action. Currently supported actions include :
3773 - "allow" : this stops the evaluation of the rules and lets the response
3774 pass the check. No further "http-response" rules are evaluated for the
3775 current section.
3776
3777 - "deny" : this stops the evaluation of the rules and immediately rejects
3778 the response and emits an HTTP 502 error. No further "http-response"
3779 rules are evaluated.
3780
3781 - "add-header" appends an HTTP header field whose name is specified in
3782 <name> and whose value is defined by <fmt> which follows the log-format
3783 rules (see Custom Log Format in section 8.2.4). This may be used to send
3784 a cookie to a client for example, or to pass some internal information.
3785 This rule is not final, so it is possible to add other similar rules.
3786 Note that header addition is performed immediately, so one rule might
3787 reuse the resulting header from a previous rule.
3788
3789 - "set-header" does the same as "add-header" except that the header name
3790 is first removed if it existed. This is useful when passing security
3791 information to the server, where the header must not be manipulated by
3792 external users.
3793
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003794 - "del-header" removes all HTTP header fields whose name is specified in
3795 <name>.
3796
Sasha Pachev218f0642014-06-16 12:05:59 -06003797 - "replace-header" matches the regular expression in all occurrences of
3798 header field <name> according to <match-regex>, and replaces them with
3799 the <replace-fmt> argument. Format characters are allowed in replace-fmt
3800 and work like in <fmt> arguments in "add-header". The match is only
3801 case-sensitive. It is important to understand that this action only
3802 considers whole header lines, regardless of the number of values they
3803 may contain. This usage is suited to headers naturally containing commas
3804 in their value, such as Set-Cookie, Expires and so on.
3805
3806 Example:
3807
3808 http-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
3809
3810 applied to:
3811
3812 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
3813
3814 outputs:
3815
3816 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
3817
3818 assuming the backend IP is 192.168.1.20.
3819
3820 - "replace-value" works like "replace-header" except that it matches the
3821 regex against every comma-delimited value of the header field <name>
3822 instead of the entire header. This is suited for all headers which are
3823 allowed to carry more than one value. An example could be the Accept
3824 header.
3825
3826 Example:
3827
3828 http-response replace-value Cache-control ^public$ private
3829
3830 applied to:
3831
3832 Cache-Control: max-age=3600, public
3833
3834 outputs:
3835
3836 Cache-Control: max-age=3600, private
3837
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02003838 - "set-status" replaces the response status code with <status> which must
3839 be an integer between 100 and 999. Note that the reason is automatically
3840 adapted to the new code.
3841
3842 Example:
3843
3844 # return "431 Request Header Fields Too Large"
3845 http-response set-status 431
3846
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003847 - "set-nice" sets the "nice" factor of the current request being processed.
3848 It only has effect against the other requests being processed at the same
3849 time. The default value is 0, unless altered by the "nice" setting on the
3850 "bind" line. The accepted range is -1024..1024. The higher the value, the
3851 nicest the request will be. Lower values will make the request more
3852 important than other ones. This can be useful to improve the speed of
3853 some requests, or lower the priority of non-important requests. Using
3854 this setting without prior experimentation can cause some major slowdown.
3855
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003856 - "set-log-level" is used to change the log level of the current request
3857 when a certain condition is met. Valid levels are the 8 syslog levels
3858 (see the "log" keyword) plus the special level "silent" which disables
3859 logging for this request. This rule is not final so the last matching
3860 rule wins. This rule can be useful to disable health checks coming from
3861 another equipment.
3862
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003863 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3864 the client to the value passed in <tos> on platforms which support this.
3865 This value represents the whole 8 bits of the IP TOS field, and can be
3866 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3867 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3868 bits are always 0. This can be used to adjust some routing behaviour on
3869 border routers based on some information from the request. See RFC 2474,
3870 2597, 3260 and 4594 for more information.
3871
Willy Tarreau51347ed2013-06-11 19:34:13 +02003872 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3873 client to the value passed in <mark> on platforms which support it. This
3874 value is an unsigned 32 bit value which can be matched by netfilter and
3875 by the routing table. It can be expressed both in decimal or hexadecimal
3876 format (prefixed by "0x"). This can be useful to force certain packets to
3877 take a different route (for example a cheaper network path for bulk
3878 downloads). This works on Linux kernels 2.6.32 and above and requires
3879 admin privileges.
3880
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003881 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3882 from a file (even a dummy empty file). The file name of the ACL to be
3883 updated is passed between parentheses. It takes one argument: <key fmt>,
3884 which follows log-format rules, to collect content of the new entry. It
3885 performs a lookup in the ACL before insertion, to avoid duplicated (or
3886 more) values. This lookup is done by a linear search and can be expensive
3887 with large lists! It is the equivalent of the "add acl" command from the
3888 stats socket, but can be triggered by an HTTP response.
3889
3890 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3891 from a file (even a dummy empty file). The file name of the ACL to be
3892 updated is passed between parentheses. It takes one argument: <key fmt>,
3893 which follows log-format rules, to collect content of the entry to delete.
3894 It is the equivalent of the "del acl" command from the stats socket, but
3895 can be triggered by an HTTP response.
3896
3897 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3898 from a file (even a dummy empty file). The file name of the MAP to be
3899 updated is passed between parentheses. It takes one argument: <key fmt>,
3900 which follows log-format rules, to collect content of the entry to delete.
3901 It takes one argument: "file name" It is the equivalent of the "del map"
3902 command from the stats socket, but can be triggered by an HTTP response.
3903
3904 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3905 from a file (even a dummy empty file). The file name of the MAP to be
3906 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3907 which follows log-format rules, used to collect MAP key, and <value fmt>,
3908 which follows log-format rules, used to collect content for the new entry.
3909 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3910 more) values. This lookup is done by a linear search and can be expensive
3911 with large lists! It is the equivalent of the "set map" command from the
3912 stats socket, but can be triggered by an HTTP response.
3913
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003914 - "lua" is used to run a Lua function if the action is executed. The single
3915 parameter is the name of the function to run. The prototype of the
3916 function is documented in the API documentation.
3917
Thierry FOURNIERe80fada2015-05-26 18:06:31 +02003918 - capture <sample> id <id> :
3919 captures sample expression <sample> from the response buffer, and converts
3920 it to a string. The resulting string is stored into the next request
3921 "capture" slot, so it will possibly appear next to some captured HTTP
3922 headers. It will then automatically appear in the logs, and it will be
3923 possible to extract it using sample fetch rules to feed it into headers or
3924 anything. Please check section 7.3 (Fetching samples) and "capture
3925 response header" for more information.
3926
3927 The keyword "id" is the id of the capture slot which is used for storing
3928 the string. The capture slot must be defined in an associated frontend.
3929 This is useful to run captures in backends. The slot id can be declared by
3930 a previous directive "http-response capture" or with the "declare capture"
3931 keyword.
3932
Willy Tarreau51d861a2015-05-22 17:30:48 +02003933 - "redirect" : this performs an HTTP redirection based on a redirect rule.
3934 This supports a format string similarly to "http-request redirect" rules,
3935 with the exception that only the "location" type of redirect is possible
3936 on the response. See the "redirect" keyword for the rule's syntax. When
3937 a redirect rule is applied during a response, connections to the server
3938 are closed so that no data can be forwarded from the server to the client.
3939
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02003940 - set-var(<var-name>) expr:
3941 Is used to set the contents of a variable. The variable is declared
3942 inline.
3943
3944 <var-name> The name of the variable starts by an indication about its
3945 scope. The allowed scopes are:
3946 "sess" : the variable is shared with all the session,
3947 "txn" : the variable is shared with all the transaction
3948 (request and response)
3949 "req" : the variable is shared only during the request
3950 processing
3951 "res" : the variable is shared only during the response
3952 processing.
3953 This prefix is followed by a name. The separator is a '.'.
3954 The name may only contain characters 'a-z', 'A-Z', '0-9',
3955 and '_'.
3956
3957 <expr> Is a standard HAProxy expression formed by a sample-fetch
3958 followed by some converters.
3959
3960 Example:
3961
3962 http-response set-var(sess.last_redir) res.hdr(location)
3963
Thierry FOURNIER236657b2015-08-19 08:25:14 +02003964 - sc-set-gpt0(<sc-id>) <int> :
3965 This action sets the GPT0 tag according to the sticky counter designated
3966 by <sc-id> and the value of <int>. The expected result is a boolean. If
3967 an error occurs, this action silently fails and the actions evaluation
3968 continues.
3969
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02003970 - sc-inc-gpc0(<sc-id>):
3971 This action increments the GPC0 counter according with the sticky counter
3972 designated by <sc-id>. If an error occurs, this action silently fails and
3973 the actions evaluation continues.
3974
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003975 There is no limit to the number of http-response statements per instance.
3976
Godbach09250262013-07-02 01:19:15 +08003977 It is important to know that http-response rules are processed very early in
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003978 the HTTP processing, before "reqdel" or "reqrep" rules. That way, headers
3979 added by "add-header"/"set-header" are visible by almost all further ACL
3980 rules.
3981
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003982 Example:
3983 acl key_acl res.hdr(X-Acl-Key) -m found
3984
3985 acl myhost hdr(Host) -f myhost.lst
3986
3987 http-response add-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3988 http-response del-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3989
3990 Example:
3991 acl value res.hdr(X-Value) -m found
3992
3993 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3994
3995 http-response set-map(map.lst) %[src] %[res.hdr(X-Value)] if value
3996 http-response del-map(map.lst) %[src] if ! value
3997
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003998 See also : "http-request", section 3.4 about userlists and section 7 about
3999 ACL usage.
4000
Baptiste Assmann5ecb77f2013-10-06 23:24:13 +02004001
Willy Tarreau30631952015-08-06 15:05:24 +02004002http-reuse { never | safe | aggressive | always }
4003 Declare how idle HTTP connections may be shared between requests
4004
4005 May be used in sections: defaults | frontend | listen | backend
4006 yes | no | yes | yes
4007
4008 By default, a connection established between haproxy and the backend server
4009 belongs to the session that initiated it. The downside is that between the
4010 response and the next request, the connection remains idle and is not used.
4011 In many cases for performance reasons it is desirable to make it possible to
4012 reuse these idle connections to serve other requests from different sessions.
4013 This directive allows to tune this behaviour.
4014
4015 The argument indicates the desired connection reuse strategy :
4016
4017 - "never" : idle connections are never shared between sessions. This is
4018 the default choice. It may be enforced to cancel a different
4019 strategy inherited from a defaults section or for
4020 troubleshooting. For example, if an old bogus application
4021 considers that multiple requests over the same connection come
4022 from the same client and it is not possible to fix the
4023 application, it may be desirable to disable connection sharing
4024 in a single backend. An example of such an application could
4025 be an old haproxy using cookie insertion in tunnel mode and
4026 not checking any request past the first one.
4027
4028 - "safe" : this is the recommended strategy. The first request of a
4029 session is always sent over its own connection, and only
4030 subsequent requests may be dispatched over other existing
4031 connections. This ensures that in case the server closes the
4032 connection when the request is being sent, the browser can
4033 decide to silently retry it. Since it is exactly equivalent to
4034 regular keep-alive, there should be no side effects.
4035
4036 - "aggressive" : this mode may be useful in webservices environments where
4037 all servers are not necessarily known and where it would be
4038 appreciable to deliver most first requests over existing
4039 connections. In this case, first requests are only delivered
4040 over existing connections that have been reused at least once,
4041 proving that the server correctly supports connection reuse.
4042 It should only be used when it's sure that the client can
4043 retry a failed request once in a while and where the benefit
4044 of aggressive connection reuse significantly outweights the
4045 downsides of rare connection failures.
4046
4047 - "always" : this mode is only recommended when the path to the server is
4048 known for never breaking existing connections quickly after
4049 releasing them. It allows the first request of a session to be
4050 sent to an existing connection. This can provide a significant
4051 performance increase over the "safe" strategy when the backend
4052 is a cache farm, since such components tend to show a
4053 consistent behaviour and will benefit from the connection
4054 sharing. It is recommended that the "http-keep-alive" timeout
4055 remains low in this mode so that no dead connections remain
4056 usable. In most cases, this will lead to the same performance
4057 gains as "aggressive" but with more risks. It should only be
4058 used when it improves the situation over "aggressive".
4059
4060 When http connection sharing is enabled, a great care is taken to respect the
4061 connection properties and compatiblities. Specifically :
4062 - connections made with "usesrc" followed by a client-dependant value
4063 ("client", "clientip", "hdr_ip") are marked private and never shared ;
4064
4065 - connections sent to a server with a TLS SNI extension are marked private
4066 and are never shared ;
4067
4068 - connections receiving a status code 401 or 407 expect some authentication
4069 to be sent in return. Due to certain bogus authentication schemes (such
4070 as NTLM) relying on the connection, these connections are marked private
4071 and are never shared ;
4072
4073 No connection pool is involved, once a session dies, the last idle connection
4074 it was attached to is deleted at the same time. This ensures that connections
4075 may not last after all sessions are closed.
4076
4077 Note: connection reuse improves the accuracy of the "server maxconn" setting,
4078 because almost no new connection will be established while idle connections
4079 remain available. This is particularly true with the "always" strategy.
4080
4081 See also : "option http-keep-alive", "server maxconn"
4082
4083
Mark Lamourinec2247f02012-01-04 13:02:01 -05004084http-send-name-header [<header>]
4085 Add the server name to a request. Use the header string given by <header>
4086
4087 May be used in sections: defaults | frontend | listen | backend
4088 yes | no | yes | yes
4089
4090 Arguments :
4091
4092 <header> The header string to use to send the server name
4093
4094 The "http-send-name-header" statement causes the name of the target
4095 server to be added to the headers of an HTTP request. The name
4096 is added with the header string proved.
4097
4098 See also : "server"
4099
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01004100id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02004101 Set a persistent ID to a proxy.
4102 May be used in sections : defaults | frontend | listen | backend
4103 no | yes | yes | yes
4104 Arguments : none
4105
4106 Set a persistent ID for the proxy. This ID must be unique and positive.
4107 An unused ID will automatically be assigned if unset. The first assigned
4108 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01004109
4110
Cyril Bonté0d4bf012010-04-25 23:21:46 +02004111ignore-persist { if | unless } <condition>
4112 Declare a condition to ignore persistence
4113 May be used in sections: defaults | frontend | listen | backend
4114 no | yes | yes | yes
4115
4116 By default, when cookie persistence is enabled, every requests containing
4117 the cookie are unconditionally persistent (assuming the target server is up
4118 and running).
4119
4120 The "ignore-persist" statement allows one to declare various ACL-based
4121 conditions which, when met, will cause a request to ignore persistence.
4122 This is sometimes useful to load balance requests for static files, which
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004123 often don't require persistence. This can also be used to fully disable
Cyril Bonté0d4bf012010-04-25 23:21:46 +02004124 persistence for a specific User-Agent (for example, some web crawler bots).
4125
Cyril Bonté0d4bf012010-04-25 23:21:46 +02004126 The persistence is ignored when an "if" condition is met, or unless an
4127 "unless" condition is met.
4128
4129 See also : "force-persist", "cookie", and section 7 about ACL usage.
4130
4131
Willy Tarreau2769aa02007-12-27 18:26:09 +01004132log global
Willy Tarreau18324f52014-06-27 18:10:07 +02004133log <address> [len <length>] <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02004134no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01004135 Enable per-instance logging of events and traffic.
4136 May be used in sections : defaults | frontend | listen | backend
4137 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02004138
4139 Prefix :
4140 no should be used when the logger list must be flushed. For example,
4141 if you don't want to inherit from the default logger list. This
4142 prefix does not allow arguments.
4143
Willy Tarreau2769aa02007-12-27 18:26:09 +01004144 Arguments :
4145 global should be used when the instance's logging parameters are the
4146 same as the global ones. This is the most common usage. "global"
4147 replaces <address>, <facility> and <level> with those of the log
4148 entries found in the "global" section. Only one "log global"
4149 statement may be used per instance, and this form takes no other
4150 parameter.
4151
4152 <address> indicates where to send the logs. It takes the same format as
4153 for the "global" section's logs, and can be one of :
4154
4155 - An IPv4 address optionally followed by a colon (':') and a UDP
4156 port. If no port is specified, 514 is used by default (the
4157 standard syslog port).
4158
David du Colombier24bb5f52011-03-17 10:40:23 +01004159 - An IPv6 address followed by a colon (':') and optionally a UDP
4160 port. If no port is specified, 514 is used by default (the
4161 standard syslog port).
4162
Willy Tarreau2769aa02007-12-27 18:26:09 +01004163 - A filesystem path to a UNIX domain socket, keeping in mind
4164 considerations for chroot (be sure the path is accessible
4165 inside the chroot) and uid/gid (be sure the path is
4166 appropriately writeable).
4167
William Lallemandb2f07452015-05-12 14:27:13 +02004168 You may want to reference some environment variables in the
4169 address parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01004170
Willy Tarreau18324f52014-06-27 18:10:07 +02004171 <length> is an optional maximum line length. Log lines larger than this
4172 value will be truncated before being sent. The reason is that
4173 syslog servers act differently on log line length. All servers
4174 support the default value of 1024, but some servers simply drop
4175 larger lines while others do log them. If a server supports long
4176 lines, it may make sense to set this value here in order to avoid
4177 truncating long lines. Similarly, if a server drops long lines,
4178 it is preferable to truncate them before sending them. Accepted
4179 values are 80 to 65535 inclusive. The default value of 1024 is
4180 generally fine for all standard usages. Some specific cases of
4181 long captures or JSON-formated logs may require larger values.
4182
Willy Tarreau2769aa02007-12-27 18:26:09 +01004183 <facility> must be one of the 24 standard syslog facilities :
4184
4185 kern user mail daemon auth syslog lpr news
4186 uucp cron auth2 ftp ntp audit alert cron2
4187 local0 local1 local2 local3 local4 local5 local6 local7
4188
4189 <level> is optional and can be specified to filter outgoing messages. By
4190 default, all messages are sent. If a level is specified, only
4191 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02004192 will be sent. An optional minimum level can be specified. If it
4193 is set, logs emitted with a more severe level than this one will
4194 be capped to this level. This is used to avoid sending "emerg"
4195 messages on all terminals on some default syslog configurations.
4196 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01004197
4198 emerg alert crit err warning notice info debug
4199
William Lallemand0f99e342011-10-12 17:50:54 +02004200 It is important to keep in mind that it is the frontend which decides what to
4201 log from a connection, and that in case of content switching, the log entries
4202 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01004203
4204 However, backend log declaration define how and where servers status changes
4205 will be logged. Level "notice" will be used to indicate a server going up,
4206 "warning" will be used for termination signals and definitive service
4207 termination, and "alert" will be used for when a server goes down.
4208
4209 Note : According to RFC3164, messages are truncated to 1024 bytes before
4210 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004211
4212 Example :
4213 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02004214 log 127.0.0.1:514 local0 notice # only send important events
4215 log 127.0.0.1:514 local0 notice notice # same but limit output level
William Lallemandb2f07452015-05-12 14:27:13 +02004216 log "${LOCAL_SYSLOG}:514" local0 notice # send to local server
Willy Tarreaudad36a32013-03-11 01:20:04 +01004217
Willy Tarreau2769aa02007-12-27 18:26:09 +01004218
William Lallemand48940402012-01-30 16:47:22 +01004219log-format <string>
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01004220 Specifies the log format string to use for traffic logs
4221 May be used in sections: defaults | frontend | listen | backend
4222 yes | yes | yes | no
William Lallemand48940402012-01-30 16:47:22 +01004223
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01004224 This directive specifies the log format string that will be used for all logs
4225 resulting from traffic passing through the frontend using this line. If the
4226 directive is used in a defaults section, all subsequent frontends will use
4227 the same log format. Please see section 8.2.4 which covers the log format
4228 string in depth.
William Lallemand48940402012-01-30 16:47:22 +01004229
Willy Tarreau094af4e2015-01-07 15:03:42 +01004230log-tag <string>
4231 Specifies the log tag to use for all outgoing logs
4232 May be used in sections: defaults | frontend | listen | backend
4233 yes | yes | yes | yes
4234
4235 Sets the tag field in the syslog header to this string. It defaults to the
4236 log-tag set in the global section, otherwise the program name as launched
4237 from the command line, which usually is "haproxy". Sometimes it can be useful
4238 to differentiate between multiple processes running on the same host, or to
4239 differentiate customer instances running in the same process. In the backend,
4240 logs about servers up/down will use this tag. As a hint, it can be convenient
4241 to set a log-tag related to a hosted customer in a defaults section then put
4242 all the frontends and backends for that customer, then start another customer
4243 in a new defaults section. See also the global "log-tag" directive.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004244
Willy Tarreauc35362a2014-04-25 13:58:37 +02004245max-keep-alive-queue <value>
4246 Set the maximum server queue size for maintaining keep-alive connections
4247 May be used in sections: defaults | frontend | listen | backend
4248 yes | no | yes | yes
4249
4250 HTTP keep-alive tries to reuse the same server connection whenever possible,
4251 but sometimes it can be counter-productive, for example if a server has a lot
4252 of connections while other ones are idle. This is especially true for static
4253 servers.
4254
4255 The purpose of this setting is to set a threshold on the number of queued
4256 connections at which haproxy stops trying to reuse the same server and prefers
4257 to find another one. The default value, -1, means there is no limit. A value
4258 of zero means that keep-alive requests will never be queued. For very close
4259 servers which can be reached with a low latency and which are not sensible to
4260 breaking keep-alive, a low value is recommended (eg: local static server can
4261 use a value of 10 or less). For remote servers suffering from a high latency,
4262 higher values might be needed to cover for the latency and/or the cost of
4263 picking a different server.
4264
4265 Note that this has no impact on responses which are maintained to the same
4266 server consecutively to a 401 response. They will still go to the same server
4267 even if they have to be queued.
4268
4269 See also : "option http-server-close", "option prefer-last-server", server
4270 "maxconn" and cookie persistence.
4271
4272
Willy Tarreau2769aa02007-12-27 18:26:09 +01004273maxconn <conns>
4274 Fix the maximum number of concurrent connections on a frontend
4275 May be used in sections : defaults | frontend | listen | backend
4276 yes | yes | yes | no
4277 Arguments :
4278 <conns> is the maximum number of concurrent connections the frontend will
4279 accept to serve. Excess connections will be queued by the system
4280 in the socket's listen queue and will be served once a connection
4281 closes.
4282
4283 If the system supports it, it can be useful on big sites to raise this limit
4284 very high so that haproxy manages connection queues, instead of leaving the
4285 clients with unanswered connection attempts. This value should not exceed the
4286 global maxconn. Also, keep in mind that a connection contains two buffers
4287 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
4288 consumed per established connection. That means that a medium system equipped
4289 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
4290 properly tuned.
4291
4292 Also, when <conns> is set to large values, it is possible that the servers
4293 are not sized to accept such loads, and for this reason it is generally wise
4294 to assign them some reasonable connection limits.
4295
Vincent Bernat6341be52012-06-27 17:18:30 +02004296 By default, this value is set to 2000.
4297
Willy Tarreau2769aa02007-12-27 18:26:09 +01004298 See also : "server", global section's "maxconn", "fullconn"
4299
4300
4301mode { tcp|http|health }
4302 Set the running mode or protocol of the instance
4303 May be used in sections : defaults | frontend | listen | backend
4304 yes | yes | yes | yes
4305 Arguments :
4306 tcp The instance will work in pure TCP mode. A full-duplex connection
4307 will be established between clients and servers, and no layer 7
4308 examination will be performed. This is the default mode. It
4309 should be used for SSL, SSH, SMTP, ...
4310
4311 http The instance will work in HTTP mode. The client request will be
4312 analyzed in depth before connecting to any server. Any request
4313 which is not RFC-compliant will be rejected. Layer 7 filtering,
4314 processing and switching will be possible. This is the mode which
4315 brings HAProxy most of its value.
4316
4317 health The instance will work in "health" mode. It will just reply "OK"
Willy Tarreau82569f92012-09-27 23:48:56 +02004318 to incoming connections and close the connection. Alternatively,
4319 If the "httpchk" option is set, "HTTP/1.0 200 OK" will be sent
4320 instead. Nothing will be logged in either case. This mode is used
4321 to reply to external components health checks. This mode is
4322 deprecated and should not be used anymore as it is possible to do
4323 the same and even better by combining TCP or HTTP modes with the
4324 "monitor" keyword.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004325
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004326 When doing content switching, it is mandatory that the frontend and the
4327 backend are in the same mode (generally HTTP), otherwise the configuration
4328 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004329
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004330 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01004331 defaults http_instances
4332 mode http
4333
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004334 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004335
Willy Tarreau0ba27502007-12-24 16:55:16 +01004336
Cyril Bontéf0c60612010-02-06 14:44:47 +01004337monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01004338 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004339 May be used in sections : defaults | frontend | listen | backend
4340 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01004341 Arguments :
4342 if <cond> the monitor request will fail if the condition is satisfied,
4343 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004344 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01004345 are met, for instance a low number of servers both in a
4346 backend and its backup.
4347
4348 unless <cond> the monitor request will succeed only if the condition is
4349 satisfied, and will fail otherwise. Such a condition may be
4350 based on a test on the presence of a minimum number of active
4351 servers in a list of backends.
4352
4353 This statement adds a condition which can force the response to a monitor
4354 request to report a failure. By default, when an external component queries
4355 the URI dedicated to monitoring, a 200 response is returned. When one of the
4356 conditions above is met, haproxy will return 503 instead of 200. This is
4357 very useful to report a site failure to an external component which may base
4358 routing advertisements between multiple sites on the availability reported by
4359 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004360 criterion. Note that "monitor fail" only works in HTTP mode. Both status
4361 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004362
4363 Example:
4364 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01004365 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01004366 acl site_dead nbsrv(dynamic) lt 2
4367 acl site_dead nbsrv(static) lt 2
4368 monitor-uri /site_alive
4369 monitor fail if site_dead
4370
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004371 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004372
4373
4374monitor-net <source>
4375 Declare a source network which is limited to monitor requests
4376 May be used in sections : defaults | frontend | listen | backend
4377 yes | yes | yes | no
4378 Arguments :
4379 <source> is the source IPv4 address or network which will only be able to
4380 get monitor responses to any request. It can be either an IPv4
4381 address, a host name, or an address followed by a slash ('/')
4382 followed by a mask.
4383
4384 In TCP mode, any connection coming from a source matching <source> will cause
4385 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004386 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01004387 forwarding the connection to a remote server.
4388
4389 In HTTP mode, a connection coming from a source matching <source> will be
4390 accepted, the following response will be sent without waiting for a request,
4391 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
4392 enough for any front-end HTTP probe to detect that the service is UP and
Willy Tarreau82569f92012-09-27 23:48:56 +02004393 running without forwarding the request to a backend server. Note that this
4394 response is sent in raw format, without any transformation. This is important
4395 as it means that it will not be SSL-encrypted on SSL listeners.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004396
Willy Tarreau82569f92012-09-27 23:48:56 +02004397 Monitor requests are processed very early, just after tcp-request connection
4398 ACLs which are the only ones able to block them. These connections are short
4399 lived and never wait for any data from the client. They cannot be logged, and
4400 it is the intended purpose. They are only used to report HAProxy's health to
4401 an upper component, nothing more. Please note that "monitor fail" rules do
4402 not apply to connections intercepted by "monitor-net".
Willy Tarreau2769aa02007-12-27 18:26:09 +01004403
Willy Tarreau95cd2832010-03-04 23:36:33 +01004404 Last, please note that only one "monitor-net" statement can be specified in
4405 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004406
Willy Tarreau2769aa02007-12-27 18:26:09 +01004407 Example :
4408 # addresses .252 and .253 are just probing us.
4409 frontend www
4410 monitor-net 192.168.0.252/31
4411
4412 See also : "monitor fail", "monitor-uri"
4413
4414
4415monitor-uri <uri>
4416 Intercept a URI used by external components' monitor requests
4417 May be used in sections : defaults | frontend | listen | backend
4418 yes | yes | yes | no
4419 Arguments :
4420 <uri> is the exact URI which we want to intercept to return HAProxy's
4421 health status instead of forwarding the request.
4422
4423 When an HTTP request referencing <uri> will be received on a frontend,
4424 HAProxy will not forward it nor log it, but instead will return either
4425 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
4426 conditions defined with "monitor fail". This is normally enough for any
4427 front-end HTTP probe to detect that the service is UP and running without
4428 forwarding the request to a backend server. Note that the HTTP method, the
4429 version and all headers are ignored, but the request must at least be valid
4430 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
4431
4432 Monitor requests are processed very early. It is not possible to block nor
4433 divert them using ACLs. They cannot be logged either, and it is the intended
4434 purpose. They are only used to report HAProxy's health to an upper component,
4435 nothing more. However, it is possible to add any number of conditions using
4436 "monitor fail" and ACLs so that the result can be adjusted to whatever check
4437 can be imagined (most often the number of available servers in a backend).
4438
4439 Example :
4440 # Use /haproxy_test to report haproxy's status
4441 frontend www
4442 mode http
4443 monitor-uri /haproxy_test
4444
4445 See also : "monitor fail", "monitor-net"
4446
Willy Tarreau0ba27502007-12-24 16:55:16 +01004447
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004448option abortonclose
4449no option abortonclose
4450 Enable or disable early dropping of aborted requests pending in queues.
4451 May be used in sections : defaults | frontend | listen | backend
4452 yes | no | yes | yes
4453 Arguments : none
4454
4455 In presence of very high loads, the servers will take some time to respond.
4456 The per-instance connection queue will inflate, and the response time will
4457 increase respective to the size of the queue times the average per-session
4458 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01004459 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004460 the queue, and slowing down other users, and the servers as well, because the
4461 request will eventually be served, then aborted at the first error
4462 encountered while delivering the response.
4463
4464 As there is no way to distinguish between a full STOP and a simple output
4465 close on the client side, HTTP agents should be conservative and consider
4466 that the client might only have closed its output channel while waiting for
4467 the response. However, this introduces risks of congestion when lots of users
4468 do the same, and is completely useless nowadays because probably no client at
4469 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01004470 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004471 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01004472 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004473 of being the single component to break rare but valid traffic is extremely
4474 low, which adds to the temptation to be able to abort a session early while
4475 still not served and not pollute the servers.
4476
4477 In HAProxy, the user can choose the desired behaviour using the option
4478 "abortonclose". By default (without the option) the behaviour is HTTP
4479 compliant and aborted requests will be served. But when the option is
4480 specified, a session with an incoming channel closed will be aborted while
4481 it is still possible, either pending in the queue for a connection slot, or
4482 during the connection establishment if the server has not yet acknowledged
4483 the connection request. This considerably reduces the queue size and the load
4484 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01004485 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004486
4487 If this option has been enabled in a "defaults" section, it can be disabled
4488 in a specific instance by prepending the "no" keyword before it.
4489
4490 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
4491
4492
Willy Tarreau4076a152009-04-02 15:18:36 +02004493option accept-invalid-http-request
4494no option accept-invalid-http-request
4495 Enable or disable relaxing of HTTP request parsing
4496 May be used in sections : defaults | frontend | listen | backend
4497 yes | yes | yes | no
4498 Arguments : none
4499
Willy Tarreau91852eb2015-05-01 13:26:00 +02004500 By default, HAProxy complies with RFC7230 in terms of message parsing. This
Willy Tarreau4076a152009-04-02 15:18:36 +02004501 means that invalid characters in header names are not permitted and cause an
4502 error to be returned to the client. This is the desired behaviour as such
4503 forbidden characters are essentially used to build attacks exploiting server
4504 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
4505 server will emit invalid header names for whatever reason (configuration,
4506 implementation) and the issue will not be immediately fixed. In such a case,
4507 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01004508 even if that does not make sense, by specifying this option. Similarly, the
4509 list of characters allowed to appear in a URI is well defined by RFC3986, and
4510 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
4511 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
4512 not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
Willy Tarreau91852eb2015-05-01 13:26:00 +02004513 remaining ones are blocked by default unless this option is enabled. This
Willy Tarreau13317662015-05-01 13:47:08 +02004514 option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
4515 to pass through (no version specified) and multiple digits for both the major
4516 and the minor version.
Willy Tarreau4076a152009-04-02 15:18:36 +02004517
4518 This option should never be enabled by default as it hides application bugs
4519 and open security breaches. It should only be deployed after a problem has
4520 been confirmed.
4521
4522 When this option is enabled, erroneous header names will still be accepted in
4523 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01004524 analysis using the "show errors" request on the UNIX stats socket. Similarly,
4525 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02004526 also helps confirming that the issue has been solved.
4527
4528 If this option has been enabled in a "defaults" section, it can be disabled
4529 in a specific instance by prepending the "no" keyword before it.
4530
4531 See also : "option accept-invalid-http-response" and "show errors" on the
4532 stats socket.
4533
4534
4535option accept-invalid-http-response
4536no option accept-invalid-http-response
4537 Enable or disable relaxing of HTTP response parsing
4538 May be used in sections : defaults | frontend | listen | backend
4539 yes | no | yes | yes
4540 Arguments : none
4541
Willy Tarreau91852eb2015-05-01 13:26:00 +02004542 By default, HAProxy complies with RFC7230 in terms of message parsing. This
Willy Tarreau4076a152009-04-02 15:18:36 +02004543 means that invalid characters in header names are not permitted and cause an
4544 error to be returned to the client. This is the desired behaviour as such
4545 forbidden characters are essentially used to build attacks exploiting server
4546 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
4547 server will emit invalid header names for whatever reason (configuration,
4548 implementation) and the issue will not be immediately fixed. In such a case,
4549 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau91852eb2015-05-01 13:26:00 +02004550 even if that does not make sense, by specifying this option. This option also
4551 relaxes the test on the HTTP version format, it allows multiple digits for
4552 both the major and the minor version.
Willy Tarreau4076a152009-04-02 15:18:36 +02004553
4554 This option should never be enabled by default as it hides application bugs
4555 and open security breaches. It should only be deployed after a problem has
4556 been confirmed.
4557
4558 When this option is enabled, erroneous header names will still be accepted in
4559 responses, but the complete response will be captured in order to permit
4560 later analysis using the "show errors" request on the UNIX stats socket.
4561 Doing this also helps confirming that the issue has been solved.
4562
4563 If this option has been enabled in a "defaults" section, it can be disabled
4564 in a specific instance by prepending the "no" keyword before it.
4565
4566 See also : "option accept-invalid-http-request" and "show errors" on the
4567 stats socket.
4568
4569
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004570option allbackups
4571no option allbackups
4572 Use either all backup servers at a time or only the first one
4573 May be used in sections : defaults | frontend | listen | backend
4574 yes | no | yes | yes
4575 Arguments : none
4576
4577 By default, the first operational backup server gets all traffic when normal
4578 servers are all down. Sometimes, it may be preferred to use multiple backups
4579 at once, because one will not be enough. When "option allbackups" is enabled,
4580 the load balancing will be performed among all backup servers when all normal
4581 ones are unavailable. The same load balancing algorithm will be used and the
4582 servers' weights will be respected. Thus, there will not be any priority
4583 order between the backup servers anymore.
4584
4585 This option is mostly used with static server farms dedicated to return a
4586 "sorry" page when an application is completely offline.
4587
4588 If this option has been enabled in a "defaults" section, it can be disabled
4589 in a specific instance by prepending the "no" keyword before it.
4590
4591
4592option checkcache
4593no option checkcache
Godbach7056a352013-12-11 20:01:07 +08004594 Analyze all server responses and block responses with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004595 May be used in sections : defaults | frontend | listen | backend
4596 yes | no | yes | yes
4597 Arguments : none
4598
4599 Some high-level frameworks set application cookies everywhere and do not
4600 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004601 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004602 high risk of session crossing or stealing between users traversing the same
4603 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02004604 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004605
4606 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004607 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01004608 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004609 response to check if there's a risk of caching a cookie on a client-side
4610 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01004611 to the client are :
4612 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004613 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01004614 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004615 - all those that come from a POST request, provided that the server has not
4616 set a 'Cache-Control: public' header ;
4617 - those with a 'Pragma: no-cache' header
4618 - those with a 'Cache-control: private' header
4619 - those with a 'Cache-control: no-store' header
4620 - those with a 'Cache-control: max-age=0' header
4621 - those with a 'Cache-control: s-maxage=0' header
4622 - those with a 'Cache-control: no-cache' header
4623 - those with a 'Cache-control: no-cache="set-cookie"' header
4624 - those with a 'Cache-control: no-cache="set-cookie,' header
4625 (allowing other fields after set-cookie)
4626
4627 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01004628 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004629 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004630 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004631 that admins are informed that there's something to be fixed.
4632
4633 Due to the high impact on the application, the application should be tested
4634 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004635 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004636 production, as it will report potentially dangerous application behaviours.
4637
4638 If this option has been enabled in a "defaults" section, it can be disabled
4639 in a specific instance by prepending the "no" keyword before it.
4640
4641
4642option clitcpka
4643no option clitcpka
4644 Enable or disable the sending of TCP keepalive packets on the client side
4645 May be used in sections : defaults | frontend | listen | backend
4646 yes | yes | yes | no
4647 Arguments : none
4648
4649 When there is a firewall or any session-aware component between a client and
4650 a server, and when the protocol involves very long sessions with long idle
4651 periods (eg: remote desktops), there is a risk that one of the intermediate
4652 components decides to expire a session which has remained idle for too long.
4653
4654 Enabling socket-level TCP keep-alives makes the system regularly send packets
4655 to the other end of the connection, leaving it active. The delay between
4656 keep-alive probes is controlled by the system only and depends both on the
4657 operating system and its tuning parameters.
4658
4659 It is important to understand that keep-alive packets are neither emitted nor
4660 received at the application level. It is only the network stacks which sees
4661 them. For this reason, even if one side of the proxy already uses keep-alives
4662 to maintain its connection alive, those keep-alive packets will not be
4663 forwarded to the other side of the proxy.
4664
4665 Please note that this has nothing to do with HTTP keep-alive.
4666
4667 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
4668 client side of a connection, which should help when session expirations are
4669 noticed between HAProxy and a client.
4670
4671 If this option has been enabled in a "defaults" section, it can be disabled
4672 in a specific instance by prepending the "no" keyword before it.
4673
4674 See also : "option srvtcpka", "option tcpka"
4675
4676
Willy Tarreau0ba27502007-12-24 16:55:16 +01004677option contstats
4678 Enable continuous traffic statistics updates
4679 May be used in sections : defaults | frontend | listen | backend
4680 yes | yes | yes | no
4681 Arguments : none
4682
4683 By default, counters used for statistics calculation are incremented
4684 only when a session finishes. It works quite well when serving small
4685 objects, but with big ones (for example large images or archives) or
4686 with A/V streaming, a graph generated from haproxy counters looks like
4687 a hedgehog. With this option enabled counters get incremented continuously,
4688 during a whole session. Recounting touches a hotpath directly so
4689 it is not enabled by default, as it has small performance impact (~0.5%).
4690
4691
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004692option dontlog-normal
4693no option dontlog-normal
4694 Enable or disable logging of normal, successful connections
4695 May be used in sections : defaults | frontend | listen | backend
4696 yes | yes | yes | no
4697 Arguments : none
4698
4699 There are large sites dealing with several thousand connections per second
4700 and for which logging is a major pain. Some of them are even forced to turn
4701 logs off and cannot debug production issues. Setting this option ensures that
4702 normal connections, those which experience no error, no timeout, no retry nor
4703 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
4704 mode, the response status code is checked and return codes 5xx will still be
4705 logged.
4706
4707 It is strongly discouraged to use this option as most of the time, the key to
4708 complex issues is in the normal logs which will not be logged here. If you
4709 need to separate logs, see the "log-separate-errors" option instead.
4710
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004711 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004712 logging.
4713
4714
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004715option dontlognull
4716no option dontlognull
4717 Enable or disable logging of null connections
4718 May be used in sections : defaults | frontend | listen | backend
4719 yes | yes | yes | no
4720 Arguments : none
4721
4722 In certain environments, there are components which will regularly connect to
4723 various systems to ensure that they are still alive. It can be the case from
4724 another load balancer as well as from monitoring systems. By default, even a
4725 simple port probe or scan will produce a log. If those connections pollute
4726 the logs too much, it is possible to enable option "dontlognull" to indicate
4727 that a connection on which no data has been transferred will not be logged,
Willy Tarreau0f228a02015-05-01 15:37:53 +02004728 which typically corresponds to those probes. Note that errors will still be
4729 returned to the client and accounted for in the stats. If this is not what is
4730 desired, option http-ignore-probes can be used instead.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004731
4732 It is generally recommended not to use this option in uncontrolled
4733 environments (eg: internet), otherwise scans and other malicious activities
4734 would not be logged.
4735
4736 If this option has been enabled in a "defaults" section, it can be disabled
4737 in a specific instance by prepending the "no" keyword before it.
4738
Willy Tarreau0f228a02015-05-01 15:37:53 +02004739 See also : "log", "http-ignore-probes", "monitor-net", "monitor-uri", and
4740 section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004741
4742
4743option forceclose
4744no option forceclose
4745 Enable or disable active connection closing after response is transferred.
4746 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01004747 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004748 Arguments : none
4749
4750 Some HTTP servers do not necessarily close the connections when they receive
4751 the "Connection: close" set by "option httpclose", and if the client does not
4752 close either, then the connection remains open till the timeout expires. This
4753 causes high number of simultaneous connections on the servers and shows high
4754 global session times in the logs.
4755
4756 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01004757 actively close the outgoing server channel as soon as the server has finished
Cyril Bonté653dcd62014-02-20 00:13:15 +01004758 to respond and release some resources earlier than with "option httpclose".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004759
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004760 This option may also be combined with "option http-pretend-keepalive", which
4761 will disable sending of the "Connection: close" header, but will still cause
4762 the connection to be closed once the whole response is received.
4763
Cyril Bonté653dcd62014-02-20 00:13:15 +01004764 This option disables and replaces any previous "option httpclose", "option
4765 http-server-close", "option http-keep-alive", or "option http-tunnel".
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004766
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004767 If this option has been enabled in a "defaults" section, it can be disabled
4768 in a specific instance by prepending the "no" keyword before it.
4769
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004770 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004771
4772
Willy Tarreau87cf5142011-08-19 22:57:24 +02004773option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01004774 Enable insertion of the X-Forwarded-For header to requests sent to servers
4775 May be used in sections : defaults | frontend | listen | backend
4776 yes | yes | yes | yes
4777 Arguments :
4778 <network> is an optional argument used to disable this option for sources
4779 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02004780 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01004781 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004782
4783 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
4784 their client address. This is sometimes annoying when the client's IP address
4785 is expected in server logs. To solve this problem, the well-known HTTP header
4786 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
4787 This header contains a value representing the client's IP address. Since this
4788 header is always appended at the end of the existing header list, the server
4789 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02004790 the server's manual to find how to enable use of this standard header. Note
4791 that only the last occurrence of the header must be used, since it is really
4792 possible that the client has already brought one.
4793
Willy Tarreaud72758d2010-01-12 10:42:19 +01004794 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02004795 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01004796 have a "X-Forwarded-For" header from a different application (eg: stunnel),
4797 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02004798 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
4799 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01004800
4801 Sometimes, a same HAProxy instance may be shared between a direct client
4802 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
4803 used to decrypt HTTPS traffic). It is possible to disable the addition of the
4804 header for a known source address or network by adding the "except" keyword
4805 followed by the network address. In this case, any source IP matching the
4806 network will not cause an addition of this header. Most common uses are with
4807 private networks or 127.0.0.1.
4808
Willy Tarreau87cf5142011-08-19 22:57:24 +02004809 Alternatively, the keyword "if-none" states that the header will only be
4810 added if it is not present. This should only be used in perfectly trusted
4811 environment, as this might cause a security issue if headers reaching haproxy
4812 are under the control of the end-user.
4813
Willy Tarreauc27debf2008-01-06 08:57:02 +01004814 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02004815 least one of them uses it, the header will be added. Note that the backend's
4816 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02004817 both are defined. In the case of the "if-none" argument, if at least one of
4818 the frontend or the backend does not specify it, it wants the addition to be
4819 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004820
Ross Westaf72a1d2008-08-03 10:51:45 +02004821 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01004822 # Public HTTP address also used by stunnel on the same machine
4823 frontend www
4824 mode http
4825 option forwardfor except 127.0.0.1 # stunnel already adds the header
4826
Ross Westaf72a1d2008-08-03 10:51:45 +02004827 # Those servers want the IP Address in X-Client
4828 backend www
4829 mode http
4830 option forwardfor header X-Client
4831
Willy Tarreau87cf5142011-08-19 22:57:24 +02004832 See also : "option httpclose", "option http-server-close",
Willy Tarreau70dffda2014-01-30 03:07:23 +01004833 "option forceclose", "option http-keep-alive"
Willy Tarreauc27debf2008-01-06 08:57:02 +01004834
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004835
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02004836option http-buffer-request
4837no option http-buffer-request
4838 Enable or disable waiting for whole HTTP request body before proceeding
4839 May be used in sections : defaults | frontend | listen | backend
4840 yes | yes | yes | yes
4841 Arguments : none
4842
4843 It is sometimes desirable to wait for the body of an HTTP request before
4844 taking a decision. This is what is being done by "balance url_param" for
4845 example. The first use case is to buffer requests from slow clients before
4846 connecting to the server. Another use case consists in taking the routing
4847 decision based on the request body's contents. This option placed in a
4848 frontend or backend forces the HTTP processing to wait until either the whole
4849 body is received, or the request buffer is full, or the first chunk is
4850 complete in case of chunked encoding. It can have undesired side effects with
4851 some applications abusing HTTP by expecting unbufferred transmissions between
4852 the frontend and the backend, so this should definitely not be used by
4853 default.
4854
4855 See also : "option http-no-delay"
4856
4857
Willy Tarreau0f228a02015-05-01 15:37:53 +02004858option http-ignore-probes
4859no option http-ignore-probes
4860 Enable or disable logging of null connections and request timeouts
4861 May be used in sections : defaults | frontend | listen | backend
4862 yes | yes | yes | no
4863 Arguments : none
4864
4865 Recently some browsers started to implement a "pre-connect" feature
4866 consisting in speculatively connecting to some recently visited web sites
4867 just in case the user would like to visit them. This results in many
4868 connections being established to web sites, which end up in 408 Request
4869 Timeout if the timeout strikes first, or 400 Bad Request when the browser
4870 decides to close them first. These ones pollute the log and feed the error
4871 counters. There was already "option dontlognull" but it's insufficient in
4872 this case. Instead, this option does the following things :
4873 - prevent any 400/408 message from being sent to the client if nothing
4874 was received over a connection before it was closed ;
4875 - prevent any log from being emitted in this situation ;
4876 - prevent any error counter from being incremented
4877
4878 That way the empty connection is silently ignored. Note that it is better
4879 not to use this unless it is clear that it is needed, because it will hide
4880 real problems. The most common reason for not receiving a request and seeing
4881 a 408 is due to an MTU inconsistency between the client and an intermediary
4882 element such as a VPN, which blocks too large packets. These issues are
4883 generally seen with POST requests as well as GET with large cookies. The logs
4884 are often the only way to detect them.
4885
4886 If this option has been enabled in a "defaults" section, it can be disabled
4887 in a specific instance by prepending the "no" keyword before it.
4888
4889 See also : "log", "dontlognull", "errorfile", and section 8 about logging.
4890
4891
Willy Tarreau16bfb022010-01-16 19:48:41 +01004892option http-keep-alive
4893no option http-keep-alive
4894 Enable or disable HTTP keep-alive from client to server
4895 May be used in sections : defaults | frontend | listen | backend
4896 yes | yes | yes | yes
4897 Arguments : none
4898
Willy Tarreau70dffda2014-01-30 03:07:23 +01004899 By default HAProxy operates in keep-alive mode with regards to persistent
4900 connections: for each connection it processes each request and response, and
4901 leaves the connection idle on both sides between the end of a response and the
4902 start of a new request. This mode may be changed by several options such as
4903 "option http-server-close", "option forceclose", "option httpclose" or
4904 "option http-tunnel". This option allows to set back the keep-alive mode,
4905 which can be useful when another mode was used in a defaults section.
4906
4907 Setting "option http-keep-alive" enables HTTP keep-alive mode on the client-
4908 and server- sides. This provides the lowest latency on the client side (slow
Willy Tarreau16bfb022010-01-16 19:48:41 +01004909 network) and the fastest session reuse on the server side at the expense
4910 of maintaining idle connections to the servers. In general, it is possible
4911 with this option to achieve approximately twice the request rate that the
4912 "http-server-close" option achieves on small objects. There are mainly two
4913 situations where this option may be useful :
4914
4915 - when the server is non-HTTP compliant and authenticates the connection
4916 instead of requests (eg: NTLM authentication)
4917
4918 - when the cost of establishing the connection to the server is significant
4919 compared to the cost of retrieving the associated object from the server.
4920
4921 This last case can happen when the server is a fast static server of cache.
4922 In this case, the server will need to be properly tuned to support high enough
4923 connection counts because connections will last until the client sends another
4924 request.
4925
4926 If the client request has to go to another backend or another server due to
4927 content switching or the load balancing algorithm, the idle connection will
Willy Tarreau9420b122013-12-15 18:58:25 +01004928 immediately be closed and a new one re-opened. Option "prefer-last-server" is
4929 available to try optimize server selection so that if the server currently
4930 attached to an idle connection is usable, it will be used.
Willy Tarreau16bfb022010-01-16 19:48:41 +01004931
4932 In general it is preferred to use "option http-server-close" with application
4933 servers, and some static servers might benefit from "option http-keep-alive".
4934
4935 At the moment, logs will not indicate whether requests came from the same
4936 session or not. The accept date reported in the logs corresponds to the end
4937 of the previous request, and the request time corresponds to the time spent
4938 waiting for a new request. The keep-alive request time is still bound to the
4939 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
4940 not set.
4941
Cyril Bonté653dcd62014-02-20 00:13:15 +01004942 This option disables and replaces any previous "option httpclose", "option
4943 http-server-close", "option forceclose" or "option http-tunnel". When backend
Willy Tarreau70dffda2014-01-30 03:07:23 +01004944 and frontend options differ, all of these 4 options have precedence over
Cyril Bonté653dcd62014-02-20 00:13:15 +01004945 "option http-keep-alive".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004946
4947 See also : "option forceclose", "option http-server-close",
Willy Tarreau9420b122013-12-15 18:58:25 +01004948 "option prefer-last-server", "option http-pretend-keepalive",
4949 "option httpclose", and "1.1. The HTTP transaction model".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004950
4951
Willy Tarreau96e31212011-05-30 18:10:30 +02004952option http-no-delay
4953no option http-no-delay
4954 Instruct the system to favor low interactive delays over performance in HTTP
4955 May be used in sections : defaults | frontend | listen | backend
4956 yes | yes | yes | yes
4957 Arguments : none
4958
4959 In HTTP, each payload is unidirectional and has no notion of interactivity.
4960 Any agent is expected to queue data somewhat for a reasonably low delay.
4961 There are some very rare server-to-server applications that abuse the HTTP
4962 protocol and expect the payload phase to be highly interactive, with many
4963 interleaved data chunks in both directions within a single request. This is
4964 absolutely not supported by the HTTP specification and will not work across
4965 most proxies or servers. When such applications attempt to do this through
4966 haproxy, it works but they will experience high delays due to the network
4967 optimizations which favor performance by instructing the system to wait for
4968 enough data to be available in order to only send full packets. Typical
4969 delays are around 200 ms per round trip. Note that this only happens with
4970 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
4971 affected.
4972
4973 When "option http-no-delay" is present in either the frontend or the backend
4974 used by a connection, all such optimizations will be disabled in order to
4975 make the exchanges as fast as possible. Of course this offers no guarantee on
4976 the functionality, as it may break at any other place. But if it works via
4977 HAProxy, it will work as fast as possible. This option should never be used
4978 by default, and should never be used at all unless such a buggy application
4979 is discovered. The impact of using this option is an increase of bandwidth
4980 usage and CPU usage, which may significantly lower performance in high
4981 latency environments.
4982
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02004983 See also : "option http-buffer-request"
4984
Willy Tarreau96e31212011-05-30 18:10:30 +02004985
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004986option http-pretend-keepalive
4987no option http-pretend-keepalive
4988 Define whether haproxy will announce keepalive to the server or not
4989 May be used in sections : defaults | frontend | listen | backend
4990 yes | yes | yes | yes
4991 Arguments : none
4992
4993 When running with "option http-server-close" or "option forceclose", haproxy
4994 adds a "Connection: close" header to the request forwarded to the server.
4995 Unfortunately, when some servers see this header, they automatically refrain
4996 from using the chunked encoding for responses of unknown length, while this
4997 is totally unrelated. The immediate effect is that this prevents haproxy from
4998 maintaining the client connection alive. A second effect is that a client or
4999 a cache could receive an incomplete response without being aware of it, and
5000 consider the response complete.
5001
5002 By setting "option http-pretend-keepalive", haproxy will make the server
5003 believe it will keep the connection alive. The server will then not fall back
5004 to the abnormal undesired above. When haproxy gets the whole response, it
5005 will close the connection with the server just as it would do with the
5006 "forceclose" option. That way the client gets a normal response and the
5007 connection is correctly closed on the server side.
5008
5009 It is recommended not to enable this option by default, because most servers
5010 will more efficiently close the connection themselves after the last packet,
5011 and release its buffers slightly earlier. Also, the added packet on the
5012 network could slightly reduce the overall peak performance. However it is
5013 worth noting that when this option is enabled, haproxy will have slightly
5014 less work to do. So if haproxy is the bottleneck on the whole architecture,
5015 enabling this option might save a few CPU cycles.
5016
5017 This option may be set both in a frontend and in a backend. It is enabled if
5018 at least one of the frontend or backend holding a connection has it enabled.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005019 This option may be combined with "option httpclose", which will cause
Willy Tarreau22a95342010-09-29 14:31:41 +02005020 keepalive to be announced to the server and close to be announced to the
5021 client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02005022
5023 If this option has been enabled in a "defaults" section, it can be disabled
5024 in a specific instance by prepending the "no" keyword before it.
5025
Willy Tarreau16bfb022010-01-16 19:48:41 +01005026 See also : "option forceclose", "option http-server-close", and
5027 "option http-keep-alive"
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02005028
Willy Tarreauc27debf2008-01-06 08:57:02 +01005029
Willy Tarreaub608feb2010-01-02 22:47:18 +01005030option http-server-close
5031no option http-server-close
5032 Enable or disable HTTP connection closing on the server side
5033 May be used in sections : defaults | frontend | listen | backend
5034 yes | yes | yes | yes
5035 Arguments : none
5036
Willy Tarreau70dffda2014-01-30 03:07:23 +01005037 By default HAProxy operates in keep-alive mode with regards to persistent
5038 connections: for each connection it processes each request and response, and
5039 leaves the connection idle on both sides between the end of a response and
5040 the start of a new request. This mode may be changed by several options such
5041 as "option http-server-close", "option forceclose", "option httpclose" or
5042 "option http-tunnel". Setting "option http-server-close" enables HTTP
5043 connection-close mode on the server side while keeping the ability to support
5044 HTTP keep-alive and pipelining on the client side. This provides the lowest
5045 latency on the client side (slow network) and the fastest session reuse on
5046 the server side to save server resources, similarly to "option forceclose".
5047 It also permits non-keepalive capable servers to be served in keep-alive mode
5048 to the clients if they conform to the requirements of RFC2616. Please note
5049 that some servers do not always conform to those requirements when they see
5050 "Connection: close" in the request. The effect will be that keep-alive will
5051 never be used. A workaround consists in enabling "option
5052 http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01005053
5054 At the moment, logs will not indicate whether requests came from the same
5055 session or not. The accept date reported in the logs corresponds to the end
5056 of the previous request, and the request time corresponds to the time spent
5057 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01005058 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
5059 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01005060
5061 This option may be set both in a frontend and in a backend. It is enabled if
5062 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01005063 It disables and replaces any previous "option httpclose", "option forceclose",
5064 "option http-tunnel" or "option http-keep-alive". Please check section 4
Willy Tarreau70dffda2014-01-30 03:07:23 +01005065 ("Proxies") to see how this option combines with others when frontend and
5066 backend options differ.
Willy Tarreaub608feb2010-01-02 22:47:18 +01005067
5068 If this option has been enabled in a "defaults" section, it can be disabled
5069 in a specific instance by prepending the "no" keyword before it.
5070
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02005071 See also : "option forceclose", "option http-pretend-keepalive",
Willy Tarreau16bfb022010-01-16 19:48:41 +01005072 "option httpclose", "option http-keep-alive", and
5073 "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01005074
5075
Willy Tarreau02bce8b2014-01-30 00:15:28 +01005076option http-tunnel
5077no option http-tunnel
5078 Disable or enable HTTP connection processing after first transaction
5079 May be used in sections : defaults | frontend | listen | backend
5080 yes | yes | yes | yes
5081 Arguments : none
5082
Willy Tarreau70dffda2014-01-30 03:07:23 +01005083 By default HAProxy operates in keep-alive mode with regards to persistent
5084 connections: for each connection it processes each request and response, and
5085 leaves the connection idle on both sides between the end of a response and
5086 the start of a new request. This mode may be changed by several options such
5087 as "option http-server-close", "option forceclose", "option httpclose" or
5088 "option http-tunnel".
5089
5090 Option "http-tunnel" disables any HTTP processing past the first request and
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005091 the first response. This is the mode which was used by default in versions
Willy Tarreau70dffda2014-01-30 03:07:23 +01005092 1.0 to 1.5-dev21. It is the mode with the lowest processing overhead, which
5093 is normally not needed anymore unless in very specific cases such as when
5094 using an in-house protocol that looks like HTTP but is not compatible, or
5095 just to log one request per client in order to reduce log size. Note that
5096 everything which works at the HTTP level, including header parsing/addition,
5097 cookie processing or content switching will only work for the first request
5098 and will be ignored after the first response.
Willy Tarreau02bce8b2014-01-30 00:15:28 +01005099
5100 If this option has been enabled in a "defaults" section, it can be disabled
5101 in a specific instance by prepending the "no" keyword before it.
5102
5103 See also : "option forceclose", "option http-server-close",
5104 "option httpclose", "option http-keep-alive", and
5105 "1.1. The HTTP transaction model".
5106
5107
Willy Tarreau88d349d2010-01-25 12:15:43 +01005108option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01005109no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01005110 Make use of non-standard Proxy-Connection header instead of Connection
5111 May be used in sections : defaults | frontend | listen | backend
5112 yes | yes | yes | no
5113 Arguments : none
5114
5115 While RFC2616 explicitly states that HTTP/1.1 agents must use the
5116 Connection header to indicate their wish of persistent or non-persistent
5117 connections, both browsers and proxies ignore this header for proxied
5118 connections and make use of the undocumented, non-standard Proxy-Connection
5119 header instead. The issue begins when trying to put a load balancer between
5120 browsers and such proxies, because there will be a difference between what
5121 haproxy understands and what the client and the proxy agree on.
5122
5123 By setting this option in a frontend, haproxy can automatically switch to use
5124 that non-standard header if it sees proxied requests. A proxied request is
5125 defined here as one where the URI begins with neither a '/' nor a '*'. The
5126 choice of header only affects requests passing through proxies making use of
5127 one of the "httpclose", "forceclose" and "http-server-close" options. Note
5128 that this option can only be specified in a frontend and will affect the
5129 request along its whole life.
5130
Willy Tarreau844a7e72010-01-31 21:46:18 +01005131 Also, when this option is set, a request which requires authentication will
5132 automatically switch to use proxy authentication headers if it is itself a
5133 proxied request. That makes it possible to check or enforce authentication in
5134 front of an existing proxy.
5135
Willy Tarreau88d349d2010-01-25 12:15:43 +01005136 This option should normally never be used, except in front of a proxy.
5137
5138 See also : "option httpclose", "option forceclose" and "option
5139 http-server-close".
5140
5141
Willy Tarreaud63335a2010-02-26 12:56:52 +01005142option httpchk
5143option httpchk <uri>
5144option httpchk <method> <uri>
5145option httpchk <method> <uri> <version>
5146 Enable HTTP protocol to check on the servers health
5147 May be used in sections : defaults | frontend | listen | backend
5148 yes | no | yes | yes
5149 Arguments :
5150 <method> is the optional HTTP method used with the requests. When not set,
5151 the "OPTIONS" method is used, as it generally requires low server
5152 processing and is easy to filter out from the logs. Any method
5153 may be used, though it is not recommended to invent non-standard
5154 ones.
5155
5156 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
5157 which is accessible by default on almost any server, but may be
5158 changed to any other URI. Query strings are permitted.
5159
5160 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
5161 but some servers might behave incorrectly in HTTP 1.0, so turning
5162 it to HTTP/1.1 may sometimes help. Note that the Host field is
5163 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
5164 after "\r\n" following the version string.
5165
5166 By default, server health checks only consist in trying to establish a TCP
5167 connection. When "option httpchk" is specified, a complete HTTP request is
5168 sent once the TCP connection is established, and responses 2xx and 3xx are
5169 considered valid, while all other ones indicate a server failure, including
5170 the lack of any response.
5171
5172 The port and interval are specified in the server configuration.
5173
5174 This option does not necessarily require an HTTP backend, it also works with
5175 plain TCP backends. This is particularly useful to check simple scripts bound
5176 to some dedicated ports using the inetd daemon.
5177
5178 Examples :
5179 # Relay HTTPS traffic to Apache instance and check service availability
5180 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
5181 backend https_relay
5182 mode tcp
5183 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
5184 server apache1 192.168.1.1:443 check port 80
5185
Simon Hormanafc47ee2013-11-25 10:46:35 +09005186 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
5187 "option pgsql-check", "http-check" and the "check", "port" and
5188 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01005189
5190
Willy Tarreauc27debf2008-01-06 08:57:02 +01005191option httpclose
5192no option httpclose
5193 Enable or disable passive HTTP connection closing
5194 May be used in sections : defaults | frontend | listen | backend
5195 yes | yes | yes | yes
5196 Arguments : none
5197
Willy Tarreau70dffda2014-01-30 03:07:23 +01005198 By default HAProxy operates in keep-alive mode with regards to persistent
5199 connections: for each connection it processes each request and response, and
5200 leaves the connection idle on both sides between the end of a response and
5201 the start of a new request. This mode may be changed by several options such
Cyril Bonté653dcd62014-02-20 00:13:15 +01005202 as "option http-server-close", "option forceclose", "option httpclose" or
Willy Tarreau70dffda2014-01-30 03:07:23 +01005203 "option http-tunnel".
5204
5205 If "option httpclose" is set, HAProxy will work in HTTP tunnel mode and check
5206 if a "Connection: close" header is already set in each direction, and will
5207 add one if missing. Each end should react to this by actively closing the TCP
5208 connection after each transfer, thus resulting in a switch to the HTTP close
5209 mode. Any "Connection" header different from "close" will also be removed.
5210 Note that this option is deprecated since what it does is very cheap but not
5211 reliable. Using "option http-server-close" or "option forceclose" is strongly
5212 recommended instead.
Willy Tarreauc27debf2008-01-06 08:57:02 +01005213
5214 It seldom happens that some servers incorrectly ignore this header and do not
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005215 close the connection even though they reply "Connection: close". For this
Willy Tarreau0dfdf192010-01-05 11:33:11 +01005216 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
5217 it is possible to use the "option forceclose" which actively closes the
5218 request connection once the server responds. Option "forceclose" also
5219 releases the server connection earlier because it does not have to wait for
5220 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01005221
5222 This option may be set both in a frontend and in a backend. It is enabled if
5223 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01005224 It disables and replaces any previous "option http-server-close",
5225 "option forceclose", "option http-keep-alive" or "option http-tunnel". Please
Willy Tarreau70dffda2014-01-30 03:07:23 +01005226 check section 4 ("Proxies") to see how this option combines with others when
5227 frontend and backend options differ.
Willy Tarreauc27debf2008-01-06 08:57:02 +01005228
5229 If this option has been enabled in a "defaults" section, it can be disabled
5230 in a specific instance by prepending the "no" keyword before it.
5231
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02005232 See also : "option forceclose", "option http-server-close" and
5233 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01005234
5235
Emeric Brun3a058f32009-06-30 18:26:00 +02005236option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01005237 Enable logging of HTTP request, session state and timers
5238 May be used in sections : defaults | frontend | listen | backend
5239 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02005240 Arguments :
5241 clf if the "clf" argument is added, then the output format will be
5242 the CLF format instead of HAProxy's default HTTP format. You can
5243 use this when you need to feed HAProxy's logs through a specific
5244 log analyser which only support the CLF format and which is not
5245 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01005246
5247 By default, the log output format is very poor, as it only contains the
5248 source and destination addresses, and the instance name. By specifying
5249 "option httplog", each log line turns into a much richer format including,
5250 but not limited to, the HTTP request, the connection timers, the session
5251 status, the connections numbers, the captured headers and cookies, the
5252 frontend, backend and server name, and of course the source address and
5253 ports.
5254
5255 This option may be set either in the frontend or the backend.
5256
PiBa-NLbd556bf2014-12-11 21:31:54 +01005257 Specifying only "option httplog" will automatically clear the 'clf' mode
5258 if it was set by default.
Emeric Brun3a058f32009-06-30 18:26:00 +02005259
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005260 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01005261
Willy Tarreau55165fe2009-05-10 12:02:55 +02005262
5263option http_proxy
5264no option http_proxy
5265 Enable or disable plain HTTP proxy mode
5266 May be used in sections : defaults | frontend | listen | backend
5267 yes | yes | yes | yes
5268 Arguments : none
5269
5270 It sometimes happens that people need a pure HTTP proxy which understands
5271 basic proxy requests without caching nor any fancy feature. In this case,
5272 it may be worth setting up an HAProxy instance with the "option http_proxy"
5273 set. In this mode, no server is declared, and the connection is forwarded to
5274 the IP address and port found in the URL after the "http://" scheme.
5275
5276 No host address resolution is performed, so this only works when pure IP
5277 addresses are passed. Since this option's usage perimeter is rather limited,
5278 it will probably be used only by experts who know they need exactly it. Last,
5279 if the clients are susceptible of sending keep-alive requests, it will be
Cyril Bonté2409e682010-12-14 22:47:51 +01005280 needed to add "option httpclose" to ensure that all requests will correctly
Willy Tarreau55165fe2009-05-10 12:02:55 +02005281 be analyzed.
5282
5283 If this option has been enabled in a "defaults" section, it can be disabled
5284 in a specific instance by prepending the "no" keyword before it.
5285
5286 Example :
5287 # this backend understands HTTP proxy requests and forwards them directly.
5288 backend direct_forward
5289 option httpclose
5290 option http_proxy
5291
5292 See also : "option httpclose"
5293
Willy Tarreau211ad242009-10-03 21:45:07 +02005294
Jamie Gloudon801a0a32012-08-25 00:18:33 -04005295option independent-streams
5296no option independent-streams
5297 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02005298 May be used in sections : defaults | frontend | listen | backend
5299 yes | yes | yes | yes
5300 Arguments : none
5301
5302 By default, when data is sent over a socket, both the write timeout and the
5303 read timeout for that socket are refreshed, because we consider that there is
5304 activity on that socket, and we have no other means of guessing if we should
5305 receive data or not.
5306
5307 While this default behaviour is desirable for almost all applications, there
5308 exists a situation where it is desirable to disable it, and only refresh the
5309 read timeout if there are incoming data. This happens on sessions with large
5310 timeouts and low amounts of exchanged data such as telnet session. If the
5311 server suddenly disappears, the output data accumulates in the system's
5312 socket buffers, both timeouts are correctly refreshed, and there is no way
5313 to know the server does not receive them, so we don't timeout. However, when
5314 the underlying protocol always echoes sent data, it would be enough by itself
5315 to detect the issue using the read timeout. Note that this problem does not
5316 happen with more verbose protocols because data won't accumulate long in the
5317 socket buffers.
5318
5319 When this option is set on the frontend, it will disable read timeout updates
5320 on data sent to the client. There probably is little use of this case. When
5321 the option is set on the backend, it will disable read timeout updates on
5322 data sent to the server. Doing so will typically break large HTTP posts from
5323 slow lines, so use it with caution.
5324
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005325 Note: older versions used to call this setting "option independent-streams"
Jamie Gloudon801a0a32012-08-25 00:18:33 -04005326 with a spelling mistake. This spelling is still supported but
5327 deprecated.
5328
Willy Tarreauce887fd2012-05-12 12:50:00 +02005329 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02005330
5331
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02005332option ldap-check
5333 Use LDAPv3 health checks for server testing
5334 May be used in sections : defaults | frontend | listen | backend
5335 yes | no | yes | yes
5336 Arguments : none
5337
5338 It is possible to test that the server correctly talks LDAPv3 instead of just
5339 testing that it accepts the TCP connection. When this option is set, an
5340 LDAPv3 anonymous simple bind message is sent to the server, and the response
5341 is analyzed to find an LDAPv3 bind response message.
