blob: d6a2df510e1fc2ff2f24c30bb54f95d8e2866dd5 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
Willy Tarreau8317b282014-04-23 01:49:41 +02002 HAProxy
Willy Tarreau6a06a402007-07-15 20:15:28 +02003 Configuration Manual
4 ----------------------
Willy Tarreau15480d72014-06-19 21:10:58 +02005 version 1.6
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau9229f122014-06-19 21:01:06 +02007 2014/06/19
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Willy Tarreau086fbf52012-09-24 20:34:51 +0200565. Bind and Server options
575.1. Bind options
585.2. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059
606. HTTP header manipulation
61
Willy Tarreau74ca5042013-06-11 23:12:07 +0200627. Using ACLs and fetching samples
637.1. ACL basics
647.1.1. Matching booleans
657.1.2. Matching integers
667.1.3. Matching strings
677.1.4. Matching regular expressions (regexes)
687.1.5. Matching arbitrary data blocks
697.1.6. Matching IPv4 and IPv6 addresses
707.2. Using ACLs to form conditions
717.3. Fetching samples
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200727.3.1. Converters
737.3.2. Fetching samples from internal states
747.3.3. Fetching samples at Layer 4
757.3.4. Fetching samples at Layer 5
767.3.5. Fetching samples from buffer contents (Layer 6)
777.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +0200787.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020079
808. Logging
818.1. Log levels
828.2. Log formats
838.2.1. Default log format
848.2.2. TCP log format
858.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100868.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +0100878.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200888.3. Advanced logging options
898.3.1. Disabling logging of external tests
908.3.2. Logging before waiting for the session to terminate
918.3.3. Raising log level upon errors
928.3.4. Disabling logging of successful connections
938.4. Timing events
948.5. Session state at disconnection
958.6. Non-printable characters
968.7. Capturing HTTP cookies
978.8. Capturing HTTP headers
988.9. Examples of logs
99
1009. Statistics and monitoring
1019.1. CSV format
1029.2. Unix Socket commands
103
104
1051. Quick reminder about HTTP
106----------------------------
107
108When haproxy is running in HTTP mode, both the request and the response are
109fully analyzed and indexed, thus it becomes possible to build matching criteria
110on almost anything found in the contents.
111
112However, it is important to understand how HTTP requests and responses are
113formed, and how HAProxy decomposes them. It will then become easier to write
114correct rules and to debug existing configurations.
115
116
1171.1. The HTTP transaction model
118-------------------------------
119
120The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100121to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200122from the client to the server, a request is sent by the client on the
123connection, the server responds and the connection is closed. A new request
124will involve a new connection :
125
126 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
127
128In this mode, called the "HTTP close" mode, there are as many connection
129establishments as there are HTTP transactions. Since the connection is closed
130by the server after the response, the client does not need to know the content
131length.
132
133Due to the transactional nature of the protocol, it was possible to improve it
134to avoid closing a connection between two subsequent transactions. In this mode
135however, it is mandatory that the server indicates the content length for each
136response so that the client does not wait indefinitely. For this, a special
137header is used: "Content-length". This mode is called the "keep-alive" mode :
138
139 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
140
141Its advantages are a reduced latency between transactions, and less processing
142power required on the server side. It is generally better than the close mode,
143but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200144a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200145
146A last improvement in the communications is the pipelining mode. It still uses
147keep-alive, but the client does not wait for the first response to send the
148second request. This is useful for fetching large number of images composing a
149page :
150
151 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
152
153This can obviously have a tremendous benefit on performance because the network
154latency is eliminated between subsequent requests. Many HTTP agents do not
155correctly support pipelining since there is no way to associate a response with
156the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100157server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200158
Willy Tarreau70dffda2014-01-30 03:07:23 +0100159By default HAProxy operates in keep-alive mode with regards to persistent
160connections: for each connection it processes each request and response, and
161leaves the connection idle on both sides between the end of a response and the
162start of a new request.
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200163
Willy Tarreau70dffda2014-01-30 03:07:23 +0100164HAProxy supports 5 connection modes :
165 - keep alive : all requests and responses are processed (default)
166 - tunnel : only the first request and response are processed,
167 everything else is forwarded with no analysis.
168 - passive close : tunnel with "Connection: close" added in both directions.
169 - server close : the server-facing connection is closed after the response.
170 - forced close : the connection is actively closed after end of response.
171
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200172
1731.2. HTTP request
174-----------------
175
176First, let's consider this HTTP request :
177
178 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100179 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200180 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
181 2 Host: www.mydomain.com
182 3 User-agent: my small browser
183 4 Accept: image/jpeg, image/gif
184 5 Accept: image/png
185
186
1871.2.1. The Request line
188-----------------------
189
190Line 1 is the "request line". It is always composed of 3 fields :
191
192 - a METHOD : GET
193 - a URI : /serv/login.php?lang=en&profile=2
194 - a version tag : HTTP/1.1
195
196All of them are delimited by what the standard calls LWS (linear white spaces),
197which are commonly spaces, but can also be tabs or line feeds/carriage returns
198followed by spaces/tabs. The method itself cannot contain any colon (':') and
199is limited to alphabetic letters. All those various combinations make it
200desirable that HAProxy performs the splitting itself rather than leaving it to
201the user to write a complex or inaccurate regular expression.
202
203The URI itself can have several forms :
204
205 - A "relative URI" :
206
207 /serv/login.php?lang=en&profile=2
208
209 It is a complete URL without the host part. This is generally what is
210 received by servers, reverse proxies and transparent proxies.
211
212 - An "absolute URI", also called a "URL" :
213
214 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
215
216 It is composed of a "scheme" (the protocol name followed by '://'), a host
217 name or address, optionally a colon (':') followed by a port number, then
218 a relative URI beginning at the first slash ('/') after the address part.
219 This is generally what proxies receive, but a server supporting HTTP/1.1
220 must accept this form too.
221
222 - a star ('*') : this form is only accepted in association with the OPTIONS
223 method and is not relayable. It is used to inquiry a next hop's
224 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100225
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200226 - an address:port combination : 192.168.0.12:80
227 This is used with the CONNECT method, which is used to establish TCP
228 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
229 other protocols too.
230
231In a relative URI, two sub-parts are identified. The part before the question
232mark is called the "path". It is typically the relative path to static objects
233on the server. The part after the question mark is called the "query string".
234It is mostly used with GET requests sent to dynamic scripts and is very
235specific to the language, framework or application in use.
236
237
2381.2.2. The request headers
239--------------------------
240
241The headers start at the second line. They are composed of a name at the
242beginning of the line, immediately followed by a colon (':'). Traditionally,
243an LWS is added after the colon but that's not required. Then come the values.
244Multiple identical headers may be folded into one single line, delimiting the
245values with commas, provided that their order is respected. This is commonly
246encountered in the "Cookie:" field. A header may span over multiple lines if
247the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
248define a total of 3 values for the "Accept:" header.
249
250Contrary to a common mis-conception, header names are not case-sensitive, and
251their values are not either if they refer to other header names (such as the
252"Connection:" header).
253
254The end of the headers is indicated by the first empty line. People often say
255that it's a double line feed, which is not exact, even if a double line feed
256is one valid form of empty line.
257
258Fortunately, HAProxy takes care of all these complex combinations when indexing
259headers, checking values and counting them, so there is no reason to worry
260about the way they could be written, but it is important not to accuse an
261application of being buggy if it does unusual, valid things.
262
263Important note:
264 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
265 in the middle of headers by LWS in order to join multi-line headers. This
266 is necessary for proper analysis and helps less capable HTTP parsers to work
267 correctly and not to be fooled by such complex constructs.
268
269
2701.3. HTTP response
271------------------
272
273An HTTP response looks very much like an HTTP request. Both are called HTTP
274messages. Let's consider this HTTP response :
275
276 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100277 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200278 1 HTTP/1.1 200 OK
279 2 Content-length: 350
280 3 Content-Type: text/html
281
Willy Tarreau816b9792009-09-15 21:25:21 +0200282As a special case, HTTP supports so called "Informational responses" as status
283codes 1xx. These messages are special in that they don't convey any part of the
284response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100285continue to post its request for instance. In the case of a status 100 response
286the requested information will be carried by the next non-100 response message
287following the informational one. This implies that multiple responses may be
288sent to a single request, and that this only works when keep-alive is enabled
289(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
290correctly forward and skip them, and only process the next non-100 response. As
291such, these messages are neither logged nor transformed, unless explicitly
292state otherwise. Status 101 messages indicate that the protocol is changing
293over the same connection and that haproxy must switch to tunnel mode, just as
294if a CONNECT had occurred. Then the Upgrade header would contain additional
295information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200296
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200297
2981.3.1. The Response line
299------------------------
300
301Line 1 is the "response line". It is always composed of 3 fields :
302
303 - a version tag : HTTP/1.1
304 - a status code : 200
305 - a reason : OK
306
307The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200308 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200309 - 2xx = OK, content is following (eg: 200, 206)
310 - 3xx = OK, no content following (eg: 302, 304)
311 - 4xx = error caused by the client (eg: 401, 403, 404)
312 - 5xx = error caused by the server (eg: 500, 502, 503)
313
314Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100315"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200316found there, but it's a common practice to respect the well-established
317messages. It can be composed of one or multiple words, such as "OK", "Found",
318or "Authentication Required".
319
320Haproxy may emit the following status codes by itself :
321
322 Code When / reason
323 200 access to stats page, and when replying to monitoring requests
324 301 when performing a redirection, depending on the configured code
325 302 when performing a redirection, depending on the configured code
326 303 when performing a redirection, depending on the configured code
Willy Tarreaub67fdc42013-03-29 19:28:11 +0100327 307 when performing a redirection, depending on the configured code
328 308 when performing a redirection, depending on the configured code
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200329 400 for an invalid or too large request
330 401 when an authentication is required to perform the action (when
331 accessing the stats page)
332 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
333 408 when the request timeout strikes before the request is complete
334 500 when haproxy encounters an unrecoverable internal error, such as a
335 memory allocation failure, which should never happen
336 502 when the server returns an empty, invalid or incomplete response, or
337 when an "rspdeny" filter blocks the response.
338 503 when no server was available to handle the request, or in response to
339 monitoring requests which match the "monitor fail" condition
340 504 when the response timeout strikes before the server responds
341
342The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3434.2).
344
345
3461.3.2. The response headers
347---------------------------
348
349Response headers work exactly like request headers, and as such, HAProxy uses
350the same parsing function for both. Please refer to paragraph 1.2.2 for more
351details.
352
353
3542. Configuring HAProxy
355----------------------
356
3572.1. Configuration file format
358------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200359
360HAProxy's configuration process involves 3 major sources of parameters :
361
362 - the arguments from the command-line, which always take precedence
363 - the "global" section, which sets process-wide parameters
364 - the proxies sections which can take form of "defaults", "listen",
365 "frontend" and "backend".
366
Willy Tarreau0ba27502007-12-24 16:55:16 +0100367The configuration file syntax consists in lines beginning with a keyword
368referenced in this manual, optionally followed by one or several parameters
369delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100370preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100371escaped by doubling them.
372
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200373
3742.2. Time format
375----------------
376
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100377Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100378values are generally expressed in milliseconds (unless explicitly stated
379otherwise) but may be expressed in any other unit by suffixing the unit to the
380numeric value. It is important to consider this because it will not be repeated
381for every keyword. Supported units are :
382
383 - us : microseconds. 1 microsecond = 1/1000000 second
384 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
385 - s : seconds. 1s = 1000ms
386 - m : minutes. 1m = 60s = 60000ms
387 - h : hours. 1h = 60m = 3600s = 3600000ms
388 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
389
390
Patrick Mezard35da19c2010-06-12 17:02:47 +02003912.3. Examples
392-------------
393
394 # Simple configuration for an HTTP proxy listening on port 80 on all
395 # interfaces and forwarding requests to a single backend "servers" with a
396 # single server "server1" listening on 127.0.0.1:8000
397 global
398 daemon
399 maxconn 256
400
401 defaults
402 mode http
403 timeout connect 5000ms
404 timeout client 50000ms
405 timeout server 50000ms
406
407 frontend http-in
408 bind *:80
409 default_backend servers
410
411 backend servers
412 server server1 127.0.0.1:8000 maxconn 32
413
414
415 # The same configuration defined with a single listen block. Shorter but
416 # less expressive, especially in HTTP mode.
417 global
418 daemon
419 maxconn 256
420
421 defaults
422 mode http
423 timeout connect 5000ms
424 timeout client 50000ms
425 timeout server 50000ms
426
427 listen http-in
428 bind *:80
429 server server1 127.0.0.1:8000 maxconn 32
430
431
432Assuming haproxy is in $PATH, test these configurations in a shell with:
433
Willy Tarreauccb289d2010-12-11 20:19:38 +0100434 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200435
436
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004373. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200438--------------------
439
440Parameters in the "global" section are process-wide and often OS-specific. They
441are generally set once for all and do not need being changed once correct. Some
442of them have command-line equivalents.
443
444The following keywords are supported in the "global" section :
445
446 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200447 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200448 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200449 - crt-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200450 - daemon
Simon Horman98637e52014-06-20 12:30:16 +0900451 - external-check
Willy Tarreau6a06a402007-07-15 20:15:28 +0200452 - gid
453 - group
454 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100455 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200456 - nbproc
457 - pidfile
458 - uid
459 - ulimit-n
460 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200461 - stats
Emeric Brun850efd52014-01-29 12:24:34 +0100462 - ssl-server-verify
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200463 - node
464 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100465 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100466
Willy Tarreau6a06a402007-07-15 20:15:28 +0200467 * Performance tuning
Willy Tarreau1746eec2014-04-25 10:46:47 +0200468 - max-spread-checks
Willy Tarreau6a06a402007-07-15 20:15:28 +0200469 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200470 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +0100471 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +0100472 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100473 - maxpipes
Willy Tarreau93e7c002013-10-07 18:51:07 +0200474 - maxsessrate
Willy Tarreau403edff2012-09-06 11:58:37 +0200475 - maxsslconn
Willy Tarreaue43d5322013-10-07 20:01:52 +0200476 - maxsslrate
Willy Tarreau6a06a402007-07-15 20:15:28 +0200477 - noepoll
478 - nokqueue
479 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100480 - nosplice
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300481 - nogetaddrinfo
Willy Tarreaufe255b72007-10-14 23:09:26 +0200482 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200483 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200484 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +0100485 - tune.comp.maxlevel
Willy Tarreau193b8c62012-11-22 00:17:38 +0100486 - tune.http.cookielen
Willy Tarreauac1932d2011-10-24 19:14:41 +0200487 - tune.http.maxhdr
Willy Tarreau7e312732014-02-12 16:35:14 +0100488 - tune.idletimer
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100489 - tune.maxaccept
490 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200491 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200492 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100493 - tune.rcvbuf.client
494 - tune.rcvbuf.server
495 - tune.sndbuf.client
496 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100497 - tune.ssl.cachesize
Willy Tarreaubfd59462013-02-21 07:46:09 +0100498 - tune.ssl.lifetime
Emeric Brun8dc60392014-05-09 13:52:00 +0200499 - tune.ssl.force-private-cache
Willy Tarreaubfd59462013-02-21 07:46:09 +0100500 - tune.ssl.maxrecord
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200501 - tune.ssl.default-dh-param
William Lallemanda509e4c2012-11-07 16:54:34 +0100502 - tune.zlib.memlevel
503 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +0100504
Willy Tarreau6a06a402007-07-15 20:15:28 +0200505 * Debugging
506 - debug
507 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200508
509
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005103.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200511------------------------------------
512
Emeric Brunc8e8d122012-10-02 18:42:10 +0200513ca-base <dir>
514 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emeric Brunfd33a262012-10-11 16:28:27 +0200515 relative path is used with "ca-file" or "crl-file" directives. Absolute
516 locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200517
Willy Tarreau6a06a402007-07-15 20:15:28 +0200518chroot <jail dir>
519 Changes current directory to <jail dir> and performs a chroot() there before
520 dropping privileges. This increases the security level in case an unknown
521 vulnerability would be exploited, since it would make it very hard for the
522 attacker to exploit the system. This only works when the process is started
523 with superuser privileges. It is important to ensure that <jail_dir> is both
524 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100525
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100526cpu-map <"all"|"odd"|"even"|process_num> <cpu-set>...
527 On Linux 2.6 and above, it is possible to bind a process to a specific CPU
528 set. This means that the process will never run on other CPUs. The "cpu-map"
529 directive specifies CPU sets for process sets. The first argument is the
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100530 process number to bind. This process must have a number between 1 and 32 or
531 64, depending on the machine's word size, and any process IDs above nbproc
532 are ignored. It is possible to specify all processes at once using "all",
533 only odd numbers using "odd" or even numbers using "even", just like with the
534 "bind-process" directive. The second and forthcoming arguments are CPU sets.
535 Each CPU set is either a unique number between 0 and 31 or 63 or a range with
536 two such numbers delimited by a dash ('-'). Multiple CPU numbers or ranges
537 may be specified, and the processes will be allowed to bind to all of them.
538 Obviously, multiple "cpu-map" directives may be specified. Each "cpu-map"
539 directive will replace the previous ones when they overlap.
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100540
Emeric Brunc8e8d122012-10-02 18:42:10 +0200541crt-base <dir>
542 Assigns a default directory to fetch SSL certificates from when a relative
543 path is used with "crtfile" directives. Absolute locations specified after
544 "crtfile" prevail and ignore "crt-base".
545
Willy Tarreau6a06a402007-07-15 20:15:28 +0200546daemon
547 Makes the process fork into background. This is the recommended mode of
548 operation. It is equivalent to the command line "-D" argument. It can be
549 disabled by the command line "-db" argument.
550
Simon Horman98637e52014-06-20 12:30:16 +0900551external-check
552 Allows the use of an external agent to perform health checks.
553 This is disabled by default as a security precaution.
554 See "option external-check".
555
Willy Tarreau6a06a402007-07-15 20:15:28 +0200556gid <number>
557 Changes the process' group ID to <number>. It is recommended that the group
558 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
559 be started with a user belonging to this group, or with superuser privileges.
Michael Schererab012dd2013-01-12 18:35:19 +0100560 Note that if haproxy is started from a user having supplementary groups, it
561 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200562 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100563
Willy Tarreau6a06a402007-07-15 20:15:28 +0200564group <group name>
565 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
566 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100567
Willy Tarreau18324f52014-06-27 18:10:07 +0200568log <address> [len <length>] <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200569 Adds a global syslog server. Up to two global servers can be defined. They
570 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100571 configured with "log global".
572
573 <address> can be one of:
574
Willy Tarreau2769aa02007-12-27 18:26:09 +0100575 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100576 no port is specified, 514 is used by default (the standard syslog
577 port).
578
David du Colombier24bb5f52011-03-17 10:40:23 +0100579 - An IPv6 address followed by a colon and optionally a UDP port. If
580 no port is specified, 514 is used by default (the standard syslog
581 port).
582
Robert Tsai81ae1952007-12-05 10:47:29 +0100583 - A filesystem path to a UNIX domain socket, keeping in mind
584 considerations for chroot (be sure the path is accessible inside
585 the chroot) and uid/gid (be sure the path is appropriately
586 writeable).
587
Willy Tarreaudad36a32013-03-11 01:20:04 +0100588 Any part of the address string may reference any number of environment
589 variables by preceding their name with a dollar sign ('$') and
590 optionally enclosing them with braces ('{}'), similarly to what is done
591 in Bourne shell.
592
Willy Tarreau18324f52014-06-27 18:10:07 +0200593 <length> is an optional maximum line length. Log lines larger than this value
594 will be truncated before being sent. The reason is that syslog
595 servers act differently on log line length. All servers support the
596 default value of 1024, but some servers simply drop larger lines
597 while others do log them. If a server supports long lines, it may
598 make sense to set this value here in order to avoid truncating long
599 lines. Similarly, if a server drops long lines, it is preferable to
600 truncate them before sending them. Accepted values are 80 to 65535
601 inclusive. The default value of 1024 is generally fine for all
602 standard usages. Some specific cases of long captures or
603 JSON-formated logs may require larger values.
604
Robert Tsai81ae1952007-12-05 10:47:29 +0100605 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200606
607 kern user mail daemon auth syslog lpr news
608 uucp cron auth2 ftp ntp audit alert cron2
609 local0 local1 local2 local3 local4 local5 local6 local7
610
611 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200612 all messages are sent. If a maximum level is specified, only messages with a
613 severity at least as important as this level will be sent. An optional minimum
614 level can be specified. If it is set, logs emitted with a more severe level
615 than this one will be capped to this level. This is used to avoid sending
616 "emerg" messages on all terminals on some default syslog configurations.
617 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200618
Cyril Bontédc4d9032012-04-08 21:57:39 +0200619 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200620
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100621log-send-hostname [<string>]
622 Sets the hostname field in the syslog header. If optional "string" parameter
623 is set the header is set to the string contents, otherwise uses the hostname
624 of the system. Generally used if one is not relaying logs through an
625 intermediate syslog server or for simply customizing the hostname printed in
626 the logs.
627
Kevinm48936af2010-12-22 16:08:21 +0000628log-tag <string>
629 Sets the tag field in the syslog header to this string. It defaults to the
630 program name as launched from the command line, which usually is "haproxy".
631 Sometimes it can be useful to differentiate between multiple processes
Willy Tarreau094af4e2015-01-07 15:03:42 +0100632 running on the same host. See also the per-proxy "log-tag" directive.
Kevinm48936af2010-12-22 16:08:21 +0000633
Willy Tarreau6a06a402007-07-15 20:15:28 +0200634nbproc <number>
635 Creates <number> processes when going daemon. This requires the "daemon"
636 mode. By default, only one process is created, which is the recommended mode
637 of operation. For systems limited to small sets of file descriptors per
638 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
639 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
640
641pidfile <pidfile>
642 Writes pids of all daemons into file <pidfile>. This option is equivalent to
643 the "-p" command line argument. The file must be accessible to the user
644 starting the process. See also "daemon".
645
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100646stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +0200647 Limits the stats socket to a certain set of processes numbers. By default the
648 stats socket is bound to all processes, causing a warning to be emitted when
649 nbproc is greater than 1 because there is no way to select the target process
650 when connecting. However, by using this setting, it becomes possible to pin
651 the stats socket to a specific set of processes, typically the first one. The
652 warning will automatically be disabled when this setting is used, whatever
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100653 the number of processes used. The maximum process ID depends on the machine's
Willy Tarreauae302532014-05-07 19:22:24 +0200654 word size (32 or 64). A better option consists in using the "process" setting
655 of the "stats socket" line to force the process on each line.
Willy Tarreau35b7b162012-10-22 23:17:18 +0200656
Willy Tarreau610f04b2014-02-13 11:36:41 +0100657ssl-default-bind-ciphers <ciphers>
658 This setting is only available when support for OpenSSL was built in. It sets
659 the default string describing the list of cipher algorithms ("cipher suite")
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300660 that are negotiated during the SSL/TLS handshake for all "bind" lines which
Willy Tarreau610f04b2014-02-13 11:36:41 +0100661 do not explicitly define theirs. The format of the string is defined in
662 "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
663 as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
664 "bind" keyword for more information.
665
Emeric Brun2c86cbf2014-10-30 15:56:50 +0100666ssl-default-bind-options [<option>]...
667 This setting is only available when support for OpenSSL was built in. It sets
668 default ssl-options to force on all "bind" lines. Please check the "bind"
669 keyword to see available options.
670
671 Example:
672 global
673 ssl-default-bind-options no-sslv3 no-tls-tickets
674
Willy Tarreau610f04b2014-02-13 11:36:41 +0100675ssl-default-server-ciphers <ciphers>
676 This setting is only available when support for OpenSSL was built in. It
677 sets the default string describing the list of cipher algorithms that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300678 negotiated during the SSL/TLS handshake with the server, for all "server"
Willy Tarreau610f04b2014-02-13 11:36:41 +0100679 lines which do not explicitly define theirs. The format of the string is
680 defined in "man 1 ciphers". Please check the "server" keyword for more
681 information.
682
Emeric Brun2c86cbf2014-10-30 15:56:50 +0100683ssl-default-server-options [<option>]...
684 This setting is only available when support for OpenSSL was built in. It sets
685 default ssl-options to force on all "server" lines. Please check the "server"
686 keyword to see available options.
687
Emeric Brun850efd52014-01-29 12:24:34 +0100688ssl-server-verify [none|required]
689 The default behavior for SSL verify on servers side. If specified to 'none',
690 servers certificates are not verified. The default is 'required' except if
691 forced using cmdline option '-dV'.
692
Willy Tarreauabb175f2012-09-24 12:43:26 +0200693stats socket [<address:port>|<path>] [param*]
694 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
695 Connections to this socket will return various statistics outputs and even
696 allow some commands to be issued to change some runtime settings. Please
697 consult section 9.2 "Unix Socket commands" for more details.
Willy Tarreau6162db22009-10-10 17:13:00 +0200698
Willy Tarreauabb175f2012-09-24 12:43:26 +0200699 All parameters supported by "bind" lines are supported, for instance to
700 restrict access to some users or their access rights. Please consult
701 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200702
703stats timeout <timeout, in milliseconds>
704 The default timeout on the stats socket is set to 10 seconds. It is possible
705 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100706 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200707
708stats maxconn <connections>
709 By default, the stats socket is limited to 10 concurrent connections. It is
710 possible to change this value with "stats maxconn".
711
Willy Tarreau6a06a402007-07-15 20:15:28 +0200712uid <number>
713 Changes the process' user ID to <number>. It is recommended that the user ID
714 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
715 be started with superuser privileges in order to be able to switch to another
716 one. See also "gid" and "user".
717
718ulimit-n <number>
719 Sets the maximum number of per-process file-descriptors to <number>. By
720 default, it is automatically computed, so it is recommended not to use this
721 option.
722
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100723unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
724 [ group <group> ] [ gid <gid> ]
725
726 Fixes common settings to UNIX listening sockets declared in "bind" statements.
727 This is mainly used to simplify declaration of those UNIX sockets and reduce
728 the risk of errors, since those settings are most commonly required but are
729 also process-specific. The <prefix> setting can be used to force all socket
730 path to be relative to that directory. This might be needed to access another
731 component's chroot. Note that those paths are resolved before haproxy chroots
732 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
733 all have the same meaning as their homonyms used by the "bind" statement. If
734 both are specified, the "bind" statement has priority, meaning that the
735 "unix-bind" settings may be seen as process-wide default settings.
736
Willy Tarreau6a06a402007-07-15 20:15:28 +0200737user <user name>
738 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
739 See also "uid" and "group".
740
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200741node <name>
742 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
743
744 This statement is useful in HA configurations where two or more processes or
745 servers share the same IP address. By setting a different node-name on all
746 nodes, it becomes easy to immediately spot what server is handling the
747 traffic.
748
749description <text>
750 Add a text that describes the instance.
751
752 Please note that it is required to escape certain characters (# for example)
753 and this text is inserted into a html page so you should avoid using
754 "<" and ">" characters.
755
Willy Tarreau6a06a402007-07-15 20:15:28 +0200756
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007573.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200758-----------------------
759
Willy Tarreau1746eec2014-04-25 10:46:47 +0200760max-spread-checks <delay in milliseconds>
761 By default, haproxy tries to spread the start of health checks across the
762 smallest health check interval of all the servers in a farm. The principle is
763 to avoid hammering services running on the same server. But when using large
764 check intervals (10 seconds or more), the last servers in the farm take some
765 time before starting to be tested, which can be a problem. This parameter is
766 used to enforce an upper bound on delay between the first and the last check,
767 even if the servers' check intervals are larger. When servers run with
768 shorter intervals, their intervals will be respected though.
769
Willy Tarreau6a06a402007-07-15 20:15:28 +0200770maxconn <number>
771 Sets the maximum per-process number of concurrent connections to <number>. It
772 is equivalent to the command-line argument "-n". Proxies will stop accepting
773 connections when this limit is reached. The "ulimit-n" parameter is
Willy Tarreau8274e102014-06-19 15:31:25 +0200774 automatically adjusted according to this value. See also "ulimit-n". Note:
775 the "select" poller cannot reliably use more than 1024 file descriptors on
776 some platforms. If your platform only supports select and reports "select
777 FAILED" on startup, you need to reduce maxconn until it works (slightly
778 below 500 in general).
