Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 1 | ---------------------- |
| 2 | HAProxy how-to |
| 3 | ---------------------- |
Willy Tarreau | 991b478 | 2015-10-13 21:48:10 +0200 | [diff] [blame] | 4 | version 1.7 |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 5 | willy tarreau |
Willy Tarreau | 844028b | 2015-10-13 18:52:22 +0200 | [diff] [blame] | 6 | 2015/10/13 |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 7 | |
| 8 | |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 9 | 1) How to build it |
| 10 | ------------------ |
| 11 | |
Willy Tarreau | 991b478 | 2015-10-13 21:48:10 +0200 | [diff] [blame] | 12 | This is a development version, so it is expected to break from time to time, |
| 13 | to add and remove features without prior notification and it should not be used |
| 14 | in production. If you are not used to build from sources or if you are not used |
| 15 | to follow updates then it is recommended that instead you use the packages provided |
| 16 | by your software vendor or Linux distribution. Most of them are taking this task |
Willy Tarreau | 844028b | 2015-10-13 18:52:22 +0200 | [diff] [blame] | 17 | seriously and are doing a good job at backporting important fixes. If for any |
| 18 | reason you'd prefer a different version than the one packaged for your system, |
| 19 | you want to be certain to have all the fixes or to get some commercial support, |
| 20 | other choices are available at : |
Willy Tarreau | 869f351 | 2014-06-19 15:26:32 +0200 | [diff] [blame] | 21 | |
| 22 | http://www.haproxy.com/ |
| 23 | |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 24 | To build haproxy, you will need : |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 25 | - GNU make. Neither Solaris nor OpenBSD's make work with the GNU Makefile. |
Willy Tarreau | 3543cdb | 2014-05-10 09:12:46 +0200 | [diff] [blame] | 26 | If you get many syntax errors when running "make", you may want to retry |
| 27 | with "gmake" which is the name commonly used for GNU make on BSD systems. |
Willy Tarreau | 869f351 | 2014-06-19 15:26:32 +0200 | [diff] [blame] | 28 | - GCC between 2.95 and 4.8. Others may work, but not tested. |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 29 | - GNU ld |
| 30 | |
| 31 | Also, you might want to build with libpcre support, which will provide a very |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 32 | efficient regex implementation and will also fix some badness on Solaris' one. |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 33 | |
| 34 | To build haproxy, you have to choose your target OS amongst the following ones |
| 35 | and assign it to the TARGET variable : |
| 36 | |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 37 | - linux22 for Linux 2.2 |
| 38 | - linux24 for Linux 2.4 and above (default) |
| 39 | - linux24e for Linux 2.4 with support for a working epoll (> 0.21) |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 40 | - linux26 for Linux 2.6 and above |
Willy Tarreau | 869f351 | 2014-06-19 15:26:32 +0200 | [diff] [blame] | 41 | - linux2628 for Linux 2.6.28, 3.x, and above (enables splice and tproxy) |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 42 | - solaris for Solaris 8 or 10 (others untested) |
Willy Tarreau | 869f351 | 2014-06-19 15:26:32 +0200 | [diff] [blame] | 43 | - freebsd for FreeBSD 5 to 10 (others untested) |
Willy Tarreau | 844028b | 2015-10-13 18:52:22 +0200 | [diff] [blame] | 44 | - netbsd for NetBSD |
Willy Tarreau | 8624cab | 2013-04-02 08:17:43 +0200 | [diff] [blame] | 45 | - osx for Mac OS/X |
Daniel Jakots | 17d228b | 2015-07-29 08:03:08 +0200 | [diff] [blame] | 46 | - openbsd for OpenBSD 3.1 and above |
Willy Tarreau | 50abe30 | 2014-04-02 20:44:43 +0200 | [diff] [blame] | 47 | - aix51 for AIX 5.1 |
Willy Tarreau | 7dec965 | 2012-06-06 16:15:03 +0200 | [diff] [blame] | 48 | - aix52 for AIX 5.2 |
Yitzhak Sapir | 3208731 | 2009-06-14 18:27:54 +0200 | [diff] [blame] | 49 | - cygwin for Cygwin |
Willy Tarreau | 869f351 | 2014-06-19 15:26:32 +0200 | [diff] [blame] | 50 | - generic for any other OS or version. |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 51 | - custom to manually adjust every setting |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 52 | |
| 53 | You may also choose your CPU to benefit from some optimizations. This is |
| 54 | particularly important on UltraSparc machines. For this, you can assign |