5342
5343 The server is considered valid only when the LDAP response contains success
5344 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
5345
5346 Logging of bind requests is server dependent see your documentation how to
5347 configure it.
5348
5349 Example :
5350 option ldap-check
5351
5352 See also : "option httpchk"
5353
5354
Simon Horman98637e52014-06-20 12:30:16 +09005355option external-check
5356 Use external processes for server health checks
5357 May be used in sections : defaults | frontend | listen | backend
5358 yes | no | yes | yes
5359
5360 It is possible to test the health of a server using an external command.
5361 This is achieved by running the executable set using "external-check
5362 command".
5363
5364 Requires the "external-check" global to be set.
5365
5366 See also : "external-check", "external-check command", "external-check path"
5367
5368
Willy Tarreau211ad242009-10-03 21:45:07 +02005369option log-health-checks
5370no option log-health-checks
Willy Tarreaubef1b322014-05-13 21:01:39 +02005371 Enable or disable logging of health checks status updates
Willy Tarreau211ad242009-10-03 21:45:07 +02005372 May be used in sections : defaults | frontend | listen | backend
5373 yes | no | yes | yes
5374 Arguments : none
5375
Willy Tarreaubef1b322014-05-13 21:01:39 +02005376 By default, failed health check are logged if server is UP and successful
5377 health checks are logged if server is DOWN, so the amount of additional
5378 information is limited.
Willy Tarreau211ad242009-10-03 21:45:07 +02005379
Willy Tarreaubef1b322014-05-13 21:01:39 +02005380 When this option is enabled, any change of the health check status or to
5381 the server's health will be logged, so that it becomes possible to know
5382 that a server was failing occasional checks before crashing, or exactly when
5383 it failed to respond a valid HTTP status, then when the port started to
5384 reject connections, then when the server stopped responding at all.
5385
5386 Note that status changes not caused by health checks (eg: enable/disable on
5387 the CLI) are intentionally not logged by this option.
Willy Tarreau211ad242009-10-03 21:45:07 +02005388
Willy Tarreaubef1b322014-05-13 21:01:39 +02005389 See also: "option httpchk", "option ldap-check", "option mysql-check",
5390 "option pgsql-check", "option redis-check", "option smtpchk",
5391 "option tcp-check", "log" and section 8 about logging.
Willy Tarreau211ad242009-10-03 21:45:07 +02005392
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02005393
5394option log-separate-errors
5395no option log-separate-errors
5396 Change log level for non-completely successful connections
5397 May be used in sections : defaults | frontend | listen | backend
5398 yes | yes | yes | no
5399 Arguments : none
5400
5401 Sometimes looking for errors in logs is not easy. This option makes haproxy
5402 raise the level of logs containing potentially interesting information such
5403 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
5404 level changes from "info" to "err". This makes it possible to log them
5405 separately to a different file with most syslog daemons. Be careful not to
5406 remove them from the original file, otherwise you would lose ordering which
5407 provides very important information.
5408
5409 Using this option, large sites dealing with several thousand connections per
5410 second may log normal traffic to a rotating buffer and only archive smaller
5411 error logs.
5412
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005413 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02005414 logging.
5415
Willy Tarreauc27debf2008-01-06 08:57:02 +01005416
5417option logasap
5418no option logasap
5419 Enable or disable early logging of HTTP requests
5420 May be used in sections : defaults | frontend | listen | backend
5421 yes | yes | yes | no
5422 Arguments : none
5423
5424 By default, HTTP requests are logged upon termination so that the total
5425 transfer time and the number of bytes appear in the logs. When large objects
5426 are being transferred, it may take a while before the request appears in the
5427 logs. Using "option logasap", the request gets logged as soon as the server
5428 sends the complete headers. The only missing information in the logs will be
5429 the total number of bytes which will indicate everything except the amount
5430 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005431 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01005432 "Content-Length" response header so that the logs at least indicate how many
5433 bytes are expected to be transferred.
5434
Willy Tarreaucc6c8912009-02-22 10:53:55 +01005435 Examples :
5436 listen http_proxy 0.0.0.0:80
5437 mode http
5438 option httplog
5439 option logasap
5440 log 192.168.2.200 local3
5441
5442 >>> Feb 6 12:14:14 localhost \
5443 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
5444 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
5445 "GET /image.iso HTTP/1.0"
5446
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005447 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01005448 logging.
5449
5450
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02005451option mysql-check [ user <username> [ post-41 ] ]
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02005452 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005453 May be used in sections : defaults | frontend | listen | backend
5454 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02005455 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005456 <username> This is the username which will be used when connecting to MySQL
5457 server.
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02005458 post-41 Send post v4.1 client compatible checks
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02005459
5460 If you specify a username, the check consists of sending two MySQL packet,
5461 one Client Authentication packet, and one QUIT packet, to correctly close
5462 MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
5463 Error packet. It is a basic but useful test which does not produce error nor
5464 aborted connect on the server. However, it requires adding an authorization
5465 in the MySQL table, like this :
5466
5467 USE mysql;
5468 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
5469 FLUSH PRIVILEGES;
5470
5471 If you don't specify a username (it is deprecated and not recommended), the
5472 check only consists in parsing the Mysql Handshake Initialisation packet or
5473 Error packet, we don't send anything in this mode. It was reported that it
5474 can generate lockout if check is too frequent and/or if there is not enough
5475 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
5476 value as if a connection is established successfully within fewer than MySQL
5477 "max_connect_errors" attempts after a previous connection was interrupted,
5478 the error count for the host is cleared to zero. If HAProxy's server get
5479 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
5480
5481 Remember that this does not check database presence nor database consistency.
5482 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005483
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02005484 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005485
5486 Most often, an incoming MySQL server needs to see the client's IP address for
5487 various purposes, including IP privilege matching and connection logging.
5488 When possible, it is often wise to masquerade the client's IP address when
5489 connecting to the server using the "usesrc" argument of the "source" keyword,
Willy Tarreau29fbe512015-08-20 19:35:14 +02005490 which requires the transparent proxy feature to be compiled in, and the MySQL
5491 server to route the client via the machine hosting haproxy.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005492
5493 See also: "option httpchk"
5494
5495
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005496option nolinger
5497no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005498 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005499 May be used in sections: defaults | frontend | listen | backend
5500 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005501 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005502
5503 When clients or servers abort connections in a dirty way (eg: they are
5504 physically disconnected), the session timeouts triggers and the session is
5505 closed. But it will remain in FIN_WAIT1 state for some time in the system,
5506 using some resources and possibly limiting the ability to establish newer
5507 connections.
5508
5509 When this happens, it is possible to activate "option nolinger" which forces
5510 the system to immediately remove any socket's pending data on close. Thus,
5511 the session is instantly purged from the system's tables. This usually has
5512 side effects such as increased number of TCP resets due to old retransmits
5513 getting immediately rejected. Some firewalls may sometimes complain about
5514 this too.
5515
5516 For this reason, it is not recommended to use this option when not absolutely
5517 needed. You know that you need it when you have thousands of FIN_WAIT1
5518 sessions on your system (TIME_WAIT ones do not count).
5519
5520 This option may be used both on frontends and backends, depending on the side
5521 where it is required. Use it on the frontend for clients, and on the backend
5522 for servers.
5523
5524 If this option has been enabled in a "defaults" section, it can be disabled
5525 in a specific instance by prepending the "no" keyword before it.
5526
5527
Willy Tarreau55165fe2009-05-10 12:02:55 +02005528option originalto [ except <network> ] [ header <name> ]
5529 Enable insertion of the X-Original-To header to requests sent to servers
5530 May be used in sections : defaults | frontend | listen | backend
5531 yes | yes | yes | yes
5532 Arguments :
5533 <network> is an optional argument used to disable this option for sources
5534 matching <network>
5535 <name> an optional argument to specify a different "X-Original-To"
5536 header name.
5537
5538 Since HAProxy can work in transparent mode, every request from a client can
5539 be redirected to the proxy and HAProxy itself can proxy every request to a
5540 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
5541 be lost. This is annoying when you want access rules based on destination ip
5542 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
5543 added by HAProxy to all requests sent to the server. This header contains a
5544 value representing the original destination IP address. Since this must be
5545 configured to always use the last occurrence of this header only. Note that
5546 only the last occurrence of the header must be used, since it is really
5547 possible that the client has already brought one.
5548
5549 The keyword "header" may be used to supply a different header name to replace
5550 the default "X-Original-To". This can be useful where you might already
5551 have a "X-Original-To" header from a different application, and you need
5552 preserve it. Also if your backend server doesn't use the "X-Original-To"
5553 header and requires different one.
5554
5555 Sometimes, a same HAProxy instance may be shared between a direct client
5556 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
5557 used to decrypt HTTPS traffic). It is possible to disable the addition of the
5558 header for a known source address or network by adding the "except" keyword
5559 followed by the network address. In this case, any source IP matching the
5560 network will not cause an addition of this header. Most common uses are with
5561 private networks or 127.0.0.1.
5562
5563 This option may be specified either in the frontend or in the backend. If at
5564 least one of them uses it, the header will be added. Note that the backend's
5565 setting of the header subargument takes precedence over the frontend's if
5566 both are defined.
5567
Willy Tarreau55165fe2009-05-10 12:02:55 +02005568 Examples :
5569 # Original Destination address
5570 frontend www
5571 mode http
5572 option originalto except 127.0.0.1
5573
5574 # Those servers want the IP Address in X-Client-Dst
5575 backend www
5576 mode http
5577 option originalto header X-Client-Dst
5578
Willy Tarreau87cf5142011-08-19 22:57:24 +02005579 See also : "option httpclose", "option http-server-close",
5580 "option forceclose"
Willy Tarreau55165fe2009-05-10 12:02:55 +02005581
5582
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005583option persist
5584no option persist
5585 Enable or disable forced persistence on down servers
5586 May be used in sections: defaults | frontend | listen | backend
5587 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005588 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005589
5590 When an HTTP request reaches a backend with a cookie which references a dead
5591 server, by default it is redispatched to another server. It is possible to
5592 force the request to be sent to the dead server first using "option persist"
5593 if absolutely needed. A common use case is when servers are under extreme
5594 load and spend their time flapping. In this case, the users would still be
5595 directed to the server they opened the session on, in the hope they would be
5596 correctly served. It is recommended to use "option redispatch" in conjunction
5597 with this option so that in the event it would not be possible to connect to
5598 the server at all (server definitely dead), the client would finally be
5599 redirected to another valid server.
5600
5601 If this option has been enabled in a "defaults" section, it can be disabled
5602 in a specific instance by prepending the "no" keyword before it.
5603
Willy Tarreau4de91492010-01-22 19:10:05 +01005604 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005605
5606
Willy Tarreau0c122822013-12-15 18:49:01 +01005607option pgsql-check [ user <username> ]
5608 Use PostgreSQL health checks for server testing
5609 May be used in sections : defaults | frontend | listen | backend
5610 yes | no | yes | yes
5611 Arguments :
5612 <username> This is the username which will be used when connecting to
5613 PostgreSQL server.
5614
5615 The check sends a PostgreSQL StartupMessage and waits for either
5616 Authentication request or ErrorResponse message. It is a basic but useful
5617 test which does not produce error nor aborted connect on the server.
5618 This check is identical with the "mysql-check".
5619
5620 See also: "option httpchk"
5621
5622
Willy Tarreau9420b122013-12-15 18:58:25 +01005623option prefer-last-server
5624no option prefer-last-server
5625 Allow multiple load balanced requests to remain on the same server
5626 May be used in sections: defaults | frontend | listen | backend
5627 yes | no | yes | yes
5628 Arguments : none
5629
5630 When the load balancing algorithm in use is not deterministic, and a previous
5631 request was sent to a server to which haproxy still holds a connection, it is
5632 sometimes desirable that subsequent requests on a same session go to the same
5633 server as much as possible. Note that this is different from persistence, as
5634 we only indicate a preference which haproxy tries to apply without any form
5635 of warranty. The real use is for keep-alive connections sent to servers. When
5636 this option is used, haproxy will try to reuse the same connection that is
5637 attached to the server instead of rebalancing to another server, causing a
5638 close of the connection. This can make sense for static file servers. It does
Willy Tarreau068621e2013-12-23 15:11:25 +01005639 not make much sense to use this in combination with hashing algorithms. Note,
5640 haproxy already automatically tries to stick to a server which sends a 401 or
5641 to a proxy which sends a 407 (authentication required). This is mandatory for
5642 use with the broken NTLM authentication challenge, and significantly helps in
5643 troubleshooting some faulty applications. Option prefer-last-server might be
5644 desirable in these environments as well, to avoid redistributing the traffic
5645 after every other response.
Willy Tarreau9420b122013-12-15 18:58:25 +01005646
5647 If this option has been enabled in a "defaults" section, it can be disabled
5648 in a specific instance by prepending the "no" keyword before it.
5649
5650 See also: "option http-keep-alive"
5651
5652
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005653option redispatch
Joseph Lynch726ab712015-05-11 23:25:34 -07005654option redispatch <interval>
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005655no option redispatch
5656 Enable or disable session redistribution in case of connection failure
5657 May be used in sections: defaults | frontend | listen | backend
5658 yes | no | yes | yes
Joseph Lynch726ab712015-05-11 23:25:34 -07005659 Arguments :
5660 <interval> The optional integer value that controls how often redispatches
5661 occur when retrying connections. Positive value P indicates a
5662 redispatch is desired on every Pth retry, and negative value
5663 N indicate a redispath is desired on the Nth retry prior to the
5664 last retry. For example, the default of -1 preserves the
5665 historical behaviour of redispatching on the last retry, a
5666 positive value of 1 would indicate a redispatch on every retry,
5667 and a positive value of 3 would indicate a redispatch on every
5668 third retry. You can disable redispatches with a value of 0.
5669
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005670
5671 In HTTP mode, if a server designated by a cookie is down, clients may
5672 definitely stick to it because they cannot flush the cookie, so they will not
5673 be able to access the service anymore.
5674
5675 Specifying "option redispatch" will allow the proxy to break their
5676 persistence and redistribute them to a working server.
5677
Joseph Lynch726ab712015-05-11 23:25:34 -07005678 It also allows to retry connections to another server in case of multiple
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005679 connection failures. Of course, it requires having "retries" set to a nonzero
5680 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005681
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005682 This form is the preferred form, which replaces both the "redispatch" and
5683 "redisp" keywords.
5684
5685 If this option has been enabled in a "defaults" section, it can be disabled
5686 in a specific instance by prepending the "no" keyword before it.
5687
Willy Tarreau4de91492010-01-22 19:10:05 +01005688 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005689
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005690
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02005691option redis-check
5692 Use redis health checks for server testing
5693 May be used in sections : defaults | frontend | listen | backend
5694 yes | no | yes | yes
5695 Arguments : none
5696
5697 It is possible to test that the server correctly talks REDIS protocol instead
5698 of just testing that it accepts the TCP connection. When this option is set,
5699 a PING redis command is sent to the server, and the response is analyzed to
5700 find the "+PONG" response message.
5701
5702 Example :
5703 option redis-check
5704
5705 See also : "option httpchk"
5706
5707
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005708option smtpchk
5709option smtpchk <hello> <domain>
5710 Use SMTP health checks for server testing
5711 May be used in sections : defaults | frontend | listen | backend
5712 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01005713 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005714 <hello> is an optional argument. It is the "hello" command to use. It can
5715 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
5716 values will be turned into the default command ("HELO").
5717
5718 <domain> is the domain name to present to the server. It may only be
5719 specified (and is mandatory) if the hello command has been
5720 specified. By default, "localhost" is used.
5721
5722 When "option smtpchk" is set, the health checks will consist in TCP
5723 connections followed by an SMTP command. By default, this command is
5724 "HELO localhost". The server's return code is analyzed and only return codes
5725 starting with a "2" will be considered as valid. All other responses,
5726 including a lack of response will constitute an error and will indicate a
5727 dead server.
5728
5729 This test is meant to be used with SMTP servers or relays. Depending on the
5730 request, it is possible that some servers do not log each connection attempt,
5731 so you may want to experiment to improve the behaviour. Using telnet on port
5732 25 is often easier than adjusting the configuration.
5733
5734 Most often, an incoming SMTP server needs to see the client's IP address for
5735 various purposes, including spam filtering, anti-spoofing and logging. When
5736 possible, it is often wise to masquerade the client's IP address when
5737 connecting to the server using the "usesrc" argument of the "source" keyword,
Willy Tarreau29fbe512015-08-20 19:35:14 +02005738 which requires the transparent proxy feature to be compiled in.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005739
5740 Example :
5741 option smtpchk HELO mydomain.org
5742
5743 See also : "option httpchk", "source"
5744
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005745
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02005746option socket-stats
5747no option socket-stats
5748
5749 Enable or disable collecting & providing separate statistics for each socket.
5750 May be used in sections : defaults | frontend | listen | backend
5751 yes | yes | yes | no
5752
5753 Arguments : none
5754
5755
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005756option splice-auto
5757no option splice-auto
5758 Enable or disable automatic kernel acceleration on sockets in both directions
5759 May be used in sections : defaults | frontend | listen | backend
5760 yes | yes | yes | yes
5761 Arguments : none
5762
5763 When this option is enabled either on a frontend or on a backend, haproxy
5764 will automatically evaluate the opportunity to use kernel tcp splicing to
5765 forward data between the client and the server, in either direction. Haproxy
5766 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005767 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005768 are not much aggressive in order to limit excessive use of splicing. This
5769 option requires splicing to be enabled at compile time, and may be globally
5770 disabled with the global option "nosplice". Since splice uses pipes, using it
5771 requires that there are enough spare pipes.
5772
5773 Important note: kernel-based TCP splicing is a Linux-specific feature which
5774 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
5775 transfer data between sockets without copying these data to user-space, thus
5776 providing noticeable performance gains and CPU cycles savings. Since many
5777 early implementations are buggy, corrupt data and/or are inefficient, this
5778 feature is not enabled by default, and it should be used with extreme care.
5779 While it is not possible to detect the correctness of an implementation,
5780 2.6.29 is the first version offering a properly working implementation. In
5781 case of doubt, splicing may be globally disabled using the global "nosplice"
5782 keyword.
5783
5784 Example :
5785 option splice-auto
5786
5787 If this option has been enabled in a "defaults" section, it can be disabled
5788 in a specific instance by prepending the "no" keyword before it.
5789
5790 See also : "option splice-request", "option splice-response", and global
5791 options "nosplice" and "maxpipes"
5792
5793
5794option splice-request
5795no option splice-request
5796 Enable or disable automatic kernel acceleration on sockets for requests
5797 May be used in sections : defaults | frontend | listen | backend
5798 yes | yes | yes | yes
5799 Arguments : none
5800
5801 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005802 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005803 the client to the server. It might still use the recv/send scheme if there
5804 are no spare pipes left. This option requires splicing to be enabled at
5805 compile time, and may be globally disabled with the global option "nosplice".
5806 Since splice uses pipes, using it requires that there are enough spare pipes.
5807
5808 Important note: see "option splice-auto" for usage limitations.
5809
5810 Example :
5811 option splice-request
5812
5813 If this option has been enabled in a "defaults" section, it can be disabled
5814 in a specific instance by prepending the "no" keyword before it.
5815
5816 See also : "option splice-auto", "option splice-response", and global options
5817 "nosplice" and "maxpipes"
5818
5819
5820option splice-response
5821no option splice-response
5822 Enable or disable automatic kernel acceleration on sockets for responses
5823 May be used in sections : defaults | frontend | listen | backend
5824 yes | yes | yes | yes
5825 Arguments : none
5826
5827 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005828 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005829 the server to the client. It might still use the recv/send scheme if there
5830 are no spare pipes left. This option requires splicing to be enabled at
5831 compile time, and may be globally disabled with the global option "nosplice".
5832 Since splice uses pipes, using it requires that there are enough spare pipes.
5833
5834 Important note: see "option splice-auto" for usage limitations.
5835
5836 Example :
5837 option splice-response
5838
5839 If this option has been enabled in a "defaults" section, it can be disabled
5840 in a specific instance by prepending the "no" keyword before it.
5841
5842 See also : "option splice-auto", "option splice-request", and global options
5843 "nosplice" and "maxpipes"
5844
5845
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005846option srvtcpka
5847no option srvtcpka
5848 Enable or disable the sending of TCP keepalive packets on the server side
5849 May be used in sections : defaults | frontend | listen | backend
5850 yes | no | yes | yes
5851 Arguments : none
5852
5853 When there is a firewall or any session-aware component between a client and
5854 a server, and when the protocol involves very long sessions with long idle
5855 periods (eg: remote desktops), there is a risk that one of the intermediate
5856 components decides to expire a session which has remained idle for too long.
5857
5858 Enabling socket-level TCP keep-alives makes the system regularly send packets
5859 to the other end of the connection, leaving it active. The delay between
5860 keep-alive probes is controlled by the system only and depends both on the
5861 operating system and its tuning parameters.
5862
5863 It is important to understand that keep-alive packets are neither emitted nor
5864 received at the application level. It is only the network stacks which sees
5865 them. For this reason, even if one side of the proxy already uses keep-alives
5866 to maintain its connection alive, those keep-alive packets will not be
5867 forwarded to the other side of the proxy.
5868
5869 Please note that this has nothing to do with HTTP keep-alive.
5870
5871 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
5872 server side of a connection, which should help when session expirations are
5873 noticed between HAProxy and a server.
5874
5875 If this option has been enabled in a "defaults" section, it can be disabled
5876 in a specific instance by prepending the "no" keyword before it.
5877
5878 See also : "option clitcpka", "option tcpka"
5879
5880
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005881option ssl-hello-chk
5882 Use SSLv3 client hello health checks for server testing
5883 May be used in sections : defaults | frontend | listen | backend
5884 yes | no | yes | yes
5885 Arguments : none
5886
5887 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
5888 possible to test that the server correctly talks SSL instead of just testing
5889 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
5890 SSLv3 client hello messages are sent once the connection is established to
5891 the server, and the response is analyzed to find an SSL server hello message.
5892 The server is considered valid only when the response contains this server
5893 hello message.
5894
5895 All servers tested till there correctly reply to SSLv3 client hello messages,
5896 and most servers tested do not even log the requests containing only hello
5897 messages, which is appreciable.
5898
Willy Tarreau763a95b2012-10-04 23:15:39 +02005899 Note that this check works even when SSL support was not built into haproxy
5900 because it forges the SSL message. When SSL support is available, it is best
5901 to use native SSL health checks instead of this one.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005902
Willy Tarreau763a95b2012-10-04 23:15:39 +02005903 See also: "option httpchk", "check-ssl"
5904
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005905
Willy Tarreaued179852013-12-16 01:07:00 +01005906option tcp-check
5907 Perform health checks using tcp-check send/expect sequences
5908 May be used in sections: defaults | frontend | listen | backend
5909 yes | no | yes | yes
5910
5911 This health check method is intended to be combined with "tcp-check" command
5912 lists in order to support send/expect types of health check sequences.
5913
5914 TCP checks currently support 4 modes of operations :
5915 - no "tcp-check" directive : the health check only consists in a connection
5916 attempt, which remains the default mode.
5917
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005918 - "tcp-check send" or "tcp-check send-binary" only is mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005919 used to send a string along with a connection opening. With some
5920 protocols, it helps sending a "QUIT" message for example that prevents
5921 the server from logging a connection error for each health check. The
5922 check result will still be based on the ability to open the connection
5923 only.
5924
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005925 - "tcp-check expect" only is mentioned : this is used to test a banner.
Willy Tarreaued179852013-12-16 01:07:00 +01005926 The connection is opened and haproxy waits for the server to present some
5927 contents which must validate some rules. The check result will be based
5928 on the matching between the contents and the rules. This is suited for
5929 POP, IMAP, SMTP, FTP, SSH, TELNET.
5930
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005931 - both "tcp-check send" and "tcp-check expect" are mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005932 used to test a hello-type protocol. Haproxy sends a message, the server
5933 responds and its response is analysed. the check result will be based on
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005934 the matching between the response contents and the rules. This is often
Willy Tarreaued179852013-12-16 01:07:00 +01005935 suited for protocols which require a binding or a request/response model.
5936 LDAP, MySQL, Redis and SSL are example of such protocols, though they
5937 already all have their dedicated checks with a deeper understanding of
5938 the respective protocols.
5939 In this mode, many questions may be sent and many answers may be
5940 analysed.
5941
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005942 A fifth mode can be used to insert comments in different steps of the
5943 script.
5944
5945 For each tcp-check rule you create, you can add a "comment" directive,
5946 followed by a string. This string will be reported in the log and stderr
5947 in debug mode. It is useful to make user-friendly error reporting.
5948 The "comment" is of course optional.
5949
5950
Willy Tarreaued179852013-12-16 01:07:00 +01005951 Examples :
5952 # perform a POP check (analyse only server's banner)
5953 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005954 tcp-check expect string +OK\ POP3\ ready comment POP\ protocol
Willy Tarreaued179852013-12-16 01:07:00 +01005955
5956 # perform an IMAP check (analyse only server's banner)
5957 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005958 tcp-check expect string *\ OK\ IMAP4\ ready comment IMAP\ protocol
Willy Tarreaued179852013-12-16 01:07:00 +01005959
5960 # look for the redis master server after ensuring it speaks well
5961 # redis protocol, then it exits properly.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005962 # (send a command then analyse the response 3 times)
Willy Tarreaued179852013-12-16 01:07:00 +01005963 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005964 tcp-check comment PING\ phase
Willy Tarreaued179852013-12-16 01:07:00 +01005965 tcp-check send PING\r\n
Baptiste Assmanna3322992015-08-04 10:12:18 +02005966 tcp-check expect string +PONG
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005967 tcp-check comment role\ check
Willy Tarreaued179852013-12-16 01:07:00 +01005968 tcp-check send info\ replication\r\n
5969 tcp-check expect string role:master
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005970 tcp-check comment QUIT\ phase
Willy Tarreaued179852013-12-16 01:07:00 +01005971 tcp-check send QUIT\r\n
5972 tcp-check expect string +OK
5973
5974 forge a HTTP request, then analyse the response
5975 (send many headers before analyzing)
5976 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005977 tcp-check comment forge\ and\ send\ HTTP\ request
Willy Tarreaued179852013-12-16 01:07:00 +01005978 tcp-check send HEAD\ /\ HTTP/1.1\r\n
5979 tcp-check send Host:\ www.mydomain.com\r\n
5980 tcp-check send User-Agent:\ HAProxy\ tcpcheck\r\n
5981 tcp-check send \r\n
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02005982 tcp-check expect rstring HTTP/1\..\ (2..|3..) comment check\ HTTP\ response
Willy Tarreaued179852013-12-16 01:07:00 +01005983
5984
5985 See also : "tcp-check expect", "tcp-check send"
5986
5987
Willy Tarreau9ea05a72009-06-14 12:07:01 +02005988option tcp-smart-accept
5989no option tcp-smart-accept
5990 Enable or disable the saving of one ACK packet during the accept sequence
5991 May be used in sections : defaults | frontend | listen | backend
5992 yes | yes | yes | no
5993 Arguments : none
5994
5995 When an HTTP connection request comes in, the system acknowledges it on
5996 behalf of HAProxy, then the client immediately sends its request, and the
5997 system acknowledges it too while it is notifying HAProxy about the new
5998 connection. HAProxy then reads the request and responds. This means that we
5999 have one TCP ACK sent by the system for nothing, because the request could
6000 very well be acknowledged by HAProxy when it sends its response.
6001
6002 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
6003 sending this useless ACK on platforms which support it (currently at least
6004 Linux). It must not cause any problem, because the system will send it anyway
6005 after 40 ms if the response takes more time than expected to come.
6006
6007 During complex network debugging sessions, it may be desirable to disable
6008 this optimization because delayed ACKs can make troubleshooting more complex
6009 when trying to identify where packets are delayed. It is then possible to
6010 fall back to normal behaviour by specifying "no option tcp-smart-accept".
6011
6012 It is also possible to force it for non-HTTP proxies by simply specifying
6013 "option tcp-smart-accept". For instance, it can make sense with some services
6014 such as SMTP where the server speaks first.
6015
6016 It is recommended to avoid forcing this option in a defaults section. In case
6017 of doubt, consider setting it back to automatic values by prepending the
6018 "default" keyword before it, or disabling it using the "no" keyword.
6019
Willy Tarreaud88edf22009-06-14 15:48:17 +02006020 See also : "option tcp-smart-connect"
6021
6022
6023option tcp-smart-connect
6024no option tcp-smart-connect
6025 Enable or disable the saving of one ACK packet during the connect sequence
6026 May be used in sections : defaults | frontend | listen | backend
6027 yes | no | yes | yes
6028 Arguments : none
6029
6030 On certain systems (at least Linux), HAProxy can ask the kernel not to
6031 immediately send an empty ACK upon a connection request, but to directly
6032 send the buffer request instead. This saves one packet on the network and
6033 thus boosts performance. It can also be useful for some servers, because they
6034 immediately get the request along with the incoming connection.
6035
6036 This feature is enabled when "option tcp-smart-connect" is set in a backend.
6037 It is not enabled by default because it makes network troubleshooting more
6038 complex.
6039
6040 It only makes sense to enable it with protocols where the client speaks first
6041 such as HTTP. In other situations, if there is no data to send in place of
6042 the ACK, a normal ACK is sent.
6043
6044 If this option has been enabled in a "defaults" section, it can be disabled
6045 in a specific instance by prepending the "no" keyword before it.
6046
6047 See also : "option tcp-smart-accept"
6048
Willy Tarreau9ea05a72009-06-14 12:07:01 +02006049
Willy Tarreaubf1f8162007-12-28 17:42:56 +01006050option tcpka
6051 Enable or disable the sending of TCP keepalive packets on both sides
6052 May be used in sections : defaults | frontend | listen | backend
6053 yes | yes | yes | yes
6054 Arguments : none
6055
6056 When there is a firewall or any session-aware component between a client and
6057 a server, and when the protocol involves very long sessions with long idle
6058 periods (eg: remote desktops), there is a risk that one of the intermediate
6059 components decides to expire a session which has remained idle for too long.
6060
6061 Enabling socket-level TCP keep-alives makes the system regularly send packets
6062 to the other end of the connection, leaving it active. The delay between
6063 keep-alive probes is controlled by the system only and depends both on the
6064 operating system and its tuning parameters.
6065
6066 It is important to understand that keep-alive packets are neither emitted nor
6067 received at the application level. It is only the network stacks which sees
6068 them. For this reason, even if one side of the proxy already uses keep-alives
6069 to maintain its connection alive, those keep-alive packets will not be
6070 forwarded to the other side of the proxy.
6071
6072 Please note that this has nothing to do with HTTP keep-alive.
6073
6074 Using option "tcpka" enables the emission of TCP keep-alive probes on both
6075 the client and server sides of a connection. Note that this is meaningful
6076 only in "defaults" or "listen" sections. If this option is used in a
6077 frontend, only the client side will get keep-alives, and if this option is
6078 used in a backend, only the server side will get keep-alives. For this
6079 reason, it is strongly recommended to explicitly use "option clitcpka" and
6080 "option srvtcpka" when the configuration is split between frontends and
6081 backends.
6082
6083 See also : "option clitcpka", "option srvtcpka"
6084
Willy Tarreau844e3c52008-01-11 16:28:18 +01006085
6086option tcplog
6087 Enable advanced logging of TCP connections with session state and timers
6088 May be used in sections : defaults | frontend | listen | backend
6089 yes | yes | yes | yes
6090 Arguments : none
6091
6092 By default, the log output format is very poor, as it only contains the
6093 source and destination addresses, and the instance name. By specifying
6094 "option tcplog", each log line turns into a much richer format including, but
6095 not limited to, the connection timers, the session status, the connections
6096 numbers, the frontend, backend and server name, and of course the source
6097 address and ports. This option is useful for pure TCP proxies in order to
6098 find which of the client or server disconnects or times out. For normal HTTP
6099 proxies, it's better to use "option httplog" which is even more complete.
6100
6101 This option may be set either in the frontend or the backend.
6102
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006103 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006104
6105
Willy Tarreau844e3c52008-01-11 16:28:18 +01006106option transparent
6107no option transparent
6108 Enable client-side transparent proxying
6109 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01006110 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01006111 Arguments : none
6112
6113 This option was introduced in order to provide layer 7 persistence to layer 3
6114 load balancers. The idea is to use the OS's ability to redirect an incoming
6115 connection for a remote address to a local process (here HAProxy), and let
6116 this process know what address was initially requested. When this option is
6117 used, sessions without cookies will be forwarded to the original destination
6118 IP address of the incoming request (which should match that of another
6119 equipment), while requests with cookies will still be forwarded to the
6120 appropriate server.
6121
6122 Note that contrary to a common belief, this option does NOT make HAProxy
6123 present the client's IP to the server when establishing the connection.
6124
Willy Tarreaua1146052011-03-01 09:51:54 +01006125 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006126 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006127
Willy Tarreaubf1f8162007-12-28 17:42:56 +01006128
Simon Horman98637e52014-06-20 12:30:16 +09006129external-check command <command>
6130 Executable to run when performing an external-check
6131 May be used in sections : defaults | frontend | listen | backend
6132 yes | no | yes | yes
6133
6134 Arguments :
6135 <command> is the external command to run
6136
Simon Horman98637e52014-06-20 12:30:16 +09006137 The arguments passed to the to the command are:
6138
Cyril Bonté777be862014-12-02 21:21:35 +01006139 <proxy_address> <proxy_port> <server_address> <server_port>
Simon Horman98637e52014-06-20 12:30:16 +09006140
Cyril Bonté777be862014-12-02 21:21:35 +01006141 The <proxy_address> and <proxy_port> are derived from the first listener
6142 that is either IPv4, IPv6 or a UNIX socket. In the case of a UNIX socket
6143 listener the proxy_address will be the path of the socket and the
6144 <proxy_port> will be the string "NOT_USED". In a backend section, it's not
6145 possible to determine a listener, and both <proxy_address> and <proxy_port>
6146 will have the string value "NOT_USED".
Simon Horman98637e52014-06-20 12:30:16 +09006147
Cyril Bonté72cda2a2014-12-27 22:28:39 +01006148 Some values are also provided through environment variables.
6149
6150 Environment variables :
6151 HAPROXY_PROXY_ADDR The first bind address if available (or empty if not
6152 applicable, for example in a "backend" section).
6153
6154 HAPROXY_PROXY_ID The backend id.
6155
6156 HAPROXY_PROXY_NAME The backend name.
6157
6158 HAPROXY_PROXY_PORT The first bind port if available (or empty if not
6159 applicable, for example in a "backend" section or
6160 for a UNIX socket).
6161
6162 HAPROXY_SERVER_ADDR The server address.
6163
6164 HAPROXY_SERVER_CURCONN The current number of connections on the server.
6165
6166 HAPROXY_SERVER_ID The server id.
6167
6168 HAPROXY_SERVER_MAXCONN The server max connections.
6169
6170 HAPROXY_SERVER_NAME The server name.
6171
6172 HAPROXY_SERVER_PORT The server port if available (or empty for a UNIX
6173 socket).
6174
6175 PATH The PATH environment variable used when executing
6176 the command may be set using "external-check path".
6177
Simon Horman98637e52014-06-20 12:30:16 +09006178 If the command executed and exits with a zero status then the check is
6179 considered to have passed, otherwise the check is considered to have
6180 failed.
6181
6182 Example :
6183 external-check command /bin/true
6184
6185 See also : "external-check", "option external-check", "external-check path"
6186
6187
6188external-check path <path>
6189 The value of the PATH environment variable used when running an external-check
6190 May be used in sections : defaults | frontend | listen | backend
6191 yes | no | yes | yes
6192
6193 Arguments :
6194 <path> is the path used when executing external command to run
6195
6196 The default path is "".
6197
6198 Example :
6199 external-check path "/usr/bin:/bin"
6200
6201 See also : "external-check", "option external-check",
6202 "external-check command"
6203
6204
Emeric Brun647caf12009-06-30 17:57:00 +02006205persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02006206persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02006207 Enable RDP cookie-based persistence
6208 May be used in sections : defaults | frontend | listen | backend
6209 yes | no | yes | yes
6210 Arguments :
6211 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02006212 default cookie name "msts" will be used. There currently is no
6213 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02006214
6215 This statement enables persistence based on an RDP cookie. The RDP cookie
6216 contains all information required to find the server in the list of known
6217 servers. So when this option is set in the backend, the request is analysed
6218 and if an RDP cookie is found, it is decoded. If it matches a known server
6219 which is still UP (or if "option persist" is set), then the connection is
6220 forwarded to this server.
6221
6222 Note that this only makes sense in a TCP backend, but for this to work, the
6223 frontend must have waited long enough to ensure that an RDP cookie is present
6224 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006225 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02006226 a single "listen" section.
6227
Willy Tarreau61e28f22010-05-16 22:31:05 +02006228 Also, it is important to understand that the terminal server will emit this
6229 RDP cookie only if it is configured for "token redirection mode", which means
6230 that the "IP address redirection" option is disabled.
6231
Emeric Brun647caf12009-06-30 17:57:00 +02006232 Example :
6233 listen tse-farm
6234 bind :3389
6235 # wait up to 5s for an RDP cookie in the request
6236 tcp-request inspect-delay 5s
6237 tcp-request content accept if RDP_COOKIE
6238 # apply RDP cookie persistence
6239 persist rdp-cookie
6240 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02006241 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02006242 balance rdp-cookie
6243 server srv1 1.1.1.1:3389
6244 server srv2 1.1.1.2:3389
6245
Simon Hormanab814e02011-06-24 14:50:20 +09006246 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
6247 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02006248
6249
Willy Tarreau3a7d2072009-03-05 23:48:25 +01006250rate-limit sessions <rate>
6251 Set a limit on the number of new sessions accepted per second on a frontend
6252 May be used in sections : defaults | frontend | listen | backend
6253 yes | yes | yes | no
6254 Arguments :
6255 <rate> The <rate> parameter is an integer designating the maximum number
6256 of new sessions per second to accept on the frontend.
6257
6258 When the frontend reaches the specified number of new sessions per second, it
6259 stops accepting new connections until the rate drops below the limit again.
6260 During this time, the pending sessions will be kept in the socket's backlog
6261 (in system buffers) and haproxy will not even be aware that sessions are
6262 pending. When applying very low limit on a highly loaded service, it may make
6263 sense to increase the socket's backlog using the "backlog" keyword.
6264
6265 This feature is particularly efficient at blocking connection-based attacks
6266 or service abuse on fragile servers. Since the session rate is measured every
6267 millisecond, it is extremely accurate. Also, the limit applies immediately,
6268 no delay is needed at all to detect the threshold.
6269
6270 Example : limit the connection rate on SMTP to 10 per second max
6271 listen smtp
6272 mode tcp
6273 bind :25
6274 rate-limit sessions 10
6275 server 127.0.0.1:1025
6276
Willy Tarreaua17c2d92011-07-25 08:16:20 +02006277 Note : when the maximum rate is reached, the frontend's status is not changed
6278 but its sockets appear as "WAITING" in the statistics if the
6279 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01006280
6281 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
6282
6283
Willy Tarreau2e1dca82012-09-12 08:43:15 +02006284redirect location <loc> [code <code>] <option> [{if | unless} <condition>]
6285redirect prefix <pfx> [code <code>] <option> [{if | unless} <condition>]
6286redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02006287 Return an HTTP redirection if/unless a condition is matched
6288 May be used in sections : defaults | frontend | listen | backend
6289 no | yes | yes | yes
6290
6291 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01006292 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02006293
Willy Tarreau0140f252008-11-19 21:07:09 +01006294 Arguments :
Willy Tarreau2e1dca82012-09-12 08:43:15 +02006295 <loc> With "redirect location", the exact value in <loc> is placed into
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01006296 the HTTP "Location" header. When used in an "http-request" rule,
6297 <loc> value follows the log-format rules and can include some
6298 dynamic values (see Custom Log Format in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02006299
6300 <pfx> With "redirect prefix", the "Location" header is built from the
6301 concatenation of <pfx> and the complete URI path, including the
6302 query string, unless the "drop-query" option is specified (see
6303 below). As a special case, if <pfx> equals exactly "/", then
6304 nothing is inserted before the original URI. It allows one to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01006305 redirect to the same URL (for instance, to insert a cookie). When
6306 used in an "http-request" rule, <pfx> value follows the log-format
6307 rules and can include some dynamic values (see Custom Log Format
6308 in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02006309
6310 <sch> With "redirect scheme", then the "Location" header is built by
6311 concatenating <sch> with "://" then the first occurrence of the
6312 "Host" header, and then the URI path, including the query string
6313 unless the "drop-query" option is specified (see below). If no
6314 path is found or if the path is "*", then "/" is used instead. If
6315 no "Host" header is found, then an empty host component will be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03006316 returned, which most recent browsers interpret as redirecting to
Willy Tarreau2e1dca82012-09-12 08:43:15 +02006317 the same host. This directive is mostly used to redirect HTTP to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01006318 HTTPS. When used in an "http-request" rule, <sch> value follows
6319 the log-format rules and can include some dynamic values (see
6320 Custom Log Format in section 8.2.4).
Willy Tarreau0140f252008-11-19 21:07:09 +01006321
6322 <code> The code is optional. It indicates which type of HTTP redirection
Willy Tarreaub67fdc42013-03-29 19:28:11 +01006323 is desired. Only codes 301, 302, 303, 307 and 308 are supported,
6324 with 302 used by default if no code is specified. 301 means
6325 "Moved permanently", and a browser may cache the Location. 302
Baptiste Assmannea849c02015-08-03 11:42:50 +02006326 means "Moved temporarily" and means that the browser should not
Willy Tarreaub67fdc42013-03-29 19:28:11 +01006327 cache the redirection. 303 is equivalent to 302 except that the
6328 browser will fetch the location with a GET method. 307 is just
6329 like 302 but makes it clear that the same method must be reused.
6330 Likewise, 308 replaces 301 if the same method must be used.
Willy Tarreau0140f252008-11-19 21:07:09 +01006331
6332 <option> There are several options which can be specified to adjust the
6333 expected behaviour of a redirection :
6334
6335 - "drop-query"
6336 When this keyword is used in a prefix-based redirection, then the
6337 location will be set without any possible query-string, which is useful
6338 for directing users to a non-secure page for instance. It has no effect
6339 with a location-type redirect.
6340
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01006341 - "append-slash"
6342 This keyword may be used in conjunction with "drop-query" to redirect
6343 users who use a URL not ending with a '/' to the same one with the '/'.
6344 It can be useful to ensure that search engines will only see one URL.
6345 For this, a return code 301 is preferred.
6346
Willy Tarreau0140f252008-11-19 21:07:09 +01006347 - "set-cookie NAME[=value]"
6348 A "Set-Cookie" header will be added with NAME (and optionally "=value")
6349 to the response. This is sometimes used to indicate that a user has
6350 been seen, for instance to protect against some types of DoS. No other
6351 cookie option is added, so the cookie will be a session cookie. Note
6352 that for a browser, a sole cookie name without an equal sign is
6353 different from a cookie with an equal sign.
6354
6355 - "clear-cookie NAME[=]"
6356 A "Set-Cookie" header will be added with NAME (and optionally "="), but
6357 with the "Max-Age" attribute set to zero. This will tell the browser to
6358 delete this cookie. It is useful for instance on logout pages. It is
6359 important to note that clearing the cookie "NAME" will not remove a
6360 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
6361 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02006362
6363 Example: move the login URL only to HTTPS.
6364 acl clear dst_port 80
6365 acl secure dst_port 8080
6366 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01006367 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01006368 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01006369 acl cookie_set hdr_sub(cookie) SEEN=1
6370
6371 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01006372 redirect prefix https://mysite.com if login_page !secure
6373 redirect prefix http://mysite.com drop-query if login_page !uid_given
6374 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01006375 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02006376
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01006377 Example: send redirects for request for articles without a '/'.
6378 acl missing_slash path_reg ^/article/[^/]*$
6379 redirect code 301 prefix / drop-query append-slash if missing_slash
6380
Willy Tarreau2e1dca82012-09-12 08:43:15 +02006381 Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
David BERARDe7153042012-11-03 00:11:31 +01006382 redirect scheme https if !{ ssl_fc }
Willy Tarreau2e1dca82012-09-12 08:43:15 +02006383
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01006384 Example: append 'www.' prefix in front of all hosts not having it
6385 http-request redirect code 301 location www.%[hdr(host)]%[req.uri] \
6386 unless { hdr_beg(host) -i www }
6387
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006388 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02006389
6390
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01006391redisp (deprecated)
6392redispatch (deprecated)
6393 Enable or disable session redistribution in case of connection failure
6394 May be used in sections: defaults | frontend | listen | backend
6395 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006396 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01006397
6398 In HTTP mode, if a server designated by a cookie is down, clients may
6399 definitely stick to it because they cannot flush the cookie, so they will not
6400 be able to access the service anymore.
6401
6402 Specifying "redispatch" will allow the proxy to break their persistence and
6403 redistribute them to a working server.
6404
6405 It also allows to retry last connection to another server in case of multiple
6406 connection failures. Of course, it requires having "retries" set to a nonzero
6407 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01006408
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01006409 This form is deprecated, do not use it in any new configuration, use the new
6410 "option redispatch" instead.
6411
6412 See also : "option redispatch"
6413
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006414
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01006415reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01006416 Add a header at the end of the HTTP request
6417 May be used in sections : defaults | frontend | listen | backend
6418 no | yes | yes | yes
6419 Arguments :
6420 <string> is the complete line to be added. Any space or known delimiter
6421 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006422 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006423
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01006424 <cond> is an optional matching condition built from ACLs. It makes it
6425 possible to ignore this rule when other conditions are not met.
6426
Willy Tarreau303c0352008-01-17 19:01:39 +01006427 A new line consisting in <string> followed by a line feed will be added after
6428 the last header of an HTTP request.
6429
6430 Header transformations only apply to traffic which passes through HAProxy,
6431 and not to traffic generated by HAProxy, such as health-checks or error
6432 responses.
6433
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01006434 Example : add "X-Proto: SSL" to requests coming via port 81
6435 acl is-ssl dst_port 81
6436 reqadd X-Proto:\ SSL if is-ssl
6437
6438 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
6439 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006440
6441
Willy Tarreau5321c422010-01-28 20:35:13 +01006442reqallow <search> [{if | unless} <cond>]
6443reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006444 Definitely allow an HTTP request if a line matches a regular expression
6445 May be used in sections : defaults | frontend | listen | backend
6446 no | yes | yes | yes
6447 Arguments :
6448 <search> is the regular expression applied to HTTP headers and to the
6449 request line. This is an extended regular expression. Parenthesis
6450 grouping is supported and no preliminary backslash is required.
6451 Any space or known delimiter must be escaped using a backslash
6452 ('\'). The pattern applies to a full line at a time. The
6453 "reqallow" keyword strictly matches case while "reqiallow"
6454 ignores case.
6455
Willy Tarreau5321c422010-01-28 20:35:13 +01006456 <cond> is an optional matching condition built from ACLs. It makes it
6457 possible to ignore this rule when other conditions are not met.
6458
Willy Tarreau303c0352008-01-17 19:01:39 +01006459 A request containing any line which matches extended regular expression
6460 <search> will mark the request as allowed, even if any later test would
6461 result in a deny. The test applies both to the request line and to request
6462 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01006463 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01006464
6465 It is easier, faster and more powerful to use ACLs to write access policies.
6466 Reqdeny, reqallow and reqpass should be avoided in new designs.
6467
6468 Example :
6469 # allow www.* but refuse *.local
6470 reqiallow ^Host:\ www\.
6471 reqideny ^Host:\ .*\.local
6472
Willy Tarreau5321c422010-01-28 20:35:13 +01006473 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
6474 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006475
6476
Willy Tarreau5321c422010-01-28 20:35:13 +01006477reqdel <search> [{if | unless} <cond>]
6478reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006479 Delete all headers matching a regular expression in an HTTP request
6480 May be used in sections : defaults | frontend | listen | backend
6481 no | yes | yes | yes
6482 Arguments :
6483 <search> is the regular expression applied to HTTP headers and to the
6484 request line. This is an extended regular expression. Parenthesis
6485 grouping is supported and no preliminary backslash is required.
6486 Any space or known delimiter must be escaped using a backslash
6487 ('\'). The pattern applies to a full line at a time. The "reqdel"
6488 keyword strictly matches case while "reqidel" ignores case.
6489
Willy Tarreau5321c422010-01-28 20:35:13 +01006490 <cond> is an optional matching condition built from ACLs. It makes it
6491 possible to ignore this rule when other conditions are not met.
6492
Willy Tarreau303c0352008-01-17 19:01:39 +01006493 Any header line matching extended regular expression <search> in the request
6494 will be completely deleted. Most common use of this is to remove unwanted
6495 and/or dangerous headers or cookies from a request before passing it to the
6496 next servers.
6497
6498 Header transformations only apply to traffic which passes through HAProxy,
6499 and not to traffic generated by HAProxy, such as health-checks or error
6500 responses. Keep in mind that header names are not case-sensitive.
6501
6502 Example :
6503 # remove X-Forwarded-For header and SERVER cookie
6504 reqidel ^X-Forwarded-For:.*
6505 reqidel ^Cookie:.*SERVER=
6506
Willy Tarreau5321c422010-01-28 20:35:13 +01006507 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
6508 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006509
6510
Willy Tarreau5321c422010-01-28 20:35:13 +01006511reqdeny <search> [{if | unless} <cond>]
6512reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006513 Deny an HTTP request if a line matches a regular expression
6514 May be used in sections : defaults | frontend | listen | backend
6515 no | yes | yes | yes
6516 Arguments :
6517 <search> is the regular expression applied to HTTP headers and to the
6518 request line. This is an extended regular expression. Parenthesis
6519 grouping is supported and no preliminary backslash is required.
6520 Any space or known delimiter must be escaped using a backslash
6521 ('\'). The pattern applies to a full line at a time. The
6522 "reqdeny" keyword strictly matches case while "reqideny" ignores
6523 case.
6524
Willy Tarreau5321c422010-01-28 20:35:13 +01006525 <cond> is an optional matching condition built from ACLs. It makes it
6526 possible to ignore this rule when other conditions are not met.
6527
Willy Tarreau303c0352008-01-17 19:01:39 +01006528 A request containing any line which matches extended regular expression
6529 <search> will mark the request as denied, even if any later test would
6530 result in an allow. The test applies both to the request line and to request
6531 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01006532 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01006533
Willy Tarreauced27012008-01-17 20:35:34 +01006534 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006535 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01006536 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01006537
Willy Tarreau303c0352008-01-17 19:01:39 +01006538 It is easier, faster and more powerful to use ACLs to write access policies.
6539 Reqdeny, reqallow and reqpass should be avoided in new designs.
6540
6541 Example :
6542 # refuse *.local, then allow www.*
6543 reqideny ^Host:\ .*\.local
6544 reqiallow ^Host:\ www\.
6545
Willy Tarreau5321c422010-01-28 20:35:13 +01006546 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
6547 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006548
6549
Willy Tarreau5321c422010-01-28 20:35:13 +01006550reqpass <search> [{if | unless} <cond>]
6551reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006552 Ignore any HTTP request line matching a regular expression in next rules
6553 May be used in sections : defaults | frontend | listen | backend
6554 no | yes | yes | yes
6555 Arguments :
6556 <search> is the regular expression applied to HTTP headers and to the
6557 request line. This is an extended regular expression. Parenthesis
6558 grouping is supported and no preliminary backslash is required.
6559 Any space or known delimiter must be escaped using a backslash
6560 ('\'). The pattern applies to a full line at a time. The
6561 "reqpass" keyword strictly matches case while "reqipass" ignores
6562 case.
6563
Willy Tarreau5321c422010-01-28 20:35:13 +01006564 <cond> is an optional matching condition built from ACLs. It makes it
6565 possible to ignore this rule when other conditions are not met.
6566
Willy Tarreau303c0352008-01-17 19:01:39 +01006567 A request containing any line which matches extended regular expression
6568 <search> will skip next rules, without assigning any deny or allow verdict.
6569 The test applies both to the request line and to request headers. Keep in
6570 mind that URLs in request line are case-sensitive while header names are not.
6571
6572 It is easier, faster and more powerful to use ACLs to write access policies.
6573 Reqdeny, reqallow and reqpass should be avoided in new designs.
6574
6575 Example :
6576 # refuse *.local, then allow www.*, but ignore "www.private.local"
6577 reqipass ^Host:\ www.private\.local
6578 reqideny ^Host:\ .*\.local
6579 reqiallow ^Host:\ www\.
6580
Willy Tarreau5321c422010-01-28 20:35:13 +01006581 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
6582 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006583
6584
Willy Tarreau5321c422010-01-28 20:35:13 +01006585reqrep <search> <string> [{if | unless} <cond>]
6586reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006587 Replace a regular expression with a string in an HTTP request line
6588 May be used in sections : defaults | frontend | listen | backend
6589 no | yes | yes | yes
6590 Arguments :
6591 <search> is the regular expression applied to HTTP headers and to the
6592 request line. This is an extended regular expression. Parenthesis
6593 grouping is supported and no preliminary backslash is required.
6594 Any space or known delimiter must be escaped using a backslash
6595 ('\'). The pattern applies to a full line at a time. The "reqrep"
6596 keyword strictly matches case while "reqirep" ignores case.
6597
6598 <string> is the complete line to be added. Any space or known delimiter
6599 must be escaped using a backslash ('\'). References to matched
6600 pattern groups are possible using the common \N form, with N
6601 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006602 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006603
Willy Tarreau5321c422010-01-28 20:35:13 +01006604 <cond> is an optional matching condition built from ACLs. It makes it
6605 possible to ignore this rule when other conditions are not met.
6606
Willy Tarreau303c0352008-01-17 19:01:39 +01006607 Any line matching extended regular expression <search> in the request (both
6608 the request line and header lines) will be completely replaced with <string>.
6609 Most common use of this is to rewrite URLs or domain names in "Host" headers.
6610
6611 Header transformations only apply to traffic which passes through HAProxy,
6612 and not to traffic generated by HAProxy, such as health-checks or error
6613 responses. Note that for increased readability, it is suggested to add enough
6614 spaces between the request and the response. Keep in mind that URLs in
6615 request line are case-sensitive while header names are not.
6616
6617 Example :
6618 # replace "/static/" with "/" at the beginning of any request path.
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006619 reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2
Willy Tarreau303c0352008-01-17 19:01:39 +01006620 # replace "www.mydomain.com" with "www" in the host name.
6621 reqirep ^Host:\ www.mydomain.com Host:\ www
6622
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04006623 See also: "reqadd", "reqdel", "rsprep", "tune.bufsize", section 6 about
6624 HTTP header manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006625
6626
Willy Tarreau5321c422010-01-28 20:35:13 +01006627reqtarpit <search> [{if | unless} <cond>]
6628reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006629 Tarpit an HTTP request containing a line matching a regular expression
6630 May be used in sections : defaults | frontend | listen | backend
6631 no | yes | yes | yes
6632 Arguments :
6633 <search> is the regular expression applied to HTTP headers and to the
6634 request line. This is an extended regular expression. Parenthesis
6635 grouping is supported and no preliminary backslash is required.
6636 Any space or known delimiter must be escaped using a backslash
6637 ('\'). The pattern applies to a full line at a time. The
6638 "reqtarpit" keyword strictly matches case while "reqitarpit"
6639 ignores case.
6640
Willy Tarreau5321c422010-01-28 20:35:13 +01006641 <cond> is an optional matching condition built from ACLs. It makes it
6642 possible to ignore this rule when other conditions are not met.
6643
Willy Tarreau303c0352008-01-17 19:01:39 +01006644 A request containing any line which matches extended regular expression
6645 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01006646 be kept open for a pre-defined time, then will return an HTTP error 500 so
6647 that the attacker does not suspect it has been tarpitted. The status 500 will
6648 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01006649 delay is defined by "timeout tarpit", or "timeout connect" if the former is
6650 not set.
6651
6652 The goal of the tarpit is to slow down robots attacking servers with
6653 identifiable requests. Many robots limit their outgoing number of connections
6654 and stay connected waiting for a reply which can take several minutes to
6655 come. Depending on the environment and attack, it may be particularly
6656 efficient at reducing the load on the network and firewalls.
6657
Willy Tarreau5321c422010-01-28 20:35:13 +01006658 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01006659 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
6660 # block all others.
6661 reqipass ^User-Agent:\.*(Mozilla|MSIE)
6662 reqitarpit ^User-Agent:
6663
Willy Tarreau5321c422010-01-28 20:35:13 +01006664 # block bad guys
6665 acl badguys src 10.1.0.3 172.16.13.20/28
6666 reqitarpit . if badguys
6667
6668 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
6669 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006670
6671
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02006672retries <value>
6673 Set the number of retries to perform on a server after a connection failure
6674 May be used in sections: defaults | frontend | listen | backend
6675 yes | no | yes | yes
6676 Arguments :
6677 <value> is the number of times a connection attempt should be retried on
6678 a server when a connection either is refused or times out. The
6679 default value is 3.
6680
6681 It is important to understand that this value applies to the number of
6682 connection attempts, not full requests. When a connection has effectively
6683 been established to a server, there will be no more retry.
6684
6685 In order to avoid immediate reconnections to a server which is restarting,
Joseph Lynch726ab712015-05-11 23:25:34 -07006686 a turn-around timer of min("timeout connect", one second) is applied before
6687 a retry occurs.
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02006688
6689 When "option redispatch" is set, the last retry may be performed on another
6690 server even if a cookie references a different server.
6691
6692 See also : "option redispatch"
6693
6694
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006695rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01006696 Add a header at the end of the HTTP response
6697 May be used in sections : defaults | frontend | listen | backend
6698 no | yes | yes | yes
6699 Arguments :
6700 <string> is the complete line to be added. Any space or known delimiter
6701 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006702 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006703
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006704 <cond> is an optional matching condition built from ACLs. It makes it
6705 possible to ignore this rule when other conditions are not met.
6706
Willy Tarreau303c0352008-01-17 19:01:39 +01006707 A new line consisting in <string> followed by a line feed will be added after
6708 the last header of an HTTP response.
6709
6710 Header transformations only apply to traffic which passes through HAProxy,
6711 and not to traffic generated by HAProxy, such as health-checks or error
6712 responses.
6713
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006714 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
6715 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006716
6717
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006718rspdel <search> [{if | unless} <cond>]
6719rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006720 Delete all headers matching a regular expression in an HTTP response
6721 May be used in sections : defaults | frontend | listen | backend
6722 no | yes | yes | yes
6723 Arguments :
6724 <search> is the regular expression applied to HTTP headers and to the
6725 response line. This is an extended regular expression, so
6726 parenthesis grouping is supported and no preliminary backslash
6727 is required. Any space or known delimiter must be escaped using
6728 a backslash ('\'). The pattern applies to a full line at a time.
6729 The "rspdel" keyword strictly matches case while "rspidel"
6730 ignores case.
6731
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006732 <cond> is an optional matching condition built from ACLs. It makes it
6733 possible to ignore this rule when other conditions are not met.
6734
Willy Tarreau303c0352008-01-17 19:01:39 +01006735 Any header line matching extended regular expression <search> in the response
6736 will be completely deleted. Most common use of this is to remove unwanted
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02006737 and/or sensitive headers or cookies from a response before passing it to the
Willy Tarreau303c0352008-01-17 19:01:39 +01006738 client.
6739
6740 Header transformations only apply to traffic which passes through HAProxy,
6741 and not to traffic generated by HAProxy, such as health-checks or error
6742 responses. Keep in mind that header names are not case-sensitive.
6743
6744 Example :
6745 # remove the Server header from responses
Willy Tarreau5e80e022013-05-25 08:31:25 +02006746 rspidel ^Server:.*
Willy Tarreau303c0352008-01-17 19:01:39 +01006747
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006748 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
6749 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006750
6751
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006752rspdeny <search> [{if | unless} <cond>]
6753rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006754 Block an HTTP response if a line matches a regular expression
6755 May be used in sections : defaults | frontend | listen | backend
6756 no | yes | yes | yes
6757 Arguments :
6758 <search> is the regular expression applied to HTTP headers and to the
6759 response line. This is an extended regular expression, so
6760 parenthesis grouping is supported and no preliminary backslash
6761 is required. Any space or known delimiter must be escaped using
6762 a backslash ('\'). The pattern applies to a full line at a time.
6763 The "rspdeny" keyword strictly matches case while "rspideny"
6764 ignores case.
6765
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006766 <cond> is an optional matching condition built from ACLs. It makes it
6767 possible to ignore this rule when other conditions are not met.
6768
Willy Tarreau303c0352008-01-17 19:01:39 +01006769 A response containing any line which matches extended regular expression
6770 <search> will mark the request as denied. The test applies both to the
6771 response line and to response headers. Keep in mind that header names are not
6772 case-sensitive.
6773
6774 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01006775 block the response before it reaches the client. If a response is denied, it
6776 will be replaced with an HTTP 502 error so that the client never retrieves
6777 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01006778
6779 It is easier, faster and more powerful to use ACLs to write access policies.
6780 Rspdeny should be avoided in new designs.
6781
6782 Example :
6783 # Ensure that no content type matching ms-word will leak
6784 rspideny ^Content-type:\.*/ms-word
6785
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006786 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
6787 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006788
6789
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006790rsprep <search> <string> [{if | unless} <cond>]
6791rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006792 Replace a regular expression with a string in an HTTP response line
6793 May be used in sections : defaults | frontend | listen | backend
6794 no | yes | yes | yes
6795 Arguments :
6796 <search> is the regular expression applied to HTTP headers and to the
6797 response line. This is an extended regular expression, so
6798 parenthesis grouping is supported and no preliminary backslash
6799 is required. Any space or known delimiter must be escaped using
6800 a backslash ('\'). The pattern applies to a full line at a time.
6801 The "rsprep" keyword strictly matches case while "rspirep"
6802 ignores case.
6803
6804 <string> is the complete line to be added. Any space or known delimiter
6805 must be escaped using a backslash ('\'). References to matched
6806 pattern groups are possible using the common \N form, with N
6807 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006808 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006809
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006810 <cond> is an optional matching condition built from ACLs. It makes it
6811 possible to ignore this rule when other conditions are not met.
6812
Willy Tarreau303c0352008-01-17 19:01:39 +01006813 Any line matching extended regular expression <search> in the response (both
6814 the response line and header lines) will be completely replaced with
6815 <string>. Most common use of this is to rewrite Location headers.
6816
6817 Header transformations only apply to traffic which passes through HAProxy,
6818 and not to traffic generated by HAProxy, such as health-checks or error
6819 responses. Note that for increased readability, it is suggested to add enough
6820 spaces between the request and the response. Keep in mind that header names
6821 are not case-sensitive.
6822
6823 Example :
6824 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
6825 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
6826
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006827 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
6828 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006829
6830
David du Colombier486df472011-03-17 10:40:26 +01006831server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006832 Declare a server in a backend
6833 May be used in sections : defaults | frontend | listen | backend
6834 no | no | yes | yes
6835 Arguments :
6836 <name> is the internal name assigned to this server. This name will
Cyril Bonté941a0c62012-10-15 19:44:24 +02006837 appear in logs and alerts. If "http-send-name-header" is
Mark Lamourinec2247f02012-01-04 13:02:01 -05006838 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006839
David du Colombier486df472011-03-17 10:40:26 +01006840 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
6841 resolvable hostname is supported, but this name will be resolved
6842 during start-up. Address "0.0.0.0" or "*" has a special meaning.
6843 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02006844 address as the one from the client connection. This is useful in
6845 transparent proxy architectures where the client's connection is
6846 intercepted and haproxy must forward to the original destination
6847 address. This is more or less what the "transparent" keyword does
6848 except that with a server it's possible to limit concurrency and
Willy Tarreau24709282013-03-10 21:32:12 +01006849 to report statistics. Optionally, an address family prefix may be
6850 used before the address to force the family regardless of the
6851 address format, which can be useful to specify a path to a unix
6852 socket with no slash ('/'). Currently supported prefixes are :
6853 - 'ipv4@' -> address is always IPv4
6854 - 'ipv6@' -> address is always IPv6
6855 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02006856 - 'abns@' -> address is in abstract namespace (Linux only)
William Lallemandb2f07452015-05-12 14:27:13 +02006857 You may want to reference some environment variables in the
6858 address parameter, see section 2.3 about environment
6859 variables.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006860
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006861 <port> is an optional port specification. If set, all connections will
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006862 be sent to this port. If unset, the same port the client
6863 connected to will be used. The port may also be prefixed by a "+"
6864 or a "-". In this case, the server's port will be determined by
6865 adding this value to the client's port.
6866
6867 <param*> is a list of parameters for this server. The "server" keywords
6868 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006869 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006870
6871 Examples :
6872 server first 10.1.1.1:1080 cookie first check inter 1000
6873 server second 10.1.1.2:1080 cookie second check inter 1000
Willy Tarreau24709282013-03-10 21:32:12 +01006874 server transp ipv4@
William Lallemandb2f07452015-05-12 14:27:13 +02006875 server backup "${SRV_BACKUP}:1080" backup
6876 server www1_dc1 "${LAN_DC1}.101:80"
6877 server www1_dc2 "${LAN_DC2}.101:80"
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006878
Mark Lamourinec2247f02012-01-04 13:02:01 -05006879 See also: "default-server", "http-send-name-header" and section 5 about
6880 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006881
6882
6883source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02006884source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01006885source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006886 Set the source address for outgoing connections
6887 May be used in sections : defaults | frontend | listen | backend
6888 yes | no | yes | yes
6889 Arguments :
6890 <addr> is the IPv4 address HAProxy will bind to before connecting to a
6891 server. This address is also used as a source for health checks.
Willy Tarreau24709282013-03-10 21:32:12 +01006892
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006893 The default value of 0.0.0.0 means that the system will select
Willy Tarreau24709282013-03-10 21:32:12 +01006894 the most appropriate address to reach its destination. Optionally
6895 an address family prefix may be used before the address to force
6896 the family regardless of the address format, which can be useful
6897 to specify a path to a unix socket with no slash ('/'). Currently
6898 supported prefixes are :
6899 - 'ipv4@' -> address is always IPv4
6900 - 'ipv6@' -> address is always IPv6
6901 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02006902 - 'abns@' -> address is in abstract namespace (Linux only)
William Lallemandb2f07452015-05-12 14:27:13 +02006903 You may want to reference some environment variables in the address
6904 parameter, see section 2.3 about environment variables.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006905
6906 <port> is an optional port. It is normally not needed but may be useful
6907 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006908 the system will select a free port. Note that port ranges are not
6909 supported in the backend. If you want to force port ranges, you
6910 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006911
6912 <addr2> is the IP address to present to the server when connections are
6913 forwarded in full transparent proxy mode. This is currently only
6914 supported on some patched Linux kernels. When this address is
6915 specified, clients connecting to the server will be presented
6916 with this address, while health checks will still use the address
6917 <addr>.
6918
6919 <port2> is the optional port to present to the server when connections
6920 are forwarded in full transparent proxy mode (see <addr2> above).
6921 The default value of zero means the system will select a free
6922 port.
6923
Willy Tarreaubce70882009-09-07 11:51:47 +02006924 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
6925 This is the name of a comma-separated header list which can
6926 contain multiple IP addresses. By default, the last occurrence is
6927 used. This is designed to work with the X-Forwarded-For header
Baptiste Assmannea3e73b2013-02-02 23:47:49 +01006928 and to automatically bind to the client's IP address as seen
Willy Tarreaubce70882009-09-07 11:51:47 +02006929 by previous proxy, typically Stunnel. In order to use another
6930 occurrence from the last one, please see the <occ> parameter
6931 below. When the header (or occurrence) is not found, no binding
6932 is performed so that the proxy's default IP address is used. Also
6933 keep in mind that the header name is case insensitive, as for any
6934 HTTP header.
6935
6936 <occ> is the occurrence number of a value to be used in a multi-value
6937 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006938 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +02006939 address. Positive values indicate a position from the first
6940 occurrence, 1 being the first one. Negative values indicate
6941 positions relative to the last one, -1 being the last one. This
6942 is helpful for situations where an X-Forwarded-For header is set
6943 at the entry point of an infrastructure and must be used several
6944 proxy layers away. When this value is not specified, -1 is
6945 assumed. Passing a zero here disables the feature.
6946
Willy Tarreaud53f96b2009-02-04 18:46:54 +01006947 <name> is an optional interface name to which to bind to for outgoing
6948 traffic. On systems supporting this features (currently, only
6949 Linux), this allows one to bind all traffic to the server to
6950 this interface even if it is not the one the system would select
6951 based on routing tables. This should be used with extreme care.
6952 Note that using this option requires root privileges.
6953
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006954 The "source" keyword is useful in complex environments where a specific
6955 address only is allowed to connect to the servers. It may be needed when a
6956 private address must be used through a public gateway for instance, and it is
6957 known that the system cannot determine the adequate source address by itself.