Willy Tarreau6a06a402007-07-15 20:15:28 +0200779
Willy Tarreau81c25d02011-09-07 15:17:21 +0200780maxconnrate <number>
781 Sets the maximum per-process number of connections per second to <number>.
782 Proxies will stop accepting connections when this limit is reached. It can be
783 used to limit the global capacity regardless of each frontend capacity. It is
784 important to note that this can only be used as a service protection measure,
785 as there will not necessarily be a fair share between frontends when the
786 limit is reached, so it's a good idea to also limit each frontend to some
787 value close to its expected share. Also, lowering tune.maxaccept can improve
788 fairness.
789
William Lallemandd85f9172012-11-09 17:05:39 +0100790maxcomprate <number>
791 Sets the maximum per-process input compression rate to <number> kilobytes
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300792 per second. For each session, if the maximum is reached, the compression
William Lallemandd85f9172012-11-09 17:05:39 +0100793 level will be decreased during the session. If the maximum is reached at the
794 beginning of a session, the session will not compress at all. If the maximum
795 is not reached, the compression level will be increased up to
796 tune.comp.maxlevel. A value of zero means there is no limit, this is the
797 default value.
798
William Lallemand072a2bf2012-11-20 17:01:01 +0100799maxcompcpuusage <number>
800 Sets the maximum CPU usage HAProxy can reach before stopping the compression
801 for new requests or decreasing the compression level of current requests.
802 It works like 'maxcomprate' but measures CPU usage instead of incoming data
803 bandwidth. The value is expressed in percent of the CPU used by haproxy. In
804 case of multiple processes (nbproc > 1), each process manages its individual
805 usage. A value of 100 disable the limit. The default value is 100. Setting
806 a lower value will prevent the compression work from slowing the whole
807 process down and from introducing high latencies.
808
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100809maxpipes <number>
810 Sets the maximum per-process number of pipes to <number>. Currently, pipes
811 are only used by kernel-based tcp splicing. Since a pipe contains two file
812 descriptors, the "ulimit-n" value will be increased accordingly. The default
813 value is maxconn/4, which seems to be more than enough for most heavy usages.
814 The splice code dynamically allocates and releases pipes, and can fall back
815 to standard copy, so setting this value too low may only impact performance.
816
Willy Tarreau93e7c002013-10-07 18:51:07 +0200817maxsessrate <number>
818 Sets the maximum per-process number of sessions per second to <number>.
819 Proxies will stop accepting connections when this limit is reached. It can be
820 used to limit the global capacity regardless of each frontend capacity. It is
821 important to note that this can only be used as a service protection measure,
822 as there will not necessarily be a fair share between frontends when the
823 limit is reached, so it's a good idea to also limit each frontend to some
824 value close to its expected share. Also, lowering tune.maxaccept can improve
825 fairness.
826
Willy Tarreau403edff2012-09-06 11:58:37 +0200827maxsslconn <number>
828 Sets the maximum per-process number of concurrent SSL connections to
829 <number>. By default there is no SSL-specific limit, which means that the
830 global maxconn setting will apply to all connections. Setting this limit
831 avoids having openssl use too much memory and crash when malloc returns NULL
832 (since it unfortunately does not reliably check for such conditions). Note
833 that the limit applies both to incoming and outgoing connections, so one
834 connection which is deciphered then ciphered accounts for 2 SSL connections.
835
Willy Tarreaue43d5322013-10-07 20:01:52 +0200836maxsslrate <number>
837 Sets the maximum per-process number of SSL sessions per second to <number>.
838 SSL listeners will stop accepting connections when this limit is reached. It
839 can be used to limit the global SSL CPU usage regardless of each frontend
840 capacity. It is important to note that this can only be used as a service
841 protection measure, as there will not necessarily be a fair share between
842 frontends when the limit is reached, so it's a good idea to also limit each
843 frontend to some value close to its expected share. It is also important to
844 note that the sessions are accounted before they enter the SSL stack and not
845 after, which also protects the stack against bad handshakes. Also, lowering
846 tune.maxaccept can improve fairness.
847
William Lallemand9d5f5482012-11-07 16:12:57 +0100848maxzlibmem <number>
849 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
850 When the maximum amount is reached, future sessions will not compress as long
851 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +0100852 The default value is 0. The value is available in bytes on the UNIX socket
853 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
854 "ZlibMemUsage" in bytes.
855
Willy Tarreau6a06a402007-07-15 20:15:28 +0200856noepoll
857 Disables the use of the "epoll" event polling system on Linux. It is
858 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100859 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200860
861nokqueue
862 Disables the use of the "kqueue" event polling system on BSD. It is
863 equivalent to the command-line argument "-dk". The next polling system
864 used will generally be "poll". See also "nopoll".
865
866nopoll
867 Disables the use of the "poll" event polling system. It is equivalent to the
868 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100869 It should never be needed to disable "poll" since it's available on all
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100870 platforms supported by HAProxy. See also "nokqueue" and "noepoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200871
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100872nosplice
873 Disables the use of kernel tcp splicing between sockets on Linux. It is
874 equivalent to the command line argument "-dS". Data will then be copied
875 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100876 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100877 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
878 be used. This option makes it easier to globally disable kernel splicing in
879 case of doubt. See also "option splice-auto", "option splice-request" and
880 "option splice-response".
881
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300882nogetaddrinfo
883 Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
884 the command line argument "-dG". Deprecated gethostbyname(3) will be used.
885
Willy Tarreaufe255b72007-10-14 23:09:26 +0200886spread-checks <0..50, in percent>
Simon Hormand60d6912013-11-25 10:46:36 +0900887 Sometimes it is desirable to avoid sending agent and health checks to
888 servers at exact intervals, for instance when many logical servers are
889 located on the same physical server. With the help of this parameter, it
890 becomes possible to add some randomness in the check interval between 0
891 and +/- 50%. A value between 2 and 5 seems to show good results. The
892 default value remains at 0.
Willy Tarreaufe255b72007-10-14 23:09:26 +0200893
Willy Tarreau33cb0652014-12-23 22:52:37 +0100894tune.buffers.limit <number>
895 Sets a hard limit on the number of buffers which may be allocated per process.
896 The default value is zero which means unlimited. The minimum non-zero value
897 will always be greater than "tune.buffers.reserve" and should ideally always
898 be about twice as large. Forcing this value can be particularly useful to
899 limit the amount of memory a process may take, while retaining a sane
900 behaviour. When this limit is reached, sessions which need a buffer wait for
901 another one to be released by another session. Since buffers are dynamically
902 allocated and released, the waiting time is very short and not perceptible
903 provided that limits remain reasonable. In fact sometimes reducing the limit
904 may even increase performance by increasing the CPU cache's efficiency. Tests
905 have shown good results on average HTTP traffic with a limit to 1/10 of the
906 expected global maxconn setting, which also significantly reduces memory
907 usage. The memory savings come from the fact that a number of connections
908 will not allocate 2*tune.bufsize. It is best not to touch this value unless
909 advised to do so by an haproxy core developer.
910
Willy Tarreau1058ae72014-12-23 22:40:40 +0100911tune.buffers.reserve <number>
912 Sets the number of buffers which are pre-allocated and reserved for use only
913 during memory shortage conditions resulting in failed memory allocations. The
914 minimum value is 2 and is also the default. There is no reason a user would
915 want to change this value, it's mostly aimed at haproxy core developers.
916
Willy Tarreau27a674e2009-08-17 07:23:33 +0200917tune.bufsize <number>
918 Sets the buffer size to this size (in bytes). Lower values allow more
919 sessions to coexist in the same amount of RAM, and higher values allow some
920 applications with very large cookies to work. The default value is 16384 and
921 can be changed at build time. It is strongly recommended not to change this
922 from the default value, as very low values will break some services such as
923 statistics, and values larger than default size will increase memory usage,
924 possibly causing the system to run out of memory. At least the global maxconn
925 parameter should be decreased by the same factor as this one is increased.
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +0400926 If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
927 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
928 than this size, haproxy will return HTTP 502 (Bad Gateway).
Willy Tarreau27a674e2009-08-17 07:23:33 +0200929
Willy Tarreau43961d52010-10-04 20:39:20 +0200930tune.chksize <number>
931 Sets the check buffer size to this size (in bytes). Higher values may help
932 find string or regex patterns in very large pages, though doing so may imply
933 more memory and CPU usage. The default value is 16384 and can be changed at
934 build time. It is not recommended to change this value, but to use better
935 checks whenever possible.
936
William Lallemandf3747832012-11-09 12:33:10 +0100937tune.comp.maxlevel <number>
938 Sets the maximum compression level. The compression level affects CPU
939 usage during compression. This value affects CPU usage during compression.
940 Each session using compression initializes the compression algorithm with
941 this value. The default value is 1.
942
Willy Tarreau193b8c62012-11-22 00:17:38 +0100943tune.http.cookielen <number>
944 Sets the maximum length of captured cookies. This is the maximum value that
945 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
946 will automatically be truncated to this one. It is important not to set too
947 high a value because all cookie captures still allocate this size whatever
948 their configured value (they share a same pool). This value is per request
949 per response, so the memory allocated is twice this value per connection.
950 When not specified, the limit is set to 63 characters. It is recommended not
951 to change this value.
952
Willy Tarreauac1932d2011-10-24 19:14:41 +0200953tune.http.maxhdr <number>
954 Sets the maximum number of headers in a request. When a request comes with a
955 number of headers greater than this value (including the first line), it is
956 rejected with a "400 Bad Request" status code. Similarly, too large responses
957 are blocked with "502 Bad Gateway". The default value is 101, which is enough
958 for all usages, considering that the widely deployed Apache server uses the
959 same limit. It can be useful to push this limit further to temporarily allow
960 a buggy application to work by the time it gets fixed. Keep in mind that each
961 new header consumes 32bits of memory for each session, so don't push this
962 limit too high.
963
Willy Tarreau7e312732014-02-12 16:35:14 +0100964tune.idletimer <timeout>
965 Sets the duration after which haproxy will consider that an empty buffer is
966 probably associated with an idle stream. This is used to optimally adjust
967 some packet sizes while forwarding large and small data alternatively. The
968 decision to use splice() or to send large buffers in SSL is modulated by this
969 parameter. The value is in milliseconds between 0 and 65535. A value of zero
970 means that haproxy will not try to detect idle streams. The default is 1000,
971 which seems to correctly detect end user pauses (eg: read a page before
972 clicking). There should be not reason for changing this value. Please check
973 tune.ssl.maxrecord below.
974
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100975tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +0100976 Sets the maximum number of consecutive connections a process may accept in a
977 row before switching to other work. In single process mode, higher numbers
978 give better performance at high connection rates. However in multi-process
979 modes, keeping a bit of fairness between processes generally is better to
980 increase performance. This value applies individually to each listener, so
981 that the number of processes a listener is bound to is taken into account.
982 This value defaults to 64. In multi-process mode, it is divided by twice
983 the number of processes the listener is bound to. Setting this value to -1
984 completely disables the limitation. It should normally not be needed to tweak
985 this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100986
987tune.maxpollevents <number>
988 Sets the maximum amount of events that can be processed at once in a call to
989 the polling system. The default value is adapted to the operating system. It
990 has been noticed that reducing it below 200 tends to slightly decrease
991 latency at the expense of network bandwidth, and increasing it above 200
992 tends to trade latency for slightly increased bandwidth.
993
Willy Tarreau27a674e2009-08-17 07:23:33 +0200994tune.maxrewrite <number>
995 Sets the reserved buffer space to this size in bytes. The reserved space is
996 used for header rewriting or appending. The first reads on sockets will never
997 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
998 bufsize, though that does not make much sense since there are rarely large
999 numbers of headers to add. Setting it too high prevents processing of large
1000 requests or responses. Setting it too low prevents addition of new headers
1001 to already large requests or to POST requests. It is generally wise to set it
1002 to about 1024. It is automatically readjusted to half of bufsize if it is
1003 larger than that. This means you don't have to worry about it when changing
1004 bufsize.
1005
Willy Tarreaubd9a0a72011-10-23 21:14:29 +02001006tune.pipesize <number>
1007 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
1008 are the default size for the system. But sometimes when using TCP splicing,
1009 it can improve performance to increase pipe sizes, especially if it is
1010 suspected that pipes are not filled and that many calls to splice() are
1011 performed. This has an impact on the kernel's memory footprint, so this must
1012 not be changed if impacts are not understood.
1013
Willy Tarreaue803de22010-01-21 17:43:04 +01001014tune.rcvbuf.client <number>
1015tune.rcvbuf.server <number>
1016 Forces the kernel socket receive buffer size on the client or the server side
1017 to the specified value in bytes. This value applies to all TCP/HTTP frontends
1018 and backends. It should normally never be set, and the default size (0) lets
1019 the kernel autotune this value depending on the amount of available memory.
1020 However it can sometimes help to set it to very low values (eg: 4096) in
1021 order to save kernel memory by preventing it from buffering too large amounts
1022 of received data. Lower values will significantly increase CPU usage though.
1023
1024tune.sndbuf.client <number>
1025tune.sndbuf.server <number>
1026 Forces the kernel socket send buffer size on the client or the server side to
1027 the specified value in bytes. This value applies to all TCP/HTTP frontends
1028 and backends. It should normally never be set, and the default size (0) lets
1029 the kernel autotune this value depending on the amount of available memory.
1030 However it can sometimes help to set it to very low values (eg: 4096) in
1031 order to save kernel memory by preventing it from buffering too large amounts
1032 of received data. Lower values will significantly increase CPU usage though.
1033 Another use case is to prevent write timeouts with extremely slow clients due
1034 to the kernel waiting for a large part of the buffer to be read before
1035 notifying haproxy again.
1036
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001037tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +01001038 Sets the size of the global SSL session cache, in a number of blocks. A block
1039 is large enough to contain an encoded session without peer certificate.
1040 An encoded session with peer certificate is stored in multiple blocks
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001041 depending on the size of the peer certificate. A block uses approximately
Emeric Brunaf9619d2012-11-28 18:47:52 +01001042 200 bytes of memory. The default value may be forced at build time, otherwise
1043 defaults to 20000. When the cache is full, the most idle entries are purged
1044 and reassigned. Higher values reduce the occurrence of such a purge, hence
1045 the number of CPU-intensive SSL handshakes by ensuring that all users keep
1046 their session as long as possible. All entries are pre-allocated upon startup
Emeric Brun22890a12012-12-28 14:41:32 +01001047 and are shared between all processes if "nbproc" is greater than 1. Setting
1048 this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001049
Emeric Brun8dc60392014-05-09 13:52:00 +02001050tune.ssl.force-private-cache
1051 This boolean disables SSL session cache sharing between all processes. It
1052 should normally not be used since it will force many renegotiations due to
1053 clients hitting a random process. But it may be required on some operating
1054 systems where none of the SSL cache synchronization method may be used. In
1055 this case, adding a first layer of hash-based load balancing before the SSL
1056 layer might limit the impact of the lack of session sharing.
1057
Emeric Brun4f65bff2012-11-16 15:11:00 +01001058tune.ssl.lifetime <timeout>
1059 Sets how long a cached SSL session may remain valid. This time is expressed
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001060 in seconds and defaults to 300 (5 min). It is important to understand that it
Emeric Brun4f65bff2012-11-16 15:11:00 +01001061 does not guarantee that sessions will last that long, because if the cache is
1062 full, the longest idle sessions will be purged despite their configured
1063 lifetime. The real usefulness of this setting is to prevent sessions from
1064 being used for too long.
1065
Willy Tarreaubfd59462013-02-21 07:46:09 +01001066tune.ssl.maxrecord <number>
1067 Sets the maximum amount of bytes passed to SSL_write() at a time. Default
1068 value 0 means there is no limit. Over SSL/TLS, the client can decipher the
1069 data only once it has received a full record. With large records, it means
1070 that clients might have to download up to 16kB of data before starting to
1071 process them. Limiting the value can improve page load times on browsers
1072 located over high latency or low bandwidth networks. It is suggested to find
1073 optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over
1074 Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled),
1075 keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and
1076 2859 gave good results during tests. Use "strace -e trace=write" to find the
Willy Tarreau7e312732014-02-12 16:35:14 +01001077 best value. Haproxy will automatically switch to this setting after an idle
1078 stream has been detected (see tune.idletimer above).
Willy Tarreaubfd59462013-02-21 07:46:09 +01001079
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001080tune.ssl.default-dh-param <number>
1081 Sets the maximum size of the Diffie-Hellman parameters used for generating
1082 the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
1083 final size will try to match the size of the server's RSA (or DSA) key (e.g,
1084 a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
1085 this maximum value. Default value if 1024. Only 1024 or higher values are
1086 allowed. Higher values will increase the CPU load, and values greater than
1087 1024 bits are not supported by Java 7 and earlier clients. This value is not
1088 used if static Diffie-Hellman parameters are supplied via the certificate file.
1089
William Lallemanda509e4c2012-11-07 16:54:34 +01001090tune.zlib.memlevel <number>
1091 Sets the memLevel parameter in zlib initialization for each session. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001092 defines how much memory should be allocated for the internal compression
William Lallemanda509e4c2012-11-07 16:54:34 +01001093 state. A value of 1 uses minimum memory but is slow and reduces compression
1094 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
1095 between 1 and 9. The default value is 8.
1096
1097tune.zlib.windowsize <number>
1098 Sets the window size (the size of the history buffer) as a parameter of the
1099 zlib initialization for each session. Larger values of this parameter result
1100 in better compression at the expense of memory usage. Can be a value between
1101 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001102
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011033.3. Debugging
1104--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02001105
1106debug
1107 Enables debug mode which dumps to stdout all exchanges, and disables forking
1108 into background. It is the equivalent of the command-line argument "-d". It
1109 should never be used in a production configuration since it may prevent full
1110 system startup.
1111
1112quiet
1113 Do not display any message during startup. It is equivalent to the command-
1114 line argument "-q".
1115
Emeric Brunf099e792010-09-27 12:05:28 +02001116
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010011173.4. Userlists
1118--------------
1119It is possible to control access to frontend/backend/listen sections or to
1120http stats by allowing only authenticated and authorized users. To do this,
1121it is required to create at least one userlist and to define users.
1122
1123userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +01001124 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001125 used to store authentication & authorization data for independent customers.
1126
1127group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +01001128 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001129 attach users to this group by using a comma separated list of names
1130 proceeded by "users" keyword.
1131
Cyril Bontéf0c60612010-02-06 14:44:47 +01001132user <username> [password|insecure-password <password>]
1133 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001134 Adds user <username> to the current userlist. Both secure (encrypted) and
1135 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +01001136 evaluated using the crypt(3) function so depending of the system's
1137 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001138 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001139 DES-based method of encrypting passwords.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001140
1141
1142 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +01001143 userlist L1
1144 group G1 users tiger,scott
1145 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001146
Cyril Bontéf0c60612010-02-06 14:44:47 +01001147 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
1148 user scott insecure-password elgato
1149 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001150
Cyril Bontéf0c60612010-02-06 14:44:47 +01001151 userlist L2
1152 group G1
1153 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001154
Cyril Bontéf0c60612010-02-06 14:44:47 +01001155 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
1156 user scott insecure-password elgato groups G1,G2
1157 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001158
1159 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001160
Emeric Brunf099e792010-09-27 12:05:28 +02001161
11623.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +02001163----------
Emeric Brunf099e792010-09-27 12:05:28 +02001164It is possible to synchronize server entries in stick tables between several
1165haproxy instances over TCP connections in a multi-master fashion. Each instance
1166pushes its local updates and insertions to remote peers. Server IDs are used to
1167identify servers remotely, so it is important that configurations look similar
1168or at least that the same IDs are forced on each server on all participants.
1169Interrupted exchanges are automatically detected and recovered from the last
1170known point. In addition, during a soft restart, the old process connects to
1171the new one using such a TCP connection to push all its entries before the new
1172process tries to connect to other peers. That ensures very fast replication
1173during a reload, it typically takes a fraction of a second even for large
1174tables.
1175
1176peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001177 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +02001178 which is referenced by one or more stick-tables.
1179
1180peer <peername> <ip>:<port>
1181 Defines a peer inside a peers section.
1182 If <peername> is set to the local peer name (by default hostname, or forced
1183 using "-L" command line option), haproxy will listen for incoming remote peer
1184 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
1185 to join the remote peer, and <peername> is used at the protocol level to
1186 identify and validate the remote peer on the server side.
1187
1188 During a soft restart, local peer <ip>:<port> is used by the old instance to
1189 connect the new one and initiate a complete replication (teaching process).
1190
1191 It is strongly recommended to have the exact same peers declaration on all
1192 peers and to only rely on the "-L" command line argument to change the local
1193 peer name. This makes it easier to maintain coherent configuration files
1194 across all peers.
1195
Willy Tarreaudad36a32013-03-11 01:20:04 +01001196 Any part of the address string may reference any number of environment
1197 variables by preceding their name with a dollar sign ('$') and optionally
1198 enclosing them with braces ('{}'), similarly to what is done in Bourne shell.
1199
Cyril Bontédc4d9032012-04-08 21:57:39 +02001200 Example:
Emeric Brunf099e792010-09-27 12:05:28 +02001201 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001202 peer haproxy1 192.168.0.1:1024
1203 peer haproxy2 192.168.0.2:1024
1204 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02001205
1206 backend mybackend
1207 mode tcp
1208 balance roundrobin
1209 stick-table type ip size 20k peers mypeers
1210 stick on src
1211
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001212 server srv1 192.168.0.30:80
1213 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02001214
1215
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012164. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02001217----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001218
Willy Tarreau6a06a402007-07-15 20:15:28 +02001219Proxy configuration can be located in a set of sections :
1220 - defaults <name>
1221 - frontend <name>
1222 - backend <name>
1223 - listen <name>
1224
1225A "defaults" section sets default parameters for all other sections following
1226its declaration. Those default parameters are reset by the next "defaults"
1227section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001228section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001229
1230A "frontend" section describes a set of listening sockets accepting client
1231connections.
1232
1233A "backend" section describes a set of servers to which the proxy will connect
1234to forward incoming connections.
1235
1236A "listen" section defines a complete proxy with its frontend and backend
1237parts combined in one section. It is generally useful for TCP-only traffic.
1238
Willy Tarreau0ba27502007-12-24 16:55:16 +01001239All proxy names must be formed from upper and lower case letters, digits,
1240'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
1241case-sensitive, which means that "www" and "WWW" are two different proxies.
1242
1243Historically, all proxy names could overlap, it just caused troubles in the
1244logs. Since the introduction of content switching, it is mandatory that two
1245proxies with overlapping capabilities (frontend/backend) have different names.
1246However, it is still permitted that a frontend and a backend share the same
1247name, as this configuration seems to be commonly encountered.
1248
1249Right now, two major proxy modes are supported : "tcp", also known as layer 4,
1250and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001251bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001252protocol, and can interact with it by allowing, blocking, switching, adding,
1253modifying, or removing arbitrary contents in requests or responses, based on
1254arbitrary criteria.
1255
Willy Tarreau70dffda2014-01-30 03:07:23 +01001256In HTTP mode, the processing applied to requests and responses flowing over
1257a connection depends in the combination of the frontend's HTTP options and
1258the backend's. HAProxy supports 5 connection modes :
1259
1260 - KAL : keep alive ("option http-keep-alive") which is the default mode : all
1261 requests and responses are processed, and connections remain open but idle
1262 between responses and new requests.
1263
1264 - TUN: tunnel ("option http-tunnel") : this was the default mode for versions
1265 1.0 to 1.5-dev21 : only the first request and response are processed, and
1266 everything else is forwarded with no analysis at all. This mode should not
1267 be used as it creates lots of trouble with logging and HTTP processing.
1268
1269 - PCL: passive close ("option httpclose") : exactly the same as tunnel mode,
1270 but with "Connection: close" appended in both directions to try to make
1271 both ends close after the first request/response exchange.
1272
1273 - SCL: server close ("option http-server-close") : the server-facing
1274 connection is closed after the end of the response is received, but the
1275 client-facing connection remains open.
1276
1277 - FCL: forced close ("option forceclose") : the connection is actively closed
1278 after the end of the response.
1279
1280The effective mode that will be applied to a connection passing through a
1281frontend and a backend can be determined by both proxy modes according to the
1282following matrix, but in short, the modes are symmetric, keep-alive is the
1283weakest option and force close is the strongest.
1284
1285 Backend mode
1286
1287 | KAL | TUN | PCL | SCL | FCL
1288 ----+-----+-----+-----+-----+----
1289 KAL | KAL | TUN | PCL | SCL | FCL
1290 ----+-----+-----+-----+-----+----
1291 TUN | TUN | TUN | PCL | SCL | FCL
1292 Frontend ----+-----+-----+-----+-----+----
1293 mode PCL | PCL | PCL | PCL | FCL | FCL
1294 ----+-----+-----+-----+-----+----
1295 SCL | SCL | SCL | FCL | SCL | FCL
1296 ----+-----+-----+-----+-----+----
1297 FCL | FCL | FCL | FCL | FCL | FCL
1298
Willy Tarreau0ba27502007-12-24 16:55:16 +01001299
Willy Tarreau70dffda2014-01-30 03:07:23 +01001300
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013014.1. Proxy keywords matrix
1302--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001303
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001304The following list of keywords is supported. Most of them may only be used in a
1305limited set of section types. Some of them are marked as "deprecated" because
1306they are inherited from an old syntax which may be confusing or functionally
1307limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001308marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001309option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02001310and must be disabled for a specific instance. Such options may also be prefixed
1311with "default" in order to restore default settings regardless of what has been
1312specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001313
Willy Tarreau6a06a402007-07-15 20:15:28 +02001314
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001315 keyword defaults frontend listen backend
1316------------------------------------+----------+----------+---------+---------
1317acl - X X X
1318appsession - - X X
1319backlog X X X -
1320balance X - X X
1321bind - X X -
1322bind-process X X X X
1323block - X X X
1324capture cookie - X X -
1325capture request header - X X -
1326capture response header - X X -
1327clitimeout (deprecated) X X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02001328compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001329contimeout (deprecated) X - X X
1330cookie X - X X
1331default-server X - X X
1332default_backend X X X -
1333description - X X X
1334disabled X X X X
1335dispatch - - X X
1336enabled X X X X
1337errorfile X X X X
1338errorloc X X X X
1339errorloc302 X X X X
1340-- keyword -------------------------- defaults - frontend - listen -- backend -
1341errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001342force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001343fullconn X - X X
1344grace X X X X
1345hash-type X - X X
1346http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +01001347http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02001348http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001349http-request - X X X
Willy Tarreaue365c0b2013-06-11 16:06:12 +02001350http-response - X X X
Baptiste Assmann2c42ef52013-10-09 21:57:02 +02001351http-send-name-header - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001352id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001353ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001354log (*) X X X X
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01001355log-format X X X -
Willy Tarreau094af4e2015-01-07 15:03:42 +01001356log-tag X X X X
Willy Tarreauc35362a2014-04-25 13:58:37 +02001357max-keep-alive-queue X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001358maxconn X X X -
1359mode X X X X
1360monitor fail - X X -
1361monitor-net X X X -
1362monitor-uri X X X -
1363option abortonclose (*) X - X X
1364option accept-invalid-http-request (*) X X X -
1365option accept-invalid-http-response (*) X - X X
1366option allbackups (*) X - X X
1367option checkcache (*) X - X X
1368option clitcpka (*) X X X -
1369option contstats (*) X X X -
1370option dontlog-normal (*) X X X -
1371option dontlognull (*) X X X -
1372option forceclose (*) X X X X
1373-- keyword -------------------------- defaults - frontend - listen -- backend -
1374option forwardfor X X X X
Willy Tarreau16bfb022010-01-16 19:48:41 +01001375option http-keep-alive (*) X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001376option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001377option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001378option http-server-close (*) X X X X
Willy Tarreau02bce8b2014-01-30 00:15:28 +01001379option http-tunnel (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001380option http-use-proxy-header (*) X X X -
1381option httpchk X - X X
1382option httpclose (*) X X X X
1383option httplog X X X X
1384option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001385option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001386option ldap-check X - X X
Simon Horman98637e52014-06-20 12:30:16 +09001387option external-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001388option log-health-checks (*) X - X X
1389option log-separate-errors (*) X X X -
1390option logasap (*) X X X -
1391option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001392option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001393option nolinger (*) X X X X
1394option originalto X X X X
1395option persist (*) X - X X
1396option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001397option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001398option smtpchk X - X X
1399option socket-stats (*) X X X -
1400option splice-auto (*) X X X X
1401option splice-request (*) X X X X
1402option splice-response (*) X X X X
1403option srvtcpka (*) X - X X
1404option ssl-hello-chk X - X X
1405-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreaued179852013-12-16 01:07:00 +01001406option tcp-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001407option tcp-smart-accept (*) X X X -
1408option tcp-smart-connect (*) X - X X
1409option tcpka X X X X
1410option tcplog X X X X
1411option transparent (*) X - X X
Simon Horman98637e52014-06-20 12:30:16 +09001412external-check command X - X X
1413external-check path X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001414persist rdp-cookie X - X X
1415rate-limit sessions X X X -
1416redirect - X X X
1417redisp (deprecated) X - X X
1418redispatch (deprecated) X - X X
1419reqadd - X X X
1420reqallow - X X X
1421reqdel - X X X
1422reqdeny - X X X
1423reqiallow - X X X
1424reqidel - X X X
1425reqideny - X X X
1426reqipass - X X X
1427reqirep - X X X
1428reqisetbe - X X X
1429reqitarpit - X X X
1430reqpass - X X X
1431reqrep - X X X
1432-- keyword -------------------------- defaults - frontend - listen -- backend -
1433reqsetbe - X X X
1434reqtarpit - X X X
1435retries X - X X
1436rspadd - X X X
1437rspdel - X X X
1438rspdeny - X X X
1439rspidel - X X X
1440rspideny - X X X
1441rspirep - X X X
1442rsprep - X X X
1443server - - X X
1444source X - X X
1445srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001446stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001447stats auth X - X X
1448stats enable X - X X
1449stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001450stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001451stats realm X - X X
1452stats refresh X - X X
1453stats scope X - X X
1454stats show-desc X - X X
1455stats show-legends X - X X
1456stats show-node X - X X
1457stats uri X - X X
1458-- keyword -------------------------- defaults - frontend - listen -- backend -
1459stick match - - X X
1460stick on - - X X
1461stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001462stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001463stick-table - - X X
Willy Tarreau938c7fe2014-04-25 14:21:39 +02001464tcp-check connect - - X X
1465tcp-check expect - - X X
1466tcp-check send - - X X
1467tcp-check send-binary - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001468tcp-request connection - X X -
1469tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001470tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001471tcp-response content - - X X
1472tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001473timeout check X - X X
1474timeout client X X X -
Willy Tarreau05cdd962014-05-10 14:30:07 +02001475timeout client-fin X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001476timeout clitimeout (deprecated) X X X -
1477timeout connect X - X X
1478timeout contimeout (deprecated) X - X X
1479timeout http-keep-alive X X X X
1480timeout http-request X X X X
1481timeout queue X - X X
1482timeout server X - X X
Willy Tarreau05cdd962014-05-10 14:30:07 +02001483timeout server-fin X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001484timeout srvtimeout (deprecated) X - X X
1485timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001486timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001487transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001488unique-id-format X X X -
1489unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001490use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001491use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001492------------------------------------+----------+----------+---------+---------
1493 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001494
Willy Tarreau0ba27502007-12-24 16:55:16 +01001495
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014964.2. Alphabetically sorted keywords reference
1497---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001498
1499This section provides a description of each keyword and its usage.