| 55 | one of the following choices to the CPU variable : |
| 56 | |
| 57 | - i686 for intel PentiumPro, Pentium 2 and above, AMD Athlon |
| 58 | - i586 for intel Pentium, AMD K6, VIA C3. |
| 59 | - ultrasparc : Sun UltraSparc I/II/III/IV processor |
Willy Tarreau | 817dad5 | 2014-07-10 20:24:25 +0200 | [diff] [blame] | 60 | - native : use the build machine's specific processor optimizations. Use with |
| 61 | extreme care, and never in virtualized environments (known to break). |
| 62 | - generic : any other processor or no CPU-specific optimization. (default) |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 63 | |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 64 | Alternatively, you may just set the CPU_CFLAGS value to the optimal GCC options |
| 65 | for your platform. |
| 66 | |
Willy Tarreau | ef7341d | 2009-04-11 19:45:50 +0200 | [diff] [blame] | 67 | You may want to build specific target binaries which do not match your native |
| 68 | compiler's target. This is particularly true on 64-bit systems when you want |
| 69 | to build a 32-bit binary. Use the ARCH variable for this purpose. Right now |
Willy Tarreau | a5899aa | 2010-11-28 07:41:00 +0100 | [diff] [blame] | 70 | it only knows about a few x86 variants (i386,i486,i586,i686,x86_64), two |
| 71 | generic ones (32,64) and sets -m32/-m64 as well as -march=<arch> accordingly. |
Willy Tarreau | ef7341d | 2009-04-11 19:45:50 +0200 | [diff] [blame] | 72 | |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 73 | If your system supports PCRE (Perl Compatible Regular Expressions), then you |
| 74 | really should build with libpcre which is between 2 and 10 times faster than |
| 75 | other libc implementations. Regex are used for header processing (deletion, |
| 76 | rewriting, allow, deny). The only inconvenient of libpcre is that it is not |
| 77 | yet widely spread, so if you build for other systems, you might get into |
| 78 | trouble if they don't have the dynamic library. In this situation, you should |
| 79 | statically link libpcre into haproxy so that it will not be necessary to |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 80 | install it on target systems. Available build options for PCRE are : |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 81 | |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 82 | - USE_PCRE=1 to use libpcre, in whatever form is available on your system |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 83 | (shared or static) |
| 84 | |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 85 | - USE_STATIC_PCRE=1 to use a static version of libpcre even if the dynamic |
| 86 | one is available. This will enhance portability. |
| 87 | |
Willy Tarreau | 663148c | 2012-12-12 00:38:22 +0100 | [diff] [blame] | 88 | - with no option, use your OS libc's standard regex implementation (default). |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 89 | Warning! group references on Solaris seem broken. Use static-pcre whenever |
| 90 | possible. |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 91 | |
Willy Tarreau | a8fc8a2 | 2015-09-28 22:36:21 +0200 | [diff] [blame] | 92 | If your system doesn't provide PCRE, you are encouraged to download it from |
| 93 | http://www.pcre.org/ and build it yourself, it's fast and easy. |
| 94 | |
Willy Tarreau | 64bc40b | 2011-03-23 20:00:53 +0100 | [diff] [blame] | 95 | Recent systems can resolve IPv6 host names using getaddrinfo(). This primitive |
| 96 | is not present in all libcs and does not work in all of them either. Support in |
| 97 | glibc was broken before 2.3. Some embedded libs may not properly work either, |
| 98 | thus, support is disabled by default, meaning that some host names which only |
| 99 | resolve as IPv6 addresses will not resolve and configs might emit an error |
| 100 | during parsing. If you know that your OS libc has reliable support for |
| 101 | getaddrinfo(), you can add USE_GETADDRINFO=1 on the make command line to enable |
| 102 | it. This is the recommended option for most Linux distro packagers since it's |
| 103 | working fine on all recent mainstream distros. It is automatically enabled on |
| 104 | Solaris 8 and above, as it's known to work. |
| 105 | |
Willy Tarreau | 3543cdb | 2014-05-10 09:12:46 +0200 | [diff] [blame] | 106 | It is possible to add native support for SSL using the GNU makefile, by passing |
| 107 | "USE_OPENSSL=1" on the make command line. The libssl and libcrypto will |