6958
6959 An extension which is available on certain patched Linux kernels may be used
6960 through the "usesrc" optional keyword. It makes it possible to connect to the
6961 servers with an IP address which does not belong to the system itself. This
6962 is called "full transparent proxy mode". For this to work, the destination
6963 servers have to route their traffic back to this address through the machine
6964 running HAProxy, and IP forwarding must generally be enabled on this machine.
6965
6966 In this "full transparent proxy" mode, it is possible to force a specific IP
6967 address to be presented to the servers. This is not much used in fact. A more
6968 common use is to tell HAProxy to present the client's IP address. For this,
6969 there are two methods :
6970
6971 - present the client's IP and port addresses. This is the most transparent
6972 mode, but it can cause problems when IP connection tracking is enabled on
6973 the machine, because a same connection may be seen twice with different
6974 states. However, this solution presents the huge advantage of not
6975 limiting the system to the 64k outgoing address+port couples, because all
6976 of the client ranges may be used.
6977
6978 - present only the client's IP address and select a spare port. This
6979 solution is still quite elegant but slightly less transparent (downstream
6980 firewalls logs will not match upstream's). It also presents the downside
6981 of limiting the number of concurrent connections to the usual 64k ports.
6982 However, since the upstream and downstream ports are different, local IP
6983 connection tracking on the machine will not be upset by the reuse of the
6984 same session.
6985
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006986 This option sets the default source for all servers in the backend. It may
6987 also be specified in a "defaults" section. Finer source address specification
6988 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006989 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006990
Baptiste Assmann91bd3372015-07-17 21:59:42 +02006991 In order to work, "usesrc" requires root privileges.
6992
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006993 Examples :
6994 backend private
6995 # Connect to the servers using our 192.168.1.200 source address
6996 source 192.168.1.200
6997
6998 backend transparent_ssl1
6999 # Connect to the SSL farm from the client's source address
7000 source 192.168.1.200 usesrc clientip
7001
7002 backend transparent_ssl2
7003 # Connect to the SSL farm from the client's source address and port
7004 # not recommended if IP conntrack is present on the local machine.
7005 source 192.168.1.200 usesrc client
7006
7007 backend transparent_ssl3
7008 # Connect to the SSL farm from the client's source address. It
7009 # is more conntrack-friendly.
7010 source 192.168.1.200 usesrc clientip
7011
7012 backend transparent_smtp
7013 # Connect to the SMTP farm from the client's source address/port
7014 # with Tproxy version 4.
7015 source 0.0.0.0 usesrc clientip
7016
Willy Tarreaubce70882009-09-07 11:51:47 +02007017 backend transparent_http
7018 # Connect to the servers using the client's IP as seen by previous
7019 # proxy.
7020 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
7021
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007022 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007023 the Linux kernel on www.balabit.com, the "bind" keyword.
7024
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01007025
Willy Tarreau844e3c52008-01-11 16:28:18 +01007026srvtimeout <timeout> (deprecated)
7027 Set the maximum inactivity time on the server side.
7028 May be used in sections : defaults | frontend | listen | backend
7029 yes | no | yes | yes
7030 Arguments :
7031 <timeout> is the timeout value specified in milliseconds by default, but
7032 can be in any other unit if the number is suffixed by the unit,
7033 as explained at the top of this document.
7034
7035 The inactivity timeout applies when the server is expected to acknowledge or
7036 send data. In HTTP mode, this timeout is particularly important to consider
7037 during the first phase of the server's response, when it has to send the
7038 headers, as it directly represents the server's processing time for the
7039 request. To find out what value to put there, it's often good to start with
7040 what would be considered as unacceptable response times, then check the logs
7041 to observe the response time distribution, and adjust the value accordingly.
7042
7043 The value is specified in milliseconds by default, but can be in any other
7044 unit if the number is suffixed by the unit, as specified at the top of this
7045 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
7046 recommended that the client timeout remains equal to the server timeout in
7047 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007048 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01007049 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01007050 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01007051
7052 This parameter is specific to backends, but can be specified once for all in
7053 "defaults" sections. This is in fact one of the easiest solutions not to
7054 forget about it. An unspecified timeout results in an infinite timeout, which
7055 is not recommended. Such a usage is accepted and works but reports a warning
7056 during startup because it may results in accumulation of expired sessions in
7057 the system if the system's timeouts are not configured either.
7058
7059 This parameter is provided for compatibility but is currently deprecated.
7060 Please use "timeout server" instead.
7061
Willy Tarreauce887fd2012-05-12 12:50:00 +02007062 See also : "timeout server", "timeout tunnel", "timeout client" and
7063 "clitimeout".
Willy Tarreau844e3c52008-01-11 16:28:18 +01007064
7065
Cyril Bonté66c327d2010-10-12 00:14:37 +02007066stats admin { if | unless } <cond>
7067 Enable statistics admin level if/unless a condition is matched
7068 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007069 no | yes | yes | yes
Cyril Bonté66c327d2010-10-12 00:14:37 +02007070
7071 This statement enables the statistics admin level if/unless a condition is
7072 matched.
7073
7074 The admin level allows to enable/disable servers from the web interface. By
7075 default, statistics page is read-only for security reasons.
7076
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007077 Note : Consider not using this feature in multi-process mode (nbproc > 1)
7078 unless you know what you do : memory is not shared between the
7079 processes, which can result in random behaviours.
7080
Cyril Bonté23b39d92011-02-10 22:54:44 +01007081 Currently, the POST request is limited to the buffer size minus the reserved
7082 buffer space, which means that if the list of servers is too long, the
7083 request won't be processed. It is recommended to alter few servers at a
7084 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02007085
7086 Example :
7087 # statistics admin level only for localhost
7088 backend stats_localhost
7089 stats enable
7090 stats admin if LOCALHOST
7091
7092 Example :
7093 # statistics admin level always enabled because of the authentication
7094 backend stats_auth
7095 stats enable
7096 stats auth admin:AdMiN123
7097 stats admin if TRUE
7098
7099 Example :
7100 # statistics admin level depends on the authenticated user
7101 userlist stats-auth
7102 group admin users admin
7103 user admin insecure-password AdMiN123
7104 group readonly users haproxy
7105 user haproxy insecure-password haproxy
7106
7107 backend stats_auth
7108 stats enable
7109 acl AUTH http_auth(stats-auth)
7110 acl AUTH_ADMIN http_auth_group(stats-auth) admin
7111 stats http-request auth unless AUTH
7112 stats admin if AUTH_ADMIN
7113
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007114 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
7115 "bind-process", section 3.4 about userlists and section 7 about
7116 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02007117
7118
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007119stats auth <user>:<passwd>
7120 Enable statistics with authentication and grant access to an account
7121 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007122 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007123 Arguments :
7124 <user> is a user name to grant access to
7125
7126 <passwd> is the cleartext password associated to this user
7127
7128 This statement enables statistics with default settings, and restricts access
7129 to declared users only. It may be repeated as many times as necessary to
7130 allow as many users as desired. When a user tries to access the statistics
7131 without a valid account, a "401 Forbidden" response will be returned so that
7132 the browser asks the user to provide a valid user and password. The real
7133 which will be returned to the browser is configurable using "stats realm".
7134
7135 Since the authentication method is HTTP Basic Authentication, the passwords
7136 circulate in cleartext on the network. Thus, it was decided that the
7137 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02007138 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007139
7140 It is also possible to reduce the scope of the proxies which appear in the
7141 report using "stats scope".
7142
7143 Though this statement alone is enough to enable statistics reporting, it is
7144 recommended to set all other settings in order to avoid relying on default
7145 unobvious parameters.
7146
7147 Example :
7148 # public access (limited to this backend only)
7149 backend public_www
7150 server srv1 192.168.0.1:80
7151 stats enable
7152 stats hide-version
7153 stats scope .
7154 stats uri /admin?stats
7155 stats realm Haproxy\ Statistics
7156 stats auth admin1:AdMiN123
7157 stats auth admin2:AdMiN321
7158
7159 # internal monitoring access (unlimited)
7160 backend private_monitoring
7161 stats enable
7162 stats uri /admin?stats
7163 stats refresh 5s
7164
7165 See also : "stats enable", "stats realm", "stats scope", "stats uri"
7166
7167
7168stats enable
7169 Enable statistics reporting with default settings
7170 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007171 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007172 Arguments : none
7173
7174 This statement enables statistics reporting with default settings defined
7175 at build time. Unless stated otherwise, these settings are used :
7176 - stats uri : /haproxy?stats
7177 - stats realm : "HAProxy Statistics"
7178 - stats auth : no authentication
7179 - stats scope : no restriction
7180
7181 Though this statement alone is enough to enable statistics reporting, it is
7182 recommended to set all other settings in order to avoid relying on default
7183 unobvious parameters.
7184
7185 Example :
7186 # public access (limited to this backend only)
7187 backend public_www
7188 server srv1 192.168.0.1:80
7189 stats enable
7190 stats hide-version
7191 stats scope .
7192 stats uri /admin?stats
7193 stats realm Haproxy\ Statistics
7194 stats auth admin1:AdMiN123
7195 stats auth admin2:AdMiN321
7196
7197 # internal monitoring access (unlimited)
7198 backend private_monitoring
7199 stats enable
7200 stats uri /admin?stats
7201 stats refresh 5s
7202
7203 See also : "stats auth", "stats realm", "stats uri"
7204
7205
Willy Tarreaud63335a2010-02-26 12:56:52 +01007206stats hide-version
7207 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02007208 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007209 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01007210 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02007211
Willy Tarreaud63335a2010-02-26 12:56:52 +01007212 By default, the stats page reports some useful status information along with
7213 the statistics. Among them is HAProxy's version. However, it is generally
7214 considered dangerous to report precise version to anyone, as it can help them
7215 target known weaknesses with specific attacks. The "stats hide-version"
7216 statement removes the version from the statistics report. This is recommended
7217 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02007218
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02007219 Though this statement alone is enough to enable statistics reporting, it is
7220 recommended to set all other settings in order to avoid relying on default
7221 unobvious parameters.
7222
Willy Tarreaud63335a2010-02-26 12:56:52 +01007223 Example :
7224 # public access (limited to this backend only)
7225 backend public_www
7226 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02007227 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01007228 stats hide-version
7229 stats scope .
7230 stats uri /admin?stats
7231 stats realm Haproxy\ Statistics
7232 stats auth admin1:AdMiN123
7233 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02007234
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02007235 # internal monitoring access (unlimited)
7236 backend private_monitoring
7237 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01007238 stats uri /admin?stats
7239 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01007240
Willy Tarreaud63335a2010-02-26 12:56:52 +01007241 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02007242
Willy Tarreau983e01e2010-01-11 18:42:06 +01007243
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02007244stats http-request { allow | deny | auth [realm <realm>] }
7245 [ { if | unless } <condition> ]
7246 Access control for statistics
7247
7248 May be used in sections: defaults | frontend | listen | backend
7249 no | no | yes | yes
7250
7251 As "http-request", these set of options allow to fine control access to
7252 statistics. Each option may be followed by if/unless and acl.
7253 First option with matched condition (or option without condition) is final.
7254 For "deny" a 403 error will be returned, for "allow" normal processing is
7255 performed, for "auth" a 401/407 error code is returned so the client
7256 should be asked to enter a username and password.
7257
7258 There is no fixed limit to the number of http-request statements per
7259 instance.
7260
7261 See also : "http-request", section 3.4 about userlists and section 7
7262 about ACL usage.
7263
7264
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007265stats realm <realm>
7266 Enable statistics and set authentication realm
7267 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007268 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007269 Arguments :
7270 <realm> is the name of the HTTP Basic Authentication realm reported to
7271 the browser. The browser uses it to display it in the pop-up
7272 inviting the user to enter a valid username and password.
7273
7274 The realm is read as a single word, so any spaces in it should be escaped
7275 using a backslash ('\').
7276
7277 This statement is useful only in conjunction with "stats auth" since it is
7278 only related to authentication.
7279
7280 Though this statement alone is enough to enable statistics reporting, it is
7281 recommended to set all other settings in order to avoid relying on default
7282 unobvious parameters.
7283
7284 Example :
7285 # public access (limited to this backend only)
7286 backend public_www
7287 server srv1 192.168.0.1:80
7288 stats enable
7289 stats hide-version
7290 stats scope .
7291 stats uri /admin?stats
7292 stats realm Haproxy\ Statistics
7293 stats auth admin1:AdMiN123
7294 stats auth admin2:AdMiN321
7295
7296 # internal monitoring access (unlimited)
7297 backend private_monitoring
7298 stats enable
7299 stats uri /admin?stats
7300 stats refresh 5s
7301
7302 See also : "stats auth", "stats enable", "stats uri"
7303
7304
7305stats refresh <delay>
7306 Enable statistics with automatic refresh
7307 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007308 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007309 Arguments :
7310 <delay> is the suggested refresh delay, specified in seconds, which will
7311 be returned to the browser consulting the report page. While the
7312 browser is free to apply any delay, it will generally respect it
7313 and refresh the page this every seconds. The refresh interval may
7314 be specified in any other non-default time unit, by suffixing the
7315 unit after the value, as explained at the top of this document.
7316
7317 This statement is useful on monitoring displays with a permanent page
7318 reporting the load balancer's activity. When set, the HTML report page will
7319 include a link "refresh"/"stop refresh" so that the user can select whether
7320 he wants automatic refresh of the page or not.
7321
7322 Though this statement alone is enough to enable statistics reporting, it is
7323 recommended to set all other settings in order to avoid relying on default
7324 unobvious parameters.
7325
7326 Example :
7327 # public access (limited to this backend only)
7328 backend public_www
7329 server srv1 192.168.0.1:80
7330 stats enable
7331 stats hide-version
7332 stats scope .
7333 stats uri /admin?stats
7334 stats realm Haproxy\ Statistics
7335 stats auth admin1:AdMiN123
7336 stats auth admin2:AdMiN321
7337
7338 # internal monitoring access (unlimited)
7339 backend private_monitoring
7340 stats enable
7341 stats uri /admin?stats
7342 stats refresh 5s
7343
7344 See also : "stats auth", "stats enable", "stats realm", "stats uri"
7345
7346
7347stats scope { <name> | "." }
7348 Enable statistics and limit access scope
7349 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007350 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007351 Arguments :
7352 <name> is the name of a listen, frontend or backend section to be
7353 reported. The special name "." (a single dot) designates the
7354 section in which the statement appears.
7355
7356 When this statement is specified, only the sections enumerated with this
7357 statement will appear in the report. All other ones will be hidden. This
7358 statement may appear as many times as needed if multiple sections need to be
7359 reported. Please note that the name checking is performed as simple string
7360 comparisons, and that it is never checked that a give section name really
7361 exists.
7362
7363 Though this statement alone is enough to enable statistics reporting, it is
7364 recommended to set all other settings in order to avoid relying on default
7365 unobvious parameters.
7366
7367 Example :
7368 # public access (limited to this backend only)
7369 backend public_www
7370 server srv1 192.168.0.1:80
7371 stats enable
7372 stats hide-version
7373 stats scope .
7374 stats uri /admin?stats
7375 stats realm Haproxy\ Statistics
7376 stats auth admin1:AdMiN123
7377 stats auth admin2:AdMiN321
7378
7379 # internal monitoring access (unlimited)
7380 backend private_monitoring
7381 stats enable
7382 stats uri /admin?stats
7383 stats refresh 5s
7384
7385 See also : "stats auth", "stats enable", "stats realm", "stats uri"
7386
Willy Tarreaud63335a2010-02-26 12:56:52 +01007387
Willy Tarreauc9705a12010-07-27 20:05:50 +02007388stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01007389 Enable reporting of a description on the statistics page.
7390 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007391 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01007392
Willy Tarreauc9705a12010-07-27 20:05:50 +02007393 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01007394 description from global section is automatically used instead.
7395
7396 This statement is useful for users that offer shared services to their
7397 customers, where node or description should be different for each customer.
7398
7399 Though this statement alone is enough to enable statistics reporting, it is
7400 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04007401 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +01007402
7403 Example :
7404 # internal monitoring access (unlimited)
7405 backend private_monitoring
7406 stats enable
7407 stats show-desc Master node for Europe, Asia, Africa
7408 stats uri /admin?stats
7409 stats refresh 5s
7410
7411 See also: "show-node", "stats enable", "stats uri" and "description" in
7412 global section.
7413
7414
7415stats show-legends
Willy Tarreaued2119c2014-04-24 22:10:39 +02007416 Enable reporting additional information on the statistics page
7417 May be used in sections : defaults | frontend | listen | backend
7418 yes | yes | yes | yes
7419 Arguments : none
7420
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03007421 Enable reporting additional information on the statistics page :
Willy Tarreaud63335a2010-02-26 12:56:52 +01007422 - cap: capabilities (proxy)
7423 - mode: one of tcp, http or health (proxy)
7424 - id: SNMP ID (proxy, socket, server)
7425 - IP (socket, server)
7426 - cookie (backend, server)
7427
7428 Though this statement alone is enough to enable statistics reporting, it is
7429 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04007430 unobvious parameters. Default behaviour is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +01007431
7432 See also: "stats enable", "stats uri".
7433
7434
7435stats show-node [ <name> ]
7436 Enable reporting of a host name on the statistics page.
7437 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007438 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01007439 Arguments:
7440 <name> is an optional name to be reported. If unspecified, the
7441 node name from global section is automatically used instead.
7442
7443 This statement is useful for users that offer shared services to their
7444 customers, where node or description might be different on a stats page
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04007445 provided for each customer. Default behaviour is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +01007446
7447 Though this statement alone is enough to enable statistics reporting, it is
7448 recommended to set all other settings in order to avoid relying on default
7449 unobvious parameters.
7450
7451 Example:
7452 # internal monitoring access (unlimited)
7453 backend private_monitoring
7454 stats enable
7455 stats show-node Europe-1
7456 stats uri /admin?stats
7457 stats refresh 5s
7458
7459 See also: "show-desc", "stats enable", "stats uri", and "node" in global
7460 section.
7461
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007462
7463stats uri <prefix>
7464 Enable statistics and define the URI prefix to access them
7465 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02007466 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007467 Arguments :
7468 <prefix> is the prefix of any URI which will be redirected to stats. This
7469 prefix may contain a question mark ('?') to indicate part of a
7470 query string.
7471
7472 The statistics URI is intercepted on the relayed traffic, so it appears as a
7473 page within the normal application. It is strongly advised to ensure that the
7474 selected URI will never appear in the application, otherwise it will never be
7475 possible to reach it in the application.
7476
7477 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007478 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007479 It is generally a good idea to include a question mark in the URI so that
7480 intermediate proxies refrain from caching the results. Also, since any string
7481 beginning with the prefix will be accepted as a stats request, the question
7482 mark helps ensuring that no valid URI will begin with the same words.
7483
7484 It is sometimes very convenient to use "/" as the URI prefix, and put that
7485 statement in a "listen" instance of its own. That makes it easy to dedicate
7486 an address or a port to statistics only.
7487
7488 Though this statement alone is enough to enable statistics reporting, it is
7489 recommended to set all other settings in order to avoid relying on default
7490 unobvious parameters.
7491
7492 Example :
7493 # public access (limited to this backend only)
7494 backend public_www
7495 server srv1 192.168.0.1:80
7496 stats enable
7497 stats hide-version
7498 stats scope .
7499 stats uri /admin?stats
7500 stats realm Haproxy\ Statistics
7501 stats auth admin1:AdMiN123
7502 stats auth admin2:AdMiN321
7503
7504 # internal monitoring access (unlimited)
7505 backend private_monitoring
7506 stats enable
7507 stats uri /admin?stats
7508 stats refresh 5s
7509
7510 See also : "stats auth", "stats enable", "stats realm"
7511
7512
Willy Tarreaud63335a2010-02-26 12:56:52 +01007513stick match <pattern> [table <table>] [{if | unless} <cond>]
7514 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007515 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01007516 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007517
7518 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007519 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007520 describes what elements of the incoming request or connection
7521 will be analysed in the hope to find a matching entry in a
7522 stickiness table. This rule is mandatory.
7523
7524 <table> is an optional stickiness table name. If unspecified, the same
7525 backend's table is used. A stickiness table is declared using
7526 the "stick-table" statement.
7527
7528 <cond> is an optional matching condition. It makes it possible to match
7529 on a certain criterion only when other conditions are met (or
7530 not met). For instance, it could be used to match on a source IP
7531 address except when a request passes through a known proxy, in
7532 which case we'd match on a header containing that IP address.
7533
7534 Some protocols or applications require complex stickiness rules and cannot
7535 always simply rely on cookies nor hashing. The "stick match" statement
7536 describes a rule to extract the stickiness criterion from an incoming request
7537 or connection. See section 7 for a complete list of possible patterns and
7538 transformation rules.
7539
7540 The table has to be declared using the "stick-table" statement. It must be of
7541 a type compatible with the pattern. By default it is the one which is present
7542 in the same backend. It is possible to share a table with other backends by
7543 referencing it using the "table" keyword. If another table is referenced,
7544 the server's ID inside the backends are used. By default, all server IDs
7545 start at 1 in each backend, so the server ordering is enough. But in case of
7546 doubt, it is highly recommended to force server IDs using their "id" setting.
7547
7548 It is possible to restrict the conditions where a "stick match" statement
7549 will apply, using "if" or "unless" followed by a condition. See section 7 for
7550 ACL based conditions.
7551
7552 There is no limit on the number of "stick match" statements. The first that
7553 applies and matches will cause the request to be directed to the same server
7554 as was used for the request which created the entry. That way, multiple
7555 matches can be used as fallbacks.
7556
7557 The stick rules are checked after the persistence cookies, so they will not
7558 affect stickiness if a cookie has already been used to select a server. That
7559 way, it becomes very easy to insert cookies and match on IP addresses in
7560 order to maintain stickiness between HTTP and HTTPS.
7561
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007562 Note : Consider not using this feature in multi-process mode (nbproc > 1)
7563 unless you know what you do : memory is not shared between the
7564 processes, which can result in random behaviours.
7565
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007566 Example :
7567 # forward SMTP users to the same server they just used for POP in the
7568 # last 30 minutes
7569 backend pop
7570 mode tcp
7571 balance roundrobin
7572 stick store-request src
7573 stick-table type ip size 200k expire 30m
7574 server s1 192.168.1.1:110
7575 server s2 192.168.1.1:110
7576
7577 backend smtp
7578 mode tcp
7579 balance roundrobin
7580 stick match src table pop
7581 server s1 192.168.1.1:25
7582 server s2 192.168.1.1:25
7583
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007584 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02007585 about ACLs and samples fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007586
7587
7588stick on <pattern> [table <table>] [{if | unless} <condition>]
7589 Define a request pattern to associate a user to a server
7590 May be used in sections : defaults | frontend | listen | backend
7591 no | no | yes | yes
7592
7593 Note : This form is exactly equivalent to "stick match" followed by
7594 "stick store-request", all with the same arguments. Please refer
7595 to both keywords for details. It is only provided as a convenience
7596 for writing more maintainable configurations.
7597
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007598 Note : Consider not using this feature in multi-process mode (nbproc > 1)
7599 unless you know what you do : memory is not shared between the
7600 processes, which can result in random behaviours.
7601
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007602 Examples :
7603 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01007604 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007605
7606 # ...is strictly equivalent to this one :
7607 stick match src table pop if !localhost
7608 stick store-request src table pop if !localhost
7609
7610
7611 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
7612 # well as HTTP without cookie. Share the same table between both accesses.
7613 backend http
7614 mode http
7615 balance roundrobin
7616 stick on src table https
7617 cookie SRV insert indirect nocache
7618 server s1 192.168.1.1:80 cookie s1
7619 server s2 192.168.1.1:80 cookie s2
7620
7621 backend https
7622 mode tcp
7623 balance roundrobin
7624 stick-table type ip size 200k expire 30m
7625 stick on src
7626 server s1 192.168.1.1:443
7627 server s2 192.168.1.1:443
7628
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007629 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007630
7631
7632stick store-request <pattern> [table <table>] [{if | unless} <condition>]
7633 Define a request pattern used to create an entry in a stickiness table
7634 May be used in sections : defaults | frontend | listen | backend
7635 no | no | yes | yes
7636
7637 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007638 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007639 describes what elements of the incoming request or connection
7640 will be analysed, extracted and stored in the table once a
7641 server is selected.
7642
7643 <table> is an optional stickiness table name. If unspecified, the same
7644 backend's table is used. A stickiness table is declared using
7645 the "stick-table" statement.
7646
7647 <cond> is an optional storage condition. It makes it possible to store
7648 certain criteria only when some conditions are met (or not met).
7649 For instance, it could be used to store the source IP address
7650 except when the request passes through a known proxy, in which
7651 case we'd store a converted form of a header containing that IP
7652 address.
7653
7654 Some protocols or applications require complex stickiness rules and cannot
7655 always simply rely on cookies nor hashing. The "stick store-request" statement
7656 describes a rule to decide what to extract from the request and when to do
7657 it, in order to store it into a stickiness table for further requests to
7658 match it using the "stick match" statement. Obviously the extracted part must
7659 make sense and have a chance to be matched in a further request. Storing a
7660 client's IP address for instance often makes sense. Storing an ID found in a
7661 URL parameter also makes sense. Storing a source port will almost never make
7662 any sense because it will be randomly matched. See section 7 for a complete
7663 list of possible patterns and transformation rules.
7664
7665 The table has to be declared using the "stick-table" statement. It must be of
7666 a type compatible with the pattern. By default it is the one which is present
7667 in the same backend. It is possible to share a table with other backends by
7668 referencing it using the "table" keyword. If another table is referenced,
7669 the server's ID inside the backends are used. By default, all server IDs
7670 start at 1 in each backend, so the server ordering is enough. But in case of
7671 doubt, it is highly recommended to force server IDs using their "id" setting.
7672
7673 It is possible to restrict the conditions where a "stick store-request"
7674 statement will apply, using "if" or "unless" followed by a condition. This
7675 condition will be evaluated while parsing the request, so any criteria can be
7676 used. See section 7 for ACL based conditions.
7677
7678 There is no limit on the number of "stick store-request" statements, but
7679 there is a limit of 8 simultaneous stores per request or response. This
7680 makes it possible to store up to 8 criteria, all extracted from either the
7681 request or the response, regardless of the number of rules. Only the 8 first
7682 ones which match will be kept. Using this, it is possible to feed multiple
7683 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01007684 another protocol or access method. Using multiple store-request rules with
7685 the same table is possible and may be used to find the best criterion to rely
7686 on, by arranging the rules by decreasing preference order. Only the first
7687 extracted criterion for a given table will be stored. All subsequent store-
7688 request rules referencing the same table will be skipped and their ACLs will
7689 not be evaluated.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007690
7691 The "store-request" rules are evaluated once the server connection has been
7692 established, so that the table will contain the real server that processed
7693 the request.
7694
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007695 Note : Consider not using this feature in multi-process mode (nbproc > 1)
7696 unless you know what you do : memory is not shared between the
7697 processes, which can result in random behaviours.
7698
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007699 Example :
7700 # forward SMTP users to the same server they just used for POP in the
7701 # last 30 minutes
7702 backend pop
7703 mode tcp
7704 balance roundrobin
7705 stick store-request src
7706 stick-table type ip size 200k expire 30m
7707 server s1 192.168.1.1:110
7708 server s2 192.168.1.1:110
7709
7710 backend smtp
7711 mode tcp
7712 balance roundrobin
7713 stick match src table pop
7714 server s1 192.168.1.1:25
7715 server s2 192.168.1.1:25
7716
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007717 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02007718 about ACLs and sample fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007719
7720
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007721stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +02007722 size <size> [expire <expire>] [nopurge] [peers <peersect>]
7723 [store <data_type>]*
Godbach64cef792013-12-04 16:08:22 +08007724 Configure the stickiness table for the current section
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007725 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02007726 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007727
7728 Arguments :
7729 ip a table declared with "type ip" will only store IPv4 addresses.
7730 This form is very compact (about 50 bytes per entry) and allows
7731 very fast entry lookup and stores with almost no overhead. This
7732 is mainly used to store client source IP addresses.
7733
David du Colombier9a6d3c92011-03-17 10:40:24 +01007734 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
7735 This form is very compact (about 60 bytes per entry) and allows
7736 very fast entry lookup and stores with almost no overhead. This
7737 is mainly used to store client source IP addresses.
7738
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007739 integer a table declared with "type integer" will store 32bit integers
7740 which can represent a client identifier found in a request for
7741 instance.
7742
7743 string a table declared with "type string" will store substrings of up
7744 to <len> characters. If the string provided by the pattern
7745 extractor is larger than <len>, it will be truncated before
7746 being stored. During matching, at most <len> characters will be
7747 compared between the string in the table and the extracted
7748 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007749 to 32 characters.
7750
7751 binary a table declared with "type binary" will store binary blocks
7752 of <len> bytes. If the block provided by the pattern
7753 extractor is larger than <len>, it will be truncated before
Willy Tarreaube722a22014-06-13 16:31:59 +02007754 being stored. If the block provided by the sample expression
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007755 is shorter than <len>, it will be padded by 0. When not
7756 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007757
7758 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007759 "string" type table (See type "string" above). Or the number
7760 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007761 changing this parameter as memory usage will proportionally
7762 increase.
7763
7764 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01007765 value directly impacts memory usage. Count approximately
7766 50 bytes per entry, plus the size of a string if any. The size
7767 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007768
7769 [nopurge] indicates that we refuse to purge older entries when the table
7770 is full. When not specified and the table is full when haproxy
7771 wants to store an entry in it, it will flush a few of the oldest
7772 entries in order to release some space for the new ones. This is
7773 most often the desired behaviour. In some specific cases, it
7774 be desirable to refuse new entries instead of purging the older
7775 ones. That may be the case when the amount of data to store is
7776 far above the hardware limits and we prefer not to offer access
7777 to new clients than to reject the ones already connected. When
7778 using this parameter, be sure to properly set the "expire"
7779 parameter (see below).
7780
Emeric Brunf099e792010-09-27 12:05:28 +02007781 <peersect> is the name of the peers section to use for replication. Entries
7782 which associate keys to server IDs are kept synchronized with
7783 the remote peers declared in this section. All entries are also
7784 automatically learned from the local peer (old process) during a
7785 soft restart.
7786
Willy Tarreau1abc6732015-05-01 19:21:02 +02007787 NOTE : each peers section may be referenced only by tables
7788 belonging to the same unique process.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007789
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007790 <expire> defines the maximum duration of an entry in the table since it
7791 was last created, refreshed or matched. The expiration delay is
7792 defined using the standard time format, similarly as the various
7793 timeouts. The maximum duration is slightly above 24 days. See
7794 section 2.2 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +02007795 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007796 be removed once full. Be sure not to use the "nopurge" parameter
7797 if not expiration delay is specified.
7798
Willy Tarreau08d5f982010-06-06 13:34:54 +02007799 <data_type> is used to store additional information in the stick-table. This
7800 may be used by ACLs in order to control various criteria related
7801 to the activity of the client matching the stick-table. For each
7802 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02007803 that the additional data can fit. Several data types may be
7804 stored with an entry. Multiple data types may be specified after
7805 the "store" keyword, as a comma-separated list. Alternatively,
7806 it is possible to repeat the "store" keyword followed by one or
7807 several data types. Except for the "server_id" type which is
7808 automatically detected and enabled, all data types must be
7809 explicitly declared to be stored. If an ACL references a data
7810 type which is not stored, the ACL will simply not match. Some
7811 data types require an argument which must be passed just after
7812 the type between parenthesis. See below for the supported data
7813 types and their arguments.
7814
7815 The data types that can be stored with an entry are the following :
7816 - server_id : this is an integer which holds the numeric ID of the server a
7817 request was assigned to. It is used by the "stick match", "stick store",
7818 and "stick on" rules. It is automatically enabled when referenced.
7819
7820 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
7821 integer which may be used for anything. Most of the time it will be used
7822 to put a special tag on some entries, for instance to note that a
7823 specific behaviour was detected and must be known for future matches.
7824
Willy Tarreauba2ffd12013-05-29 15:54:14 +02007825 - gpc0_rate(<period>) : increment rate of the first General Purpose Counter
7826 over a period. It is a positive 32-bit integer integer which may be used
7827 for anything. Just like <gpc0>, it counts events, but instead of keeping
7828 a cumulative count, it maintains the rate at which the counter is
7829 incremented. Most of the time it will be used to measure the frequency of
7830 occurrence of certain events (eg: requests to a specific URL).
7831
Willy Tarreauc9705a12010-07-27 20:05:50 +02007832 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
7833 the absolute number of connections received from clients which matched
7834 this entry. It does not mean the connections were accepted, just that
7835 they were received.
7836
7837 - conn_cur : Current Connections. It is a positive 32-bit integer which
7838 stores the concurrent connection counts for the entry. It is incremented
7839 once an incoming connection matches the entry, and decremented once the
7840 connection leaves. That way it is possible to know at any time the exact
7841 number of concurrent connections for an entry.
7842
7843 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7844 integer parameter <period> which indicates in milliseconds the length
7845 of the period over which the average is measured. It reports the average
7846 incoming connection rate over that period, in connections per period. The
7847 result is an integer which can be matched using ACLs.
7848
7849 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
7850 the absolute number of sessions received from clients which matched this
7851 entry. A session is a connection that was accepted by the layer 4 rules.
7852
7853 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7854 integer parameter <period> which indicates in milliseconds the length
7855 of the period over which the average is measured. It reports the average
7856 incoming session rate over that period, in sessions per period. The
7857 result is an integer which can be matched using ACLs.
7858
7859 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
7860 counts the absolute number of HTTP requests received from clients which
7861 matched this entry. It does not matter whether they are valid requests or
7862 not. Note that this is different from sessions when keep-alive is used on
7863 the client side.
7864
7865 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7866 integer parameter <period> which indicates in milliseconds the length
7867 of the period over which the average is measured. It reports the average
7868 HTTP request rate over that period, in requests per period. The result is
7869 an integer which can be matched using ACLs. It does not matter whether
7870 they are valid requests or not. Note that this is different from sessions
7871 when keep-alive is used on the client side.
7872
7873 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
7874 counts the absolute number of HTTP requests errors induced by clients
7875 which matched this entry. Errors are counted on invalid and truncated
7876 requests, as well as on denied or tarpitted requests, and on failed
7877 authentications. If the server responds with 4xx, then the request is
7878 also counted as an error since it's an error triggered by the client
7879 (eg: vulnerability scan).
7880
7881 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7882 integer parameter <period> which indicates in milliseconds the length
7883 of the period over which the average is measured. It reports the average
7884 HTTP request error rate over that period, in requests per period (see
7885 http_err_cnt above for what is accounted as an error). The result is an
7886 integer which can be matched using ACLs.
7887
7888 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
7889 integer which counts the cumulated amount of bytes received from clients
7890 which matched this entry. Headers are included in the count. This may be
7891 used to limit abuse of upload features on photo or video servers.
7892
7893 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7894 integer parameter <period> which indicates in milliseconds the length
7895 of the period over which the average is measured. It reports the average
7896 incoming bytes rate over that period, in bytes per period. It may be used
7897 to detect users which upload too much and too fast. Warning: with large
7898 uploads, it is possible that the amount of uploaded data will be counted
7899 once upon termination, thus causing spikes in the average transfer speed
7900 instead of having a smooth one. This may partially be smoothed with
7901 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
7902 recommended for better fairness.
7903
7904 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
7905 integer which counts the cumulated amount of bytes sent to clients which
7906 matched this entry. Headers are included in the count. This may be used
7907 to limit abuse of bots sucking the whole site.
7908
7909 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
7910 an integer parameter <period> which indicates in milliseconds the length
7911 of the period over which the average is measured. It reports the average
7912 outgoing bytes rate over that period, in bytes per period. It may be used
7913 to detect users which download too much and too fast. Warning: with large
7914 transfers, it is possible that the amount of transferred data will be
7915 counted once upon termination, thus causing spikes in the average
7916 transfer speed instead of having a smooth one. This may partially be
7917 smoothed with "option contstats" though this is not perfect yet. Use of
7918 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02007919
Willy Tarreauc00cdc22010-06-06 16:48:26 +02007920 There is only one stick-table per proxy. At the moment of writing this doc,
7921 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007922 to be required, simply create a dummy backend with a stick-table in it and
7923 reference it.
7924
7925 It is important to understand that stickiness based on learning information
7926 has some limitations, including the fact that all learned associations are
7927 lost upon restart. In general it can be good as a complement but not always
7928 as an exclusive stickiness.
7929
Willy Tarreauc9705a12010-07-27 20:05:50 +02007930 Last, memory requirements may be important when storing many data types.
7931 Indeed, storing all indicators above at once in each entry requires 116 bytes
7932 per entry, or 116 MB for a 1-million entries table. This is definitely not
7933 something that can be ignored.
7934
7935 Example:
7936 # Keep track of counters of up to 1 million IP addresses over 5 minutes
7937 # and store a general purpose counter and the average connection rate
7938 # computed over a sliding window of 30 seconds.
7939 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
7940
7941 See also : "stick match", "stick on", "stick store-request", section 2.2
David du Colombiera13d1b92011-03-17 10:40:22 +01007942 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007943
7944
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007945stick store-response <pattern> [table <table>] [{if | unless} <condition>]
7946 Define a request pattern used to create an entry in a stickiness table
7947 May be used in sections : defaults | frontend | listen | backend
7948 no | no | yes | yes
7949
7950 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007951 <pattern> is a sample expression rule as described in section 7.3. It
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007952 describes what elements of the response or connection will
7953 be analysed, extracted and stored in the table once a
7954 server is selected.
7955
7956 <table> is an optional stickiness table name. If unspecified, the same
7957 backend's table is used. A stickiness table is declared using
7958 the "stick-table" statement.
7959
7960 <cond> is an optional storage condition. It makes it possible to store
7961 certain criteria only when some conditions are met (or not met).
7962 For instance, it could be used to store the SSL session ID only
7963 when the response is a SSL server hello.
7964
7965 Some protocols or applications require complex stickiness rules and cannot
7966 always simply rely on cookies nor hashing. The "stick store-response"
7967 statement describes a rule to decide what to extract from the response and
7968 when to do it, in order to store it into a stickiness table for further
7969 requests to match it using the "stick match" statement. Obviously the
7970 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007971 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007972 See section 7 for a complete list of possible patterns and transformation
7973 rules.
7974
7975 The table has to be declared using the "stick-table" statement. It must be of
7976 a type compatible with the pattern. By default it is the one which is present
7977 in the same backend. It is possible to share a table with other backends by
7978 referencing it using the "table" keyword. If another table is referenced,
7979 the server's ID inside the backends are used. By default, all server IDs
7980 start at 1 in each backend, so the server ordering is enough. But in case of
7981 doubt, it is highly recommended to force server IDs using their "id" setting.
7982
7983 It is possible to restrict the conditions where a "stick store-response"
7984 statement will apply, using "if" or "unless" followed by a condition. This
7985 condition will be evaluated while parsing the response, so any criteria can
7986 be used. See section 7 for ACL based conditions.
7987
7988 There is no limit on the number of "stick store-response" statements, but
7989 there is a limit of 8 simultaneous stores per request or response. This
7990 makes it possible to store up to 8 criteria, all extracted from either the
7991 request or the response, regardless of the number of rules. Only the 8 first
7992 ones which match will be kept. Using this, it is possible to feed multiple
7993 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01007994 another protocol or access method. Using multiple store-response rules with
7995 the same table is possible and may be used to find the best criterion to rely
7996 on, by arranging the rules by decreasing preference order. Only the first
7997 extracted criterion for a given table will be stored. All subsequent store-
7998 response rules referencing the same table will be skipped and their ACLs will
7999 not be evaluated. However, even if a store-request rule references a table, a
8000 store-response rule may also use the same table. This means that each table
8001 may learn exactly one element from the request and one element from the
8002 response at once.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008003
8004 The table will contain the real server that processed the request.
8005
8006 Example :
8007 # Learn SSL session ID from both request and response and create affinity.
8008 backend https
8009 mode tcp
8010 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +02008011 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008012 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008013
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008014 acl clienthello req_ssl_hello_type 1
8015 acl serverhello rep_ssl_hello_type 2
8016
8017 # use tcp content accepts to detects ssl client and server hello.
8018 tcp-request inspect-delay 5s
8019 tcp-request content accept if clienthello
8020
8021 # no timeout on response inspect delay by default.
8022 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008023
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008024 # SSL session ID (SSLID) may be present on a client or server hello.
8025 # Its length is coded on 1 byte at offset 43 and its value starts
8026 # at offset 44.
8027
8028 # Match and learn on request if client hello.
8029 stick on payload_lv(43,1) if clienthello
8030
8031 # Learn on response if server hello.
8032 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +02008033
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008034 server s1 192.168.1.1:443
8035 server s2 192.168.1.1:443
8036
8037 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
8038 extraction.
8039
8040
Willy Tarreau938c7fe2014-04-25 14:21:39 +02008041tcp-check connect [params*]
8042 Opens a new connection
8043 May be used in sections: defaults | frontend | listen | backend
8044 no | no | yes | yes
8045
8046 When an application lies on more than a single TCP port or when HAProxy
8047 load-balance many services in a single backend, it makes sense to probe all
8048 the services individually before considering a server as operational.
8049
8050 When there are no TCP port configured on the server line neither server port
8051 directive, then the 'tcp-check connect port <port>' must be the first step
8052 of the sequence.
8053
8054 In a tcp-check ruleset a 'connect' is required, it is also mandatory to start
8055 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
8056 do.
8057
8058 Parameters :
8059 They are optional and can be used to describe how HAProxy should open and
8060 use the TCP connection.
8061
8062 port if not set, check port or server port is used.
8063 It tells HAProxy where to open the connection to.
8064 <port> must be a valid TCP port source integer, from 1 to 65535.
8065
8066 send-proxy send a PROXY protocol string
8067
8068 ssl opens a ciphered connection
8069
8070 Examples:
8071 # check HTTP and HTTPs services on a server.
8072 # first open port 80 thanks to server line port directive, then
8073 # tcp-check opens port 443, ciphered and run a request on it:
8074 option tcp-check
8075 tcp-check connect
8076 tcp-check send GET\ /\ HTTP/1.0\r\n
8077 tcp-check send Host:\ haproxy.1wt.eu\r\n
8078 tcp-check send \r\n
8079 tcp-check expect rstring (2..|3..)
8080 tcp-check connect port 443 ssl
8081 tcp-check send GET\ /\ HTTP/1.0\r\n
8082 tcp-check send Host:\ haproxy.1wt.eu\r\n
8083 tcp-check send \r\n
8084 tcp-check expect rstring (2..|3..)
8085 server www 10.0.0.1 check port 80
8086
8087 # check both POP and IMAP from a single server:
8088 option tcp-check
8089 tcp-check connect port 110
8090 tcp-check expect string +OK\ POP3\ ready
8091 tcp-check connect port 143
8092 tcp-check expect string *\ OK\ IMAP4\ ready
8093 server mail 10.0.0.1 check
8094
8095 See also : "option tcp-check", "tcp-check send", "tcp-check expect"
8096
8097
8098tcp-check expect [!] <match> <pattern>
8099 Specify data to be collected and analysed during a generic health check
8100 May be used in sections: defaults | frontend | listen | backend
8101 no | no | yes | yes
8102
8103 Arguments :
8104 <match> is a keyword indicating how to look for a specific pattern in the
8105 response. The keyword may be one of "string", "rstring" or
8106 binary.
8107 The keyword may be preceded by an exclamation mark ("!") to negate
8108 the match. Spaces are allowed between the exclamation mark and the
8109 keyword. See below for more details on the supported keywords.
8110
8111 <pattern> is the pattern to look for. It may be a string or a regular
8112 expression. If the pattern contains spaces, they must be escaped
8113 with the usual backslash ('\').
8114 If the match is set to binary, then the pattern must be passed as
8115 a serie of hexadecimal digits in an even number. Each sequence of
8116 two digits will represent a byte. The hexadecimal digits may be
8117 used upper or lower case.
8118
8119
8120 The available matches are intentionally similar to their http-check cousins :
8121
8122 string <string> : test the exact string matches in the response buffer.
8123 A health check response will be considered valid if the
8124 response's buffer contains this exact string. If the
8125 "string" keyword is prefixed with "!", then the response
8126 will be considered invalid if the body contains this
8127 string. This can be used to look for a mandatory pattern
8128 in a protocol response, or to detect a failure when a
8129 specific error appears in a protocol banner.
8130
8131 rstring <regex> : test a regular expression on the response buffer.
8132 A health check response will be considered valid if the
8133 response's buffer matches this expression. If the
8134 "rstring" keyword is prefixed with "!", then the response
8135 will be considered invalid if the body matches the
8136 expression.
8137
8138 binary <hexstring> : test the exact string in its hexadecimal form matches
8139 in the response buffer. A health check response will
8140 be considered valid if the response's buffer contains
8141 this exact hexadecimal string.
8142 Purpose is to match data on binary protocols.
8143
8144 It is important to note that the responses will be limited to a certain size
8145 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
8146 Thus, too large responses may not contain the mandatory pattern when using
8147 "string", "rstring" or binary. If a large response is absolutely required, it
8148 is possible to change the default max size by setting the global variable.
8149 However, it is worth keeping in mind that parsing very large responses can
8150 waste some CPU cycles, especially when regular expressions are used, and that
8151 it is always better to focus the checks on smaller resources. Also, in its
8152 current state, the check will not find any string nor regex past a null
8153 character in the response. Similarly it is not possible to request matching
8154 the null character.
8155
8156 Examples :
8157 # perform a POP check
8158 option tcp-check
8159 tcp-check expect string +OK\ POP3\ ready
8160
8161 # perform an IMAP check
8162 option tcp-check
8163 tcp-check expect string *\ OK\ IMAP4\ ready
8164
8165 # look for the redis master server
8166 option tcp-check
8167 tcp-check send PING\r\n
Baptiste Assmanna3322992015-08-04 10:12:18 +02008168 tcp-check expect string +PONG
Willy Tarreau938c7fe2014-04-25 14:21:39 +02008169 tcp-check send info\ replication\r\n
8170 tcp-check expect string role:master
8171 tcp-check send QUIT\r\n
8172 tcp-check expect string +OK
8173
8174
8175 See also : "option tcp-check", "tcp-check connect", "tcp-check send",
8176 "tcp-check send-binary", "http-check expect", tune.chksize
8177
8178
8179tcp-check send <data>
8180 Specify a string to be sent as a question during a generic health check
8181 May be used in sections: defaults | frontend | listen | backend
8182 no | no | yes | yes
8183
8184 <data> : the data to be sent as a question during a generic health check
8185 session. For now, <data> must be a string.
8186
8187 Examples :
8188 # look for the redis master server
8189 option tcp-check
8190 tcp-check send info\ replication\r\n
8191 tcp-check expect string role:master
8192
8193 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
8194 "tcp-check send-binary", tune.chksize
8195
8196
8197tcp-check send-binary <hexastring>
8198 Specify an hexa digits string to be sent as a binary question during a raw
8199 tcp health check
8200 May be used in sections: defaults | frontend | listen | backend
8201 no | no | yes | yes
8202
8203 <data> : the data to be sent as a question during a generic health check
8204 session. For now, <data> must be a string.
8205 <hexastring> : test the exact string in its hexadecimal form matches in the
8206 response buffer. A health check response will be considered
8207 valid if the response's buffer contains this exact
8208 hexadecimal string.
8209 Purpose is to send binary data to ask on binary protocols.
8210
8211 Examples :
8212 # redis check in binary
8213 option tcp-check
8214 tcp-check send-binary 50494e470d0a # PING\r\n
8215 tcp-check expect binary 2b504F4e47 # +PONG
8216
8217
8218 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
8219 "tcp-check send", tune.chksize
8220
8221
Willy Tarreaue9656522010-08-17 15:40:09 +02008222tcp-request connection <action> [{if | unless} <condition>]
8223 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02008224 May be used in sections : defaults | frontend | listen | backend
8225 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02008226 Arguments :
8227 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008228 actions include : "accept", "reject", "track-sc0", "track-sc1",
8229 "track-sc2", and "expect-proxy". See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02008230
Willy Tarreaue9656522010-08-17 15:40:09 +02008231 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008232
8233 Immediately after acceptance of a new incoming connection, it is possible to
8234 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02008235 or dropped or have its counters tracked. Those conditions cannot make use of
8236 any data contents because the connection has not been read from yet, and the
8237 buffers are not yet allocated. This is used to selectively and very quickly
8238 accept or drop connections from various sources with a very low overhead. If
8239 some contents need to be inspected in order to take the decision, the
8240 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008241
Willy Tarreaue9656522010-08-17 15:40:09 +02008242 The "tcp-request connection" rules are evaluated in their exact declaration
8243 order. If no rule matches or if there is no rule, the default action is to
8244 accept the incoming connection. There is no specific limit to the number of
8245 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008246
Willy Tarreaua9083d02015-05-08 15:27:59 +02008247 Four types of actions are supported :
Willy Tarreaue9656522010-08-17 15:40:09 +02008248 - accept :
8249 accepts the connection if the condition is true (when used with "if")
8250 or false (when used with "unless"). The first such rule executed ends
8251 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008252
Willy Tarreaue9656522010-08-17 15:40:09 +02008253 - reject :
8254 rejects the connection if the condition is true (when used with "if")
8255 or false (when used with "unless"). The first such rule executed ends
8256 the rules evaluation. Rejected connections do not even become a
8257 session, which is why they are accounted separately for in the stats,
8258 as "denied connections". They are not considered for the session
8259 rate-limit and are not logged either. The reason is that these rules
8260 should only be used to filter extremely high connection rates such as
8261 the ones encountered during a massive DDoS attack. Under these extreme
8262 conditions, the simple action of logging each event would make the
8263 system collapse and would considerably lower the filtering capacity. If
8264 logging is absolutely desired, then "tcp-request content" rules should
8265 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008266
Willy Tarreau4f0d9192013-06-11 20:40:55 +02008267 - expect-proxy layer4 :
8268 configures the client-facing connection to receive a PROXY protocol
8269 header before any byte is read from the socket. This is equivalent to
8270 having the "accept-proxy" keyword on the "bind" line, except that using
8271 the TCP rule allows the PROXY protocol to be accepted only for certain
8272 IP address ranges using an ACL. This is convenient when multiple layers
8273 of load balancers are passed through by traffic coming from public
8274 hosts.
8275
Willy Tarreau18bf01e2014-06-13 16:18:52 +02008276 - capture <sample> len <length> :
8277 This only applies to "tcp-request content" rules. It captures sample
8278 expression <sample> from the request buffer, and converts it to a
8279 string of at most <len> characters. The resulting string is stored into
8280 the next request "capture" slot, so it will possibly appear next to
8281 some captured HTTP headers. It will then automatically appear in the
8282 logs, and it will be possible to extract it using sample fetch rules to
8283 feed it into headers or anything. The length should be limited given
8284 that this size will be allocated for each capture during the whole
Willy Tarreaua9083d02015-05-08 15:27:59 +02008285 session life. Please check section 7.3 (Fetching samples) and "capture
8286 request header" for more information.
Willy Tarreau18bf01e2014-06-13 16:18:52 +02008287
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008288 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
Willy Tarreaue9656522010-08-17 15:40:09 +02008289 enables tracking of sticky counters from current connection. These
Willy Tarreau09448f72014-06-25 18:12:15 +02008290 rules do not stop evaluation and do not change default action. 3 sets
Willy Tarreaue9656522010-08-17 15:40:09 +02008291 of counters may be simultaneously tracked by the same connection. The
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008292 first "track-sc0" rule executed enables tracking of the counters of the
8293 specified table as the first set. The first "track-sc1" rule executed
Willy Tarreaue9656522010-08-17 15:40:09 +02008294 enables tracking of the counters of the specified table as the second
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008295 set. The first "track-sc2" rule executed enables tracking of the
8296 counters of the specified table as the third set. It is a recommended
8297 practice to use the first set of counters for the per-frontend counters
8298 and the second set for the per-backend ones. But this is just a
8299 guideline, all may be used everywhere.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008300
Willy Tarreaue9656522010-08-17 15:40:09 +02008301 These actions take one or two arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02008302 <key> is mandatory, and is a sample expression rule as described
Willy Tarreau74ca5042013-06-11 23:12:07 +02008303 in section 7.3. It describes what elements of the incoming
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01008304 request or connection will be analysed, extracted, combined,
8305 and used to select which table entry to update the counters.
8306 Note that "tcp-request connection" cannot use content-based
8307 fetches.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008308
Willy Tarreaue9656522010-08-17 15:40:09 +02008309 <table> is an optional table to be used instead of the default one,
8310 which is the stick-table declared in the current proxy. All
8311 the counters for the matches and updates for the key will
8312 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008313
Willy Tarreaue9656522010-08-17 15:40:09 +02008314 Once a "track-sc*" rule is executed, the key is looked up in the table
8315 and if it is not found, an entry is allocated for it. Then a pointer to
8316 that entry is kept during all the session's life, and this entry's
8317 counters are updated as often as possible, every time the session's
8318 counters are updated, and also systematically when the session ends.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01008319 Counters are only updated for events that happen after the tracking has
8320 been started. For example, connection counters will not be updated when
8321 tracking layer 7 information, since the connection event happens before
8322 layer7 information is extracted.
8323
Willy Tarreaue9656522010-08-17 15:40:09 +02008324 If the entry tracks concurrent connection counters, one connection is
8325 counted for as long as the entry is tracked, and the entry will not
8326 expire during that time. Tracking counters also provides a performance
8327 advantage over just checking the keys, because only one table lookup is
8328 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008329
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02008330 - sc-inc-gpc0(<sc-id>):
8331 The "sc-inc-gpc0" increments the GPC0 counter according to the sticky
8332 counter designated by <sc-id>. If an error occurs, this action silently
8333 fails and the actions evaluation continues.
8334
Thierry FOURNIER236657b2015-08-19 08:25:14 +02008335 - sc-set-gpt0(<sc-id>) <int>:
8336 This action sets the GPT0 tag according to the sticky counter designated
8337 by <sc-id> and the value of <int>. The expected result is a boolean. If
8338 an error occurs, this action silently fails and the actions evaluation
8339 continues.
8340
Willy Tarreaue9656522010-08-17 15:40:09 +02008341 Note that the "if/unless" condition is optional. If no condition is set on
8342 the action, it is simply performed unconditionally. That can be useful for
8343 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008344
Willy Tarreaue9656522010-08-17 15:40:09 +02008345 Example: accept all connections from white-listed hosts, reject too fast
8346 connection without counting them, and track accepted connections.
8347 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008348
Willy Tarreaue9656522010-08-17 15:40:09 +02008349 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008350 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008351 tcp-request connection track-sc0 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008352
Willy Tarreaue9656522010-08-17 15:40:09 +02008353 Example: accept all connections from white-listed hosts, count all other
8354 connections and reject too fast ones. This results in abusive ones
8355 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008356
Willy Tarreaue9656522010-08-17 15:40:09 +02008357 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008358 tcp-request connection track-sc0 src
8359 tcp-request connection reject if { sc0_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008360
Willy Tarreau4f0d9192013-06-11 20:40:55 +02008361 Example: enable the PROXY protocol for traffic coming from all known proxies.
8362
8363 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
8364
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008365 See section 7 about ACL usage.
8366
Willy Tarreaue9656522010-08-17 15:40:09 +02008367 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008368
8369
Willy Tarreaue9656522010-08-17 15:40:09 +02008370tcp-request content <action> [{if | unless} <condition>]
8371 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02008372 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02008373 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02008374 Arguments :
8375 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008376 actions include : "accept", "reject", "track-sc0", "track-sc1",
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02008377 "track-sc2", "sc-inc-gpc0", "sc-set-gpt0", "capture" and "lua".
8378 See "tcp-request connection" above for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02008379
Willy Tarreaue9656522010-08-17 15:40:09 +02008380 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02008381
Willy Tarreaue9656522010-08-17 15:40:09 +02008382 A request's contents can be analysed at an early stage of request processing
8383 called "TCP content inspection". During this stage, ACL-based rules are
8384 evaluated every time the request contents are updated, until either an
8385 "accept" or a "reject" rule matches, or the TCP request inspection delay
8386 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02008387
Willy Tarreaue9656522010-08-17 15:40:09 +02008388 The first difference between these rules and "tcp-request connection" rules
8389 is that "tcp-request content" rules can make use of contents to take a
8390 decision. Most often, these decisions will consider a protocol recognition or
8391 validity. The second difference is that content-based rules can be used in
Willy Tarreauf3338342014-01-28 21:40:28 +01008392 both frontends and backends. In case of HTTP keep-alive with the client, all
8393 tcp-request content rules are evaluated again, so haproxy keeps a record of
8394 what sticky counters were assigned by a "tcp-request connection" versus a
8395 "tcp-request content" rule, and flushes all the content-related ones after
8396 processing an HTTP request, so that they may be evaluated again by the rules
8397 being evaluated again for the next request. This is of particular importance
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008398 when the rule tracks some L7 information or when it is conditioned by an
Willy Tarreauf3338342014-01-28 21:40:28 +01008399 L7-based ACL, since tracking may change between requests.
Willy Tarreau62644772008-07-16 18:36:06 +02008400
Willy Tarreaue9656522010-08-17 15:40:09 +02008401 Content-based rules are evaluated in their exact declaration order. If no
8402 rule matches or if there is no rule, the default action is to accept the
8403 contents. There is no specific limit to the number of rules which may be
8404 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02008405
Thierry FOURNIER236657b2015-08-19 08:25:14 +02008406 Several types of actions are supported :
Willy Tarreau18bf01e2014-06-13 16:18:52 +02008407 - accept : the request is accepted
8408 - reject : the request is rejected and the connection is closed
8409 - capture : the specified sample expression is captured
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008410 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02008411 - sc-inc-gpc0(<sc-id>)
Thierry FOURNIER236657b2015-08-19 08:25:14 +02008412 - set-gpt0(<sc-id>) <int>
Thierry FOURNIER69717b42015-06-04 12:23:41 +02008413 - lua <function>
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02008414 - set-var(<var-name>) <expr>
Willy Tarreau62644772008-07-16 18:36:06 +02008415
Willy Tarreaue9656522010-08-17 15:40:09 +02008416 They have the same meaning as their counter-parts in "tcp-request connection"
8417 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02008418
Willy Tarreauf3338342014-01-28 21:40:28 +01008419 While there is nothing mandatory about it, it is recommended to use the
8420 track-sc0 in "tcp-request connection" rules, track-sc1 for "tcp-request
8421 content" rules in the frontend, and track-sc2 for "tcp-request content"
8422 rules in the backend, because that makes the configuration more readable
8423 and easier to troubleshoot, but this is just a guideline and all counters
8424 may be used everywhere.
Willy Tarreau62644772008-07-16 18:36:06 +02008425
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008426 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02008427 the action, it is simply performed unconditionally. That can be useful for
8428 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02008429
Willy Tarreaue9656522010-08-17 15:40:09 +02008430 It is perfectly possible to match layer 7 contents with "tcp-request content"
Willy Tarreauc0239e02012-04-16 14:42:55 +02008431 rules, since HTTP-specific ACL matches are able to preliminarily parse the
8432 contents of a buffer before extracting the required data. If the buffered
8433 contents do not parse as a valid HTTP message, then the ACL does not match.
8434 The parser which is involved there is exactly the same as for all other HTTP
Willy Tarreauf3338342014-01-28 21:40:28 +01008435 processing, so there is no risk of parsing something differently. In an HTTP
8436 backend connected to from an HTTP frontend, it is guaranteed that HTTP
8437 contents will always be immediately present when the rule is evaluated first.
Willy Tarreau62644772008-07-16 18:36:06 +02008438
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01008439 Tracking layer7 information is also possible provided that the information
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02008440 are present when the rule is processed. The rule processing engine is able to
8441 wait until the inspect delay expires when the data to be tracked is not yet
8442 available.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01008443
Thierry FOURNIER90da1912015-03-05 11:17:06 +01008444 The "lua" keyword is followed by a Lua function name. It is used to run a Lua
8445 function if the action is executed. The single parameter is the name of the
8446 function to run. The prototype of the function is documented in the API
8447 documentation.
8448
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02008449 The "set-var" is used to set the content of a variable. The variable is
8450 declared inline.
8451
8452 <var-name> The name of the variable starts by an indication about its scope.
8453 The allowed scopes are:
8454 "sess" : the variable is shared with all the session,
8455 "txn" : the variable is shared with all the transaction
8456 (request and response)
8457 "req" : the variable is shared only during the request
8458 processing
8459 "res" : the variable is shared only during the response
8460 processing.
8461 This prefix is followed by a name. The separator is a '.'.
8462 The name may only contain characters 'a-z', 'A-Z', '0-9' and '_'.
8463
8464 <expr> Is a standard HAProxy expression formed by a sample-fetch
8465 followed by some converters.
8466
8467 Example:
8468
8469 tcp-request content set-var(sess.my_var) src
8470
Willy Tarreau62644772008-07-16 18:36:06 +02008471 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02008472 # Accept HTTP requests containing a Host header saying "example.com"
8473 # and reject everything else.
8474 acl is_host_com hdr(Host) -i example.com
8475 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +02008476 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +02008477 tcp-request content reject
8478
8479 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02008480 # reject SMTP connection if client speaks first
8481 tcp-request inspect-delay 30s
8482 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008483 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02008484
8485 # Forward HTTPS connection only if client speaks
8486 tcp-request inspect-delay 30s
8487 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02008488 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02008489 tcp-request content reject
8490
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01008491 Example:
8492 # Track the last IP from X-Forwarded-For
8493 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02008494 tcp-request content track-sc0 hdr(x-forwarded-for,-1)
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01008495
8496 Example:
8497 # track request counts per "base" (concatenation of Host+URL)
8498 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02008499 tcp-request content track-sc0 base table req-rate
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01008500
Willy Tarreaue9656522010-08-17 15:40:09 +02008501 Example: track per-frontend and per-backend counters, block abusers at the
8502 frontend when the backend detects abuse.
8503
8504 frontend http
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008505 # Use General Purpose Couter 0 in SC0 as a global abuse counter
Willy Tarreaue9656522010-08-17 15:40:09 +02008506 # protecting all our sites
8507 stick-table type ip size 1m expire 5m store gpc0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008508 tcp-request connection track-sc0 src
8509 tcp-request connection reject if { sc0_get_gpc0 gt 0 }
Willy Tarreaue9656522010-08-17 15:40:09 +02008510 ...
8511 use_backend http_dynamic if { path_end .php }
8512
8513 backend http_dynamic
8514 # if a source makes too fast requests to this dynamic site (tracked
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008515 # by SC1), block it globally in the frontend.
Willy Tarreaue9656522010-08-17 15:40:09 +02008516 stick-table type ip size 1m expire 5m store http_req_rate(10s)
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02008517 acl click_too_fast sc1_http_req_rate gt 10
8518 acl mark_as_abuser sc0_inc_gpc0 gt 0
8519 tcp-request content track-sc1 src
Willy Tarreaue9656522010-08-17 15:40:09 +02008520 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02008521
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008522 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02008523
Willy Tarreaue9656522010-08-17 15:40:09 +02008524 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02008525
8526
8527tcp-request inspect-delay <timeout>
8528 Set the maximum allowed time to wait for data during content inspection
8529 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02008530 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02008531 Arguments :
8532 <timeout> is the timeout value specified in milliseconds by default, but
8533 can be in any other unit if the number is suffixed by the unit,
8534 as explained at the top of this document.
8535
8536 People using haproxy primarily as a TCP relay are often worried about the
8537 risk of passing any type of protocol to a server without any analysis. In
8538 order to be able to analyze the request contents, we must first withhold
8539 the data then analyze them. This statement simply enables withholding of
8540 data for at most the specified amount of time.
8541
Willy Tarreaufb356202010-08-03 14:02:05 +02008542 TCP content inspection applies very early when a connection reaches a
8543 frontend, then very early when the connection is forwarded to a backend. This
8544 means that a connection may experience a first delay in the frontend and a
8545 second delay in the backend if both have tcp-request rules.
8546
Willy Tarreau62644772008-07-16 18:36:06 +02008547 Note that when performing content inspection, haproxy will evaluate the whole
8548 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008549 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02008550 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01008551 contents are definitive. If no delay is set, haproxy will not wait at all
8552 and will immediately apply a verdict based on the available information.
8553 Obviously this is unlikely to be very useful and might even be racy, so such
8554 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02008555
8556 As soon as a rule matches, the request is released and continues as usual. If
8557 the timeout is reached and no rule matches, the default policy will be to let
8558 it pass through unaffected.
8559
8560 For most protocols, it is enough to set it to a few seconds, as most clients
8561 send the full request immediately upon connection. Add 3 or more seconds to
8562 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01008563 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02008564 before the server (eg: SMTP), or to wait for a client to talk before passing
8565 data to the server (eg: SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +02008566 least the inspection delay, otherwise it will expire first. If the client
8567 closes the connection or if the buffer is full, the delay immediately expires
8568 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +02008569
Willy Tarreau55165fe2009-05-10 12:02:55 +02008570 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02008571 "timeout client".
8572
8573
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008574tcp-response content <action> [{if | unless} <condition>]
8575 Perform an action on a session response depending on a layer 4-7 condition
8576 May be used in sections : defaults | frontend | listen | backend
8577 no | no | yes | yes
8578 Arguments :
8579 <action> defines the action to perform if the condition applies. Valid
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02008580 actions include : "accept", "close", "reject", "lua",
8581 "sc-inc-gpc0" and "sc-set-gpt0".
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008582
8583 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
8584
8585 Response contents can be analysed at an early stage of response processing
8586 called "TCP content inspection". During this stage, ACL-based rules are
8587 evaluated every time the response contents are updated, until either an
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02008588 "accept", "close" or a "reject" rule matches, or a TCP response inspection
8589 delay is set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008590
8591 Most often, these decisions will consider a protocol recognition or validity.
8592
8593 Content-based rules are evaluated in their exact declaration order. If no
8594 rule matches or if there is no rule, the default action is to accept the
8595 contents. There is no specific limit to the number of rules which may be
8596 inserted.
8597
Thierry FOURNIER236657b2015-08-19 08:25:14 +02008598 Several types of actions are supported :
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008599 - accept :
8600 accepts the response if the condition is true (when used with "if")
8601 or false (when used with "unless"). The first such rule executed ends
8602 the rules evaluation.
8603
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02008604 - close :
8605 immediately closes the connection with the server if the condition is
8606 true (when used with "if"), or false (when used with "unless"). The
8607 first such rule executed ends the rules evaluation. The main purpose of
8608 this action is to force a connection to be finished between a client
8609 and a server after an exchange when the application protocol expects
8610 some long time outs to elapse first. The goal is to eliminate idle
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008611 connections which take significant resources on servers with certain
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02008612 protocols.
8613
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008614 - reject :
8615 rejects the response if the condition is true (when used with "if")
8616 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008617 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008618
Thierry FOURNIER69717b42015-06-04 12:23:41 +02008619 - lua <function>
8620 Executes Lua.
8621
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02008622 - set-var(<var-name>) <expr>
8623 Sets a variable.
8624
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02008625 - sc-inc-gpc0(<sc-id>):
8626 This action increments the GPC0 counter according to the sticky
8627 counter designated by <sc-id>. If an error occurs, this action fails
8628 silently and the actions evaluation continues.
8629
Thierry FOURNIER236657b2015-08-19 08:25:14 +02008630 - sc-set-gpt0(<sc-id>) <int> :
8631 This action sets the GPT0 tag according to the sticky counter designated
8632 by <sc-id> and the value of <int>. The expected result is a boolean. If
8633 an error occurs, this action silently fails and the actions evaluation
8634 continues.
8635
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008636 Note that the "if/unless" condition is optional. If no condition is set on
8637 the action, it is simply performed unconditionally. That can be useful for
8638 for changing the default action to a reject.
8639
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008640 It is perfectly possible to match layer 7 contents with "tcp-response
8641 content" rules, but then it is important to ensure that a full response has
8642 been buffered, otherwise no contents will match. In order to achieve this,
8643 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008644 period.
8645
Thierry FOURNIER90da1912015-03-05 11:17:06 +01008646 The "lua" keyword is followed by a Lua function name. It is used to run a Lua
8647 function if the action is executed. The single parameter is the name of the
8648 function to run. The prototype of the function is documented in the API
8649 documentation.
8650
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02008651 The "set-var" is used to set the content of a variable. The variable is
8652 declared inline.
8653
8654 <var-name> The name of the variable starts by an indication about its scope.
8655 The allowed scopes are:
8656 "sess" : the variable is shared with all the session,
8657 "txn" : the variable is shared with all the transaction
8658 (request and response)
8659 "req" : the variable is shared only during the request
8660 processing
8661 "res" : the variable is shared only during the response
8662 processing.
8663 This prefix is followed by a name. The separator is a '.'.
8664 The name may only contain characters 'a-z', 'A-Z', '0-9' and '_'.
8665
8666 <expr> Is a standard HAProxy expression formed by a sample-fetch
8667 followed by some converters.