1500
1501
1502acl <aclname> <criterion> [flags] [operator] <value> ...
1503 Declare or complete an access list.
1504 May be used in sections : defaults | frontend | listen | backend
1505 no | yes | yes | yes
1506 Example:
1507 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1508 acl invalid_src src_port 0:1023
1509 acl local_dst hdr(host) -i localhost
1510
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001511 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001512
1513
Cyril Bontéb21570a2009-11-29 20:04:48 +01001514appsession <cookie> len <length> timeout <holdtime>
1515 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001516 Define session stickiness on an existing application cookie.
1517 May be used in sections : defaults | frontend | listen | backend
1518 no | no | yes | yes
1519 Arguments :
1520 <cookie> this is the name of the cookie used by the application and which
1521 HAProxy will have to learn for each new session.
1522
Cyril Bontéb21570a2009-11-29 20:04:48 +01001523 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001524 checked in each cookie value.
1525
1526 <holdtime> this is the time after which the cookie will be removed from
1527 memory if unused. If no unit is specified, this time is in
1528 milliseconds.
1529
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001530 request-learn
1531 If this option is specified, then haproxy will be able to learn
1532 the cookie found in the request in case the server does not
1533 specify any in response. This is typically what happens with
1534 PHPSESSID cookies, or when haproxy's session expires before
1535 the application's session and the correct server is selected.
1536 It is recommended to specify this option to improve reliability.
1537
Cyril Bontéb21570a2009-11-29 20:04:48 +01001538 prefix When this option is specified, haproxy will match on the cookie
1539 prefix (or URL parameter prefix). The appsession value is the
1540 data following this prefix.
1541
1542 Example :
1543 appsession ASPSESSIONID len 64 timeout 3h prefix
1544
1545 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1546 the appsession value will be XXXX=XXXXX.
1547
1548 mode This option allows to change the URL parser mode.
1549 2 modes are currently supported :
1550 - path-parameters :
1551 The parser looks for the appsession in the path parameters
1552 part (each parameter is separated by a semi-colon), which is
1553 convenient for JSESSIONID for example.
1554 This is the default mode if the option is not set.
1555 - query-string :
1556 In this mode, the parser will look for the appsession in the
1557 query string.
1558
Willy Tarreau0ba27502007-12-24 16:55:16 +01001559 When an application cookie is defined in a backend, HAProxy will check when
1560 the server sets such a cookie, and will store its value in a table, and
1561 associate it with the server's identifier. Up to <length> characters from
1562 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001563 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1564 the mode used). If a known value is found, the client will be directed to the
1565 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001566 applied. Cookies are automatically removed from memory when they have been
1567 unused for a duration longer than <holdtime>.
1568
1569 The definition of an application cookie is limited to one per backend.
1570
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001571 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1572 unless you know what you do : memory is not shared between the
1573 processes, which can result in random behaviours.
1574
Willy Tarreau0ba27502007-12-24 16:55:16 +01001575 Example :
1576 appsession JSESSIONID len 52 timeout 3h
1577
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001578 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1579 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001580
1581
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001582backlog <conns>
1583 Give hints to the system about the approximate listen backlog desired size
1584 May be used in sections : defaults | frontend | listen | backend
1585 yes | yes | yes | no
1586 Arguments :
1587 <conns> is the number of pending connections. Depending on the operating
1588 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001589 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001590
1591 In order to protect against SYN flood attacks, one solution is to increase
1592 the system's SYN backlog size. Depending on the system, sometimes it is just
1593 tunable via a system parameter, sometimes it is not adjustable at all, and
1594 sometimes the system relies on hints given by the application at the time of
1595 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1596 to the listen() syscall. On systems which can make use of this value, it can
1597 sometimes be useful to be able to specify a different value, hence this
1598 backlog parameter.
1599
1600 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1601 used as a hint and the system accepts up to the smallest greater power of
1602 two, and never more than some limits (usually 32768).
1603
1604 See also : "maxconn" and the target operating system's tuning guide.
1605
1606
Willy Tarreau0ba27502007-12-24 16:55:16 +01001607balance <algorithm> [ <arguments> ]
Willy Tarreau226071e2014-04-10 11:55:45 +02001608balance url_param <param> [check_post]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001609 Define the load balancing algorithm to be used in a backend.
1610 May be used in sections : defaults | frontend | listen | backend
1611 yes | no | yes | yes
1612 Arguments :
1613 <algorithm> is the algorithm used to select a server when doing load
1614 balancing. This only applies when no persistence information
1615 is available, or when a connection is redispatched to another
1616 server. <algorithm> may be one of the following :
1617
1618 roundrobin Each server is used in turns, according to their weights.
1619 This is the smoothest and fairest algorithm when the server's
1620 processing time remains equally distributed. This algorithm
1621 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001622 on the fly for slow starts for instance. It is limited by
Godbacha34bdc02013-07-22 07:44:53 +08001623 design to 4095 active servers per backend. Note that in some
Willy Tarreau9757a382009-10-03 12:56:50 +02001624 large farms, when a server becomes up after having been down
1625 for a very short time, it may sometimes take a few hundreds
1626 requests for it to be re-integrated into the farm and start
1627 receiving traffic. This is normal, though very rare. It is
1628 indicated here in case you would have the chance to observe
1629 it, so that you don't worry.
1630
1631 static-rr Each server is used in turns, according to their weights.
1632 This algorithm is as similar to roundrobin except that it is
1633 static, which means that changing a server's weight on the
1634 fly will have no effect. On the other hand, it has no design
1635 limitation on the number of servers, and when a server goes
1636 up, it is always immediately reintroduced into the farm, once
1637 the full map is recomputed. It also uses slightly less CPU to
1638 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001639
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001640 leastconn The server with the lowest number of connections receives the
1641 connection. Round-robin is performed within groups of servers
1642 of the same load to ensure that all servers will be used. Use
1643 of this algorithm is recommended where very long sessions are
1644 expected, such as LDAP, SQL, TSE, etc... but is not very well
1645 suited for protocols using short sessions such as HTTP. This
1646 algorithm is dynamic, which means that server weights may be
1647 adjusted on the fly for slow starts for instance.
1648
Willy Tarreauf09c6602012-02-13 17:12:08 +01001649 first The first server with available connection slots receives the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001650 connection. The servers are chosen from the lowest numeric
Willy Tarreauf09c6602012-02-13 17:12:08 +01001651 identifier to the highest (see server parameter "id"), which
1652 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001653 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001654 not make sense to use this algorithm without setting maxconn.
1655 The purpose of this algorithm is to always use the smallest
1656 number of servers so that extra servers can be powered off
1657 during non-intensive hours. This algorithm ignores the server
1658 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001659 or IMAP than HTTP, though it can be useful there too. In
1660 order to use this algorithm efficiently, it is recommended
1661 that a cloud controller regularly checks server usage to turn
1662 them off when unused, and regularly checks backend queue to
1663 turn new servers on when the queue inflates. Alternatively,
1664 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001665
Willy Tarreau0ba27502007-12-24 16:55:16 +01001666 source The source IP address is hashed and divided by the total
1667 weight of the running servers to designate which server will
1668 receive the request. This ensures that the same client IP
1669 address will always reach the same server as long as no
1670 server goes down or up. If the hash result changes due to the
1671 number of running servers changing, many clients will be
1672 directed to a different server. This algorithm is generally
1673 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001674 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001675 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001676 static by default, which means that changing a server's
1677 weight on the fly will have no effect, but this can be
1678 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001679
Oskar Stolc8dc41842012-05-19 10:19:54 +01001680 uri This algorithm hashes either the left part of the URI (before
1681 the question mark) or the whole URI (if the "whole" parameter
1682 is present) and divides the hash value by the total weight of
1683 the running servers. The result designates which server will
1684 receive the request. This ensures that the same URI will
1685 always be directed to the same server as long as no server
1686 goes up or down. This is used with proxy caches and
1687 anti-virus proxies in order to maximize the cache hit rate.
1688 Note that this algorithm may only be used in an HTTP backend.
1689 This algorithm is static by default, which means that
1690 changing a server's weight on the fly will have no effect,
1691 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001692
Oskar Stolc8dc41842012-05-19 10:19:54 +01001693 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001694 "depth", both followed by a positive integer number. These
1695 options may be helpful when it is needed to balance servers
1696 based on the beginning of the URI only. The "len" parameter
1697 indicates that the algorithm should only consider that many
1698 characters at the beginning of the URI to compute the hash.
1699 Note that having "len" set to 1 rarely makes sense since most
1700 URIs start with a leading "/".
1701
1702 The "depth" parameter indicates the maximum directory depth
1703 to be used to compute the hash. One level is counted for each
1704 slash in the request. If both parameters are specified, the
1705 evaluation stops when either is reached.
1706
Willy Tarreau0ba27502007-12-24 16:55:16 +01001707 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001708 the query string of each HTTP GET request.
1709
1710 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001711 request entity will be searched for the parameter argument,
1712 when it is not found in a query string after a question mark
Willy Tarreau226071e2014-04-10 11:55:45 +02001713 ('?') in the URL. The message body will only start to be
1714 analyzed once either the advertised amount of data has been
1715 received or the request buffer is full. In the unlikely event
1716 that chunked encoding is used, only the first chunk is
Cyril Bontédc4d9032012-04-08 21:57:39 +02001717 scanned. Parameter values separated by a chunk boundary, may
Willy Tarreau226071e2014-04-10 11:55:45 +02001718 be randomly balanced if at all. This keyword used to support
1719 an optional <max_wait> parameter which is now ignored.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001720
1721 If the parameter is found followed by an equal sign ('=') and
1722 a value, then the value is hashed and divided by the total
1723 weight of the running servers. The result designates which
1724 server will receive the request.
1725
1726 This is used to track user identifiers in requests and ensure
1727 that a same user ID will always be sent to the same server as
1728 long as no server goes up or down. If no value is found or if
1729 the parameter is not found, then a round robin algorithm is
1730 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001731 backend. This algorithm is static by default, which means
1732 that changing a server's weight on the fly will have no
1733 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001734
Cyril Bontédc4d9032012-04-08 21:57:39 +02001735 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1736 request. Just as with the equivalent ACL 'hdr()' function,
1737 the header name in parenthesis is not case sensitive. If the
1738 header is absent or if it does not contain any value, the
1739 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001740
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001741 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001742 reducing the hash algorithm to the main domain part with some
1743 specific headers such as 'Host'. For instance, in the Host
1744 value "haproxy.1wt.eu", only "1wt" will be considered.
1745
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001746 This algorithm is static by default, which means that
1747 changing a server's weight on the fly will have no effect,
1748 but this can be changed using "hash-type".
1749
Emeric Brun736aa232009-06-30 17:56:00 +02001750 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001751 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001752 The RDP cookie <name> (or "mstshash" if omitted) will be
1753 looked up and hashed for each incoming TCP request. Just as
1754 with the equivalent ACL 'req_rdp_cookie()' function, the name
1755 is not case-sensitive. This mechanism is useful as a degraded
1756 persistence mode, as it makes it possible to always send the
1757 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001758 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001759 used instead.
1760
1761 Note that for this to work, the frontend must ensure that an
1762 RDP cookie is already present in the request buffer. For this
1763 you must use 'tcp-request content accept' rule combined with
1764 a 'req_rdp_cookie_cnt' ACL.
1765
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001766 This algorithm is static by default, which means that
1767 changing a server's weight on the fly will have no effect,
1768 but this can be changed using "hash-type".
1769
Cyril Bontédc4d9032012-04-08 21:57:39 +02001770 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001771
Willy Tarreau0ba27502007-12-24 16:55:16 +01001772 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001773 algorithms. Right now, only "url_param" and "uri" support an
1774 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001775
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001776 The load balancing algorithm of a backend is set to roundrobin when no other
1777 algorithm, mode nor option have been set. The algorithm may only be set once
1778 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001779
1780 Examples :
1781 balance roundrobin
1782 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001783 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001784 balance hdr(User-Agent)
1785 balance hdr(host)
1786 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001787
1788 Note: the following caveats and limitations on using the "check_post"
1789 extension with "url_param" must be considered :
1790
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001791 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001792 to determine if the parameters will be found in the body or entity which
1793 may contain binary data. Therefore another method may be required to
1794 restrict consideration of POST requests that have no URL parameters in
1795 the body. (see acl reqideny http_end)
1796
1797 - using a <max_wait> value larger than the request buffer size does not
1798 make sense and is useless. The buffer size is set at build time, and
1799 defaults to 16 kB.
1800
1801 - Content-Encoding is not supported, the parameter search will probably
1802 fail; and load balancing will fall back to Round Robin.
1803
1804 - Expect: 100-continue is not supported, load balancing will fall back to
1805 Round Robin.
1806
1807 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1808 If the entire parameter value is not present in the first chunk, the
1809 selection of server is undefined (actually, defined by how little
1810 actually appeared in the first chunk).
1811
1812 - This feature does not support generation of a 100, 411 or 501 response.
1813
1814 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001815 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001816 white space or control characters are found, indicating the end of what
1817 might be a URL parameter list. This is probably not a concern with SGML
1818 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001819
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001820 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1821 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001822
1823
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001824bind [<address>]:<port_range> [, ...] [param*]
1825bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001826 Define one or several listening addresses and/or ports in a frontend.
1827 May be used in sections : defaults | frontend | listen | backend
1828 no | yes | yes | no
1829 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001830 <address> is optional and can be a host name, an IPv4 address, an IPv6
1831 address, or '*'. It designates the address the frontend will
1832 listen on. If unset, all IPv4 addresses of the system will be
1833 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001834 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreau24709282013-03-10 21:32:12 +01001835 Optionally, an address family prefix may be used before the
1836 address to force the family regardless of the address format,
1837 which can be useful to specify a path to a unix socket with
1838 no slash ('/'). Currently supported prefixes are :
1839 - 'ipv4@' -> address is always IPv4
1840 - 'ipv6@' -> address is always IPv6
1841 - 'unix@' -> address is a path to a local unix socket
Willy Tarreau70f72e02014-07-08 00:37:50 +02001842 - 'abns@' -> address is in abstract namespace (Linux only).
1843 Note: since abstract sockets are not "rebindable", they
1844 do not cope well with multi-process mode during
1845 soft-restart, so it is better to avoid them if
1846 nbproc is greater than 1. The effect is that if the
1847 new process fails to start, only one of the old ones
1848 will be able to rebind to the socket.
Willy Tarreau40aa0702013-03-10 23:51:38 +01001849 - 'fd@<n>' -> use file descriptor <n> inherited from the
1850 parent. The fd must be bound and may or may not already
1851 be listening.
Willy Tarreaudad36a32013-03-11 01:20:04 +01001852 Any part of the address string may reference any number of
1853 environment variables by preceding their name with a dollar
1854 sign ('$') and optionally enclosing them with braces ('{}'),
1855 similarly to what is done in Bourne shell.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001856
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001857 <port_range> is either a unique TCP port, or a port range for which the
1858 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001859 above. The port is mandatory for TCP listeners. Note that in
1860 the case of an IPv6 address, the port is always the number
1861 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001862 - a numerical port (ex: '80')
1863 - a dash-delimited ports range explicitly stating the lower
1864 and upper bounds (ex: '2000-2100') which are included in
1865 the range.
1866
1867 Particular care must be taken against port ranges, because
1868 every <address:port> couple consumes one socket (= a file
1869 descriptor), so it's easy to consume lots of descriptors
1870 with a simple range, and to run out of sockets. Also, each
1871 <address:port> couple must be used only once among all
1872 instances running on a same system. Please note that binding
1873 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001874 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001875 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001876
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001877 <path> is a UNIX socket path beginning with a slash ('/'). This is
1878 alternative to the TCP listening port. Haproxy will then
1879 receive UNIX connections on the socket located at this place.
1880 The path must begin with a slash and by default is absolute.
1881 It can be relative to the prefix defined by "unix-bind" in
1882 the global section. Note that the total length of the prefix
1883 followed by the socket path cannot exceed some system limits
1884 for UNIX sockets, which commonly are set to 107 characters.
1885
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001886 <param*> is a list of parameters common to all sockets declared on the
1887 same line. These numerous parameters depend on OS and build
1888 options and have a complete section dedicated to them. Please
1889 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001890
Willy Tarreau0ba27502007-12-24 16:55:16 +01001891 It is possible to specify a list of address:port combinations delimited by
1892 commas. The frontend will then listen on all of these addresses. There is no
1893 fixed limit to the number of addresses and ports which can be listened on in
1894 a frontend, as well as there is no limit to the number of "bind" statements
1895 in a frontend.
1896
1897 Example :
1898 listen http_proxy
1899 bind :80,:443
1900 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001901 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001902
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001903 listen http_https_proxy
1904 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02001905 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001906
Willy Tarreau24709282013-03-10 21:32:12 +01001907 listen http_https_proxy_explicit
1908 bind ipv6@:80
1909 bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
1910 bind unix@ssl-frontend.sock user root mode 600 accept-proxy
1911
Willy Tarreaudad36a32013-03-11 01:20:04 +01001912 listen external_bind_app1
1913 bind fd@${FD_APP1}
1914
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001915 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001916 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001917
1918
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001919bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001920 Limit visibility of an instance to a certain set of processes numbers.
1921 May be used in sections : defaults | frontend | listen | backend
1922 yes | yes | yes | yes
1923 Arguments :
1924 all All process will see this instance. This is the default. It
1925 may be used to override a default value.
1926
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001927 odd This instance will be enabled on processes 1,3,5,...63. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001928 option may be combined with other numbers.
1929
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001930 even This instance will be enabled on processes 2,4,6,...64. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001931 option may be combined with other numbers. Do not use it
1932 with less than 2 processes otherwise some instances might be
1933 missing from all processes.
1934
Willy Tarreau110ecc12012-11-15 17:50:01 +01001935 number The instance will be enabled on this process number or range,
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001936 whose values must all be between 1 and 32 or 64 depending on
Willy Tarreau102df612014-05-07 23:56:38 +02001937 the machine's word size. If a proxy is bound to process
1938 numbers greater than the configured global.nbproc, it will
1939 either be forced to process #1 if a single process was
1940 specified, or to all processes otherwise.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001941
1942 This keyword limits binding of certain instances to certain processes. This
1943 is useful in order not to have too many processes listening to the same
1944 ports. For instance, on a dual-core machine, it might make sense to set
1945 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1946 and 'even' instances.
1947
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001948 At the moment, it is not possible to reference more than 32 or 64 processes
1949 using this keyword, but this should be more than enough for most setups.
1950 Please note that 'all' really means all processes regardless of the machine's
1951 word size, and is not limited to the first 32 or 64.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001952
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02001953 Each "bind" line may further be limited to a subset of the proxy's processes,
1954 please consult the "process" bind keyword in section 5.1.
1955
Willy Tarreaub369a042014-09-16 13:21:03 +02001956 When a frontend has no explicit "bind-process" line, it tries to bind to all
1957 the processes referenced by its "bind" lines. That means that frontends can
1958 easily adapt to their listeners' processes.
1959
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001960 If some backends are referenced by frontends bound to other processes, the
1961 backend automatically inherits the frontend's processes.
1962
1963 Example :
1964 listen app_ip1
1965 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001966 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001967
1968 listen app_ip2
1969 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001970 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001971
1972 listen management
1973 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001974 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001975
Willy Tarreau110ecc12012-11-15 17:50:01 +01001976 listen management
1977 bind 10.0.0.4:80
1978 bind-process 1-4
1979
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02001980 See also : "nbproc" in global section, and "process" in section 5.1.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001981
1982
Willy Tarreau0ba27502007-12-24 16:55:16 +01001983block { if | unless } <condition>
1984 Block a layer 7 request if/unless a condition is matched
1985 May be used in sections : defaults | frontend | listen | backend
1986 no | yes | yes | yes
1987
1988 The HTTP request will be blocked very early in the layer 7 processing
1989 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001990 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02001991 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01001992 conditions are met or not met. There is no fixed limit to the number of
1993 "block" statements per instance.
1994
1995 Example:
1996 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1997 acl invalid_src src_port 0:1023
1998 acl local_dst hdr(host) -i localhost
1999 block if invalid_src || local_dst
2000
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002001 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002002
2003
2004capture cookie <name> len <length>
2005 Capture and log a cookie in the request and in the response.
2006 May be used in sections : defaults | frontend | listen | backend
2007 no | yes | yes | no
2008 Arguments :
2009 <name> is the beginning of the name of the cookie to capture. In order
2010 to match the exact name, simply suffix the name with an equal
2011 sign ('='). The full name will appear in the logs, which is
2012 useful with application servers which adjust both the cookie name
2013 and value (eg: ASPSESSIONXXXXX).
2014
2015 <length> is the maximum number of characters to report in the logs, which
2016 include the cookie name, the equal sign and the value, all in the
2017 standard "name=value" form. The string will be truncated on the
2018 right if it exceeds <length>.
2019
2020 Only the first cookie is captured. Both the "cookie" request headers and the
2021 "set-cookie" response headers are monitored. This is particularly useful to
2022 check for application bugs causing session crossing or stealing between
2023 users, because generally the user's cookies can only change on a login page.
2024
2025 When the cookie was not presented by the client, the associated log column
2026 will report "-". When a request does not cause a cookie to be assigned by the
2027 server, a "-" is reported in the response column.
2028
2029 The capture is performed in the frontend only because it is necessary that
2030 the log format does not change for a given frontend depending on the
2031 backends. This may change in the future. Note that there can be only one
Willy Tarreau193b8c62012-11-22 00:17:38 +01002032 "capture cookie" statement in a frontend. The maximum capture length is set
2033 by the global "tune.http.cookielen" setting and defaults to 63 characters. It
2034 is not possible to specify a capture in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002035
2036 Example:
2037 capture cookie ASPSESSION len 32
2038
2039 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002040 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002041
2042
2043capture request header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01002044 Capture and log the last occurrence of the specified request header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002045 May be used in sections : defaults | frontend | listen | backend
2046 no | yes | yes | no
2047 Arguments :
2048 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002049 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01002050 appear in the requests, with the first letter of each word in
2051 upper case. The header name will not appear in the logs, only the
2052 value is reported, but the position in the logs is respected.
2053
2054 <length> is the maximum number of characters to extract from the value and
2055 report in the logs. The string will be truncated on the right if
2056 it exceeds <length>.
2057
Willy Tarreau4460d032012-11-21 23:37:37 +01002058 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01002059 value will be added to the logs between braces ('{}'). If multiple headers
2060 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002061 in the same order they were declared in the configuration. Non-existent
2062 headers will be logged just as an empty string. Common uses for request
2063 header captures include the "Host" field in virtual hosting environments, the
2064 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002065 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002066 environments to find where the request came from.
2067
2068 Note that when capturing headers such as "User-agent", some spaces may be
2069 logged, making the log analysis more difficult. Thus be careful about what
2070 you log if you know your log parser is not smart enough to rely on the
2071 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002072
Willy Tarreau0900abb2012-11-22 00:21:46 +01002073 There is no limit to the number of captured request headers nor to their
2074 length, though it is wise to keep them low to limit memory usage per session.
2075 In order to keep log format consistent for a same frontend, header captures
2076 can only be declared in a frontend. It is not possible to specify a capture
2077 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002078
2079 Example:
2080 capture request header Host len 15
2081 capture request header X-Forwarded-For len 15
2082 capture request header Referrer len 15
2083
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002084 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002085 about logging.
2086
2087
2088capture response header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01002089 Capture and log the last occurrence of the specified response header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002090 May be used in sections : defaults | frontend | listen | backend
2091 no | yes | yes | no
2092 Arguments :
2093 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002094 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01002095 appear in the response, with the first letter of each word in
2096 upper case. The header name will not appear in the logs, only the
2097 value is reported, but the position in the logs is respected.
2098
2099 <length> is the maximum number of characters to extract from the value and
2100 report in the logs. The string will be truncated on the right if
2101 it exceeds <length>.
2102
Willy Tarreau4460d032012-11-21 23:37:37 +01002103 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01002104 result will be added to the logs between braces ('{}') after the captured
2105 request headers. If multiple headers are captured, they will be delimited by
2106 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002107 the configuration. Non-existent headers will be logged just as an empty
2108 string. Common uses for response header captures include the "Content-length"
2109 header which indicates how many bytes are expected to be returned, the
2110 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002111
Willy Tarreau0900abb2012-11-22 00:21:46 +01002112 There is no limit to the number of captured response headers nor to their
2113 length, though it is wise to keep them low to limit memory usage per session.
2114 In order to keep log format consistent for a same frontend, header captures
2115 can only be declared in a frontend. It is not possible to specify a capture
2116 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002117
2118 Example:
2119 capture response header Content-length len 9
2120 capture response header Location len 15
2121
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002122 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002123 about logging.
2124
2125
Cyril Bontéf0c60612010-02-06 14:44:47 +01002126clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002127 Set the maximum inactivity time on the client side.
2128 May be used in sections : defaults | frontend | listen | backend
2129 yes | yes | yes | no
2130 Arguments :
2131 <timeout> is the timeout value is specified in milliseconds by default, but
2132 can be in any other unit if the number is suffixed by the unit,
2133 as explained at the top of this document.
2134
2135 The inactivity timeout applies when the client is expected to acknowledge or
2136 send data. In HTTP mode, this timeout is particularly important to consider
2137 during the first phase, when the client sends the request, and during the
2138 response while it is reading data sent by the server. The value is specified
2139 in milliseconds by default, but can be in any other unit if the number is
2140 suffixed by the unit, as specified at the top of this document. In TCP mode
2141 (and to a lesser extent, in HTTP mode), it is highly recommended that the
2142 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002143 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01002144 losses by specifying timeouts that are slightly above multiples of 3 seconds
2145 (eg: 4 or 5 seconds).