| 108 | automatically be linked with haproxy. Some systems also require libz, so if the |
| 109 | build fails due to missing symbols such as deflateInit(), then try again with |
| 110 | "ADDLIB=-lz". |
Willy Tarreau | d450881 | 2012-09-10 09:07:41 +0200 | [diff] [blame] | 111 | |
Willy Tarreau | a8fc8a2 | 2015-09-28 22:36:21 +0200 | [diff] [blame] | 112 | Your are strongly encouraged to always use an up-to-date version of OpenSSL, as |
| 113 | found on https://www.openssl.org/ as vulnerabilities are occasionally found and |
| 114 | you don't want them on your systems. HAProxy is known to build correctly on all |
| 115 | currently supported branches (0.9.8, 1.0.0, 1.0.1 and 1.0.2 at the time of |
| 116 | writing). Branch 1.0.2 is recommended for the richest features. |
| 117 | |
Lukas Tribus | 3fe9f1e | 2013-05-19 16:28:17 +0200 | [diff] [blame] | 118 | To link OpenSSL statically against haproxy, build OpenSSL with the no-shared |
| 119 | keyword and install it to a local directory, so your system is not affected : |
| 120 | |
| 121 | $ export STATICLIBSSL=/tmp/staticlibssl |
| 122 | $ ./config --prefix=$STATICLIBSSL no-shared |
| 123 | $ make && make install_sw |
| 124 | |
Lukas Tribus | 130ddf7 | 2013-10-01 00:28:03 +0200 | [diff] [blame] | 125 | When building haproxy, pass that path via SSL_INC and SSL_LIB to make and |
| 126 | include additional libs with ADDLIB if needed (in this case for example libdl): |
Willy Tarreau | 3543cdb | 2014-05-10 09:12:46 +0200 | [diff] [blame] | 127 | |
Lukas Tribus | 130ddf7 | 2013-10-01 00:28:03 +0200 | [diff] [blame] | 128 | $ make TARGET=linux26 USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB=-ldl |
Lukas Tribus | 3fe9f1e | 2013-05-19 16:28:17 +0200 | [diff] [blame] | 129 | |
Willy Tarreau | a8fc8a2 | 2015-09-28 22:36:21 +0200 | [diff] [blame] | 130 | It is also possible to include native support for zlib to benefit from HTTP |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 131 | compression. For this, pass "USE_ZLIB=1" on the "make" command line and ensure |
Willy Tarreau | 418b8c0 | 2015-03-29 03:32:06 +0200 | [diff] [blame] | 132 | that zlib is present on the system. Alternatively it is possible to use libslz |
| 133 | for a faster, memory less, but slightly less efficient compression, by passing |
| 134 | "USE_SLZ=1". |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 135 | |
Willy Tarreau | a8fc8a2 | 2015-09-28 22:36:21 +0200 | [diff] [blame] | 136 | Zlib is commonly found on most systems, otherwise updates can be retrieved from |
| 137 | http://www.zlib.net/. It is easy and fast to build. Libslz can be downloaded |
| 138 | from http://1wt.eu/projects/libslz/ and is even easier to build. |
| 139 | |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 140 | By default, the DEBUG variable is set to '-g' to enable debug symbols. It is |
| 141 | not wise to disable it on uncommon systems, because it's often the only way to |
| 142 | get a complete core when you need one. Otherwise, you can set DEBUG to '-s' to |
| 143 | strip the binary. |
| 144 | |
| 145 | For example, I use this to build for Solaris 8 : |
| 146 | |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 147 | $ make TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1 |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 148 | |
Willy Tarreau | 83b30c1 | 2008-05-25 10:32:50 +0200 | [diff] [blame] | 149 | And I build it this way on OpenBSD or FreeBSD : |
willy tarreau | d38e72d | 2006-03-19 20:56:52 +0100 | [diff] [blame] | 150 | |
Willy Tarreau | 3543cdb | 2014-05-10 09:12:46 +0200 | [diff] [blame] | 151 | $ gmake TARGET=freebsd USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 |
willy tarreau | d38e72d | 2006-03-19 20:56:52 +0100 | [diff] [blame] | 152 | |
Willy Tarreau | 663148c | 2012-12-12 00:38:22 +0100 | [diff] [blame] | 153 | And on a classic Linux with SSL and ZLIB support (eg: Red Hat 5.x) : |
| 154 | |
Willy Tarreau | 817dad5 | 2014-07-10 20:24:25 +0200 | [diff] [blame] | 155 | $ make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 |
Willy Tarreau | 663148c | 2012-12-12 00:38:22 +0100 | [diff] [blame] | 156 | |
| 157 | And on a recent Linux >= 2.6.28 with SSL and ZLIB support : |
Willy Tarreau | d450881 | 2012-09-10 09:07:41 +0200 | [diff] [blame] | 158 | |
Willy Tarreau | 817dad5 | 2014-07-10 20:24:25 +0200 | [diff] [blame] | 159 | $ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 |