8668
8669 Example:
8670
8671 tcp-request content set-var(sess.my_var) src
8672
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008673 See section 7 about ACL usage.
8674
8675 See also : "tcp-request content", "tcp-response inspect-delay"
8676
8677
8678tcp-response inspect-delay <timeout>
8679 Set the maximum allowed time to wait for a response during content inspection
8680 May be used in sections : defaults | frontend | listen | backend
8681 no | no | yes | yes
8682 Arguments :
8683 <timeout> is the timeout value specified in milliseconds by default, but
8684 can be in any other unit if the number is suffixed by the unit,
8685 as explained at the top of this document.
8686
8687 See also : "tcp-response content", "tcp-request inspect-delay".
8688
8689
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008690timeout check <timeout>
8691 Set additional check timeout, but only after a connection has been already
8692 established.
8693
8694 May be used in sections: defaults | frontend | listen | backend
8695 yes | no | yes | yes
8696 Arguments:
8697 <timeout> is the timeout value specified in milliseconds by default, but
8698 can be in any other unit if the number is suffixed by the unit,
8699 as explained at the top of this document.
8700
8701 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
8702 for check and "timeout check" as an additional read timeout. The "min" is
8703 used so that people running with *very* long "timeout connect" (eg. those
8704 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01008705 (Please also note that there is no valid reason to have such long connect
8706 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
8707 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008708
8709 If "timeout check" is not set haproxy uses "inter" for complete check
8710 timeout (connect + read) exactly like all <1.3.15 version.
8711
8712 In most cases check request is much simpler and faster to handle than normal
8713 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01008714 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008715
8716 This parameter is specific to backends, but can be specified once for all in
8717 "defaults" sections. This is in fact one of the easiest solutions not to
8718 forget about it.
8719
Willy Tarreau41a340d2008-01-22 12:25:31 +01008720 See also: "timeout connect", "timeout queue", "timeout server",
8721 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008722
8723
Willy Tarreau0ba27502007-12-24 16:55:16 +01008724timeout client <timeout>
8725timeout clitimeout <timeout> (deprecated)
8726 Set the maximum inactivity time on the client side.
8727 May be used in sections : defaults | frontend | listen | backend
8728 yes | yes | yes | no
8729 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01008730 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01008731 can be in any other unit if the number is suffixed by the unit,
8732 as explained at the top of this document.
8733
8734 The inactivity timeout applies when the client is expected to acknowledge or
8735 send data. In HTTP mode, this timeout is particularly important to consider
8736 during the first phase, when the client sends the request, and during the
8737 response while it is reading data sent by the server. The value is specified
8738 in milliseconds by default, but can be in any other unit if the number is
8739 suffixed by the unit, as specified at the top of this document. In TCP mode
8740 (and to a lesser extent, in HTTP mode), it is highly recommended that the
8741 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008742 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01008743 losses by specifying timeouts that are slightly above multiples of 3 seconds
Willy Tarreauce887fd2012-05-12 12:50:00 +02008744 (eg: 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
8745 sessions (eg: WebSocket and HTTP), it's worth considering "timeout tunnel",
Willy Tarreau05cdd962014-05-10 14:30:07 +02008746 which overrides "timeout client" and "timeout server" for tunnels, as well as
8747 "timeout client-fin" for half-closed connections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008748
8749 This parameter is specific to frontends, but can be specified once for all in
8750 "defaults" sections. This is in fact one of the easiest solutions not to
8751 forget about it. An unspecified timeout results in an infinite timeout, which
8752 is not recommended. Such a usage is accepted and works but reports a warning
8753 during startup because it may results in accumulation of expired sessions in
8754 the system if the system's timeouts are not configured either.
8755
8756 This parameter replaces the old, deprecated "clitimeout". It is recommended
8757 to use it to write new configurations. The form "timeout clitimeout" is
8758 provided only by backwards compatibility but its use is strongly discouraged.
8759
Willy Tarreauce887fd2012-05-12 12:50:00 +02008760 See also : "clitimeout", "timeout server", "timeout tunnel".
Willy Tarreau0ba27502007-12-24 16:55:16 +01008761
8762
Willy Tarreau05cdd962014-05-10 14:30:07 +02008763timeout client-fin <timeout>
8764 Set the inactivity timeout on the client side for half-closed connections.
8765 May be used in sections : defaults | frontend | listen | backend
8766 yes | yes | yes | no
8767 Arguments :
8768 <timeout> is the timeout value specified in milliseconds by default, but
8769 can be in any other unit if the number is suffixed by the unit,
8770 as explained at the top of this document.
8771
8772 The inactivity timeout applies when the client is expected to acknowledge or
8773 send data while one direction is already shut down. This timeout is different
8774 from "timeout client" in that it only applies to connections which are closed
8775 in one direction. This is particularly useful to avoid keeping connections in
8776 FIN_WAIT state for too long when clients do not disconnect cleanly. This
8777 problem is particularly common long connections such as RDP or WebSocket.
8778 Note that this timeout can override "timeout tunnel" when a connection shuts
8779 down in one direction.
8780
8781 This parameter is specific to frontends, but can be specified once for all in
8782 "defaults" sections. By default it is not set, so half-closed connections
8783 will use the other timeouts (timeout.client or timeout.tunnel).
8784
8785 See also : "timeout client", "timeout server-fin", and "timeout tunnel".
8786
8787
Willy Tarreau0ba27502007-12-24 16:55:16 +01008788timeout connect <timeout>
8789timeout contimeout <timeout> (deprecated)
8790 Set the maximum time to wait for a connection attempt to a server to succeed.
8791 May be used in sections : defaults | frontend | listen | backend
8792 yes | no | yes | yes
8793 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01008794 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01008795 can be in any other unit if the number is suffixed by the unit,
8796 as explained at the top of this document.
8797
8798 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008799 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01008800 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01008801 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008802 connect timeout also presets both queue and tarpit timeouts to the same value
8803 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008804
8805 This parameter is specific to backends, but can be specified once for all in
8806 "defaults" sections. This is in fact one of the easiest solutions not to
8807 forget about it. An unspecified timeout results in an infinite timeout, which
8808 is not recommended. Such a usage is accepted and works but reports a warning
8809 during startup because it may results in accumulation of failed sessions in
8810 the system if the system's timeouts are not configured either.
8811
8812 This parameter replaces the old, deprecated "contimeout". It is recommended
8813 to use it to write new configurations. The form "timeout contimeout" is
8814 provided only by backwards compatibility but its use is strongly discouraged.
8815
Willy Tarreau41a340d2008-01-22 12:25:31 +01008816 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
8817 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01008818
8819
Willy Tarreaub16a5742010-01-10 14:46:16 +01008820timeout http-keep-alive <timeout>
8821 Set the maximum allowed time to wait for a new HTTP request to appear
8822 May be used in sections : defaults | frontend | listen | backend
8823 yes | yes | yes | yes
8824 Arguments :
8825 <timeout> is the timeout value specified in milliseconds by default, but
8826 can be in any other unit if the number is suffixed by the unit,
8827 as explained at the top of this document.
8828
8829 By default, the time to wait for a new request in case of keep-alive is set
8830 by "timeout http-request". However this is not always convenient because some
8831 people want very short keep-alive timeouts in order to release connections
8832 faster, and others prefer to have larger ones but still have short timeouts
8833 once the request has started to present itself.
8834
8835 The "http-keep-alive" timeout covers these needs. It will define how long to
8836 wait for a new HTTP request to start coming after a response was sent. Once
8837 the first byte of request has been seen, the "http-request" timeout is used
8838 to wait for the complete request to come. Note that empty lines prior to a
8839 new request do not refresh the timeout and are not counted as a new request.
8840
8841 There is also another difference between the two timeouts : when a connection
8842 expires during timeout http-keep-alive, no error is returned, the connection
8843 just closes. If the connection expires in "http-request" while waiting for a
8844 connection to complete, a HTTP 408 error is returned.
8845
8846 In general it is optimal to set this value to a few tens to hundreds of
8847 milliseconds, to allow users to fetch all objects of a page at once but
8848 without waiting for further clicks. Also, if set to a very small value (eg:
8849 1 millisecond) it will probably only accept pipelined requests but not the
8850 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02008851 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01008852
8853 If this parameter is not set, the "http-request" timeout applies, and if both
8854 are not set, "timeout client" still applies at the lower level. It should be
8855 set in the frontend to take effect, unless the frontend is in TCP mode, in
8856 which case the HTTP backend's timeout will be used.
8857
8858 See also : "timeout http-request", "timeout client".
8859
8860
Willy Tarreau036fae02008-01-06 13:24:40 +01008861timeout http-request <timeout>
8862 Set the maximum allowed time to wait for a complete HTTP request
8863 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02008864 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01008865 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01008866 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01008867 can be in any other unit if the number is suffixed by the unit,
8868 as explained at the top of this document.
8869
8870 In order to offer DoS protection, it may be required to lower the maximum
8871 accepted time to receive a complete HTTP request without affecting the client
8872 timeout. This helps protecting against established connections on which
8873 nothing is sent. The client timeout cannot offer a good protection against
8874 this abuse because it is an inactivity timeout, which means that if the
8875 attacker sends one character every now and then, the timeout will not
8876 trigger. With the HTTP request timeout, no matter what speed the client
Willy Tarreau2705a612014-05-23 17:38:34 +02008877 types, the request will be aborted if it does not complete in time. When the
8878 timeout expires, an HTTP 408 response is sent to the client to inform it
8879 about the problem, and the connection is closed. The logs will report
8880 termination codes "cR". Some recent browsers are having problems with this
8881 standard, well-documented behaviour, so it might be needed to hide the 408
Willy Tarreau0f228a02015-05-01 15:37:53 +02008882 code using "option http-ignore-probes" or "errorfile 408 /dev/null". See
8883 more details in the explanations of the "cR" termination code in section 8.5.
Willy Tarreau036fae02008-01-06 13:24:40 +01008884
8885 Note that this timeout only applies to the header part of the request, and
8886 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01008887 used anymore. It is used again on keep-alive connections to wait for a second
8888 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01008889
8890 Generally it is enough to set it to a few seconds, as most clients send the
8891 full request immediately upon connection. Add 3 or more seconds to cover TCP
8892 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
8893 generally work on local networks as long as there are no packet losses. This
8894 will prevent people from sending bare HTTP requests using telnet.
8895
8896 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02008897 chunk of the incoming request. It should be set in the frontend to take
8898 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
8899 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01008900
Willy Tarreau0f228a02015-05-01 15:37:53 +02008901 See also : "errorfile", "http-ignore-probes", "timeout http-keep-alive", and
8902 "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01008903
Willy Tarreau844e3c52008-01-11 16:28:18 +01008904
8905timeout queue <timeout>
8906 Set the maximum time to wait in the queue for a connection slot to be free
8907 May be used in sections : defaults | frontend | listen | backend
8908 yes | no | yes | yes
8909 Arguments :
8910 <timeout> is the timeout value specified in milliseconds by default, but
8911 can be in any other unit if the number is suffixed by the unit,
8912 as explained at the top of this document.
8913
8914 When a server's maxconn is reached, connections are left pending in a queue
8915 which may be server-specific or global to the backend. In order not to wait
8916 indefinitely, a timeout is applied to requests pending in the queue. If the
8917 timeout is reached, it is considered that the request will almost never be
8918 served, so it is dropped and a 503 error is returned to the client.
8919
8920 The "timeout queue" statement allows to fix the maximum time for a request to
8921 be left pending in a queue. If unspecified, the same value as the backend's
8922 connection timeout ("timeout connect") is used, for backwards compatibility
8923 with older versions with no "timeout queue" parameter.
8924
8925 See also : "timeout connect", "contimeout".
8926
8927
8928timeout server <timeout>
8929timeout srvtimeout <timeout> (deprecated)
8930 Set the maximum inactivity time on the server side.
8931 May be used in sections : defaults | frontend | listen | backend
8932 yes | no | yes | yes
8933 Arguments :
8934 <timeout> is the timeout value specified in milliseconds by default, but
8935 can be in any other unit if the number is suffixed by the unit,
8936 as explained at the top of this document.
8937
8938 The inactivity timeout applies when the server is expected to acknowledge or
8939 send data. In HTTP mode, this timeout is particularly important to consider
8940 during the first phase of the server's response, when it has to send the
8941 headers, as it directly represents the server's processing time for the
8942 request. To find out what value to put there, it's often good to start with
8943 what would be considered as unacceptable response times, then check the logs
8944 to observe the response time distribution, and adjust the value accordingly.
8945
8946 The value is specified in milliseconds by default, but can be in any other
8947 unit if the number is suffixed by the unit, as specified at the top of this
8948 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
8949 recommended that the client timeout remains equal to the server timeout in
8950 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008951 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01008952 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreauce887fd2012-05-12 12:50:00 +02008953 seconds (eg: 4 or 5 seconds minimum). If some long-lived sessions are mixed
8954 with short-lived sessions (eg: WebSocket and HTTP), it's worth considering
8955 "timeout tunnel", which overrides "timeout client" and "timeout server" for
8956 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008957
8958 This parameter is specific to backends, but can be specified once for all in
8959 "defaults" sections. This is in fact one of the easiest solutions not to
8960 forget about it. An unspecified timeout results in an infinite timeout, which
8961 is not recommended. Such a usage is accepted and works but reports a warning
8962 during startup because it may results in accumulation of expired sessions in
8963 the system if the system's timeouts are not configured either.
8964
8965 This parameter replaces the old, deprecated "srvtimeout". It is recommended
8966 to use it to write new configurations. The form "timeout srvtimeout" is
8967 provided only by backwards compatibility but its use is strongly discouraged.
8968
Willy Tarreauce887fd2012-05-12 12:50:00 +02008969 See also : "srvtimeout", "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +01008970
Willy Tarreau05cdd962014-05-10 14:30:07 +02008971
8972timeout server-fin <timeout>
8973 Set the inactivity timeout on the server side for half-closed connections.
8974 May be used in sections : defaults | frontend | listen | backend
8975 yes | no | yes | yes
8976 Arguments :
8977 <timeout> is the timeout value specified in milliseconds by default, but
8978 can be in any other unit if the number is suffixed by the unit,
8979 as explained at the top of this document.
8980
8981 The inactivity timeout applies when the server is expected to acknowledge or
8982 send data while one direction is already shut down. This timeout is different
8983 from "timeout server" in that it only applies to connections which are closed
8984 in one direction. This is particularly useful to avoid keeping connections in
8985 FIN_WAIT state for too long when a remote server does not disconnect cleanly.
8986 This problem is particularly common long connections such as RDP or WebSocket.
8987 Note that this timeout can override "timeout tunnel" when a connection shuts
8988 down in one direction. This setting was provided for completeness, but in most
8989 situations, it should not be needed.
8990
8991 This parameter is specific to backends, but can be specified once for all in
8992 "defaults" sections. By default it is not set, so half-closed connections
8993 will use the other timeouts (timeout.server or timeout.tunnel).
8994
8995 See also : "timeout client-fin", "timeout server", and "timeout tunnel".
8996
Willy Tarreau844e3c52008-01-11 16:28:18 +01008997
8998timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01008999 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01009000 May be used in sections : defaults | frontend | listen | backend
9001 yes | yes | yes | yes
9002 Arguments :
9003 <timeout> is the tarpit duration specified in milliseconds by default, but
9004 can be in any other unit if the number is suffixed by the unit,
9005 as explained at the top of this document.
9006
9007 When a connection is tarpitted using "reqtarpit", it is maintained open with
9008 no activity for a certain amount of time, then closed. "timeout tarpit"
9009 defines how long it will be maintained open.
9010
9011 The value is specified in milliseconds by default, but can be in any other
9012 unit if the number is suffixed by the unit, as specified at the top of this
9013 document. If unspecified, the same value as the backend's connection timeout
9014 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01009015 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009016
9017 See also : "timeout connect", "contimeout".
9018
9019
Willy Tarreauce887fd2012-05-12 12:50:00 +02009020timeout tunnel <timeout>
9021 Set the maximum inactivity time on the client and server side for tunnels.
9022 May be used in sections : defaults | frontend | listen | backend
9023 yes | no | yes | yes
9024 Arguments :
9025 <timeout> is the timeout value specified in milliseconds by default, but
9026 can be in any other unit if the number is suffixed by the unit,
9027 as explained at the top of this document.
9028
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009029 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +02009030 between a client and a server, and the connection remains inactive in both
9031 directions. This timeout supersedes both the client and server timeouts once
9032 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
9033 analyser remains attached to either connection (eg: tcp content rules are
9034 accepted). In HTTP, this timeout is used when a connection is upgraded (eg:
9035 when switching to the WebSocket protocol, or forwarding a CONNECT request
9036 to a proxy), or after the first response when no keepalive/close option is
9037 specified.
9038
Willy Tarreau05cdd962014-05-10 14:30:07 +02009039 Since this timeout is usually used in conjunction with long-lived connections,
9040 it usually is a good idea to also set "timeout client-fin" to handle the
9041 situation where a client suddenly disappears from the net and does not
9042 acknowledge a close, or sends a shutdown and does not acknowledge pending
9043 data anymore. This can happen in lossy networks where firewalls are present,
9044 and is detected by the presence of large amounts of sessions in a FIN_WAIT
9045 state.
9046
Willy Tarreauce887fd2012-05-12 12:50:00 +02009047 The value is specified in milliseconds by default, but can be in any other
9048 unit if the number is suffixed by the unit, as specified at the top of this
9049 document. Whatever the expected normal idle time, it is a good practice to
9050 cover at least one or several TCP packet losses by specifying timeouts that
9051 are slightly above multiples of 3 seconds (eg: 4 or 5 seconds minimum).
9052
9053 This parameter is specific to backends, but can be specified once for all in
9054 "defaults" sections. This is in fact one of the easiest solutions not to
9055 forget about it.
9056
9057 Example :
9058 defaults http
9059 option http-server-close
9060 timeout connect 5s
9061 timeout client 30s
Willy Tarreau05cdd962014-05-10 14:30:07 +02009062 timeout client-fin 30s
Willy Tarreauce887fd2012-05-12 12:50:00 +02009063 timeout server 30s
9064 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
9065
Willy Tarreau05cdd962014-05-10 14:30:07 +02009066 See also : "timeout client", "timeout client-fin", "timeout server".
Willy Tarreauce887fd2012-05-12 12:50:00 +02009067
9068
Willy Tarreau844e3c52008-01-11 16:28:18 +01009069transparent (deprecated)
9070 Enable client-side transparent proxying
9071 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01009072 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01009073 Arguments : none
9074
9075 This keyword was introduced in order to provide layer 7 persistence to layer
9076 3 load balancers. The idea is to use the OS's ability to redirect an incoming
9077 connection for a remote address to a local process (here HAProxy), and let
9078 this process know what address was initially requested. When this option is
9079 used, sessions without cookies will be forwarded to the original destination
9080 IP address of the incoming request (which should match that of another
9081 equipment), while requests with cookies will still be forwarded to the
9082 appropriate server.
9083
9084 The "transparent" keyword is deprecated, use "option transparent" instead.
9085
9086 Note that contrary to a common belief, this option does NOT make HAProxy
9087 present the client's IP to the server when establishing the connection.
9088
Willy Tarreau844e3c52008-01-11 16:28:18 +01009089 See also: "option transparent"
9090
William Lallemanda73203e2012-03-12 12:48:57 +01009091unique-id-format <string>
9092 Generate a unique ID for each request.
9093 May be used in sections : defaults | frontend | listen | backend
9094 yes | yes | yes | no
9095 Arguments :
9096 <string> is a log-format string.
9097
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009098 This keyword creates a ID for each request using the custom log format. A
9099 unique ID is useful to trace a request passing through many components of
9100 a complex infrastructure. The newly created ID may also be logged using the
9101 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +01009102
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009103 The format should be composed from elements that are guaranteed to be
9104 unique when combined together. For instance, if multiple haproxy instances
9105 are involved, it might be important to include the node name. It is often
9106 needed to log the incoming connection's source and destination addresses
9107 and ports. Note that since multiple requests may be performed over the same
9108 connection, including a request counter may help differentiate them.
9109 Similarly, a timestamp may protect against a rollover of the counter.
9110 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +01009111
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009112 It is recommended to use hexadecimal notation for many fields since it
9113 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +01009114
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009115 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01009116
Julien Vehentf21be322014-03-07 08:27:34 -05009117 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01009118
9119 will generate:
9120
9121 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
9122
9123 See also: "unique-id-header"
9124
9125unique-id-header <name>
9126 Add a unique ID header in the HTTP request.
9127 May be used in sections : defaults | frontend | listen | backend
9128 yes | yes | yes | no
9129 Arguments :
9130 <name> is the name of the header.
9131
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009132 Add a unique-id header in the HTTP request sent to the server, using the
9133 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +01009134
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009135 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01009136
Julien Vehentf21be322014-03-07 08:27:34 -05009137 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01009138 unique-id-header X-Unique-ID
9139
9140 will generate:
9141
9142 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
9143
9144 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +01009145
Willy Tarreauf51658d2014-04-23 01:21:56 +02009146use_backend <backend> [{if | unless} <condition>]
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02009147 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009148 May be used in sections : defaults | frontend | listen | backend
9149 no | yes | yes | no
9150 Arguments :
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01009151 <backend> is the name of a valid backend or "listen" section, or a
9152 "log-format" string resolving to a backend name.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009153
Willy Tarreauf51658d2014-04-23 01:21:56 +02009154 <condition> is a condition composed of ACLs, as described in section 7. If
9155 it is omitted, the rule is unconditionally applied.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009156
9157 When doing content-switching, connections arrive on a frontend and are then
9158 dispatched to various backends depending on a number of conditions. The
9159 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02009160 "use_backend" keyword. While it is normally used with HTTP processing, it can
9161 also be used in pure TCP, either without content using stateless ACLs (eg:
9162 source address validation) or combined with a "tcp-request" rule to wait for
9163 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009164
9165 There may be as many "use_backend" rules as desired. All of these rules are
9166 evaluated in their declaration order, and the first one which matches will
9167 assign the backend.
9168
9169 In the first form, the backend will be used if the condition is met. In the
9170 second form, the backend will be used if the condition is not met. If no
9171 condition is valid, the backend defined with "default_backend" will be used.
9172 If no default backend is defined, either the servers in the same section are
9173 used (in case of a "listen" section) or, in case of a frontend, no server is
9174 used and a 503 service unavailable response is returned.
9175
Willy Tarreau51aecc72009-07-12 09:47:04 +02009176 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009177 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02009178 and backend processing will immediately follow, or the backend will wait for
9179 a complete HTTP request to get in. This feature is useful when a frontend
9180 must decode several protocols on a unique port, one of them being HTTP.
9181
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01009182 When <backend> is a simple name, it is resolved at configuration time, and an
9183 error is reported if the specified backend does not exist. If <backend> is
9184 a log-format string instead, no check may be done at configuration time, so
9185 the backend name is resolved dynamically at run time. If the resulting
9186 backend name does not correspond to any valid backend, no other rule is
9187 evaluated, and the default_backend directive is applied instead. Note that
9188 when using dynamic backend names, it is highly recommended to use a prefix
9189 that no other backend uses in order to ensure that an unauthorized backend
9190 cannot be forced from the request.
9191
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009192 It is worth mentioning that "use_backend" rules with an explicit name are
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01009193 used to detect the association between frontends and backends to compute the
9194 backend's "fullconn" setting. This cannot be done for dynamic names.
9195
9196 See also: "default_backend", "tcp-request", "fullconn", "log-format", and
9197 section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01009198
Willy Tarreau036fae02008-01-06 13:24:40 +01009199
Willy Tarreau4a5cade2012-04-05 21:09:48 +02009200use-server <server> if <condition>
9201use-server <server> unless <condition>
9202 Only use a specific server if/unless an ACL-based condition is matched.
9203 May be used in sections : defaults | frontend | listen | backend
9204 no | no | yes | yes
9205 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009206 <server> is the name of a valid server in the same backend section.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02009207
9208 <condition> is a condition composed of ACLs, as described in section 7.
9209
9210 By default, connections which arrive to a backend are load-balanced across
9211 the available servers according to the configured algorithm, unless a
9212 persistence mechanism such as a cookie is used and found in the request.
9213
9214 Sometimes it is desirable to forward a particular request to a specific
9215 server without having to declare a dedicated backend for this server. This
9216 can be achieved using the "use-server" rules. These rules are evaluated after
9217 the "redirect" rules and before evaluating cookies, and they have precedence
9218 on them. There may be as many "use-server" rules as desired. All of these
9219 rules are evaluated in their declaration order, and the first one which
9220 matches will assign the server.
9221
9222 If a rule designates a server which is down, and "option persist" is not used
9223 and no force-persist rule was validated, it is ignored and evaluation goes on
9224 with the next rules until one matches.
9225
9226 In the first form, the server will be used if the condition is met. In the
9227 second form, the server will be used if the condition is not met. If no
9228 condition is valid, the processing continues and the server will be assigned
9229 according to other persistence mechanisms.
9230
9231 Note that even if a rule is matched, cookie processing is still performed but
9232 does not assign the server. This allows prefixed cookies to have their prefix
9233 stripped.
9234
9235 The "use-server" statement works both in HTTP and TCP mode. This makes it
9236 suitable for use with content-based inspection. For instance, a server could
9237 be selected in a farm according to the TLS SNI field. And if these servers
9238 have their weight set to zero, they will not be used for other traffic.
9239
9240 Example :
9241 # intercept incoming TLS requests based on the SNI field
9242 use-server www if { req_ssl_sni -i www.example.com }
9243 server www 192.168.0.1:443 weight 0
9244 use-server mail if { req_ssl_sni -i mail.example.com }
9245 server mail 192.168.0.1:587 weight 0
9246 use-server imap if { req_ssl_sni -i imap.example.com }
9247 server mail 192.168.0.1:993 weight 0
9248 # all the rest is forwarded to this server
9249 server default 192.168.0.2:443 check
9250
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009251 See also: "use_backend", section 5 about server and section 7 about ACLs.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02009252
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009253
92545. Bind and Server options
9255--------------------------
9256
9257The "bind", "server" and "default-server" keywords support a number of settings
9258depending on some build options and on the system HAProxy was built on. These
9259settings generally each consist in one word sometimes followed by a value,
9260written on the same line as the "bind" or "server" line. All these options are
9261described in this section.
9262
9263
92645.1. Bind options
9265-----------------
9266
9267The "bind" keyword supports a certain number of settings which are all passed
9268as arguments on the same line. The order in which those arguments appear makes
9269no importance, provided that they appear after the bind address. All of these
9270parameters are optional. Some of them consist in a single words (booleans),
9271while other ones expect a value after them. In this case, the value must be
9272provided immediately after the setting name.
9273
9274The currently supported settings are the following ones.
9275
9276accept-proxy
9277 Enforces the use of the PROXY protocol over any connection accepted by any of
Willy Tarreau77992672014-06-14 11:06:17 +02009278 the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
9279 are supported and correctly detected. The PROXY protocol dictates the layer
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009280 3/4 addresses of the incoming connection to be used everywhere an address is
9281 used, with the only exception of "tcp-request connection" rules which will
9282 only see the real connection address. Logs will reflect the addresses
9283 indicated in the protocol, unless it is violated, in which case the real
9284 address will still be used. This keyword combined with support from external
9285 components can be used as an efficient and reliable alternative to the
9286 X-Forwarded-For mechanism which is not always reliable and not even always
Willy Tarreau4f0d9192013-06-11 20:40:55 +02009287 usable. See also "tcp-request connection expect-proxy" for a finer-grained
9288 setting of which client is allowed to use the protocol.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009289
Willy Tarreauab861d32013-04-02 02:30:41 +02009290alpn <protocols>
9291 This enables the TLS ALPN extension and advertises the specified protocol
9292 list as supported on top of ALPN. The protocol list consists in a comma-
9293 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
9294 quotes). This requires that the SSL library is build with support for TLS
9295 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
9296 initial NPN extension.
9297
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009298backlog <backlog>
9299 Sets the socket's backlog to this value. If unspecified, the frontend's
9300 backlog is used instead, which generally defaults to the maxconn value.
9301
Emeric Brun7fb34422012-09-28 15:26:15 +02009302ecdhe <named curve>
9303 This setting is only available when support for OpenSSL was built in. It sets
Emeric Brun6924ef82013-03-06 14:08:53 +01009304 the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
9305 used named curve is prime256v1.
Emeric Brun7fb34422012-09-28 15:26:15 +02009306
Emeric Brunfd33a262012-10-11 16:28:27 +02009307ca-file <cafile>
Emeric Brun1a073b42012-09-28 17:07:34 +02009308 This setting is only available when support for OpenSSL was built in. It
9309 designates a PEM file from which to load CA certificates used to verify
9310 client's certificate.
9311
Emeric Brunb6dc9342012-09-28 17:55:37 +02009312ca-ignore-err [all|<errorID>,...]
9313 This setting is only available when support for OpenSSL was built in.
9314 Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
9315 If set to 'all', all errors are ignored. SSL handshake is not aborted if an
9316 error is ignored.
9317
Christopher Faulet31af49d2015-06-09 17:29:50 +02009318ca-sign-file <cafile>
9319 This setting is only available when support for OpenSSL was built in. It
9320 designates a PEM file containing both the CA certificate and the CA private
9321 key used to create and sign server's certificates. This is a mandatory
9322 setting when the dynamic generation of certificates is enabled. See
9323 'generate-certificates' for details.
9324
9325ca-sign-passphrase <passphrase>
9326 This setting is only available when support for OpenSSL was built in. It is
9327 the CA private key passphrase. This setting is optional and used only when
9328 the dynamic generation of certificates is enabled. See
9329 'generate-certificates' for details.
9330
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009331ciphers <ciphers>
9332 This setting is only available when support for OpenSSL was built in. It sets
9333 the string describing the list of cipher algorithms ("cipher suite") that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009334 negotiated during the SSL/TLS handshake. The format of the string is defined
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009335 in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
9336 such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
9337
Emeric Brunfd33a262012-10-11 16:28:27 +02009338crl-file <crlfile>
Emeric Brun1a073b42012-09-28 17:07:34 +02009339 This setting is only available when support for OpenSSL was built in. It
9340 designates a PEM file from which to load certificate revocation list used
9341 to verify client's certificate.
9342
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009343crt <cert>
Alex Davies0fbf0162013-03-02 16:04:50 +00009344 This setting is only available when support for OpenSSL was built in. It
9345 designates a PEM file containing both the required certificates and any
9346 associated private keys. This file can be built by concatenating multiple
9347 PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
9348 requires an intermediate certificate, this can also be concatenated into this
9349 file.
9350
9351 If the OpenSSL used supports Diffie-Hellman, parameters present in this file
9352 are loaded.
9353
9354 If a directory name is used instead of a PEM file, then all files found in
Cyril Bonté3180f7b2015-01-25 00:16:08 +01009355 that directory will be loaded in alphabetic order unless their name ends with
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +01009356 '.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be
9357 specified multiple times in order to load certificates from multiple files or
9358 directories. The certificates will be presented to clients who provide a
9359 valid TLS Server Name Indication field matching one of their CN or alt
9360 subjects. Wildcards are supported, where a wildcard character '*' is used
9361 instead of the first hostname component (eg: *.example.org matches
9362 www.example.org but not www.sub.example.org).
Alex Davies0fbf0162013-03-02 16:04:50 +00009363
9364 If no SNI is provided by the client or if the SSL library does not support
9365 TLS extensions, or if the client provides an SNI hostname which does not
9366 match any certificate, then the first loaded certificate will be presented.
9367 This means that when loading certificates from a directory, it is highly
Cyril Bonté3180f7b2015-01-25 00:16:08 +01009368 recommended to load the default one first as a file or to ensure that it will
9369 always be the first one in the directory.
Alex Davies0fbf0162013-03-02 16:04:50 +00009370
Emeric Brune032bfa2012-09-28 13:01:45 +02009371 Note that the same cert may be loaded multiple times without side effects.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009372
Alex Davies0fbf0162013-03-02 16:04:50 +00009373 Some CAs (such as Godaddy) offer a drop down list of server types that do not
9374 include HAProxy when obtaining a certificate. If this happens be sure to
Godbach8bf60a12014-04-21 21:42:41 +08009375 choose a webserver that the CA believes requires an intermediate CA (for
Alex Davies0fbf0162013-03-02 16:04:50 +00009376 Godaddy, selection Apache Tomcat will get the correct bundle, but many
9377 others, e.g. nginx, result in a wrong bundle that will not work for some
9378 clients).
9379
Emeric Brun4147b2e2014-06-16 18:36:30 +02009380 For each PEM file, haproxy checks for the presence of file at the same path
9381 suffixed by ".ocsp". If such file is found, support for the TLS Certificate
9382 Status Request extension (also known as "OCSP stapling") is automatically
9383 enabled. The content of this file is optional. If not empty, it must contain
9384 a valid OCSP Response in DER format. In order to be valid an OCSP Response
9385 must comply with the following rules: it has to indicate a good status,
9386 it has to be a single response for the certificate of the PEM file, and it
9387 has to be valid at the moment of addition. If these rules are not respected
9388 the OCSP Response is ignored and a warning is emitted. In order to identify
9389 which certificate an OCSP Response applies to, the issuer's certificate is
9390 necessary. If the issuer's certificate is not found in the PEM file, it will
9391 be loaded from a file at the same path as the PEM file suffixed by ".issuer"
9392 if it exists otherwise it will fail with an error.
9393
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +01009394 For each PEM file, haproxy also checks for the presence of file at the same
9395 path suffixed by ".sctl". If such file is found, support for Certificate
9396 Transparency (RFC6962) TLS extension is enabled. The file must contain a
9397 valid Signed Certificate Timestamp List, as described in RFC. File is parsed
9398 to check basic syntax, but no signatures are verified.
9399
Emeric Brunb6dc9342012-09-28 17:55:37 +02009400crt-ignore-err <errors>
Alex Davies0fbf0162013-03-02 16:04:50 +00009401 This setting is only available when support for OpenSSL was built in. Sets a
9402 comma separated list of errorIDs to ignore during verify at depth == 0. If
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009403 set to 'all', all errors are ignored. SSL handshake is not aborted if an error
Alex Davies0fbf0162013-03-02 16:04:50 +00009404 is ignored.
Emeric Brunb6dc9342012-09-28 17:55:37 +02009405
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01009406crt-list <file>
9407 This setting is only available when support for OpenSSL was built in. It
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02009408 designates a list of PEM file with an optional list of SNI filter per
9409 certificate, with the following format for each line :
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01009410
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02009411 <crtfile> [[!]<snifilter> ...]
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01009412
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02009413 Wildcards are supported in the SNI filter. Negative filter are also supported,
9414 only useful in combination with a wildcard filter to exclude a particular SNI.
9415 The certificates will be presented to clients who provide a valid TLS Server
9416 Name Indication field matching one of the SNI filters. If no SNI filter is
9417 specified, the CN and alt subjects are used. This directive may be specified
9418 multiple times. See the "crt" option for more information. The default
9419 certificate is still needed to meet OpenSSL expectations. If it is not used,
9420 the 'strict-sni' option may be used.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01009421
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009422defer-accept
9423 Is an optional keyword which is supported only on certain Linux kernels. It
9424 states that a connection will only be accepted once some data arrive on it,
9425 or at worst after the first retransmit. This should be used only on protocols
9426 for which the client talks first (eg: HTTP). It can slightly improve
9427 performance by ensuring that most of the request is already available when
9428 the connection is accepted. On the other hand, it will not be able to detect
9429 connections which don't talk. It is important to note that this option is
9430 broken in all kernels up to 2.6.31, as the connection is never accepted until
9431 the client talks. This can cause issues with front firewalls which would see
9432 an established connection while the proxy will only see it in SYN_RECV. This
9433 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
9434
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009435force-sslv3
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009436 This option enforces use of SSLv3 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009437 this listener. SSLv3 is generally less expensive than the TLS counterparts
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009438 for high connection rates. This option is also available on global statement
9439 "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009440
9441force-tlsv10
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009442 This option enforces use of TLSv1.0 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009443 this listener. This option is also available on global statement
9444 "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009445
9446force-tlsv11
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009447 This option enforces use of TLSv1.1 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009448 this listener. This option is also available on global statement
9449 "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009450
9451force-tlsv12
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009452 This option enforces use of TLSv1.2 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009453 this listener. This option is also available on global statement
9454 "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009455
Christopher Faulet31af49d2015-06-09 17:29:50 +02009456generate-certificates
9457 This setting is only available when support for OpenSSL was built in. It
9458 enables the dynamic SSL certificates generation. A CA certificate and its
9459 private key are necessary (see 'ca-sign-file'). When HAProxy is configured as
9460 a transparent forward proxy, SSL requests generate errors because of a common
9461 name mismatch on the certificate presented to the client. With this option
9462 enabled, HAProxy will try to forge a certificate using the SNI hostname
9463 indicated by the client. This is done only if no certificate matches the SNI
9464 hostname (see 'crt-list'). If an error occurs, the default certificate is
9465 used, else the 'strict-sni' option is set.
9466 It can also be used when HAProxy is configured as a reverse proxy to ease the
9467 deployment of an architecture with many backends.
9468
9469 Creating a SSL certificate is an expensive operation, so a LRU cache is used
9470 to store forged certificates (see 'tune.ssl.ssl-ctx-cache-size'). It
9471 increases the HAProxy's memroy footprint to reduce latency when the same
9472 certificate is used many times.
9473
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009474gid <gid>
9475 Sets the group of the UNIX sockets to the designated system gid. It can also
9476 be set by default in the global section's "unix-bind" statement. Note that
9477 some platforms simply ignore this. This setting is equivalent to the "group"
9478 setting except that the group ID is used instead of its name. This setting is
9479 ignored by non UNIX sockets.
9480
9481group <group>
9482 Sets the group of the UNIX sockets to the designated system group. It can
9483 also be set by default in the global section's "unix-bind" statement. Note
9484 that some platforms simply ignore this. This setting is equivalent to the
9485 "gid" setting except that the group name is used instead of its gid. This
9486 setting is ignored by non UNIX sockets.
9487
9488id <id>
9489 Fixes the socket ID. By default, socket IDs are automatically assigned, but
9490 sometimes it is more convenient to fix them to ease monitoring. This value
9491 must be strictly positive and unique within the listener/frontend. This
9492 option can only be used when defining only a single socket.
9493
9494interface <interface>
Lukas Tribusfce2e962013-02-12 22:13:19 +01009495 Restricts the socket to a specific interface. When specified, only packets
9496 received from that particular interface are processed by the socket. This is
9497 currently only supported on Linux. The interface must be a primary system
9498 interface, not an aliased interface. It is also possible to bind multiple
9499 frontends to the same address if they are bound to different interfaces. Note
9500 that binding to a network interface requires root privileges. This parameter
9501 is only compatible with TCPv4/TCPv6 sockets.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009502
Willy Tarreauabb175f2012-09-24 12:43:26 +02009503level <level>
9504 This setting is used with the stats sockets only to restrict the nature of
9505 the commands that can be issued on the socket. It is ignored by other
9506 sockets. <level> can be one of :
9507 - "user" is the least privileged level ; only non-sensitive stats can be
9508 read, and no change is allowed. It would make sense on systems where it
9509 is not easy to restrict access to the socket.
9510 - "operator" is the default level and fits most common uses. All data can
9511 be read, and only non-sensitive changes are permitted (eg: clear max
9512 counters).
9513 - "admin" should be used with care, as everything is permitted (eg: clear
9514 all counters).
9515
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009516maxconn <maxconn>
9517 Limits the sockets to this number of concurrent connections. Extraneous
9518 connections will remain in the system's backlog until a connection is
9519 released. If unspecified, the limit will be the same as the frontend's
9520 maxconn. Note that in case of port ranges or multiple addresses, the same
9521 value will be applied to each socket. This setting enables different
9522 limitations on expensive sockets, for instance SSL entries which may easily
9523 eat all memory.
9524
9525mode <mode>
9526 Sets the octal mode used to define access permissions on the UNIX socket. It
9527 can also be set by default in the global section's "unix-bind" statement.
9528 Note that some platforms simply ignore this. This setting is ignored by non
9529 UNIX sockets.
9530
9531mss <maxseg>
9532 Sets the TCP Maximum Segment Size (MSS) value to be advertised on incoming
9533 connections. This can be used to force a lower MSS for certain specific
9534 ports, for instance for connections passing through a VPN. Note that this
9535 relies on a kernel feature which is theoretically supported under Linux but
9536 was buggy in all versions prior to 2.6.28. It may or may not work on other
9537 operating systems. It may also not change the advertised value but change the
9538 effective size of outgoing segments. The commonly advertised value for TCPv4
9539 over Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
9540 positive, it will be used as the advertised MSS. If it is negative, it will
9541 indicate by how much to reduce the incoming connection's advertised MSS for
9542 outgoing segments. This parameter is only compatible with TCP v4/v6 sockets.
9543
9544name <name>
9545 Sets an optional name for these sockets, which will be reported on the stats
9546 page.
9547
9548nice <nice>
9549 Sets the 'niceness' of connections initiated from the socket. Value must be
9550 in the range -1024..1024 inclusive, and defaults to zero. Positive values
9551 means that such connections are more friendly to others and easily offer
9552 their place in the scheduler. On the opposite, negative values mean that
9553 connections want to run with a higher priority than others. The difference
9554 only happens under high loads when the system is close to saturation.
9555 Negative values are appropriate for low-latency or administration services,
9556 and high values are generally recommended for CPU intensive tasks such as SSL
9557 processing or bulk transfers which are less sensible to latency. For example,
9558 it may make sense to use a positive value for an SMTP socket and a negative
9559 one for an RDP socket.
9560
Emeric Brun9b3009b2012-10-05 11:55:06 +02009561no-sslv3
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009562 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009563 disables support for SSLv3 on any sockets instantiated from the listener when
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009564 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009565 be enabled using any configuration option. This option is also available on
9566 global statement "ssl-default-bind-options". See also "force-tls*",
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009567 and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009568
Emeric Brun90ad8722012-10-02 14:00:59 +02009569no-tls-tickets
9570 This setting is only available when support for OpenSSL was built in. It
9571 disables the stateless session resumption (RFC 5077 TLS Ticket
9572 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009573 session resumption is more expensive in CPU usage. This option is also
9574 available on global statement "ssl-default-bind-options".
Emeric Brun90ad8722012-10-02 14:00:59 +02009575
Emeric Brun9b3009b2012-10-05 11:55:06 +02009576no-tlsv10
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009577 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009578 disables support for TLSv1.0 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009579 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009580 cannot be enabled using any configuration option. This option is also
9581 available on global statement "ssl-default-bind-options". See also
9582 "force-tlsv*", and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009583
Emeric Brun9b3009b2012-10-05 11:55:06 +02009584no-tlsv11
Emeric Brunf5da4932012-09-28 19:42:54 +02009585 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009586 disables support for TLSv1.1 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009587 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009588 cannot be enabled using any configuration option. This option is also
9589 available on global statement "ssl-default-bind-options". See also
9590 "force-tlsv*", and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02009591
Emeric Brun9b3009b2012-10-05 11:55:06 +02009592no-tlsv12
Emeric Brunf5da4932012-09-28 19:42:54 +02009593 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009594 disables support for TLSv1.2 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02009595 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009596 cannot be enabled using any configuration option. This option is also
9597 available on global statement "ssl-default-bind-options". See also
9598 "force-tlsv*", and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02009599
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02009600npn <protocols>
9601 This enables the NPN TLS extension and advertises the specified protocol list
9602 as supported on top of NPN. The protocol list consists in a comma-delimited
9603 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
9604 This requires that the SSL library is build with support for TLS extensions
Willy Tarreauab861d32013-04-02 02:30:41 +02009605 enabled (check with haproxy -vv). Note that the NPN extension has been
9606 replaced with the ALPN extension (see the "alpn" keyword).
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02009607
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02009608process [ all | odd | even | <number 1-64>[-<number 1-64>] ]
9609 This restricts the list of processes on which this listener is allowed to
9610 run. It does not enforce any process but eliminates those which do not match.
9611 If the frontend uses a "bind-process" setting, the intersection between the
9612 two is applied. If in the end the listener is not allowed to run on any
9613 remaining process, a warning is emitted, and the listener will either run on
9614 the first process of the listener if a single process was specified, or on
9615 all of its processes if multiple processes were specified. For the unlikely
Willy Tarreauae302532014-05-07 19:22:24 +02009616 case where several ranges are needed, this directive may be repeated. The
9617 main purpose of this directive is to be used with the stats sockets and have
9618 one different socket per process. The second purpose is to have multiple bind
9619 lines sharing the same IP:port but not the same process in a listener, so
9620 that the system can distribute the incoming connections into multiple queues
9621 and allow a smoother inter-process load balancing. Currently Linux 3.9 and
9622 above is known for supporting this. See also "bind-process" and "nbproc".
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02009623
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009624ssl
9625 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009626 enables SSL deciphering on connections instantiated from this listener. A
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009627 certificate is necessary (see "crt" above). All contents in the buffers will
9628 appear in clear text, so that ACLs and HTTP processing will only have access
9629 to deciphered contents.
9630
Emmanuel Hocdet65623372013-01-24 17:17:15 +01009631strict-sni
9632 This setting is only available when support for OpenSSL was built in. The
9633 SSL/TLS negotiation is allow only if the client provided an SNI which match
9634 a certificate. The default certificate is not used.
9635 See the "crt" option for more information.
9636
Willy Tarreau2af207a2015-02-04 00:45:58 +01009637tcp-ut <delay>
9638 Sets the TCP User Timeout for all incoming connections instanciated from this
9639 listening socket. This option is available on Linux since version 2.6.37. It
9640 allows haproxy to configure a timeout for sockets which contain data not
9641 receiving an acknoledgement for the configured delay. This is especially
9642 useful on long-lived connections experiencing long idle periods such as
9643 remote terminals or database connection pools, where the client and server
9644 timeouts must remain high to allow a long period of idle, but where it is
9645 important to detect that the client has disappeared in order to release all
9646 resources associated with its connection (and the server's session). The
9647 argument is a delay expressed in milliseconds by default. This only works
9648 for regular TCP connections, and is ignored for other protocols.
9649
Willy Tarreau1c862c52012-10-05 16:21:00 +02009650tfo
Lukas Tribus0defb902013-02-13 23:35:39 +01009651 Is an optional keyword which is supported only on Linux kernels >= 3.7. It
Willy Tarreau1c862c52012-10-05 16:21:00 +02009652 enables TCP Fast Open on the listening socket, which means that clients which
9653 support this feature will be able to send a request and receive a response
9654 during the 3-way handshake starting from second connection, thus saving one
9655 round-trip after the first connection. This only makes sense with protocols
9656 that use high connection rates and where each round trip matters. This can
9657 possibly cause issues with many firewalls which do not accept data on SYN
9658 packets, so this option should only be enabled once well tested. This option
Lukas Tribus0999f762013-04-02 16:43:24 +02009659 is only supported on TCPv4/TCPv6 sockets and ignored by other ones. You may
9660 need to build HAProxy with USE_TFO=1 if your libc doesn't define
9661 TCP_FASTOPEN.
Willy Tarreau1c862c52012-10-05 16:21:00 +02009662
Nenad Merdanovic188ad3e2015-02-27 19:56:50 +01009663tls-ticket-keys <keyfile>
9664 Sets the TLS ticket keys file to load the keys from. The keys need to be 48
9665 bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of keys
9666 is specified by the TLS_TICKETS_NO build option (default 3) and at least as
9667 many keys need to be present in the file. Last TLS_TICKETS_NO keys will be
9668 used for decryption and the penultimate one for encryption. This enables easy
9669 key rotation by just appending new key to the file and reloading the process.
9670 Keys must be periodically rotated (ex. every 12h) or Perfect Forward Secrecy
9671 is compromised. It is also a good idea to keep the keys off any permanent
9672 storage such as hard drives (hint: use tmpfs and don't swap those files).
9673 Lifetime hint can be changed using tune.ssl.timeout.
9674
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009675transparent
9676 Is an optional keyword which is supported only on certain Linux kernels. It
9677 indicates that the addresses will be bound even if they do not belong to the
9678 local machine, and that packets targeting any of these addresses will be
9679 intercepted just as if the addresses were locally configured. This normally
9680 requires that IP forwarding is enabled. Caution! do not use this with the
9681 default address '*', as it would redirect any traffic for the specified port.
9682 This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1.
9683 This parameter is only compatible with TCPv4 and TCPv6 sockets, depending on
9684 kernel version. Some distribution kernels include backports of the feature,
9685 so check for support with your vendor.
9686
Willy Tarreau77e3af92012-11-24 15:07:23 +01009687v4v6
9688 Is an optional keyword which is supported only on most recent systems
9689 including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
9690 and IPv6 when it uses the default address. Doing so is sometimes necessary
9691 on systems which bind to IPv6 only by default. It has no effect on non-IPv6
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009692 sockets, and is overridden by the "v6only" option.
Willy Tarreau77e3af92012-11-24 15:07:23 +01009693
Willy Tarreau9b6700f2012-11-24 11:55:28 +01009694v6only
9695 Is an optional keyword which is supported only on most recent systems
9696 including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
9697 when it uses the default address. Doing so is sometimes preferred to doing it
Willy Tarreau77e3af92012-11-24 15:07:23 +01009698 system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
9699 has precedence over the "v4v6" option.
Willy Tarreau9b6700f2012-11-24 11:55:28 +01009700
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009701uid <uid>
9702 Sets the owner of the UNIX sockets to the designated system uid. It can also
9703 be set by default in the global section's "unix-bind" statement. Note that
9704 some platforms simply ignore this. This setting is equivalent to the "user"
9705 setting except that the user numeric ID is used instead of its name. This
9706 setting is ignored by non UNIX sockets.
9707
9708user <user>
9709 Sets the owner of the UNIX sockets to the designated system user. It can also
9710 be set by default in the global section's "unix-bind" statement. Note that
9711 some platforms simply ignore this. This setting is equivalent to the "uid"
9712 setting except that the user name is used instead of its uid. This setting is
9713 ignored by non UNIX sockets.
9714
Emeric Brun1a073b42012-09-28 17:07:34 +02009715verify [none|optional|required]
9716 This setting is only available when support for OpenSSL was built in. If set
9717 to 'none', client certificate is not requested. This is the default. In other
9718 cases, a client certificate is requested. If the client does not provide a
9719 certificate after the request and if 'verify' is set to 'required', then the
9720 handshake is aborted, while it would have succeeded if set to 'optional'. The
Emeric Brunfd33a262012-10-11 16:28:27 +02009721 certificate provided by the client is always verified using CAs from
9722 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
9723 is aborted, regardless of the 'verify' option, unless the error code exactly
9724 matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02009725
Willy Tarreaub6205fd2012-09-24 12:27:33 +020097265.2. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01009727------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02009728
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01009729The "server" and "default-server" keywords support a certain number of settings
9730which are all passed as arguments on the server line. The order in which those
9731arguments appear does not count, and they are all optional. Some of those
9732settings are single words (booleans) while others expect one or several values
9733after them. In this case, the values must immediately follow the setting name.
9734Except default-server, all those settings must be specified after the server's
9735address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02009736
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009737 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01009738 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02009739
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009740The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01009741
Willy Tarreauceb4ac92012-04-28 00:41:46 +02009742addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009743 Using the "addr" parameter, it becomes possible to use a different IP address
9744 to send health-checks. On some servers, it may be desirable to dedicate an IP
9745 address to specific component able to perform complex tests which are more
9746 suitable to health-checks than the application. This parameter is ignored if
9747 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009748
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009749 Supported in default-server: No
9750
Simon Hormand60d6912013-11-25 10:46:36 +09009751agent-check
9752 Enable an auxiliary agent check which is run independently of a regular
Willy Tarreau81f5d942013-12-09 20:51:51 +01009753 health check. An agent health check is performed by making a TCP connection
9754 to the port set by the "agent-port" parameter and reading an ASCII string.
9755 The string is made of a series of words delimited by spaces, tabs or commas
9756 in any order, optionally terminated by '\r' and/or '\n', each consisting of :
Simon Hormand60d6912013-11-25 10:46:36 +09009757
Willy Tarreau81f5d942013-12-09 20:51:51 +01009758 - An ASCII representation of a positive integer percentage, e.g. "75%".
Simon Hormand60d6912013-11-25 10:46:36 +09009759 Values in this format will set the weight proportional to the initial
Willy Tarreauc5af3a62014-10-07 15:27:33 +02009760 weight of a server as configured when haproxy starts. Note that a zero
9761 weight is reported on the stats page as "DRAIN" since it has the same
9762 effect on the server (it's removed from the LB farm).
Simon Hormand60d6912013-11-25 10:46:36 +09009763
Willy Tarreau81f5d942013-12-09 20:51:51 +01009764 - The word "ready". This will turn the server's administrative state to the
9765 READY mode, thus cancelling any DRAIN or MAINT state
Simon Hormand60d6912013-11-25 10:46:36 +09009766
Willy Tarreau81f5d942013-12-09 20:51:51 +01009767 - The word "drain". This will turn the server's administrative state to the
9768 DRAIN mode, thus it will not accept any new connections other than those
9769 that are accepted via persistence.
Simon Hormand60d6912013-11-25 10:46:36 +09009770
Willy Tarreau81f5d942013-12-09 20:51:51 +01009771 - The word "maint". This will turn the server's administrative state to the
9772 MAINT mode, thus it will not accept any new connections at all, and health
9773 checks will be stopped.
Simon Hormand60d6912013-11-25 10:46:36 +09009774
Willy Tarreau81f5d942013-12-09 20:51:51 +01009775 - The words "down", "failed", or "stopped", optionally followed by a
9776 description string after a sharp ('#'). All of these mark the server's
9777 operating state as DOWN, but since the word itself is reported on the stats
9778 page, the difference allows an administrator to know if the situation was
9779 expected or not : the service may intentionally be stopped, may appear up
9780 but fail some validity tests, or may be seen as down (eg: missing process,
9781 or port not responding).
Simon Hormand60d6912013-11-25 10:46:36 +09009782
Willy Tarreau81f5d942013-12-09 20:51:51 +01009783 - The word "up" sets back the server's operating state as UP if health checks
9784 also report that the service is accessible.
Simon Hormand60d6912013-11-25 10:46:36 +09009785
Willy Tarreau81f5d942013-12-09 20:51:51 +01009786 Parameters which are not advertised by the agent are not changed. For
9787 example, an agent might be designed to monitor CPU usage and only report a
9788 relative weight and never interact with the operating status. Similarly, an
9789 agent could be designed as an end-user interface with 3 radio buttons
9790 allowing an administrator to change only the administrative state. However,
9791 it is important to consider that only the agent may revert its own actions,
9792 so if a server is set to DRAIN mode or to DOWN state using the agent, the
9793 agent must implement the other equivalent actions to bring the service into
9794 operations again.
Simon Hormand60d6912013-11-25 10:46:36 +09009795
Simon Horman2f1f9552013-11-25 10:46:37 +09009796 Failure to connect to the agent is not considered an error as connectivity
9797 is tested by the regular health check which is enabled by the "check"
Willy Tarreau81f5d942013-12-09 20:51:51 +01009798 parameter. Warning though, it is not a good idea to stop an agent after it
9799 reports "down", since only an agent reporting "up" will be able to turn the
9800 server up again. Note that the CLI on the Unix stats socket is also able to
9801 force an agent's result in order to workaround a bogus agent if needed.
Simon Horman2f1f9552013-11-25 10:46:37 +09009802
Willy Tarreau81f5d942013-12-09 20:51:51 +01009803 Requires the "agent-port" parameter to be set. See also the "agent-inter"
9804 parameter.
Simon Hormand60d6912013-11-25 10:46:36 +09009805
9806 Supported in default-server: No
9807
9808agent-inter <delay>
9809 The "agent-inter" parameter sets the interval between two agent checks
9810 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
9811
9812 Just as with every other time-based parameter, it may be entered in any
9813 other explicit unit among { us, ms, s, m, h, d }. The "agent-inter"
9814 parameter also serves as a timeout for agent checks "timeout check" is
9815 not set. In order to reduce "resonance" effects when multiple servers are
9816 hosted on the same hardware, the agent and health checks of all servers
9817 are started with a small time offset between them. It is also possible to
9818 add some random noise in the agent and health checks interval using the
9819 global "spread-checks" keyword. This makes sense for instance when a lot
9820 of backends use the same servers.
9821
9822 See also the "agent-check" and "agent-port" parameters.
9823
9824 Supported in default-server: Yes
9825
9826agent-port <port>
9827 The "agent-port" parameter sets the TCP port used for agent checks.
9828
9829 See also the "agent-check" and "agent-inter" parameters.
9830
9831 Supported in default-server: Yes
9832
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009833backup
9834 When "backup" is present on a server line, the server is only used in load
9835 balancing when all other non-backup servers are unavailable. Requests coming
9836 with a persistence cookie referencing the server will always be served
9837 though. By default, only the first operational backup server is used, unless
9838 the "allbackups" option is set in the backend. See also the "allbackups"
9839 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009840
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009841 Supported in default-server: No
9842
Emeric Brunef42d922012-10-11 16:11:36 +02009843ca-file <cafile>
9844 This setting is only available when support for OpenSSL was built in. It
9845 designates a PEM file from which to load CA certificates used to verify
9846 server's certificate.
9847
9848 Supported in default-server: No
9849
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009850check
9851 This option enables health checks on the server. By default, a server is
Patrick Mézardb7aeec62012-01-22 16:01:22 +01009852 always considered available. If "check" is set, the server is available when
9853 accepting periodic TCP connections, to ensure that it is really able to serve
9854 requests. The default address and port to send the tests to are those of the
9855 server, and the default source is the same as the one defined in the
9856 backend. It is possible to change the address using the "addr" parameter, the
9857 port using the "port" parameter, the source address using the "source"
9858 address, and the interval and timers using the "inter", "rise" and "fall"
Simon Hormanafc47ee2013-11-25 10:46:35 +09009859 parameters. The request method is define in the backend using the "httpchk",
9860 "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
9861 refer to those options and parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009862
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009863 Supported in default-server: No
9864
Willy Tarreau6c16adc2012-10-05 00:04:16 +02009865check-send-proxy
9866 This option forces emission of a PROXY protocol line with outgoing health
9867 checks, regardless of whether the server uses send-proxy or not for the
9868 normal traffic. By default, the PROXY protocol is enabled for health checks
9869 if it is already enabled for normal traffic and if no "port" nor "addr"
9870 directive is present. However, if such a directive is present, the
9871 "check-send-proxy" option needs to be used to force the use of the
9872 protocol. See also the "send-proxy" option for more information.
9873
9874 Supported in default-server: No
9875
Willy Tarreau763a95b2012-10-04 23:15:39 +02009876check-ssl
9877 This option forces encryption of all health checks over SSL, regardless of
9878 whether the server uses SSL or not for the normal traffic. This is generally
9879 used when an explicit "port" or "addr" directive is specified and SSL health
9880 checks are not inherited. It is important to understand that this option
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009881 inserts an SSL transport layer below the checks, so that a simple TCP connect
Willy Tarreau763a95b2012-10-04 23:15:39 +02009882 check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
9883 common use is to send HTTPS checks by combining "httpchk" with SSL checks.
9884 All SSL settings are common to health checks and traffic (eg: ciphers).
9885 See the "ssl" option for more information.
9886
9887 Supported in default-server: No
9888
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009889ciphers <ciphers>
9890 This option sets the string describing the list of cipher algorithms that is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009891 is negotiated during the SSL/TLS handshake with the server. The format of the
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009892 string is defined in "man 1 ciphers". When SSL is used to communicate with
9893 servers on the local network, it is common to see a weaker set of algorithms
9894 than what is used over the internet. Doing so reduces CPU usage on both the
9895 server and haproxy while still keeping it compatible with deployed software.
9896 Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
9897 is needed and just connectivity, using DES can be appropriate.
9898
Willy Tarreau763a95b2012-10-04 23:15:39 +02009899 Supported in default-server: No
9900
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009901cookie <value>
9902 The "cookie" parameter sets the cookie value assigned to the server to
9903 <value>. This value will be checked in incoming requests, and the first
9904 operational server possessing the same value will be selected. In return, in
9905 cookie insertion or rewrite modes, this value will be assigned to the cookie
9906 sent to the client. There is nothing wrong in having several servers sharing
9907 the same cookie value, and it is in fact somewhat common between normal and
9908 backup servers. See also the "cookie" keyword in backend section.
9909
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009910 Supported in default-server: No
9911
Emeric Brunef42d922012-10-11 16:11:36 +02009912crl-file <crlfile>
9913 This setting is only available when support for OpenSSL was built in. It
9914 designates a PEM file from which to load certificate revocation list used
9915 to verify server's certificate.
9916
9917 Supported in default-server: No
9918
Emeric Bruna7aa3092012-10-26 12:58:00 +02009919crt <cert>
9920 This setting is only available when support for OpenSSL was built in.
9921 It designates a PEM file from which to load both a certificate and the
9922 associated private key. This file can be built by concatenating both PEM
9923 files into one. This certificate will be sent if the server send a client
9924 certificate request.
9925
9926 Supported in default-server: No
9927
Willy Tarreau96839092010-03-29 10:02:24 +02009928disabled
9929 The "disabled" keyword starts the server in the "disabled" state. That means
9930 that it is marked down in maintenance mode, and no connection other than the
9931 ones allowed by persist mode will reach it. It is very well suited to setup
9932 new servers, because normal traffic will never reach them, while it is still
9933 possible to test the service by making use of the force-persist mechanism.
9934
9935 Supported in default-server: No
9936
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009937error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01009938 If health observing is enabled, the "error-limit" parameter specifies the
9939 number of consecutive errors that triggers event selected by the "on-error"
9940 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009941
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009942 Supported in default-server: Yes
9943
9944 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009945
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009946fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009947 The "fall" parameter states that a server will be considered as dead after
9948 <count> consecutive unsuccessful health checks. This value defaults to 3 if
9949 unspecified. See also the "check", "inter" and "rise" parameters.
9950
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009951 Supported in default-server: Yes
9952
Emeric Brun8694b9a2012-10-05 14:39:07 +02009953force-sslv3
9954 This option enforces use of SSLv3 only when SSL is used to communicate with
9955 the server. SSLv3 is generally less expensive than the TLS counterparts for
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009956 high connection rates. This option is also available on global statement
9957 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009958
9959 Supported in default-server: No
9960
9961force-tlsv10
9962 This option enforces use of TLSv1.0 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009963 the server. This option is also available on global statement
9964 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009965
9966 Supported in default-server: No
9967
9968force-tlsv11
9969 This option enforces use of TLSv1.1 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009970 the server. This option is also available on global statement
9971 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009972
9973 Supported in default-server: No
9974
9975force-tlsv12
9976 This option enforces use of TLSv1.2 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009977 the server. This option is also available on global statement
9978 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009979
9980 Supported in default-server: No
9981
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009982id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02009983 Set a persistent ID for the server. This ID must be positive and unique for
9984 the proxy. An unused ID will automatically be assigned if unset. The first
9985 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009986
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009987 Supported in default-server: No
9988
9989inter <delay>
9990fastinter <delay>
9991downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009992 The "inter" parameter sets the interval between two consecutive health checks
9993 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
9994 It is also possible to use "fastinter" and "downinter" to optimize delays
9995 between checks depending on the server state :
9996
Pieter Baauw44fc9df2015-09-17 21:30:46 +02009997 Server state | Interval used
9998 ----------------------------------------+----------------------------------
9999 UP 100% (non-transitional) | "inter"
10000 ----------------------------------------+----------------------------------
10001 Transitionally UP (going down "fall"), | "fastinter" if set,
10002 Transitionally DOWN (going up "rise"), | "inter" otherwise.
10003 or yet unchecked. |
10004 ----------------------------------------+----------------------------------
10005 DOWN 100% (non-transitional) | "downinter" if set,
10006 | "inter" otherwise.
10007 ----------------------------------------+----------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +010010008
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010009 Just as with every other time-based parameter, they can be entered in any
10010 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
10011 serves as a timeout for health checks sent to servers if "timeout check" is
10012 not set. In order to reduce "resonance" effects when multiple servers are
Simon Hormand60d6912013-11-25 10:46:36 +090010013 hosted on the same hardware, the agent and health checks of all servers
10014 are started with a small time offset between them. It is also possible to
10015 add some random noise in the agent and health checks interval using the
10016 global "spread-checks" keyword. This makes sense for instance when a lot
10017 of backends use the same servers.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010018
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010019 Supported in default-server: Yes
10020
10021maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010022 The "maxconn" parameter specifies the maximal number of concurrent
10023 connections that will be sent to this server. If the number of incoming
10024 concurrent requests goes higher than this value, they will be queued, waiting
10025 for a connection to be released. This parameter is very important as it can
10026 save fragile servers from going down under extreme loads. If a "minconn"
10027 parameter is specified, the limit becomes dynamic. The default value is "0"
10028 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
10029 the backend's "fullconn" keyword.
10030
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010031 Supported in default-server: Yes
10032
10033maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010034 The "maxqueue" parameter specifies the maximal number of connections which
10035 will wait in the queue for this server. If this limit is reached, next
10036 requests will be redispatched to other servers instead of indefinitely
10037 waiting to be served. This will break persistence but may allow people to
10038 quickly re-log in when the server they try to connect to is dying. The
10039 default value is "0" which means the queue is unlimited. See also the
10040 "maxconn" and "minconn" parameters.
10041
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010042 Supported in default-server: Yes
10043
10044minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010045 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
10046 limit following the backend's load. The server will always accept at least
10047 <minconn> connections, never more than <maxconn>, and the limit will be on
10048 the ramp between both values when the backend has less than <fullconn>
10049 concurrent connections. This makes it possible to limit the load on the
10050 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010051 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010052 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010010053
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010054 Supported in default-server: Yes
10055
Willy Tarreau2a3fb1c2015-02-05 16:47:07 +010010056no-ssl-reuse
10057 This option disables SSL session reuse when SSL is used to communicate with
10058 the server. It will force the server to perform a full handshake for every
10059 new connection. It's probably only useful for benchmarking, troubleshooting,
10060 and for paranoid users.
10061
10062 Supported in default-server: No
10063
Emeric Brun9b3009b2012-10-05 11:55:06 +020010064no-sslv3
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020010065 This option disables support for SSLv3 when SSL is used to communicate with
10066 the server. Note that SSLv2 is disabled in the code and cannot be enabled
Emeric Brun8694b9a2012-10-05 14:39:07 +020010067 using any configuration option. See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020010068
Willy Tarreau763a95b2012-10-04 23:15:39 +020010069 Supported in default-server: No
10070
Emeric Brunf9c5c472012-10-11 15:28:34 +020010071no-tls-tickets
10072 This setting is only available when support for OpenSSL was built in. It
10073 disables the stateless session resumption (RFC 5077 TLS Ticket
10074 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +010010075 session resumption is more expensive in CPU usage for servers. This option
10076 is also available on global statement "ssl-default-server-options".
Emeric Brunf9c5c472012-10-11 15:28:34 +020010077
10078 Supported in default-server: No
10079
Emeric Brun9b3009b2012-10-05 11:55:06 +020010080no-tlsv10
Emeric Brun8694b9a2012-10-05 14:39:07 +020010081 This option disables support for TLSv1.0 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +020010082 the server. Note that SSLv2 is disabled in the code and cannot be enabled
10083 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010010084 often makes sense to disable it when communicating with local servers. This
10085 option is also available on global statement "ssl-default-server-options".
10086 See also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +020010087
Willy Tarreau763a95b2012-10-04 23:15:39 +020010088 Supported in default-server: No
10089
Emeric Brun9b3009b2012-10-05 11:55:06 +020010090no-tlsv11
Emeric Brun8694b9a2012-10-05 14:39:07 +020010091 This option disables support for TLSv1.1 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +020010092 the server. Note that SSLv2 is disabled in the code and cannot be enabled
10093 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010010094 often makes sense to disable it when communicating with local servers. This
10095 option is also available on global statement "ssl-default-server-options".
10096 See also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +020010097
Willy Tarreau763a95b2012-10-04 23:15:39 +020010098 Supported in default-server: No
10099
Emeric Brun9b3009b2012-10-05 11:55:06 +020010100no-tlsv12
Emeric Brun8694b9a2012-10-05 14:39:07 +020010101 This option disables support for TLSv1.2 when SSL is used to communicate with
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020010102 the server. Note that SSLv2 is disabled in the code and cannot be enabled
10103 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010010104 often makes sense to disable it when communicating with local servers. This
10105 option is also available on global statement "ssl-default-server-options".
10106 See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020010107
Willy Tarreau763a95b2012-10-04 23:15:39 +020010108 Supported in default-server: No
10109
Simon Hormanfa461682011-06-25 09:39:49 +090010110non-stick
10111 Never add connections allocated to this sever to a stick-table.
10112 This may be used in conjunction with backup to ensure that
10113 stick-table persistence is disabled for backup servers.