2146
2147 This parameter is specific to frontends, but can be specified once for all in
2148 "defaults" sections. This is in fact one of the easiest solutions not to
2149 forget about it. An unspecified timeout results in an infinite timeout, which
2150 is not recommended. Such a usage is accepted and works but reports a warning
2151 during startup because it may results in accumulation of expired sessions in
2152 the system if the system's timeouts are not configured either.
2153
2154 This parameter is provided for compatibility but is currently deprecated.
2155 Please use "timeout client" instead.
2156
Willy Tarreau036fae02008-01-06 13:24:40 +01002157 See also : "timeout client", "timeout http-request", "timeout server", and
2158 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002159
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002160compression algo <algorithm> ...
2161compression type <mime type> ...
Willy Tarreau70737d12012-10-27 00:34:28 +02002162compression offload
William Lallemand82fe75c2012-10-23 10:25:10 +02002163 Enable HTTP compression.
2164 May be used in sections : defaults | frontend | listen | backend
2165 yes | yes | yes | yes
2166 Arguments :
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002167 algo is followed by the list of supported compression algorithms.
2168 type is followed by the list of MIME types that will be compressed.
2169 offload makes haproxy work as a compression offloader only (see notes).
2170
2171 The currently supported algorithms are :
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04002172 identity this is mostly for debugging, and it was useful for developing
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002173 the compression feature. Identity does not apply any change on
2174 data.
2175
2176 gzip applies gzip compression. This setting is only available when
2177 support for zlib was built in.
2178
2179 deflate same as gzip, but with deflate algorithm and zlib format.
2180 Note that this algorithm has ambiguous support on many browsers
2181 and no support at all from recent ones. It is strongly
2182 recommended not to use it for anything else than experimentation.
2183 This setting is only available when support for zlib was built
2184 in.
2185
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04002186 Compression will be activated depending on the Accept-Encoding request
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002187 header. With identity, it does not take care of that header.
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002188 If backend servers support HTTP compression, these directives
2189 will be no-op: haproxy will see the compressed response and will not
2190 compress again. If backend servers do not support HTTP compression and
2191 there is Accept-Encoding header in request, haproxy will compress the
2192 matching response.
Willy Tarreau70737d12012-10-27 00:34:28 +02002193
2194 The "offload" setting makes haproxy remove the Accept-Encoding header to
2195 prevent backend servers from compressing responses. It is strongly
2196 recommended not to do this because this means that all the compression work
2197 will be done on the single point where haproxy is located. However in some
2198 deployment scenarios, haproxy may be installed in front of a buggy gateway
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002199 with broken HTTP compression implementation which can't be turned off.
2200 In that case haproxy can be used to prevent that gateway from emitting
2201 invalid payloads. In this case, simply removing the header in the
2202 configuration does not work because it applies before the header is parsed,
2203 so that prevents haproxy from compressing. The "offload" setting should
Willy Tarreauffea9fd2014-07-12 16:37:02 +02002204 then be used for such scenarios. Note: for now, the "offload" setting is
2205 ignored when set in a defaults section.
William Lallemand82fe75c2012-10-23 10:25:10 +02002206
William Lallemand05097442012-11-20 12:14:28 +01002207 Compression is disabled when:
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002208 * the request does not advertise a supported compression algorithm in the
2209 "Accept-Encoding" header
2210 * the response message is not HTTP/1.1
William Lallemandd3002612012-11-26 14:34:47 +01002211 * HTTP status code is not 200
William Lallemand8bb4e342013-12-10 17:28:48 +01002212 * response header "Transfer-Encoding" contains "chunked" (Temporary
2213 Workaround)
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002214 * response contain neither a "Content-Length" header nor a
2215 "Transfer-Encoding" whose last value is "chunked"
2216 * response contains a "Content-Type" header whose first value starts with
2217 "multipart"
2218 * the response contains the "no-transform" value in the "Cache-control"
2219 header
2220 * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7
2221 and later
2222 * The response contains a "Content-Encoding" header, indicating that the
2223 response is already compressed (see compression offload)
William Lallemand05097442012-11-20 12:14:28 +01002224
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002225 Note: The compression does not rewrite Etag headers, and does not emit the
2226 Warning header.
William Lallemand05097442012-11-20 12:14:28 +01002227
William Lallemand82fe75c2012-10-23 10:25:10 +02002228 Examples :
2229 compression algo gzip
2230 compression type text/html text/plain
Willy Tarreau0ba27502007-12-24 16:55:16 +01002231
Cyril Bontéf0c60612010-02-06 14:44:47 +01002232contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002233 Set the maximum time to wait for a connection attempt to a server to succeed.
2234 May be used in sections : defaults | frontend | listen | backend
2235 yes | no | yes | yes
2236 Arguments :
2237 <timeout> is the timeout value is specified in milliseconds by default, but
2238 can be in any other unit if the number is suffixed by the unit,
2239 as explained at the top of this document.
2240
2241 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002242 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01002243 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01002244 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
2245 connect timeout also presets the queue timeout to the same value if this one
2246 has not been specified. Historically, the contimeout was also used to set the
2247 tarpit timeout in a listen section, which is not possible in a pure frontend.
2248
2249 This parameter is specific to backends, but can be specified once for all in
2250 "defaults" sections. This is in fact one of the easiest solutions not to
2251 forget about it. An unspecified timeout results in an infinite timeout, which
2252 is not recommended. Such a usage is accepted and works but reports a warning
2253 during startup because it may results in accumulation of failed sessions in
2254 the system if the system's timeouts are not configured either.
2255
2256 This parameter is provided for backwards compatibility but is currently
2257 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
2258 instead.
2259
2260 See also : "timeout connect", "timeout queue", "timeout tarpit",
2261 "timeout server", "contimeout".
2262
2263
Willy Tarreau55165fe2009-05-10 12:02:55 +02002264cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02002265 [ postonly ] [ preserve ] [ httponly ] [ secure ]
2266 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01002267 Enable cookie-based persistence in a backend.
2268 May be used in sections : defaults | frontend | listen | backend
2269 yes | no | yes | yes
2270 Arguments :
2271 <name> is the name of the cookie which will be monitored, modified or
2272 inserted in order to bring persistence. This cookie is sent to
2273 the client via a "Set-Cookie" header in the response, and is
2274 brought back by the client in a "Cookie" header in all requests.
2275 Special care should be taken to choose a name which does not
2276 conflict with any likely application cookie. Also, if the same
2277 backends are subject to be used by the same clients (eg:
2278 HTTP/HTTPS), care should be taken to use different cookie names
2279 between all backends if persistence between them is not desired.
2280
2281 rewrite This keyword indicates that the cookie will be provided by the
2282 server and that haproxy will have to modify its value to set the
2283 server's identifier in it. This mode is handy when the management
2284 of complex combinations of "Set-cookie" and "Cache-control"
2285 headers is left to the application. The application can then
2286 decide whether or not it is appropriate to emit a persistence
2287 cookie. Since all responses should be monitored, this mode only
2288 works in HTTP close mode. Unless the application behaviour is
2289 very complex and/or broken, it is advised not to start with this
2290 mode for new deployments. This keyword is incompatible with
2291 "insert" and "prefix".
2292
2293 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02002294 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002295
Willy Tarreaua79094d2010-08-31 22:54:15 +02002296 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002297 server. When used without the "preserve" option, if the server
2298 emits a cookie with the same name, it will be remove before
2299 processing. For this reason, this mode can be used to upgrade
2300 existing configurations running in the "rewrite" mode. The cookie
2301 will only be a session cookie and will not be stored on the
2302 client's disk. By default, unless the "indirect" option is added,
2303 the server will see the cookies emitted by the client. Due to
2304 caching effects, it is generally wise to add the "nocache" or
2305 "postonly" keywords (see below). The "insert" keyword is not
2306 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002307
2308 prefix This keyword indicates that instead of relying on a dedicated
2309 cookie for the persistence, an existing one will be completed.
2310 This may be needed in some specific environments where the client
2311 does not support more than one single cookie and the application
2312 already needs it. In this case, whenever the server sets a cookie
2313 named <name>, it will be prefixed with the server's identifier
2314 and a delimiter. The prefix will be removed from all client
2315 requests so that the server still finds the cookie it emitted.
2316 Since all requests and responses are subject to being modified,
2317 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02002318 not compatible with "rewrite" and "insert". Note: it is highly
2319 recommended not to use "indirect" with "prefix", otherwise server
2320 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002321
Willy Tarreaua79094d2010-08-31 22:54:15 +02002322 indirect When this option is specified, no cookie will be emitted to a
2323 client which already has a valid one for the server which has
2324 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002325 it will be removed, unless the "preserve" option is also set. In
2326 "insert" mode, this will additionally remove cookies from the
2327 requests transmitted to the server, making the persistence
2328 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02002329 Note: it is highly recommended not to use "indirect" with
2330 "prefix", otherwise server cookie updates would not be sent to
2331 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002332
2333 nocache This option is recommended in conjunction with the insert mode
2334 when there is a cache between the client and HAProxy, as it
2335 ensures that a cacheable response will be tagged non-cacheable if
2336 a cookie needs to be inserted. This is important because if all
2337 persistence cookies are added on a cacheable home page for
2338 instance, then all customers will then fetch the page from an
2339 outer cache and will all share the same persistence cookie,
2340 leading to one server receiving much more traffic than others.
2341 See also the "insert" and "postonly" options.
2342
2343 postonly This option ensures that cookie insertion will only be performed
2344 on responses to POST requests. It is an alternative to the
2345 "nocache" option, because POST responses are not cacheable, so
2346 this ensures that the persistence cookie will never get cached.
2347 Since most sites do not need any sort of persistence before the
2348 first POST which generally is a login request, this is a very
2349 efficient method to optimize caching without risking to find a
2350 persistence cookie in the cache.
2351 See also the "insert" and "nocache" options.
2352
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002353 preserve This option may only be used with "insert" and/or "indirect". It
2354 allows the server to emit the persistence cookie itself. In this
2355 case, if a cookie is found in the response, haproxy will leave it
2356 untouched. This is useful in order to end persistence after a
2357 logout request for instance. For this, the server just has to
2358 emit a cookie with an invalid value (eg: empty) or with a date in
2359 the past. By combining this mechanism with the "disable-on-404"
2360 check option, it is possible to perform a completely graceful
2361 shutdown because users will definitely leave the server after
2362 they logout.
2363
Willy Tarreau4992dd22012-05-31 21:02:17 +02002364 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
2365 when a cookie is inserted. This attribute is used so that a
2366 user agent doesn't share the cookie with non-HTTP components.
2367 Please check RFC6265 for more information on this attribute.
2368
2369 secure This option tells haproxy to add a "Secure" cookie attribute when
2370 a cookie is inserted. This attribute is used so that a user agent
2371 never emits this cookie over non-secure channels, which means
2372 that a cookie learned with this flag will be presented only over
2373 SSL/TLS connections. Please check RFC6265 for more information on
2374 this attribute.
2375
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002376 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002377 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01002378 name. If the domain begins with a dot, the browser is allowed to
2379 use it for any host ending with that name. It is also possible to
2380 specify several domain names by invoking this option multiple
2381 times. Some browsers might have small limits on the number of
2382 domains, so be careful when doing that. For the record, sending
2383 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002384
Willy Tarreau996a92c2010-10-13 19:30:47 +02002385 maxidle This option allows inserted cookies to be ignored after some idle
2386 time. It only works with insert-mode cookies. When a cookie is
2387 sent to the client, the date this cookie was emitted is sent too.
2388 Upon further presentations of this cookie, if the date is older
2389 than the delay indicated by the parameter (in seconds), it will
2390 be ignored. Otherwise, it will be refreshed if needed when the
2391 response is sent to the client. This is particularly useful to
2392 prevent users who never close their browsers from remaining for
2393 too long on the same server (eg: after a farm size change). When
2394 this option is set and a cookie has no date, it is always
2395 accepted, but gets refreshed in the response. This maintains the
2396 ability for admins to access their sites. Cookies that have a
2397 date in the future further than 24 hours are ignored. Doing so
2398 lets admins fix timezone issues without risking kicking users off
2399 the site.
2400
2401 maxlife This option allows inserted cookies to be ignored after some life
2402 time, whether they're in use or not. It only works with insert
2403 mode cookies. When a cookie is first sent to the client, the date
2404 this cookie was emitted is sent too. Upon further presentations
2405 of this cookie, if the date is older than the delay indicated by
2406 the parameter (in seconds), it will be ignored. If the cookie in
2407 the request has no date, it is accepted and a date will be set.
2408 Cookies that have a date in the future further than 24 hours are
2409 ignored. Doing so lets admins fix timezone issues without risking
2410 kicking users off the site. Contrary to maxidle, this value is
2411 not refreshed, only the first visit date counts. Both maxidle and
2412 maxlife may be used at the time. This is particularly useful to
2413 prevent users who never close their browsers from remaining for
2414 too long on the same server (eg: after a farm size change). This
2415 is stronger than the maxidle method in that it forces a
2416 redispatch after some absolute delay.
2417
Willy Tarreau0ba27502007-12-24 16:55:16 +01002418 There can be only one persistence cookie per HTTP backend, and it can be
2419 declared in a defaults section. The value of the cookie will be the value
2420 indicated after the "cookie" keyword in a "server" statement. If no cookie
2421 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002422
Willy Tarreau0ba27502007-12-24 16:55:16 +01002423 Examples :
2424 cookie JSESSIONID prefix
2425 cookie SRV insert indirect nocache
2426 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002427 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002428
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002429 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002430 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002431
Willy Tarreau983e01e2010-01-11 18:42:06 +01002432
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002433default-server [param*]
2434 Change default options for a server in a backend
2435 May be used in sections : defaults | frontend | listen | backend
2436 yes | no | yes | yes
2437 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002438 <param*> is a list of parameters for this server. The "default-server"
2439 keyword accepts an important number of options and has a complete
2440 section dedicated to it. Please refer to section 5 for more
2441 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002442
Willy Tarreau983e01e2010-01-11 18:42:06 +01002443 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002444 default-server inter 1000 weight 13
2445
2446 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002447
Willy Tarreau983e01e2010-01-11 18:42:06 +01002448
Willy Tarreau0ba27502007-12-24 16:55:16 +01002449default_backend <backend>
2450 Specify the backend to use when no "use_backend" rule has been matched.
2451 May be used in sections : defaults | frontend | listen | backend
2452 yes | yes | yes | no
2453 Arguments :
2454 <backend> is the name of the backend to use.
2455
2456 When doing content-switching between frontend and backends using the
2457 "use_backend" keyword, it is often useful to indicate which backend will be
2458 used when no rule has matched. It generally is the dynamic backend which
2459 will catch all undetermined requests.
2460
Willy Tarreau0ba27502007-12-24 16:55:16 +01002461 Example :
2462
2463 use_backend dynamic if url_dyn
2464 use_backend static if url_css url_img extension_img
2465 default_backend dynamic
2466
Willy Tarreau2769aa02007-12-27 18:26:09 +01002467 See also : "use_backend", "reqsetbe", "reqisetbe"
2468
Willy Tarreau0ba27502007-12-24 16:55:16 +01002469
Baptiste Assmann27f51342013-10-09 06:51:49 +02002470description <string>
2471 Describe a listen, frontend or backend.
2472 May be used in sections : defaults | frontend | listen | backend
2473 no | yes | yes | yes
2474 Arguments : string
2475
2476 Allows to add a sentence to describe the related object in the HAProxy HTML
2477 stats page. The description will be printed on the right of the object name
2478 it describes.
2479 No need to backslash spaces in the <string> arguments.
2480
2481
Willy Tarreau0ba27502007-12-24 16:55:16 +01002482disabled
2483 Disable a proxy, frontend or backend.
2484 May be used in sections : defaults | frontend | listen | backend
2485 yes | yes | yes | yes
2486 Arguments : none
2487
2488 The "disabled" keyword is used to disable an instance, mainly in order to
2489 liberate a listening port or to temporarily disable a service. The instance
2490 will still be created and its configuration will be checked, but it will be
2491 created in the "stopped" state and will appear as such in the statistics. It
2492 will not receive any traffic nor will it send any health-checks or logs. It
2493 is possible to disable many instances at once by adding the "disabled"
2494 keyword in a "defaults" section.
2495
2496 See also : "enabled"
2497
2498
Willy Tarreau5ce94572010-06-07 14:35:41 +02002499dispatch <address>:<port>
2500 Set a default server address
2501 May be used in sections : defaults | frontend | listen | backend
2502 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002503 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002504
2505 <address> is the IPv4 address of the default server. Alternatively, a
2506 resolvable hostname is supported, but this name will be resolved
2507 during start-up.
2508
2509 <ports> is a mandatory port specification. All connections will be sent
2510 to this port, and it is not permitted to use port offsets as is
2511 possible with normal servers.
2512
Willy Tarreau787aed52011-04-15 06:45:37 +02002513 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002514 server can take the connection. In the past it was used to forward non
2515 persistent connections to an auxiliary load balancer. Due to its simple
2516 syntax, it has also been used for simple TCP relays. It is recommended not to
2517 use it for more clarity, and to use the "server" directive instead.
2518
2519 See also : "server"
2520
2521
Willy Tarreau0ba27502007-12-24 16:55:16 +01002522enabled
2523 Enable a proxy, frontend or backend.
2524 May be used in sections : defaults | frontend | listen | backend
2525 yes | yes | yes | yes
2526 Arguments : none
2527
2528 The "enabled" keyword is used to explicitly enable an instance, when the
2529 defaults has been set to "disabled". This is very rarely used.
2530
2531 See also : "disabled"
2532
2533
2534errorfile <code> <file>
2535 Return a file contents instead of errors generated by HAProxy
2536 May be used in sections : defaults | frontend | listen | backend
2537 yes | yes | yes | yes
2538 Arguments :
2539 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002540 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002541
2542 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002543 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002544 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002545 error pages, and to use absolute paths, since files are read
2546 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002547
2548 It is important to understand that this keyword is not meant to rewrite
2549 errors returned by the server, but errors detected and returned by HAProxy.
2550 This is why the list of supported errors is limited to a small set.
2551
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002552 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2553
Willy Tarreau0ba27502007-12-24 16:55:16 +01002554 The files are returned verbatim on the TCP socket. This allows any trick such
2555 as redirections to another URL or site, as well as tricks to clean cookies,
2556 force enable or disable caching, etc... The package provides default error
2557 files returning the same contents as default errors.
2558
Willy Tarreau59140a22009-02-22 12:02:30 +01002559 The files should not exceed the configured buffer size (BUFSIZE), which
2560 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2561 not to put any reference to local contents (eg: images) in order to avoid
2562 loops between the client and HAProxy when all servers are down, causing an
2563 error to be returned instead of an image. For better HTTP compliance, it is
2564 recommended that all header lines end with CR-LF and not LF alone.
2565
Willy Tarreau0ba27502007-12-24 16:55:16 +01002566 The files are read at the same time as the configuration and kept in memory.
2567 For this reason, the errors continue to be returned even when the process is
2568 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002569 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002570 403 status code and interrogating a blocked URL.
2571
2572 See also : "errorloc", "errorloc302", "errorloc303"
2573
Willy Tarreau59140a22009-02-22 12:02:30 +01002574 Example :
2575 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
Willy Tarreau2705a612014-05-23 17:38:34 +02002576 errorfile 408 /dev/null # workaround Chrome pre-connect bug
Willy Tarreau59140a22009-02-22 12:02:30 +01002577 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2578 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2579
Willy Tarreau2769aa02007-12-27 18:26:09 +01002580
2581errorloc <code> <url>
2582errorloc302 <code> <url>
2583 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2584 May be used in sections : defaults | frontend | listen | backend
2585 yes | yes | yes | yes
2586 Arguments :
2587 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002588 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002589
2590 <url> it is the exact contents of the "Location" header. It may contain
2591 either a relative URI to an error page hosted on the same site,
2592 or an absolute URI designating an error page on another site.
2593 Special care should be given to relative URIs to avoid redirect
2594 loops if the URI itself may generate the same error (eg: 500).
2595
2596 It is important to understand that this keyword is not meant to rewrite
2597 errors returned by the server, but errors detected and returned by HAProxy.
2598 This is why the list of supported errors is limited to a small set.
2599
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002600 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2601
Willy Tarreau2769aa02007-12-27 18:26:09 +01002602 Note that both keyword return the HTTP 302 status code, which tells the
2603 client to fetch the designated URL using the same HTTP method. This can be
2604 quite problematic in case of non-GET methods such as POST, because the URL
2605 sent to the client might not be allowed for something other than GET. To
2606 workaround this problem, please use "errorloc303" which send the HTTP 303
2607 status code, indicating to the client that the URL must be fetched with a GET
2608 request.
2609
2610 See also : "errorfile", "errorloc303"
2611
2612
2613errorloc303 <code> <url>
2614 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2615 May be used in sections : defaults | frontend | listen | backend
2616 yes | yes | yes | yes
2617 Arguments :
2618 <code> is the HTTP status code. Currently, HAProxy is capable of
2619 generating codes 400, 403, 408, 500, 502, 503, and 504.
2620
2621 <url> it is the exact contents of the "Location" header. It may contain
2622 either a relative URI to an error page hosted on the same site,
2623 or an absolute URI designating an error page on another site.
2624 Special care should be given to relative URIs to avoid redirect
2625 loops if the URI itself may generate the same error (eg: 500).
2626
2627 It is important to understand that this keyword is not meant to rewrite
2628 errors returned by the server, but errors detected and returned by HAProxy.
2629 This is why the list of supported errors is limited to a small set.
2630
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002631 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2632
Willy Tarreau2769aa02007-12-27 18:26:09 +01002633 Note that both keyword return the HTTP 303 status code, which tells the
2634 client to fetch the designated URL using the same HTTP GET method. This
2635 solves the usual problems associated with "errorloc" and the 302 code. It is
2636 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002637 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002638
2639 See also : "errorfile", "errorloc", "errorloc302"
2640
2641
Willy Tarreau4de91492010-01-22 19:10:05 +01002642force-persist { if | unless } <condition>
2643 Declare a condition to force persistence on down servers
2644 May be used in sections: defaults | frontend | listen | backend
2645 no | yes | yes | yes
2646
2647 By default, requests are not dispatched to down servers. It is possible to
2648 force this using "option persist", but it is unconditional and redispatches
2649 to a valid server if "option redispatch" is set. That leaves with very little
2650 possibilities to force some requests to reach a server which is artificially
2651 marked down for maintenance operations.
2652
2653 The "force-persist" statement allows one to declare various ACL-based
2654 conditions which, when met, will cause a request to ignore the down status of
2655 a server and still try to connect to it. That makes it possible to start a
2656 server, still replying an error to the health checks, and run a specially
2657 configured browser to test the service. Among the handy methods, one could
2658 use a specific source IP address, or a specific cookie. The cookie also has
2659 the advantage that it can easily be added/removed on the browser from a test
2660 page. Once the service is validated, it is then possible to open the service
2661 to the world by returning a valid response to health checks.
2662
2663 The forced persistence is enabled when an "if" condition is met, or unless an
2664 "unless" condition is met. The final redispatch is always disabled when this
2665 is used.
2666
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002667 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002668 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002669
2670
Willy Tarreau2769aa02007-12-27 18:26:09 +01002671fullconn <conns>
2672 Specify at what backend load the servers will reach their maxconn
2673 May be used in sections : defaults | frontend | listen | backend
2674 yes | no | yes | yes
2675 Arguments :
2676 <conns> is the number of connections on the backend which will make the
2677 servers use the maximal number of connections.
2678
Willy Tarreau198a7442008-01-17 12:05:32 +01002679 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002680 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002681 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002682 load. The server will then always accept at least <minconn> connections,
2683 never more than <maxconn>, and the limit will be on the ramp between both
2684 values when the backend has less than <conns> concurrent connections. This
2685 makes it possible to limit the load on the servers during normal loads, but
2686 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002687 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002688
Willy Tarreaufbb78422011-06-05 15:38:35 +02002689 Since it's hard to get this value right, haproxy automatically sets it to
2690 10% of the sum of the maxconns of all frontends that may branch to this
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01002691 backend (based on "use_backend" and "default_backend" rules). That way it's
2692 safe to leave it unset. However, "use_backend" involving dynamic names are
2693 not counted since there is no way to know if they could match or not.
Willy Tarreaufbb78422011-06-05 15:38:35 +02002694
Willy Tarreau2769aa02007-12-27 18:26:09 +01002695 Example :
2696 # The servers will accept between 100 and 1000 concurrent connections each
2697 # and the maximum of 1000 will be reached when the backend reaches 10000
2698 # connections.
2699 backend dynamic
2700 fullconn 10000
2701 server srv1 dyn1:80 minconn 100 maxconn 1000
2702 server srv2 dyn2:80 minconn 100 maxconn 1000
2703
2704 See also : "maxconn", "server"
2705
2706
2707grace <time>
2708 Maintain a proxy operational for some time after a soft stop
2709 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002710 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002711 Arguments :
2712 <time> is the time (by default in milliseconds) for which the instance
2713 will remain operational with the frontend sockets still listening
2714 when a soft-stop is received via the SIGUSR1 signal.
2715
2716 This may be used to ensure that the services disappear in a certain order.
2717 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002718 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002719 needed by the equipment to detect the failure.
2720
2721 Note that currently, there is very little benefit in using this parameter,
2722 and it may in fact complicate the soft-reconfiguration process more than
2723 simplify it.
2724
Willy Tarreau0ba27502007-12-24 16:55:16 +01002725
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002726hash-type <method> <function> <modifier>
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002727 Specify a method to use for mapping hashes to servers
2728 May be used in sections : defaults | frontend | listen | backend
2729 yes | no | yes | yes
2730 Arguments :
Bhaskar98634f02013-10-29 23:30:51 -04002731 <method> is the method used to select a server from the hash computed by
2732 the <function> :
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002733
Bhaskar98634f02013-10-29 23:30:51 -04002734 map-based the hash table is a static array containing all alive servers.
2735 The hashes will be very smooth, will consider weights, but
2736 will be static in that weight changes while a server is up
2737 will be ignored. This means that there will be no slow start.
2738 Also, since a server is selected by its position in the array,
2739 most mappings are changed when the server count changes. This
2740 means that when a server goes up or down, or when a server is
2741 added to a farm, most connections will be redistributed to
2742 different servers. This can be inconvenient with caches for
2743 instance.
Willy Tarreau798a39c2010-11-24 15:04:29 +01002744
Bhaskar98634f02013-10-29 23:30:51 -04002745 consistent the hash table is a tree filled with many occurrences of each
2746 server. The hash key is looked up in the tree and the closest
2747 server is chosen. This hash is dynamic, it supports changing
2748 weights while the servers are up, so it is compatible with the
2749 slow start feature. It has the advantage that when a server
2750 goes up or down, only its associations are moved. When a
2751 server is added to the farm, only a few part of the mappings
2752 are redistributed, making it an ideal method for caches.
2753 However, due to its principle, the distribution will never be
2754 very smooth and it may sometimes be necessary to adjust a
2755 server's weight or its ID to get a more balanced distribution.
2756 In order to get the same distribution on multiple load
2757 balancers, it is important that all servers have the exact
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002758 same IDs. Note: consistent hash uses sdbm and avalanche if no
2759 hash function is specified.
Bhaskar98634f02013-10-29 23:30:51 -04002760
2761 <function> is the hash function to be used :
2762
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002763 sdbm this function was created initially for sdbm (a public-domain
Bhaskar98634f02013-10-29 23:30:51 -04002764 reimplementation of ndbm) database library. It was found to do
2765 well in scrambling bits, causing better distribution of the keys
2766 and fewer splits. It also happens to be a good general hashing
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002767 function with good distribution, unless the total server weight
2768 is a multiple of 64, in which case applying the avalanche
2769 modifier may help.
Bhaskar98634f02013-10-29 23:30:51 -04002770
2771 djb2 this function was first proposed by Dan Bernstein many years ago
2772 on comp.lang.c. Studies have shown that for certain workload this
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002773 function provides a better distribution than sdbm. It generally
2774 works well with text-based inputs though it can perform extremely
2775 poorly with numeric-only input or when the total server weight is
2776 a multiple of 33, unless the avalanche modifier is also used.
2777
Willy Tarreaua0f42712013-11-14 14:30:35 +01002778 wt6 this function was designed for haproxy while testing other
2779 functions in the past. It is not as smooth as the other ones, but
2780 is much less sensible to the input data set or to the number of
2781 servers. It can make sense as an alternative to sdbm+avalanche or
2782 djb2+avalanche for consistent hashing or when hashing on numeric
2783 data such as a source IP address or a visitor identifier in a URL
2784 parameter.