Willy Tarreau | d450881 | 2012-09-10 09:07:41 +0200 | [diff] [blame] | 160 | |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 161 | In order to build a 32-bit binary on an x86_64 Linux system with SSL support |
| 162 | without support for compression but when OpenSSL requires ZLIB anyway : |
Willy Tarreau | ef7341d | 2009-04-11 19:45:50 +0200 | [diff] [blame] | 163 | |
Willy Tarreau | d450881 | 2012-09-10 09:07:41 +0200 | [diff] [blame] | 164 | $ make TARGET=linux26 ARCH=i386 USE_OPENSSL=1 ADDLIB=-lz |
Willy Tarreau | ef7341d | 2009-04-11 19:45:50 +0200 | [diff] [blame] | 165 | |
Willy Tarreau | b1efede | 2014-05-09 00:44:48 +0200 | [diff] [blame] | 166 | The SSL stack supports session cache synchronization between all running |
| 167 | processes. This involves some atomic operations and synchronization operations |
| 168 | which come in multiple flavors depending on the system and architecture : |
| 169 | |
| 170 | Atomic operations : |
| 171 | - internal assembler versions for x86/x86_64 architectures |
| 172 | |
| 173 | - gcc builtins for other architectures. Some architectures might not |
| 174 | be fully supported or might require a more recent version of gcc. |
| 175 | If your architecture is not supported, you willy have to either use |
| 176 | pthread if supported, or to disable the shared cache. |
| 177 | |
| 178 | - pthread (posix threads). Pthreads are very common but inter-process |
| 179 | support is not that common, and some older operating systems did not |
| 180 | report an error when enabling multi-process mode, so they used to |
| 181 | silently fail, possibly causing crashes. Linux's implementation is |
| 182 | fine. OpenBSD doesn't support them and doesn't build. FreeBSD 9 builds |
| 183 | and reports an error at runtime, while certain older versions might |
| 184 | silently fail. Pthreads are enabled using USE_PTHREAD_PSHARED=1. |
| 185 | |
| 186 | Synchronization operations : |
| 187 | - internal spinlock : this mode is OS-independant, light but will not |
| 188 | scale well to many processes. However, accesses to the session cache |
| 189 | are rare enough that this mode could certainly always be used. This |
| 190 | is the default mode. |
| 191 | |
| 192 | - Futexes, which are Linux-specific highly scalable light weight mutexes |
| 193 | implemented in user-space with some limited assistance from the kernel. |
| 194 | This is the default on Linux 2.6 and above and is enabled by passing |
| 195 | USE_FUTEX=1 |
| 196 | |
| 197 | - pthread (posix threads). See above. |
| 198 | |
| 199 | If none of these mechanisms is supported by your platform, you may need to |
| 200 | build with USE_PRIVATE_CACHE=1 to totally disable SSL cache sharing. Then |
| 201 | it is better not to run SSL on multiple processes. |
| 202 | |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 203 | If you need to pass other defines, includes, libraries, etc... then please |
| 204 | check the Makefile to see which ones will be available in your case, and |
Willy Tarreau | 3543cdb | 2014-05-10 09:12:46 +0200 | [diff] [blame] | 205 | use the USE_* variables in the Makefile. |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 206 | |
Willy Tarreau | 97ec969 | 2010-01-28 20:52:05 +0100 | [diff] [blame] | 207 | AIX 5.3 is known to work with the generic target. However, for the binary to |
| 208 | also run on 5.2 or earlier, you need to build with DEFINE="-D_MSGQSUPPORT", |
Willy Tarreau | 869f351 | 2014-06-19 15:26:32 +0200 | [diff] [blame] | 209 | otherwise __fd_select() will be used while not being present in the libc, but |
| 210 | this is easily addressed using the "aix52" target. If you get build errors |
| 211 | because of strange symbols or section mismatches, simply remove -g from |
| 212 | DEBUG_CFLAGS. |
Willy Tarreau | 97ec969 | 2010-01-28 20:52:05 +0100 | [diff] [blame] | 213 | |
Willy Tarreau | 32e65ef | 2013-04-02 08:14:29 +0200 | [diff] [blame] | 214 | You can easily define your own target with the GNU Makefile. Unknown targets |
| 215 | are processed with no default option except USE_POLL=default. So you can very |
| 216 | well use that property to define your own set of options. USE_POLL can even be |
| 217 | disabled by setting USE_POLL="". For example : |
| 218 | |
| 219 | $ gmake TARGET=tiny USE_POLL="" TARGET_CFLAGS=-fomit-frame-pointer |
| 220 | |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 221 | |