10114
Willy Tarreau763a95b2012-10-04 23:15:39 +020010115 Supported in default-server: No
10116
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010010117observe <mode>
10118 This option enables health adjusting based on observing communication with
10119 the server. By default this functionality is disabled and enabling it also
10120 requires to enable health checks. There are two supported modes: "layer4" and
10121 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
10122 significant. In layer7, which is only allowed for http proxies, responses
10123 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +010010124 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010010125
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010126 Supported in default-server: No
10127
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010010128 See also the "check", "on-error" and "error-limit".
10129
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010130on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010010131 Select what should happen when enough consecutive errors are detected.
10132 Currently, four modes are available:
10133 - fastinter: force fastinter
10134 - fail-check: simulate a failed check, also forces fastinter (default)
10135 - sudden-death: simulate a pre-fatal failed health check, one more failed
10136 check will mark a server down, forces fastinter
10137 - mark-down: mark the server immediately down and force fastinter
10138
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010139 Supported in default-server: Yes
10140
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010010141 See also the "check", "observe" and "error-limit".
10142
Simon Hormane0d1bfb2011-06-21 14:34:58 +090010143on-marked-down <action>
10144 Modify what occurs when a server is marked down.
10145 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070010146 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
10147 all connections to the server are immediately terminated when the server
10148 goes down. It might be used if the health check detects more complex cases
10149 than a simple connection status, and long timeouts would cause the service
10150 to remain unresponsive for too long a time. For instance, a health check
10151 might detect that a database is stuck and that there's no chance to reuse
10152 existing connections anymore. Connections killed this way are logged with
10153 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +090010154
10155 Actions are disabled by default
10156
10157 Supported in default-server: Yes
10158
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070010159on-marked-up <action>
10160 Modify what occurs when a server is marked up.
10161 Currently one action is available:
10162 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
10163 done only if the server is not in backup state and if it is not disabled
10164 (it must have an effective weight > 0). This can be used sometimes to force
10165 an active server to take all the traffic back after recovery when dealing
10166 with long sessions (eg: LDAP, SQL, ...). Doing this can cause more trouble
10167 than it tries to solve (eg: incomplete transactions), so use this feature
10168 with extreme care. Sessions killed because a server comes up are logged
10169 with an 'U' termination code (for "Up").
10170
10171 Actions are disabled by default
10172
10173 Supported in default-server: Yes
10174
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010175port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010176 Using the "port" parameter, it becomes possible to use a different port to
10177 send health-checks. On some servers, it may be desirable to dedicate a port
10178 to a specific component able to perform complex tests which are more suitable
10179 to health-checks than the application. It is common to run a simple script in
10180 inetd for instance. This parameter is ignored if the "check" parameter is not
10181 set. See also the "addr" parameter.
10182
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010183 Supported in default-server: Yes
10184
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010185redir <prefix>
10186 The "redir" parameter enables the redirection mode for all GET and HEAD
10187 requests addressing this server. This means that instead of having HAProxy
10188 forward the request to the server, it will send an "HTTP 302" response with
10189 the "Location" header composed of this prefix immediately followed by the
10190 requested URI beginning at the leading '/' of the path component. That means
10191 that no trailing slash should be used after <prefix>. All invalid requests
10192 will be rejected, and all non-GET or HEAD requests will be normally served by
10193 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010194 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010195 requests are still analysed, making this solution completely usable to direct
10196 users to a remote location in case of local disaster. Main use consists in
10197 increasing bandwidth for static servers by having the clients directly
10198 connect to them. Note: never use a relative location here, it would cause a
10199 loop between the client and HAProxy!
10200
10201 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
10202
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010203 Supported in default-server: No
10204
10205rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010206 The "rise" parameter states that a server will be considered as operational
10207 after <count> consecutive successful health checks. This value defaults to 2
10208 if unspecified. See also the "check", "inter" and "fall" parameters.
10209
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010210 Supported in default-server: Yes
10211
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010212resolve-prefer <family>
10213 When DNS resolution is enabled for a server and multiple IP addresses from
10214 different families are returned, HAProxy will prefer using an IP address
10215 from the family mentioned in the "resolve-prefer" parameter.
10216 Available families: "ipv4" and "ipv6"
10217
Baptiste Assmannc4aabae2015-08-04 22:43:06 +020010218 Default value: ipv6
10219
10220 Supported in default-server: Yes
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010221
10222 Example: server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6
10223
10224resolvers <id>
10225 Points to an existing "resolvers" section to resolve current server's
10226 hostname.
Baptiste Assmann62b75b42015-09-09 01:11:36 +020010227 In order to be operational, DNS resolution requires that health check is
10228 enabled on the server. Actually, health checks triggers the DNS resolution.
10229 You must precise one 'resolvers' parameter on each server line where DNS
10230 resolution is required.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010231
Baptiste Assmann62b75b42015-09-09 01:11:36 +020010232 Supported in default-server: No
10233
10234 Example: server s1 app1.domain.com:80 check resolvers mydns
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010235
10236 See also chapter 5.3
10237
Willy Tarreau5ab04ec2011-03-20 10:32:26 +010010238send-proxy
10239 The "send-proxy" parameter enforces use of the PROXY protocol over any
10240 connection established to this server. The PROXY protocol informs the other
10241 end about the layer 3/4 addresses of the incoming connection, so that it can
10242 know the client's address or the public address it accessed to, whatever the
10243 upper layer protocol. For connections accepted by an "accept-proxy" listener,
10244 the advertised address will be used. Only TCPv4 and TCPv6 address families
10245 are supported. Other families such as Unix sockets, will report an UNKNOWN
10246 family. Servers using this option can fully be chained to another instance of
10247 haproxy listening with an "accept-proxy" setting. This setting must not be
Willy Tarreau6c16adc2012-10-05 00:04:16 +020010248 used if the server isn't aware of the protocol. When health checks are sent
10249 to the server, the PROXY protocol is automatically used when this option is
10250 set, unless there is an explicit "port" or "addr" directive, in which case an
10251 explicit "check-send-proxy" directive would also be needed to use the PROXY
10252 protocol. See also the "accept-proxy" option of the "bind" keyword.
Willy Tarreau5ab04ec2011-03-20 10:32:26 +010010253
10254 Supported in default-server: No
10255
David Safb76832014-05-08 23:42:08 -040010256send-proxy-v2
10257 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2
10258 over any connection established to this server. The PROXY protocol informs
10259 the other end about the layer 3/4 addresses of the incoming connection, so
10260 that it can know the client's address or the public address it accessed to,
10261 whatever the upper layer protocol. This setting must not be used if the
10262 server isn't aware of this version of the protocol. See also the "send-proxy"
10263 option of the "bind" keyword.
10264
10265 Supported in default-server: No
10266
10267send-proxy-v2-ssl
10268 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
10269 2 over any connection established to this server. The PROXY protocol informs
10270 the other end about the layer 3/4 addresses of the incoming connection, so
10271 that it can know the client's address or the public address it accessed to,
10272 whatever the upper layer protocol. In addition, the SSL information extension
10273 of the PROXY protocol is added to the PROXY protocol header. This setting
10274 must not be used if the server isn't aware of this version of the protocol.
10275 See also the "send-proxy-v2" option of the "bind" keyword.
10276
10277 Supported in default-server: No
10278
10279send-proxy-v2-ssl-cn
10280 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
10281 2 over any connection established to this server. The PROXY protocol informs
10282 the other end about the layer 3/4 addresses of the incoming connection, so
10283 that it can know the client's address or the public address it accessed to,
10284 whatever the upper layer protocol. In addition, the SSL information extension
10285 of the PROXY protocol, along along with the Common Name from the subject of
10286 the client certificate (if any), is added to the PROXY protocol header. This
10287 setting must not be used if the server isn't aware of this version of the
10288 protocol. See also the "send-proxy-v2" option of the "bind" keyword.
10289
10290 Supported in default-server: No
10291
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010292slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010293 The "slowstart" parameter for a server accepts a value in milliseconds which
10294 indicates after how long a server which has just come back up will run at
10295 full speed. Just as with every other time-based parameter, it can be entered
10296 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
10297 linearly from 0 to 100% during this time. The limitation applies to two
10298 parameters :
10299
10300 - maxconn: the number of connections accepted by the server will grow from 1
10301 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
10302
10303 - weight: when the backend uses a dynamic weighted algorithm, the weight
10304 grows linearly from 1 to 100%. In this case, the weight is updated at every
10305 health-check. For this reason, it is important that the "inter" parameter
10306 is smaller than the "slowstart", in order to maximize the number of steps.
10307
10308 The slowstart never applies when haproxy starts, otherwise it would cause
10309 trouble to running servers. It only applies when a server has been previously
10310 seen as failed.
10311
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010312 Supported in default-server: Yes
10313
Willy Tarreau732eac42015-07-09 11:40:25 +020010314sni <expression>
10315 The "sni" parameter evaluates the sample fetch expression, converts it to a
10316 string and uses the result as the host name sent in the SNI TLS extension to
10317 the server. A typical use case is to send the SNI received from the client in
10318 a bridged HTTPS scenario, using the "ssl_fc_sni" sample fetch for the
10319 expression, though alternatives such as req.hdr(host) can also make sense.
10320
10321 Supported in default-server: no
10322
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020010323source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +020010324source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020010325source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010326 The "source" parameter sets the source address which will be used when
10327 connecting to the server. It follows the exact same parameters and principle
10328 as the backend "source" keyword, except that it only applies to the server
10329 referencing it. Please consult the "source" keyword for details.
10330
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020010331 Additionally, the "source" statement on a server line allows one to specify a
10332 source port range by indicating the lower and higher bounds delimited by a
10333 dash ('-'). Some operating systems might require a valid IP address when a
10334 source port range is specified. It is permitted to have the same IP/range for
10335 several servers. Doing so makes it possible to bypass the maximum of 64k
10336 total concurrent connections. The limit will then reach 64k connections per
10337 server.
10338
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010339 Supported in default-server: No
10340
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020010341ssl
Willy Tarreau44f65392013-06-25 07:56:20 +020010342 This option enables SSL ciphering on outgoing connections to the server. It
10343 is critical to verify server certificates using "verify" when using SSL to
10344 connect to servers, otherwise the communication is prone to trivial man in
10345 the-middle attacks rendering SSL useless. When this option is used, health
10346 checks are automatically sent in SSL too unless there is a "port" or an
10347 "addr" directive indicating the check should be sent to a different location.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010348 See the "check-ssl" option to force SSL health checks.
Willy Tarreau763a95b2012-10-04 23:15:39 +020010349
10350 Supported in default-server: No
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020010351
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010352track [<proxy>/]<server>
Willy Tarreau32091232014-05-16 13:52:00 +020010353 This option enables ability to set the current state of the server by tracking
10354 another one. It is possible to track a server which itself tracks another
10355 server, provided that at the end of the chain, a server has health checks
10356 enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010357 used, it has to be enabled on both proxies.
10358
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010359 Supported in default-server: No
10360
Emeric Brunef42d922012-10-11 16:11:36 +020010361verify [none|required]
10362 This setting is only available when support for OpenSSL was built in. If set
Emeric Brun850efd52014-01-29 12:24:34 +010010363 to 'none', server certificate is not verified. In the other case, The
10364 certificate provided by the server is verified using CAs from 'ca-file'
10365 and optional CRLs from 'crl-file'. If 'ssl_server_verify' is not specified
10366 in global section, this is the default. On verify failure the handshake
Willy Tarreau44f65392013-06-25 07:56:20 +020010367 is aborted. It is critically important to verify server certificates when
10368 using SSL to connect to servers, otherwise the communication is prone to
10369 trivial man-in-the-middle attacks rendering SSL totally useless.
Emeric Brunef42d922012-10-11 16:11:36 +020010370
10371 Supported in default-server: No
10372
Evan Broderbe554312013-06-27 00:05:25 -070010373verifyhost <hostname>
10374 This setting is only available when support for OpenSSL was built in, and
10375 only takes effect if 'verify required' is also specified. When set, the
10376 hostnames in the subject and subjectAlternateNames of the certificate
10377 provided by the server are checked. If none of the hostnames in the
10378 certificate match the specified hostname, the handshake is aborted. The
10379 hostnames in the server-provided certificate may include wildcards.
10380
10381 Supported in default-server: No
10382
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010383weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010384 The "weight" parameter is used to adjust the server's weight relative to
10385 other servers. All servers will receive a load proportional to their weight
10386 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +020010387 load. The default weight is 1, and the maximal value is 256. A value of 0
10388 means the server will not participate in load-balancing but will still accept
10389 persistent connections. If this parameter is used to distribute the load
10390 according to server's capacity, it is recommended to start with values which
10391 can both grow and shrink, for instance between 10 and 100 to leave enough
10392 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010393
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010010394 Supported in default-server: Yes
10395
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010396
Cyril Bonté46175dd2015-07-02 22:45:32 +0200103975.3. Server IP address resolution using DNS
10398-------------------------------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010399
Baptiste Assmann62b75b42015-09-09 01:11:36 +020010400HAProxy allows using a host name on the server line to retrieve its IP address
10401using name servers. By default, HAProxy resolves the name when parsing the
10402configuration file, at startup and cache the result for the process' life.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010403This is not sufficient in some cases, such as in Amazon where a server's IP
10404can change after a reboot or an ELB Virtual IP can change based on current
10405workload.
10406This chapter describes how HAProxy can be configured to process server's name
10407resolution at run time.
10408Whether run time server name resolution has been enable or not, HAProxy will
10409carry on doing the first resolution when parsing the configuration.
10410
Baptiste Assmann62b75b42015-09-09 01:11:36 +020010411Bear in mind that DNS resolution is triggered by health checks. This makes
10412health checks mandatory to allow DNS resolution.
10413
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010414
Cyril Bonté46175dd2015-07-02 22:45:32 +0200104155.3.1. Global overview
10416----------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010417
10418As we've seen in introduction, name resolution in HAProxy occurs at two
10419different steps of the process life:
10420
10421 1. when starting up, HAProxy parses the server line definition and matches a
10422 host name. It uses libc functions to get the host name resolved. This
10423 resolution relies on /etc/resolv.conf file.
10424
10425 2. at run time, when HAProxy gets prepared to run a health check on a server,
10426 it verifies if the current name resolution is still considered as valid.
10427 If not, it processes a new resolution, in parallel of the health check.
10428
10429A few other events can trigger a name resolution at run time:
10430 - when a server's health check ends up in a connection timeout: this may be
10431 because the server has a new IP address. So we need to trigger a name
10432 resolution to know this new IP.
10433
10434A few things important to notice:
10435 - all the name servers are queried in the mean time. HAProxy will process the
10436 first valid response.
10437
10438 - a resolution is considered as invalid (NX, timeout, refused), when all the
10439 servers return an error.
10440
10441
Cyril Bonté46175dd2015-07-02 22:45:32 +0200104425.3.2. The resolvers section
10443----------------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010444
10445This section is dedicated to host information related to name resolution in
10446HAProxy.
10447There can be as many as resolvers section as needed. Each section can contain
10448many name servers.
10449
Baptiste Assmann62b75b42015-09-09 01:11:36 +020010450When multiple name servers are configured in a resolvers section, then HAProxy
10451uses the first valid response. In case of invalid responses, only the last one
10452is treated. Purpose is to give the chance to a slow server to deliver a valid
10453answer after a fast faulty or outdated server.
10454
10455When each server returns a different error type, then only the last error is
10456used by HAProxy to decide what type of behavior to apply.
10457
10458Two types of behavior can be applied:
10459 1. stop DNS resolution
10460 2. replay the DNS query with a new query type
10461 In such case, the following types are applied in this exact order:
10462 1. ANY query type
10463 2. query type corresponding to family pointed by resolve-prefer
10464 server's parameter
10465 3. remaining family type
10466
10467HAProxy stops DNS resolution when the following errors occur:
10468 - invalid DNS response packet
10469 - wrong name in the query section of the response
10470 - NX domain
10471 - Query refused by server
10472 - CNAME not pointing to an IP address
10473
10474HAProxy tries a new query type when the following errors occur:
10475 - no Answer records in the response
10476 - DNS response truncated
10477 - Error in DNS response
10478 - No expected DNS records found in the response
10479 - name server timeout
10480
10481For example, with 2 name servers configured in a resolvers section:
10482 - first response is valid and is applied directly, second response is ignored
10483 - first response is invalid and second one is valid, then second response is
10484 applied;
10485 - first response is a NX domain and second one a truncated response, then
10486 HAProxy replays the query with a new type;
10487 - first response is truncated and second one is a NX Domain, then HAProxy
10488 stops resolution.
10489
10490
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010491resolvers <resolvers id>
10492 Creates a new name server list labelled <resolvers id>
10493
10494A resolvers section accept the following parameters:
10495
10496nameserver <id> <ip>:<port>
10497 DNS server description:
10498 <id> : label of the server, should be unique
10499 <ip> : IP address of the server
10500 <port> : port where the DNS service actually runs
10501
10502hold <status> <period>
10503 Defines <period> during which the last name resolution should be kept based
10504 on last resolution <status>
10505 <status> : last name resolution status. Only "valid" is accepted for now.
10506 <period> : interval between two successive name resolution when the last
10507 answer was in <status>. It follows the HAProxy time format.
10508 <period> is in milliseconds by default.
10509
10510 Default value is 10s for "valid".
10511
10512 Note: since the name resolution is triggered by the health checks, a new
10513 resolution is triggered after <period> modulo the <inter> parameter of
10514 the healch check.
10515
10516resolve_retries <nb>
10517 Defines the number <nb> of queries to send to resolve a server name before
10518 giving up.
10519 Default value: 3
10520
Baptiste Assmann62b75b42015-09-09 01:11:36 +020010521 A retry occurs on name server timeout or when the full sequence of DNS query
10522 type failover is over and we need to start up from the default ANY query
10523 type.
10524
Baptiste Assmann1fa66662015-04-14 00:28:47 +020010525timeout <event> <time>
10526 Defines timeouts related to name resolution
10527 <event> : the event on which the <time> timeout period applies to.
10528 events available are:
10529 - retry: time between two DNS queries, when no response have
10530 been received.
10531 Default value: 1s
10532 <time> : time related to the event. It follows the HAProxy time format.
10533 <time> is expressed in milliseconds.
10534
10535Example of a resolvers section (with default values):
10536
10537 resolvers mydns
10538 nameserver dns1 10.0.0.1:53
10539 nameserver dns2 10.0.0.2:53
10540 resolve_retries 3
10541 timeout retry 1s
10542 hold valid 10s
10543
10544
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200105456. HTTP header manipulation
10546---------------------------
10547
10548In HTTP mode, it is possible to rewrite, add or delete some of the request and
10549response headers based on regular expressions. It is also possible to block a
10550request or a response if a particular header matches a regular expression,
10551which is enough to stop most elementary protocol attacks, and to protect
Willy Tarreau70dffda2014-01-30 03:07:23 +010010552against information leak from the internal network.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010553
Willy Tarreau70dffda2014-01-30 03:07:23 +010010554If HAProxy encounters an "Informational Response" (status code 1xx), it is able
10555to process all rsp* rules which can allow, deny, rewrite or delete a header,
10556but it will refuse to add a header to any such messages as this is not
10557HTTP-compliant. The reason for still processing headers in such responses is to
10558stop and/or fix any possible information leak which may happen, for instance
10559because another downstream equipment would unconditionally add a header, or if
10560a server name appears there. When such messages are seen, normal processing
10561still occurs on the next non-informational messages.
Willy Tarreau816b9792009-09-15 21:25:21 +020010562
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010563This section covers common usage of the following keywords, described in detail
10564in section 4.2 :
10565
10566 - reqadd <string>
10567 - reqallow <search>
10568 - reqiallow <search>
10569 - reqdel <search>
10570 - reqidel <search>
10571 - reqdeny <search>
10572 - reqideny <search>
10573 - reqpass <search>
10574 - reqipass <search>
10575 - reqrep <search> <replace>
10576 - reqirep <search> <replace>
10577 - reqtarpit <search>
10578 - reqitarpit <search>
10579 - rspadd <string>
10580 - rspdel <search>
10581 - rspidel <search>
10582 - rspdeny <search>
10583 - rspideny <search>
10584 - rsprep <search> <replace>
10585 - rspirep <search> <replace>
10586
10587With all these keywords, the same conventions are used. The <search> parameter
10588is a POSIX extended regular expression (regex) which supports grouping through
10589parenthesis (without the backslash). Spaces and other delimiters must be
10590prefixed with a backslash ('\') to avoid confusion with a field delimiter.
10591Other characters may be prefixed with a backslash to change their meaning :
10592
10593 \t for a tab
10594 \r for a carriage return (CR)
10595 \n for a new line (LF)
10596 \ to mark a space and differentiate it from a delimiter
10597 \# to mark a sharp and differentiate it from a comment
10598 \\ to use a backslash in a regex
10599 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
10600 \xXX to write the ASCII hex code XX as in the C language
10601
10602The <replace> parameter contains the string to be used to replace the largest
10603portion of text matching the regex. It can make use of the special characters
10604above, and can reference a substring which is delimited by parenthesis in the
10605regex, by writing a backslash ('\') immediately followed by one digit from 0 to
106069 indicating the group position (0 designating the entire line). This practice
10607is very common to users of the "sed" program.
10608
10609The <string> parameter represents the string which will systematically be added
10610after the last header line. It can also use special character sequences above.
10611
10612Notes related to these keywords :
10613---------------------------------
10614 - these keywords are not always convenient to allow/deny based on header
10615 contents. It is strongly recommended to use ACLs with the "block" keyword
10616 instead, resulting in far more flexible and manageable rules.
10617
10618 - lines are always considered as a whole. It is not possible to reference
10619 a header name only or a value only. This is important because of the way
10620 headers are written (notably the number of spaces after the colon).
10621
10622 - the first line is always considered as a header, which makes it possible to
10623 rewrite or filter HTTP requests URIs or response codes, but in turn makes
10624 it harder to distinguish between headers and request line. The regex prefix
10625 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
10626 ^[^ \t:]*: matches any header name followed by a colon.
10627
10628 - for performances reasons, the number of characters added to a request or to
10629 a response is limited at build time to values between 1 and 4 kB. This
10630 should normally be far more than enough for most usages. If it is too short
10631 on occasional usages, it is possible to gain some space by removing some
10632 useless headers before adding new ones.
10633
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010634 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010635 without the 'i' letter except that they ignore case when matching patterns.
10636
10637 - when a request passes through a frontend then a backend, all req* rules
10638 from the frontend will be evaluated, then all req* rules from the backend
10639 will be evaluated. The reverse path is applied to responses.
10640
10641 - req* statements are applied after "block" statements, so that "block" is
10642 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +010010643 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010644
10645
Willy Tarreau74ca5042013-06-11 23:12:07 +0200106467. Using ACLs and fetching samples
10647----------------------------------
10648
10649Haproxy is capable of extracting data from request or response streams, from
10650client or server information, from tables, environmental information etc...
10651The action of extracting such data is called fetching a sample. Once retrieved,
10652these samples may be used for various purposes such as a key to a stick-table,
10653but most common usages consist in matching them against predefined constant
10654data called patterns.
10655
10656
106577.1. ACL basics
10658---------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010659
10660The use of Access Control Lists (ACL) provides a flexible solution to perform
10661content switching and generally to take decisions based on content extracted
10662from the request, the response or any environmental status. The principle is
10663simple :
10664
Willy Tarreau74ca5042013-06-11 23:12:07 +020010665 - extract a data sample from a stream, table or the environment
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010666 - optionally apply some format conversion to the extracted sample
Willy Tarreau74ca5042013-06-11 23:12:07 +020010667 - apply one or multiple pattern matching methods on this sample
10668 - perform actions only when a pattern matches the sample
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010669
Willy Tarreau74ca5042013-06-11 23:12:07 +020010670The actions generally consist in blocking a request, selecting a backend, or
10671adding a header.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010672
10673In order to define a test, the "acl" keyword is used. The syntax is :
10674
Willy Tarreau74ca5042013-06-11 23:12:07 +020010675 acl <aclname> <criterion> [flags] [operator] [<value>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010676
10677This creates a new ACL <aclname> or completes an existing one with new tests.
10678Those tests apply to the portion of request/response specified in <criterion>
10679and may be adjusted with optional flags [flags]. Some criteria also support
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010680an operator which may be specified before the set of values. Optionally some
10681conversion operators may be applied to the sample, and they will be specified
10682as a comma-delimited list of keywords just after the first keyword. The values
10683are of the type supported by the criterion, and are separated by spaces.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010684
10685ACL names must be formed from upper and lower case letters, digits, '-' (dash),
10686'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
10687which means that "my_acl" and "My_Acl" are two different ACLs.
10688
10689There is no enforced limit to the number of ACLs. The unused ones do not affect
10690performance, they just consume a small amount of memory.
10691
Willy Tarreau74ca5042013-06-11 23:12:07 +020010692The criterion generally is the name of a sample fetch method, or one of its ACL
10693specific declinations. The default test method is implied by the output type of
10694this sample fetch method. The ACL declinations can describe alternate matching
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010695methods of a same sample fetch method. The sample fetch methods are the only
10696ones supporting a conversion.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010697
10698Sample fetch methods return data which can be of the following types :
10699 - boolean
10700 - integer (signed or unsigned)
10701 - IPv4 or IPv6 address
10702 - string
10703 - data block
10704
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010705Converters transform any of these data into any of these. For example, some
10706converters might convert a string to a lower-case string while other ones
10707would turn a string to an IPv4 address, or apply a netmask to an IP address.
10708The resulting sample is of the type of the last converter applied to the list,
10709which defaults to the type of the sample fetch method.
10710
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010711Each sample or converter returns data of a specific type, specified with its
10712keyword in this documentation. When an ACL is declared using a standard sample
10713fetch method, certain types automatically involved a default matching method
10714which are summarized in the table below :
10715
10716 +---------------------+-----------------+
10717 | Sample or converter | Default |
10718 | output type | matching method |
10719 +---------------------+-----------------+
10720 | boolean | bool |
10721 +---------------------+-----------------+
10722 | integer | int |
10723 +---------------------+-----------------+
10724 | ip | ip |
10725 +---------------------+-----------------+
10726 | string | str |
10727 +---------------------+-----------------+
10728 | binary | none, use "-m" |
10729 +---------------------+-----------------+
10730
10731Note that in order to match a binary samples, it is mandatory to specify a
10732matching method, see below.
10733
Willy Tarreau74ca5042013-06-11 23:12:07 +020010734The ACL engine can match these types against patterns of the following types :
10735 - boolean
10736 - integer or integer range
10737 - IP address / network
10738 - string (exact, substring, suffix, prefix, subdir, domain)
10739 - regular expression
10740 - hex block
10741
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010742The following ACL flags are currently supported :
10743
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010744 -i : ignore case during matching of all subsequent patterns.
10745 -f : load patterns from a file.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010746 -m : use a specific pattern matching method
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010010747 -n : forbid the DNS resolutions
Thierry FOURNIER9860c412014-01-29 14:23:29 +010010748 -M : load the file pointed by -f like a map file.
Thierry FOURNIER3534d882014-01-20 17:01:44 +010010749 -u : force the unique id of the ACL
Willy Tarreau6a06a402007-07-15 20:15:28 +020010750 -- : force end of flags. Useful when a string looks like one of the flags.
10751
Willy Tarreau74ca5042013-06-11 23:12:07 +020010752The "-f" flag is followed by the name of a file from which all lines will be
10753read as individual values. It is even possible to pass multiple "-f" arguments
10754if the patterns are to be loaded from multiple files. Empty lines as well as
10755lines beginning with a sharp ('#') will be ignored. All leading spaces and tabs
10756will be stripped. If it is absolutely necessary to insert a valid pattern
10757beginning with a sharp, just prefix it with a space so that it is not taken for
10758a comment. Depending on the data type and match method, haproxy may load the
10759lines into a binary tree, allowing very fast lookups. This is true for IPv4 and
10760exact string matching. In this case, duplicates will automatically be removed.
10761
Thierry FOURNIER9860c412014-01-29 14:23:29 +010010762The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
10763parsed as two column file. The first column contains the patterns used by the
10764ACL, and the second column contain the samples. The sample can be used later by
10765a map. This can be useful in some rare cases where an ACL would just be used to
10766check for the existence of a pattern in a map before a mapping is applied.
10767
Thierry FOURNIER3534d882014-01-20 17:01:44 +010010768The "-u" flag forces the unique id of the ACL. This unique id is used with the
10769socket interface to identify ACL and dynamically change its values. Note that a
10770file is always identified by its name even if an id is set.
10771
Willy Tarreau74ca5042013-06-11 23:12:07 +020010772Also, note that the "-i" flag applies to subsequent entries and not to entries
10773loaded from files preceding it. For instance :
10774
10775 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
10776
10777In this example, each line of "exact-ua.lst" will be exactly matched against
10778the "user-agent" header of the request. Then each line of "generic-ua" will be
10779case-insensitively matched. Then the word "test" will be insensitively matched
10780as well.
10781
10782The "-m" flag is used to select a specific pattern matching method on the input
10783sample. All ACL-specific criteria imply a pattern matching method and generally
10784do not need this flag. However, this flag is useful with generic sample fetch
10785methods to describe how they're going to be matched against the patterns. This
10786is required for sample fetches which return data type for which there is no
10787obvious matching method (eg: string or binary). When "-m" is specified and
10788followed by a pattern matching method name, this method is used instead of the
10789default one for the criterion. This makes it possible to match contents in ways
10790that were not initially planned, or with sample fetch methods which return a
10791string. The matching method also affects the way the patterns are parsed.
10792
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010010793The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
10794By default, if the parser cannot parse ip address it considers that the parsed
10795string is maybe a domain name and try dns resolution. The flag "-n" disable this
10796resolution. It is useful for detecting malformed ip lists. Note that if the DNS
10797server is not reachable, the haproxy configuration parsing may last many minutes
10798waiting fir the timeout. During this time no error messages are displayed. The
10799flag "-n" disable this behavior. Note also that during the runtime, this
10800function is disabled for the dynamic acl modifications.
10801
Willy Tarreau74ca5042013-06-11 23:12:07 +020010802There are some restrictions however. Not all methods can be used with all
10803sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
10804be placed first. The pattern matching method must be one of the following :
Willy Tarreau5adeda12013-03-31 22:13:34 +020010805
10806 - "found" : only check if the requested sample could be found in the stream,
10807 but do not compare it against any pattern. It is recommended not
Willy Tarreau74ca5042013-06-11 23:12:07 +020010808 to pass any pattern to avoid confusion. This matching method is
10809 particularly useful to detect presence of certain contents such
10810 as headers, cookies, etc... even if they are empty and without
10811 comparing them to anything nor counting them.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010812
10813 - "bool" : check the value as a boolean. It can only be applied to fetches
10814 which return a boolean or integer value, and takes no pattern.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010815 Value zero or false does not match, all other values do match.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010816
10817 - "int" : match the value as an integer. It can be used with integer and
Willy Tarreau74ca5042013-06-11 23:12:07 +020010818 boolean samples. Boolean false is integer 0, true is integer 1.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010819
10820 - "ip" : match the value as an IPv4 or IPv6 address. It is compatible
Willy Tarreau74ca5042013-06-11 23:12:07 +020010821 with IP address samples only, so it is implied and never needed.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010822
10823 - "bin" : match the contents against an hexadecimal string representing a
10824 binary sequence. This may be used with binary or string samples.
10825
10826 - "len" : match the sample's length as an integer. This may be used with
10827 binary or string samples.
10828
Willy Tarreau74ca5042013-06-11 23:12:07 +020010829 - "str" : exact match : match the contents against a string. This may be
10830 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010831
Willy Tarreau74ca5042013-06-11 23:12:07 +020010832 - "sub" : substring match : check that the contents contain at least one of
10833 the provided string patterns. This may be used with binary or
10834 string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010835
Willy Tarreau74ca5042013-06-11 23:12:07 +020010836 - "reg" : regex match : match the contents against a list of regular
10837 expressions. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010838
Willy Tarreau74ca5042013-06-11 23:12:07 +020010839 - "beg" : prefix match : check that the contents begin like the provided
10840 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010841
Willy Tarreau74ca5042013-06-11 23:12:07 +020010842 - "end" : suffix match : check that the contents end like the provided
10843 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010844
Willy Tarreau74ca5042013-06-11 23:12:07 +020010845 - "dir" : subdir match : check that a slash-delimited portion of the
10846 contents exactly matches one of the provided string patterns.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010847 This may be used with binary or string samples.
10848
Willy Tarreau74ca5042013-06-11 23:12:07 +020010849 - "dom" : domain match : check that a dot-delimited portion of the contents
10850 exactly match one of the provided string patterns. This may be
10851 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010852
10853For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
10854request, it is possible to do :
10855
10856 acl jsess_present cook(JSESSIONID) -m found
10857
10858In order to apply a regular expression on the 500 first bytes of data in the
10859buffer, one would use the following acl :
10860
10861 acl script_tag payload(0,500) -m reg -i <script>
10862
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010863On systems where the regex library is much slower when using "-i", it is
10864possible to convert the sample to lowercase before matching, like this :
10865
10866 acl script_tag payload(0,500),lower -m reg <script>
10867
Willy Tarreau74ca5042013-06-11 23:12:07 +020010868All ACL-specific criteria imply a default matching method. Most often, these
10869criteria are composed by concatenating the name of the original sample fetch
10870method and the matching method. For example, "hdr_beg" applies the "beg" match
10871to samples retrieved using the "hdr" fetch method. Since all ACL-specific
10872criteria rely on a sample fetch method, it is always possible instead to use
10873the original sample fetch method and the explicit matching method using "-m".
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010874
Willy Tarreau74ca5042013-06-11 23:12:07 +020010875If an alternate match is specified using "-m" on an ACL-specific criterion,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010876the matching method is simply applied to the underlying sample fetch method.
10877For example, all ACLs below are exact equivalent :
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010878
Willy Tarreau74ca5042013-06-11 23:12:07 +020010879 acl short_form hdr_beg(host) www.
10880 acl alternate1 hdr_beg(host) -m beg www.
10881 acl alternate2 hdr_dom(host) -m beg www.
10882 acl alternate3 hdr(host) -m beg www.
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010883
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010884
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010885The table below summarizes the compatibility matrix between sample or converter
10886types and the pattern types to fetch against. It indicates for each compatible
10887combination the name of the matching method to be used, surrounded with angle
10888brackets ">" and "<" when the method is the default one and will work by
10889default without "-m".
Willy Tarreau0ba27502007-12-24 16:55:16 +010010890
Willy Tarreau74ca5042013-06-11 23:12:07 +020010891 +-------------------------------------------------+
10892 | Input sample type |
10893 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010894 | pattern type | boolean | integer | ip | string | binary |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010895 +----------------------+---------+---------+---------+---------+---------+
10896 | none (presence only) | found | found | found | found | found |
10897 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010898 | none (boolean value) |> bool <| bool | | bool | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010899 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010900 | integer (value) | int |> int <| int | int | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010901 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010902 | integer (length) | len | len | len | len | len |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010903 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010904 | IP address | | |> ip <| ip | ip |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010905 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010906 | exact string | str | str | str |> str <| str |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010907 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010908 | prefix | beg | beg | beg | beg | beg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010909 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010910 | suffix | end | end | end | end | end |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010911 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010912 | substring | sub | sub | sub | sub | sub |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010913 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010914 | subdir | dir | dir | dir | dir | dir |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010915 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010916 | domain | dom | dom | dom | dom | dom |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010917 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010918 | regex | reg | reg | reg | reg | reg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010919 +----------------------+---------+---------+---------+---------+---------+
10920 | hex block | | | | bin | bin |
10921 +----------------------+---------+---------+---------+---------+---------+
Willy Tarreau6a06a402007-07-15 20:15:28 +020010922
10923
Willy Tarreau74ca5042013-06-11 23:12:07 +0200109247.1.1. Matching booleans
10925------------------------
10926
10927In order to match a boolean, no value is needed and all values are ignored.
10928Boolean matching is used by default for all fetch methods of type "boolean".
10929When boolean matching is used, the fetched value is returned as-is, which means
10930that a boolean "true" will always match and a boolean "false" will never match.
10931
10932Boolean matching may also be enforced using "-m bool" on fetch methods which
10933return an integer value. Then, integer value 0 is converted to the boolean
10934"false" and all other values are converted to "true".
10935
Willy Tarreau6a06a402007-07-15 20:15:28 +020010936
Willy Tarreau74ca5042013-06-11 23:12:07 +0200109377.1.2. Matching integers
10938------------------------
10939
10940Integer matching applies by default to integer fetch methods. It can also be
10941enforced on boolean fetches using "-m int". In this case, "false" is converted
10942to the integer 0, and "true" is converted to the integer 1.
10943
10944Integer matching also supports integer ranges and operators. Note that integer
10945matching only applies to positive values. A range is a value expressed with a
10946lower and an upper bound separated with a colon, both of which may be omitted.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010947
10948For instance, "1024:65535" is a valid range to represent a range of
10949unprivileged ports, and "1024:" would also work. "0:1023" is a valid
10950representation of privileged ports, and ":1023" would also work.
10951
Willy Tarreau62644772008-07-16 18:36:06 +020010952As a special case, some ACL functions support decimal numbers which are in fact
10953two integers separated by a dot. This is used with some version checks for
10954instance. All integer properties apply to those decimal numbers, including
10955ranges and operators.
10956
Willy Tarreau6a06a402007-07-15 20:15:28 +020010957For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +010010958operators with ranges does not make much sense and is strongly discouraged.
10959Similarly, it does not make much sense to perform order comparisons with a set
10960of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010961
Willy Tarreau0ba27502007-12-24 16:55:16 +010010962Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +020010963
10964 eq : true if the tested value equals at least one value
10965 ge : true if the tested value is greater than or equal to at least one value
10966 gt : true if the tested value is greater than at least one value
10967 le : true if the tested value is less than or equal to at least one value
10968 lt : true if the tested value is less than at least one value
10969
Willy Tarreau0ba27502007-12-24 16:55:16 +010010970For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +020010971
10972 acl negative-length hdr_val(content-length) lt 0
10973
Willy Tarreau62644772008-07-16 18:36:06 +020010974This one matches SSL versions between 3.0 and 3.1 (inclusive) :
10975
10976 acl sslv3 req_ssl_ver 3:3.1
10977
Willy Tarreau6a06a402007-07-15 20:15:28 +020010978
Willy Tarreau74ca5042013-06-11 23:12:07 +0200109797.1.3. Matching strings
10980-----------------------
10981
10982String matching applies to string or binary fetch methods, and exists in 6
10983different forms :
10984
10985 - exact match (-m str) : the extracted string must exactly match the
10986 patterns ;
10987
10988 - substring match (-m sub) : the patterns are looked up inside the
10989 extracted string, and the ACL matches if any of them is found inside ;
10990
10991 - prefix match (-m beg) : the patterns are compared with the beginning of
10992 the extracted string, and the ACL matches if any of them matches.
10993
10994 - suffix match (-m end) : the patterns are compared with the end of the
10995 extracted string, and the ACL matches if any of them matches.
10996
10997 - subdir match (-m sub) : the patterns are looked up inside the extracted
10998 string, delimited with slashes ("/"), and the ACL matches if any of them
10999 matches.
11000
11001 - domain match (-m dom) : the patterns are looked up inside the extracted
11002 string, delimited with dots ("."), and the ACL matches if any of them
11003 matches.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011004
11005String matching applies to verbatim strings as they are passed, with the
11006exception of the backslash ("\") which makes it possible to escape some
11007characters such as the space. If the "-i" flag is passed before the first
11008string, then the matching will be performed ignoring the case. In order
11009to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +010011010before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020011011
11012
Willy Tarreau74ca5042013-06-11 23:12:07 +0200110137.1.4. Matching regular expressions (regexes)
11014---------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020011015
11016Just like with string matching, regex matching applies to verbatim strings as
11017they are passed, with the exception of the backslash ("\") which makes it
11018possible to escape some characters such as the space. If the "-i" flag is
11019passed before the first regex, then the matching will be performed ignoring
11020the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +010011021the "--" flag before the first string. Same principle applies of course to
11022match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020011023
11024
Willy Tarreau74ca5042013-06-11 23:12:07 +0200110257.1.5. Matching arbitrary data blocks
11026-------------------------------------
11027
11028It is possible to match some extracted samples against a binary block which may
11029not safely be represented as a string. For this, the patterns must be passed as
11030a series of hexadecimal digits in an even number, when the match method is set
11031to binary. Each sequence of two digits will represent a byte. The hexadecimal
11032digits may be used upper or lower case.
11033
11034Example :
11035 # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
11036 acl hello payload(0,6) -m bin 48656c6c6f0a
11037
11038
110397.1.6. Matching IPv4 and IPv6 addresses
11040---------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020011041
11042IPv4 addresses values can be specified either as plain addresses or with a
11043netmask appended, in which case the IPv4 address matches whenever it is
11044within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010011045host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +010011046difficult to read and debug configurations. If hostnames are used, you should
11047at least ensure that they are present in /etc/hosts so that the configuration
11048does not depend on any random DNS match at the moment the configuration is
11049parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011050
Willy Tarreauceb4ac92012-04-28 00:41:46 +020011051IPv6 may be entered in their usual form, with or without a netmask appended.
11052Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
11053trouble with randomly resolved IP addresses, host names are never allowed in
11054IPv6 patterns.
11055
11056HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
11057following situations :
11058 - tested address is IPv4, pattern address is IPv4, the match applies
11059 in IPv4 using the supplied mask if any.
11060 - tested address is IPv6, pattern address is IPv6, the match applies
11061 in IPv6 using the supplied mask if any.
11062 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
11063 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
11064 ::IPV4 or ::ffff:IPV4, otherwise it fails.
11065 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
11066 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
11067 applied in IPv6 using the supplied IPv6 mask.
11068
Willy Tarreau74ca5042013-06-11 23:12:07 +020011069
110707.2. Using ACLs to form conditions
11071----------------------------------
11072
11073Some actions are only performed upon a valid condition. A condition is a
11074combination of ACLs with operators. 3 operators are supported :
11075
11076 - AND (implicit)
11077 - OR (explicit with the "or" keyword or the "||" operator)
11078 - Negation with the exclamation mark ("!")
Willy Tarreau6a06a402007-07-15 20:15:28 +020011079
Willy Tarreau74ca5042013-06-11 23:12:07 +020011080A condition is formed as a disjunctive form:
Willy Tarreau6a06a402007-07-15 20:15:28 +020011081
Willy Tarreau74ca5042013-06-11 23:12:07 +020011082 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreaubef91e72013-03-31 23:14:46 +020011083
Willy Tarreau74ca5042013-06-11 23:12:07 +020011084Such conditions are generally used after an "if" or "unless" statement,
11085indicating when the condition will trigger the action.
Willy Tarreaubef91e72013-03-31 23:14:46 +020011086
Willy Tarreau74ca5042013-06-11 23:12:07 +020011087For instance, to block HTTP requests to the "*" URL with methods other than
11088"OPTIONS", as well as POST requests without content-length, and GET or HEAD
11089requests with a content-length greater than 0, and finally every request which
11090is not either GET/HEAD/POST/OPTIONS !
11091
11092 acl missing_cl hdr_cnt(Content-length) eq 0
11093 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
11094 block if METH_GET HTTP_CONTENT
11095 block unless METH_GET or METH_POST or METH_OPTIONS
11096
11097To select a different backend for requests to static contents on the "www" site
11098and to every request on the "img", "video", "download" and "ftp" hosts :
11099
11100 acl url_static path_beg /static /images /img /css
11101 acl url_static path_end .gif .png .jpg .css .js
11102 acl host_www hdr_beg(host) -i www
11103 acl host_static hdr_beg(host) -i img. video. download. ftp.
11104
11105 # now use backend "static" for all static-only hosts, and for static urls
11106 # of host "www". Use backend "www" for the rest.
11107 use_backend static if host_static or host_www url_static
11108 use_backend www if host_www
11109
11110It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
11111expressions that are built on the fly without needing to be declared. They must
11112be enclosed between braces, with a space before and after each brace (because
11113the braces must be seen as independent words). Example :
11114
11115 The following rule :
11116
11117 acl missing_cl hdr_cnt(Content-length) eq 0
11118 block if METH_POST missing_cl
11119
11120 Can also be written that way :
11121
11122 block if METH_POST { hdr_cnt(Content-length) eq 0 }
11123
11124It is generally not recommended to use this construct because it's a lot easier
11125to leave errors in the configuration when written that way. However, for very
11126simple rules matching only one source IP address for instance, it can make more
11127sense to use them than to declare ACLs with random names. Another example of
11128good use is the following :
11129
11130 With named ACLs :
11131
11132 acl site_dead nbsrv(dynamic) lt 2
11133 acl site_dead nbsrv(static) lt 2
11134 monitor fail if site_dead
11135
11136 With anonymous ACLs :
11137
11138 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
11139
11140See section 4.2 for detailed help on the "block" and "use_backend" keywords.
11141
11142
111437.3. Fetching samples
11144---------------------
11145
11146Historically, sample fetch methods were only used to retrieve data to match
11147against patterns using ACLs. With the arrival of stick-tables, a new class of
11148sample fetch methods was created, most often sharing the same syntax as their
11149ACL counterpart. These sample fetch methods are also known as "fetches". As
11150of now, ACLs and fetches have converged. All ACL fetch methods have been made
11151available as fetch methods, and ACLs may use any sample fetch method as well.
11152
11153This section details all available sample fetch methods and their output type.
11154Some sample fetch methods have deprecated aliases that are used to maintain
11155compatibility with existing configurations. They are then explicitly marked as
11156deprecated and should not be used in new setups.
11157
11158The ACL derivatives are also indicated when available, with their respective
11159matching methods. These ones all have a well defined default pattern matching
11160method, so it is never necessary (though allowed) to pass the "-m" option to
11161indicate how the sample will be matched using ACLs.
11162
11163As indicated in the sample type versus matching compatibility matrix above,
11164when using a generic sample fetch method in an ACL, the "-m" option is
11165mandatory unless the sample type is one of boolean, integer, IPv4 or IPv6. When
11166the same keyword exists as an ACL keyword and as a standard fetch method, the
11167ACL engine will automatically pick the ACL-only one by default.
11168
11169Some of these keywords support one or multiple mandatory arguments, and one or
11170multiple optional arguments. These arguments are strongly typed and are checked
11171when the configuration is parsed so that there is no risk of running with an
11172incorrect argument (eg: an unresolved backend name). Fetch function arguments
11173are passed between parenthesis and are delimited by commas. When an argument
11174is optional, it will be indicated below between square brackets ('[ ]'). When
11175all arguments are optional, the parenthesis may be omitted.
11176
11177Thus, the syntax of a standard sample fetch method is one of the following :
11178 - name
11179 - name(arg1)
11180 - name(arg1,arg2)
11181
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011182
111837.3.1. Converters
11184-----------------
11185
Willy Tarreaue6b11e42013-11-26 19:02:32 +010011186Sample fetch methods may be combined with transformations to be applied on top
11187of the fetched sample (also called "converters"). These combinations form what
11188is called "sample expressions" and the result is a "sample". Initially this
11189was only supported by "stick on" and "stick store-request" directives but this
11190has now be extended to all places where samples may be used (acls, log-format,
11191unique-id-format, add-header, ...).
11192
11193These transformations are enumerated as a series of specific keywords after the
11194sample fetch method. These keywords may equally be appended immediately after
11195the fetch keyword's argument, delimited by a comma. These keywords can also
11196support some arguments (eg: a netmask) which must be passed in parenthesis.
Willy Tarreau0ba27502007-12-24 16:55:16 +010011197
Willy Tarreau97707872015-01-27 15:12:13 +010011198A certain category of converters are bitwise and arithmetic operators which
11199support performing basic operations on integers. Some bitwise operations are
11200supported (and, or, xor, cpl) and some arithmetic operations are supported
11201(add, sub, mul, div, mod, neg). Some comparators are provided (odd, even, not,
11202bool) which make it possible to report a match without having to write an ACL.
11203
Willy Tarreau74ca5042013-06-11 23:12:07 +020011204The currently available list of transformation keywords include :
Willy Tarreau0ba27502007-12-24 16:55:16 +010011205
Willy Tarreau97707872015-01-27 15:12:13 +010011206add(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011207 Adds <value> to the input value of type signed integer, and returns the
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011208 result as a signed integer. <value> can be a numeric value or a variable
11209 name. The name of the variable starts by an indication about its scope. The
11210 allowed scopes are:
11211 "sess" : the variable is shared with all the session,
11212 "txn" : the variable is shared with all the transaction (request and
11213 response),
11214 "req" : the variable is shared only during the request processing,
11215 "res" : the variable is shared only during the response processing.
11216 This prefix is followed by a name. The separator is a '.'. The name may only
11217 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011218
11219and(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011220 Performs a bitwise "AND" between <value> and the input value of type signed
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011221 integer, and returns the result as an signed integer. <value> can be a
11222 numeric value or a variable name. The name of the variable starts by an
11223 indication about its scope. The allowed scopes are:
11224 "sess" : the variable is shared with all the session,
11225 "txn" : the variable is shared with all the transaction (request and
11226 response),
11227 "req" : the variable is shared only during the request processing,
11228 "res" : the variable is shared only during the response processing.
11229 This prefix is followed by a name. The separator is a '.'. The name may only
11230 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011231
Emeric Brun53d1a982014-04-30 18:21:37 +020011232base64
11233 Converts a binary input sample to a base64 string. It is used to log or
11234 transfer binary content in a way that can be reliably transferred (eg:
11235 an SSL ID can be copied in a header).
11236
Willy Tarreau97707872015-01-27 15:12:13 +010011237bool
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011238 Returns a boolean TRUE if the input value of type signed integer is
Willy Tarreau97707872015-01-27 15:12:13 +010011239 non-null, otherwise returns FALSE. Used in conjunction with and(), it can be
11240 used to report true/false for bit testing on input values (eg: verify the
11241 presence of a flag).
11242
Emeric Brun54c4ac82014-11-03 15:32:43 +010011243bytes(<offset>[,<length>])
11244 Extracts some bytes from an input binary sample. The result is a binary
11245 sample starting at an offset (in bytes) of the original sample and
11246 optionnaly truncated at the given length.
11247
Willy Tarreau97707872015-01-27 15:12:13 +010011248cpl
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011249 Takes the input value of type signed integer, applies a ones-complement
11250 (flips all bits) and returns the result as an signed integer.
Willy Tarreau97707872015-01-27 15:12:13 +010011251
Willy Tarreau80599772015-01-20 19:35:24 +010011252crc32([<avalanche>])
11253 Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32
11254 hash function. Optionally, it is possible to apply a full avalanche hash
11255 function to the output if the optional <avalanche> argument equals 1. This
11256 converter uses the same functions as used by the various hash-based load
11257 balancing algorithms, so it will provide exactly the same results. It is
11258 provided for compatibility with other software which want a CRC32 to be
11259 computed on some input keys, so it follows the most common implementation as
11260 found in Ethernet, Gzip, PNG, etc... It is slower than the other algorithms
11261 but may provide a better or at least less predictable distribution. It must
11262 not be used for security purposes as a 32-bit hash is trivial to break. See
11263 also "djb2", "sdbm", "wt6" and the "hash-type" directive.
11264
David Carlier4542b102015-06-01 13:54:29 +020011265da-csv(<prop>[,<prop>*])
11266 Asks the DeviceAtlas converter to identify the User Agent string passed on
11267 input, and to emit a string made of the concatenation of the properties
11268 enumerated in argument, delimited by the separator defined by the global
11269 keyword "deviceatlas-property-separator", or by default the pipe character
11270 ('|'). There's a limit of 5 different properties imposed by the haproxy
11271 configuration language.
11272
11273 Example:
11274 frontend www
11275 bind *:8881
11276 default_backend servers
11277 http-request set-header X-DeviceAtlas-Data %[req.fhdr(User-Agent),da-csv(primaryHardwareType,osName,osVersion,browserName,browserVersion)]
11278
Thierry FOURNIER9687c772015-05-07 15:46:29 +020011279debug
11280 This converter is used as debug tool. It dumps on screen the content and the
11281 type of the input sample. The sample is returned as is on its output. This
11282 converter only exists when haproxy was built with debugging enabled.
11283
Willy Tarreau97707872015-01-27 15:12:13 +010011284div(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011285 Divides the input value of type signed integer by <value>, and returns the
11286 result as an signed integer. If <value> is null, the largest unsigned
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011287 integer is returned (typically 2^63-1). <value> can be a numeric value or a
11288 variable name. The name of the variable starts by an indication about it
11289 scope. The scope allowed are:
11290 "sess" : the variable is shared with all the session,
11291 "txn" : the variable is shared with all the transaction (request and
11292 response),
11293 "req" : the variable is shared only during the request processing,
11294 "res" : the variable is shared only during the response processing.
11295 This prefix is followed by a name. The separator is a '.'. The name may only
11296 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011297
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020011298djb2([<avalanche>])
11299 Hashes a binary input sample into an unsigned 32-bit quantity using the DJB2
11300 hash function. Optionally, it is possible to apply a full avalanche hash
11301 function to the output if the optional <avalanche> argument equals 1. This
11302 converter uses the same functions as used by the various hash-based load
11303 balancing algorithms, so it will provide exactly the same results. It is
11304 mostly intended for debugging, but can be used as a stick-table entry to
11305 collect rough statistics. It must not be used for security purposes as a
Willy Tarreau80599772015-01-20 19:35:24 +010011306 32-bit hash is trivial to break. See also "crc32", "sdbm", "wt6" and the
11307 "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020011308
Willy Tarreau97707872015-01-27 15:12:13 +010011309even
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011310 Returns a boolean TRUE if the input value of type signed integer is even
Willy Tarreau97707872015-01-27 15:12:13 +010011311 otherwise returns FALSE. It is functionally equivalent to "not,and(1),bool".
11312
Emeric Brunf399b0d2014-11-03 17:07:03 +010011313field(<index>,<delimiters>)
11314 Extracts the substring at the given index considering given delimiters from
11315 an input string. Indexes start at 1 and delimiters are a string formatted
11316 list of chars.
11317
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011318hex
11319 Converts a binary input sample to an hex string containing two hex digits per
11320 input byte. It is used to log or transfer hex dumps of some binary input data
11321 in a way that can be reliably transferred (eg: an SSL ID can be copied in a
11322 header).
Thierry FOURNIER2f49d6d2014-03-12 15:01:52 +010011323
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011324http_date([<offset>])
11325 Converts an integer supposed to contain a date since epoch to a string
11326 representing this date in a format suitable for use in HTTP header fields. If
11327 an offset value is specified, then it is a number of seconds that is added to
11328 the date before the conversion is operated. This is particularly useful to
11329 emit Date header fields, Expires values in responses when combined with a
11330 positive offset, or Last-Modified values when the offset is negative.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011331
Willy Tarreaud9f316a2014-07-10 14:03:38 +020011332in_table(<table>)
11333 Uses the string representation of the input sample to perform a look up in
11334 the specified table. If the key is not found in the table, a boolean false
11335 is returned. Otherwise a boolean true is returned. This can be used to verify
11336 the presence of a certain key in a table tracking some elements (eg: whether
11337 or not a source IP address or an Authorization header was already seen).
11338
Willy Tarreauffcb2e42014-07-10 16:29:08 +020011339ipmask(<mask>)
11340 Apply a mask to an IPv4 address, and use the result for lookups and storage.
11341 This can be used to make all hosts within a certain mask to share the same
11342 table entries and as such use the same server. The mask can be passed in
11343 dotted form (eg: 255.255.255.0) or in CIDR form (eg: 24).
11344
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020011345json([<input-code>])
11346 Escapes the input string and produces an ASCII ouput string ready to use as a
11347 JSON string. The converter tries to decode the input string according to the
11348 <input-code> parameter. It can be "ascii", "utf8", "utf8s", "utf8"" or
11349 "utf8ps". The "ascii" decoder never fails. The "utf8" decoder detects 3 types
11350 of errors:
11351 - bad UTF-8 sequence (lone continuation byte, bad number of continuation
11352 bytes, ...)
11353 - invalid range (the decoded value is within a UTF-8 prohibited range),
11354 - code overlong (the value is encoded with more bytes than necessary).
11355
11356 The UTF-8 JSON encoding can produce a "too long value" error when the UTF-8
11357 character is greater than 0xffff because the JSON string escape specification
11358 only authorizes 4 hex digits for the value encoding. The UTF-8 decoder exists
11359 in 4 variants designated by a combination of two suffix letters : "p" for
11360 "permissive" and "s" for "silently ignore". The behaviors of the decoders
11361 are :
11362 - "ascii" : never fails ;
11363 - "utf8" : fails on any detected errors ;
11364 - "utf8s" : never fails, but removes characters corresponding to errors ;
11365 - "utf8p" : accepts and fixes the overlong errors, but fails on any other
11366 error ;
11367 - "utf8ps" : never fails, accepts and fixes the overlong errors, but removes
11368 characters corresponding to the other errors.
11369
11370 This converter is particularly useful for building properly escaped JSON for
11371 logging to servers which consume JSON-formated traffic logs.
11372
11373 Example:
11374 capture request header user-agent len 150
11375 capture request header Host len 15
11376 log-format {"ip":"%[src]","user-agent":"%[capture.req.hdr(1),json]"}
11377
11378 Input request from client 127.0.0.1:
11379 GET / HTTP/1.0
11380 User-Agent: Very "Ugly" UA 1/2
11381
11382 Output log:
11383 {"ip":"127.0.0.1","user-agent":"Very \"Ugly\" UA 1\/2"}
11384
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011385language(<value>[,<default>])
11386 Returns the value with the highest q-factor from a list as extracted from the
11387 "accept-language" header using "req.fhdr". Values with no q-factor have a
11388 q-factor of 1. Values with a q-factor of 0 are dropped. Only values which
11389 belong to the list of semi-colon delimited <values> will be considered. The
11390 argument <value> syntax is "lang[;lang[;lang[;...]]]". If no value matches the
11391 given list and a default value is provided, it is returned. Note that language
11392 names may have a variant after a dash ('-'). If this variant is present in the
11393 list, it will be matched, but if it is not, only the base language is checked.
11394 The match is case-sensitive, and the output string is always one of those
11395 provided in arguments. The ordering of arguments is meaningless, only the
11396 ordering of the values in the request counts, as the first value among
11397 multiple sharing the same q-factor is used.
Thierry FOURNIERad903512014-04-11 17:51:01 +020011398
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011399 Example :
Thierry FOURNIERad903512014-04-11 17:51:01 +020011400
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011401 # this configuration switches to the backend matching a
11402 # given language based on the request :
Thierry FOURNIERad903512014-04-11 17:51:01 +020011403
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011404 acl es req.fhdr(accept-language),language(es;fr;en) -m str es
11405 acl fr req.fhdr(accept-language),language(es;fr;en) -m str fr
11406 acl en req.fhdr(accept-language),language(es;fr;en) -m str en
11407 use_backend spanish if es
11408 use_backend french if fr
11409 use_backend english if en
11410 default_backend choose_your_language
Thierry FOURNIERad903512014-04-11 17:51:01 +020011411
Willy Tarreauffcb2e42014-07-10 16:29:08 +020011412lower
11413 Convert a string sample to lower case. This can only be placed after a string
11414 sample fetch function or after a transformation keyword returning a string
11415 type. The result is of type string.
11416
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020011417ltime(<format>[,<offset>])
11418 Converts an integer supposed to contain a date since epoch to a string
11419 representing this date in local time using a format defined by the <format>
11420 string using strftime(3). The purpose is to allow any date format to be used
11421 in logs. An optional <offset> in seconds may be applied to the input date
11422 (positive or negative). See the strftime() man page for the format supported
11423 by your operating system. See also the utime converter.
11424
11425 Example :
11426
11427 # Emit two colons, one with the local time and another with ip:port
11428 # Eg: 20140710162350 127.0.0.1:57325
11429 log-format %[date,ltime(%Y%m%d%H%M%S)]\ %ci:%cp
11430
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011431map(<map_file>[,<default_value>])
11432map_<match_type>(<map_file>[,<default_value>])
11433map_<match_type>_<output_type>(<map_file>[,<default_value>])
11434 Search the input value from <map_file> using the <match_type> matching method,
11435 and return the associated value converted to the type <output_type>. If the
11436 input value cannot be found in the <map_file>, the converter returns the
11437 <default_value>. If the <default_value> is not set, the converter fails and
11438 acts as if no input value could be fetched. If the <match_type> is not set, it
11439 defaults to "str". Likewise, if the <output_type> is not set, it defaults to
11440 "str". For convenience, the "map" keyword is an alias for "map_str" and maps a
11441 string to another string.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010011442
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011443 It is important to avoid overlapping between the keys : IP addresses and
11444 strings are stored in trees, so the first of the finest match will be used.
11445 Other keys are stored in lists, so the first matching occurrence will be used.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010011446
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011447 The following array contains the list of all map functions avalaible sorted by
11448 input type, match type and output type.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010011449
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011450 input type | match method | output type str | output type int | output type ip
11451 -----------+--------------+-----------------+-----------------+---------------
11452 str | str | map_str | map_str_int | map_str_ip
11453 -----------+--------------+-----------------+-----------------+---------------
Willy Tarreau787a4c02014-05-10 07:55:30 +020011454 str | beg | map_beg | map_beg_int | map_end_ip
11455 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011456 str | sub | map_sub | map_sub_int | map_sub_ip
11457 -----------+--------------+-----------------+-----------------+---------------
11458 str | dir | map_dir | map_dir_int | map_dir_ip
11459 -----------+--------------+-----------------+-----------------+---------------
11460 str | dom | map_dom | map_dom_int | map_dom_ip
11461 -----------+--------------+-----------------+-----------------+---------------
11462 str | end | map_end | map_end_int | map_end_ip
11463 -----------+--------------+-----------------+-----------------+---------------
11464 str | reg | map_reg | map_reg_int | map_reg_ip
11465 -----------+--------------+-----------------+-----------------+---------------
11466 int | int | map_int | map_int_int | map_int_ip
11467 -----------+--------------+-----------------+-----------------+---------------
11468 ip | ip | map_ip | map_ip_int | map_ip_ip
11469 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010011470
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011471 The file contains one key + value per line. Lines which start with '#' are
11472 ignored, just like empty lines. Leading tabs and spaces are stripped. The key
11473 is then the first "word" (series of non-space/tabs characters), and the value
11474 is what follows this series of space/tab till the end of the line excluding
11475 trailing spaces/tabs.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010011476
Thierry FOURNIER060762e2014-04-23 13:29:15 +020011477 Example :
11478
11479 # this is a comment and is ignored
11480 2.22.246.0/23 United Kingdom \n
11481 <-><-----------><--><------------><---->
11482 | | | | `- trailing spaces ignored
11483 | | | `---------- value
11484 | | `-------------------- middle spaces ignored
11485 | `---------------------------- key
11486 `------------------------------------ leading spaces ignored
11487
Willy Tarreau97707872015-01-27 15:12:13 +010011488mod(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011489 Divides the input value of type signed integer by <value>, and returns the
11490 remainder as an signed integer. If <value> is null, then zero is returned.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011491 <value> can be a numeric value or a variable name. The name of the variable
11492 starts by an indication about its scope. The allowed scopes are:
11493 "sess" : the variable is shared with all the session,
11494 "txn" : the variable is shared with all the transaction (request and
11495 response),
11496 "req" : the variable is shared only during the request processing,
11497 "res" : the variable is shared only during the response processing.
11498 This prefix is followed by a name. The separator is a '.'. The name may only
11499 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011500
11501mul(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011502 Multiplies the input value of type signed integer by <value>, and returns
Thierry FOURNIER00c005c2015-07-08 01:10:21 +020011503 the product as an signed integer. In case of overflow, the largest possible
11504 value for the sign is returned so that the operation doesn't wrap around.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011505 <value> can be a numeric value or a variable name. The name of the variable
11506 starts by an indication about its scope. The allowed scopes are:
11507 "sess" : the variable is shared with all the session,
11508 "txn" : the variable is shared with all the transaction (request and
11509 response),
11510 "req" : the variable is shared only during the request processing,
11511 "res" : the variable is shared only during the response processing.
11512 This prefix is followed by a name. The separator is a '.'. The name may only
11513 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011514
11515neg
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011516 Takes the input value of type signed integer, computes the opposite value,
11517 and returns the remainder as an signed integer. 0 is identity. This operator
11518 is provided for reversed subtracts : in order to subtract the input from a
11519 constant, simply perform a "neg,add(value)".
Willy Tarreau97707872015-01-27 15:12:13 +010011520
11521not
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011522 Returns a boolean FALSE if the input value of type signed integer is
Willy Tarreau97707872015-01-27 15:12:13 +010011523 non-null, otherwise returns TRUE. Used in conjunction with and(), it can be
11524 used to report true/false for bit testing on input values (eg: verify the
11525 absence of a flag).
11526
11527odd
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011528 Returns a boolean TRUE if the input value of type signed integer is odd
Willy Tarreau97707872015-01-27 15:12:13 +010011529 otherwise returns FALSE. It is functionally equivalent to "and(1),bool".
11530
11531or(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011532 Performs a bitwise "OR" between <value> and the input value of type signed
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011533 integer, and returns the result as an signed integer. <value> can be a
11534 numeric value or a variable name. The name of the variable starts by an
11535 indication about its scope. The allowed scopes are:
11536 "sess" : the variable is shared with all the session,
11537 "txn" : the variable is shared with all the transaction (request and
11538 response),
11539 "req" : the variable is shared only during the request processing,
11540 "res" : the variable is shared only during the response processing.
11541 This prefix is followed by a name. The separator is a '.'. The name may only
11542 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011543
Willy Tarreauc4dc3502015-01-23 20:39:28 +010011544regsub(<regex>,<subst>[,<flags>])
Willy Tarreau7eda8492015-01-20 19:47:06 +010011545 Applies a regex-based substitution to the input string. It does the same
11546 operation as the well-known "sed" utility with "s/<regex>/<subst>/". By
11547 default it will replace in the input string the first occurrence of the
11548 largest part matching the regular expression <regex> with the substitution
11549 string <subst>. It is possible to replace all occurrences instead by adding
11550 the flag "g" in the third argument <flags>. It is also possible to make the
11551 regex case insensitive by adding the flag "i" in <flags>. Since <flags> is a
11552 string, it is made up from the concatenation of all desired flags. Thus if
11553 both "i" and "g" are desired, using "gi" or "ig" will have the same effect.
11554 It is important to note that due to the current limitations of the
11555 configuration parser, some characters such as closing parenthesis or comma
11556 are not possible to use in the arguments. The first use of this converter is
11557 to replace certain characters or sequence of characters with other ones.
11558
11559 Example :
11560
11561 # de-duplicate "/" in header "x-path".
11562 # input: x-path: /////a///b/c/xzxyz/
11563 # output: x-path: /a/b/c/xzxyz/
11564 http-request set-header x-path %[hdr(x-path),regsub(/+,/,g)]
11565
Thierry FOURNIER35ab2752015-05-28 13:22:03 +020011566capture-req(<id>)
11567 Capture the string entry in the request slot <id> and returns the entry as
11568 is. If the slot doesn't exist, the capture fails silently.
11569
11570 See also: "declare capture", "http-request capture",
11571 "http-response capture", "req.hdr.capture" and
11572 "res.hdr.capture" (sample fetches).
11573
11574capture-res(<id>)
11575 Capture the string entry in the response slot <id> and returns the entry as
11576 is. If the slot doesn't exist, the capture fails silently.
11577
11578 See also: "declare capture", "http-request capture",
11579 "http-response capture", "req.hdr.capture" and
11580 "res.hdr.capture" (sample fetches).
11581
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020011582sdbm([<avalanche>])
11583 Hashes a binary input sample into an unsigned 32-bit quantity using the SDBM
11584 hash function. Optionally, it is possible to apply a full avalanche hash
11585 function to the output if the optional <avalanche> argument equals 1. This
11586 converter uses the same functions as used by the various hash-based load
11587 balancing algorithms, so it will provide exactly the same results. It is
11588 mostly intended for debugging, but can be used as a stick-table entry to
11589 collect rough statistics. It must not be used for security purposes as a
Willy Tarreau80599772015-01-20 19:35:24 +010011590 32-bit hash is trivial to break. See also "crc32", "djb2", "wt6" and the
11591 "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020011592
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020011593set-var(<var name>)
11594 Sets a variable with the input content and return the content on the output as
11595 is. The variable keep the value and the associated input type. The name of the
11596 variable starts by an indication about it scope. The scope allowed are:
11597 "sess" : the variable is shared with all the session,
11598 "txn" : the variable is shared with all the transaction (request and
11599 response),
11600 "req" : the variable is shared only during the request processing,
11601 "res" : the variable is shared only during the response processing.
11602 This prefix is followed by a name. The separator is a '.'. The name may only
11603 contain characters 'a-z', 'A-Z', '0-9' and '_'.