2785
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002786 <modifier> indicates an optional method applied after hashing the key :
2787
2788 avalanche This directive indicates that the result from the hash
2789 function above should not be used in its raw form but that
2790 a 4-byte full avalanche hash must be applied first. The
2791 purpose of this step is to mix the resulting bits from the
2792 previous hash in order to avoid any undesired effect when
2793 the input contains some limited values or when the number of
2794 servers is a multiple of one of the hash's components (64
2795 for SDBM, 33 for DJB2). Enabling avalanche tends to make the
2796 result less predictable, but it's also not as smooth as when
2797 using the original function. Some testing might be needed
2798 with some workloads. This hash is one of the many proposed
2799 by Bob Jenkins.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002800
Bhaskar98634f02013-10-29 23:30:51 -04002801 The default hash type is "map-based" and is recommended for most usages. The
2802 default function is "sdbm", the selection of a function should be based on
2803 the range of the values being hashed.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002804
2805 See also : "balance", "server"
2806
2807
Willy Tarreau0ba27502007-12-24 16:55:16 +01002808http-check disable-on-404
2809 Enable a maintenance mode upon HTTP/404 response to health-checks
2810 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002811 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002812 Arguments : none
2813
2814 When this option is set, a server which returns an HTTP code 404 will be
2815 excluded from further load-balancing, but will still receive persistent
2816 connections. This provides a very convenient method for Web administrators
2817 to perform a graceful shutdown of their servers. It is also important to note
2818 that a server which is detected as failed while it was in this mode will not
2819 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2820 will immediately be reinserted into the farm. The status on the stats page
2821 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002822 option only works in conjunction with the "httpchk" option. If this option
2823 is used with "http-check expect", then it has precedence over it so that 404
2824 responses will still be considered as soft-stop.
2825
2826 See also : "option httpchk", "http-check expect"
2827
2828
2829http-check expect [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002830 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01002831 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02002832 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01002833 Arguments :
2834 <match> is a keyword indicating how to look for a specific pattern in the
2835 response. The keyword may be one of "status", "rstatus",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002836 "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01002837 exclamation mark ("!") to negate the match. Spaces are allowed
2838 between the exclamation mark and the keyword. See below for more
2839 details on the supported keywords.
2840
2841 <pattern> is the pattern to look for. It may be a string or a regular
2842 expression. If the pattern contains spaces, they must be escaped
2843 with the usual backslash ('\').
2844
2845 By default, "option httpchk" considers that response statuses 2xx and 3xx
2846 are valid, and that others are invalid. When "http-check expect" is used,
2847 it defines what is considered valid or invalid. Only one "http-check"
2848 statement is supported in a backend. If a server fails to respond or times
2849 out, the check obviously fails. The available matches are :
2850
2851 status <string> : test the exact string match for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002852 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002853 response's status code is exactly this string. If the
2854 "status" keyword is prefixed with "!", then the response
2855 will be considered invalid if the status code matches.
2856
2857 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002858 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002859 response's status code matches the expression. If the
2860 "rstatus" keyword is prefixed with "!", then the response
2861 will be considered invalid if the status code matches.
2862 This is mostly used to check for multiple codes.
2863
2864 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002865 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002866 response's body contains this exact string. If the
2867 "string" keyword is prefixed with "!", then the response
2868 will be considered invalid if the body contains this
2869 string. This can be used to look for a mandatory word at
2870 the end of a dynamic page, or to detect a failure when a
2871 specific error appears on the check page (eg: a stack
2872 trace).
2873
2874 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002875 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002876 response's body matches this expression. If the "rstring"
2877 keyword is prefixed with "!", then the response will be
2878 considered invalid if the body matches the expression.
2879 This can be used to look for a mandatory word at the end
2880 of a dynamic page, or to detect a failure when a specific
2881 error appears on the check page (eg: a stack trace).
2882
2883 It is important to note that the responses will be limited to a certain size
2884 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2885 Thus, too large responses may not contain the mandatory pattern when using
2886 "string" or "rstring". If a large response is absolutely required, it is
2887 possible to change the default max size by setting the global variable.
2888 However, it is worth keeping in mind that parsing very large responses can
2889 waste some CPU cycles, especially when regular expressions are used, and that
2890 it is always better to focus the checks on smaller resources.
2891
2892 Last, if "http-check expect" is combined with "http-check disable-on-404",
2893 then this last one has precedence when the server responds with 404.
2894
2895 Examples :
2896 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002897 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01002898
2899 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002900 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01002901
2902 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002903 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01002904
2905 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002906 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002907
Willy Tarreaubd741542010-03-16 18:46:54 +01002908 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002909
2910
Willy Tarreauef781042010-01-27 11:53:01 +01002911http-check send-state
2912 Enable emission of a state header with HTTP health checks
2913 May be used in sections : defaults | frontend | listen | backend
2914 yes | no | yes | yes
2915 Arguments : none
2916
2917 When this option is set, haproxy will systematically send a special header
2918 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2919 how they are seen by haproxy. This can be used for instance when a server is
2920 manipulated without access to haproxy and the operator needs to know whether
2921 haproxy still sees it up or not, or if the server is the last one in a farm.
2922
2923 The header is composed of fields delimited by semi-colons, the first of which
2924 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2925 checks on the total number before transition, just as appears in the stats
2926 interface. Next headers are in the form "<variable>=<value>", indicating in
2927 no specific order some values available in the stats interface :
2928 - a variable "name", containing the name of the backend followed by a slash
2929 ("/") then the name of the server. This can be used when a server is
2930 checked in multiple backends.
2931
2932 - a variable "node" containing the name of the haproxy node, as set in the
2933 global "node" variable, otherwise the system's hostname if unspecified.
2934
2935 - a variable "weight" indicating the weight of the server, a slash ("/")
2936 and the total weight of the farm (just counting usable servers). This
2937 helps to know if other servers are available to handle the load when this
2938 one fails.
2939
2940 - a variable "scur" indicating the current number of concurrent connections
2941 on the server, followed by a slash ("/") then the total number of
2942 connections on all servers of the same backend.
2943
2944 - a variable "qcur" indicating the current number of requests in the
2945 server's queue.
2946
2947 Example of a header received by the application server :
2948 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2949 scur=13/22; qcur=0
2950
2951 See also : "option httpchk", "http-check disable-on-404"
2952
Willy Tarreauccbcc372012-12-27 12:37:57 +01002953http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
Willy Tarreauf4c43c12013-06-11 17:01:13 +02002954 add-header <name> <fmt> | set-header <name> <fmt> |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02002955 del-header <name> | set-nice <nice> | set-log-level <level> |
Sasha Pachev218f0642014-06-16 12:05:59 -06002956 replace-header <name> <match-regex> <replace-fmt> |
2957 replace-value <name> <match-regex> <replace-fmt> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02002958 set-tos <tos> | set-mark <mark> |
2959 add-acl(<file name>) <key fmt> |
2960 del-acl(<file name>) <key fmt> |
2961 del-map(<file name>) <key fmt> |
Baptiste Assmannbb7e86a2014-09-03 18:29:47 +02002962 set-map(<file name>) <key fmt> <value fmt> |
2963 { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02002964 }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002965 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002966 Access control for Layer 7 requests
2967
2968 May be used in sections: defaults | frontend | listen | backend
2969 no | yes | yes | yes
2970
Willy Tarreau20b0de52012-12-24 15:45:22 +01002971 The http-request statement defines a set of rules which apply to layer 7
2972 processing. The rules are evaluated in their declaration order when they are
2973 met in a frontend, listen or backend section. Any rule may optionally be
2974 followed by an ACL-based condition, in which case it will only be evaluated
2975 if the condition is true.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002976
Willy Tarreau20b0de52012-12-24 15:45:22 +01002977 The first keyword is the rule's action. Currently supported actions include :
2978 - "allow" : this stops the evaluation of the rules and lets the request
2979 pass the check. No further "http-request" rules are evaluated.
2980
2981 - "deny" : this stops the evaluation of the rules and immediately rejects
2982 the request and emits an HTTP 403 error. No further "http-request" rules
2983 are evaluated.
2984
Willy Tarreauccbcc372012-12-27 12:37:57 +01002985 - "tarpit" : this stops the evaluation of the rules and immediately blocks
2986 the request without responding for a delay specified by "timeout tarpit"
2987 or "timeout connect" if the former is not set. After that delay, if the
2988 client is still connected, an HTTP error 500 is returned so that the
2989 client does not suspect it has been tarpitted. Logs will report the flags
2990 "PT". The goal of the tarpit rule is to slow down robots during an attack
2991 when they're limited on the number of concurrent requests. It can be very
2992 efficient against very dumb robots, and will significantly reduce the
2993 load on firewalls compared to a "deny" rule. But when facing "correctly"
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002994 developed robots, it can make things worse by forcing haproxy and the
Willy Tarreauccbcc372012-12-27 12:37:57 +01002995 front firewall to support insane number of concurrent connections.
2996
Willy Tarreau20b0de52012-12-24 15:45:22 +01002997 - "auth" : this stops the evaluation of the rules and immediately responds
2998 with an HTTP 401 or 407 error code to invite the user to present a valid
2999 user name and password. No further "http-request" rules are evaluated. An
3000 optional "realm" parameter is supported, it sets the authentication realm
3001 that is returned with the response (typically the application's name).
3002
Willy Tarreau81499eb2012-12-27 12:19:02 +01003003 - "redirect" : this performs an HTTP redirection based on a redirect rule.
3004 This is exactly the same as the "redirect" statement except that it
3005 inserts a redirect rule which can be processed in the middle of other
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01003006 "http-request" rules and that these rules use the "log-format" strings.
3007 See the "redirect" keyword for the rule's syntax.
Willy Tarreau81499eb2012-12-27 12:19:02 +01003008
Willy Tarreau20b0de52012-12-24 15:45:22 +01003009 - "add-header" appends an HTTP header field whose name is specified in
3010 <name> and whose value is defined by <fmt> which follows the log-format
3011 rules (see Custom Log Format in section 8.2.4). This is particularly
3012 useful to pass connection-specific information to the server (eg: the
3013 client's SSL certificate), or to combine several headers into one. This
3014 rule is not final, so it is possible to add other similar rules. Note
3015 that header addition is performed immediately, so one rule might reuse
3016 the resulting header from a previous rule.
3017
3018 - "set-header" does the same as "add-header" except that the header name
3019 is first removed if it existed. This is useful when passing security
3020 information to the server, where the header must not be manipulated by
3021 external users.
3022
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003023 - "del-header" removes all HTTP header fields whose name is specified in
3024 <name>.
3025
Sasha Pachev218f0642014-06-16 12:05:59 -06003026 - "replace-header" matches the regular expression in all occurrences of
3027 header field <name> according to <match-regex>, and replaces them with
3028 the <replace-fmt> argument. Format characters are allowed in replace-fmt
3029 and work like in <fmt> arguments in "add-header". The match is only
3030 case-sensitive. It is important to understand that this action only
3031 considers whole header lines, regardless of the number of values they
3032 may contain. This usage is suited to headers naturally containing commas
3033 in their value, such as If-Modified-Since and so on.
3034
3035 Example:
3036
3037 http-request replace-header Cookie foo=([^;]*);(.*) foo=\1;ip=%bi;\2
3038
3039 applied to:
3040
3041 Cookie: foo=foobar; expires=Tue, 14-Jun-2016 01:40:45 GMT;
3042
3043 outputs:
3044
3045 Cookie: foo=foobar;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT;
3046
3047 assuming the backend IP is 192.168.1.20
3048
3049 - "replace-value" works like "replace-header" except that it matches the
3050 regex against every comma-delimited value of the header field <name>
3051 instead of the entire header. This is suited for all headers which are
3052 allowed to carry more than one value. An example could be the Accept
3053 header.
3054
3055 Example:
3056
3057 http-request replace-value X-Forwarded-For ^192\.168\.(.*)$ 172.16.\1
3058
3059 applied to:
3060
3061 X-Forwarded-For: 192.168.10.1, 192.168.13.24, 10.0.0.37
3062
3063 outputs:
3064
3065 X-Forwarded-For: 172.16.10.1, 172.16.13.24, 10.0.0.37
3066
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003067 - "set-nice" sets the "nice" factor of the current request being processed.
3068 It only has effect against the other requests being processed at the same
3069 time. The default value is 0, unless altered by the "nice" setting on the
3070 "bind" line. The accepted range is -1024..1024. The higher the value, the
3071 nicest the request will be. Lower values will make the request more
3072 important than other ones. This can be useful to improve the speed of
3073 some requests, or lower the priority of non-important requests. Using
3074 this setting without prior experimentation can cause some major slowdown.
3075
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003076 - "set-log-level" is used to change the log level of the current request
3077 when a certain condition is met. Valid levels are the 8 syslog levels
3078 (see the "log" keyword) plus the special level "silent" which disables
3079 logging for this request. This rule is not final so the last matching
3080 rule wins. This rule can be useful to disable health checks coming from
3081 another equipment.
3082
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003083 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3084 the client to the value passed in <tos> on platforms which support this.
3085 This value represents the whole 8 bits of the IP TOS field, and can be
3086 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3087 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3088 bits are always 0. This can be used to adjust some routing behaviour on
3089 border routers based on some information from the request. See RFC 2474,
3090 2597, 3260 and 4594 for more information.
3091
Willy Tarreau51347ed2013-06-11 19:34:13 +02003092 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3093 client to the value passed in <mark> on platforms which support it. This
3094 value is an unsigned 32 bit value which can be matched by netfilter and
3095 by the routing table. It can be expressed both in decimal or hexadecimal
3096 format (prefixed by "0x"). This can be useful to force certain packets to
3097 take a different route (for example a cheaper network path for bulk
3098 downloads). This works on Linux kernels 2.6.32 and above and requires
3099 admin privileges.
3100
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003101 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3102 from a file (even a dummy empty file). The file name of the ACL to be
3103 updated is passed between parentheses. It takes one argument: <key fmt>,
3104 which follows log-format rules, to collect content of the new entry. It
3105 performs a lookup in the ACL before insertion, to avoid duplicated (or
3106 more) values. This lookup is done by a linear search and can be expensive
3107 with large lists! It is the equivalent of the "add acl" command from the
3108 stats socket, but can be triggered by an HTTP request.
3109
3110 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3111 from a file (even a dummy empty file). The file name of the ACL to be
3112 updated is passed between parentheses. It takes one argument: <key fmt>,
3113 which follows log-format rules, to collect content of the entry to delete.
3114 It is the equivalent of the "del acl" command from the stats socket, but
3115 can be triggered by an HTTP request.
3116
3117 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3118 from a file (even a dummy empty file). The file name of the MAP to be
3119 updated is passed between parentheses. It takes one argument: <key fmt>,
3120 which follows log-format rules, to collect content of the entry to delete.
3121 It takes one argument: "file name" It is the equivalent of the "del map"
3122 command from the stats socket, but can be triggered by an HTTP request.
3123
3124 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3125 from a file (even a dummy empty file). The file name of the MAP to be
3126 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3127 which follows log-format rules, used to collect MAP key, and <value fmt>,
3128 which follows log-format rules, used to collect content for the new entry.
3129 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3130 more) values. This lookup is done by a linear search and can be expensive
3131 with large lists! It is the equivalent of the "set map" command from the
3132 stats socket, but can be triggered by an HTTP request.
3133
Willy Tarreau09448f72014-06-25 18:12:15 +02003134 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
3135 enables tracking of sticky counters from current request. These rules
3136 do not stop evaluation and do not change default action. Three sets of
3137 counters may be simultaneously tracked by the same connection. The first
3138 "track-sc0" rule executed enables tracking of the counters of the
3139 specified table as the first set. The first "track-sc1" rule executed
3140 enables tracking of the counters of the specified table as the second
3141 set. The first "track-sc2" rule executed enables tracking of the
3142 counters of the specified table as the third set. It is a recommended
3143 practice to use the first set of counters for the per-frontend counters
3144 and the second set for the per-backend ones. But this is just a
3145 guideline, all may be used everywhere.
3146
3147 These actions take one or two arguments :
3148 <key> is mandatory, and is a sample expression rule as described
3149 in section 7.3. It describes what elements of the incoming
3150 request or connection will be analysed, extracted, combined,
3151 and used to select which table entry to update the counters.
3152
3153 <table> is an optional table to be used instead of the default one,
3154 which is the stick-table declared in the current proxy. All
3155 the counters for the matches and updates for the key will
3156 then be performed in that table until the session ends.
3157
3158 Once a "track-sc*" rule is executed, the key is looked up in the table
3159 and if it is not found, an entry is allocated for it. Then a pointer to
3160 that entry is kept during all the session's life, and this entry's
3161 counters are updated as often as possible, every time the session's
3162 counters are updated, and also systematically when the session ends.
3163 Counters are only updated for events that happen after the tracking has
3164 been started. As an exception, connection counters and request counters
3165 are systematically updated so that they reflect useful information.
3166
3167 If the entry tracks concurrent connection counters, one connection is
3168 counted for as long as the entry is tracked, and the entry will not
3169 expire during that time. Tracking counters also provides a performance
3170 advantage over just checking the keys, because only one table lookup is
3171 performed for all ACL checks that make use of it.
3172
Willy Tarreau20b0de52012-12-24 15:45:22 +01003173 There is no limit to the number of http-request statements per instance.
3174
3175 It is important to know that http-request rules are processed very early in
3176 the HTTP processing, just after "block" rules and before "reqdel" or "reqrep"
3177 rules. That way, headers added by "add-header"/"set-header" are visible by
3178 almost all further ACL rules.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003179
3180 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01003181 acl nagios src 192.168.129.3
3182 acl local_net src 192.168.0.0/16
3183 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003184
Cyril Bonté78caf842010-03-10 22:41:43 +01003185 http-request allow if nagios
3186 http-request allow if local_net auth_ok
3187 http-request auth realm Gimme if local_net auth_ok
3188 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003189
Cyril Bonté78caf842010-03-10 22:41:43 +01003190 Example:
3191 acl auth_ok http_auth_group(L1) G1
Cyril Bonté78caf842010-03-10 22:41:43 +01003192 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003193
Willy Tarreau20b0de52012-12-24 15:45:22 +01003194 Example:
3195 http-request set-header X-Haproxy-Current-Date %T
3196 http-request set-header X-SSL %[ssl_fc]
3197 http-request set-header X-SSL-Session_ID %[ssl_fc_session_id]
3198 http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
3199 http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
3200 http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
3201 http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
3202 http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
3203 http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
3204
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003205 Example:
3206 acl key req.hdr(X-Add-Acl-Key) -m found
3207 acl add path /addacl
3208 acl del path /delacl
3209
3210 acl myhost hdr(Host) -f myhost.lst
3211
3212 http-request add-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key add
3213 http-request del-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key del
3214
3215 Example:
3216 acl value req.hdr(X-Value) -m found
3217 acl setmap path /setmap
3218 acl delmap path /delmap
3219
3220 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3221
3222 http-request set-map(map.lst) %[src] %[req.hdr(X-Value)] if setmap value
3223 http-request del-map(map.lst) %[src] if delmap
3224
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02003225 See also : "stats http-request", section 3.4 about userlists and section 7
3226 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01003227
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003228http-response { allow | deny | add-header <name> <fmt> | set-nice <nice> |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003229 set-header <name> <fmt> | del-header <name> |
Sasha Pachev218f0642014-06-16 12:05:59 -06003230 replace-header <name> <regex-match> <replace-fmt> |
3231 replace-value <name> <regex-match> <replace-fmt> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003232 set-log-level <level> | set-mark <mark> | set-tos <tos> |
3233 add-acl(<file name>) <key fmt> |
3234 del-acl(<file name>) <key fmt> |
3235 del-map(<file name>) <key fmt> |
3236 set-map(<file name>) <key fmt> <value fmt>
3237 }
Lukas Tribus2dd1d1a2013-06-19 23:34:41 +02003238 [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003239 Access control for Layer 7 responses
3240
3241 May be used in sections: defaults | frontend | listen | backend
3242 no | yes | yes | yes
3243
3244 The http-response statement defines a set of rules which apply to layer 7
3245 processing. The rules are evaluated in their declaration order when they are
3246 met in a frontend, listen or backend section. Any rule may optionally be
3247 followed by an ACL-based condition, in which case it will only be evaluated
3248 if the condition is true. Since these rules apply on responses, the backend
3249 rules are applied first, followed by the frontend's rules.
3250
3251 The first keyword is the rule's action. Currently supported actions include :
3252 - "allow" : this stops the evaluation of the rules and lets the response
3253 pass the check. No further "http-response" rules are evaluated for the
3254 current section.
3255
3256 - "deny" : this stops the evaluation of the rules and immediately rejects
3257 the response and emits an HTTP 502 error. No further "http-response"
3258 rules are evaluated.
3259
3260 - "add-header" appends an HTTP header field whose name is specified in
3261 <name> and whose value is defined by <fmt> which follows the log-format
3262 rules (see Custom Log Format in section 8.2.4). This may be used to send
3263 a cookie to a client for example, or to pass some internal information.
3264 This rule is not final, so it is possible to add other similar rules.
3265 Note that header addition is performed immediately, so one rule might
3266 reuse the resulting header from a previous rule.
3267
3268 - "set-header" does the same as "add-header" except that the header name
3269 is first removed if it existed. This is useful when passing security
3270 information to the server, where the header must not be manipulated by
3271 external users.
3272
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003273 - "del-header" removes all HTTP header fields whose name is specified in
3274 <name>.
3275
Sasha Pachev218f0642014-06-16 12:05:59 -06003276 - "replace-header" matches the regular expression in all occurrences of
3277 header field <name> according to <match-regex>, and replaces them with
3278 the <replace-fmt> argument. Format characters are allowed in replace-fmt
3279 and work like in <fmt> arguments in "add-header". The match is only
3280 case-sensitive. It is important to understand that this action only
3281 considers whole header lines, regardless of the number of values they
3282 may contain. This usage is suited to headers naturally containing commas
3283 in their value, such as Set-Cookie, Expires and so on.
3284
3285 Example:
3286
3287 http-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
3288
3289 applied to:
3290
3291 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
3292
3293 outputs:
3294
3295 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
3296
3297 assuming the backend IP is 192.168.1.20.
3298
3299 - "replace-value" works like "replace-header" except that it matches the
3300 regex against every comma-delimited value of the header field <name>
3301 instead of the entire header. This is suited for all headers which are
3302 allowed to carry more than one value. An example could be the Accept
3303 header.
3304
3305 Example:
3306
3307 http-response replace-value Cache-control ^public$ private
3308
3309 applied to:
3310
3311 Cache-Control: max-age=3600, public
3312
3313 outputs:
3314
3315 Cache-Control: max-age=3600, private
3316
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003317 - "set-nice" sets the "nice" factor of the current request being processed.
3318 It only has effect against the other requests being processed at the same
3319 time. The default value is 0, unless altered by the "nice" setting on the
3320 "bind" line. The accepted range is -1024..1024. The higher the value, the
3321 nicest the request will be. Lower values will make the request more
3322 important than other ones. This can be useful to improve the speed of
3323 some requests, or lower the priority of non-important requests. Using
3324 this setting without prior experimentation can cause some major slowdown.
3325
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003326 - "set-log-level" is used to change the log level of the current request
3327 when a certain condition is met. Valid levels are the 8 syslog levels
3328 (see the "log" keyword) plus the special level "silent" which disables
3329 logging for this request. This rule is not final so the last matching
3330 rule wins. This rule can be useful to disable health checks coming from
3331 another equipment.
3332
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003333 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3334 the client to the value passed in <tos> on platforms which support this.
3335 This value represents the whole 8 bits of the IP TOS field, and can be
3336 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3337 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3338 bits are always 0. This can be used to adjust some routing behaviour on
3339 border routers based on some information from the request. See RFC 2474,
3340 2597, 3260 and 4594 for more information.
3341
Willy Tarreau51347ed2013-06-11 19:34:13 +02003342 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3343 client to the value passed in <mark> on platforms which support it. This
3344 value is an unsigned 32 bit value which can be matched by netfilter and
3345 by the routing table. It can be expressed both in decimal or hexadecimal
3346 format (prefixed by "0x"). This can be useful to force certain packets to
3347 take a different route (for example a cheaper network path for bulk
3348 downloads). This works on Linux kernels 2.6.32 and above and requires
3349 admin privileges.
3350
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003351 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3352 from a file (even a dummy empty file). The file name of the ACL to be
3353 updated is passed between parentheses. It takes one argument: <key fmt>,
3354 which follows log-format rules, to collect content of the new entry. It
3355 performs a lookup in the ACL before insertion, to avoid duplicated (or
3356 more) values. This lookup is done by a linear search and can be expensive
3357 with large lists! It is the equivalent of the "add acl" command from the
3358 stats socket, but can be triggered by an HTTP response.
3359
3360 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3361 from a file (even a dummy empty file). The file name of the ACL to be
3362 updated is passed between parentheses. It takes one argument: <key fmt>,
3363 which follows log-format rules, to collect content of the entry to delete.
3364 It is the equivalent of the "del acl" command from the stats socket, but
3365 can be triggered by an HTTP response.
3366
3367 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3368 from a file (even a dummy empty file). The file name of the MAP to be
3369 updated is passed between parentheses. It takes one argument: <key fmt>,
3370 which follows log-format rules, to collect content of the entry to delete.
3371 It takes one argument: "file name" It is the equivalent of the "del map"
3372 command from the stats socket, but can be triggered by an HTTP response.
3373
3374 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3375 from a file (even a dummy empty file). The file name of the MAP to be
3376 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3377 which follows log-format rules, used to collect MAP key, and <value fmt>,
3378 which follows log-format rules, used to collect content for the new entry.
3379 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3380 more) values. This lookup is done by a linear search and can be expensive
3381 with large lists! It is the equivalent of the "set map" command from the
3382 stats socket, but can be triggered by an HTTP response.
3383
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003384 There is no limit to the number of http-response statements per instance.
3385
Godbach09250262013-07-02 01:19:15 +08003386 It is important to know that http-response rules are processed very early in
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003387 the HTTP processing, before "reqdel" or "reqrep" rules. That way, headers
3388 added by "add-header"/"set-header" are visible by almost all further ACL
3389 rules.
3390
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003391 Example:
3392 acl key_acl res.hdr(X-Acl-Key) -m found
3393
3394 acl myhost hdr(Host) -f myhost.lst
3395
3396 http-response add-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3397 http-response del-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3398
3399 Example:
3400 acl value res.hdr(X-Value) -m found
3401
3402 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3403
3404 http-response set-map(map.lst) %[src] %[res.hdr(X-Value)] if value
3405 http-response del-map(map.lst) %[src] if ! value
3406
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003407 See also : "http-request", section 3.4 about userlists and section 7 about
3408 ACL usage.
3409
Baptiste Assmann5ecb77f2013-10-06 23:24:13 +02003410
Mark Lamourinec2247f02012-01-04 13:02:01 -05003411http-send-name-header [<header>]
3412 Add the server name to a request. Use the header string given by <header>
3413
3414 May be used in sections: defaults | frontend | listen | backend
3415 yes | no | yes | yes
3416
3417 Arguments :
3418
3419 <header> The header string to use to send the server name
3420
3421 The "http-send-name-header" statement causes the name of the target
3422 server to be added to the headers of an HTTP request. The name
3423 is added with the header string proved.
3424
3425 See also : "server"
3426
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01003427id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02003428 Set a persistent ID to a proxy.
3429 May be used in sections : defaults | frontend | listen | backend
3430 no | yes | yes | yes
3431 Arguments : none
3432
3433 Set a persistent ID for the proxy. This ID must be unique and positive.
3434 An unused ID will automatically be assigned if unset. The first assigned
3435 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01003436
3437
Cyril Bonté0d4bf012010-04-25 23:21:46 +02003438ignore-persist { if | unless } <condition>
3439 Declare a condition to ignore persistence
3440 May be used in sections: defaults | frontend | listen | backend
3441 no | yes | yes | yes
3442
3443 By default, when cookie persistence is enabled, every requests containing
3444 the cookie are unconditionally persistent (assuming the target server is up
3445 and running).
3446
3447 The "ignore-persist" statement allows one to declare various ACL-based
3448 conditions which, when met, will cause a request to ignore persistence.
3449 This is sometimes useful to load balance requests for static files, which
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003450 often don't require persistence. This can also be used to fully disable
Cyril Bonté0d4bf012010-04-25 23:21:46 +02003451 persistence for a specific User-Agent (for example, some web crawler bots).
3452
3453 Combined with "appsession", it can also help reduce HAProxy memory usage, as
3454 the appsession table won't grow if persistence is ignored.