David Carlier | b5efa01 | 2015-06-01 14:21:47 +0200 | [diff] [blame] | 222 | 1.1) DeviceAtlas Device Detection |
| 223 | --------------------------------- |
| 224 | |
| 225 | In order to add DeviceAtlas Device Detection support, you would need to download |
| 226 | the API source code from https://deviceatlas.com/deviceatlas-haproxy-module and |
| 227 | once extracted : |
| 228 | |
Willy Tarreau | 82bd42e | 2015-06-02 14:10:28 +0200 | [diff] [blame] | 229 | $ make TARGET=<target> USE_PCRE=1 USE_DEVICEATLAS=1 DEVICEATLAS_SRC=<path to the API root folder> |
| 230 | |
| 231 | Optionally DEVICEATLAS_INC and DEVICEATLAS_LIB may be set to override the path |
| 232 | to the include files and libraries respectively if they're not in the source |
| 233 | directory. |
David Carlier | b5efa01 | 2015-06-01 14:21:47 +0200 | [diff] [blame] | 234 | |
| 235 | These are supported DeviceAtlas directives (see doc/configuration.txt) : |
| 236 | - deviceatlas-json-file <path to the DeviceAtlas JSON data file>. |
| 237 | - deviceatlas-log-level <number> (0 to 3, level of information returned by |
| 238 | the API, 0 by default). |
| 239 | - deviceatlas-property-separator <character> (character used to separate the |
| 240 | properties produced by the API, | by default). |
| 241 | |
| 242 | Sample configuration : |
| 243 | |
| 244 | global |
| 245 | deviceatlas-json-file <path to json file> |
| 246 | |
| 247 | ... |
| 248 | frontend |
| 249 | bind *:8881 |
| 250 | default_backend servers |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 251 | |
| 252 | There are two distinct methods available, one which leverages all HTTP headers |
| 253 | and one which uses only a single HTTP header for the detection. The former |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 254 | method is highly recommended and more accurate. There are several possible use |
| 255 | cases. |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 256 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 257 | # To transmit the DeviceAtlas data downstream to the target application |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 258 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 259 | All HTTP headers via the sample / fetch |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 260 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 261 | http-request set-header X-DeviceAtlas-Data %[da-csv-fetch(primaryHardwareType,osName,osVersion,browserName,browserVersion)] |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 262 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 263 | Single HTTP header (e.g. User-Agent) via the convertor |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 264 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 265 | http-request set-header X-DeviceAtlas-Data %[req.fhdr(User-Agent),da-csv-conv(primaryHardwareType,osName,osVersion,browserName,browserVersion)] |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 266 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 267 | # Mobile content switching with ACL |
| 268 | |
| 269 | All HTTP headers |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 270 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 271 | acl is_mobile da-csv-fetch(mobileDevice) 1 |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 272 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 273 | Single HTTP header |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 274 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 275 | acl device_type_tablet req.fhdr(User-Agent),da-csv-conv(primaryHardwareType) "Tablet" |
| 276 | |
David Carlier | b5efa01 | 2015-06-01 14:21:47 +0200 | [diff] [blame] | 277 | |
David Carlier | 00d7d61 | 2015-09-25 14:06:08 +0100 | [diff] [blame] | 278 | Please find more information about DeviceAtlas and the detection methods at https://deviceatlas.com/resources . |
David Carlier | b5efa01 | 2015-06-01 14:21:47 +0200 | [diff] [blame] | 279 | |
David Carlier | a124693 | 2015-10-28 11:08:15 +0000 | [diff] [blame] | 280 | |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 281 | 1.2) 51Degrees Device Detection |
| 282 | ------------------------------- |
| 283 | |
| 284 | You can also include 51Degrees for inbuilt device detection enabling attributes |
| 285 | such as screen size (physical & pixels), supported input methods, release date, |
| 286 | hardware vendor and model, browser information, and device price among many |