11604
Willy Tarreau97707872015-01-27 15:12:13 +010011605sub(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011606 Subtracts <value> from the input value of type signed integer, and returns
11607 the result as an signed integer. Note: in order to subtract the input from
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011608 a constant, simply perform a "neg,add(value)". <value> can be a numeric value
11609 or a variable name. The name of the variable starts by an indication about its
11610 scope. The allowed scopes are:
11611 "sess" : the variable is shared with all the session,
11612 "txn" : the variable is shared with all the transaction (request and
11613 response),
11614 "req" : the variable is shared only during the request processing,
11615 "res" : the variable is shared only during the response processing.
11616 This prefix is followed by a name. The separator is a '.'. The name may only
11617 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011618
Willy Tarreaud9f316a2014-07-10 14:03:38 +020011619table_bytes_in_rate(<table>)
11620 Uses the string representation of the input sample to perform a look up in
11621 the specified table. If the key is not found in the table, integer value zero
11622 is returned. Otherwise the converter returns the average client-to-server
11623 bytes rate associated with the input sample in the designated table, measured
11624 in amount of bytes over the period configured in the table. See also the
11625 sc_bytes_in_rate sample fetch keyword.
11626
11627
11628table_bytes_out_rate(<table>)
11629 Uses the string representation of the input sample to perform a look up in
11630 the specified table. If the key is not found in the table, integer value zero
11631 is returned. Otherwise the converter returns the average server-to-client
11632 bytes rate associated with the input sample in the designated table, measured
11633 in amount of bytes over the period configured in the table. See also the
11634 sc_bytes_out_rate sample fetch keyword.
11635
11636table_conn_cnt(<table>)
11637 Uses the string representation of the input sample to perform a look up in
11638 the specified table. If the key is not found in the table, integer value zero
11639 is returned. Otherwise the converter returns the cumulated amount of incoming
11640 connections associated with the input sample in the designated table. See
11641 also the sc_conn_cnt sample fetch keyword.
11642
11643table_conn_cur(<table>)
11644 Uses the string representation of the input sample to perform a look up in
11645 the specified table. If the key is not found in the table, integer value zero
11646 is returned. Otherwise the converter returns the current amount of concurrent
11647 tracked connections associated with the input sample in the designated table.
11648 See also the sc_conn_cur sample fetch keyword.
11649
11650table_conn_rate(<table>)
11651 Uses the string representation of the input sample to perform a look up in
11652 the specified table. If the key is not found in the table, integer value zero
11653 is returned. Otherwise the converter returns the average incoming connection
11654 rate associated with the input sample in the designated table. See also the
11655 sc_conn_rate sample fetch keyword.
11656
Thierry FOURNIER236657b2015-08-19 08:25:14 +020011657table_gpt0(<table>)
11658 Uses the string representation of the input sample to perform a look up in
11659 the specified table. If the key is not found in the table, boolean value zero
11660 is returned. Otherwise the converter returns the current value of the first
11661 general purpose tag associated with the input sample in the designated table.
11662 See also the sc_get_gpt0 sample fetch keyword.
11663
Willy Tarreaud9f316a2014-07-10 14:03:38 +020011664table_gpc0(<table>)
11665 Uses the string representation of the input sample to perform a look up in
11666 the specified table. If the key is not found in the table, integer value zero
11667 is returned. Otherwise the converter returns the current value of the first
11668 general purpose counter associated with the input sample in the designated
11669 table. See also the sc_get_gpc0 sample fetch keyword.
11670
11671table_gpc0_rate(<table>)
11672 Uses the string representation of the input sample to perform a look up in
11673 the specified table. If the key is not found in the table, integer value zero
11674 is returned. Otherwise the converter returns the frequency which the gpc0
11675 counter was incremented over the configured period in the table, associated
11676 with the input sample in the designated table. See also the sc_get_gpc0_rate
11677 sample fetch keyword.
11678
11679table_http_err_cnt(<table>)
11680 Uses the string representation of the input sample to perform a look up in
11681 the specified table. If the key is not found in the table, integer value zero
11682 is returned. Otherwise the converter returns the cumulated amount of HTTP
11683 errors associated with the input sample in the designated table. See also the
11684 sc_http_err_cnt sample fetch keyword.
11685
11686table_http_err_rate(<table>)
11687 Uses the string representation of the input sample to perform a look up in
11688 the specified table. If the key is not found in the table, integer value zero
11689 is returned. Otherwise the average rate of HTTP errors associated with the
11690 input sample in the designated table, measured in amount of errors over the
11691 period configured in the table. See also the sc_http_err_rate sample fetch
11692 keyword.
11693
11694table_http_req_cnt(<table>)
11695 Uses the string representation of the input sample to perform a look up in
11696 the specified table. If the key is not found in the table, integer value zero
11697 is returned. Otherwise the converter returns the cumulated amount of HTTP
11698 requests associated with the input sample in the designated table. See also
11699 the sc_http_req_cnt sample fetch keyword.
11700
11701table_http_req_rate(<table>)
11702 Uses the string representation of the input sample to perform a look up in
11703 the specified table. If the key is not found in the table, integer value zero
11704 is returned. Otherwise the average rate of HTTP requests associated with the
11705 input sample in the designated table, measured in amount of requests over the
11706 period configured in the table. See also the sc_http_req_rate sample fetch
11707 keyword.
11708
11709table_kbytes_in(<table>)
11710 Uses the string representation of the input sample to perform a look up in
11711 the specified table. If the key is not found in the table, integer value zero
11712 is returned. Otherwise the converter returns the cumulated amount of client-
11713 to-server data associated with the input sample in the designated table,
11714 measured in kilobytes. The test is currently performed on 32-bit integers,
11715 which limits values to 4 terabytes. See also the sc_kbytes_in sample fetch
11716 keyword.
11717
11718table_kbytes_out(<table>)
11719 Uses the string representation of the input sample to perform a look up in
11720 the specified table. If the key is not found in the table, integer value zero
11721 is returned. Otherwise the converter returns the cumulated amount of server-
11722 to-client data associated with the input sample in the designated table,
11723 measured in kilobytes. The test is currently performed on 32-bit integers,
11724 which limits values to 4 terabytes. See also the sc_kbytes_out sample fetch
11725 keyword.
11726
11727table_server_id(<table>)
11728 Uses the string representation of the input sample to perform a look up in
11729 the specified table. If the key is not found in the table, integer value zero
11730 is returned. Otherwise the converter returns the server ID associated with
11731 the input sample in the designated table. A server ID is associated to a
11732 sample by a "stick" rule when a connection to a server succeeds. A server ID
11733 zero means that no server is associated with this key.
11734
11735table_sess_cnt(<table>)
11736 Uses the string representation of the input sample to perform a look up in
11737 the specified table. If the key is not found in the table, integer value zero
11738 is returned. Otherwise the converter returns the cumulated amount of incoming
11739 sessions associated with the input sample in the designated table. Note that
11740 a session here refers to an incoming connection being accepted by the
11741 "tcp-request connection" rulesets. See also the sc_sess_cnt sample fetch
11742 keyword.
11743
11744table_sess_rate(<table>)
11745 Uses the string representation of the input sample to perform a look up in
11746 the specified table. If the key is not found in the table, integer value zero
11747 is returned. Otherwise the converter returns the average incoming session
11748 rate associated with the input sample in the designated table. Note that a
11749 session here refers to an incoming connection being accepted by the
11750 "tcp-request connection" rulesets. See also the sc_sess_rate sample fetch
11751 keyword.
11752
11753table_trackers(<table>)
11754 Uses the string representation of the input sample to perform a look up in
11755 the specified table. If the key is not found in the table, integer value zero
11756 is returned. Otherwise the converter returns the current amount of concurrent
11757 connections tracking the same key as the input sample in the designated
11758 table. It differs from table_conn_cur in that it does not rely on any stored
11759 information but on the table's reference count (the "use" value which is
11760 returned by "show table" on the CLI). This may sometimes be more suited for
11761 layer7 tracking. It can be used to tell a server how many concurrent
11762 connections there are from a given address for example. See also the
11763 sc_trackers sample fetch keyword.
11764
Willy Tarreauffcb2e42014-07-10 16:29:08 +020011765upper
11766 Convert a string sample to upper case. This can only be placed after a string
11767 sample fetch function or after a transformation keyword returning a string
11768 type. The result is of type string.
11769
Thierry FOURNIER82ff3c92015-05-07 15:46:20 +020011770url_dec
11771 Takes an url-encoded string provided as input and returns the decoded
11772 version as output. The input and the output are of type string.
11773
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020011774utime(<format>[,<offset>])
11775 Converts an integer supposed to contain a date since epoch to a string
11776 representing this date in UTC time using a format defined by the <format>
11777 string using strftime(3). The purpose is to allow any date format to be used
11778 in logs. An optional <offset> in seconds may be applied to the input date
11779 (positive or negative). See the strftime() man page for the format supported
11780 by your operating system. See also the ltime converter.
11781
11782 Example :
11783
11784 # Emit two colons, one with the UTC time and another with ip:port
11785 # Eg: 20140710162350 127.0.0.1:57325
11786 log-format %[date,utime(%Y%m%d%H%M%S)]\ %ci:%cp
11787
Emeric Brunc9a0f6d2014-11-25 14:09:01 +010011788word(<index>,<delimiters>)
11789 Extracts the nth word considering given delimiters from an input string.
11790 Indexes start at 1 and delimiters are a string formatted list of chars.
11791
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020011792wt6([<avalanche>])
11793 Hashes a binary input sample into an unsigned 32-bit quantity using the WT6
11794 hash function. Optionally, it is possible to apply a full avalanche hash
11795 function to the output if the optional <avalanche> argument equals 1. This
11796 converter uses the same functions as used by the various hash-based load
11797 balancing algorithms, so it will provide exactly the same results. It is
11798 mostly intended for debugging, but can be used as a stick-table entry to
11799 collect rough statistics. It must not be used for security purposes as a
Willy Tarreau80599772015-01-20 19:35:24 +010011800 32-bit hash is trivial to break. See also "crc32", "djb2", "sdbm", and the
11801 "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020011802
Willy Tarreau97707872015-01-27 15:12:13 +010011803xor(<value>)
11804 Performs a bitwise "XOR" (exclusive OR) between <value> and the input value
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011805 of type signed integer, and returns the result as an signed integer.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020011806 <value> can be a numeric value or a variable name. The name of the variable
11807 starts by an indication about its scope. The allowed scopes are:
11808 "sess" : the variable is shared with all the session,
11809 "txn" : the variable is shared with all the transaction (request and
11810 response),
11811 "req" : the variable is shared only during the request processing,
11812 "res" : the variable is shared only during the response processing.
11813 This prefix is followed by a name. The separator is a '.'. The name may only
11814 contain characters 'a-z', 'A-Z', '0-9' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010011815
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010011816
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200118177.3.2. Fetching samples from internal states
Willy Tarreau74ca5042013-06-11 23:12:07 +020011818--------------------------------------------
11819
11820A first set of sample fetch methods applies to internal information which does
11821not even relate to any client information. These ones are sometimes used with
11822"monitor-fail" directives to report an internal status to external watchers.
11823The sample fetch methods described in this section are usable anywhere.
11824
11825always_false : boolean
11826 Always returns the boolean "false" value. It may be used with ACLs as a
11827 temporary replacement for another one when adjusting configurations.
11828
11829always_true : boolean
11830 Always returns the boolean "true" value. It may be used with ACLs as a
11831 temporary replacement for another one when adjusting configurations.
11832
11833avg_queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010011834 Returns the total number of queued connections of the designated backend
Willy Tarreau74ca5042013-06-11 23:12:07 +020011835 divided by the number of active servers. The current backend is used if no
11836 backend is specified. This is very similar to "queue" except that the size of
11837 the farm is considered, in order to give a more accurate measurement of the
11838 time it may take for a new connection to be processed. The main usage is with
11839 ACL to return a sorry page to new users when it becomes certain they will get
11840 a degraded service, or to pass to the backend servers in a header so that
11841 they decide to work in degraded mode or to disable some functions to speed up
11842 the processing a bit. Note that in the event there would not be any active
11843 server anymore, twice the number of queued connections would be considered as
11844 the measured value. This is a fair estimate, as we expect one server to get
11845 back soon anyway, but we still prefer to send new traffic to another backend
11846 if in better shape. See also the "queue", "be_conn", and "be_sess_rate"
11847 sample fetches.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +010011848
Willy Tarreau74ca5042013-06-11 23:12:07 +020011849be_conn([<backend>]) : integer
Willy Tarreaua36af912009-10-10 12:02:45 +020011850 Applies to the number of currently established connections on the backend,
11851 possibly including the connection being evaluated. If no backend name is
11852 specified, the current one is used. But it is also possible to check another
11853 backend. It can be used to use a specific farm when the nominal one is full.
11854 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011855
Willy Tarreau74ca5042013-06-11 23:12:07 +020011856be_sess_rate([<backend>]) : integer
11857 Returns an integer value corresponding to the sessions creation rate on the
11858 backend, in number of new sessions per second. This is used with ACLs to
11859 switch to an alternate backend when an expensive or fragile one reaches too
11860 high a session rate, or to limit abuse of service (eg. prevent sucking of an
11861 online dictionary). It can also be useful to add this element to logs using a
11862 log-format directive.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011863
11864 Example :
11865 # Redirect to an error page if the dictionary is requested too often
11866 backend dynamic
11867 mode http
11868 acl being_scanned be_sess_rate gt 100
11869 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +010011870
Thierry FOURNIERcc103292015-06-06 19:30:17 +020011871bin(<hexa>) : bin
11872 Returns a binary chain. The input is the hexadecimal representation
11873 of the string.
11874
11875bool(<bool>) : bool
11876 Returns a boolean value. <bool> can be 'true', 'false', '1' or '0'.
11877 'false' and '0' are the same. 'true' and '1' are the same.
11878
Willy Tarreau74ca5042013-06-11 23:12:07 +020011879connslots([<backend>]) : integer
11880 Returns an integer value corresponding to the number of connection slots
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011881 still available in the backend, by totaling the maximum amount of
Willy Tarreau74ca5042013-06-11 23:12:07 +020011882 connections on all servers and the maximum queue size. This is probably only
11883 used with ACLs.
Tait Clarridge7896d522012-12-05 21:39:31 -050011884
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080011885 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +020011886 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080011887 usage; see "use_backend" keyword) can be redirected to a different backend.
11888
Willy Tarreau55165fe2009-05-10 12:02:55 +020011889 'connslots' = number of available server connection slots, + number of
11890 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080011891
Willy Tarreaua36af912009-10-10 12:02:45 +020011892 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +020011893 useful when you have a case of traffic going to one single ip, splitting into
Willy Tarreau74ca5042013-06-11 23:12:07 +020011894 multiple backends (perhaps using ACLs to do name-based load balancing) and
Willy Tarreau55165fe2009-05-10 12:02:55 +020011895 you want to be able to differentiate between different backends, and their
11896 available "connslots". Also, whereas "nbsrv" only measures servers that are
Willy Tarreau74ca5042013-06-11 23:12:07 +020011897 actually *down*, this fetch is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +020011898 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080011899
Willy Tarreau55165fe2009-05-10 12:02:55 +020011900 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
11901 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
Willy Tarreau74ca5042013-06-11 23:12:07 +020011902 then this fetch clearly does not make sense, in which case the value returned
Willy Tarreau55165fe2009-05-10 12:02:55 +020011903 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080011904
Willy Tarreau6236d3a2013-07-25 14:28:25 +020011905date([<offset>]) : integer
11906 Returns the current date as the epoch (number of seconds since 01/01/1970).
11907 If an offset value is specified, then it is a number of seconds that is added
11908 to the current date before returning the value. This is particularly useful
11909 to compute relative dates, as both positive and negative offsets are allowed.
Willy Tarreau276fae92013-07-25 14:36:01 +020011910 It is useful combined with the http_date converter.
11911
11912 Example :
11913
11914 # set an expires header to now+1 hour in every response
11915 http-response set-header Expires %[date(3600),http_date]
Willy Tarreau6236d3a2013-07-25 14:28:25 +020011916
Willy Tarreau595ec542013-06-12 21:34:28 +020011917env(<name>) : string
11918 Returns a string containing the value of environment variable <name>. As a
11919 reminder, environment variables are per-process and are sampled when the
11920 process starts. This can be useful to pass some information to a next hop
11921 server, or with ACLs to take specific action when the process is started a
11922 certain way.
11923
11924 Examples :
11925 # Pass the Via header to next hop with the local hostname in it
11926 http-request add-header Via 1.1\ %[env(HOSTNAME)]
11927
11928 # reject cookie-less requests when the STOP environment variable is set
11929 http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
11930
Willy Tarreau74ca5042013-06-11 23:12:07 +020011931fe_conn([<frontend>]) : integer
11932 Returns the number of currently established connections on the frontend,
Willy Tarreaud63335a2010-02-26 12:56:52 +010011933 possibly including the connection being evaluated. If no frontend name is
11934 specified, the current one is used. But it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020011935 frontend. It can be used to return a sorry page before hard-blocking, or to
11936 use a specific backend to drain new requests when the farm is considered
11937 full. This is mostly used with ACLs but can also be used to pass some
11938 statistics to servers in HTTP headers. See also the "dst_conn", "be_conn",
11939 "fe_sess_rate" fetches.
Willy Tarreaua36af912009-10-10 12:02:45 +020011940
Willy Tarreau74ca5042013-06-11 23:12:07 +020011941fe_sess_rate([<frontend>]) : integer
11942 Returns an integer value corresponding to the sessions creation rate on the
11943 frontend, in number of new sessions per second. This is used with ACLs to
11944 limit the incoming session rate to an acceptable range in order to prevent
11945 abuse of service at the earliest moment, for example when combined with other
11946 layer 4 ACLs in order to force the clients to wait a bit for the rate to go
11947 down below the limit. It can also be useful to add this element to logs using
11948 a log-format directive. See also the "rate-limit sessions" directive for use
11949 in frontends.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010011950
11951 Example :
11952 # This frontend limits incoming mails to 10/s with a max of 100
11953 # concurrent connections. We accept any connection below 10/s, and
11954 # force excess clients to wait for 100 ms. Since clients are limited to
11955 # 100 max, there cannot be more than 10 incoming mails per second.
11956 frontend mail
11957 bind :25
11958 mode tcp
11959 maxconn 100
11960 acl too_fast fe_sess_rate ge 10
11961 tcp-request inspect-delay 100ms
11962 tcp-request content accept if ! too_fast
11963 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +010011964
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020011965int(<integer>) : signed integer
11966 Returns a signed integer.
11967
Thierry FOURNIERcc103292015-06-06 19:30:17 +020011968ipv4(<ipv4>) : ipv4
11969 Returns an ipv4.
11970
11971ipv6(<ipv6>) : ipv6
11972 Returns an ipv6.
11973
11974meth(<method>) : method
11975 Returns a method.
11976
Willy Tarreau0f30d262014-11-24 16:02:05 +010011977nbproc : integer
11978 Returns an integer value corresponding to the number of processes that were
11979 started (it equals the global "nbproc" setting). This is useful for logging
11980 and debugging purposes.
11981
Willy Tarreau74ca5042013-06-11 23:12:07 +020011982nbsrv([<backend>]) : integer
11983 Returns an integer value corresponding to the number of usable servers of
11984 either the current backend or the named backend. This is mostly used with
11985 ACLs but can also be useful when added to logs. This is normally used to
Willy Tarreaud63335a2010-02-26 12:56:52 +010011986 switch to an alternate backend when the number of servers is too low to
11987 to handle some load. It is useful to report a failure when combined with
11988 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +010011989
Willy Tarreau0f30d262014-11-24 16:02:05 +010011990proc : integer
11991 Returns an integer value corresponding to the position of the process calling
11992 the function, between 1 and global.nbproc. This is useful for logging and
11993 debugging purposes.
11994
Willy Tarreau74ca5042013-06-11 23:12:07 +020011995queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010011996 Returns the total number of queued connections of the designated backend,
11997 including all the connections in server queues. If no backend name is
11998 specified, the current one is used, but it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020011999 one. This is useful with ACLs or to pass statistics to backend servers. This
12000 can be used to take actions when queuing goes above a known level, generally
12001 indicating a surge of traffic or a massive slowdown on the servers. One
12002 possible action could be to reject new users but still accept old ones. See
12003 also the "avg_queue", "be_conn", and "be_sess_rate" fetches.
12004
Willy Tarreau84310e22014-02-14 11:59:04 +010012005rand([<range>]) : integer
12006 Returns a random integer value within a range of <range> possible values,
12007 starting at zero. If the range is not specified, it defaults to 2^32, which
12008 gives numbers between 0 and 4294967295. It can be useful to pass some values
12009 needed to take some routing decisions for example, or just for debugging
12010 purposes. This random must not be used for security purposes.
12011
Willy Tarreau74ca5042013-06-11 23:12:07 +020012012srv_conn([<backend>/]<server>) : integer
12013 Returns an integer value corresponding to the number of currently established
12014 connections on the designated server, possibly including the connection being
12015 evaluated. If <backend> is omitted, then the server is looked up in the
12016 current backend. It can be used to use a specific farm when one server is
12017 full, or to inform the server about our view of the number of active
12018 connections with it. See also the "fe_conn", "be_conn" and "queue" fetch
12019 methods.
12020
12021srv_is_up([<backend>/]<server>) : boolean
12022 Returns true when the designated server is UP, and false when it is either
12023 DOWN or in maintenance mode. If <backend> is omitted, then the server is
12024 looked up in the current backend. It is mainly used to take action based on
12025 an external status reported via a health check (eg: a geographical site's
12026 availability). Another possible use which is more of a hack consists in
12027 using dummy servers as boolean variables that can be enabled or disabled from
12028 the CLI, so that rules depending on those ACLs can be tweaked in realtime.
12029
12030srv_sess_rate([<backend>/]<server>) : integer
12031 Returns an integer corresponding to the sessions creation rate on the
12032 designated server, in number of new sessions per second. If <backend> is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012033 omitted, then the server is looked up in the current backend. This is mostly
Willy Tarreau74ca5042013-06-11 23:12:07 +020012034 used with ACLs but can make sense with logs too. This is used to switch to an
12035 alternate backend when an expensive or fragile one reaches too high a session
12036 rate, or to limit abuse of service (eg. prevent latent requests from
12037 overloading servers).
12038
12039 Example :
12040 # Redirect to a separate back
12041 acl srv1_full srv_sess_rate(be1/srv1) gt 50
12042 acl srv2_full srv_sess_rate(be1/srv2) gt 50
12043 use_backend be2 if srv1_full or srv2_full
12044
Willy Tarreau0f30d262014-11-24 16:02:05 +010012045stopping : boolean
12046 Returns TRUE if the process calling the function is currently stopping. This
12047 can be useful for logging, or for relaxing certain checks or helping close
12048 certain connections upon graceful shutdown.
12049
Thierry FOURNIERcc103292015-06-06 19:30:17 +020012050str(<string>) : string
12051 Returns a string.
12052
Willy Tarreau74ca5042013-06-11 23:12:07 +020012053table_avl([<table>]) : integer
12054 Returns the total number of available entries in the current proxy's
12055 stick-table or in the designated stick-table. See also table_cnt.
12056
12057table_cnt([<table>]) : integer
12058 Returns the total number of entries currently in use in the current proxy's
12059 stick-table or in the designated stick-table. See also src_conn_cnt and
12060 table_avl for other entry counting methods.
12061
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012062var(<var-name>) : undefined
12063 Returns a variable with the stored type. If the variable is not set, the
12064 sample fetch fails. The name of the variable starts by an indication about its
12065 scope. The scope allowed are:
12066 "sess" : the variable is shared with all the session,
12067 "txn" : the variable is shared with all the transaction (request and
12068 response),
12069 "req" : the variable is shared only during the request processing,
12070 "res" : the variable is shared only during the response processing.
12071 This prefix is followed by a name. The separator is a '.'. The name may only
12072 contain characters 'a-z', 'A-Z', '0-9' and '_'.
12073
Willy Tarreau74ca5042013-06-11 23:12:07 +020012074
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200120757.3.3. Fetching samples at Layer 4
Willy Tarreau74ca5042013-06-11 23:12:07 +020012076----------------------------------
12077
12078The layer 4 usually describes just the transport layer which in haproxy is
12079closest to the connection, where no content is yet made available. The fetch
12080methods described here are usable as low as the "tcp-request connection" rule
12081sets unless they require some future information. Those generally include
12082TCP/IP addresses and ports, as well as elements from stick-tables related to
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012083the incoming connection. For retrieving a value from a sticky counters, the
12084counter number can be explicitly set as 0, 1, or 2 using the pre-defined
12085"sc0_", "sc1_", or "sc2_" prefix, or it can be specified as the first integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012086argument when using the "sc_" prefix. An optional table may be specified with
12087the "sc*" form, in which case the currently tracked key will be looked up into
12088this alternate table instead of the table currently being tracked.
Willy Tarreau74ca5042013-06-11 23:12:07 +020012089
12090be_id : integer
12091 Returns an integer containing the current backend's id. It can be used in
12092 frontends with responses to check which backend processed the request.
12093
12094dst : ip
12095 This is the destination IPv4 address of the connection on the client side,
12096 which is the address the client connected to. It can be useful when running
12097 in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
12098 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
12099 RFC 4291.
12100
12101dst_conn : integer
12102 Returns an integer value corresponding to the number of currently established
12103 connections on the same socket including the one being evaluated. It is
12104 normally used with ACLs but can as well be used to pass the information to
12105 servers in an HTTP header or in logs. It can be used to either return a sorry
12106 page before hard-blocking, or to use a specific backend to drain new requests
12107 when the socket is considered saturated. This offers the ability to assign
12108 different limits to different listening ports or addresses. See also the
12109 "fe_conn" and "be_conn" fetches.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012110
Willy Tarreau74ca5042013-06-11 23:12:07 +020012111dst_port : integer
12112 Returns an integer value corresponding to the destination TCP port of the
12113 connection on the client side, which is the port the client connected to.
12114 This might be used when running in transparent mode, when assigning dynamic
12115 ports to some clients for a whole application session, to stick all users to
12116 a same server, or to pass the destination port information to a server using
12117 an HTTP header.
12118
12119fe_id : integer
12120 Returns an integer containing the current frontend's id. It can be used in
12121 backends to check from which backend it was called, or to stick all users
12122 coming via a same frontend to the same server.
12123
Cyril Bonté62ba8702014-04-22 23:52:25 +020012124sc_bytes_in_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012125sc0_bytes_in_rate([<table>]) : integer
12126sc1_bytes_in_rate([<table>]) : integer
12127sc2_bytes_in_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012128 Returns the average client-to-server bytes rate from the currently tracked
12129 counters, measured in amount of bytes over the period configured in the
12130 table. See also src_bytes_in_rate.
12131
Cyril Bonté62ba8702014-04-22 23:52:25 +020012132sc_bytes_out_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012133sc0_bytes_out_rate([<table>]) : integer
12134sc1_bytes_out_rate([<table>]) : integer
12135sc2_bytes_out_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012136 Returns the average server-to-client bytes rate from the currently tracked
12137 counters, measured in amount of bytes over the period configured in the
12138 table. See also src_bytes_out_rate.
12139
Cyril Bonté62ba8702014-04-22 23:52:25 +020012140sc_clr_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012141sc0_clr_gpc0([<table>]) : integer
12142sc1_clr_gpc0([<table>]) : integer
12143sc2_clr_gpc0([<table>]) : integer
Willy Tarreauf73cd112011-08-13 01:45:16 +020012144 Clears the first General Purpose Counter associated to the currently tracked
12145 counters, and returns its previous value. Before the first invocation, the
Willy Tarreau869948b2013-01-04 14:14:57 +010012146 stored value is zero, so first invocation will always return zero. This is
12147 typically used as a second ACL in an expression in order to mark a connection
12148 when a first ACL was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020012149
12150 # block if 5 consecutive requests continue to come faster than 10 sess
12151 # per second, and reset the counter as soon as the traffic slows down.
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012152 acl abuse sc0_http_req_rate gt 10
12153 acl kill sc0_inc_gpc0 gt 5
12154 acl save sc0_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020012155 tcp-request connection accept if !abuse save
12156 tcp-request connection reject if abuse kill
12157
Cyril Bonté62ba8702014-04-22 23:52:25 +020012158sc_conn_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012159sc0_conn_cnt([<table>]) : integer
12160sc1_conn_cnt([<table>]) : integer
12161sc2_conn_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012162 Returns the cumulated number of incoming connections from currently tracked
12163 counters. See also src_conn_cnt.
12164
Cyril Bonté62ba8702014-04-22 23:52:25 +020012165sc_conn_cur(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012166sc0_conn_cur([<table>]) : integer
12167sc1_conn_cur([<table>]) : integer
12168sc2_conn_cur([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012169 Returns the current amount of concurrent connections tracking the same
12170 tracked counters. This number is automatically incremented when tracking
12171 begins and decremented when tracking stops. See also src_conn_cur.
12172
Cyril Bonté62ba8702014-04-22 23:52:25 +020012173sc_conn_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012174sc0_conn_rate([<table>]) : integer
12175sc1_conn_rate([<table>]) : integer
12176sc2_conn_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012177 Returns the average connection rate from the currently tracked counters,
12178 measured in amount of connections over the period configured in the table.
12179 See also src_conn_rate.
12180
Cyril Bonté62ba8702014-04-22 23:52:25 +020012181sc_get_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012182sc0_get_gpc0([<table>]) : integer
12183sc1_get_gpc0([<table>]) : integer
12184sc2_get_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012185 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012186 currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020012187
Thierry FOURNIER236657b2015-08-19 08:25:14 +020012188sc_get_gpt0(<ctr>[,<table>]) : integer
12189sc0_get_gpt0([<table>]) : integer
12190sc1_get_gpt0([<table>]) : integer
12191sc2_get_gpt0([<table>]) : integer
12192 Returns the value of the first General Purpose Tag associated to the
12193 currently tracked counters. See also src_get_gpt0.
12194
Cyril Bonté62ba8702014-04-22 23:52:25 +020012195sc_gpc0_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012196sc0_gpc0_rate([<table>]) : integer
12197sc1_gpc0_rate([<table>]) : integer
12198sc2_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020012199 Returns the average increment rate of the first General Purpose Counter
12200 associated to the currently tracked counters. It reports the frequency
12201 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012202 src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
12203 that the "gpc0_rate" counter must be stored in the stick-table for a value to
12204 be returned, as "gpc0" only holds the event count.
Willy Tarreaue9656522010-08-17 15:40:09 +020012205
Cyril Bonté62ba8702014-04-22 23:52:25 +020012206sc_http_err_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012207sc0_http_err_cnt([<table>]) : integer
12208sc1_http_err_cnt([<table>]) : integer
12209sc2_http_err_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012210 Returns the cumulated number of HTTP errors from the currently tracked
12211 counters. This includes the both request errors and 4xx error responses.
12212 See also src_http_err_cnt.
12213
Cyril Bonté62ba8702014-04-22 23:52:25 +020012214sc_http_err_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012215sc0_http_err_rate([<table>]) : integer
12216sc1_http_err_rate([<table>]) : integer
12217sc2_http_err_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012218 Returns the average rate of HTTP errors from the currently tracked counters,
12219 measured in amount of errors over the period configured in the table. This
12220 includes the both request errors and 4xx error responses. See also
12221 src_http_err_rate.
12222
Cyril Bonté62ba8702014-04-22 23:52:25 +020012223sc_http_req_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012224sc0_http_req_cnt([<table>]) : integer
12225sc1_http_req_cnt([<table>]) : integer
12226sc2_http_req_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012227 Returns the cumulated number of HTTP requests from the currently tracked
12228 counters. This includes every started request, valid or not. See also
12229 src_http_req_cnt.
12230
Cyril Bonté62ba8702014-04-22 23:52:25 +020012231sc_http_req_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012232sc0_http_req_rate([<table>]) : integer
12233sc1_http_req_rate([<table>]) : integer
12234sc2_http_req_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012235 Returns the average rate of HTTP requests from the currently tracked
12236 counters, measured in amount of requests over the period configured in
12237 the table. This includes every started request, valid or not. See also
12238 src_http_req_rate.
12239
Cyril Bonté62ba8702014-04-22 23:52:25 +020012240sc_inc_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012241sc0_inc_gpc0([<table>]) : integer
12242sc1_inc_gpc0([<table>]) : integer
12243sc2_inc_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012244 Increments the first General Purpose Counter associated to the currently
Willy Tarreau869948b2013-01-04 14:14:57 +010012245 tracked counters, and returns its new value. Before the first invocation,
12246 the stored value is zero, so first invocation will increase it to 1 and will
12247 return 1. This is typically used as a second ACL in an expression in order
12248 to mark a connection when a first ACL was verified :
Willy Tarreaue9656522010-08-17 15:40:09 +020012249
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012250 acl abuse sc0_http_req_rate gt 10
12251 acl kill sc0_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020012252 tcp-request connection reject if abuse kill
12253
Cyril Bonté62ba8702014-04-22 23:52:25 +020012254sc_kbytes_in(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012255sc0_kbytes_in([<table>]) : integer
12256sc1_kbytes_in([<table>]) : integer
12257sc2_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020012258 Returns the total amount of client-to-server data from the currently tracked
12259 counters, measured in kilobytes. The test is currently performed on 32-bit
12260 integers, which limits values to 4 terabytes. See also src_kbytes_in.
Willy Tarreaue9656522010-08-17 15:40:09 +020012261
Cyril Bonté62ba8702014-04-22 23:52:25 +020012262sc_kbytes_out(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012263sc0_kbytes_out([<table>]) : integer
12264sc1_kbytes_out([<table>]) : integer
12265sc2_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020012266 Returns the total amount of server-to-client data from the currently tracked
12267 counters, measured in kilobytes. The test is currently performed on 32-bit
12268 integers, which limits values to 4 terabytes. See also src_kbytes_out.
Willy Tarreaue9656522010-08-17 15:40:09 +020012269
Cyril Bonté62ba8702014-04-22 23:52:25 +020012270sc_sess_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012271sc0_sess_cnt([<table>]) : integer
12272sc1_sess_cnt([<table>]) : integer
12273sc2_sess_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012274 Returns the cumulated number of incoming connections that were transformed
12275 into sessions, which means that they were accepted by a "tcp-request
12276 connection" rule, from the currently tracked counters. A backend may count
12277 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012278 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +020012279 with the client. See also src_sess_cnt.
12280
Cyril Bonté62ba8702014-04-22 23:52:25 +020012281sc_sess_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012282sc0_sess_rate([<table>]) : integer
12283sc1_sess_rate([<table>]) : integer
12284sc2_sess_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020012285 Returns the average session rate from the currently tracked counters,
12286 measured in amount of sessions over the period configured in the table. A
12287 session is a connection that got past the early "tcp-request connection"
12288 rules. A backend may count more sessions than connections because each
12289 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012290 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +020012291
Cyril Bonté62ba8702014-04-22 23:52:25 +020012292sc_tracked(<ctr>[,<table>]) : boolean
Willy Tarreau0f791d42013-07-23 19:56:43 +020012293sc0_tracked([<table>]) : boolean
12294sc1_tracked([<table>]) : boolean
12295sc2_tracked([<table>]) : boolean
Willy Tarreau6f1615f2013-06-03 15:15:22 +020012296 Returns true if the designated session counter is currently being tracked by
12297 the current session. This can be useful when deciding whether or not we want
12298 to set some values in a header passed to the server.
12299
Cyril Bonté62ba8702014-04-22 23:52:25 +020012300sc_trackers(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020012301sc0_trackers([<table>]) : integer
12302sc1_trackers([<table>]) : integer
12303sc2_trackers([<table>]) : integer
Willy Tarreau2406db42012-12-09 12:16:43 +010012304 Returns the current amount of concurrent connections tracking the same
12305 tracked counters. This number is automatically incremented when tracking
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012306 begins and decremented when tracking stops. It differs from sc0_conn_cur in
Willy Tarreau2406db42012-12-09 12:16:43 +010012307 that it does not rely on any stored information but on the table's reference
12308 count (the "use" value which is returned by "show table" on the CLI). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020012309 may sometimes be more suited for layer7 tracking. It can be used to tell a
12310 server how many concurrent connections there are from a given address for
12311 example.
Willy Tarreau2406db42012-12-09 12:16:43 +010012312
Willy Tarreau74ca5042013-06-11 23:12:07 +020012313so_id : integer
12314 Returns an integer containing the current listening socket's id. It is useful
12315 in frontends involving many "bind" lines, or to stick all users coming via a
12316 same socket to the same server.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012317
Willy Tarreau74ca5042013-06-11 23:12:07 +020012318src : ip
12319 This is the source IPv4 address of the client of the session. It is of type
12320 IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
12321 mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
12322 TCP-level source address which is used, and not the address of a client
12323 behind a proxy. However if the "accept-proxy" bind directive is used, it can
12324 be the address of a client behind another PROXY-protocol compatible component
12325 for all rule sets except "tcp-request connection" which sees the real address.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012326
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010012327 Example:
12328 # add an HTTP header in requests with the originating address' country
12329 http-request set-header X-Country %[src,map_ip(geoip.lst)]
12330
Willy Tarreau74ca5042013-06-11 23:12:07 +020012331src_bytes_in_rate([<table>]) : integer
12332 Returns the average bytes rate from the incoming connection's source address
12333 in the current proxy's stick-table or in the designated stick-table, measured
12334 in amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012335 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012336
Willy Tarreau74ca5042013-06-11 23:12:07 +020012337src_bytes_out_rate([<table>]) : integer
12338 Returns the average bytes rate to the incoming connection's source address in
12339 the current proxy's stick-table or in the designated stick-table, measured in
Willy Tarreauc9705a12010-07-27 20:05:50 +020012340 amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012341 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012342
Willy Tarreau74ca5042013-06-11 23:12:07 +020012343src_clr_gpc0([<table>]) : integer
12344 Clears the first General Purpose Counter associated to the incoming
12345 connection's source address in the current proxy's stick-table or in the
12346 designated stick-table, and returns its previous value. If the address is not
12347 found, an entry is created and 0 is returned. This is typically used as a
12348 second ACL in an expression in order to mark a connection when a first ACL
12349 was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020012350
12351 # block if 5 consecutive requests continue to come faster than 10 sess
12352 # per second, and reset the counter as soon as the traffic slows down.
12353 acl abuse src_http_req_rate gt 10
12354 acl kill src_inc_gpc0 gt 5
Willy Tarreau869948b2013-01-04 14:14:57 +010012355 acl save src_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020012356 tcp-request connection accept if !abuse save
12357 tcp-request connection reject if abuse kill
12358
Willy Tarreau74ca5042013-06-11 23:12:07 +020012359src_conn_cnt([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020012360 Returns the cumulated number of connections initiated from the current
Willy Tarreau74ca5042013-06-11 23:12:07 +020012361 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020012362 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012363 See also sc/sc0/sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012364
Willy Tarreau74ca5042013-06-11 23:12:07 +020012365src_conn_cur([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020012366 Returns the current amount of concurrent connections initiated from the
Willy Tarreau74ca5042013-06-11 23:12:07 +020012367 current incoming connection's source address in the current proxy's
12368 stick-table or in the designated stick-table. If the address is not found,
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012369 zero is returned. See also sc/sc0/sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012370
Willy Tarreau74ca5042013-06-11 23:12:07 +020012371src_conn_rate([<table>]) : integer
12372 Returns the average connection rate from the incoming connection's source
12373 address in the current proxy's stick-table or in the designated stick-table,
12374 measured in amount of connections over the period configured in the table. If
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012375 the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012376
Willy Tarreau74ca5042013-06-11 23:12:07 +020012377src_get_gpc0([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020012378 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau74ca5042013-06-11 23:12:07 +020012379 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020012380 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012381 See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012382
Thierry FOURNIER236657b2015-08-19 08:25:14 +020012383src_get_gpt0([<table>]) : integer
12384 Returns the value of the first General Purpose Tag associated to the
12385 incoming connection's source address in the current proxy's stick-table or in
12386 the designated stick-table. If the address is not found, zero is returned.
12387 See also sc/sc0/sc1/sc2_get_gpt0.
12388
Willy Tarreau74ca5042013-06-11 23:12:07 +020012389src_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020012390 Returns the average increment rate of the first General Purpose Counter
Willy Tarreau74ca5042013-06-11 23:12:07 +020012391 associated to the incoming connection's source address in the current proxy's
Willy Tarreauba2ffd12013-05-29 15:54:14 +020012392 stick-table or in the designated stick-table. It reports the frequency
12393 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012394 sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
12395 that the "gpc0_rate" counter must be stored in the stick-table for a value to
12396 be returned, as "gpc0" only holds the event count.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020012397
Willy Tarreau74ca5042013-06-11 23:12:07 +020012398src_http_err_cnt([<table>]) : integer
12399 Returns the cumulated number of HTTP errors from the incoming connection's
12400 source address in the current proxy's stick-table or in the designated
Willy Tarreauc9705a12010-07-27 20:05:50 +020012401 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012402 See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is
Willy Tarreau74ca5042013-06-11 23:12:07 +020012403 returned.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012404
Willy Tarreau74ca5042013-06-11 23:12:07 +020012405src_http_err_rate([<table>]) : integer
12406 Returns the average rate of HTTP errors from the incoming connection's source
12407 address in the current proxy's stick-table or in the designated stick-table,
12408 measured in amount of errors over the period configured in the table. This
12409 includes the both request errors and 4xx error responses. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012410 not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012411
Willy Tarreau74ca5042013-06-11 23:12:07 +020012412src_http_req_cnt([<table>]) : integer
12413 Returns the cumulated number of HTTP requests from the incoming connection's
12414 source address in the current proxy's stick-table or in the designated stick-
12415 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012416 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012417
Willy Tarreau74ca5042013-06-11 23:12:07 +020012418src_http_req_rate([<table>]) : integer
12419 Returns the average rate of HTTP requests from the incoming connection's
12420 source address in the current proxy's stick-table or in the designated stick-
12421 table, measured in amount of requests over the period configured in the
Willy Tarreauc9705a12010-07-27 20:05:50 +020012422 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012423 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012424
Willy Tarreau74ca5042013-06-11 23:12:07 +020012425src_inc_gpc0([<table>]) : integer
12426 Increments the first General Purpose Counter associated to the incoming
12427 connection's source address in the current proxy's stick-table or in the
12428 designated stick-table, and returns its new value. If the address is not
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012429 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0.
Willy Tarreau74ca5042013-06-11 23:12:07 +020012430 This is typically used as a second ACL in an expression in order to mark a
12431 connection when a first ACL was verified :
Willy Tarreauc9705a12010-07-27 20:05:50 +020012432
12433 acl abuse src_http_req_rate gt 10
Willy Tarreau869948b2013-01-04 14:14:57 +010012434 acl kill src_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020012435 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +020012436
Willy Tarreau74ca5042013-06-11 23:12:07 +020012437src_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020012438 Returns the total amount of data received from the incoming connection's
12439 source address in the current proxy's stick-table or in the designated
12440 stick-table, measured in kilobytes. If the address is not found, zero is
12441 returned. The test is currently performed on 32-bit integers, which limits
12442 values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012443
Willy Tarreau74ca5042013-06-11 23:12:07 +020012444src_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020012445 Returns the total amount of data sent to the incoming connection's source
12446 address in the current proxy's stick-table or in the designated stick-table,
12447 measured in kilobytes. If the address is not found, zero is returned. The
12448 test is currently performed on 32-bit integers, which limits values to 4
12449 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020012450
Willy Tarreau74ca5042013-06-11 23:12:07 +020012451src_port : integer
12452 Returns an integer value corresponding to the TCP source port of the
12453 connection on the client side, which is the port the client connected from.
12454 Usage of this function is very limited as modern protocols do not care much
12455 about source ports nowadays.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010012456
Willy Tarreau74ca5042013-06-11 23:12:07 +020012457src_sess_cnt([<table>]) : integer
12458 Returns the cumulated number of connections initiated from the incoming
Willy Tarreauc9705a12010-07-27 20:05:50 +020012459 connection's source IPv4 address in the current proxy's stick-table or in the
12460 designated stick-table, that were transformed into sessions, which means that
12461 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012462 is returned. See also sc/sc0/sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012463
Willy Tarreau74ca5042013-06-11 23:12:07 +020012464src_sess_rate([<table>]) : integer
12465 Returns the average session rate from the incoming connection's source
12466 address in the current proxy's stick-table or in the designated stick-table,
12467 measured in amount of sessions over the period configured in the table. A
12468 session is a connection that went past the early "tcp-request" rules. If the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020012469 address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020012470
Willy Tarreau74ca5042013-06-11 23:12:07 +020012471src_updt_conn_cnt([<table>]) : integer
12472 Creates or updates the entry associated to the incoming connection's source
12473 address in the current proxy's stick-table or in the designated stick-table.
12474 This table must be configured to store the "conn_cnt" data type, otherwise
12475 the match will be ignored. The current count is incremented by one, and the
12476 expiration timer refreshed. The updated count is returned, so this match
12477 can't return zero. This was used to reject service abusers based on their
12478 source address. Note: it is recommended to use the more complete "track-sc*"
12479 actions in "tcp-request" rules instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020012480
12481 Example :
12482 # This frontend limits incoming SSH connections to 3 per 10 second for
12483 # each source address, and rejects excess connections until a 10 second
12484 # silence is observed. At most 20 addresses are tracked.
12485 listen ssh
12486 bind :22
12487 mode tcp
12488 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +020012489 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreau74ca5042013-06-11 23:12:07 +020012490 tcp-request content reject if { src_updt_conn_cnt gt 3 }
Willy Tarreaua975b8f2010-06-05 19:13:27 +020012491 server local 127.0.0.1:22
12492
Willy Tarreau74ca5042013-06-11 23:12:07 +020012493srv_id : integer
12494 Returns an integer containing the server's id when processing the response.
12495 While it's almost only used with ACLs, it may be used for logging or
12496 debugging.
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +020012497
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +010012498
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200124997.3.4. Fetching samples at Layer 5
Willy Tarreau74ca5042013-06-11 23:12:07 +020012500----------------------------------
Willy Tarreau0b1cd942010-05-16 22:18:27 +020012501
Willy Tarreau74ca5042013-06-11 23:12:07 +020012502The layer 5 usually describes just the session layer which in haproxy is
12503closest to the session once all the connection handshakes are finished, but
12504when no content is yet made available. The fetch methods described here are
12505usable as low as the "tcp-request content" rule sets unless they require some
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012506future information. Those generally include the results of SSL negotiations.
Willy Tarreauc735a072011-03-29 00:57:02 +020012507
Emeric Brun645ae792014-04-30 14:21:06 +020012508ssl_bc : boolean
12509 Returns true when the back connection was made via an SSL/TLS transport
12510 layer and is locally deciphered. This means the outgoing connection was made
12511 other a server with the "ssl" option.
12512
12513ssl_bc_alg_keysize : integer
12514 Returns the symmetric cipher key size supported in bits when the outgoing
12515 connection was made over an SSL/TLS transport layer.
12516
12517ssl_bc_cipher : string
12518 Returns the name of the used cipher when the outgoing connection was made
12519 over an SSL/TLS transport layer.
12520
12521ssl_bc_protocol : string
12522 Returns the name of the used protocol when the outgoing connection was made
12523 over an SSL/TLS transport layer.
12524
Emeric Brunb73a9b02014-04-30 18:49:19 +020012525ssl_bc_unique_id : binary
Emeric Brun645ae792014-04-30 14:21:06 +020012526 When the outgoing connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020012527 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
12528 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
Emeric Brun645ae792014-04-30 14:21:06 +020012529
12530ssl_bc_session_id : binary
12531 Returns the SSL ID of the back connection when the outgoing connection was
12532 made over an SSL/TLS transport layer. It is useful to log if we want to know
12533 if session was reused or not.
12534
12535ssl_bc_use_keysize : integer
12536 Returns the symmetric cipher key size used in bits when the outgoing
12537 connection was made over an SSL/TLS transport layer.
12538
Willy Tarreau74ca5042013-06-11 23:12:07 +020012539ssl_c_ca_err : integer
12540 When the incoming connection was made over an SSL/TLS transport layer,
12541 returns the ID of the first error detected during verification of the client
12542 certificate at depth > 0, or 0 if no error was encountered during this
12543 verification process. Please refer to your SSL library's documentation to
12544 find the exhaustive list of error codes.
Willy Tarreauc735a072011-03-29 00:57:02 +020012545
Willy Tarreau74ca5042013-06-11 23:12:07 +020012546ssl_c_ca_err_depth : integer
12547 When the incoming connection was made over an SSL/TLS transport layer,
12548 returns the depth in the CA chain of the first error detected during the
12549 verification of the client certificate. If no error is encountered, 0 is
12550 returned.
Willy Tarreau0ba27502007-12-24 16:55:16 +010012551
Emeric Brun43e79582014-10-29 19:03:26 +010012552ssl_c_der : binary
12553 Returns the DER formatted certificate presented by the client when the
12554 incoming connection was made over an SSL/TLS transport layer. When used for
12555 an ACL, the value(s) to match against can be passed in hexadecimal form.
12556
Willy Tarreau74ca5042013-06-11 23:12:07 +020012557ssl_c_err : integer
12558 When the incoming connection was made over an SSL/TLS transport layer,
12559 returns the ID of the first error detected during verification at depth 0, or
12560 0 if no error was encountered during this verification process. Please refer
12561 to your SSL library's documentation to find the exhaustive list of error
12562 codes.
Willy Tarreau62644772008-07-16 18:36:06 +020012563
Willy Tarreau74ca5042013-06-11 23:12:07 +020012564ssl_c_i_dn([<entry>[,<occ>]]) : string
12565 When the incoming connection was made over an SSL/TLS transport layer,
12566 returns the full distinguished name of the issuer of the certificate
12567 presented by the client when no <entry> is specified, or the value of the
12568 first given entry found from the beginning of the DN. If a positive/negative
12569 occurrence number is specified as the optional second argument, it returns
12570 the value of the nth given entry value from the beginning/end of the DN.
12571 For instance, "ssl_c_i_dn(OU,2)" the second organization unit, and
12572 "ssl_c_i_dn(CN)" retrieves the common name.
Willy Tarreau62644772008-07-16 18:36:06 +020012573
Willy Tarreau74ca5042013-06-11 23:12:07 +020012574ssl_c_key_alg : string
12575 Returns the name of the algorithm used to generate the key of the certificate
12576 presented by the client when the incoming connection was made over an SSL/TLS
12577 transport layer.
Willy Tarreau62644772008-07-16 18:36:06 +020012578
Willy Tarreau74ca5042013-06-11 23:12:07 +020012579ssl_c_notafter : string
12580 Returns the end date presented by the client as a formatted string
12581 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
12582 transport layer.
Emeric Brunbede3d02009-06-30 17:54:00 +020012583
Willy Tarreau74ca5042013-06-11 23:12:07 +020012584ssl_c_notbefore : string
12585 Returns the start date presented by the client as a formatted string
12586 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
12587 transport layer.
Willy Tarreaub6672b52011-12-12 17:23:41 +010012588
Willy Tarreau74ca5042013-06-11 23:12:07 +020012589ssl_c_s_dn([<entry>[,<occ>]]) : string
12590 When the incoming connection was made over an SSL/TLS transport layer,
12591 returns the full distinguished name of the subject of the certificate
12592 presented by the client when no <entry> is specified, or the value of the
12593 first given entry found from the beginning of the DN. If a positive/negative
12594 occurrence number is specified as the optional second argument, it returns
12595 the value of the nth given entry value from the beginning/end of the DN.
12596 For instance, "ssl_c_s_dn(OU,2)" the second organization unit, and
12597 "ssl_c_s_dn(CN)" retrieves the common name.
Willy Tarreaub6672b52011-12-12 17:23:41 +010012598
Willy Tarreau74ca5042013-06-11 23:12:07 +020012599ssl_c_serial : binary
12600 Returns the serial of the certificate presented by the client when the
12601 incoming connection was made over an SSL/TLS transport layer. When used for
12602 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun2525b6b2012-10-18 15:59:43 +020012603
Willy Tarreau74ca5042013-06-11 23:12:07 +020012604ssl_c_sha1 : binary
12605 Returns the SHA-1 fingerprint of the certificate presented by the client when
12606 the incoming connection was made over an SSL/TLS transport layer. This can be
12607 used to stick a client to a server, or to pass this information to a server.
Willy Tarreau2d0caa32014-07-02 19:01:22 +020012608 Note that the output is binary, so if you want to pass that signature to the
12609 server, you need to encode it in hex or base64, such as in the example below:
12610
12611 http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
Emeric Brun2525b6b2012-10-18 15:59:43 +020012612
Willy Tarreau74ca5042013-06-11 23:12:07 +020012613ssl_c_sig_alg : string
12614 Returns the name of the algorithm used to sign the certificate presented by
12615 the client when the incoming connection was made over an SSL/TLS transport
12616 layer.
Emeric Brun87855892012-10-17 17:39:35 +020012617
Willy Tarreau74ca5042013-06-11 23:12:07 +020012618ssl_c_used : boolean
12619 Returns true if current SSL session uses a client certificate even if current
12620 connection uses SSL session resumption. See also "ssl_fc_has_crt".
Emeric Brun7f56e742012-10-19 18:15:40 +020012621
Willy Tarreau74ca5042013-06-11 23:12:07 +020012622ssl_c_verify : integer
12623 Returns the verify result error ID when the incoming connection was made over
12624 an SSL/TLS transport layer, otherwise zero if no error is encountered. Please
12625 refer to your SSL library's documentation for an exhaustive list of error
12626 codes.
Emeric Brunce5ad802012-10-22 14:11:22 +020012627
Willy Tarreau74ca5042013-06-11 23:12:07 +020012628ssl_c_version : integer
12629 Returns the version of the certificate presented by the client when the
12630 incoming connection was made over an SSL/TLS transport layer.
Emeric Brunce5ad802012-10-22 14:11:22 +020012631
Emeric Brun43e79582014-10-29 19:03:26 +010012632ssl_f_der : binary
12633 Returns the DER formatted certificate presented by the frontend when the
12634 incoming connection was made over an SSL/TLS transport layer. When used for
12635 an ACL, the value(s) to match against can be passed in hexadecimal form.
12636
Willy Tarreau74ca5042013-06-11 23:12:07 +020012637ssl_f_i_dn([<entry>[,<occ>]]) : string
12638 When the incoming connection was made over an SSL/TLS transport layer,
12639 returns the full distinguished name of the issuer of the certificate
12640 presented by the frontend when no <entry> is specified, or the value of the
12641 first given entry found from the beginning of the DN. If a positive/negative
Emeric Brun87855892012-10-17 17:39:35 +020012642 occurrence number is specified as the optional second argument, it returns
Willy Tarreau74ca5042013-06-11 23:12:07 +020012643 the value of the nth given entry value from the beginning/end of the DN.
12644 For instance, "ssl_f_i_dn(OU,2)" the second organization unit, and
12645 "ssl_f_i_dn(CN)" retrieves the common name.
Emeric Brun87855892012-10-17 17:39:35 +020012646
Willy Tarreau74ca5042013-06-11 23:12:07 +020012647ssl_f_key_alg : string
12648 Returns the name of the algorithm used to generate the key of the certificate
12649 presented by the frontend when the incoming connection was made over an
12650 SSL/TLS transport layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020012651
Willy Tarreau74ca5042013-06-11 23:12:07 +020012652ssl_f_notafter : string
12653 Returns the end date presented by the frontend as a formatted string
12654 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
12655 transport layer.
Emeric Brun2525b6b2012-10-18 15:59:43 +020012656
Willy Tarreau74ca5042013-06-11 23:12:07 +020012657ssl_f_notbefore : string
12658 Returns the start date presented by the frontend as a formatted string
12659 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
12660 transport layer.
Emeric Brun87855892012-10-17 17:39:35 +020012661
Willy Tarreau74ca5042013-06-11 23:12:07 +020012662ssl_f_s_dn([<entry>[,<occ>]]) : string
12663 When the incoming connection was made over an SSL/TLS transport layer,
12664 returns the full distinguished name of the subject of the certificate
12665 presented by the frontend when no <entry> is specified, or the value of the
12666 first given entry found from the beginning of the DN. If a positive/negative
12667 occurrence number is specified as the optional second argument, it returns
12668 the value of the nth given entry value from the beginning/end of the DN.
12669 For instance, "ssl_f_s_dn(OU,2)" the second organization unit, and
12670 "ssl_f_s_dn(CN)" retrieves the common name.
Emeric Brunce5ad802012-10-22 14:11:22 +020012671
Willy Tarreau74ca5042013-06-11 23:12:07 +020012672ssl_f_serial : binary
12673 Returns the serial of the certificate presented by the frontend when the
12674 incoming connection was made over an SSL/TLS transport layer. When used for
12675 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun87855892012-10-17 17:39:35 +020012676
Emeric Brun55f4fa82014-04-30 17:11:25 +020012677ssl_f_sha1 : binary
12678 Returns the SHA-1 fingerprint of the certificate presented by the frontend
12679 when the incoming connection was made over an SSL/TLS transport layer. This
12680 can be used to know which certificate was chosen using SNI.
12681
Willy Tarreau74ca5042013-06-11 23:12:07 +020012682ssl_f_sig_alg : string
12683 Returns the name of the algorithm used to sign the certificate presented by
12684 the frontend when the incoming connection was made over an SSL/TLS transport
12685 layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020012686
Willy Tarreau74ca5042013-06-11 23:12:07 +020012687ssl_f_version : integer
12688 Returns the version of the certificate presented by the frontend when the
12689 incoming connection was made over an SSL/TLS transport layer.
12690
12691ssl_fc : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020012692 Returns true when the front connection was made via an SSL/TLS transport
12693 layer and is locally deciphered. This means it has matched a socket declared
12694 with a "bind" line having the "ssl" option.
12695
Willy Tarreau74ca5042013-06-11 23:12:07 +020012696 Example :
12697 # This passes "X-Proto: https" to servers when client connects over SSL
12698 listen http-https
12699 bind :80
12700 bind :443 ssl crt /etc/haproxy.pem
12701 http-request add-header X-Proto https if { ssl_fc }
12702
12703ssl_fc_alg_keysize : integer
12704 Returns the symmetric cipher key size supported in bits when the incoming
12705 connection was made over an SSL/TLS transport layer.
12706
12707ssl_fc_alpn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012708 This extracts the Application Layer Protocol Negotiation field from an
Willy Tarreau74ca5042013-06-11 23:12:07 +020012709 incoming connection made via a TLS transport layer and locally deciphered by
12710 haproxy. The result is a string containing the protocol name advertised by
12711 the client. The SSL library must have been built with support for TLS
12712 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
12713 not advertised unless the "alpn" keyword on the "bind" line specifies a
12714 protocol list. Also, nothing forces the client to pick a protocol from this
12715 list, any other one may be requested. The TLS ALPN extension is meant to
12716 replace the TLS NPN extension. See also "ssl_fc_npn".
12717
Willy Tarreau74ca5042013-06-11 23:12:07 +020012718ssl_fc_cipher : string
12719 Returns the name of the used cipher when the incoming connection was made
12720 over an SSL/TLS transport layer.
Willy Tarreauab861d32013-04-02 02:30:41 +020012721
Willy Tarreau74ca5042013-06-11 23:12:07 +020012722ssl_fc_has_crt : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020012723 Returns true if a client certificate is present in an incoming connection over
12724 SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Emeric Brun9143d372012-12-20 15:44:16 +010012725 Note: on SSL session resumption with Session ID or TLS ticket, client
12726 certificate is not present in the current connection but may be retrieved
12727 from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
12728 current SSL session uses a client certificate.
Emeric Brun2525b6b2012-10-18 15:59:43 +020012729
Willy Tarreau74ca5042013-06-11 23:12:07 +020012730ssl_fc_has_sni : boolean
12731 This checks for the presence of a Server Name Indication TLS extension (SNI)
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020012732 in an incoming connection was made over an SSL/TLS transport layer. Returns
12733 true when the incoming connection presents a TLS SNI field. This requires
12734 that the SSL library is build with support for TLS extensions enabled (check
12735 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +020012736
Nenad Merdanovic26ea8222015-05-18 02:28:57 +020012737ssl_fc_is_resumed: boolean
12738 Returns true if the SSL/TLS session has been resumed through the use of
12739 SSL session cache or TLS tickets.
12740
Willy Tarreau74ca5042013-06-11 23:12:07 +020012741ssl_fc_npn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012742 This extracts the Next Protocol Negotiation field from an incoming connection
Willy Tarreau74ca5042013-06-11 23:12:07 +020012743 made via a TLS transport layer and locally deciphered by haproxy. The result
12744 is a string containing the protocol name advertised by the client. The SSL
12745 library must have been built with support for TLS extensions enabled (check
12746 haproxy -vv). Note that the TLS NPN extension is not advertised unless the
12747 "npn" keyword on the "bind" line specifies a protocol list. Also, nothing
12748 forces the client to pick a protocol from this list, any other one may be
12749 requested. Please note that the TLS NPN extension was replaced with ALPN.
Willy Tarreaua33c6542012-10-15 13:19:06 +020012750
Willy Tarreau74ca5042013-06-11 23:12:07 +020012751ssl_fc_protocol : string
12752 Returns the name of the used protocol when the incoming connection was made
12753 over an SSL/TLS transport layer.
Willy Tarreau7875d092012-09-10 08:20:03 +020012754
Emeric Brunb73a9b02014-04-30 18:49:19 +020012755ssl_fc_unique_id : binary
David Sc1ad52e2014-04-08 18:48:47 -040012756 When the incoming connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020012757 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
12758 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
David Sc1ad52e2014-04-08 18:48:47 -040012759
Willy Tarreau74ca5042013-06-11 23:12:07 +020012760ssl_fc_session_id : binary
12761 Returns the SSL ID of the front connection when the incoming connection was
12762 made over an SSL/TLS transport layer. It is useful to stick a given client to
12763 a server. It is important to note that some browsers refresh their session ID
12764 every few minutes.
Willy Tarreau7875d092012-09-10 08:20:03 +020012765
Willy Tarreau74ca5042013-06-11 23:12:07 +020012766ssl_fc_sni : string
12767 This extracts the Server Name Indication TLS extension (SNI) field from an
12768 incoming connection made via an SSL/TLS transport layer and locally
12769 deciphered by haproxy. The result (when present) typically is a string
12770 matching the HTTPS host name (253 chars or less). The SSL library must have
12771 been built with support for TLS extensions enabled (check haproxy -vv).
12772
12773 This fetch is different from "req_ssl_sni" above in that it applies to the
12774 connection being deciphered by haproxy and not to SSL contents being blindly
12775 forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +020012776 requires that the SSL library is build with support for TLS extensions
12777 enabled (check haproxy -vv).
Willy Tarreau62644772008-07-16 18:36:06 +020012778
Willy Tarreau74ca5042013-06-11 23:12:07 +020012779 ACL derivatives :
Willy Tarreau74ca5042013-06-11 23:12:07 +020012780 ssl_fc_sni_end : suffix match
12781 ssl_fc_sni_reg : regex match
Emeric Brun589fcad2012-10-16 14:13:26 +020012782
Willy Tarreau74ca5042013-06-11 23:12:07 +020012783ssl_fc_use_keysize : integer
12784 Returns the symmetric cipher key size used in bits when the incoming
12785 connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020012786
Willy Tarreaub6fb4202008-07-20 11:18:28 +020012787
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200127887.3.5. Fetching samples from buffer contents (Layer 6)
Willy Tarreau74ca5042013-06-11 23:12:07 +020012789------------------------------------------------------
Willy Tarreaub6fb4202008-07-20 11:18:28 +020012790
Willy Tarreau74ca5042013-06-11 23:12:07 +020012791Fetching samples from buffer contents is a bit different from the previous
12792sample fetches above because the sampled data are ephemeral. These data can
12793only be used when they're available and will be lost when they're forwarded.
12794For this reason, samples fetched from buffer contents during a request cannot
12795be used in a response for example. Even while the data are being fetched, they
12796can change. Sometimes it is necessary to set some delays or combine multiple
12797sample fetch methods to ensure that the expected data are complete and usable,
12798for example through TCP request content inspection. Please see the "tcp-request
12799content" keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +020012800
Willy Tarreau74ca5042013-06-11 23:12:07 +020012801payload(<offset>,<length>) : binary (deprecated)
12802 This is an alias for "req.payload" when used in the context of a request (eg:
12803 "stick on", "stick match"), and for "res.payload" when used in the context of
12804 a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010012805
Willy Tarreau74ca5042013-06-11 23:12:07 +020012806payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated)
12807 This is an alias for "req.payload_lv" when used in the context of a request
12808 (eg: "stick on", "stick match"), and for "res.payload_lv" when used in the
12809 context of a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010012810
Willy Tarreau74ca5042013-06-11 23:12:07 +020012811req.len : integer
12812req_len : integer (deprecated)
12813 Returns an integer value corresponding to the number of bytes present in the
12814 request buffer. This is mostly used in ACL. It is important to understand
12815 that this test does not return false as long as the buffer is changing. This
12816 means that a check with equality to zero will almost always immediately match
12817 at the beginning of the session, while a test for more data will wait for
12818 that data to come in and return false only when haproxy is certain that no
12819 more data will come in. This test was designed to be used with TCP request
12820 content inspection.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012821
Willy Tarreau74ca5042013-06-11 23:12:07 +020012822req.payload(<offset>,<length>) : binary
12823 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020012824 in the request buffer. As a special case, if the <length> argument is zero,
12825 the the whole buffer from <offset> to the end is extracted. This can be used
12826 with ACLs in order to check for the presence of some content in a buffer at
12827 any location.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012828
Willy Tarreau74ca5042013-06-11 23:12:07 +020012829 ACL alternatives :
12830 payload(<offset>,<length>) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012831
Willy Tarreau74ca5042013-06-11 23:12:07 +020012832req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
12833 This extracts a binary block whose size is specified at <offset1> for <length>
12834 bytes, and which starts at <offset2> if specified or just after the length in
12835 the request buffer. The <offset2> parameter also supports relative offsets if
12836 prepended with a '+' or '-' sign.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012837
Willy Tarreau74ca5042013-06-11 23:12:07 +020012838 ACL alternatives :
12839 payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012840
Willy Tarreau74ca5042013-06-11 23:12:07 +020012841 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012842
Willy Tarreau74ca5042013-06-11 23:12:07 +020012843req.proto_http : boolean
12844req_proto_http : boolean (deprecated)
12845 Returns true when data in the request buffer look like HTTP and correctly
12846 parses as such. It is the same parser as the common HTTP request parser which
12847 is used so there should be no surprises. The test does not match until the
12848 request is complete, failed or timed out. This test may be used to report the
12849 protocol in TCP logs, but the biggest use is to block TCP request analysis
12850 until a complete HTTP request is present in the buffer, for example to track
12851 a header.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012852
Willy Tarreau74ca5042013-06-11 23:12:07 +020012853 Example:
12854 # track request counts per "base" (concatenation of Host+URL)
12855 tcp-request inspect-delay 10s
12856 tcp-request content reject if !HTTP
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012857 tcp-request content track-sc0 base table req-rate
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020012858
Willy Tarreau74ca5042013-06-11 23:12:07 +020012859req.rdp_cookie([<name>]) : string
12860rdp_cookie([<name>]) : string (deprecated)
12861 When the request buffer looks like the RDP protocol, extracts the RDP cookie
12862 <name>, or any cookie if unspecified. The parser only checks for the first
12863 cookie, as illustrated in the RDP protocol specification. The cookie name is
12864 case insensitive. Generally the "MSTS" cookie name will be used, as it can
12865 contain the user name of the client connecting to the server if properly
12866 configured on the client. The "MSTSHASH" cookie is often used as well for
12867 session stickiness to servers.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012868
Willy Tarreau74ca5042013-06-11 23:12:07 +020012869 This differs from "balance rdp-cookie" in that any balancing algorithm may be
12870 used and thus the distribution of clients to backend servers is not linked to
12871 a hash of the RDP cookie. It is envisaged that using a balancing algorithm
12872 such as "balance roundrobin" or "balance leastconn" will lead to a more even
12873 distribution of clients to backend servers than the hash used by "balance
12874 rdp-cookie".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012875
Willy Tarreau74ca5042013-06-11 23:12:07 +020012876 ACL derivatives :
12877 req_rdp_cookie([<name>]) : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012878
Willy Tarreau74ca5042013-06-11 23:12:07 +020012879 Example :
12880 listen tse-farm
12881 bind 0.0.0.0:3389
12882 # wait up to 5s for an RDP cookie in the request
12883 tcp-request inspect-delay 5s
12884 tcp-request content accept if RDP_COOKIE
12885 # apply RDP cookie persistence
12886 persist rdp-cookie
12887 # Persist based on the mstshash cookie
12888 # This is only useful makes sense if
12889 # balance rdp-cookie is not used
12890 stick-table type string size 204800
12891 stick on req.rdp_cookie(mstshash)
12892 server srv1 1.1.1.1:3389
12893 server srv1 1.1.1.2:3389
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012894
Willy Tarreau74ca5042013-06-11 23:12:07 +020012895 See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
12896 "req_rdp_cookie" ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012897
Willy Tarreau74ca5042013-06-11 23:12:07 +020012898req.rdp_cookie_cnt([name]) : integer
12899rdp_cookie_cnt([name]) : integer (deprecated)
12900 Tries to parse the request buffer as RDP protocol, then returns an integer
12901 corresponding to the number of RDP cookies found. If an optional cookie name
12902 is passed, only cookies matching this name are considered. This is mostly
12903 used in ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012904
Willy Tarreau74ca5042013-06-11 23:12:07 +020012905 ACL derivatives :
12906 req_rdp_cookie_cnt([<name>]) : integer match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012907
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +020012908req.ssl_ec_ext : boolean
12909 Returns a boolean identifying if client sent the Supported Elliptic Curves
12910 Extension as defined in RFC4492, section 5.1. within the SSL ClientHello
12911 message. This can be used to present ECC compatible clients with EC certificate
12912 and to use RSA for all others, on the same IP address. Note that this only
12913 applies to raw contents found in the request buffer and not to contents
12914 deciphered via an SSL data layer, so this will not work with "bind" lines
12915 having the "ssl" option.