3455
3456 The persistence is ignored when an "if" condition is met, or unless an
3457 "unless" condition is met.
3458
3459 See also : "force-persist", "cookie", and section 7 about ACL usage.
3460
3461
Willy Tarreau2769aa02007-12-27 18:26:09 +01003462log global
Willy Tarreau18324f52014-06-27 18:10:07 +02003463log <address> [len <length>] <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02003464no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01003465 Enable per-instance logging of events and traffic.
3466 May be used in sections : defaults | frontend | listen | backend
3467 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02003468
3469 Prefix :
3470 no should be used when the logger list must be flushed. For example,
3471 if you don't want to inherit from the default logger list. This
3472 prefix does not allow arguments.
3473
Willy Tarreau2769aa02007-12-27 18:26:09 +01003474 Arguments :
3475 global should be used when the instance's logging parameters are the
3476 same as the global ones. This is the most common usage. "global"
3477 replaces <address>, <facility> and <level> with those of the log
3478 entries found in the "global" section. Only one "log global"
3479 statement may be used per instance, and this form takes no other
3480 parameter.
3481
3482 <address> indicates where to send the logs. It takes the same format as
3483 for the "global" section's logs, and can be one of :
3484
3485 - An IPv4 address optionally followed by a colon (':') and a UDP
3486 port. If no port is specified, 514 is used by default (the
3487 standard syslog port).
3488
David du Colombier24bb5f52011-03-17 10:40:23 +01003489 - An IPv6 address followed by a colon (':') and optionally a UDP
3490 port. If no port is specified, 514 is used by default (the
3491 standard syslog port).
3492
Willy Tarreau2769aa02007-12-27 18:26:09 +01003493 - A filesystem path to a UNIX domain socket, keeping in mind
3494 considerations for chroot (be sure the path is accessible
3495 inside the chroot) and uid/gid (be sure the path is
3496 appropriately writeable).
3497
Willy Tarreaudad36a32013-03-11 01:20:04 +01003498 Any part of the address string may reference any number of
3499 environment variables by preceding their name with a dollar
3500 sign ('$') and optionally enclosing them with braces ('{}'),
3501 similarly to what is done in Bourne shell.
3502
Willy Tarreau18324f52014-06-27 18:10:07 +02003503 <length> is an optional maximum line length. Log lines larger than this
3504 value will be truncated before being sent. The reason is that
3505 syslog servers act differently on log line length. All servers
3506 support the default value of 1024, but some servers simply drop
3507 larger lines while others do log them. If a server supports long
3508 lines, it may make sense to set this value here in order to avoid
3509 truncating long lines. Similarly, if a server drops long lines,
3510 it is preferable to truncate them before sending them. Accepted
3511 values are 80 to 65535 inclusive. The default value of 1024 is
3512 generally fine for all standard usages. Some specific cases of
3513 long captures or JSON-formated logs may require larger values.
3514
Willy Tarreau2769aa02007-12-27 18:26:09 +01003515 <facility> must be one of the 24 standard syslog facilities :
3516
3517 kern user mail daemon auth syslog lpr news
3518 uucp cron auth2 ftp ntp audit alert cron2
3519 local0 local1 local2 local3 local4 local5 local6 local7
3520
3521 <level> is optional and can be specified to filter outgoing messages. By
3522 default, all messages are sent. If a level is specified, only
3523 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02003524 will be sent. An optional minimum level can be specified. If it
3525 is set, logs emitted with a more severe level than this one will
3526 be capped to this level. This is used to avoid sending "emerg"
3527 messages on all terminals on some default syslog configurations.
3528 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01003529
3530 emerg alert crit err warning notice info debug
3531
William Lallemand0f99e342011-10-12 17:50:54 +02003532 It is important to keep in mind that it is the frontend which decides what to
3533 log from a connection, and that in case of content switching, the log entries
3534 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003535
3536 However, backend log declaration define how and where servers status changes
3537 will be logged. Level "notice" will be used to indicate a server going up,
3538 "warning" will be used for termination signals and definitive service
3539 termination, and "alert" will be used for when a server goes down.
3540
3541 Note : According to RFC3164, messages are truncated to 1024 bytes before
3542 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003543
3544 Example :
3545 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02003546 log 127.0.0.1:514 local0 notice # only send important events
3547 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreaudad36a32013-03-11 01:20:04 +01003548 log ${LOCAL_SYSLOG}:514 local0 notice # send to local server
3549
Willy Tarreau2769aa02007-12-27 18:26:09 +01003550
William Lallemand48940402012-01-30 16:47:22 +01003551log-format <string>
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01003552 Specifies the log format string to use for traffic logs
3553 May be used in sections: defaults | frontend | listen | backend
3554 yes | yes | yes | no
William Lallemand48940402012-01-30 16:47:22 +01003555
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01003556 This directive specifies the log format string that will be used for all logs
3557 resulting from traffic passing through the frontend using this line. If the
3558 directive is used in a defaults section, all subsequent frontends will use
3559 the same log format. Please see section 8.2.4 which covers the log format
3560 string in depth.
William Lallemand48940402012-01-30 16:47:22 +01003561
Willy Tarreau094af4e2015-01-07 15:03:42 +01003562log-tag <string>
3563 Specifies the log tag to use for all outgoing logs
3564 May be used in sections: defaults | frontend | listen | backend
3565 yes | yes | yes | yes
3566
3567 Sets the tag field in the syslog header to this string. It defaults to the
3568 log-tag set in the global section, otherwise the program name as launched
3569 from the command line, which usually is "haproxy". Sometimes it can be useful
3570 to differentiate between multiple processes running on the same host, or to
3571 differentiate customer instances running in the same process. In the backend,
3572 logs about servers up/down will use this tag. As a hint, it can be convenient
3573 to set a log-tag related to a hosted customer in a defaults section then put
3574 all the frontends and backends for that customer, then start another customer
3575 in a new defaults section. See also the global "log-tag" directive.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003576
Willy Tarreauc35362a2014-04-25 13:58:37 +02003577max-keep-alive-queue <value>
3578 Set the maximum server queue size for maintaining keep-alive connections
3579 May be used in sections: defaults | frontend | listen | backend
3580 yes | no | yes | yes
3581
3582 HTTP keep-alive tries to reuse the same server connection whenever possible,
3583 but sometimes it can be counter-productive, for example if a server has a lot
3584 of connections while other ones are idle. This is especially true for static
3585 servers.
3586
3587 The purpose of this setting is to set a threshold on the number of queued
3588 connections at which haproxy stops trying to reuse the same server and prefers
3589 to find another one. The default value, -1, means there is no limit. A value
3590 of zero means that keep-alive requests will never be queued. For very close
3591 servers which can be reached with a low latency and which are not sensible to
3592 breaking keep-alive, a low value is recommended (eg: local static server can
3593 use a value of 10 or less). For remote servers suffering from a high latency,
3594 higher values might be needed to cover for the latency and/or the cost of
3595 picking a different server.
3596
3597 Note that this has no impact on responses which are maintained to the same
3598 server consecutively to a 401 response. They will still go to the same server
3599 even if they have to be queued.
3600
3601 See also : "option http-server-close", "option prefer-last-server", server
3602 "maxconn" and cookie persistence.
3603
3604
Willy Tarreau2769aa02007-12-27 18:26:09 +01003605maxconn <conns>
3606 Fix the maximum number of concurrent connections on a frontend
3607 May be used in sections : defaults | frontend | listen | backend
3608 yes | yes | yes | no
3609 Arguments :
3610 <conns> is the maximum number of concurrent connections the frontend will
3611 accept to serve. Excess connections will be queued by the system
3612 in the socket's listen queue and will be served once a connection
3613 closes.
3614
3615 If the system supports it, it can be useful on big sites to raise this limit
3616 very high so that haproxy manages connection queues, instead of leaving the
3617 clients with unanswered connection attempts. This value should not exceed the
3618 global maxconn. Also, keep in mind that a connection contains two buffers
3619 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
3620 consumed per established connection. That means that a medium system equipped
3621 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
3622 properly tuned.
3623
3624 Also, when <conns> is set to large values, it is possible that the servers
3625 are not sized to accept such loads, and for this reason it is generally wise
3626 to assign them some reasonable connection limits.
3627
Vincent Bernat6341be52012-06-27 17:18:30 +02003628 By default, this value is set to 2000.
3629
Willy Tarreau2769aa02007-12-27 18:26:09 +01003630 See also : "server", global section's "maxconn", "fullconn"
3631
3632
3633mode { tcp|http|health }
3634 Set the running mode or protocol of the instance
3635 May be used in sections : defaults | frontend | listen | backend
3636 yes | yes | yes | yes
3637 Arguments :
3638 tcp The instance will work in pure TCP mode. A full-duplex connection
3639 will be established between clients and servers, and no layer 7
3640 examination will be performed. This is the default mode. It
3641 should be used for SSL, SSH, SMTP, ...
3642
3643 http The instance will work in HTTP mode. The client request will be
3644 analyzed in depth before connecting to any server. Any request
3645 which is not RFC-compliant will be rejected. Layer 7 filtering,
3646 processing and switching will be possible. This is the mode which
3647 brings HAProxy most of its value.
3648
3649 health The instance will work in "health" mode. It will just reply "OK"
Willy Tarreau82569f92012-09-27 23:48:56 +02003650 to incoming connections and close the connection. Alternatively,
3651 If the "httpchk" option is set, "HTTP/1.0 200 OK" will be sent
3652 instead. Nothing will be logged in either case. This mode is used
3653 to reply to external components health checks. This mode is
3654 deprecated and should not be used anymore as it is possible to do
3655 the same and even better by combining TCP or HTTP modes with the
3656 "monitor" keyword.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003657
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003658 When doing content switching, it is mandatory that the frontend and the
3659 backend are in the same mode (generally HTTP), otherwise the configuration
3660 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003661
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003662 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01003663 defaults http_instances
3664 mode http
3665
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003666 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003667
Willy Tarreau0ba27502007-12-24 16:55:16 +01003668
Cyril Bontéf0c60612010-02-06 14:44:47 +01003669monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01003670 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003671 May be used in sections : defaults | frontend | listen | backend
3672 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01003673 Arguments :
3674 if <cond> the monitor request will fail if the condition is satisfied,
3675 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003676 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01003677 are met, for instance a low number of servers both in a
3678 backend and its backup.
3679
3680 unless <cond> the monitor request will succeed only if the condition is
3681 satisfied, and will fail otherwise. Such a condition may be
3682 based on a test on the presence of a minimum number of active
3683 servers in a list of backends.
3684
3685 This statement adds a condition which can force the response to a monitor
3686 request to report a failure. By default, when an external component queries
3687 the URI dedicated to monitoring, a 200 response is returned. When one of the
3688 conditions above is met, haproxy will return 503 instead of 200. This is
3689 very useful to report a site failure to an external component which may base
3690 routing advertisements between multiple sites on the availability reported by
3691 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02003692 criterion. Note that "monitor fail" only works in HTTP mode. Both status
3693 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003694
3695 Example:
3696 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01003697 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01003698 acl site_dead nbsrv(dynamic) lt 2
3699 acl site_dead nbsrv(static) lt 2
3700 monitor-uri /site_alive
3701 monitor fail if site_dead
3702
Willy Tarreauae94d4d2011-05-11 16:28:49 +02003703 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003704
3705
3706monitor-net <source>
3707 Declare a source network which is limited to monitor requests
3708 May be used in sections : defaults | frontend | listen | backend
3709 yes | yes | yes | no
3710 Arguments :
3711 <source> is the source IPv4 address or network which will only be able to
3712 get monitor responses to any request. It can be either an IPv4
3713 address, a host name, or an address followed by a slash ('/')
3714 followed by a mask.
3715
3716 In TCP mode, any connection coming from a source matching <source> will cause
3717 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003718 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01003719 forwarding the connection to a remote server.
3720
3721 In HTTP mode, a connection coming from a source matching <source> will be
3722 accepted, the following response will be sent without waiting for a request,
3723 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
3724 enough for any front-end HTTP probe to detect that the service is UP and
Willy Tarreau82569f92012-09-27 23:48:56 +02003725 running without forwarding the request to a backend server. Note that this
3726 response is sent in raw format, without any transformation. This is important
3727 as it means that it will not be SSL-encrypted on SSL listeners.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003728
Willy Tarreau82569f92012-09-27 23:48:56 +02003729 Monitor requests are processed very early, just after tcp-request connection
3730 ACLs which are the only ones able to block them. These connections are short
3731 lived and never wait for any data from the client. They cannot be logged, and
3732 it is the intended purpose. They are only used to report HAProxy's health to
3733 an upper component, nothing more. Please note that "monitor fail" rules do
3734 not apply to connections intercepted by "monitor-net".
Willy Tarreau2769aa02007-12-27 18:26:09 +01003735
Willy Tarreau95cd2832010-03-04 23:36:33 +01003736 Last, please note that only one "monitor-net" statement can be specified in
3737 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003738
Willy Tarreau2769aa02007-12-27 18:26:09 +01003739 Example :
3740 # addresses .252 and .253 are just probing us.
3741 frontend www
3742 monitor-net 192.168.0.252/31
3743
3744 See also : "monitor fail", "monitor-uri"
3745
3746
3747monitor-uri <uri>
3748 Intercept a URI used by external components' monitor requests
3749 May be used in sections : defaults | frontend | listen | backend
3750 yes | yes | yes | no
3751 Arguments :
3752 <uri> is the exact URI which we want to intercept to return HAProxy's
3753 health status instead of forwarding the request.
3754
3755 When an HTTP request referencing <uri> will be received on a frontend,
3756 HAProxy will not forward it nor log it, but instead will return either
3757 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
3758 conditions defined with "monitor fail". This is normally enough for any
3759 front-end HTTP probe to detect that the service is UP and running without
3760 forwarding the request to a backend server. Note that the HTTP method, the
3761 version and all headers are ignored, but the request must at least be valid
3762 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
3763
3764 Monitor requests are processed very early. It is not possible to block nor
3765 divert them using ACLs. They cannot be logged either, and it is the intended
3766 purpose. They are only used to report HAProxy's health to an upper component,
3767 nothing more. However, it is possible to add any number of conditions using
3768 "monitor fail" and ACLs so that the result can be adjusted to whatever check
3769 can be imagined (most often the number of available servers in a backend).
3770
3771 Example :
3772 # Use /haproxy_test to report haproxy's status
3773 frontend www
3774 mode http
3775 monitor-uri /haproxy_test
3776
3777 See also : "monitor fail", "monitor-net"
3778
Willy Tarreau0ba27502007-12-24 16:55:16 +01003779
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003780option abortonclose
3781no option abortonclose
3782 Enable or disable early dropping of aborted requests pending in queues.
3783 May be used in sections : defaults | frontend | listen | backend
3784 yes | no | yes | yes
3785 Arguments : none
3786
3787 In presence of very high loads, the servers will take some time to respond.
3788 The per-instance connection queue will inflate, and the response time will
3789 increase respective to the size of the queue times the average per-session
3790 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01003791 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003792 the queue, and slowing down other users, and the servers as well, because the
3793 request will eventually be served, then aborted at the first error
3794 encountered while delivering the response.
3795
3796 As there is no way to distinguish between a full STOP and a simple output
3797 close on the client side, HTTP agents should be conservative and consider
3798 that the client might only have closed its output channel while waiting for
3799 the response. However, this introduces risks of congestion when lots of users
3800 do the same, and is completely useless nowadays because probably no client at
3801 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01003802 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003803 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01003804 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003805 of being the single component to break rare but valid traffic is extremely
3806 low, which adds to the temptation to be able to abort a session early while
3807 still not served and not pollute the servers.
3808
3809 In HAProxy, the user can choose the desired behaviour using the option
3810 "abortonclose". By default (without the option) the behaviour is HTTP
3811 compliant and aborted requests will be served. But when the option is
3812 specified, a session with an incoming channel closed will be aborted while
3813 it is still possible, either pending in the queue for a connection slot, or
3814 during the connection establishment if the server has not yet acknowledged
3815 the connection request. This considerably reduces the queue size and the load
3816 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01003817 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003818
3819 If this option has been enabled in a "defaults" section, it can be disabled
3820 in a specific instance by prepending the "no" keyword before it.
3821
3822 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
3823
3824
Willy Tarreau4076a152009-04-02 15:18:36 +02003825option accept-invalid-http-request
3826no option accept-invalid-http-request
3827 Enable or disable relaxing of HTTP request parsing
3828 May be used in sections : defaults | frontend | listen | backend
3829 yes | yes | yes | no
3830 Arguments : none
3831
3832 By default, HAProxy complies with RFC2616 in terms of message parsing. This
3833 means that invalid characters in header names are not permitted and cause an
3834 error to be returned to the client. This is the desired behaviour as such
3835 forbidden characters are essentially used to build attacks exploiting server
3836 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
3837 server will emit invalid header names for whatever reason (configuration,
3838 implementation) and the issue will not be immediately fixed. In such a case,
3839 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01003840 even if that does not make sense, by specifying this option. Similarly, the
3841 list of characters allowed to appear in a URI is well defined by RFC3986, and
3842 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
3843 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
3844 not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
3845 remaining ones are blocked by default unless this option is enabled.
Willy Tarreau4076a152009-04-02 15:18:36 +02003846
3847 This option should never be enabled by default as it hides application bugs
3848 and open security breaches. It should only be deployed after a problem has
3849 been confirmed.
3850
3851 When this option is enabled, erroneous header names will still be accepted in
3852 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01003853 analysis using the "show errors" request on the UNIX stats socket. Similarly,
3854 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02003855 also helps confirming that the issue has been solved.
3856
3857 If this option has been enabled in a "defaults" section, it can be disabled
3858 in a specific instance by prepending the "no" keyword before it.
3859
3860 See also : "option accept-invalid-http-response" and "show errors" on the
3861 stats socket.
3862
3863
3864option accept-invalid-http-response
3865no option accept-invalid-http-response
3866 Enable or disable relaxing of HTTP response parsing
3867 May be used in sections : defaults | frontend | listen | backend
3868 yes | no | yes | yes
3869 Arguments : none
3870
3871 By default, HAProxy complies with RFC2616 in terms of message parsing. This
3872 means that invalid characters in header names are not permitted and cause an
3873 error to be returned to the client. This is the desired behaviour as such
3874 forbidden characters are essentially used to build attacks exploiting server
3875 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
3876 server will emit invalid header names for whatever reason (configuration,
3877 implementation) and the issue will not be immediately fixed. In such a case,
3878 it is possible to relax HAProxy's header name parser to accept any character
3879 even if that does not make sense, by specifying this option.
3880
3881 This option should never be enabled by default as it hides application bugs
3882 and open security breaches. It should only be deployed after a problem has
3883 been confirmed.
3884
3885 When this option is enabled, erroneous header names will still be accepted in
3886 responses, but the complete response will be captured in order to permit
3887 later analysis using the "show errors" request on the UNIX stats socket.
3888 Doing this also helps confirming that the issue has been solved.
3889
3890 If this option has been enabled in a "defaults" section, it can be disabled
3891 in a specific instance by prepending the "no" keyword before it.
3892
3893 See also : "option accept-invalid-http-request" and "show errors" on the
3894 stats socket.
3895
3896
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003897option allbackups
3898no option allbackups
3899 Use either all backup servers at a time or only the first one
3900 May be used in sections : defaults | frontend | listen | backend
3901 yes | no | yes | yes
3902 Arguments : none
3903
3904 By default, the first operational backup server gets all traffic when normal
3905 servers are all down. Sometimes, it may be preferred to use multiple backups
3906 at once, because one will not be enough. When "option allbackups" is enabled,
3907 the load balancing will be performed among all backup servers when all normal
3908 ones are unavailable. The same load balancing algorithm will be used and the
3909 servers' weights will be respected. Thus, there will not be any priority
3910 order between the backup servers anymore.
3911
3912 This option is mostly used with static server farms dedicated to return a
3913 "sorry" page when an application is completely offline.
3914
3915 If this option has been enabled in a "defaults" section, it can be disabled
3916 in a specific instance by prepending the "no" keyword before it.
3917
3918
3919option checkcache
3920no option checkcache
Godbach7056a352013-12-11 20:01:07 +08003921 Analyze all server responses and block responses with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003922 May be used in sections : defaults | frontend | listen | backend
3923 yes | no | yes | yes
3924 Arguments : none
3925
3926 Some high-level frameworks set application cookies everywhere and do not
3927 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003928 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003929 high risk of session crossing or stealing between users traversing the same
3930 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02003931 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003932
3933 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003934 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01003935 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003936 response to check if there's a risk of caching a cookie on a client-side
3937 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01003938 to the client are :
3939 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003940 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01003941 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003942 - all those that come from a POST request, provided that the server has not
3943 set a 'Cache-Control: public' header ;
3944 - those with a 'Pragma: no-cache' header
3945 - those with a 'Cache-control: private' header
3946 - those with a 'Cache-control: no-store' header
3947 - those with a 'Cache-control: max-age=0' header
3948 - those with a 'Cache-control: s-maxage=0' header
3949 - those with a 'Cache-control: no-cache' header
3950 - those with a 'Cache-control: no-cache="set-cookie"' header
3951 - those with a 'Cache-control: no-cache="set-cookie,' header
3952 (allowing other fields after set-cookie)
3953
3954 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01003955 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003956 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003957 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003958 that admins are informed that there's something to be fixed.
3959
3960 Due to the high impact on the application, the application should be tested
3961 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003962 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003963 production, as it will report potentially dangerous application behaviours.
3964
3965 If this option has been enabled in a "defaults" section, it can be disabled
3966 in a specific instance by prepending the "no" keyword before it.
3967
3968
3969option clitcpka
3970no option clitcpka
3971 Enable or disable the sending of TCP keepalive packets on the client side
3972 May be used in sections : defaults | frontend | listen | backend
3973 yes | yes | yes | no
3974 Arguments : none
3975
3976 When there is a firewall or any session-aware component between a client and
3977 a server, and when the protocol involves very long sessions with long idle
3978 periods (eg: remote desktops), there is a risk that one of the intermediate
3979 components decides to expire a session which has remained idle for too long.
3980
3981 Enabling socket-level TCP keep-alives makes the system regularly send packets
3982 to the other end of the connection, leaving it active. The delay between
3983 keep-alive probes is controlled by the system only and depends both on the
3984 operating system and its tuning parameters.
3985
3986 It is important to understand that keep-alive packets are neither emitted nor
3987 received at the application level. It is only the network stacks which sees
3988 them. For this reason, even if one side of the proxy already uses keep-alives
3989 to maintain its connection alive, those keep-alive packets will not be
3990 forwarded to the other side of the proxy.
3991
3992 Please note that this has nothing to do with HTTP keep-alive.
3993
3994 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
3995 client side of a connection, which should help when session expirations are
3996 noticed between HAProxy and a client.
3997
3998 If this option has been enabled in a "defaults" section, it can be disabled
3999 in a specific instance by prepending the "no" keyword before it.
4000
4001 See also : "option srvtcpka", "option tcpka"
4002
4003
Willy Tarreau0ba27502007-12-24 16:55:16 +01004004option contstats
4005 Enable continuous traffic statistics updates
4006 May be used in sections : defaults | frontend | listen | backend
4007 yes | yes | yes | no
4008 Arguments : none
4009
4010 By default, counters used for statistics calculation are incremented
4011 only when a session finishes. It works quite well when serving small
4012 objects, but with big ones (for example large images or archives) or
4013 with A/V streaming, a graph generated from haproxy counters looks like
4014 a hedgehog. With this option enabled counters get incremented continuously,
4015 during a whole session. Recounting touches a hotpath directly so
4016 it is not enabled by default, as it has small performance impact (~0.5%).
4017
4018
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004019option dontlog-normal
4020no option dontlog-normal
4021 Enable or disable logging of normal, successful connections
4022 May be used in sections : defaults | frontend | listen | backend
4023 yes | yes | yes | no
4024 Arguments : none
4025
4026 There are large sites dealing with several thousand connections per second
4027 and for which logging is a major pain. Some of them are even forced to turn
4028 logs off and cannot debug production issues. Setting this option ensures that
4029 normal connections, those which experience no error, no timeout, no retry nor
4030 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
4031 mode, the response status code is checked and return codes 5xx will still be
4032 logged.
4033
4034 It is strongly discouraged to use this option as most of the time, the key to
4035 complex issues is in the normal logs which will not be logged here. If you
4036 need to separate logs, see the "log-separate-errors" option instead.
4037
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004038 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004039 logging.
4040
4041
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004042option dontlognull
4043no option dontlognull
4044 Enable or disable logging of null connections
4045 May be used in sections : defaults | frontend | listen | backend
4046 yes | yes | yes | no
4047 Arguments : none
4048
4049 In certain environments, there are components which will regularly connect to
4050 various systems to ensure that they are still alive. It can be the case from
4051 another load balancer as well as from monitoring systems. By default, even a
4052 simple port probe or scan will produce a log. If those connections pollute
4053 the logs too much, it is possible to enable option "dontlognull" to indicate
4054 that a connection on which no data has been transferred will not be logged,
4055 which typically corresponds to those probes.
4056
4057 It is generally recommended not to use this option in uncontrolled
4058 environments (eg: internet), otherwise scans and other malicious activities
4059 would not be logged.
4060
4061 If this option has been enabled in a "defaults" section, it can be disabled
4062 in a specific instance by prepending the "no" keyword before it.
4063
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004064 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004065
4066
4067option forceclose
4068no option forceclose
4069 Enable or disable active connection closing after response is transferred.
4070 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01004071 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004072 Arguments : none
4073
4074 Some HTTP servers do not necessarily close the connections when they receive
4075 the "Connection: close" set by "option httpclose", and if the client does not
4076 close either, then the connection remains open till the timeout expires. This
4077 causes high number of simultaneous connections on the servers and shows high
4078 global session times in the logs.
4079
4080 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01004081 actively close the outgoing server channel as soon as the server has finished
Cyril Bonté653dcd62014-02-20 00:13:15 +01004082 to respond and release some resources earlier than with "option httpclose".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004083
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004084 This option may also be combined with "option http-pretend-keepalive", which
4085 will disable sending of the "Connection: close" header, but will still cause
4086 the connection to be closed once the whole response is received.
4087
Cyril Bonté653dcd62014-02-20 00:13:15 +01004088 This option disables and replaces any previous "option httpclose", "option
4089 http-server-close", "option http-keep-alive", or "option http-tunnel".
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004090
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004091 If this option has been enabled in a "defaults" section, it can be disabled
4092 in a specific instance by prepending the "no" keyword before it.
4093
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004094 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004095
4096
Willy Tarreau87cf5142011-08-19 22:57:24 +02004097option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01004098 Enable insertion of the X-Forwarded-For header to requests sent to servers
4099 May be used in sections : defaults | frontend | listen | backend
4100 yes | yes | yes | yes
4101 Arguments :
4102 <network> is an optional argument used to disable this option for sources
4103 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02004104 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01004105 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004106
4107 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
4108 their client address. This is sometimes annoying when the client's IP address
4109 is expected in server logs. To solve this problem, the well-known HTTP header
4110 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
4111 This header contains a value representing the client's IP address. Since this
4112 header is always appended at the end of the existing header list, the server
4113 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02004114 the server's manual to find how to enable use of this standard header. Note
4115 that only the last occurrence of the header must be used, since it is really
4116 possible that the client has already brought one.
4117
Willy Tarreaud72758d2010-01-12 10:42:19 +01004118 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02004119 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01004120 have a "X-Forwarded-For" header from a different application (eg: stunnel),
4121 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02004122 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
4123 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01004124
4125 Sometimes, a same HAProxy instance may be shared between a direct client
4126 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
4127 used to decrypt HTTPS traffic). It is possible to disable the addition of the
4128 header for a known source address or network by adding the "except" keyword
4129 followed by the network address. In this case, any source IP matching the
4130 network will not cause an addition of this header. Most common uses are with
4131 private networks or 127.0.0.1.
4132
Willy Tarreau87cf5142011-08-19 22:57:24 +02004133 Alternatively, the keyword "if-none" states that the header will only be
4134 added if it is not present. This should only be used in perfectly trusted
4135 environment, as this might cause a security issue if headers reaching haproxy
4136 are under the control of the end-user.