| 287 | others. Such information can be used to improve the user experience of a web |
| 288 | site by tailoring the page content, layout and business processes to the |
| 289 | precise characteristics of the device. Such customisations improve profit by |
| 290 | making it easier for customers to get to the information or services they |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 291 | need. Attributes of the device making a web request can be added to HTTP |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 292 | headers as configurable parameters. |
| 293 | |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 294 | In order to enable 51Degrees download the 51Degrees source code from the |
| 295 | official github repository : |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 296 | |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 297 | git clone https://github.com/51Degrees/Device-Detection |
Willy Tarreau | c7203c7 | 2015-06-01 11:12:35 +0200 | [diff] [blame] | 298 | |
| 299 | then run 'make' with USE_51DEGREES and 51DEGREES_SRC set. Both 51DEGREES_INC |
| 300 | and 51DEGREES_LIB may additionally be used to force specific different paths |
| 301 | for .o and .h, but will default to 51DEGREES_SRC. Make sure to replace |
| 302 | '51D_REPO_PATH' with the path to the 51Degrees repository. |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 303 | |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 304 | 51Degrees provide 2 different detection algorithms: |
| 305 | |
Willy Tarreau | c7203c7 | 2015-06-01 11:12:35 +0200 | [diff] [blame] | 306 | 1. Pattern - balances main memory usage and CPU. |
| 307 | 2. Trie - a very high performance detection solution which uses more main |
| 308 | memory than Pattern. |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 309 | |
| 310 | To make with 51Degrees Pattern algorithm use the following command line. |
| 311 | |
Willy Tarreau | c7203c7 | 2015-06-01 11:12:35 +0200 | [diff] [blame] | 312 | $ make TARGET=linux26 USE_51DEGREES=1 51DEGREES_SRC='51D_REPO_PATH'/src/pattern |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 313 | |
| 314 | To use the 51Degrees Trie algorithm use the following command line. |
| 315 | |
Willy Tarreau | c7203c7 | 2015-06-01 11:12:35 +0200 | [diff] [blame] | 316 | $ make TARGET=linux26 USE_51DEGREES=1 51DEGREES_SRC='51D_REPO_PATH'/src/trie |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 317 | |
| 318 | A data file containing information about devices, browsers, operating systems |
| 319 | and their associated signatures is then needed. 51Degrees provide a free |
| 320 | database with Github repo for this purpose. These free data files are located |
| 321 | in '51D_REPO_PATH'/data with the extensions .dat for Pattern data and .trie for |
| 322 | Trie data. |
| 323 | |
| 324 | The configuration file needs to set the following parameters: |
| 325 | |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 326 | 51degrees-data-file path to the Pattern or Trie data file |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 327 | 51degrees-property-name-list list of 51Degrees properties to detect |
Dragan Dosen | 93b38d9 | 2015-06-29 16:43:25 +0200 | [diff] [blame] | 328 | 51degrees-property-separator separator to use between values |
Dragan Dosen | ae6d39a | 2015-06-29 16:43:27 +0200 | [diff] [blame] | 329 | 51degrees-cache-size LRU-based cache size (disabled by default) |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 330 | |
| 331 | The following is an example of the settings for Pattern. |
| 332 | |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 333 | 51degrees-data-file '51D_REPO_PATH'/data/51Degrees-LiteV3.2.dat |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 334 | 51degrees-property-name-list IsTablet DeviceType IsMobile |
Dragan Dosen | 93b38d9 | 2015-06-29 16:43:25 +0200 | [diff] [blame] | 335 | 51degrees-property-separator , |
Dragan Dosen | ae6d39a | 2015-06-29 16:43:27 +0200 | [diff] [blame] | 336 | 51degrees-cache-size 10000 |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 337 | |
| 338 | HAProxy needs a way to pass device information to the backend servers. This is |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 339 | done by using the 51d converter or fetch method, which intercepts the HTTP |
| 340 | headers and creates some new headers. This is controlled in the frontend |
| 341 | http-in section. |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 342 | |