12916
Willy Tarreau74ca5042013-06-11 23:12:07 +020012917req.ssl_hello_type : integer
12918req_ssl_hello_type : integer (deprecated)
12919 Returns an integer value containing the type of the SSL hello message found
12920 in the request buffer if the buffer contains data that parse as a complete
12921 SSL (v3 or superior) client hello message. Note that this only applies to raw
12922 contents found in the request buffer and not to contents deciphered via an
12923 SSL data layer, so this will not work with "bind" lines having the "ssl"
12924 option. This is mostly used in ACL to detect presence of an SSL hello message
12925 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012926
Willy Tarreau74ca5042013-06-11 23:12:07 +020012927req.ssl_sni : string
12928req_ssl_sni : string (deprecated)
12929 Returns a string containing the value of the Server Name TLS extension sent
12930 by a client in a TLS stream passing through the request buffer if the buffer
12931 contains data that parse as a complete SSL (v3 or superior) client hello
12932 message. Note that this only applies to raw contents found in the request
12933 buffer and not to contents deciphered via an SSL data layer, so this will not
12934 work with "bind" lines having the "ssl" option. SNI normally contains the
12935 name of the host the client tries to connect to (for recent browsers). SNI is
12936 useful for allowing or denying access to certain hosts when SSL/TLS is used
12937 by the client. This test was designed to be used with TCP request content
12938 inspection. If content switching is needed, it is recommended to first wait
12939 for a complete client hello (type 1), like in the example below. See also
12940 "ssl_fc_sni".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012941
Willy Tarreau74ca5042013-06-11 23:12:07 +020012942 ACL derivatives :
12943 req_ssl_sni : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012944
Willy Tarreau74ca5042013-06-11 23:12:07 +020012945 Examples :
12946 # Wait for a client hello for at most 5 seconds
12947 tcp-request inspect-delay 5s
12948 tcp-request content accept if { req_ssl_hello_type 1 }
12949 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
12950 default_backend bk_sorry_page
Willy Tarreau04aa6a92012-04-06 18:57:55 +020012951
Willy Tarreau74ca5042013-06-11 23:12:07 +020012952res.ssl_hello_type : integer
12953rep_ssl_hello_type : integer (deprecated)
12954 Returns an integer value containing the type of the SSL hello message found
12955 in the response buffer if the buffer contains data that parses as a complete
12956 SSL (v3 or superior) hello message. Note that this only applies to raw
12957 contents found in the response buffer and not to contents deciphered via an
12958 SSL data layer, so this will not work with "server" lines having the "ssl"
12959 option. This is mostly used in ACL to detect presence of an SSL hello message
12960 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau51539362012-05-08 12:46:28 +020012961
Willy Tarreau74ca5042013-06-11 23:12:07 +020012962req.ssl_ver : integer
12963req_ssl_ver : integer (deprecated)
12964 Returns an integer value containing the version of the SSL/TLS protocol of a
12965 stream present in the request buffer. Both SSLv2 hello messages and SSLv3
12966 messages are supported. TLSv1 is announced as SSL version 3.1. The value is
12967 composed of the major version multiplied by 65536, added to the minor
12968 version. Note that this only applies to raw contents found in the request
12969 buffer and not to contents deciphered via an SSL data layer, so this will not
12970 work with "bind" lines having the "ssl" option. The ACL version of the test
12971 matches against a decimal notation in the form MAJOR.MINOR (eg: 3.1). This
12972 fetch is mostly used in ACL.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012973
Willy Tarreau74ca5042013-06-11 23:12:07 +020012974 ACL derivatives :
12975 req_ssl_ver : decimal match
Willy Tarreaud63335a2010-02-26 12:56:52 +010012976
Willy Tarreau47e8eba2013-09-11 23:28:46 +020012977res.len : integer
12978 Returns an integer value corresponding to the number of bytes present in the
12979 response buffer. This is mostly used in ACL. It is important to understand
12980 that this test does not return false as long as the buffer is changing. This
12981 means that a check with equality to zero will almost always immediately match
12982 at the beginning of the session, while a test for more data will wait for
12983 that data to come in and return false only when haproxy is certain that no
12984 more data will come in. This test was designed to be used with TCP response
12985 content inspection.
12986
Willy Tarreau74ca5042013-06-11 23:12:07 +020012987res.payload(<offset>,<length>) : binary
12988 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020012989 in the response buffer. As a special case, if the <length> argument is zero,
12990 the the whole buffer from <offset> to the end is extracted. This can be used
12991 with ACLs in order to check for the presence of some content in a buffer at
12992 any location.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012993
Willy Tarreau74ca5042013-06-11 23:12:07 +020012994res.payload_lv(<offset1>,<length>[,<offset2>]) : binary
12995 This extracts a binary block whose size is specified at <offset1> for <length>
12996 bytes, and which starts at <offset2> if specified or just after the length in
12997 the response buffer. The <offset2> parameter also supports relative offsets
12998 if prepended with a '+' or '-' sign.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012999
Willy Tarreau74ca5042013-06-11 23:12:07 +020013000 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013001
Willy Tarreau74ca5042013-06-11 23:12:07 +020013002wait_end : boolean
13003 This fetch either returns true when the inspection period is over, or does
13004 not fetch. It is only used in ACLs, in conjunction with content analysis to
13005 avoid returning a wrong verdict early. It may also be used to delay some
13006 actions, such as a delayed reject for some special addresses. Since it either
13007 stops the rules evaluation or immediately returns true, it is recommended to
13008 use this acl as the last one in a rule. Please note that the default ACL
13009 "WAIT_END" is always usable without prior declaration. This test was designed
13010 to be used with TCP request content inspection.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013011
Willy Tarreau74ca5042013-06-11 23:12:07 +020013012 Examples :
13013 # delay every incoming request by 2 seconds
13014 tcp-request inspect-delay 2s
13015 tcp-request content accept if WAIT_END
Willy Tarreaud63335a2010-02-26 12:56:52 +010013016
Willy Tarreau74ca5042013-06-11 23:12:07 +020013017 # don't immediately tell bad guys they are rejected
13018 tcp-request inspect-delay 10s
13019 acl goodguys src 10.0.0.0/24
13020 acl badguys src 10.0.1.0/24
13021 tcp-request content accept if goodguys
13022 tcp-request content reject if badguys WAIT_END
13023 tcp-request content reject
13024
13025
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200130267.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +020013027--------------------------------------
13028
13029It is possible to fetch samples from HTTP contents, requests and responses.
13030This application layer is also called layer 7. It is only possible to fetch the
13031data in this section when a full HTTP request or response has been parsed from
13032its respective request or response buffer. This is always the case with all
13033HTTP specific rules and for sections running with "mode http". When using TCP
13034content inspection, it may be necessary to support an inspection delay in order
13035to let the request or response come in first. These fetches may require a bit
13036more CPU resources than the layer 4 ones, but not much since the request and
13037response are indexed.
13038
13039base : string
13040 This returns the concatenation of the first Host header and the path part of
13041 the request, which starts at the first slash and ends before the question
13042 mark. It can be useful in virtual hosted environments to detect URL abuses as
13043 well as to improve shared caches efficiency. Using this with a limited size
13044 stick table also allows one to collect statistics about most commonly
13045 requested objects by host/path. With ACLs it can allow simple content
13046 switching rules involving the host and the path at the same time, such as
13047 "www.example.com/favicon.ico". See also "path" and "uri".
13048
13049 ACL derivatives :
13050 base : exact string match
13051 base_beg : prefix match
13052 base_dir : subdir match
13053 base_dom : domain match
13054 base_end : suffix match
13055 base_len : length match
13056 base_reg : regex match
13057 base_sub : substring match
13058
13059base32 : integer
13060 This returns a 32-bit hash of the value returned by the "base" fetch method
13061 above. This is useful to track per-URL activity on high traffic sites without
13062 having to store all URLs. Instead a shorter hash is stored, saving a lot of
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020013063 memory. The output type is an unsigned integer. The hash function used is
13064 SDBM with full avalanche on the output. Technically, base32 is exactly equal
13065 to "base,sdbm(1)".
Willy Tarreau74ca5042013-06-11 23:12:07 +020013066
13067base32+src : binary
13068 This returns the concatenation of the base32 fetch above and the src fetch
13069 below. The resulting type is of type binary, with a size of 8 or 20 bytes
13070 depending on the source address family. This can be used to track per-IP,
13071 per-URL counters.
13072
William Lallemand65ad6e12014-01-31 15:08:02 +010013073capture.req.hdr(<idx>) : string
13074 This extracts the content of the header captured by the "capture request
13075 header", idx is the position of the capture keyword in the configuration.
13076 The first entry is an index of 0. See also: "capture request header".
13077
13078capture.req.method : string
13079 This extracts the METHOD of an HTTP request. It can be used in both request
13080 and response. Unlike "method", it can be used in both request and response
13081 because it's allocated.
13082
13083capture.req.uri : string
13084 This extracts the request's URI, which starts at the first slash and ends
13085 before the first space in the request (without the host part). Unlike "path"
13086 and "url", it can be used in both request and response because it's
13087 allocated.
13088
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020013089capture.req.ver : string
13090 This extracts the request's HTTP version and returns either "HTTP/1.0" or
13091 "HTTP/1.1". Unlike "req.ver", it can be used in both request, response, and
13092 logs because it relies on a persistent flag.
13093
William Lallemand65ad6e12014-01-31 15:08:02 +010013094capture.res.hdr(<idx>) : string
13095 This extracts the content of the header captured by the "capture response
13096 header", idx is the position of the capture keyword in the configuration.
13097 The first entry is an index of 0.
13098 See also: "capture response header"
13099
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020013100capture.res.ver : string
13101 This extracts the response's HTTP version and returns either "HTTP/1.0" or
13102 "HTTP/1.1". Unlike "res.ver", it can be used in logs because it relies on a
13103 persistent flag.
13104
Willy Tarreaua5910cc2015-05-02 00:46:08 +020013105req.body : binary
13106 This returns the HTTP request's available body as a block of data. It
13107 requires that the request body has been buffered made available using
13108 "option http-buffer-request". In case of chunked-encoded body, currently only
13109 the first chunk is analyzed.
13110
Thierry FOURNIER9826c772015-05-20 15:50:54 +020013111req.body_param([<name>) : string
13112 This fetch assumes that the body of the POST request is url-encoded. The user
13113 can check if the "content-type" contains the value
13114 "application/x-www-form-urlencoded". This extracts the first occurrence of the
13115 parameter <name> in the body, which ends before '&'. The parameter name is
13116 case-sensitive. If no name is given, any parameter will match, and the first
13117 one will be returned. The result is a string corresponding to the value of the
13118 parameter <name> as presented in the request body (no URL decoding is
13119 performed). Note that the ACL version of this fetch iterates over multiple
13120 parameters and will iteratively report all parameters values if no name is
13121 given.
13122
Willy Tarreaua5910cc2015-05-02 00:46:08 +020013123req.body_len : integer
13124 This returns the length of the HTTP request's available body in bytes. It may
13125 be lower than the advertised length if the body is larger than the buffer. It
13126 requires that the request body has been buffered made available using
13127 "option http-buffer-request".
13128
13129req.body_size : integer
13130 This returns the advertised length of the HTTP request's body in bytes. It
13131 will represent the advertised Content-Length header, or the size of the first
13132 chunk in case of chunked encoding. In order to parse the chunks, it requires
13133 that the request body has been buffered made available using
13134 "option http-buffer-request".
13135
Willy Tarreau74ca5042013-06-11 23:12:07 +020013136req.cook([<name>]) : string
13137cook([<name>]) : string (deprecated)
13138 This extracts the last occurrence of the cookie name <name> on a "Cookie"
13139 header line from the request, and returns its value as string. If no name is
13140 specified, the first cookie value is returned. When used with ACLs, all
13141 matching cookies are evaluated. Spaces around the name and the value are
13142 ignored as requested by the Cookie header specification (RFC6265). The cookie
13143 name is case-sensitive. Empty cookies are valid, so an empty cookie may very
13144 well return an empty value if it is present. Use the "found" match to detect
13145 presence. Use the res.cook() variant for response cookies sent by the server.
13146
13147 ACL derivatives :
13148 cook([<name>]) : exact string match
13149 cook_beg([<name>]) : prefix match
13150 cook_dir([<name>]) : subdir match
13151 cook_dom([<name>]) : domain match
13152 cook_end([<name>]) : suffix match
13153 cook_len([<name>]) : length match
13154 cook_reg([<name>]) : regex match
13155 cook_sub([<name>]) : substring match
Willy Tarreaud63335a2010-02-26 12:56:52 +010013156
Willy Tarreau74ca5042013-06-11 23:12:07 +020013157req.cook_cnt([<name>]) : integer
13158cook_cnt([<name>]) : integer (deprecated)
13159 Returns an integer value representing the number of occurrences of the cookie
13160 <name> in the request, or all cookies if <name> is not specified.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013161
Willy Tarreau74ca5042013-06-11 23:12:07 +020013162req.cook_val([<name>]) : integer
13163cook_val([<name>]) : integer (deprecated)
13164 This extracts the last occurrence of the cookie name <name> on a "Cookie"
13165 header line from the request, and converts its value to an integer which is
13166 returned. If no name is specified, the first cookie value is returned. When
13167 used in ACLs, all matching names are iterated over until a value matches.
Willy Tarreau0e698542011-09-16 08:32:32 +020013168
Willy Tarreau74ca5042013-06-11 23:12:07 +020013169cookie([<name>]) : string (deprecated)
13170 This extracts the last occurrence of the cookie name <name> on a "Cookie"
13171 header line from the request, or a "Set-Cookie" header from the response, and
13172 returns its value as a string. A typical use is to get multiple clients
13173 sharing a same profile use the same server. This can be similar to what
Willy Tarreau294d0f02015-08-10 19:40:12 +020013174 "appsession" did with the "request-learn" statement, but with support for
Willy Tarreau74ca5042013-06-11 23:12:07 +020013175 multi-peer synchronization and state keeping across restarts. If no name is
13176 specified, the first cookie value is returned. This fetch should not be used
13177 anymore and should be replaced by req.cook() or res.cook() instead as it
13178 ambiguously uses the direction based on the context where it is used.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013179
Willy Tarreau74ca5042013-06-11 23:12:07 +020013180hdr([<name>[,<occ>]]) : string
13181 This is equivalent to req.hdr() when used on requests, and to res.hdr() when
13182 used on responses. Please refer to these respective fetches for more details.
13183 In case of doubt about the fetch direction, please use the explicit ones.
13184 Note that contrary to the hdr() sample fetch method, the hdr_* ACL keywords
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013185 unambiguously apply to the request headers.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013186
Willy Tarreau74ca5042013-06-11 23:12:07 +020013187req.fhdr(<name>[,<occ>]) : string
13188 This extracts the last occurrence of header <name> in an HTTP request. When
13189 used from an ACL, all occurrences are iterated over until a match is found.
13190 Optionally, a specific occurrence might be specified as a position number.
13191 Positive values indicate a position from the first occurrence, with 1 being
13192 the first one. Negative values indicate positions relative to the last one,
13193 with -1 being the last one. It differs from req.hdr() in that any commas
13194 present in the value are returned and are not used as delimiters. This is
13195 sometimes useful with headers such as User-Agent.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013196
Willy Tarreau74ca5042013-06-11 23:12:07 +020013197req.fhdr_cnt([<name>]) : integer
13198 Returns an integer value representing the number of occurrences of request
13199 header field name <name>, or the total number of header fields if <name> is
13200 not specified. Contrary to its req.hdr_cnt() cousin, this function returns
13201 the number of full line headers and does not stop on commas.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013202
Willy Tarreau74ca5042013-06-11 23:12:07 +020013203req.hdr([<name>[,<occ>]]) : string
13204 This extracts the last occurrence of header <name> in an HTTP request. When
13205 used from an ACL, all occurrences are iterated over until a match is found.
13206 Optionally, a specific occurrence might be specified as a position number.
13207 Positive values indicate a position from the first occurrence, with 1 being
13208 the first one. Negative values indicate positions relative to the last one,
13209 with -1 being the last one. A typical use is with the X-Forwarded-For header
13210 once converted to IP, associated with an IP stick-table. The function
13211 considers any comma as a delimiter for distinct values. If full-line headers
13212 are desired instead, use req.fhdr(). Please carefully check RFC2616 to know
13213 how certain headers are supposed to be parsed. Also, some of them are case
13214 insensitive (eg: Connection).
Willy Tarreaud63335a2010-02-26 12:56:52 +010013215
Willy Tarreau74ca5042013-06-11 23:12:07 +020013216 ACL derivatives :
13217 hdr([<name>[,<occ>]]) : exact string match
13218 hdr_beg([<name>[,<occ>]]) : prefix match
13219 hdr_dir([<name>[,<occ>]]) : subdir match
13220 hdr_dom([<name>[,<occ>]]) : domain match
13221 hdr_end([<name>[,<occ>]]) : suffix match
13222 hdr_len([<name>[,<occ>]]) : length match
13223 hdr_reg([<name>[,<occ>]]) : regex match
13224 hdr_sub([<name>[,<occ>]]) : substring match
13225
13226req.hdr_cnt([<name>]) : integer
13227hdr_cnt([<header>]) : integer (deprecated)
13228 Returns an integer value representing the number of occurrences of request
13229 header field name <name>, or the total number of header field values if
13230 <name> is not specified. It is important to remember that one header line may
13231 count as several headers if it has several values. The function considers any
13232 comma as a delimiter for distinct values. If full-line headers are desired
13233 instead, req.fhdr_cnt() should be used instead. With ACLs, it can be used to
13234 detect presence, absence or abuse of a specific header, as well as to block
13235 request smuggling attacks by rejecting requests which contain more than one
13236 of certain headers. See "req.hdr" for more information on header matching.
13237
13238req.hdr_ip([<name>[,<occ>]]) : ip
13239hdr_ip([<name>[,<occ>]]) : ip (deprecated)
13240 This extracts the last occurrence of header <name> in an HTTP request,
13241 converts it to an IPv4 or IPv6 address and returns this address. When used
13242 with ACLs, all occurrences are checked, and if <name> is omitted, every value
13243 of every header is checked. Optionally, a specific occurrence might be
13244 specified as a position number. Positive values indicate a position from the
13245 first occurrence, with 1 being the first one. Negative values indicate
13246 positions relative to the last one, with -1 being the last one. A typical use
13247 is with the X-Forwarded-For and X-Client-IP headers.
13248
13249req.hdr_val([<name>[,<occ>]]) : integer
13250hdr_val([<name>[,<occ>]]) : integer (deprecated)
13251 This extracts the last occurrence of header <name> in an HTTP request, and
13252 converts it to an integer value. When used with ACLs, all occurrences are
13253 checked, and if <name> is omitted, every value of every header is checked.
13254 Optionally, a specific occurrence might be specified as a position number.
13255 Positive values indicate a position from the first occurrence, with 1 being
13256 the first one. Negative values indicate positions relative to the last one,
13257 with -1 being the last one. A typical use is with the X-Forwarded-For header.
13258
13259http_auth(<userlist>) : boolean
13260 Returns a boolean indicating whether the authentication data received from
13261 the client match a username & password stored in the specified userlist. This
13262 fetch function is not really useful outside of ACLs. Currently only http
13263 basic auth is supported.
13264
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010013265http_auth_group(<userlist>) : string
13266 Returns a string corresponding to the user name found in the authentication
13267 data received from the client if both the user name and password are valid
13268 according to the specified userlist. The main purpose is to use it in ACLs
13269 where it is then checked whether the user belongs to any group within a list.
Willy Tarreau74ca5042013-06-11 23:12:07 +020013270 This fetch function is not really useful outside of ACLs. Currently only http
13271 basic auth is supported.
13272
13273 ACL derivatives :
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010013274 http_auth_group(<userlist>) : group ...
13275 Returns true when the user extracted from the request and whose password is
13276 valid according to the specified userlist belongs to at least one of the
13277 groups.
Willy Tarreau74ca5042013-06-11 23:12:07 +020013278
13279http_first_req : boolean
Willy Tarreau7f18e522010-10-22 20:04:13 +020013280 Returns true when the request being processed is the first one of the
13281 connection. This can be used to add or remove headers that may be missing
Willy Tarreau74ca5042013-06-11 23:12:07 +020013282 from some requests when a request is not the first one, or to help grouping
13283 requests in the logs.
Willy Tarreau7f18e522010-10-22 20:04:13 +020013284
Willy Tarreau74ca5042013-06-11 23:12:07 +020013285method : integer + string
13286 Returns an integer value corresponding to the method in the HTTP request. For
13287 example, "GET" equals 1 (check sources to establish the matching). Value 9
13288 means "other method" and may be converted to a string extracted from the
13289 stream. This should not be used directly as a sample, this is only meant to
13290 be used from ACLs, which transparently convert methods from patterns to these
13291 integer + string values. Some predefined ACL already check for most common
13292 methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013293
Willy Tarreau74ca5042013-06-11 23:12:07 +020013294 ACL derivatives :
13295 method : case insensitive method match
Willy Tarreau6a06a402007-07-15 20:15:28 +020013296
Willy Tarreau74ca5042013-06-11 23:12:07 +020013297 Example :
13298 # only accept GET and HEAD requests
13299 acl valid_method method GET HEAD
13300 http-request deny if ! valid_method
Willy Tarreau6a06a402007-07-15 20:15:28 +020013301
Willy Tarreau74ca5042013-06-11 23:12:07 +020013302path : string
13303 This extracts the request's URL path, which starts at the first slash and
13304 ends before the question mark (without the host part). A typical use is with
13305 prefetch-capable caches, and with portals which need to aggregate multiple
13306 information from databases and keep them in caches. Note that with outgoing
13307 caches, it would be wiser to use "url" instead. With ACLs, it's typically
13308 used to match exact file names (eg: "/login.php"), or directory parts using
13309 the derivative forms. See also the "url" and "base" fetch methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013310
Willy Tarreau74ca5042013-06-11 23:12:07 +020013311 ACL derivatives :
13312 path : exact string match
13313 path_beg : prefix match
13314 path_dir : subdir match
13315 path_dom : domain match
13316 path_end : suffix match
13317 path_len : length match
13318 path_reg : regex match
13319 path_sub : substring match
Willy Tarreau6a06a402007-07-15 20:15:28 +020013320
Willy Tarreau49ad95c2015-01-19 15:06:26 +010013321query : string
13322 This extracts the request's query string, which starts after the first
13323 question mark. If no question mark is present, this fetch returns nothing. If
13324 a question mark is present but nothing follows, it returns an empty string.
13325 This means it's possible to easily know whether a query string is present
13326 using the "found" matching method. This fetch is the completemnt of "path"
13327 which stops before the question mark.
13328
Willy Tarreaueb27ec72015-02-20 13:55:29 +010013329req.hdr_names([<delim>]) : string
13330 This builds a string made from the concatenation of all header names as they
13331 appear in the request when the rule is evaluated. The default delimiter is
13332 the comma (',') but it may be overridden as an optional argument <delim>. In
13333 this case, only the first character of <delim> is considered.
13334
Willy Tarreau74ca5042013-06-11 23:12:07 +020013335req.ver : string
13336req_ver : string (deprecated)
13337 Returns the version string from the HTTP request, for example "1.1". This can
13338 be useful for logs, but is mostly there for ACL. Some predefined ACL already
13339 check for versions 1.0 and 1.1.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013340
Willy Tarreau74ca5042013-06-11 23:12:07 +020013341 ACL derivatives :
13342 req_ver : exact string match
Willy Tarreau0e698542011-09-16 08:32:32 +020013343
Willy Tarreau74ca5042013-06-11 23:12:07 +020013344res.comp : boolean
13345 Returns the boolean "true" value if the response has been compressed by
13346 HAProxy, otherwise returns boolean "false". This may be used to add
13347 information in the logs.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013348
Willy Tarreau74ca5042013-06-11 23:12:07 +020013349res.comp_algo : string
13350 Returns a string containing the name of the algorithm used if the response
13351 was compressed by HAProxy, for example : "deflate". This may be used to add
13352 some information in the logs.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013353
Willy Tarreau74ca5042013-06-11 23:12:07 +020013354res.cook([<name>]) : string
13355scook([<name>]) : string (deprecated)
13356 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
13357 header line from the response, and returns its value as string. If no name is
13358 specified, the first cookie value is returned.
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020013359
Willy Tarreau74ca5042013-06-11 23:12:07 +020013360 ACL derivatives :
13361 scook([<name>] : exact string match
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020013362
Willy Tarreau74ca5042013-06-11 23:12:07 +020013363res.cook_cnt([<name>]) : integer
13364scook_cnt([<name>]) : integer (deprecated)
13365 Returns an integer value representing the number of occurrences of the cookie
13366 <name> in the response, or all cookies if <name> is not specified. This is
13367 mostly useful when combined with ACLs to detect suspicious responses.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013368
Willy Tarreau74ca5042013-06-11 23:12:07 +020013369res.cook_val([<name>]) : integer
13370scook_val([<name>]) : integer (deprecated)
13371 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
13372 header line from the response, and converts its value to an integer which is
13373 returned. If no name is specified, the first cookie value is returned.
Willy Tarreaud63335a2010-02-26 12:56:52 +010013374
Willy Tarreau74ca5042013-06-11 23:12:07 +020013375res.fhdr([<name>[,<occ>]]) : string
13376 This extracts the last occurrence of header <name> in an HTTP response, or of
13377 the last header if no <name> is specified. Optionally, a specific occurrence
13378 might be specified as a position number. Positive values indicate a position
13379 from the first occurrence, with 1 being the first one. Negative values
13380 indicate positions relative to the last one, with -1 being the last one. It
13381 differs from res.hdr() in that any commas present in the value are returned
13382 and are not used as delimiters. If this is not desired, the res.hdr() fetch
13383 should be used instead. This is sometimes useful with headers such as Date or
13384 Expires.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013385
Willy Tarreau74ca5042013-06-11 23:12:07 +020013386res.fhdr_cnt([<name>]) : integer
13387 Returns an integer value representing the number of occurrences of response
13388 header field name <name>, or the total number of header fields if <name> is
13389 not specified. Contrary to its res.hdr_cnt() cousin, this function returns
13390 the number of full line headers and does not stop on commas. If this is not
13391 desired, the res.hdr_cnt() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013392
Willy Tarreau74ca5042013-06-11 23:12:07 +020013393res.hdr([<name>[,<occ>]]) : string
13394shdr([<name>[,<occ>]]) : string (deprecated)
13395 This extracts the last occurrence of header <name> in an HTTP response, or of
13396 the last header if no <name> is specified. Optionally, a specific occurrence
13397 might be specified as a position number. Positive values indicate a position
13398 from the first occurrence, with 1 being the first one. Negative values
13399 indicate positions relative to the last one, with -1 being the last one. This
13400 can be useful to learn some data into a stick-table. The function considers
13401 any comma as a delimiter for distinct values. If this is not desired, the
13402 res.fhdr() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013403
Willy Tarreau74ca5042013-06-11 23:12:07 +020013404 ACL derivatives :
13405 shdr([<name>[,<occ>]]) : exact string match
13406 shdr_beg([<name>[,<occ>]]) : prefix match
13407 shdr_dir([<name>[,<occ>]]) : subdir match
13408 shdr_dom([<name>[,<occ>]]) : domain match
13409 shdr_end([<name>[,<occ>]]) : suffix match
13410 shdr_len([<name>[,<occ>]]) : length match
13411 shdr_reg([<name>[,<occ>]]) : regex match
13412 shdr_sub([<name>[,<occ>]]) : substring match
13413
13414res.hdr_cnt([<name>]) : integer
13415shdr_cnt([<name>]) : integer (deprecated)
13416 Returns an integer value representing the number of occurrences of response
13417 header field name <name>, or the total number of header fields if <name> is
13418 not specified. The function considers any comma as a delimiter for distinct
13419 values. If this is not desired, the res.fhdr_cnt() fetch should be used
13420 instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013421
Willy Tarreau74ca5042013-06-11 23:12:07 +020013422res.hdr_ip([<name>[,<occ>]]) : ip
13423shdr_ip([<name>[,<occ>]]) : ip (deprecated)
13424 This extracts the last occurrence of header <name> in an HTTP response,
13425 convert it to an IPv4 or IPv6 address and returns this address. Optionally, a
13426 specific occurrence might be specified as a position number. Positive values
13427 indicate a position from the first occurrence, with 1 being the first one.
13428 Negative values indicate positions relative to the last one, with -1 being
13429 the last one. This can be useful to learn some data into a stick table.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013430
Willy Tarreaueb27ec72015-02-20 13:55:29 +010013431res.hdr_names([<delim>]) : string
13432 This builds a string made from the concatenation of all header names as they
13433 appear in the response when the rule is evaluated. The default delimiter is
13434 the comma (',') but it may be overridden as an optional argument <delim>. In
13435 this case, only the first character of <delim> is considered.
13436
Willy Tarreau74ca5042013-06-11 23:12:07 +020013437res.hdr_val([<name>[,<occ>]]) : integer
13438shdr_val([<name>[,<occ>]]) : integer (deprecated)
13439 This extracts the last occurrence of header <name> in an HTTP response, and
13440 converts it to an integer value. Optionally, a specific occurrence might be
13441 specified as a position number. Positive values indicate a position from the
13442 first occurrence, with 1 being the first one. Negative values indicate
13443 positions relative to the last one, with -1 being the last one. This can be
13444 useful to learn some data into a stick table.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010013445
Willy Tarreau74ca5042013-06-11 23:12:07 +020013446res.ver : string
13447resp_ver : string (deprecated)
13448 Returns the version string from the HTTP response, for example "1.1". This
13449 can be useful for logs, but is mostly there for ACL.
Willy Tarreau0e698542011-09-16 08:32:32 +020013450
Willy Tarreau74ca5042013-06-11 23:12:07 +020013451 ACL derivatives :
13452 resp_ver : exact string match
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010013453
Willy Tarreau74ca5042013-06-11 23:12:07 +020013454set-cookie([<name>]) : string (deprecated)
13455 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
13456 header line from the response and uses the corresponding value to match. This
Willy Tarreau294d0f02015-08-10 19:40:12 +020013457 can be comparable to what "appsession" did with default options, but with
Willy Tarreau74ca5042013-06-11 23:12:07 +020013458 support for multi-peer synchronization and state keeping across restarts.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010013459
Willy Tarreau74ca5042013-06-11 23:12:07 +020013460 This fetch function is deprecated and has been superseded by the "res.cook"
13461 fetch. This keyword will disappear soon.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010013462
Willy Tarreau74ca5042013-06-11 23:12:07 +020013463status : integer
13464 Returns an integer containing the HTTP status code in the HTTP response, for
13465 example, 302. It is mostly used within ACLs and integer ranges, for example,
13466 to remove any Location header if the response is not a 3xx.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013467
Willy Tarreau74ca5042013-06-11 23:12:07 +020013468url : string
13469 This extracts the request's URL as presented in the request. A typical use is
13470 with prefetch-capable caches, and with portals which need to aggregate
13471 multiple information from databases and keep them in caches. With ACLs, using
13472 "path" is preferred over using "url", because clients may send a full URL as
13473 is normally done with proxies. The only real use is to match "*" which does
13474 not match in "path", and for which there is already a predefined ACL. See
13475 also "path" and "base".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013476
Willy Tarreau74ca5042013-06-11 23:12:07 +020013477 ACL derivatives :
13478 url : exact string match
13479 url_beg : prefix match
13480 url_dir : subdir match
13481 url_dom : domain match
13482 url_end : suffix match
13483 url_len : length match
13484 url_reg : regex match
13485 url_sub : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013486
Willy Tarreau74ca5042013-06-11 23:12:07 +020013487url_ip : ip
13488 This extracts the IP address from the request's URL when the host part is
13489 presented as an IP address. Its use is very limited. For instance, a
13490 monitoring system might use this field as an alternative for the source IP in
13491 order to test what path a given source address would follow, or to force an
13492 entry in a table for a given source address. With ACLs it can be used to
13493 restrict access to certain systems through a proxy, for example when combined
13494 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013495
Willy Tarreau74ca5042013-06-11 23:12:07 +020013496url_port : integer
13497 This extracts the port part from the request's URL. Note that if the port is
13498 not specified in the request, port 80 is assumed. With ACLs it can be used to
13499 restrict access to certain systems through a proxy, for example when combined
13500 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013501
Willy Tarreau1ede1da2015-05-07 16:06:18 +020013502urlp([<name>[,<delim>]]) : string
13503url_param([<name>[,<delim>]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020013504 This extracts the first occurrence of the parameter <name> in the query
13505 string, which begins after either '?' or <delim>, and which ends before '&',
Willy Tarreau1ede1da2015-05-07 16:06:18 +020013506 ';' or <delim>. The parameter name is case-sensitive. If no name is given,
13507 any parameter will match, and the first one will be returned. The result is
13508 a string corresponding to the value of the parameter <name> as presented in
13509 the request (no URL decoding is performed). This can be used for session
Willy Tarreau74ca5042013-06-11 23:12:07 +020013510 stickiness based on a client ID, to extract an application cookie passed as a
13511 URL parameter, or in ACLs to apply some checks. Note that the ACL version of
Willy Tarreau1ede1da2015-05-07 16:06:18 +020013512 this fetch iterates over multiple parameters and will iteratively report all
13513 parameters values if no name is given
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013514
Willy Tarreau74ca5042013-06-11 23:12:07 +020013515 ACL derivatives :
13516 urlp(<name>[,<delim>]) : exact string match
13517 urlp_beg(<name>[,<delim>]) : prefix match
13518 urlp_dir(<name>[,<delim>]) : subdir match
13519 urlp_dom(<name>[,<delim>]) : domain match
13520 urlp_end(<name>[,<delim>]) : suffix match
13521 urlp_len(<name>[,<delim>]) : length match
13522 urlp_reg(<name>[,<delim>]) : regex match
13523 urlp_sub(<name>[,<delim>]) : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013524
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013525
Willy Tarreau74ca5042013-06-11 23:12:07 +020013526 Example :
13527 # match http://example.com/foo?PHPSESSIONID=some_id
13528 stick on urlp(PHPSESSIONID)
13529 # match http://example.com/foo;JSESSIONID=some_id
13530 stick on urlp(JSESSIONID,;)
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020013531
Willy Tarreau1ede1da2015-05-07 16:06:18 +020013532urlp_val([<name>[,<delim>])] : integer
Willy Tarreau74ca5042013-06-11 23:12:07 +020013533 See "urlp" above. This one extracts the URL parameter <name> in the request
13534 and converts it to an integer value. This can be used for session stickiness
13535 based on a user ID for example, or with ACLs to match a page number or price.
Willy Tarreaua9fddca2012-07-31 07:51:48 +020013536
Willy Tarreau198a7442008-01-17 12:05:32 +010013537
Willy Tarreau74ca5042013-06-11 23:12:07 +0200135387.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013539---------------------
Willy Tarreauced27012008-01-17 20:35:34 +010013540
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013541Some predefined ACLs are hard-coded so that they do not have to be declared in
13542every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +020013543order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +010013544
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013545ACL name Equivalent to Usage
13546---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013547FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +020013548HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013549HTTP_1.0 req_ver 1.0 match HTTP version 1.0
13550HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +010013551HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
13552HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
13553HTTP_URL_SLASH url_beg / match URL beginning with "/"
13554HTTP_URL_STAR url * match URL equal to "*"
13555LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013556METH_CONNECT method CONNECT match HTTP CONNECT method
13557METH_GET method GET HEAD match HTTP GET or HEAD method
13558METH_HEAD method HEAD match HTTP HEAD method
13559METH_OPTIONS method OPTIONS match HTTP OPTIONS method
13560METH_POST method POST match HTTP POST method
13561METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +020013562RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013563REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +010013564TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013565WAIT_END wait_end wait for end of content analysis
13566---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +010013567
Willy Tarreaub937b7e2010-01-12 15:27:54 +010013568
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200135698. Logging
13570----------
Willy Tarreau844e3c52008-01-11 16:28:18 +010013571
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013572One of HAProxy's strong points certainly lies is its precise logs. It probably
13573provides the finest level of information available for such a product, which is
13574very important for troubleshooting complex environments. Standard information
13575provided in logs include client ports, TCP/HTTP state timers, precise session
13576state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013577to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013578headers.
13579
13580In order to improve administrators reactivity, it offers a great transparency
13581about encountered problems, both internal and external, and it is possible to
13582send logs to different sources at the same time with different level filters :
13583
13584 - global process-level logs (system errors, start/stop, etc..)
13585 - per-instance system and internal errors (lack of resource, bugs, ...)
13586 - per-instance external troubles (servers up/down, max connections)
13587 - per-instance activity (client connections), either at the establishment or
13588 at the termination.
Jim Freeman9e8714b2015-05-26 09:16:34 -060013589 - per-request control of log-level, eg:
13590 http-request set-log-level silent if sensitive_request
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013591
13592The ability to distribute different levels of logs to different log servers
13593allow several production teams to interact and to fix their problems as soon
13594as possible. For example, the system team might monitor system-wide errors,
13595while the application team might be monitoring the up/down for their servers in
13596real time, and the security team might analyze the activity logs with one hour
13597delay.
13598
13599
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200136008.1. Log levels
13601---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013602
Simon Hormandf791f52011-05-29 15:01:10 +090013603TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013604source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +090013605HTTP request, HTTP return code, number of bytes transmitted, conditions
13606in which the session ended, and even exchanged cookies values. For example
13607track a particular user's problems. All messages may be sent to up to two
13608syslog servers. Check the "log" keyword in section 4.2 for more information
13609about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013610
13611
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200136128.2. Log formats
13613----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013614
William Lallemand48940402012-01-30 16:47:22 +010013615HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +090013616and will be detailed in the following sections. A few of them may vary
13617slightly with the configuration, due to indicators specific to certain
13618options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013619
13620 - the default format, which is very basic and very rarely used. It only
13621 provides very basic information about the incoming connection at the moment
13622 it is accepted : source IP:port, destination IP:port, and frontend-name.
13623 This mode will eventually disappear so it will not be described to great
13624 extents.
13625
13626 - the TCP format, which is more advanced. This format is enabled when "option
13627 tcplog" is set on the frontend. HAProxy will then usually wait for the
13628 connection to terminate before logging. This format provides much richer
13629 information, such as timers, connection counts, queue size, etc... This
13630 format is recommended for pure TCP proxies.
13631
13632 - the HTTP format, which is the most advanced for HTTP proxying. This format
13633 is enabled when "option httplog" is set on the frontend. It provides the
13634 same information as the TCP format with some HTTP-specific fields such as
13635 the request, the status code, and captures of headers and cookies. This
13636 format is recommended for HTTP proxies.
13637
Emeric Brun3a058f32009-06-30 18:26:00 +020013638 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
13639 fields arranged in the same order as the CLF format. In this mode, all
13640 timers, captures, flags, etc... appear one per field after the end of the
13641 common fields, in the same order they appear in the standard HTTP format.
13642
William Lallemand48940402012-01-30 16:47:22 +010013643 - the custom log format, allows you to make your own log line.
13644
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013645Next sections will go deeper into details for each of these formats. Format
13646specification will be performed on a "field" basis. Unless stated otherwise, a
13647field is a portion of text delimited by any number of spaces. Since syslog
13648servers are susceptible of inserting fields at the beginning of a line, it is
13649always assumed that the first field is the one containing the process name and
13650identifier.
13651
13652Note : Since log lines may be quite long, the log examples in sections below
13653 might be broken into multiple lines. The example log lines will be
13654 prefixed with 3 closing angle brackets ('>>>') and each time a log is
13655 broken into multiple lines, each non-final line will end with a
13656 backslash ('\') and the next line will start indented by two characters.
13657
13658
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200136598.2.1. Default log format
13660-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013661
13662This format is used when no specific option is set. The log is emitted as soon
13663as the connection is accepted. One should note that this currently is the only
13664format which logs the request's destination IP and ports.
13665
13666 Example :
13667 listen www
13668 mode http
13669 log global
13670 server srv1 127.0.0.1:8000
13671
13672 >>> Feb 6 12:12:09 localhost \
13673 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
13674 (www/HTTP)
13675
13676 Field Format Extract from the example above
13677 1 process_name '[' pid ']:' haproxy[14385]:
13678 2 'Connect from' Connect from
13679 3 source_ip ':' source_port 10.0.1.2:33312
13680 4 'to' to
13681 5 destination_ip ':' destination_port 10.0.3.31:8012
13682 6 '(' frontend_name '/' mode ')' (www/HTTP)
13683
13684Detailed fields description :
13685 - "source_ip" is the IP address of the client which initiated the connection.
13686 - "source_port" is the TCP port of the client which initiated the connection.
13687 - "destination_ip" is the IP address the client connected to.
13688 - "destination_port" is the TCP port the client connected to.
13689 - "frontend_name" is the name of the frontend (or listener) which received
13690 and processed the connection.
13691 - "mode is the mode the frontend is operating (TCP or HTTP).
13692
Willy Tarreauceb24bc2010-11-09 12:46:41 +010013693In case of a UNIX socket, the source and destination addresses are marked as
13694"unix:" and the ports reflect the internal ID of the socket which accepted the
13695connection (the same ID as reported in the stats).
13696
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013697It is advised not to use this deprecated format for newer installations as it
13698will eventually disappear.
13699
13700
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200137018.2.2. TCP log format
13702---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013703
13704The TCP format is used when "option tcplog" is specified in the frontend, and
13705is the recommended format for pure TCP proxies. It provides a lot of precious
13706information for troubleshooting. Since this format includes timers and byte
13707counts, the log is normally emitted at the end of the session. It can be
13708emitted earlier if "option logasap" is specified, which makes sense in most
13709environments with long sessions such as remote terminals. Sessions which match
13710the "monitor" rules are never logged. It is also possible not to emit logs for
13711sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020013712specifying "option dontlognull" in the frontend. Successful connections will
13713not be logged if "option dontlog-normal" is specified in the frontend. A few
13714fields may slightly vary depending on some configuration options, those are
13715marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013716
13717 Example :
13718 frontend fnt
13719 mode tcp
13720 option tcplog
13721 log global
13722 default_backend bck
13723
13724 backend bck
13725 server srv1 127.0.0.1:8000
13726
13727 >>> Feb 6 12:12:56 localhost \
13728 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
13729 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
13730
13731 Field Format Extract from the example above
13732 1 process_name '[' pid ']:' haproxy[14387]:
13733 2 client_ip ':' client_port 10.0.1.2:33313
13734 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
13735 4 frontend_name fnt
13736 5 backend_name '/' server_name bck/srv1
13737 6 Tw '/' Tc '/' Tt* 0/0/5007
13738 7 bytes_read* 212
13739 8 termination_state --
13740 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
13741 10 srv_queue '/' backend_queue 0/0
13742
13743Detailed fields description :
13744 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010013745 connection to haproxy. If the connection was accepted on a UNIX socket
13746 instead, the IP address would be replaced with the word "unix". Note that
13747 when the connection is accepted on a socket configured with "accept-proxy"
13748 and the PROXY protocol is correctly used, then the logs will reflect the
13749 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013750
13751 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010013752 If the connection was accepted on a UNIX socket instead, the port would be
13753 replaced with the ID of the accepting socket, which is also reported in the
13754 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013755
13756 - "accept_date" is the exact date when the connection was received by haproxy
13757 (which might be very slightly different from the date observed on the
13758 network if there was some queuing in the system's backlog). This is usually
13759 the same date which may appear in any upstream firewall's log.
13760
13761 - "frontend_name" is the name of the frontend (or listener) which received
13762 and processed the connection.
13763
13764 - "backend_name" is the name of the backend (or listener) which was selected
13765 to manage the connection to the server. This will be the same as the
13766 frontend if no switching rule has been applied, which is common for TCP
13767 applications.
13768
13769 - "server_name" is the name of the last server to which the connection was
13770 sent, which might differ from the first one if there were connection errors
13771 and a redispatch occurred. Note that this server belongs to the backend
13772 which processed the request. If the connection was aborted before reaching
13773 a server, "<NOSRV>" is indicated instead of a server name.
13774
13775 - "Tw" is the total time in milliseconds spent waiting in the various queues.
13776 It can be "-1" if the connection was aborted before reaching the queue.
13777 See "Timers" below for more details.
13778
13779 - "Tc" is the total time in milliseconds spent waiting for the connection to
13780 establish to the final server, including retries. It can be "-1" if the
13781 connection was aborted before a connection could be established. See
13782 "Timers" below for more details.
13783
13784 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013785 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013786 "option logasap" was specified, then the time counting stops at the moment
13787 the log is emitted. In this case, a '+' sign is prepended before the value,
13788 indicating that the final one will be larger. See "Timers" below for more
13789 details.
13790
13791 - "bytes_read" is the total number of bytes transmitted from the server to
13792 the client when the log is emitted. If "option logasap" is specified, the
13793 this value will be prefixed with a '+' sign indicating that the final one
13794 may be larger. Please note that this value is a 64-bit counter, so log
13795 analysis tools must be able to handle it without overflowing.
13796
13797 - "termination_state" is the condition the session was in when the session
13798 ended. This indicates the session state, which side caused the end of
13799 session to happen, and for what reason (timeout, error, ...). The normal
13800 flags should be "--", indicating the session was closed by either end with
13801 no data remaining in buffers. See below "Session state at disconnection"
13802 for more details.
13803
13804 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040013805 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013806 limits have been reached. For instance, if actconn is close to 512 when
13807 multiple connection errors occur, chances are high that the system limits
13808 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013809 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013810
13811 - "feconn" is the total number of concurrent connections on the frontend when
13812 the session was logged. It is useful to estimate the amount of resource
13813 required to sustain high loads, and to detect when the frontend's "maxconn"
13814 has been reached. Most often when this value increases by huge jumps, it is
13815 because there is congestion on the backend servers, but sometimes it can be
13816 caused by a denial of service attack.
13817
13818 - "beconn" is the total number of concurrent connections handled by the
13819 backend when the session was logged. It includes the total number of
13820 concurrent connections active on servers as well as the number of
13821 connections pending in queues. It is useful to estimate the amount of
13822 additional servers needed to support high loads for a given application.
13823 Most often when this value increases by huge jumps, it is because there is
13824 congestion on the backend servers, but sometimes it can be caused by a
13825 denial of service attack.
13826
13827 - "srv_conn" is the total number of concurrent connections still active on
13828 the server when the session was logged. It can never exceed the server's
13829 configured "maxconn" parameter. If this value is very often close or equal
13830 to the server's "maxconn", it means that traffic regulation is involved a
13831 lot, meaning that either the server's maxconn value is too low, or that
13832 there aren't enough servers to process the load with an optimal response
13833 time. When only one of the server's "srv_conn" is high, it usually means
13834 that this server has some trouble causing the connections to take longer to
13835 be processed than on other servers.
13836
13837 - "retries" is the number of connection retries experienced by this session
13838 when trying to connect to the server. It must normally be zero, unless a
13839 server is being stopped at the same moment the connection was attempted.
13840 Frequent retries generally indicate either a network problem between
13841 haproxy and the server, or a misconfigured system backlog on the server
13842 preventing new connections from being queued. This field may optionally be
13843 prefixed with a '+' sign, indicating that the session has experienced a
13844 redispatch after the maximal retry count has been reached on the initial
13845 server. In this case, the server name appearing in the log is the one the
13846 connection was redispatched to, and not the first one, though both may
13847 sometimes be the same in case of hashing for instance. So as a general rule
13848 of thumb, when a '+' is present in front of the retry count, this count
13849 should not be attributed to the logged server.
13850
13851 - "srv_queue" is the total number of requests which were processed before
13852 this one in the server queue. It is zero when the request has not gone
13853 through the server queue. It makes it possible to estimate the approximate
13854 server's response time by dividing the time spent in queue by the number of
13855 requests in the queue. It is worth noting that if a session experiences a
13856 redispatch and passes through two server queues, their positions will be
13857 cumulated. A request should not pass through both the server queue and the
13858 backend queue unless a redispatch occurs.
13859
13860 - "backend_queue" is the total number of requests which were processed before
13861 this one in the backend's global queue. It is zero when the request has not
13862 gone through the global queue. It makes it possible to estimate the average
13863 queue length, which easily translates into a number of missing servers when
13864 divided by a server's "maxconn" parameter. It is worth noting that if a
13865 session experiences a redispatch, it may pass twice in the backend's queue,
13866 and then both positions will be cumulated. A request should not pass
13867 through both the server queue and the backend queue unless a redispatch
13868 occurs.
13869
13870
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200138718.2.3. HTTP log format
13872----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013873
13874The HTTP format is the most complete and the best suited for HTTP proxies. It
13875is enabled by when "option httplog" is specified in the frontend. It provides
13876the same level of information as the TCP format with additional features which
13877are specific to the HTTP protocol. Just like the TCP format, the log is usually
13878emitted at the end of the session, unless "option logasap" is specified, which
13879generally only makes sense for download sites. A session which matches the
13880"monitor" rules will never logged. It is also possible not to log sessions for
13881which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020013882frontend. Successful connections will not be logged if "option dontlog-normal"
13883is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013884
13885Most fields are shared with the TCP log, some being different. A few fields may
13886slightly vary depending on some configuration options. Those ones are marked
13887with a star ('*') after the field name below.
13888
13889 Example :
13890 frontend http-in
13891 mode http
13892 option httplog
13893 log global
13894 default_backend bck
13895
13896 backend static
13897 server srv1 127.0.0.1:8000
13898
13899 >>> Feb 6 12:14:14 localhost \
13900 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
13901 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013902 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013903
13904 Field Format Extract from the example above
13905 1 process_name '[' pid ']:' haproxy[14389]:
13906 2 client_ip ':' client_port 10.0.1.2:33317
13907 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
13908 4 frontend_name http-in
13909 5 backend_name '/' server_name static/srv1
13910 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
13911 7 status_code 200
13912 8 bytes_read* 2750
13913 9 captured_request_cookie -
13914 10 captured_response_cookie -
13915 11 termination_state ----
13916 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
13917 13 srv_queue '/' backend_queue 0/0
13918 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
13919 15 '{' captured_response_headers* '}' {}
13920 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +010013921
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013922
13923Detailed fields description :
13924 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010013925 connection to haproxy. If the connection was accepted on a UNIX socket
13926 instead, the IP address would be replaced with the word "unix". Note that
13927 when the connection is accepted on a socket configured with "accept-proxy"
13928 and the PROXY protocol is correctly used, then the logs will reflect the
13929 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013930
13931 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010013932 If the connection was accepted on a UNIX socket instead, the port would be
13933 replaced with the ID of the accepting socket, which is also reported in the
13934 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013935
13936 - "accept_date" is the exact date when the TCP connection was received by
13937 haproxy (which might be very slightly different from the date observed on
13938 the network if there was some queuing in the system's backlog). This is
13939 usually the same date which may appear in any upstream firewall's log. This
13940 does not depend on the fact that the client has sent the request or not.
13941
13942 - "frontend_name" is the name of the frontend (or listener) which received
13943 and processed the connection.
13944
13945 - "backend_name" is the name of the backend (or listener) which was selected
13946 to manage the connection to the server. This will be the same as the
13947 frontend if no switching rule has been applied.
13948
13949 - "server_name" is the name of the last server to which the connection was
13950 sent, which might differ from the first one if there were connection errors
13951 and a redispatch occurred. Note that this server belongs to the backend
13952 which processed the request. If the request was aborted before reaching a
13953 server, "<NOSRV>" is indicated instead of a server name. If the request was
13954 intercepted by the stats subsystem, "<STATS>" is indicated instead.
13955
13956 - "Tq" is the total time in milliseconds spent waiting for the client to send
13957 a full HTTP request, not counting data. It can be "-1" if the connection
13958 was aborted before a complete request could be received. It should always
13959 be very small because a request generally fits in one single packet. Large
13960 times here generally indicate network trouble between the client and
13961 haproxy. See "Timers" below for more details.
13962
13963 - "Tw" is the total time in milliseconds spent waiting in the various queues.
13964 It can be "-1" if the connection was aborted before reaching the queue.
13965 See "Timers" below for more details.
13966
13967 - "Tc" is the total time in milliseconds spent waiting for the connection to
13968 establish to the final server, including retries. It can be "-1" if the
13969 request was aborted before a connection could be established. See "Timers"
13970 below for more details.
13971
13972 - "Tr" is the total time in milliseconds spent waiting for the server to send
13973 a full HTTP response, not counting data. It can be "-1" if the request was
13974 aborted before a complete response could be received. It generally matches
13975 the server's processing time for the request, though it may be altered by
13976 the amount of data sent by the client to the server. Large times here on
13977 "GET" requests generally indicate an overloaded server. See "Timers" below
13978 for more details.
13979
13980 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013981 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013982 "option logasap" was specified, then the time counting stops at the moment
13983 the log is emitted. In this case, a '+' sign is prepended before the value,
13984 indicating that the final one will be larger. See "Timers" below for more
13985 details.
13986
13987 - "status_code" is the HTTP status code returned to the client. This status
13988 is generally set by the server, but it might also be set by haproxy when
13989 the server cannot be reached or when its response is blocked by haproxy.
13990
13991 - "bytes_read" is the total number of bytes transmitted to the client when
13992 the log is emitted. This does include HTTP headers. If "option logasap" is
13993 specified, the this value will be prefixed with a '+' sign indicating that
13994 the final one may be larger. Please note that this value is a 64-bit
13995 counter, so log analysis tools must be able to handle it without
13996 overflowing.
13997
13998 - "captured_request_cookie" is an optional "name=value" entry indicating that
13999 the client had this cookie in the request. The cookie name and its maximum
14000 length are defined by the "capture cookie" statement in the frontend
14001 configuration. The field is a single dash ('-') when the option is not
14002 set. Only one cookie may be captured, it is generally used to track session
14003 ID exchanges between a client and a server to detect session crossing
14004 between clients due to application bugs. For more details, please consult
14005 the section "Capturing HTTP headers and cookies" below.
14006
14007 - "captured_response_cookie" is an optional "name=value" entry indicating
14008 that the server has returned a cookie with its response. The cookie name
14009 and its maximum length are defined by the "capture cookie" statement in the
14010 frontend configuration. The field is a single dash ('-') when the option is
14011 not set. Only one cookie may be captured, it is generally used to track
14012 session ID exchanges between a client and a server to detect session
14013 crossing between clients due to application bugs. For more details, please
14014 consult the section "Capturing HTTP headers and cookies" below.
14015
14016 - "termination_state" is the condition the session was in when the session
14017 ended. This indicates the session state, which side caused the end of
14018 session to happen, for what reason (timeout, error, ...), just like in TCP
14019 logs, and information about persistence operations on cookies in the last
14020 two characters. The normal flags should begin with "--", indicating the
14021 session was closed by either end with no data remaining in buffers. See
14022 below "Session state at disconnection" for more details.
14023
14024 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040014025 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014026 limits have been reached. For instance, if actconn is close to 512 or 1024
14027 when multiple connection errors occur, chances are high that the system
14028 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014029 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014030 system.
14031
14032 - "feconn" is the total number of concurrent connections on the frontend when
14033 the session was logged. It is useful to estimate the amount of resource
14034 required to sustain high loads, and to detect when the frontend's "maxconn"
14035 has been reached. Most often when this value increases by huge jumps, it is
14036 because there is congestion on the backend servers, but sometimes it can be
14037 caused by a denial of service attack.
14038
14039 - "beconn" is the total number of concurrent connections handled by the
14040 backend when the session was logged. It includes the total number of
14041 concurrent connections active on servers as well as the number of
14042 connections pending in queues. It is useful to estimate the amount of
14043 additional servers needed to support high loads for a given application.
14044 Most often when this value increases by huge jumps, it is because there is
14045 congestion on the backend servers, but sometimes it can be caused by a
14046 denial of service attack.
14047
14048 - "srv_conn" is the total number of concurrent connections still active on
14049 the server when the session was logged. It can never exceed the server's
14050 configured "maxconn" parameter. If this value is very often close or equal
14051 to the server's "maxconn", it means that traffic regulation is involved a
14052 lot, meaning that either the server's maxconn value is too low, or that
14053 there aren't enough servers to process the load with an optimal response
14054 time. When only one of the server's "srv_conn" is high, it usually means
14055 that this server has some trouble causing the requests to take longer to be
14056 processed than on other servers.
14057
14058 - "retries" is the number of connection retries experienced by this session
14059 when trying to connect to the server. It must normally be zero, unless a
14060 server is being stopped at the same moment the connection was attempted.
14061 Frequent retries generally indicate either a network problem between
14062 haproxy and the server, or a misconfigured system backlog on the server
14063 preventing new connections from being queued. This field may optionally be
14064 prefixed with a '+' sign, indicating that the session has experienced a
14065 redispatch after the maximal retry count has been reached on the initial
14066 server. In this case, the server name appearing in the log is the one the
14067 connection was redispatched to, and not the first one, though both may
14068 sometimes be the same in case of hashing for instance. So as a general rule
14069 of thumb, when a '+' is present in front of the retry count, this count
14070 should not be attributed to the logged server.
14071
14072 - "srv_queue" is the total number of requests which were processed before
14073 this one in the server queue. It is zero when the request has not gone
14074 through the server queue. It makes it possible to estimate the approximate
14075 server's response time by dividing the time spent in queue by the number of
14076 requests in the queue. It is worth noting that if a session experiences a
14077 redispatch and passes through two server queues, their positions will be
14078 cumulated. A request should not pass through both the server queue and the
14079 backend queue unless a redispatch occurs.
14080
14081 - "backend_queue" is the total number of requests which were processed before
14082 this one in the backend's global queue. It is zero when the request has not
14083 gone through the global queue. It makes it possible to estimate the average
14084 queue length, which easily translates into a number of missing servers when
14085 divided by a server's "maxconn" parameter. It is worth noting that if a
14086 session experiences a redispatch, it may pass twice in the backend's queue,
14087 and then both positions will be cumulated. A request should not pass
14088 through both the server queue and the backend queue unless a redispatch
14089 occurs.
14090
14091 - "captured_request_headers" is a list of headers captured in the request due
14092 to the presence of the "capture request header" statement in the frontend.
14093 Multiple headers can be captured, they will be delimited by a vertical bar
14094 ('|'). When no capture is enabled, the braces do not appear, causing a
14095 shift of remaining fields. It is important to note that this field may
14096 contain spaces, and that using it requires a smarter log parser than when
14097 it's not used. Please consult the section "Capturing HTTP headers and
14098 cookies" below for more details.
14099
14100 - "captured_response_headers" is a list of headers captured in the response
14101 due to the presence of the "capture response header" statement in the
14102 frontend. Multiple headers can be captured, they will be delimited by a
14103 vertical bar ('|'). When no capture is enabled, the braces do not appear,
14104 causing a shift of remaining fields. It is important to note that this
14105 field may contain spaces, and that using it requires a smarter log parser
14106 than when it's not used. Please consult the section "Capturing HTTP headers
14107 and cookies" below for more details.
14108
14109 - "http_request" is the complete HTTP request line, including the method,
14110 request and HTTP version string. Non-printable characters are encoded (see
14111 below the section "Non-printable characters"). This is always the last
14112 field, and it is always delimited by quotes and is the only one which can
14113 contain quotes. If new fields are added to the log format, they will be
14114 added before this field. This field might be truncated if the request is
14115 huge and does not fit in the standard syslog buffer (1024 characters). This
14116 is the reason why this field must always remain the last one.
14117
14118
Cyril Bontédc4d9032012-04-08 21:57:39 +0200141198.2.4. Custom log format
14120------------------------
William Lallemand48940402012-01-30 16:47:22 +010014121
Willy Tarreau2beef582012-12-20 17:22:52 +010014122The directive log-format allows you to customize the logs in http mode and tcp
William Lallemandbddd4fd2012-02-27 11:23:10 +010014123mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +010014124
14125HAproxy understands some log format variables. % precedes log format variables.
14126Variables can take arguments using braces ('{}'), and multiple arguments are
14127separated by commas within the braces. Flags may be added or removed by
14128prefixing them with a '+' or '-' sign.
14129
14130Special variable "%o" may be used to propagate its flags to all other
14131variables on the same format string. This is particularly handy with quoted
14132string formats ("Q").
14133
Willy Tarreauc8368452012-12-21 00:09:23 +010014134If a variable is named between square brackets ('[' .. ']') then it is used
Willy Tarreaube722a22014-06-13 16:31:59 +020014135as a sample expression rule (see section 7.3). This it useful to add some
Willy Tarreauc8368452012-12-21 00:09:23 +010014136less common information such as the client's SSL certificate's DN, or to log
14137the key that would be used to store an entry into a stick table.
14138
William Lallemand48940402012-01-30 16:47:22 +010014139Note: spaces must be escaped. A space character is considered as a separator.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030014140In order to emit a verbatim '%', it must be preceded by another '%' resulting
Willy Tarreau06d97f92013-12-02 17:45:48 +010014141in '%%'. HAProxy will automatically merge consecutive separators.
William Lallemand48940402012-01-30 16:47:22 +010014142
14143Flags are :
14144 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -040014145 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
William Lallemand48940402012-01-30 16:47:22 +010014146
14147 Example:
14148
14149 log-format %T\ %t\ Some\ Text
14150 log-format %{+Q}o\ %t\ %s\ %{-Q}r
14151
14152At the moment, the default HTTP format is defined this way :
14153
Willy Tarreau2beef582012-12-20 17:22:52 +010014154 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ \
14155 %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
William Lallemand48940402012-01-30 16:47:22 +010014156
William Lallemandbddd4fd2012-02-27 11:23:10 +010014157the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +010014158
Willy Tarreau2beef582012-12-20 17:22:52 +010014159 log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ \
Willy Tarreau773d65f2012-10-12 14:56:11 +020014160 %ms\ %ft\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \
Willy Tarreau2beef582012-12-20 17:22:52 +010014161 %bc\ %sc\ %rc\ %sq\ %bq\ %CC\ %CS\ \%hrl\ %hsl
William Lallemand48940402012-01-30 16:47:22 +010014162
William Lallemandbddd4fd2012-02-27 11:23:10 +010014163and the default TCP format is defined this way :
14164
Willy Tarreau2beef582012-12-20 17:22:52 +010014165 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ \
William Lallemandbddd4fd2012-02-27 11:23:10 +010014166 %ac/%fc/%bc/%sc/%rc\ %sq/%bq
14167
William Lallemand48940402012-01-30 16:47:22 +010014168Please refer to the table below for currently defined variables :
14169
William Lallemandbddd4fd2012-02-27 11:23:10 +010014170 +---+------+-----------------------------------------------+-------------+
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020014171 | R | var | field name (8.2.2 and 8.2.3 for description) | type |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014172 +---+------+-----------------------------------------------+-------------+
14173 | | %o | special variable, apply flags on all next var | |
14174 +---+------+-----------------------------------------------+-------------+
Willy Tarreau2beef582012-12-20 17:22:52 +010014175 | | %B | bytes_read (from server to client) | numeric |
14176 | H | %CC | captured_request_cookie | string |
14177 | H | %CS | captured_response_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +020014178 | | %H | hostname | string |
Andrew Hayworth0ebc55f2015-04-27 21:37:03 +000014179 | H | %HM | HTTP method (ex: POST) | string |
14180 | H | %HP | HTTP request URI without query string (path) | string |
Andrew Hayworthe63ac872015-07-31 16:14:16 +000014181 | H | %HQ | HTTP request URI query string (ex: ?bar=baz) | string |
Andrew Hayworth0ebc55f2015-04-27 21:37:03 +000014182 | H | %HU | HTTP request URI (ex: /foo?bar=baz) | string |
14183 | H | %HV | HTTP version (ex: HTTP/1.0) | string |
William Lallemanda73203e2012-03-12 12:48:57 +010014184 | | %ID | unique-id | string |
Willy Tarreau4bf99632014-06-13 12:21:40 +020014185 | | %ST | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020014186 | | %T | gmt_date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014187 | | %Tc | Tc | numeric |
Yuxans Yao4e25b012012-10-19 10:36:09 +080014188 | | %Tl | local_date_time | date |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020014189 | H | %Tq | Tq | numeric |
14190 | H | %Tr | Tr | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020014191 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014192 | | %Tt | Tt | numeric |
14193 | | %Tw | Tw | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010014194 | | %U | bytes_uploaded (from client to server) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014195 | | %ac | actconn | numeric |
14196 | | %b | backend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010014197 | | %bc | beconn (backend concurrent connections) | numeric |
14198 | | %bi | backend_source_ip (connecting address) | IP |
14199 | | %bp | backend_source_port (connecting address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014200 | | %bq | backend_queue | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010014201 | | %ci | client_ip (accepted address) | IP |
14202 | | %cp | client_port (accepted address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014203 | | %f | frontend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010014204 | | %fc | feconn (frontend concurrent connections) | numeric |
14205 | | %fi | frontend_ip (accepting address) | IP |
14206 | | %fp | frontend_port (accepting address) | numeric |
Willy Tarreau773d65f2012-10-12 14:56:11 +020014207 | | %ft | frontend_name_transport ('~' suffix for SSL) | string |
Willy Tarreau7346acb2014-08-28 15:03:15 +020014208 | | %lc | frontend_log_counter | numeric |
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020014209 | | %hr | captured_request_headers default style | string |
14210 | | %hrl | captured_request_headers CLF style | string list |
14211 | | %hs | captured_response_headers default style | string |
14212 | | %hsl | captured_response_headers CLF style | string list |
Willy Tarreau812c88e2015-08-09 10:56:35 +020014213 | | %ms | accept date milliseconds (left-padded with 0) | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020014214 | | %pid | PID | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020014215 | H | %r | http_request | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014216 | | %rc | retries | numeric |
Willy Tarreau1f0da242014-01-25 11:01:50 +010014217 | | %rt | request_counter (HTTP req or TCP session) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014218 | | %s | server_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010014219 | | %sc | srv_conn (server concurrent connections) | numeric |
14220 | | %si | server_IP (target address) | IP |
14221 | | %sp | server_port (target address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014222 | | %sq | srv_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020014223 | S | %sslc| ssl_ciphers (ex: AES-SHA) | string |
14224 | S | %sslv| ssl_version (ex: TLSv1) | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010014225 | | %t | date_time (with millisecond resolution) | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014226 | | %ts | termination_state | string |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020014227 | H | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010014228 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +010014229
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020014230 R = Restrictions : H = mode http only ; S = SSL only
William Lallemand48940402012-01-30 16:47:22 +010014231
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010014232
142338.2.5. Error log format
14234-----------------------
14235
14236When an incoming connection fails due to an SSL handshake or an invalid PROXY
14237protocol header, haproxy will log the event using a shorter, fixed line format.
14238By default, logs are emitted at the LOG_INFO level, unless the option
14239"log-separate-errors" is set in the backend, in which case the LOG_ERR level
14240will be used. Connections on which no data are exchanged (eg: probes) are not
14241logged if the "dontlognull" option is set.
14242
14243The format looks like this :
14244
14245 >>> Dec 3 18:27:14 localhost \
14246 haproxy[6103]: 127.0.0.1:56059 [03/Dec/2012:17:35:10.380] frt/f1: \
14247 Connection error during SSL handshake
14248
14249 Field Format Extract from the example above
14250 1 process_name '[' pid ']:' haproxy[6103]:
14251 2 client_ip ':' client_port 127.0.0.1:56059
14252 3 '[' accept_date ']' [03/Dec/2012:17:35:10.380]
14253 4 frontend_name "/" bind_name ":" frt/f1:
14254 5 message Connection error during SSL handshake
14255
14256These fields just provide minimal information to help debugging connection
14257failures.