4137
Willy Tarreauc27debf2008-01-06 08:57:02 +01004138 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02004139 least one of them uses it, the header will be added. Note that the backend's
4140 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02004141 both are defined. In the case of the "if-none" argument, if at least one of
4142 the frontend or the backend does not specify it, it wants the addition to be
4143 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004144
Ross Westaf72a1d2008-08-03 10:51:45 +02004145 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01004146 # Public HTTP address also used by stunnel on the same machine
4147 frontend www
4148 mode http
4149 option forwardfor except 127.0.0.1 # stunnel already adds the header
4150
Ross Westaf72a1d2008-08-03 10:51:45 +02004151 # Those servers want the IP Address in X-Client
4152 backend www
4153 mode http
4154 option forwardfor header X-Client
4155
Willy Tarreau87cf5142011-08-19 22:57:24 +02004156 See also : "option httpclose", "option http-server-close",
Willy Tarreau70dffda2014-01-30 03:07:23 +01004157 "option forceclose", "option http-keep-alive"
Willy Tarreauc27debf2008-01-06 08:57:02 +01004158
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004159
Willy Tarreau16bfb022010-01-16 19:48:41 +01004160option http-keep-alive
4161no option http-keep-alive
4162 Enable or disable HTTP keep-alive from client to server
4163 May be used in sections : defaults | frontend | listen | backend
4164 yes | yes | yes | yes
4165 Arguments : none
4166
Willy Tarreau70dffda2014-01-30 03:07:23 +01004167 By default HAProxy operates in keep-alive mode with regards to persistent
4168 connections: for each connection it processes each request and response, and
4169 leaves the connection idle on both sides between the end of a response and the
4170 start of a new request. This mode may be changed by several options such as
4171 "option http-server-close", "option forceclose", "option httpclose" or
4172 "option http-tunnel". This option allows to set back the keep-alive mode,
4173 which can be useful when another mode was used in a defaults section.
4174
4175 Setting "option http-keep-alive" enables HTTP keep-alive mode on the client-
4176 and server- sides. This provides the lowest latency on the client side (slow
Willy Tarreau16bfb022010-01-16 19:48:41 +01004177 network) and the fastest session reuse on the server side at the expense
4178 of maintaining idle connections to the servers. In general, it is possible
4179 with this option to achieve approximately twice the request rate that the
4180 "http-server-close" option achieves on small objects. There are mainly two
4181 situations where this option may be useful :
4182
4183 - when the server is non-HTTP compliant and authenticates the connection
4184 instead of requests (eg: NTLM authentication)
4185
4186 - when the cost of establishing the connection to the server is significant
4187 compared to the cost of retrieving the associated object from the server.
4188
4189 This last case can happen when the server is a fast static server of cache.
4190 In this case, the server will need to be properly tuned to support high enough
4191 connection counts because connections will last until the client sends another
4192 request.
4193
4194 If the client request has to go to another backend or another server due to
4195 content switching or the load balancing algorithm, the idle connection will
Willy Tarreau9420b122013-12-15 18:58:25 +01004196 immediately be closed and a new one re-opened. Option "prefer-last-server" is
4197 available to try optimize server selection so that if the server currently
4198 attached to an idle connection is usable, it will be used.
Willy Tarreau16bfb022010-01-16 19:48:41 +01004199
4200 In general it is preferred to use "option http-server-close" with application
4201 servers, and some static servers might benefit from "option http-keep-alive".
4202
4203 At the moment, logs will not indicate whether requests came from the same
4204 session or not. The accept date reported in the logs corresponds to the end
4205 of the previous request, and the request time corresponds to the time spent
4206 waiting for a new request. The keep-alive request time is still bound to the
4207 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
4208 not set.
4209
Cyril Bonté653dcd62014-02-20 00:13:15 +01004210 This option disables and replaces any previous "option httpclose", "option
4211 http-server-close", "option forceclose" or "option http-tunnel". When backend
Willy Tarreau70dffda2014-01-30 03:07:23 +01004212 and frontend options differ, all of these 4 options have precedence over
Cyril Bonté653dcd62014-02-20 00:13:15 +01004213 "option http-keep-alive".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004214
4215 See also : "option forceclose", "option http-server-close",
Willy Tarreau9420b122013-12-15 18:58:25 +01004216 "option prefer-last-server", "option http-pretend-keepalive",
4217 "option httpclose", and "1.1. The HTTP transaction model".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004218
4219
Willy Tarreau96e31212011-05-30 18:10:30 +02004220option http-no-delay
4221no option http-no-delay
4222 Instruct the system to favor low interactive delays over performance in HTTP
4223 May be used in sections : defaults | frontend | listen | backend
4224 yes | yes | yes | yes
4225 Arguments : none
4226
4227 In HTTP, each payload is unidirectional and has no notion of interactivity.
4228 Any agent is expected to queue data somewhat for a reasonably low delay.
4229 There are some very rare server-to-server applications that abuse the HTTP
4230 protocol and expect the payload phase to be highly interactive, with many
4231 interleaved data chunks in both directions within a single request. This is
4232 absolutely not supported by the HTTP specification and will not work across
4233 most proxies or servers. When such applications attempt to do this through
4234 haproxy, it works but they will experience high delays due to the network
4235 optimizations which favor performance by instructing the system to wait for
4236 enough data to be available in order to only send full packets. Typical
4237 delays are around 200 ms per round trip. Note that this only happens with
4238 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
4239 affected.
4240
4241 When "option http-no-delay" is present in either the frontend or the backend
4242 used by a connection, all such optimizations will be disabled in order to
4243 make the exchanges as fast as possible. Of course this offers no guarantee on
4244 the functionality, as it may break at any other place. But if it works via
4245 HAProxy, it will work as fast as possible. This option should never be used
4246 by default, and should never be used at all unless such a buggy application
4247 is discovered. The impact of using this option is an increase of bandwidth
4248 usage and CPU usage, which may significantly lower performance in high
4249 latency environments.
4250
4251
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004252option http-pretend-keepalive
4253no option http-pretend-keepalive
4254 Define whether haproxy will announce keepalive to the server or not
4255 May be used in sections : defaults | frontend | listen | backend
4256 yes | yes | yes | yes
4257 Arguments : none
4258
4259 When running with "option http-server-close" or "option forceclose", haproxy
4260 adds a "Connection: close" header to the request forwarded to the server.
4261 Unfortunately, when some servers see this header, they automatically refrain
4262 from using the chunked encoding for responses of unknown length, while this
4263 is totally unrelated. The immediate effect is that this prevents haproxy from
4264 maintaining the client connection alive. A second effect is that a client or
4265 a cache could receive an incomplete response without being aware of it, and
4266 consider the response complete.
4267
4268 By setting "option http-pretend-keepalive", haproxy will make the server
4269 believe it will keep the connection alive. The server will then not fall back
4270 to the abnormal undesired above. When haproxy gets the whole response, it
4271 will close the connection with the server just as it would do with the
4272 "forceclose" option. That way the client gets a normal response and the
4273 connection is correctly closed on the server side.
4274
4275 It is recommended not to enable this option by default, because most servers
4276 will more efficiently close the connection themselves after the last packet,
4277 and release its buffers slightly earlier. Also, the added packet on the
4278 network could slightly reduce the overall peak performance. However it is
4279 worth noting that when this option is enabled, haproxy will have slightly
4280 less work to do. So if haproxy is the bottleneck on the whole architecture,
4281 enabling this option might save a few CPU cycles.
4282
4283 This option may be set both in a frontend and in a backend. It is enabled if
4284 at least one of the frontend or backend holding a connection has it enabled.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004285 This option may be combined with "option httpclose", which will cause
Willy Tarreau22a95342010-09-29 14:31:41 +02004286 keepalive to be announced to the server and close to be announced to the
4287 client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004288
4289 If this option has been enabled in a "defaults" section, it can be disabled
4290 in a specific instance by prepending the "no" keyword before it.
4291
Willy Tarreau16bfb022010-01-16 19:48:41 +01004292 See also : "option forceclose", "option http-server-close", and
4293 "option http-keep-alive"
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004294
Willy Tarreauc27debf2008-01-06 08:57:02 +01004295
Willy Tarreaub608feb2010-01-02 22:47:18 +01004296option http-server-close
4297no option http-server-close
4298 Enable or disable HTTP connection closing on the server side
4299 May be used in sections : defaults | frontend | listen | backend
4300 yes | yes | yes | yes
4301 Arguments : none
4302
Willy Tarreau70dffda2014-01-30 03:07:23 +01004303 By default HAProxy operates in keep-alive mode with regards to persistent
4304 connections: for each connection it processes each request and response, and
4305 leaves the connection idle on both sides between the end of a response and
4306 the start of a new request. This mode may be changed by several options such
4307 as "option http-server-close", "option forceclose", "option httpclose" or
4308 "option http-tunnel". Setting "option http-server-close" enables HTTP
4309 connection-close mode on the server side while keeping the ability to support
4310 HTTP keep-alive and pipelining on the client side. This provides the lowest
4311 latency on the client side (slow network) and the fastest session reuse on
4312 the server side to save server resources, similarly to "option forceclose".
4313 It also permits non-keepalive capable servers to be served in keep-alive mode
4314 to the clients if they conform to the requirements of RFC2616. Please note
4315 that some servers do not always conform to those requirements when they see
4316 "Connection: close" in the request. The effect will be that keep-alive will
4317 never be used. A workaround consists in enabling "option
4318 http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01004319
4320 At the moment, logs will not indicate whether requests came from the same
4321 session or not. The accept date reported in the logs corresponds to the end
4322 of the previous request, and the request time corresponds to the time spent
4323 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01004324 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
4325 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01004326
4327 This option may be set both in a frontend and in a backend. It is enabled if
4328 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01004329 It disables and replaces any previous "option httpclose", "option forceclose",
4330 "option http-tunnel" or "option http-keep-alive". Please check section 4
Willy Tarreau70dffda2014-01-30 03:07:23 +01004331 ("Proxies") to see how this option combines with others when frontend and
4332 backend options differ.
Willy Tarreaub608feb2010-01-02 22:47:18 +01004333
4334 If this option has been enabled in a "defaults" section, it can be disabled
4335 in a specific instance by prepending the "no" keyword before it.
4336
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02004337 See also : "option forceclose", "option http-pretend-keepalive",
Willy Tarreau16bfb022010-01-16 19:48:41 +01004338 "option httpclose", "option http-keep-alive", and
4339 "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01004340
4341
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004342option http-tunnel
4343no option http-tunnel
4344 Disable or enable HTTP connection processing after first transaction
4345 May be used in sections : defaults | frontend | listen | backend
4346 yes | yes | yes | yes
4347 Arguments : none
4348
Willy Tarreau70dffda2014-01-30 03:07:23 +01004349 By default HAProxy operates in keep-alive mode with regards to persistent
4350 connections: for each connection it processes each request and response, and
4351 leaves the connection idle on both sides between the end of a response and
4352 the start of a new request. This mode may be changed by several options such
4353 as "option http-server-close", "option forceclose", "option httpclose" or
4354 "option http-tunnel".
4355
4356 Option "http-tunnel" disables any HTTP processing past the first request and
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004357 the first response. This is the mode which was used by default in versions
Willy Tarreau70dffda2014-01-30 03:07:23 +01004358 1.0 to 1.5-dev21. It is the mode with the lowest processing overhead, which
4359 is normally not needed anymore unless in very specific cases such as when
4360 using an in-house protocol that looks like HTTP but is not compatible, or
4361 just to log one request per client in order to reduce log size. Note that
4362 everything which works at the HTTP level, including header parsing/addition,
4363 cookie processing or content switching will only work for the first request
4364 and will be ignored after the first response.
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004365
4366 If this option has been enabled in a "defaults" section, it can be disabled
4367 in a specific instance by prepending the "no" keyword before it.
4368
4369 See also : "option forceclose", "option http-server-close",
4370 "option httpclose", "option http-keep-alive", and
4371 "1.1. The HTTP transaction model".
4372
4373
Willy Tarreau88d349d2010-01-25 12:15:43 +01004374option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01004375no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01004376 Make use of non-standard Proxy-Connection header instead of Connection
4377 May be used in sections : defaults | frontend | listen | backend
4378 yes | yes | yes | no
4379 Arguments : none
4380
4381 While RFC2616 explicitly states that HTTP/1.1 agents must use the
4382 Connection header to indicate their wish of persistent or non-persistent
4383 connections, both browsers and proxies ignore this header for proxied
4384 connections and make use of the undocumented, non-standard Proxy-Connection
4385 header instead. The issue begins when trying to put a load balancer between
4386 browsers and such proxies, because there will be a difference between what
4387 haproxy understands and what the client and the proxy agree on.
4388
4389 By setting this option in a frontend, haproxy can automatically switch to use
4390 that non-standard header if it sees proxied requests. A proxied request is
4391 defined here as one where the URI begins with neither a '/' nor a '*'. The
4392 choice of header only affects requests passing through proxies making use of
4393 one of the "httpclose", "forceclose" and "http-server-close" options. Note
4394 that this option can only be specified in a frontend and will affect the
4395 request along its whole life.
4396
Willy Tarreau844a7e72010-01-31 21:46:18 +01004397 Also, when this option is set, a request which requires authentication will
4398 automatically switch to use proxy authentication headers if it is itself a
4399 proxied request. That makes it possible to check or enforce authentication in
4400 front of an existing proxy.
4401
Willy Tarreau88d349d2010-01-25 12:15:43 +01004402 This option should normally never be used, except in front of a proxy.
4403
4404 See also : "option httpclose", "option forceclose" and "option
4405 http-server-close".
4406
4407
Willy Tarreaud63335a2010-02-26 12:56:52 +01004408option httpchk
4409option httpchk <uri>
4410option httpchk <method> <uri>
4411option httpchk <method> <uri> <version>
4412 Enable HTTP protocol to check on the servers health
4413 May be used in sections : defaults | frontend | listen | backend
4414 yes | no | yes | yes
4415 Arguments :
4416 <method> is the optional HTTP method used with the requests. When not set,
4417 the "OPTIONS" method is used, as it generally requires low server
4418 processing and is easy to filter out from the logs. Any method
4419 may be used, though it is not recommended to invent non-standard
4420 ones.
4421
4422 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
4423 which is accessible by default on almost any server, but may be
4424 changed to any other URI. Query strings are permitted.
4425
4426 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
4427 but some servers might behave incorrectly in HTTP 1.0, so turning
4428 it to HTTP/1.1 may sometimes help. Note that the Host field is
4429 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
4430 after "\r\n" following the version string.
4431
4432 By default, server health checks only consist in trying to establish a TCP
4433 connection. When "option httpchk" is specified, a complete HTTP request is
4434 sent once the TCP connection is established, and responses 2xx and 3xx are
4435 considered valid, while all other ones indicate a server failure, including
4436 the lack of any response.
4437
4438 The port and interval are specified in the server configuration.
4439
4440 This option does not necessarily require an HTTP backend, it also works with
4441 plain TCP backends. This is particularly useful to check simple scripts bound
4442 to some dedicated ports using the inetd daemon.
4443
4444 Examples :
4445 # Relay HTTPS traffic to Apache instance and check service availability
4446 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
4447 backend https_relay
4448 mode tcp
4449 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
4450 server apache1 192.168.1.1:443 check port 80
4451
Simon Hormanafc47ee2013-11-25 10:46:35 +09004452 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
4453 "option pgsql-check", "http-check" and the "check", "port" and
4454 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01004455
4456
Willy Tarreauc27debf2008-01-06 08:57:02 +01004457option httpclose
4458no option httpclose
4459 Enable or disable passive HTTP connection closing
4460 May be used in sections : defaults | frontend | listen | backend
4461 yes | yes | yes | yes
4462 Arguments : none
4463
Willy Tarreau70dffda2014-01-30 03:07:23 +01004464 By default HAProxy operates in keep-alive mode with regards to persistent
4465 connections: for each connection it processes each request and response, and
4466 leaves the connection idle on both sides between the end of a response and
4467 the start of a new request. This mode may be changed by several options such
Cyril Bonté653dcd62014-02-20 00:13:15 +01004468 as "option http-server-close", "option forceclose", "option httpclose" or
Willy Tarreau70dffda2014-01-30 03:07:23 +01004469 "option http-tunnel".
4470
4471 If "option httpclose" is set, HAProxy will work in HTTP tunnel mode and check
4472 if a "Connection: close" header is already set in each direction, and will
4473 add one if missing. Each end should react to this by actively closing the TCP
4474 connection after each transfer, thus resulting in a switch to the HTTP close
4475 mode. Any "Connection" header different from "close" will also be removed.
4476 Note that this option is deprecated since what it does is very cheap but not
4477 reliable. Using "option http-server-close" or "option forceclose" is strongly
4478 recommended instead.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004479
4480 It seldom happens that some servers incorrectly ignore this header and do not
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004481 close the connection even though they reply "Connection: close". For this
Willy Tarreau0dfdf192010-01-05 11:33:11 +01004482 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
4483 it is possible to use the "option forceclose" which actively closes the
4484 request connection once the server responds. Option "forceclose" also
4485 releases the server connection earlier because it does not have to wait for
4486 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004487
4488 This option may be set both in a frontend and in a backend. It is enabled if
4489 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01004490 It disables and replaces any previous "option http-server-close",
4491 "option forceclose", "option http-keep-alive" or "option http-tunnel". Please
Willy Tarreau70dffda2014-01-30 03:07:23 +01004492 check section 4 ("Proxies") to see how this option combines with others when
4493 frontend and backend options differ.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004494
4495 If this option has been enabled in a "defaults" section, it can be disabled
4496 in a specific instance by prepending the "no" keyword before it.
4497
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02004498 See also : "option forceclose", "option http-server-close" and
4499 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01004500
4501
Emeric Brun3a058f32009-06-30 18:26:00 +02004502option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01004503 Enable logging of HTTP request, session state and timers
4504 May be used in sections : defaults | frontend | listen | backend
4505 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02004506 Arguments :
4507 clf if the "clf" argument is added, then the output format will be
4508 the CLF format instead of HAProxy's default HTTP format. You can
4509 use this when you need to feed HAProxy's logs through a specific
4510 log analyser which only support the CLF format and which is not
4511 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004512
4513 By default, the log output format is very poor, as it only contains the
4514 source and destination addresses, and the instance name. By specifying
4515 "option httplog", each log line turns into a much richer format including,
4516 but not limited to, the HTTP request, the connection timers, the session
4517 status, the connections numbers, the captured headers and cookies, the
4518 frontend, backend and server name, and of course the source address and
4519 ports.
4520
4521 This option may be set either in the frontend or the backend.
4522
PiBa-NLbd556bf2014-12-11 21:31:54 +01004523 Specifying only "option httplog" will automatically clear the 'clf' mode
4524 if it was set by default.
Emeric Brun3a058f32009-06-30 18:26:00 +02004525
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004526 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004527
Willy Tarreau55165fe2009-05-10 12:02:55 +02004528
4529option http_proxy
4530no option http_proxy
4531 Enable or disable plain HTTP proxy mode
4532 May be used in sections : defaults | frontend | listen | backend
4533 yes | yes | yes | yes
4534 Arguments : none
4535
4536 It sometimes happens that people need a pure HTTP proxy which understands
4537 basic proxy requests without caching nor any fancy feature. In this case,
4538 it may be worth setting up an HAProxy instance with the "option http_proxy"
4539 set. In this mode, no server is declared, and the connection is forwarded to
4540 the IP address and port found in the URL after the "http://" scheme.
4541
4542 No host address resolution is performed, so this only works when pure IP
4543 addresses are passed. Since this option's usage perimeter is rather limited,
4544 it will probably be used only by experts who know they need exactly it. Last,
4545 if the clients are susceptible of sending keep-alive requests, it will be
Cyril Bonté2409e682010-12-14 22:47:51 +01004546 needed to add "option httpclose" to ensure that all requests will correctly
Willy Tarreau55165fe2009-05-10 12:02:55 +02004547 be analyzed.
4548
4549 If this option has been enabled in a "defaults" section, it can be disabled
4550 in a specific instance by prepending the "no" keyword before it.
4551
4552 Example :
4553 # this backend understands HTTP proxy requests and forwards them directly.
4554 backend direct_forward
4555 option httpclose
4556 option http_proxy
4557
4558 See also : "option httpclose"
4559
Willy Tarreau211ad242009-10-03 21:45:07 +02004560
Jamie Gloudon801a0a32012-08-25 00:18:33 -04004561option independent-streams
4562no option independent-streams
4563 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02004564 May be used in sections : defaults | frontend | listen | backend
4565 yes | yes | yes | yes
4566 Arguments : none
4567
4568 By default, when data is sent over a socket, both the write timeout and the
4569 read timeout for that socket are refreshed, because we consider that there is
4570 activity on that socket, and we have no other means of guessing if we should
4571 receive data or not.
4572
4573 While this default behaviour is desirable for almost all applications, there
4574 exists a situation where it is desirable to disable it, and only refresh the
4575 read timeout if there are incoming data. This happens on sessions with large
4576 timeouts and low amounts of exchanged data such as telnet session. If the
4577 server suddenly disappears, the output data accumulates in the system's
4578 socket buffers, both timeouts are correctly refreshed, and there is no way
4579 to know the server does not receive them, so we don't timeout. However, when
4580 the underlying protocol always echoes sent data, it would be enough by itself
4581 to detect the issue using the read timeout. Note that this problem does not
4582 happen with more verbose protocols because data won't accumulate long in the
4583 socket buffers.
4584
4585 When this option is set on the frontend, it will disable read timeout updates
4586 on data sent to the client. There probably is little use of this case. When
4587 the option is set on the backend, it will disable read timeout updates on
4588 data sent to the server. Doing so will typically break large HTTP posts from
4589 slow lines, so use it with caution.
4590
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004591 Note: older versions used to call this setting "option independent-streams"
Jamie Gloudon801a0a32012-08-25 00:18:33 -04004592 with a spelling mistake. This spelling is still supported but
4593 deprecated.
4594
Willy Tarreauce887fd2012-05-12 12:50:00 +02004595 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02004596
4597
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02004598option ldap-check
4599 Use LDAPv3 health checks for server testing
4600 May be used in sections : defaults | frontend | listen | backend
4601 yes | no | yes | yes
4602 Arguments : none
4603
4604 It is possible to test that the server correctly talks LDAPv3 instead of just
4605 testing that it accepts the TCP connection. When this option is set, an
4606 LDAPv3 anonymous simple bind message is sent to the server, and the response
4607 is analyzed to find an LDAPv3 bind response message.
4608
4609 The server is considered valid only when the LDAP response contains success
4610 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
4611
4612 Logging of bind requests is server dependent see your documentation how to
4613 configure it.
4614
4615 Example :
4616 option ldap-check
4617
4618 See also : "option httpchk"
4619
4620
Simon Horman98637e52014-06-20 12:30:16 +09004621option external-check
4622 Use external processes for server health checks
4623 May be used in sections : defaults | frontend | listen | backend
4624 yes | no | yes | yes
4625
4626 It is possible to test the health of a server using an external command.
4627 This is achieved by running the executable set using "external-check
4628 command".
4629
4630 Requires the "external-check" global to be set.
4631
4632 See also : "external-check", "external-check command", "external-check path"
4633
4634
Willy Tarreau211ad242009-10-03 21:45:07 +02004635option log-health-checks
4636no option log-health-checks
Willy Tarreaubef1b322014-05-13 21:01:39 +02004637 Enable or disable logging of health checks status updates
Willy Tarreau211ad242009-10-03 21:45:07 +02004638 May be used in sections : defaults | frontend | listen | backend
4639 yes | no | yes | yes
4640 Arguments : none
4641
Willy Tarreaubef1b322014-05-13 21:01:39 +02004642 By default, failed health check are logged if server is UP and successful
4643 health checks are logged if server is DOWN, so the amount of additional
4644 information is limited.
Willy Tarreau211ad242009-10-03 21:45:07 +02004645
Willy Tarreaubef1b322014-05-13 21:01:39 +02004646 When this option is enabled, any change of the health check status or to
4647 the server's health will be logged, so that it becomes possible to know
4648 that a server was failing occasional checks before crashing, or exactly when
4649 it failed to respond a valid HTTP status, then when the port started to
4650 reject connections, then when the server stopped responding at all.
4651
4652 Note that status changes not caused by health checks (eg: enable/disable on
4653 the CLI) are intentionally not logged by this option.
Willy Tarreau211ad242009-10-03 21:45:07 +02004654
Willy Tarreaubef1b322014-05-13 21:01:39 +02004655 See also: "option httpchk", "option ldap-check", "option mysql-check",
4656 "option pgsql-check", "option redis-check", "option smtpchk",
4657 "option tcp-check", "log" and section 8 about logging.
Willy Tarreau211ad242009-10-03 21:45:07 +02004658
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004659
4660option log-separate-errors
4661no option log-separate-errors
4662 Change log level for non-completely successful connections
4663 May be used in sections : defaults | frontend | listen | backend
4664 yes | yes | yes | no
4665 Arguments : none
4666
4667 Sometimes looking for errors in logs is not easy. This option makes haproxy
4668 raise the level of logs containing potentially interesting information such
4669 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
4670 level changes from "info" to "err". This makes it possible to log them
4671 separately to a different file with most syslog daemons. Be careful not to
4672 remove them from the original file, otherwise you would lose ordering which
4673 provides very important information.
4674
4675 Using this option, large sites dealing with several thousand connections per
4676 second may log normal traffic to a rotating buffer and only archive smaller
4677 error logs.
4678
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004679 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004680 logging.
4681
Willy Tarreauc27debf2008-01-06 08:57:02 +01004682
4683option logasap
4684no option logasap
4685 Enable or disable early logging of HTTP requests
4686 May be used in sections : defaults | frontend | listen | backend
4687 yes | yes | yes | no
4688 Arguments : none
4689
4690 By default, HTTP requests are logged upon termination so that the total
4691 transfer time and the number of bytes appear in the logs. When large objects
4692 are being transferred, it may take a while before the request appears in the
4693 logs. Using "option logasap", the request gets logged as soon as the server
4694 sends the complete headers. The only missing information in the logs will be
4695 the total number of bytes which will indicate everything except the amount
4696 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004697 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01004698 "Content-Length" response header so that the logs at least indicate how many
4699 bytes are expected to be transferred.
4700
Willy Tarreaucc6c8912009-02-22 10:53:55 +01004701 Examples :
4702 listen http_proxy 0.0.0.0:80
4703 mode http
4704 option httplog
4705 option logasap
4706 log 192.168.2.200 local3
4707
4708 >>> Feb 6 12:14:14 localhost \
4709 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
4710 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
4711 "GET /image.iso HTTP/1.0"
4712
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004713 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01004714 logging.
4715
4716
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02004717option mysql-check [ user <username> [ post-41 ] ]
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004718 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004719 May be used in sections : defaults | frontend | listen | backend
4720 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004721 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004722 <username> This is the username which will be used when connecting to MySQL
4723 server.
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02004724 post-41 Send post v4.1 client compatible checks
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004725
4726 If you specify a username, the check consists of sending two MySQL packet,
4727 one Client Authentication packet, and one QUIT packet, to correctly close
4728 MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
4729 Error packet. It is a basic but useful test which does not produce error nor
4730 aborted connect on the server. However, it requires adding an authorization
4731 in the MySQL table, like this :
4732
4733 USE mysql;
4734 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
4735 FLUSH PRIVILEGES;
4736
4737 If you don't specify a username (it is deprecated and not recommended), the
4738 check only consists in parsing the Mysql Handshake Initialisation packet or
4739 Error packet, we don't send anything in this mode. It was reported that it
4740 can generate lockout if check is too frequent and/or if there is not enough
4741 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
4742 value as if a connection is established successfully within fewer than MySQL
4743 "max_connect_errors" attempts after a previous connection was interrupted,
4744 the error count for the host is cleared to zero. If HAProxy's server get
4745 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
4746
4747 Remember that this does not check database presence nor database consistency.
4748 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004749
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02004750 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004751
4752 Most often, an incoming MySQL server needs to see the client's IP address for
4753 various purposes, including IP privilege matching and connection logging.
4754 When possible, it is often wise to masquerade the client's IP address when
4755 connecting to the server using the "usesrc" argument of the "source" keyword,
4756 which requires the cttproxy feature to be compiled in, and the MySQL server
4757 to route the client via the machine hosting haproxy.
4758
4759 See also: "option httpchk"
4760
4761
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004762option nolinger
4763no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004764 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004765 May be used in sections: defaults | frontend | listen | backend
4766 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004767 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004768
4769 When clients or servers abort connections in a dirty way (eg: they are
4770 physically disconnected), the session timeouts triggers and the session is
4771 closed. But it will remain in FIN_WAIT1 state for some time in the system,
4772 using some resources and possibly limiting the ability to establish newer
4773 connections.