| 343 | The following is an example which adds two new HTTP headers prefixed X-51D- |
| 344 | |
| 345 | frontend http-in |
| 346 | bind *:8081 |
| 347 | default_backend servers |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 348 | http-request set-header X-51D-DeviceTypeMobileTablet %[51d.all(DeviceType,IsMobile,IsTablet)] |
| 349 | http-request set-header X-51D-Tablet %[51d.all(IsTablet)] |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 350 | |
| 351 | Here, two headers are created with 51Degrees data, X-51D-DeviceTypeMobileTablet |
| 352 | and X-51D-Tablet. Any number of headers can be created this way and can be |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 353 | named anything. 51d.all( ) invokes the 51degrees fetch. It can be passed up to |
| 354 | five property names of values to return. Values will be returned in the same |
| 355 | order, seperated by the 51-degrees-property-separator configured earlier. If a |
| 356 | property name can't be found the value 'NoData' is returned instead. |
| 357 | |
| 358 | In addition to the device properties three additional properties related to the |
| 359 | validity of the result can be returned when used with the Pattern method. The |
| 360 | following example shows how Method, Difference and Rank could be included as one |
| 361 | new HTTP header X-51D-Stats. |
| 362 | |
| 363 | http-request set-header X-51D-Stats %[51d.all(Method,Difference,Rank)] |
| 364 | |
| 365 | These values indicate how confident 51Degrees is in the result that that was |
| 366 | returned. More information is available on the 51Degrees web site at: |
| 367 | |
| 368 | https://51degrees.com/support/documentation/pattern |
| 369 | |
| 370 | The above 51d.all fetch method uses all available HTTP headers for detection. A |
| 371 | modest performance improvement can be obtained by only passing one HTTP header |
| 372 | to the detection method with the 51d.single converter. The following example |
| 373 | uses the User-Agent HTTP header only for detection. |
| 374 | |
| 375 | http-request set-header X-51D-DeviceTypeMobileTablet %[req.fhdr(User-Agent),51d.single(DeviceType,IsMobile,IsTablet)] |
| 376 | |
| 377 | Any HTTP header could be used inplace of User-Agent by changing the parameter |
| 378 | provided to req.fhdr. |
| 379 | |
| 380 | When compiled to use the Trie detection method the trie format data file needs |
| 381 | to be provided. Changing the extension of the data file from dat to trie will |
| 382 | use the correct data. |
| 383 | |
| 384 | 51degrees-data-file '51D_REPO_PATH'/data/51Degrees-LiteV3.2.trie |
| 385 | |
| 386 | When used with Trie the Method, Difference and Rank properties are not |
| 387 | available. |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 388 | |
| 389 | The free Lite data file contains information about screen size in pixels and |
| 390 | whether the device is a mobile. A full list of available properties is located |
| 391 | on the 51Degrees web site at: |
| 392 | |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 393 | https://51degrees.com/resources/property-dictionary |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 394 | |
| 395 | Some properties are only available in the paid for Premium and Enterprise |
James Rosewell | a0c4c69 | 2015-09-18 17:21:37 +0100 | [diff] [blame] | 396 | versions of 51Degrees. These data sets not only contain more properties but |
Thomas Holmes | f95aaf6 | 2015-05-29 15:21:42 +0100 | [diff] [blame] | 397 | are updated weekly and daily and contain signatures for 100,000s of different |
| 398 | device combinations. For more information see the data options comparison web |
| 399 | page: |
| 400 | |
| 401 | https://51degrees.com/compare-data-options |
| 402 | |
| 403 | |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 404 | 2) How to install it |
| 405 | -------------------- |
| 406 | |
| 407 | To install haproxy, you can either copy the single resulting binary to the |
| 408 | place you want, or run : |
| 409 | |
| 410 | $ sudo make install |
| 411 | |
| 412 | If you're packaging it for another system, you can specify its root directory |
| 413 | in the usual DESTDIR variable. |
| 414 | |
| 415 | |
| 416 | 3) How to set it up |
| 417 | ------------------- |
| 418 | |
| 419 | There is some documentation in the doc/ directory : |
| 420 | |
Willy Tarreau | d8e42b6 | 2015-08-18 21:51:36 +0200 | [diff] [blame] | 421 | - intro.txt : this is an introduction to haproxy, it explains what it is |