14258
14259
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200142608.3. Advanced logging options
14261-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014262
14263Some advanced logging options are often looked for but are not easy to find out
14264just by looking at the various options. Here is an entry point for the few
14265options which can enable better logging. Please refer to the keywords reference
14266for more information about their usage.
14267
14268
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200142698.3.1. Disabling logging of external tests
14270------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014271
14272It is quite common to have some monitoring tools perform health checks on
14273haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
14274commercial load-balancer, and sometimes it will simply be a more complete
14275monitoring system such as Nagios. When the tests are very frequent, users often
14276ask how to disable logging for those checks. There are three possibilities :
14277
14278 - if connections come from everywhere and are just TCP probes, it is often
14279 desired to simply disable logging of connections without data exchange, by
14280 setting "option dontlognull" in the frontend. It also disables logging of
14281 port scans, which may or may not be desired.
14282
14283 - if the connection come from a known source network, use "monitor-net" to
14284 declare this network as monitoring only. Any host in this network will then
14285 only be able to perform health checks, and their requests will not be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030014286 logged. This is generally appropriate to designate a list of equipment
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014287 such as other load-balancers.
14288
14289 - if the tests are performed on a known URI, use "monitor-uri" to declare
14290 this URI as dedicated to monitoring. Any host sending this request will
14291 only get the result of a health-check, and the request will not be logged.
14292
14293
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200142948.3.2. Logging before waiting for the session to terminate
14295----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014296
14297The problem with logging at end of connection is that you have no clue about
14298what is happening during very long sessions, such as remote terminal sessions
14299or large file downloads. This problem can be worked around by specifying
14300"option logasap" in the frontend. Haproxy will then log as soon as possible,
14301just before data transfer begins. This means that in case of TCP, it will still
14302log the connection status to the server, and in case of HTTP, it will log just
14303after processing the server headers. In this case, the number of bytes reported
14304is the number of header bytes sent to the client. In order to avoid confusion
14305with normal logs, the total time field and the number of bytes are prefixed
14306with a '+' sign which means that real numbers are certainly larger.
14307
14308
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200143098.3.3. Raising log level upon errors
14310------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020014311
14312Sometimes it is more convenient to separate normal traffic from errors logs,
14313for instance in order to ease error monitoring from log files. When the option
14314"log-separate-errors" is used, connections which experience errors, timeouts,
14315retries, redispatches or HTTP status codes 5xx will see their syslog level
14316raised from "info" to "err". This will help a syslog daemon store the log in
14317a separate file. It is very important to keep the errors in the normal traffic
14318file too, so that log ordering is not altered. You should also be careful if
14319you already have configured your syslog daemon to store all logs higher than
14320"notice" in an "admin" file, because the "err" level is higher than "notice".
14321
14322
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200143238.3.4. Disabling logging of successful connections
14324--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020014325
14326Although this may sound strange at first, some large sites have to deal with
14327multiple thousands of logs per second and are experiencing difficulties keeping
14328them intact for a long time or detecting errors within them. If the option
14329"dontlog-normal" is set on the frontend, all normal connections will not be
14330logged. In this regard, a normal connection is defined as one without any
14331error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
14332and a response with a status 5xx is not considered normal and will be logged
14333too. Of course, doing is is really discouraged as it will remove most of the
14334useful information from the logs. Do this only if you have no other
14335alternative.
14336
14337
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200143388.4. Timing events
14339------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014340
14341Timers provide a great help in troubleshooting network problems. All values are
14342reported in milliseconds (ms). These timers should be used in conjunction with
14343the session termination flags. In TCP mode with "option tcplog" set on the
14344frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
14345mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
14346
14347 - Tq: total time to get the client request (HTTP mode only). It's the time
14348 elapsed between the moment the client connection was accepted and the
14349 moment the proxy received the last HTTP header. The value "-1" indicates
14350 that the end of headers (empty line) has never been seen. This happens when
14351 the client closes prematurely or times out.
14352
14353 - Tw: total time spent in the queues waiting for a connection slot. It
14354 accounts for backend queue as well as the server queues, and depends on the
14355 queue size, and the time needed for the server to complete previous
14356 requests. The value "-1" means that the request was killed before reaching
14357 the queue, which is generally what happens with invalid or denied requests.
14358
14359 - Tc: total time to establish the TCP connection to the server. It's the time
14360 elapsed between the moment the proxy sent the connection request, and the
14361 moment it was acknowledged by the server, or between the TCP SYN packet and
14362 the matching SYN/ACK packet in return. The value "-1" means that the
14363 connection never established.
14364
14365 - Tr: server response time (HTTP mode only). It's the time elapsed between
14366 the moment the TCP connection was established to the server and the moment
14367 the server sent its complete response headers. It purely shows its request
14368 processing time, without the network overhead due to the data transmission.
14369 It is worth noting that when the client has data to send to the server, for
14370 instance during a POST request, the time already runs, and this can distort
14371 apparent response time. For this reason, it's generally wise not to trust
14372 too much this field for POST requests initiated from clients behind an
14373 untrusted network. A value of "-1" here means that the last the response
14374 header (empty line) was never seen, most likely because the server timeout
14375 stroke before the server managed to process the request.
14376
14377 - Tt: total session duration time, between the moment the proxy accepted it
14378 and the moment both ends were closed. The exception is when the "logasap"
14379 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
14380 prefixed with a '+' sign. From this field, we can deduce "Td", the data
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030014381 transmission time, by subtracting other timers when valid :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014382
14383 Td = Tt - (Tq + Tw + Tc + Tr)
14384
14385 Timers with "-1" values have to be excluded from this equation. In TCP
14386 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
14387 negative.
14388
14389These timers provide precious indications on trouble causes. Since the TCP
14390protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
14391that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014392due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014393close to a timeout value specified in the configuration, it often means that a
14394session has been aborted on timeout.
14395
14396Most common cases :
14397
14398 - If "Tq" is close to 3000, a packet has probably been lost between the
14399 client and the proxy. This is very rare on local networks but might happen
14400 when clients are on far remote networks and send large requests. It may
14401 happen that values larger than usual appear here without any network cause.
14402 Sometimes, during an attack or just after a resource starvation has ended,
14403 haproxy may accept thousands of connections in a few milliseconds. The time
14404 spent accepting these connections will inevitably slightly delay processing
14405 of other connections, and it can happen that request times in the order of
14406 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +020014407 connections have been accepted at once. Setting "option http-server-close"
14408 may display larger request times since "Tq" also measures the time spent
14409 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014410
14411 - If "Tc" is close to 3000, a packet has probably been lost between the
14412 server and the proxy during the server connection phase. This value should
14413 always be very low, such as 1 ms on local networks and less than a few tens
14414 of ms on remote networks.
14415
Willy Tarreau55165fe2009-05-10 12:02:55 +020014416 - If "Tr" is nearly always lower than 3000 except some rare values which seem
14417 to be the average majored by 3000, there are probably some packets lost
14418 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014419
14420 - If "Tt" is large even for small byte counts, it generally is because
14421 neither the client nor the server decides to close the connection, for
14422 instance because both have agreed on a keep-alive connection mode. In order
14423 to solve this issue, it will be needed to specify "option httpclose" on
14424 either the frontend or the backend. If the problem persists, it means that
14425 the server ignores the "close" connection mode and expects the client to
14426 close. Then it will be required to use "option forceclose". Having the
14427 smallest possible 'Tt' is important when connection regulation is used with
14428 the "maxconn" option on the servers, since no new connection will be sent
14429 to the server until another one is released.
14430
14431Other noticeable HTTP log cases ('xx' means any value to be ignored) :
14432
14433 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
14434 was emitted before the data phase. All the timers are valid
14435 except "Tt" which is shorter than reality.
14436
14437 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
14438 or it aborted too early. Check the session termination flags
14439 then "timeout http-request" and "timeout client" settings.
14440
14441 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
14442 servers were out of order, because the request was invalid
14443 or forbidden by ACL rules. Check the session termination
14444 flags.
14445
14446 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
14447 actively refused it or it timed out after Tt-(Tq+Tw) ms.
14448 Check the session termination flags, then check the
14449 "timeout connect" setting. Note that the tarpit action might
14450 return similar-looking patterns, with "Tw" equal to the time
14451 the client connection was maintained open.
14452
14453 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030014454 a complete response in time, or it closed its connection
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014455 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
14456 termination flags, then check the "timeout server" setting.
14457
14458
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200144598.5. Session state at disconnection
14460-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014461
14462TCP and HTTP logs provide a session termination indicator in the
14463"termination_state" field, just before the number of active connections. It is
144642-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
14465each of which has a special meaning :
14466
14467 - On the first character, a code reporting the first event which caused the
14468 session to terminate :
14469
14470 C : the TCP session was unexpectedly aborted by the client.
14471
14472 S : the TCP session was unexpectedly aborted by the server, or the
14473 server explicitly refused it.
14474
14475 P : the session was prematurely aborted by the proxy, because of a
14476 connection limit enforcement, because a DENY filter was matched,
14477 because of a security check which detected and blocked a dangerous
14478 error in server response which might have caused information leak
Willy Tarreau570f2212013-06-10 16:42:09 +020014479 (eg: cacheable cookie).
14480
14481 L : the session was locally processed by haproxy and was not passed to
14482 a server. This is what happens for stats and redirects.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014483
14484 R : a resource on the proxy has been exhausted (memory, sockets, source
14485 ports, ...). Usually, this appears during the connection phase, and
14486 system logs should contain a copy of the precise error. If this
14487 happens, it must be considered as a very serious anomaly which
14488 should be fixed as soon as possible by any means.
14489
14490 I : an internal error was identified by the proxy during a self-check.
14491 This should NEVER happen, and you are encouraged to report any log
14492 containing this, because this would almost certainly be a bug. It
14493 would be wise to preventively restart the process after such an
14494 event too, in case it would be caused by memory corruption.
14495
Simon Horman752dc4a2011-06-21 14:34:59 +090014496 D : the session was killed by haproxy because the server was detected
14497 as down and was configured to kill all connections when going down.
14498
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070014499 U : the session was killed by haproxy on this backup server because an
14500 active server was detected as up and was configured to kill all
14501 backup connections when going up.
14502
Willy Tarreaua2a64e92011-09-07 23:01:56 +020014503 K : the session was actively killed by an admin operating on haproxy.
14504
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014505 c : the client-side timeout expired while waiting for the client to
14506 send or receive data.
14507
14508 s : the server-side timeout expired while waiting for the server to
14509 send or receive data.
14510
14511 - : normal session completion, both the client and the server closed
14512 with nothing left in the buffers.
14513
14514 - on the second character, the TCP or HTTP session state when it was closed :
14515
Willy Tarreauf7b30a92010-12-06 22:59:17 +010014516 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014517 (HTTP mode only). Nothing was sent to any server.
14518
14519 Q : the proxy was waiting in the QUEUE for a connection slot. This can
14520 only happen when servers have a 'maxconn' parameter set. It can
14521 also happen in the global queue after a redispatch consecutive to
14522 a failed attempt to connect to a dying server. If no redispatch is
14523 reported, then no connection attempt was made to any server.
14524
14525 C : the proxy was waiting for the CONNECTION to establish on the
14526 server. The server might at most have noticed a connection attempt.
14527
14528 H : the proxy was waiting for complete, valid response HEADERS from the
14529 server (HTTP only).
14530
14531 D : the session was in the DATA phase.
14532
14533 L : the proxy was still transmitting LAST data to the client while the
14534 server had already finished. This one is very rare as it can only
14535 happen when the client dies while receiving the last packets.
14536
14537 T : the request was tarpitted. It has been held open with the client
14538 during the whole "timeout tarpit" duration or until the client
14539 closed, both of which will be reported in the "Tw" timer.
14540
14541 - : normal session completion after end of data transfer.
14542
14543 - the third character tells whether the persistence cookie was provided by
14544 the client (only in HTTP mode) :
14545
14546 N : the client provided NO cookie. This is usually the case for new
14547 visitors, so counting the number of occurrences of this flag in the
14548 logs generally indicate a valid trend for the site frequentation.
14549
14550 I : the client provided an INVALID cookie matching no known server.
14551 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +020014552 cookies between HTTP/HTTPS sites, persistence conditionally
14553 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014554
14555 D : the client provided a cookie designating a server which was DOWN,
14556 so either "option persist" was used and the client was sent to
14557 this server, or it was not set and the client was redispatched to
14558 another server.
14559
Willy Tarreau996a92c2010-10-13 19:30:47 +020014560 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014561 server.
14562
Willy Tarreau996a92c2010-10-13 19:30:47 +020014563 E : the client provided a valid cookie, but with a last date which was
14564 older than what is allowed by the "maxidle" cookie parameter, so
14565 the cookie is consider EXPIRED and is ignored. The request will be
14566 redispatched just as if there was no cookie.
14567
14568 O : the client provided a valid cookie, but with a first date which was
14569 older than what is allowed by the "maxlife" cookie parameter, so
14570 the cookie is consider too OLD and is ignored. The request will be
14571 redispatched just as if there was no cookie.
14572
Willy Tarreauc89ccb62012-04-05 21:18:22 +020014573 U : a cookie was present but was not used to select the server because
14574 some other server selection mechanism was used instead (typically a
14575 "use-server" rule).
14576
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014577 - : does not apply (no cookie set in configuration).
14578
14579 - the last character reports what operations were performed on the persistence
14580 cookie returned by the server (only in HTTP mode) :
14581
14582 N : NO cookie was provided by the server, and none was inserted either.
14583
14584 I : no cookie was provided by the server, and the proxy INSERTED one.
14585 Note that in "cookie insert" mode, if the server provides a cookie,
14586 it will still be overwritten and reported as "I" here.
14587
Willy Tarreau996a92c2010-10-13 19:30:47 +020014588 U : the proxy UPDATED the last date in the cookie that was presented by
14589 the client. This can only happen in insert mode with "maxidle". It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030014590 happens every time there is activity at a different date than the
Willy Tarreau996a92c2010-10-13 19:30:47 +020014591 date indicated in the cookie. If any other change happens, such as
14592 a redispatch, then the cookie will be marked as inserted instead.
14593
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014594 P : a cookie was PROVIDED by the server and transmitted as-is.
14595
14596 R : the cookie provided by the server was REWRITTEN by the proxy, which
14597 happens in "cookie rewrite" or "cookie prefix" modes.
14598
14599 D : the cookie provided by the server was DELETED by the proxy.
14600
14601 - : does not apply (no cookie set in configuration).
14602
Willy Tarreau996a92c2010-10-13 19:30:47 +020014603The combination of the two first flags gives a lot of information about what
14604was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014605helpful to detect server saturation, network troubles, local system resource
14606starvation, attacks, etc...
14607
14608The most common termination flags combinations are indicated below. They are
14609alphabetically sorted, with the lowercase set just after the upper case for
14610easier finding and understanding.
14611
14612 Flags Reason
14613
14614 -- Normal termination.
14615
14616 CC The client aborted before the connection could be established to the
14617 server. This can happen when haproxy tries to connect to a recently
14618 dead (or unchecked) server, and the client aborts while haproxy is
14619 waiting for the server to respond or for "timeout connect" to expire.
14620
14621 CD The client unexpectedly aborted during data transfer. This can be
14622 caused by a browser crash, by an intermediate equipment between the
14623 client and haproxy which decided to actively break the connection,
14624 by network routing issues between the client and haproxy, or by a
14625 keep-alive session between the server and the client terminated first
14626 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +010014627
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014628 cD The client did not send nor acknowledge any data for as long as the
14629 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +020014630 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014631
14632 CH The client aborted while waiting for the server to start responding.
14633 It might be the server taking too long to respond or the client
14634 clicking the 'Stop' button too fast.
14635
14636 cH The "timeout client" stroke while waiting for client data during a
14637 POST request. This is sometimes caused by too large TCP MSS values
14638 for PPPoE networks which cannot transport full-sized packets. It can
14639 also happen when client timeout is smaller than server timeout and
14640 the server takes too long to respond.
14641
14642 CQ The client aborted while its session was queued, waiting for a server
14643 with enough empty slots to accept it. It might be that either all the
14644 servers were saturated or that the assigned server was taking too
14645 long a time to respond.
14646
14647 CR The client aborted before sending a full HTTP request. Most likely
14648 the request was typed by hand using a telnet client, and aborted
14649 too early. The HTTP status code is likely a 400 here. Sometimes this
14650 might also be caused by an IDS killing the connection between haproxy
Willy Tarreau0f228a02015-05-01 15:37:53 +020014651 and the client. "option http-ignore-probes" can be used to ignore
14652 connections without any data transfer.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014653
14654 cR The "timeout http-request" stroke before the client sent a full HTTP
14655 request. This is sometimes caused by too large TCP MSS values on the
14656 client side for PPPoE networks which cannot transport full-sized
14657 packets, or by clients sending requests by hand and not typing fast
14658 enough, or forgetting to enter the empty line at the end of the
Willy Tarreau2705a612014-05-23 17:38:34 +020014659 request. The HTTP status code is likely a 408 here. Note: recently,
Willy Tarreau0f228a02015-05-01 15:37:53 +020014660 some browsers started to implement a "pre-connect" feature consisting
14661 in speculatively connecting to some recently visited web sites just
14662 in case the user would like to visit them. This results in many
14663 connections being established to web sites, which end up in 408
14664 Request Timeout if the timeout strikes first, or 400 Bad Request when
14665 the browser decides to close them first. These ones pollute the log
14666 and feed the error counters. Some versions of some browsers have even
14667 been reported to display the error code. It is possible to work
14668 around the undesirable effects of this behaviour by adding "option
14669 http-ignore-probes" in the frontend, resulting in connections with
14670 zero data transfer to be totally ignored. This will definitely hide
14671 the errors of people experiencing connectivity issues though.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014672
14673 CT The client aborted while its session was tarpitted. It is important to
14674 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +020014675 wrong tarpit rules have been written. If a lot of them happen, it
14676 might make sense to lower the "timeout tarpit" value to something
14677 closer to the average reported "Tw" timer, in order not to consume
14678 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014679
Willy Tarreau570f2212013-06-10 16:42:09 +020014680 LR The request was intercepted and locally handled by haproxy. Generally
14681 it means that this was a redirect or a stats request.
14682
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014683 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014684 the TCP connection (the proxy received a TCP RST or an ICMP message
14685 in return). Under some circumstances, it can also be the network
14686 stack telling the proxy that the server is unreachable (eg: no route,
14687 or no ARP response on local network). When this happens in HTTP mode,
14688 the status code is likely a 502 or 503 here.
14689
14690 sC The "timeout connect" stroke before a connection to the server could
14691 complete. When this happens in HTTP mode, the status code is likely a
14692 503 or 504 here.
14693
14694 SD The connection to the server died with an error during the data
14695 transfer. This usually means that haproxy has received an RST from
14696 the server or an ICMP message from an intermediate equipment while
14697 exchanging data with the server. This can be caused by a server crash
14698 or by a network issue on an intermediate equipment.
14699
14700 sD The server did not send nor acknowledge any data for as long as the
14701 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014702 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014703 load-balancers, ...), as well as keep-alive sessions maintained
14704 between the client and the server expiring first on haproxy.
14705
14706 SH The server aborted before sending its full HTTP response headers, or
14707 it crashed while processing the request. Since a server aborting at
14708 this moment is very rare, it would be wise to inspect its logs to
14709 control whether it crashed and why. The logged request may indicate a
14710 small set of faulty requests, demonstrating bugs in the application.
14711 Sometimes this might also be caused by an IDS killing the connection
14712 between haproxy and the server.
14713
14714 sH The "timeout server" stroke before the server could return its
14715 response headers. This is the most common anomaly, indicating too
14716 long transactions, probably caused by server or database saturation.
14717 The immediate workaround consists in increasing the "timeout server"
14718 setting, but it is important to keep in mind that the user experience
14719 will suffer from these long response times. The only long term
14720 solution is to fix the application.
14721
14722 sQ The session spent too much time in queue and has been expired. See
14723 the "timeout queue" and "timeout connect" settings to find out how to
14724 fix this if it happens too often. If it often happens massively in
14725 short periods, it may indicate general problems on the affected
14726 servers due to I/O or database congestion, or saturation caused by
14727 external attacks.
14728
14729 PC The proxy refused to establish a connection to the server because the
14730 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +020014731 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014732 so that it does not happen anymore. This status is very rare and
14733 might happen when the global "ulimit-n" parameter is forced by hand.
14734
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010014735 PD The proxy blocked an incorrectly formatted chunked encoded message in
14736 a request or a response, after the server has emitted its headers. In
14737 most cases, this will indicate an invalid message from the server to
Willy Tarreauf3a3e132013-08-31 08:16:26 +020014738 the client. Haproxy supports chunk sizes of up to 2GB - 1 (2147483647
14739 bytes). Any larger size will be considered as an error.
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010014740
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014741 PH The proxy blocked the server's response, because it was invalid,
14742 incomplete, dangerous (cache control), or matched a security filter.
14743 In any case, an HTTP 502 error is sent to the client. One possible
14744 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010014745 containing unauthorized characters. It is also possible but quite
14746 rare, that the proxy blocked a chunked-encoding request from the
14747 client due to an invalid syntax, before the server responded. In this
14748 case, an HTTP 400 error is sent to the client and reported in the
14749 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014750
14751 PR The proxy blocked the client's HTTP request, either because of an
14752 invalid HTTP syntax, in which case it returned an HTTP 400 error to
14753 the client, or because a deny filter matched, in which case it
14754 returned an HTTP 403 error.
14755
14756 PT The proxy blocked the client's request and has tarpitted its
14757 connection before returning it a 500 server error. Nothing was sent
14758 to the server. The connection was maintained open for as long as
14759 reported by the "Tw" timer field.
14760
14761 RC A local resource has been exhausted (memory, sockets, source ports)
14762 preventing the connection to the server from establishing. The error
14763 logs will tell precisely what was missing. This is very rare and can
14764 only be solved by proper system tuning.
14765
Willy Tarreau996a92c2010-10-13 19:30:47 +020014766The combination of the two last flags gives a lot of information about how
14767persistence was handled by the client, the server and by haproxy. This is very
14768important to troubleshoot disconnections, when users complain they have to
14769re-authenticate. The commonly encountered flags are :
14770
14771 -- Persistence cookie is not enabled.
14772
14773 NN No cookie was provided by the client, none was inserted in the
14774 response. For instance, this can be in insert mode with "postonly"
14775 set on a GET request.
14776
14777 II A cookie designating an invalid server was provided by the client,
14778 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040014779 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +020014780 value can be presented by a client when no other server knows it.
14781
14782 NI No cookie was provided by the client, one was inserted in the
14783 response. This typically happens for first requests from every user
14784 in "insert" mode, which makes it an easy way to count real users.
14785
14786 VN A cookie was provided by the client, none was inserted in the
14787 response. This happens for most responses for which the client has
14788 already got a cookie.
14789
14790 VU A cookie was provided by the client, with a last visit date which is
14791 not completely up-to-date, so an updated cookie was provided in
14792 response. This can also happen if there was no date at all, or if
14793 there was a date but the "maxidle" parameter was not set, so that the
14794 cookie can be switched to unlimited time.
14795
14796 EI A cookie was provided by the client, with a last visit date which is
14797 too old for the "maxidle" parameter, so the cookie was ignored and a
14798 new cookie was inserted in the response.
14799
14800 OI A cookie was provided by the client, with a first visit date which is
14801 too old for the "maxlife" parameter, so the cookie was ignored and a
14802 new cookie was inserted in the response.
14803
14804 DI The server designated by the cookie was down, a new server was
14805 selected and a new cookie was emitted in the response.
14806
14807 VI The server designated by the cookie was not marked dead but could not
14808 be reached. A redispatch happened and selected another one, which was
14809 then advertised in the response.
14810
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014811
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200148128.6. Non-printable characters
14813-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014814
14815In order not to cause trouble to log analysis tools or terminals during log
14816consulting, non-printable characters are not sent as-is into log files, but are
14817converted to the two-digits hexadecimal representation of their ASCII code,
14818prefixed by the character '#'. The only characters that can be logged without
14819being escaped are comprised between 32 and 126 (inclusive). Obviously, the
14820escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
14821is the same for the character '"' which becomes "#22", as well as '{', '|' and
14822'}' when logging headers.
14823
14824Note that the space character (' ') is not encoded in headers, which can cause
14825issues for tools relying on space count to locate fields. A typical header
14826containing spaces is "User-Agent".
14827
14828Last, it has been observed that some syslog daemons such as syslog-ng escape
14829the quote ('"') with a backslash ('\'). The reverse operation can safely be
14830performed since no quote may appear anywhere else in the logs.
14831
14832
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200148338.7. Capturing HTTP cookies
14834---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014835
14836Cookie capture simplifies the tracking a complete user session. This can be
14837achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014838section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014839cookie will simultaneously be checked in the request ("Cookie:" header) and in
14840the response ("Set-Cookie:" header). The respective values will be reported in
14841the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014842locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014843not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
14844user switches to a new session for example, because the server will reassign it
14845a new cookie. It is also possible to detect if a server unexpectedly sets a
14846wrong cookie to a client, leading to session crossing.
14847
14848 Examples :
14849 # capture the first cookie whose name starts with "ASPSESSION"
14850 capture cookie ASPSESSION len 32
14851
14852 # capture the first cookie whose name is exactly "vgnvisitor"
14853 capture cookie vgnvisitor= len 32
14854
14855
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200148568.8. Capturing HTTP headers
14857---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014858
14859Header captures are useful to track unique request identifiers set by an upper
14860proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
14861the response, one can search for information about the response length, how the
14862server asked the cache to behave, or an object location during a redirection.
14863
14864Header captures are performed using the "capture request header" and "capture
14865response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014866section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014867
14868It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014869time. Non-existent headers are logged as empty strings, and if one header
14870appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014871are grouped within braces '{' and '}' in the same order as they were declared,
14872and delimited with a vertical bar '|' without any space. Response headers
14873follow the same representation, but are displayed after a space following the
14874request headers block. These blocks are displayed just before the HTTP request
14875in the logs.
14876
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020014877As a special case, it is possible to specify an HTTP header capture in a TCP
14878frontend. The purpose is to enable logging of headers which will be parsed in
14879an HTTP backend if the request is then switched to this HTTP backend.
14880
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014881 Example :
14882 # This instance chains to the outgoing proxy
14883 listen proxy-out
14884 mode http
14885 option httplog
14886 option logasap
14887 log global
14888 server cache1 192.168.1.1:3128
14889
14890 # log the name of the virtual server
14891 capture request header Host len 20
14892
14893 # log the amount of data uploaded during a POST
14894 capture request header Content-Length len 10
14895
14896 # log the beginning of the referrer
14897 capture request header Referer len 20
14898
14899 # server name (useful for outgoing proxies only)
14900 capture response header Server len 20
14901
14902 # logging the content-length is useful with "option logasap"
14903 capture response header Content-Length len 10
14904
14905 # log the expected cache behaviour on the response
14906 capture response header Cache-Control len 8
14907
14908 # the Via header will report the next proxy's name
14909 capture response header Via len 20
14910
14911 # log the URL location during a redirection
14912 capture response header Location len 20
14913
14914 >>> Aug 9 20:26:09 localhost \
14915 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
14916 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
14917 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
14918 "GET http://fr.adserver.yahoo.com/"
14919
14920 >>> Aug 9 20:30:46 localhost \
14921 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
14922 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
14923 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010014924 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014925
14926 >>> Aug 9 20:30:46 localhost \
14927 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
14928 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
14929 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
14930 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010014931 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014932
14933
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200149348.9. Examples of logs
14935---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014936
14937These are real-world examples of logs accompanied with an explanation. Some of
14938them have been made up by hand. The syslog part has been removed for better
14939reading. Their sole purpose is to explain how to decipher them.
14940
14941 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
14942 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
14943 "HEAD / HTTP/1.0"
14944
14945 => long request (6.5s) entered by hand through 'telnet'. The server replied
14946 in 147 ms, and the session ended normally ('----')
14947
14948 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
14949 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
14950 0/9 "HEAD / HTTP/1.0"
14951
14952 => Idem, but the request was queued in the global queue behind 9 other
14953 requests, and waited there for 1230 ms.
14954
14955 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
14956 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
14957 "GET /image.iso HTTP/1.0"
14958
14959 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014960 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014961 14 ms, 243 bytes of headers were sent to the client, and total time from
14962 accept to first data byte is 30 ms.
14963
14964 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
14965 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
14966 "GET /cgi-bin/bug.cgi? HTTP/1.0"
14967
14968 => the proxy blocked a server response either because of an "rspdeny" or
14969 "rspideny" filter, or because the response was improperly formatted and
Willy Tarreau3c92c5f2011-08-28 09:45:47 +020014970 not HTTP-compliant, or because it blocked sensitive information which
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014971 risked being cached. In this case, the response is replaced with a "502
14972 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
14973 to return the 502 and not the server.
14974
14975 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +010014976 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014977
14978 => the client never completed its request and aborted itself ("C---") after
14979 8.5s, while the proxy was waiting for the request headers ("-R--").
14980 Nothing was sent to any server.
14981
14982 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
14983 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
14984
14985 => The client never completed its request, which was aborted by the
14986 time-out ("c---") after 50s, while the proxy was waiting for the request
14987 headers ("-R--"). Nothing was sent to any server, but the proxy could
14988 send a 408 return code to the client.
14989
14990 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
14991 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
14992
14993 => This log was produced with "option tcplog". The client timed out after
14994 5 seconds ("c----").
14995
14996 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
14997 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +010014998 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010014999
15000 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015001 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +010015002 (config says 'retries 3'), and no redispatch (otherwise we would have
15003 seen "/+3"). Status code 503 was returned to the client. There were 115
15004 connections on this server, 202 connections on this proxy, and 205 on
15005 the global process. It is possible that the server refused the
15006 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010015007
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010015008
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200150099. Statistics and monitoring
15010----------------------------
15011
15012It is possible to query HAProxy about its status. The most commonly used
15013mechanism is the HTTP statistics page. This page also exposes an alternative
15014CSV output format for monitoring tools. The same format is provided on the
15015Unix socket.
15016
15017
150189.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010015019---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010015020
Willy Tarreau7f062c42009-03-05 18:43:00 +010015021The statistics may be consulted either from the unix socket or from the HTTP
Willy Tarreaua3310dc2014-06-16 15:43:21 +020015022page. Both means provide a CSV format whose fields follow. The first line
15023begins with a sharp ('#') and has one word per comma-delimited field which
15024represents the title of the column. All other lines starting at the second one
15025use a classical CSV format using a comma as the delimiter, and the double quote
15026('"') as an optional text delimiter, but only if the enclosed text is ambiguous
15027(if it contains a quote or a comma). The double-quote character ('"') in the
15028text is doubled ('""'), which is the format that most tools recognize. Please
15029do not insert any column before these ones in order not to break tools which
15030use hard-coded column positions.
Willy Tarreau7f062c42009-03-05 18:43:00 +010015031
James Westbyebe62d62014-07-08 10:14:57 -040015032In brackets after each field name are the types which may have a value for
15033that field. The types are L (Listeners), F (Frontends), B (Backends), and
15034S (Servers).
15035
15036 0. pxname [LFBS]: proxy name
15037 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend,
15038 any name for server/listener)
15039 2. qcur [..BS]: current queued requests. For the backend this reports the
15040 number queued without a server assigned.
15041 3. qmax [..BS]: max value of qcur
15042 4. scur [LFBS]: current sessions
15043 5. smax [LFBS]: max sessions
15044 6. slim [LFBS]: configured session limit
15045 7. stot [LFBS]: cumulative number of connections
15046 8. bin [LFBS]: bytes in
15047 9. bout [LFBS]: bytes out
15048 10. dreq [LFB.]: requests denied because of security concerns.
15049 - For tcp this is because of a matched tcp-request content rule.
15050 - For http this is because of a matched http-request or tarpit rule.
15051 11. dresp [LFBS]: responses denied because of security concerns.
15052 - For http this is because of a matched http-request rule, or
15053 "option checkcache".
15054 12. ereq [LF..]: request errors. Some of the possible causes are:
15055 - early termination from the client, before the request has been sent.
15056 - read error from the client
15057 - client timeout
15058 - client closed connection
15059 - various bad requests from the client.
15060 - request was tarpitted.
15061 13. econ [..BS]: number of requests that encountered an error trying to
15062 connect to a backend server. The backend stat is the sum of the stat
15063 for all servers of that backend, plus any connection errors not
15064 associated with a particular server (such as the backend having no
15065 active servers).
15066 14. eresp [..BS]: response errors. srv_abrt will be counted here also.
15067 Some other errors are:
15068 - write error on the client socket (won't be counted for the server stat)
15069 - failure applying filters to the response.
15070 15. wretr [..BS]: number of times a connection to a server was retried.
15071 16. wredis [..BS]: number of times a request was redispatched to another
15072 server. The server value counts the number of times that server was
15073 switched away from.
15074 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Pavlos Parissis1f673c72015-05-02 20:30:44 +020015075 18. weight [..BS]: total weight (backend), server weight (server)
15076 19. act [..BS]: number of active servers (backend), server is active (server)
15077 20. bck [..BS]: number of backup servers (backend), server is backup (server)
James Westbyebe62d62014-07-08 10:14:57 -040015078 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
15079 the server is up.)
15080 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
15081 transitions to the whole backend being down, rather than the sum of the
15082 counters for each server.
15083 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition
15084 24. downtime [..BS]: total downtime (in seconds). The value for the backend
15085 is the downtime for the whole backend, not the sum of the server downtime.
15086 25. qlimit [...S]: configured maxqueue for the server, or nothing in the
15087 value is 0 (default, meaning no limit)
15088 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...)
15089 27. iid [LFBS]: unique proxy id
15090 28. sid [L..S]: server id (unique inside a proxy)
15091 29. throttle [...S]: current throttle percentage for the server, when
15092 slowstart is active, or no value if not in slowstart.
15093 30. lbtot [..BS]: total number of times a server was selected, either for new
15094 sessions, or when re-dispatching. The server counter is the number
15095 of times that server was selected.
15096 31. tracked [...S]: id of proxy/server if tracking is enabled.
15097 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener)
15098 33. rate [.FBS]: number of sessions per second over last elapsed second
15099 34. rate_lim [.F..]: configured limit on new sessions per second
15100 35. rate_max [.FBS]: max number of new sessions per second
15101 36. check_status [...S]: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +010015102 UNK -> unknown
15103 INI -> initializing
15104 SOCKERR -> socket error
15105 L4OK -> check passed on layer 4, no upper layers testing enabled
Jason Harvey83104802015-04-16 11:13:21 -080015106 L4TOUT -> layer 1-4 timeout
Cyril Bontéf0c60612010-02-06 14:44:47 +010015107 L4CON -> layer 1-4 connection problem, for example
15108 "Connection refused" (tcp rst) or "No route to host" (icmp)
15109 L6OK -> check passed on layer 6
15110 L6TOUT -> layer 6 (SSL) timeout
15111 L6RSP -> layer 6 invalid response - protocol error
15112 L7OK -> check passed on layer 7
15113 L7OKC -> check conditionally passed on layer 7, for example 404 with
15114 disable-on-404
15115 L7TOUT -> layer 7 (HTTP/SMTP) timeout
15116 L7RSP -> layer 7 invalid response - protocol error
15117 L7STS -> layer 7 response error, for example HTTP 5xx
James Westbyebe62d62014-07-08 10:14:57 -040015118 37. check_code [...S]: layer5-7 code, if available
15119 38. check_duration [...S]: time in ms took to finish last health check
15120 39. hrsp_1xx [.FBS]: http responses with 1xx code
15121 40. hrsp_2xx [.FBS]: http responses with 2xx code
15122 41. hrsp_3xx [.FBS]: http responses with 3xx code
15123 42. hrsp_4xx [.FBS]: http responses with 4xx code
15124 43. hrsp_5xx [.FBS]: http responses with 5xx code
15125 44. hrsp_other [.FBS]: http responses with other codes (protocol error)
15126 45. hanafail [...S]: failed health checks details
15127 46. req_rate [.F..]: HTTP requests per second over last elapsed second
15128 47. req_rate_max [.F..]: max number of HTTP requests per second observed
15129 48. req_tot [.F..]: total number of HTTP requests received
15130 49. cli_abrt [..BS]: number of data transfers aborted by the client
15131 50. srv_abrt [..BS]: number of data transfers aborted by the server
15132 (inc. in eresp)
15133 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor
15134 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor
15135 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor
15136 (CPU/BW limit)
15137 54. comp_rsp [.FB.]: number of HTTP responses that were compressed
15138 55. lastsess [..BS]: number of seconds since last session assigned to
15139 server/backend
15140 56. last_chk [...S]: last health check contents or textual error
15141 57. last_agt [...S]: last agent check contents or textual error
15142 58. qtime [..BS]: the average queue time in ms over the 1024 last requests
15143 59. ctime [..BS]: the average connect time in ms over the 1024 last requests
15144 60. rtime [..BS]: the average response time in ms over the 1024 last requests
15145 (0 for TCP)
15146 61. ttime [..BS]: the average total session time in ms over the 1024 last
15147 requests
Willy Tarreau844e3c52008-01-11 16:28:18 +010015148
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010015149
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200151509.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010015151-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010015152
Willy Tarreau468f4932013-08-01 16:50:16 +020015153The stats socket is not enabled by default. In order to enable it, it is
15154necessary to add one line in the global section of the haproxy configuration.
15155A second line is recommended to set a larger timeout, always appreciated when
15156issuing commands by hand :
15157
15158 global
15159 stats socket /var/run/haproxy.sock mode 600 level admin
15160 stats timeout 2m
15161
15162It is also possible to add multiple instances of the stats socket by repeating
15163the line, and make them listen to a TCP port instead of a UNIX socket. This is
15164never done by default because this is dangerous, but can be handy in some
15165situations :
15166
15167 global
15168 stats socket /var/run/haproxy.sock mode 600 level admin
15169 stats socket ipv4@192.168.0.1:9999 level admin
15170 stats timeout 2m
15171
15172To access the socket, an external utility such as "socat" is required. Socat is a
15173swiss-army knife to connect anything to anything. We use it to connect terminals
15174to the socket, or a couple of stdin/stdout pipes to it for scripts. The two main
15175syntaxes we'll use are the following :
15176
15177 # socat /var/run/haproxy.sock stdio
15178 # socat /var/run/haproxy.sock readline
15179
15180The first one is used with scripts. It is possible to send the output of a
15181script to haproxy, and pass haproxy's output to another script. That's useful
15182for retrieving counters or attack traces for example.
15183
15184The second one is only useful for issuing commands by hand. It has the benefit
15185that the terminal is handled by the readline library which supports line
15186editing and history, which is very convenient when issuing repeated commands
15187(eg: watch a counter).
15188
15189The socket supports two operation modes :
15190 - interactive
15191 - non-interactive
15192
15193The non-interactive mode is the default when socat connects to the socket. In
15194this mode, a single line may be sent. It is processed as a whole, responses are
15195sent back, and the connection closes after the end of the response. This is the
15196mode that scripts and monitoring tools use. It is possible to send multiple
15197commands in this mode, they need to be delimited by a semi-colon (';'). For
15198example :
15199
15200 # echo "show info;show stat;show table" | socat /var/run/haproxy stdio
15201
15202The interactive mode displays a prompt ('>') and waits for commands to be
15203entered on the line, then processes them, and displays the prompt again to wait
15204for a new command. This mode is entered via the "prompt" command which must be
15205sent on the first line in non-interactive mode. The mode is a flip switch, if
15206"prompt" is sent in interactive mode, it is disabled and the connection closes
15207after processing the last command of the same line.
15208
15209For this reason, when debugging by hand, it's quite common to start with the
15210"prompt" command :
15211
15212 # socat /var/run/haproxy readline
15213 prompt
15214 > show info
15215 ...
15216 >
15217
15218Since multiple commands may be issued at once, haproxy uses the empty line as a
15219delimiter to mark an end of output for each command, and takes care of ensuring
15220that no command can emit an empty line on output. A script can thus easily
15221parse the output even when multiple commands were pipelined on a single line.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010015222
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015223It is important to understand that when multiple haproxy processes are started
15224on the same sockets, any process may pick up the request and will output its
15225own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010015226
Willy Tarreau468f4932013-08-01 16:50:16 +020015227The list of commands currently supported on the stats socket is provided below.
15228If an unknown command is sent, haproxy displays the usage message which reminds
15229all supported commands. Some commands support a more complex syntax, generally
15230it will explain what part of the command is invalid when this happens.
15231
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015232add acl <acl> <pattern>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015233 Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
15234 "show acl". This command does not verify if the entry already exists. This
15235 command cannot be used if the reference <acl> is a file also used with a map.
15236 In this case, you must use the command "add map" in place of "add acl".
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015237
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010015238add map <map> <key> <value>
15239 Add an entry into the map <map> to associate the value <value> to the key
15240 <key>. This command does not verify if the entry already exists. It is
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015241 mainly used to fill a map after a clear operation. Note that if the reference
15242 <map> is a file and is shared with a map, this map will contain also a new
15243 pattern entry.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010015244
Willy Tarreaud63335a2010-02-26 12:56:52 +010015245clear counters
15246 Clear the max values of the statistics counters in each proxy (frontend &
15247 backend) and in each server. The cumulated counters are not affected. This
15248 can be used to get clean counters after an incident, without having to
15249 restart nor to clear traffic counters. This command is restricted and can
15250 only be issued on sockets configured for levels "operator" or "admin".
15251
15252clear counters all
15253 Clear all statistics counters in each proxy (frontend & backend) and in each
15254 server. This has the same effect as restarting. This command is restricted
15255 and can only be issued on sockets configured for level "admin".
15256
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015257clear acl <acl>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015258 Remove all entries from the acl <acl>. <acl> is the #<id> or the <file>
15259 returned by "show acl". Note that if the reference <acl> is a file and is
15260 shared with a map, this map will be also cleared.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015261
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010015262clear map <map>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015263 Remove all entries from the map <map>. <map> is the #<id> or the <file>
15264 returned by "show map". Note that if the reference <map> is a file and is
15265 shared with a acl, this acl will be also cleared.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010015266
Simon Hormanc88b8872011-06-15 15:18:49 +090015267clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
15268 Remove entries from the stick-table <table>.
15269
15270 This is typically used to unblock some users complaining they have been
15271 abusively denied access to a service, but this can also be used to clear some
15272 stickiness entries matching a server that is going to be replaced (see "show
15273 table" below for details). Note that sometimes, removal of an entry will be
15274 refused because it is currently tracked by a session. Retrying a few seconds
15275 later after the session ends is usual enough.
15276
15277 In the case where no options arguments are given all entries will be removed.
15278
15279 When the "data." form is used entries matching a filter applied using the
15280 stored data (see "stick-table" in section 4.2) are removed. A stored data
15281 type must be specified in <type>, and this data type must be stored in the
15282 table otherwise an error is reported. The data is compared according to
15283 <operator> with the 64-bit integer <value>. Operators are the same as with
15284 the ACLs :
15285
15286 - eq : match entries whose data is equal to this value
15287 - ne : match entries whose data is not equal to this value
15288 - le : match entries whose data is less than or equal to this value
15289 - ge : match entries whose data is greater than or equal to this value
15290 - lt : match entries whose data is less than this value
15291 - gt : match entries whose data is greater than this value
15292
15293 When the key form is used the entry <key> is removed. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090015294 same type as the table, which currently is limited to IPv4, IPv6, integer and
15295 string.
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015296
15297 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020015298 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020015299 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020015300 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
15301 bytes_out_rate(60000)=187
15302 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
15303 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015304
15305 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
15306
15307 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020015308 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau62a36c42010-08-17 15:53:10 +020015309 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
15310 bytes_out_rate(60000)=191
Simon Hormanc88b8872011-06-15 15:18:49 +090015311 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
15312 $ echo "show table http_proxy" | socat stdio /tmp/sock1
15313 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015314
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015315del acl <acl> [<key>|#<ref>]
15316 Delete all the acl entries from the acl <acl> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015317 <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used,
15318 this command delete only the listed reference. The reference can be found with
15319 listing the content of the acl. Note that if the reference <acl> is a file and
15320 is shared with a map, the entry will be also deleted in the map.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015321
15322del map <map> [<key>|#<ref>]
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010015323 Delete all the map entries from the map <map> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015324 <map> is the #<id> or the <file> returned by "show map". If the <ref> is used,
15325 this command delete only the listed reference. The reference can be found with
15326 listing the content of the map. Note that if the reference <map> is a file and
15327 is shared with a acl, the entry will be also deleted in the map.
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010015328
15329disable agent <backend>/<server>
Simon Horman671b6f02013-11-25 10:46:39 +090015330 Mark the auxiliary agent check as temporarily stopped.
15331
15332 In the case where an agent check is being run as a auxiliary check, due
15333 to the agent-check parameter of a server directive, new checks are only
15334 initialised when the agent is in the enabled. Thus, disable agent will
15335 prevent any new agent checks from begin initiated until the agent
15336 re-enabled using enable agent.
15337
15338 When an agent is disabled the processing of an auxiliary agent check that
15339 was initiated while the agent was set as enabled is as follows: All
15340 results that would alter the weight, specifically "drain" or a weight
15341 returned by the agent, are ignored. The processing of agent check is
15342 otherwise unchanged.
15343
15344 The motivation for this feature is to allow the weight changing effects
15345 of the agent checks to be paused to allow the weight of a server to be
15346 configured using set weight without being overridden by the agent.
15347
15348 This command is restricted and can only be issued on sockets configured for
15349 level "admin".
15350
Willy Tarreau532a4502011-09-07 22:37:44 +020015351disable frontend <frontend>
15352 Mark the frontend as temporarily stopped. This corresponds to the mode which
15353 is used during a soft restart : the frontend releases the port but can be
15354 enabled again if needed. This should be used with care as some non-Linux OSes
15355 are unable to enable it back. This is intended to be used in environments
15356 where stopping a proxy is not even imaginable but a misconfigured proxy must
15357 be fixed. That way it's possible to release the port and bind it into another
15358 process to restore operations. The frontend will appear with status "STOP"
15359 on the stats page.
15360
15361 The frontend may be specified either by its name or by its numeric ID,
15362 prefixed with a sharp ('#').
15363
15364 This command is restricted and can only be issued on sockets configured for
15365 level "admin".
15366
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020015367disable health <backend>/<server>
15368 Mark the primary health check as temporarily stopped. This will disable
15369 sending of health checks, and the last health check result will be ignored.
15370 The server will be in unchecked state and considered UP unless an auxiliary
15371 agent check forces it down.
15372
15373 This command is restricted and can only be issued on sockets configured for
15374 level "admin".
15375
Willy Tarreaud63335a2010-02-26 12:56:52 +010015376disable server <backend>/<server>
15377 Mark the server DOWN for maintenance. In this mode, no more checks will be
15378 performed on the server until it leaves maintenance.
15379 If the server is tracked by other servers, those servers will be set to DOWN
15380 during the maintenance.
15381
15382 In the statistics page, a server DOWN for maintenance will appear with a
15383 "MAINT" status, its tracking servers with the "MAINT(via)" one.
15384
15385 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020015386 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010015387
15388 This command is restricted and can only be issued on sockets configured for
15389 level "admin".
15390
Simon Horman671b6f02013-11-25 10:46:39 +090015391enable agent <backend>/<server>
15392 Resume auxiliary agent check that was temporarily stopped.
15393
15394 See "disable agent" for details of the effect of temporarily starting
15395 and stopping an auxiliary agent.
15396
15397 This command is restricted and can only be issued on sockets configured for
15398 level "admin".
15399
Willy Tarreau532a4502011-09-07 22:37:44 +020015400enable frontend <frontend>
15401 Resume a frontend which was temporarily stopped. It is possible that some of
15402 the listening ports won't be able to bind anymore (eg: if another process
15403 took them since the 'disable frontend' operation). If this happens, an error
15404 is displayed. Some operating systems might not be able to resume a frontend
15405 which was disabled.
15406
15407 The frontend may be specified either by its name or by its numeric ID,
15408 prefixed with a sharp ('#').
15409
15410 This command is restricted and can only be issued on sockets configured for
15411 level "admin".
15412
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020015413enable health <backend>/<server>
15414 Resume a primary health check that was temporarily stopped. This will enable
15415 sending of health checks again. Please see "disable health" for details.
15416
15417 This command is restricted and can only be issued on sockets configured for
15418 level "admin".
15419
Willy Tarreaud63335a2010-02-26 12:56:52 +010015420enable server <backend>/<server>
15421 If the server was previously marked as DOWN for maintenance, this marks the
15422 server UP and checks are re-enabled.
15423
15424 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020015425 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010015426
15427 This command is restricted and can only be issued on sockets configured for
15428 level "admin".
15429
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010015430get map <map> <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015431get acl <acl> <value>
15432 Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl>
15433 are the #<id> or the <file> returned by "show map" or "show acl". This command
15434 returns all the matching patterns associated with this map. This is useful for
15435 debugging maps and ACLs. The output format is composed by one line par
15436 matching type. Each line is composed by space-delimited series of words.
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010015437
15438 The first two words are:
15439
15440 <match method>: The match method applied. It can be "found", "bool",
15441 "int", "ip", "bin", "len", "str", "beg", "sub", "dir",
15442 "dom", "end" or "reg".
15443
15444 <match result>: The result. Can be "match" or "no-match".
15445
15446 The following words are returned only if the pattern matches an entry.
15447
15448 <index type>: "tree" or "list". The internal lookup algorithm.
15449
15450 <case>: "case-insensitive" or "case-sensitive". The
15451 interpretation of the case.
15452
15453 <entry matched>: match="<entry>". Return the matched pattern. It is
15454 useful with regular expressions.
15455
15456 The two last word are used to show the returned value and its type. With the
15457 "acl" case, the pattern doesn't exist.
15458
15459 return=nothing: No return because there are no "map".
15460 return="<value>": The value returned in the string format.
15461 return=cannot-display: The value cannot be converted as string.
15462
15463 type="<type>": The type of the returned sample.
15464
Willy Tarreaud63335a2010-02-26 12:56:52 +010015465get weight <backend>/<server>
15466 Report the current weight and the initial weight of server <server> in
15467 backend <backend> or an error if either doesn't exist. The initial weight is
15468 the one that appears in the configuration file. Both are normally equal
15469 unless the current weight has been changed. Both the backend and the server
15470 may be specified either by their name or by their numeric ID, prefixed with a
Willy Tarreauf5f31922011-08-02 11:32:07 +020015471 sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010015472
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015473help
15474 Print the list of known keywords and their basic usage. The same help screen
15475 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010015476
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015477prompt
15478 Toggle the prompt at the beginning of the line and enter or leave interactive
15479 mode. In interactive mode, the connection is not closed after a command
15480 completes. Instead, the prompt will appear again, indicating the user that
15481 the interpreter is waiting for a new command. The prompt consists in a right
15482 angle bracket followed by a space "> ". This mode is particularly convenient
15483 when one wants to periodically check information such as stats or errors.
15484 It is also a good idea to enter interactive mode before issuing a "help"
15485 command.
15486
15487quit
15488 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010015489
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015490set map <map> [<key>|#<ref>] <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015491 Modify the value corresponding to each key <key> in a map <map>. <map> is the
15492 #<id> or <file> returned by "show map". If the <ref> is used in place of
15493 <key>, only the entry pointed by <ref> is changed. The new value is <value>.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010015494
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020015495set maxconn frontend <frontend> <value>
Willy Tarreau3c7a79d2012-09-26 21:07:15 +020015496 Dynamically change the specified frontend's maxconn setting. Any positive
15497 value is allowed including zero, but setting values larger than the global
15498 maxconn does not make much sense. If the limit is increased and connections
15499 were pending, they will immediately be accepted. If it is lowered to a value
15500 below the current number of connections, new connections acceptation will be
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020015501 delayed until the threshold is reached. The frontend might be specified by
15502 either its name or its numeric ID prefixed with a sharp ('#').
15503
Willy Tarreau91886b62011-09-07 14:38:31 +020015504set maxconn global <maxconn>
15505 Dynamically change the global maxconn setting within the range defined by the
15506 initial global maxconn setting. If it is increased and connections were
15507 pending, they will immediately be accepted. If it is lowered to a value below
15508 the current number of connections, new connections acceptation will be
15509 delayed until the threshold is reached. A value of zero restores the initial
15510 setting.
15511
Willy Tarreauf5b22872011-09-07 16:13:44 +020015512set rate-limit connections global <value>
15513 Change the process-wide connection rate limit, which is set by the global
15514 'maxconnrate' setting. A value of zero disables the limitation. This limit
15515 applies to all frontends and the change has an immediate effect. The value
15516 is passed in number of connections per second.
15517
William Lallemandd85f9172012-11-09 17:05:39 +010015518set rate-limit http-compression global <value>
15519 Change the maximum input compression rate, which is set by the global
15520 'maxcomprate' setting. A value of zero disables the limitation. The value is
William Lallemand096f5542012-11-19 17:26:05 +010015521 passed in number of kilobytes per second. The value is available in the "show
15522 info" on the line "CompressBpsRateLim" in bytes.
William Lallemandd85f9172012-11-09 17:05:39 +010015523
Willy Tarreau93e7c002013-10-07 18:51:07 +020015524set rate-limit sessions global <value>
15525 Change the process-wide session rate limit, which is set by the global
15526 'maxsessrate' setting. A value of zero disables the limitation. This limit
15527 applies to all frontends and the change has an immediate effect. The value
15528 is passed in number of sessions per second.
15529
Willy Tarreaue43d5322013-10-07 20:01:52 +020015530set rate-limit ssl-sessions global <value>
15531 Change the process-wide SSL session rate limit, which is set by the global
15532 'maxsslrate' setting. A value of zero disables the limitation. This limit
15533 applies to all frontends and the change has an immediate effect. The value
15534 is passed in number of sessions per second sent to the SSL stack. It applies
15535 before the handshake in order to protect the stack against handshake abuses.
15536
Baptiste Assmann3d8f8312015-04-13 22:54:33 +020015537set server <backend>/<server> addr <ip4 or ip6 address>
15538 Replace the current IP address of a server by the one provided.
15539
Willy Tarreau2a4b70f2014-05-22 18:42:35 +020015540set server <backend>/<server> agent [ up | down ]
15541 Force a server's agent to a new state. This can be useful to immediately
15542 switch a server's state regardless of some slow agent checks for example.
15543 Note that the change is propagated to tracking servers if any.
15544
15545set server <backend>/<server> health [ up | stopping | down ]
15546 Force a server's health to a new state. This can be useful to immediately
15547 switch a server's state regardless of some slow health checks for example.
15548 Note that the change is propagated to tracking servers if any.
15549
15550set server <backend>/<server> state [ ready | drain | maint ]
15551 Force a server's administrative state to a new state. This can be useful to
15552 disable load balancing and/or any traffic to a server. Setting the state to
15553 "ready" puts the server in normal mode, and the command is the equivalent of
15554 the "enable server" command. Setting the state to "maint" disables any traffic
15555 to the server as well as any health checks. This is the equivalent of the
15556 "disable server" command. Setting the mode to "drain" only removes the server
15557 from load balancing but still allows it to be checked and to accept new
15558 persistent connections. Changes are propagated to tracking servers if any.
15559
15560set server <backend>/<server> weight <weight>[%]
15561 Change a server's weight to the value passed in argument. This is the exact
15562 equivalent of the "set weight" command below.
15563
Emeric Brun4147b2e2014-06-16 18:36:30 +020015564set ssl ocsp-response <response>
15565 This command is used to update an OCSP Response for a certificate (see "crt"
15566 on "bind" lines). Same controls are performed as during the initial loading of
15567 the response. The <response> must be passed as a base64 encoded string of the
15568 DER encoded response from the OCSP server.
15569
15570 Example:
15571 openssl ocsp -issuer issuer.pem -cert server.pem \
15572 -host ocsp.issuer.com:80 -respout resp.der
15573 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
15574 socat stdio /var/run/haproxy.stat
15575
Nenad Merdanovicc6985f02015-05-09 08:46:02 +020015576set ssl tls-key <id> <tlskey>
15577 Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
15578 ultimate key, while the penultimate one is used for encryption (others just
15579 decrypt). The oldest TLS key present is overwritten. <id> is either a numeric
15580 #<id> or <file> returned by "show tls-keys". <tlskey> is a base64 encoded 48
15581 bit TLS ticket key (ex. openssl rand -base64 48).
15582
Willy Tarreau47060b62013-08-01 21:11:42 +020015583set table <table> key <key> [data.<data_type> <value>]*
Willy Tarreau654694e2012-06-07 01:03:16 +020015584 Create or update a stick-table entry in the table. If the key is not present,
15585 an entry is inserted. See stick-table in section 4.2 to find all possible
15586 values for <data_type>. The most likely use consists in dynamically entering
15587 entries for source IP addresses, with a flag in gpc0 to dynamically block an
Willy Tarreau47060b62013-08-01 21:11:42 +020015588 IP address or affect its quality of service. It is possible to pass multiple
15589 data_types in a single call.
Willy Tarreau654694e2012-06-07 01:03:16 +020015590
Willy Tarreaud63335a2010-02-26 12:56:52 +010015591set timeout cli <delay>
15592 Change the CLI interface timeout for current connection. This can be useful
15593 during long debugging sessions where the user needs to constantly inspect
15594 some indicators without being disconnected. The delay is passed in seconds.
15595
15596set weight <backend>/<server> <weight>[%]
15597 Change a server's weight to the value passed in argument. If the value ends
15598 with the '%' sign, then the new weight will be relative to the initially
Simon Horman58b5d292013-02-12 10:45:52 +090015599 configured weight. Absolute weights are permitted between 0 and 256.
15600 Relative weights must be positive with the resulting absolute weight is
15601 capped at 256. Servers which are part of a farm running a static
15602 load-balancing algorithm have stricter limitations because the weight
15603 cannot change once set. Thus for these servers, the only accepted values
15604 are 0 and 100% (or 0 and the initial weight). Changes take effect
15605 immediately, though certain LB algorithms require a certain amount of
15606 requests to consider changes. A typical usage of this command is to
15607 disable a server during an update by setting its weight to zero, then to
15608 enable it again after the update by setting it back to 100%. This command
15609 is restricted and can only be issued on sockets configured for level
15610 "admin". Both the backend and the server may be specified either by their
15611 name or by their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010015612
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010015613show errors [<iid>]
15614 Dump last known request and response errors collected by frontends and
15615 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +020015616 either frontend or backend whose ID is <iid>. This command is restricted
15617 and can only be issued on sockets configured for levels "operator" or
15618 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010015619
15620 The errors which may be collected are the last request and response errors
15621 caused by protocol violations, often due to invalid characters in header
15622 names. The report precisely indicates what exact character violated the
15623 protocol. Other important information such as the exact date the error was
15624 detected, frontend and backend names, the server name (when known), the
15625 internal session ID and the source address which has initiated the session
15626 are reported too.
15627
15628 All characters are returned, and non-printable characters are encoded. The
15629 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
15630 letter following a backslash. The backslash itself is encoded as '\\' to
15631 avoid confusion. Other non-printable characters are encoded '\xNN' where
15632 NN is the two-digits hexadecimal representation of the character's ASCII
15633 code.
15634
15635 Lines are prefixed with the position of their first character, starting at 0
15636 for the beginning of the buffer. At most one input line is printed per line,
15637 and large lines will be broken into multiple consecutive output lines so that
15638 the output never goes beyond 79 characters wide. It is easy to detect if a
15639 line was broken, because it will not end with '\n' and the next line's offset
15640 will be followed by a '+' sign, indicating it is a continuation of previous
15641 line.
15642
15643 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020015644 $ echo "show errors" | socat stdio /tmp/sock1
15645 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010015646 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
15647 response length 213 bytes, error at position 23:
15648
15649 00000 HTTP/1.0 200 OK\r\n
15650 00017 header/bizarre:blah\r\n
15651 00038 Location: blah\r\n
15652 00054 Long-line: this is a very long line which should b
15653 00104+ e broken into multiple lines on the output buffer,
15654 00154+ otherwise it would be too large to print in a ter
15655 00204+ minal\r\n
15656 00211 \r\n
15657
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015658 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010015659 ID 2 has blocked an invalid response from its server s2 which has internal
15660 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
15661 received by frontend fe-eth0 whose ID is 1. The total response length was
15662 213 bytes when the error was detected, and the error was at byte 23. This
15663 is the slash ('/') in header name "header/bizarre", which is not a valid
15664 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010015665
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015666show info
15667 Dump info about haproxy status on current process.
15668
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010015669show map [<map>]
15670 Dump info about map converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015671 maps is returned. If a <map> is specified, its contents are dumped. <map> is
15672 the #<id> or <file>. The first column is a unique identifier. It can be used
15673 as reference for the operation "del map" and "set map". The second column is
15674 the pattern and the third column is the sample if available. The data returned
15675 are not directly a list of available maps, but are the list of all patterns
15676 composing any map. Many of these patterns can be shared with ACL.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010015677
15678show acl [<acl>]
15679 Dump info about acl converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010015680 acls is returned. If a <acl> is specified, its contents are dumped. <acl> if
15681 the #<id> or <file>. The dump format is the same than the map even for the
15682 sample value. The data returned are not a list of available ACL, but are the
15683 list of all patterns composing any ACL. Many of these patterns can be shared
15684 with maps.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010015685
Willy Tarreau12833bb2014-01-28 16:49:56 +010015686show pools
15687 Dump the status of internal memory pools. This is useful to track memory
15688 usage when suspecting a memory leak for example. It does exactly the same
15689 as the SIGQUIT when running in foreground except that it does not flush
15690 the pools.
15691
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015692show sess
15693 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +020015694 be huge. This command is restricted and can only be issued on sockets
15695 configured for levels "operator" or "admin".
15696
Willy Tarreau66dc20a2010-03-05 17:53:32 +010015697show sess <id>
15698 Display a lot of internal information about the specified session identifier.
15699 This identifier is the first field at the beginning of the lines in the dumps
15700 of "show sess" (it corresponds to the session pointer). Those information are
15701 useless to most users but may be used by haproxy developers to troubleshoot a
15702 complex bug. The output format is intentionally not documented so that it can
Olivierce31e6e2014-09-05 18:49:10 +020015703 freely evolve depending on demands. You may find a description of all fields
15704 returned in src/dumpstats.c
15705
15706 The special id "all" dumps the states of all sessions, which must be avoided
15707 as much as possible as it is highly CPU intensive and can take a lot of time.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015708
15709show stat [<iid> <type> <sid>]
15710 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
15711 possible to dump only selected items :
15712 - <iid> is a proxy ID, -1 to dump everything
15713 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
15714 backends, 4 for servers, -1 for everything. These values can be ORed,
15715 for example:
15716 1 + 2 = 3 -> frontend + backend.
15717 1 + 2 + 4 = 7 -> frontend + backend + server.
15718 - <sid> is a server ID, -1 to dump everything from the selected proxy.
15719
15720 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020015721 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
15722 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015723 Version: 1.4-dev2-49
15724 Release_date: 2009/09/23
15725 Nbproc: 1
15726 Process_num: 1
15727 (...)
15728
15729 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
15730 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
15731 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
15732 (...)
15733 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
15734
15735 $
15736
15737 Here, two commands have been issued at once. That way it's easy to find
15738 which process the stats apply to in multi-process mode. Notice the empty
15739 line after the information output which marks the end of the first block.
15740 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010015741 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020015742
Baptiste Assmann3863f972015-05-17 00:33:24 +020015743show stat resolvers <resolvers section id>
15744 Dump statistics for the given resolvers section.
15745 For each name server, the following counters are reported:
15746 sent: number of DNS requests sent to this server
15747 valid: number of DNS valid responses received from this server
15748 update: number of DNS responses used to update the server's IP address
15749 cname: number of CNAME responses
15750 cname_error: CNAME errors encountered with this server
15751 any_err: number of empty response (IE: server does not support ANY type)
15752 nx: non existent domain response received from this server
15753 timeout: how many time this server did not answer in time
15754 refused: number of requests refused by this server
15755 other: any other DNS errors
15756 invalid: invalid DNS response (from a protocol point of view)
15757 too_big: too big response
15758 outdated: number of response arrived too late (after an other name server)
15759
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015760show table
15761 Dump general information on all known stick-tables. Their name is returned
15762 (the name of the proxy which holds them), their type (currently zero, always
15763 IP), their size in maximum possible number of entries, and the number of
15764 entries currently in use.
15765
15766 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020015767 $ echo "show table" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090015768 >>> # table: front_pub, type: ip, size:204800, used:171454
15769 >>> # table: back_rdp, type: ip, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015770
Simon Horman17bce342011-06-15 15:18:47 +090015771show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015772 Dump contents of stick-table <name>. In this mode, a first line of generic
15773 information about the table is reported as with "show table", then all
15774 entries are dumped. Since this can be quite heavy, it is possible to specify
Simon Horman17bce342011-06-15 15:18:47 +090015775 a filter in order to specify what entries to display.
15776
15777 When the "data." form is used the filter applies to the stored data (see
15778 "stick-table" in section 4.2). A stored data type must be specified
15779 in <type>, and this data type must be stored in the table otherwise an
15780 error is reported. The data is compared according to <operator> with the
15781 64-bit integer <value>. Operators are the same as with the ACLs :
15782
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015783 - eq : match entries whose data is equal to this value
15784 - ne : match entries whose data is not equal to this value
15785 - le : match entries whose data is less than or equal to this value
15786 - ge : match entries whose data is greater than or equal to this value
15787 - lt : match entries whose data is less than this value
15788 - gt : match entries whose data is greater than this value
15789
Simon Hormanc88b8872011-06-15 15:18:49 +090015790
15791 When the key form is used the entry <key> is shown. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090015792 same type as the table, which currently is limited to IPv4, IPv6, integer,
15793 and string.
Simon Horman17bce342011-06-15 15:18:47 +090015794
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015795 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020015796 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090015797 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020015798 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
15799 bytes_out_rate(60000)=187
15800 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
15801 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015802
Willy Tarreau62a36c42010-08-17 15:53:10 +020015803 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090015804 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020015805 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
15806 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015807
Willy Tarreau62a36c42010-08-17 15:53:10 +020015808 $ echo "show table http_proxy data.conn_rate gt 5" | \
15809 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090015810 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020015811 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
15812 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015813
Simon Horman17bce342011-06-15 15:18:47 +090015814 $ echo "show table http_proxy key 127.0.0.2" | \
15815 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090015816 >>> # table: http_proxy, type: ip, size:204800, used:2
Simon Horman17bce342011-06-15 15:18:47 +090015817 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
15818 bytes_out_rate(60000)=191
15819
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015820 When the data criterion applies to a dynamic value dependent on time such as
15821 a bytes rate, the value is dynamically computed during the evaluation of the
15822 entry in order to decide whether it has to be dumped or not. This means that
15823 such a filter could match for some time then not match anymore because as
15824 time goes, the average event rate drops.
15825
15826 It is possible to use this to extract lists of IP addresses abusing the
15827 service, in order to monitor them or even blacklist them in a firewall.
15828 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020015829 $ echo "show table http_proxy data.gpc0 gt 0" \
15830 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020015831 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
15832 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +020015833
Nenad Merdanovicc6985f02015-05-09 08:46:02 +020015834show tls-keys
15835 Dump all loaded TLS ticket keys. The TLS ticket key reference ID and the
15836 file from which the keys have been loaded is shown. Both of those can be
15837 used to update the TLS keys using "set ssl tls-key".
15838
Willy Tarreau532a4502011-09-07 22:37:44 +020015839shutdown frontend <frontend>
15840 Completely delete the specified frontend. All the ports it was bound to will
15841 be released. It will not be possible to enable the frontend anymore after
15842 this operation. This is intended to be used in environments where stopping a
15843 proxy is not even imaginable but a misconfigured proxy must be fixed. That
15844 way it's possible to release the port and bind it into another process to
15845 restore operations. The frontend will not appear at all on the stats page
15846 once it is terminated.
15847
15848 The frontend may be specified either by its name or by its numeric ID,
15849 prefixed with a sharp ('#').
15850
15851 This command is restricted and can only be issued on sockets configured for
15852 level "admin".
15853
Willy Tarreaua295edc2011-09-07 23:21:03 +020015854shutdown session <id>
15855 Immediately terminate the session matching the specified session identifier.
15856 This identifier is the first field at the beginning of the lines in the dumps
15857 of "show sess" (it corresponds to the session pointer). This can be used to
15858 terminate a long-running session without waiting for a timeout or when an
15859 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
15860 flag in the logs.
15861
Cyril Bontée63a1eb2014-07-12 18:22:42 +020015862shutdown sessions server <backend>/<server>
Willy Tarreau52b2d222011-09-07 23:48:48 +020015863 Immediately terminate all the sessions attached to the specified server. This
15864 can be used to terminate long-running sessions after a server is put into
15865 maintenance mode, for instance. Such terminated sessions are reported with a
15866 'K' flag in the logs.
15867
Willy Tarreau0ba27502007-12-24 16:55:16 +010015868/*
15869 * Local variables:
15870 * fill-column: 79
15871 * End:
15872 */