| 422 | what it is not. Useful for beginners or to re-discover it when planning |
| 423 | for an upgrade. |
| 424 | |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 425 | - architecture.txt : this is the architecture manual. It is quite old and |
| 426 | does not tell about the nice new features, but it's still a good starting |
| 427 | point when you know what you want but don't know how to do it. |
| 428 | |
| 429 | - configuration.txt : this is the configuration manual. It recalls a few |
| 430 | essential HTTP basic concepts, and details all the configuration file |
| 431 | syntax (keywords, units). It also describes the log and stats format. It |
| 432 | is normally always up to date. If you see that something is missing from |
Willy Tarreau | 74774c0 | 2014-04-23 00:57:08 +0200 | [diff] [blame] | 433 | it, please report it as this is a bug. Please note that this file is |
| 434 | huge and that it's generally more convenient to review Cyril Bonté's |
| 435 | HTML translation online here : |
| 436 | |
Willy Tarreau | 844028b | 2015-10-13 18:52:22 +0200 | [diff] [blame] | 437 | http://cbonte.github.io/haproxy-dconv/configuration-1.6.html |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 438 | |
Willy Tarreau | 373933d | 2015-10-13 16:32:20 +0200 | [diff] [blame] | 439 | - management.txt : it explains how to start haproxy, how to manage it at |
| 440 | runtime, how to manage it on multiple nodes, how to proceed with seamless |
| 441 | upgrades. |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 442 | |
| 443 | - gpl.txt / lgpl.txt : the copy of the licenses covering the software. See |
| 444 | the 'LICENSE' file at the top for more information. |
| 445 | |
| 446 | - the rest is mainly for developers. |
| 447 | |
| 448 | There are also a number of nice configuration examples in the "examples" |
| 449 | directory as well as on several sites and articles on the net which are linked |
| 450 | to from the haproxy web site. |
| 451 | |
| 452 | |
| 453 | 4) How to report a bug |
| 454 | ---------------------- |
| 455 | |
| 456 | It is possible that from time to time you'll find a bug. A bug is a case where |
| 457 | what you see is not what is documented. Otherwise it can be a misdesign. If you |
| 458 | find that something is stupidly design, please discuss it on the list (see the |
| 459 | "how to contribute" section below). If you feel like you're proceeding right |
| 460 | and haproxy doesn't obey, then first ask yourself if it is possible that nobody |
| 461 | before you has even encountered this issue. If it's unlikely, the you probably |
| 462 | have an issue in your setup. Just in case of doubt, please consult the mailing |
| 463 | list archives : |
| 464 | |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 465 | http://marc.info/?l=haproxy |
| 466 | |
| 467 | Otherwise, please try to gather the maximum amount of information to help |
| 468 | reproduce the issue and send that to the mailing list : |
| 469 | |
| 470 | haproxy@formilux.org |
| 471 | |
| 472 | Please include your configuration and logs. You can mask your IP addresses and |
| 473 | passwords, we don't need them. But it's essential that you post your config if |
| 474 | you want people to guess what is happening. |
| 475 | |
| 476 | Also, keep in mind that haproxy is designed to NEVER CRASH. If you see it die |
| 477 | without any reason, then it definitely is a critical bug that must be reported |
| 478 | and urgently fixed. It has happened a couple of times in the past, essentially |
| 479 | on development versions running on new architectures. If you think your setup |
| 480 | is fairly common, then it is possible that the issue is totally unrelated. |
| 481 | Anyway, if that happens, feel free to contact me directly, as I will give you |
| 482 | instructions on how to collect a usable core file, and will probably ask for |
| 483 | other captures that you'll not want to share with the list. |
| 484 | |
| 485 | |
| 486 | 5) How to contribute |
| 487 | -------------------- |
| 488 | |
Willy Tarreau | 11e334d9 | 2015-09-20 22:31:42 +0200 | [diff] [blame] | 489 | Please carefully read the CONTRIBUTING file that comes with the sources. It is |
| 490 | mandatory. |
Willy Tarreau | b1a34b6 | 2010-05-09 22:37:12 +0200 | [diff] [blame] | 491 | |
willy tarreau | 7834533 | 2005-12-18 01:33:16 +0100 | [diff] [blame] | 492 | -- end |