4774
4775 When this happens, it is possible to activate "option nolinger" which forces
4776 the system to immediately remove any socket's pending data on close. Thus,
4777 the session is instantly purged from the system's tables. This usually has
4778 side effects such as increased number of TCP resets due to old retransmits
4779 getting immediately rejected. Some firewalls may sometimes complain about
4780 this too.
4781
4782 For this reason, it is not recommended to use this option when not absolutely
4783 needed. You know that you need it when you have thousands of FIN_WAIT1
4784 sessions on your system (TIME_WAIT ones do not count).
4785
4786 This option may be used both on frontends and backends, depending on the side
4787 where it is required. Use it on the frontend for clients, and on the backend
4788 for servers.
4789
4790 If this option has been enabled in a "defaults" section, it can be disabled
4791 in a specific instance by prepending the "no" keyword before it.
4792
4793
Willy Tarreau55165fe2009-05-10 12:02:55 +02004794option originalto [ except <network> ] [ header <name> ]
4795 Enable insertion of the X-Original-To header to requests sent to servers
4796 May be used in sections : defaults | frontend | listen | backend
4797 yes | yes | yes | yes
4798 Arguments :
4799 <network> is an optional argument used to disable this option for sources
4800 matching <network>
4801 <name> an optional argument to specify a different "X-Original-To"
4802 header name.
4803
4804 Since HAProxy can work in transparent mode, every request from a client can
4805 be redirected to the proxy and HAProxy itself can proxy every request to a
4806 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
4807 be lost. This is annoying when you want access rules based on destination ip
4808 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
4809 added by HAProxy to all requests sent to the server. This header contains a
4810 value representing the original destination IP address. Since this must be
4811 configured to always use the last occurrence of this header only. Note that
4812 only the last occurrence of the header must be used, since it is really
4813 possible that the client has already brought one.
4814
4815 The keyword "header" may be used to supply a different header name to replace
4816 the default "X-Original-To". This can be useful where you might already
4817 have a "X-Original-To" header from a different application, and you need
4818 preserve it. Also if your backend server doesn't use the "X-Original-To"
4819 header and requires different one.
4820
4821 Sometimes, a same HAProxy instance may be shared between a direct client
4822 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
4823 used to decrypt HTTPS traffic). It is possible to disable the addition of the
4824 header for a known source address or network by adding the "except" keyword
4825 followed by the network address. In this case, any source IP matching the
4826 network will not cause an addition of this header. Most common uses are with
4827 private networks or 127.0.0.1.
4828
4829 This option may be specified either in the frontend or in the backend. If at
4830 least one of them uses it, the header will be added. Note that the backend's
4831 setting of the header subargument takes precedence over the frontend's if
4832 both are defined.
4833
Willy Tarreau55165fe2009-05-10 12:02:55 +02004834 Examples :
4835 # Original Destination address
4836 frontend www
4837 mode http
4838 option originalto except 127.0.0.1
4839
4840 # Those servers want the IP Address in X-Client-Dst
4841 backend www
4842 mode http
4843 option originalto header X-Client-Dst
4844
Willy Tarreau87cf5142011-08-19 22:57:24 +02004845 See also : "option httpclose", "option http-server-close",
4846 "option forceclose"
Willy Tarreau55165fe2009-05-10 12:02:55 +02004847
4848
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004849option persist
4850no option persist
4851 Enable or disable forced persistence on down servers
4852 May be used in sections: defaults | frontend | listen | backend
4853 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004854 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004855
4856 When an HTTP request reaches a backend with a cookie which references a dead
4857 server, by default it is redispatched to another server. It is possible to
4858 force the request to be sent to the dead server first using "option persist"
4859 if absolutely needed. A common use case is when servers are under extreme
4860 load and spend their time flapping. In this case, the users would still be
4861 directed to the server they opened the session on, in the hope they would be
4862 correctly served. It is recommended to use "option redispatch" in conjunction
4863 with this option so that in the event it would not be possible to connect to
4864 the server at all (server definitely dead), the client would finally be
4865 redirected to another valid server.
4866
4867 If this option has been enabled in a "defaults" section, it can be disabled
4868 in a specific instance by prepending the "no" keyword before it.
4869
Willy Tarreau4de91492010-01-22 19:10:05 +01004870 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004871
4872
Willy Tarreau0c122822013-12-15 18:49:01 +01004873option pgsql-check [ user <username> ]
4874 Use PostgreSQL health checks for server testing
4875 May be used in sections : defaults | frontend | listen | backend
4876 yes | no | yes | yes
4877 Arguments :
4878 <username> This is the username which will be used when connecting to
4879 PostgreSQL server.
4880
4881 The check sends a PostgreSQL StartupMessage and waits for either
4882 Authentication request or ErrorResponse message. It is a basic but useful
4883 test which does not produce error nor aborted connect on the server.
4884 This check is identical with the "mysql-check".
4885
4886 See also: "option httpchk"
4887
4888
Willy Tarreau9420b122013-12-15 18:58:25 +01004889option prefer-last-server
4890no option prefer-last-server
4891 Allow multiple load balanced requests to remain on the same server
4892 May be used in sections: defaults | frontend | listen | backend
4893 yes | no | yes | yes
4894 Arguments : none
4895
4896 When the load balancing algorithm in use is not deterministic, and a previous
4897 request was sent to a server to which haproxy still holds a connection, it is
4898 sometimes desirable that subsequent requests on a same session go to the same
4899 server as much as possible. Note that this is different from persistence, as
4900 we only indicate a preference which haproxy tries to apply without any form
4901 of warranty. The real use is for keep-alive connections sent to servers. When
4902 this option is used, haproxy will try to reuse the same connection that is
4903 attached to the server instead of rebalancing to another server, causing a
4904 close of the connection. This can make sense for static file servers. It does
Willy Tarreau068621e2013-12-23 15:11:25 +01004905 not make much sense to use this in combination with hashing algorithms. Note,
4906 haproxy already automatically tries to stick to a server which sends a 401 or
4907 to a proxy which sends a 407 (authentication required). This is mandatory for
4908 use with the broken NTLM authentication challenge, and significantly helps in
4909 troubleshooting some faulty applications. Option prefer-last-server might be
4910 desirable in these environments as well, to avoid redistributing the traffic
4911 after every other response.
Willy Tarreau9420b122013-12-15 18:58:25 +01004912
4913 If this option has been enabled in a "defaults" section, it can be disabled
4914 in a specific instance by prepending the "no" keyword before it.
4915
4916 See also: "option http-keep-alive"
4917
4918
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004919option redispatch
4920no option redispatch
4921 Enable or disable session redistribution in case of connection failure
4922 May be used in sections: defaults | frontend | listen | backend
4923 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004924 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004925
4926 In HTTP mode, if a server designated by a cookie is down, clients may
4927 definitely stick to it because they cannot flush the cookie, so they will not
4928 be able to access the service anymore.
4929
4930 Specifying "option redispatch" will allow the proxy to break their
4931 persistence and redistribute them to a working server.
4932
4933 It also allows to retry last connection to another server in case of multiple
4934 connection failures. Of course, it requires having "retries" set to a nonzero
4935 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01004936
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004937 This form is the preferred form, which replaces both the "redispatch" and
4938 "redisp" keywords.
4939
4940 If this option has been enabled in a "defaults" section, it can be disabled
4941 in a specific instance by prepending the "no" keyword before it.
4942
Willy Tarreau4de91492010-01-22 19:10:05 +01004943 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004944
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004945
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02004946option redis-check
4947 Use redis health checks for server testing
4948 May be used in sections : defaults | frontend | listen | backend
4949 yes | no | yes | yes
4950 Arguments : none
4951
4952 It is possible to test that the server correctly talks REDIS protocol instead
4953 of just testing that it accepts the TCP connection. When this option is set,
4954 a PING redis command is sent to the server, and the response is analyzed to
4955 find the "+PONG" response message.
4956
4957 Example :
4958 option redis-check
4959
4960 See also : "option httpchk"
4961
4962
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004963option smtpchk
4964option smtpchk <hello> <domain>
4965 Use SMTP health checks for server testing
4966 May be used in sections : defaults | frontend | listen | backend
4967 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01004968 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004969 <hello> is an optional argument. It is the "hello" command to use. It can
4970 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
4971 values will be turned into the default command ("HELO").
4972
4973 <domain> is the domain name to present to the server. It may only be
4974 specified (and is mandatory) if the hello command has been
4975 specified. By default, "localhost" is used.
4976
4977 When "option smtpchk" is set, the health checks will consist in TCP
4978 connections followed by an SMTP command. By default, this command is
4979 "HELO localhost". The server's return code is analyzed and only return codes
4980 starting with a "2" will be considered as valid. All other responses,
4981 including a lack of response will constitute an error and will indicate a
4982 dead server.
4983
4984 This test is meant to be used with SMTP servers or relays. Depending on the
4985 request, it is possible that some servers do not log each connection attempt,
4986 so you may want to experiment to improve the behaviour. Using telnet on port
4987 25 is often easier than adjusting the configuration.
4988
4989 Most often, an incoming SMTP server needs to see the client's IP address for
4990 various purposes, including spam filtering, anti-spoofing and logging. When
4991 possible, it is often wise to masquerade the client's IP address when
4992 connecting to the server using the "usesrc" argument of the "source" keyword,
4993 which requires the cttproxy feature to be compiled in.
4994
4995 Example :
4996 option smtpchk HELO mydomain.org
4997
4998 See also : "option httpchk", "source"
4999
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005000
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02005001option socket-stats
5002no option socket-stats
5003
5004 Enable or disable collecting & providing separate statistics for each socket.
5005 May be used in sections : defaults | frontend | listen | backend
5006 yes | yes | yes | no
5007
5008 Arguments : none
5009
5010
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005011option splice-auto
5012no option splice-auto
5013 Enable or disable automatic kernel acceleration on sockets in both directions
5014 May be used in sections : defaults | frontend | listen | backend
5015 yes | yes | yes | yes
5016 Arguments : none
5017
5018 When this option is enabled either on a frontend or on a backend, haproxy
5019 will automatically evaluate the opportunity to use kernel tcp splicing to
5020 forward data between the client and the server, in either direction. Haproxy
5021 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005022 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005023 are not much aggressive in order to limit excessive use of splicing. This
5024 option requires splicing to be enabled at compile time, and may be globally
5025 disabled with the global option "nosplice". Since splice uses pipes, using it
5026 requires that there are enough spare pipes.
5027
5028 Important note: kernel-based TCP splicing is a Linux-specific feature which
5029 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
5030 transfer data between sockets without copying these data to user-space, thus
5031 providing noticeable performance gains and CPU cycles savings. Since many
5032 early implementations are buggy, corrupt data and/or are inefficient, this
5033 feature is not enabled by default, and it should be used with extreme care.
5034 While it is not possible to detect the correctness of an implementation,
5035 2.6.29 is the first version offering a properly working implementation. In
5036 case of doubt, splicing may be globally disabled using the global "nosplice"
5037 keyword.
5038
5039 Example :
5040 option splice-auto
5041
5042 If this option has been enabled in a "defaults" section, it can be disabled
5043 in a specific instance by prepending the "no" keyword before it.
5044
5045 See also : "option splice-request", "option splice-response", and global
5046 options "nosplice" and "maxpipes"
5047
5048
5049option splice-request
5050no option splice-request
5051 Enable or disable automatic kernel acceleration on sockets for requests
5052 May be used in sections : defaults | frontend | listen | backend
5053 yes | yes | yes | yes
5054 Arguments : none
5055
5056 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005057 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005058 the client to the server. It might still use the recv/send scheme if there
5059 are no spare pipes left. This option requires splicing to be enabled at
5060 compile time, and may be globally disabled with the global option "nosplice".
5061 Since splice uses pipes, using it requires that there are enough spare pipes.
5062
5063 Important note: see "option splice-auto" for usage limitations.
5064
5065 Example :
5066 option splice-request
5067
5068 If this option has been enabled in a "defaults" section, it can be disabled
5069 in a specific instance by prepending the "no" keyword before it.
5070
5071 See also : "option splice-auto", "option splice-response", and global options
5072 "nosplice" and "maxpipes"
5073
5074
5075option splice-response
5076no option splice-response
5077 Enable or disable automatic kernel acceleration on sockets for responses
5078 May be used in sections : defaults | frontend | listen | backend
5079 yes | yes | yes | yes
5080 Arguments : none
5081
5082 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005083 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005084 the server to the client. It might still use the recv/send scheme if there
5085 are no spare pipes left. This option requires splicing to be enabled at
5086 compile time, and may be globally disabled with the global option "nosplice".
5087 Since splice uses pipes, using it requires that there are enough spare pipes.
5088
5089 Important note: see "option splice-auto" for usage limitations.
5090
5091 Example :
5092 option splice-response
5093
5094 If this option has been enabled in a "defaults" section, it can be disabled
5095 in a specific instance by prepending the "no" keyword before it.
5096
5097 See also : "option splice-auto", "option splice-request", and global options
5098 "nosplice" and "maxpipes"
5099
5100
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005101option srvtcpka
5102no option srvtcpka
5103 Enable or disable the sending of TCP keepalive packets on the server side
5104 May be used in sections : defaults | frontend | listen | backend
5105 yes | no | yes | yes
5106 Arguments : none
5107
5108 When there is a firewall or any session-aware component between a client and
5109 a server, and when the protocol involves very long sessions with long idle
5110 periods (eg: remote desktops), there is a risk that one of the intermediate
5111 components decides to expire a session which has remained idle for too long.
5112
5113 Enabling socket-level TCP keep-alives makes the system regularly send packets
5114 to the other end of the connection, leaving it active. The delay between
5115 keep-alive probes is controlled by the system only and depends both on the
5116 operating system and its tuning parameters.
5117
5118 It is important to understand that keep-alive packets are neither emitted nor
5119 received at the application level. It is only the network stacks which sees
5120 them. For this reason, even if one side of the proxy already uses keep-alives
5121 to maintain its connection alive, those keep-alive packets will not be
5122 forwarded to the other side of the proxy.
5123
5124 Please note that this has nothing to do with HTTP keep-alive.
5125
5126 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
5127 server side of a connection, which should help when session expirations are
5128 noticed between HAProxy and a server.
5129
5130 If this option has been enabled in a "defaults" section, it can be disabled
5131 in a specific instance by prepending the "no" keyword before it.
5132
5133 See also : "option clitcpka", "option tcpka"
5134
5135
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005136option ssl-hello-chk
5137 Use SSLv3 client hello health checks for server testing
5138 May be used in sections : defaults | frontend | listen | backend
5139 yes | no | yes | yes
5140 Arguments : none
5141
5142 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
5143 possible to test that the server correctly talks SSL instead of just testing
5144 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
5145 SSLv3 client hello messages are sent once the connection is established to
5146 the server, and the response is analyzed to find an SSL server hello message.
5147 The server is considered valid only when the response contains this server
5148 hello message.
5149
5150 All servers tested till there correctly reply to SSLv3 client hello messages,
5151 and most servers tested do not even log the requests containing only hello
5152 messages, which is appreciable.
5153
Willy Tarreau763a95b2012-10-04 23:15:39 +02005154 Note that this check works even when SSL support was not built into haproxy
5155 because it forges the SSL message. When SSL support is available, it is best
5156 to use native SSL health checks instead of this one.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005157
Willy Tarreau763a95b2012-10-04 23:15:39 +02005158 See also: "option httpchk", "check-ssl"
5159
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005160
Willy Tarreaued179852013-12-16 01:07:00 +01005161option tcp-check
5162 Perform health checks using tcp-check send/expect sequences
5163 May be used in sections: defaults | frontend | listen | backend
5164 yes | no | yes | yes
5165
5166 This health check method is intended to be combined with "tcp-check" command
5167 lists in order to support send/expect types of health check sequences.
5168
5169 TCP checks currently support 4 modes of operations :
5170 - no "tcp-check" directive : the health check only consists in a connection
5171 attempt, which remains the default mode.
5172
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005173 - "tcp-check send" or "tcp-check send-binary" only is mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005174 used to send a string along with a connection opening. With some
5175 protocols, it helps sending a "QUIT" message for example that prevents
5176 the server from logging a connection error for each health check. The
5177 check result will still be based on the ability to open the connection
5178 only.
5179
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005180 - "tcp-check expect" only is mentioned : this is used to test a banner.
Willy Tarreaued179852013-12-16 01:07:00 +01005181 The connection is opened and haproxy waits for the server to present some
5182 contents which must validate some rules. The check result will be based
5183 on the matching between the contents and the rules. This is suited for
5184 POP, IMAP, SMTP, FTP, SSH, TELNET.
5185
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005186 - both "tcp-check send" and "tcp-check expect" are mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005187 used to test a hello-type protocol. Haproxy sends a message, the server
5188 responds and its response is analysed. the check result will be based on
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005189 the matching between the response contents and the rules. This is often
Willy Tarreaued179852013-12-16 01:07:00 +01005190 suited for protocols which require a binding or a request/response model.
5191 LDAP, MySQL, Redis and SSL are example of such protocols, though they
5192 already all have their dedicated checks with a deeper understanding of
5193 the respective protocols.
5194 In this mode, many questions may be sent and many answers may be
5195 analysed.
5196
5197 Examples :
5198 # perform a POP check (analyse only server's banner)
5199 option tcp-check
5200 tcp-check expect string +OK\ POP3\ ready
5201
5202 # perform an IMAP check (analyse only server's banner)
5203 option tcp-check
5204 tcp-check expect string *\ OK\ IMAP4\ ready
5205
5206 # look for the redis master server after ensuring it speaks well
5207 # redis protocol, then it exits properly.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005208 # (send a command then analyse the response 3 times)
Willy Tarreaued179852013-12-16 01:07:00 +01005209 option tcp-check
5210 tcp-check send PING\r\n
5211 tcp-check expect +PONG
5212 tcp-check send info\ replication\r\n
5213 tcp-check expect string role:master
5214 tcp-check send QUIT\r\n
5215 tcp-check expect string +OK
5216
5217 forge a HTTP request, then analyse the response
5218 (send many headers before analyzing)
5219 option tcp-check
5220 tcp-check send HEAD\ /\ HTTP/1.1\r\n
5221 tcp-check send Host:\ www.mydomain.com\r\n
5222 tcp-check send User-Agent:\ HAProxy\ tcpcheck\r\n
5223 tcp-check send \r\n
5224 tcp-check expect rstring HTTP/1\..\ (2..|3..)
5225
5226
5227 See also : "tcp-check expect", "tcp-check send"
5228
5229
Willy Tarreau9ea05a72009-06-14 12:07:01 +02005230option tcp-smart-accept
5231no option tcp-smart-accept
5232 Enable or disable the saving of one ACK packet during the accept sequence
5233 May be used in sections : defaults | frontend | listen | backend
5234 yes | yes | yes | no
5235 Arguments : none
5236
5237 When an HTTP connection request comes in, the system acknowledges it on
5238 behalf of HAProxy, then the client immediately sends its request, and the
5239 system acknowledges it too while it is notifying HAProxy about the new
5240 connection. HAProxy then reads the request and responds. This means that we
5241 have one TCP ACK sent by the system for nothing, because the request could
5242 very well be acknowledged by HAProxy when it sends its response.
5243
5244 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
5245 sending this useless ACK on platforms which support it (currently at least
5246 Linux). It must not cause any problem, because the system will send it anyway
5247 after 40 ms if the response takes more time than expected to come.
5248
5249 During complex network debugging sessions, it may be desirable to disable
5250 this optimization because delayed ACKs can make troubleshooting more complex
5251 when trying to identify where packets are delayed. It is then possible to
5252 fall back to normal behaviour by specifying "no option tcp-smart-accept".
5253
5254 It is also possible to force it for non-HTTP proxies by simply specifying
5255 "option tcp-smart-accept". For instance, it can make sense with some services
5256 such as SMTP where the server speaks first.
5257
5258 It is recommended to avoid forcing this option in a defaults section. In case
5259 of doubt, consider setting it back to automatic values by prepending the
5260 "default" keyword before it, or disabling it using the "no" keyword.
5261
Willy Tarreaud88edf22009-06-14 15:48:17 +02005262 See also : "option tcp-smart-connect"
5263
5264
5265option tcp-smart-connect
5266no option tcp-smart-connect
5267 Enable or disable the saving of one ACK packet during the connect sequence
5268 May be used in sections : defaults | frontend | listen | backend
5269 yes | no | yes | yes
5270 Arguments : none
5271
5272 On certain systems (at least Linux), HAProxy can ask the kernel not to
5273 immediately send an empty ACK upon a connection request, but to directly
5274 send the buffer request instead. This saves one packet on the network and
5275 thus boosts performance. It can also be useful for some servers, because they
5276 immediately get the request along with the incoming connection.
5277
5278 This feature is enabled when "option tcp-smart-connect" is set in a backend.
5279 It is not enabled by default because it makes network troubleshooting more
5280 complex.
5281
5282 It only makes sense to enable it with protocols where the client speaks first
5283 such as HTTP. In other situations, if there is no data to send in place of
5284 the ACK, a normal ACK is sent.
5285
5286 If this option has been enabled in a "defaults" section, it can be disabled
5287 in a specific instance by prepending the "no" keyword before it.
5288
5289 See also : "option tcp-smart-accept"
5290
Willy Tarreau9ea05a72009-06-14 12:07:01 +02005291
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005292option tcpka
5293 Enable or disable the sending of TCP keepalive packets on both sides
5294 May be used in sections : defaults | frontend | listen | backend
5295 yes | yes | yes | yes
5296 Arguments : none
5297
5298 When there is a firewall or any session-aware component between a client and
5299 a server, and when the protocol involves very long sessions with long idle
5300 periods (eg: remote desktops), there is a risk that one of the intermediate
5301 components decides to expire a session which has remained idle for too long.
5302
5303 Enabling socket-level TCP keep-alives makes the system regularly send packets
5304 to the other end of the connection, leaving it active. The delay between
5305 keep-alive probes is controlled by the system only and depends both on the
5306 operating system and its tuning parameters.
5307
5308 It is important to understand that keep-alive packets are neither emitted nor
5309 received at the application level. It is only the network stacks which sees
5310 them. For this reason, even if one side of the proxy already uses keep-alives
5311 to maintain its connection alive, those keep-alive packets will not be
5312 forwarded to the other side of the proxy.
5313
5314 Please note that this has nothing to do with HTTP keep-alive.
5315
5316 Using option "tcpka" enables the emission of TCP keep-alive probes on both
5317 the client and server sides of a connection. Note that this is meaningful
5318 only in "defaults" or "listen" sections. If this option is used in a
5319 frontend, only the client side will get keep-alives, and if this option is
5320 used in a backend, only the server side will get keep-alives. For this
5321 reason, it is strongly recommended to explicitly use "option clitcpka" and
5322 "option srvtcpka" when the configuration is split between frontends and
5323 backends.
5324
5325 See also : "option clitcpka", "option srvtcpka"
5326
Willy Tarreau844e3c52008-01-11 16:28:18 +01005327
5328option tcplog
5329 Enable advanced logging of TCP connections with session state and timers
5330 May be used in sections : defaults | frontend | listen | backend
5331 yes | yes | yes | yes
5332 Arguments : none
5333
5334 By default, the log output format is very poor, as it only contains the
5335 source and destination addresses, and the instance name. By specifying
5336 "option tcplog", each log line turns into a much richer format including, but
5337 not limited to, the connection timers, the session status, the connections
5338 numbers, the frontend, backend and server name, and of course the source
5339 address and ports. This option is useful for pure TCP proxies in order to
5340 find which of the client or server disconnects or times out. For normal HTTP
5341 proxies, it's better to use "option httplog" which is even more complete.
5342
5343 This option may be set either in the frontend or the backend.
5344
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005345 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005346
5347
Willy Tarreau844e3c52008-01-11 16:28:18 +01005348option transparent
5349no option transparent
5350 Enable client-side transparent proxying
5351 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01005352 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01005353 Arguments : none
5354
5355 This option was introduced in order to provide layer 7 persistence to layer 3
5356 load balancers. The idea is to use the OS's ability to redirect an incoming
5357 connection for a remote address to a local process (here HAProxy), and let
5358 this process know what address was initially requested. When this option is
5359 used, sessions without cookies will be forwarded to the original destination
5360 IP address of the incoming request (which should match that of another
5361 equipment), while requests with cookies will still be forwarded to the
5362 appropriate server.
5363
5364 Note that contrary to a common belief, this option does NOT make HAProxy
5365 present the client's IP to the server when establishing the connection.
5366
Willy Tarreaua1146052011-03-01 09:51:54 +01005367 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005368 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005369
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005370
Simon Horman98637e52014-06-20 12:30:16 +09005371external-check command <command>
5372 Executable to run when performing an external-check
5373 May be used in sections : defaults | frontend | listen | backend
5374 yes | no | yes | yes
5375
5376 Arguments :
5377 <command> is the external command to run
5378
Simon Horman98637e52014-06-20 12:30:16 +09005379 The arguments passed to the to the command are:
5380
Cyril Bonté777be862014-12-02 21:21:35 +01005381 <proxy_address> <proxy_port> <server_address> <server_port>
Simon Horman98637e52014-06-20 12:30:16 +09005382
Cyril Bonté777be862014-12-02 21:21:35 +01005383 The <proxy_address> and <proxy_port> are derived from the first listener
5384 that is either IPv4, IPv6 or a UNIX socket. In the case of a UNIX socket
5385 listener the proxy_address will be the path of the socket and the
5386 <proxy_port> will be the string "NOT_USED". In a backend section, it's not
5387 possible to determine a listener, and both <proxy_address> and <proxy_port>
5388 will have the string value "NOT_USED".
Simon Horman98637e52014-06-20 12:30:16 +09005389
Cyril Bonté72cda2a2014-12-27 22:28:39 +01005390 Some values are also provided through environment variables.
5391
5392 Environment variables :
5393 HAPROXY_PROXY_ADDR The first bind address if available (or empty if not
5394 applicable, for example in a "backend" section).
5395
5396 HAPROXY_PROXY_ID The backend id.
5397
5398 HAPROXY_PROXY_NAME The backend name.
5399
5400 HAPROXY_PROXY_PORT The first bind port if available (or empty if not
5401 applicable, for example in a "backend" section or
5402 for a UNIX socket).
5403
5404 HAPROXY_SERVER_ADDR The server address.
5405
5406 HAPROXY_SERVER_CURCONN The current number of connections on the server.
5407
5408 HAPROXY_SERVER_ID The server id.
5409
5410 HAPROXY_SERVER_MAXCONN The server max connections.
5411
5412 HAPROXY_SERVER_NAME The server name.
5413
5414 HAPROXY_SERVER_PORT The server port if available (or empty for a UNIX
5415 socket).
5416
5417 PATH The PATH environment variable used when executing
5418 the command may be set using "external-check path".
5419
Simon Horman98637e52014-06-20 12:30:16 +09005420 If the command executed and exits with a zero status then the check is
5421 considered to have passed, otherwise the check is considered to have
5422 failed.
5423
5424 Example :
5425 external-check command /bin/true
5426
5427 See also : "external-check", "option external-check", "external-check path"
5428
5429
5430external-check path <path>
5431 The value of the PATH environment variable used when running an external-check
5432 May be used in sections : defaults | frontend | listen | backend
5433 yes | no | yes | yes
5434
5435 Arguments :
5436 <path> is the path used when executing external command to run
5437
5438 The default path is "".
5439
5440 Example :
5441 external-check path "/usr/bin:/bin"
5442
5443 See also : "external-check", "option external-check",
5444 "external-check command"
5445
5446
Emeric Brun647caf12009-06-30 17:57:00 +02005447persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02005448persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02005449 Enable RDP cookie-based persistence
5450 May be used in sections : defaults | frontend | listen | backend
5451 yes | no | yes | yes
5452 Arguments :
5453 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02005454 default cookie name "msts" will be used. There currently is no
5455 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02005456
5457 This statement enables persistence based on an RDP cookie. The RDP cookie
5458 contains all information required to find the server in the list of known
5459 servers. So when this option is set in the backend, the request is analysed
5460 and if an RDP cookie is found, it is decoded. If it matches a known server
5461 which is still UP (or if "option persist" is set), then the connection is
5462 forwarded to this server.
5463
5464 Note that this only makes sense in a TCP backend, but for this to work, the
5465 frontend must have waited long enough to ensure that an RDP cookie is present
5466 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005467 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02005468 a single "listen" section.
5469
Willy Tarreau61e28f22010-05-16 22:31:05 +02005470 Also, it is important to understand that the terminal server will emit this
5471 RDP cookie only if it is configured for "token redirection mode", which means
5472 that the "IP address redirection" option is disabled.
5473
Emeric Brun647caf12009-06-30 17:57:00 +02005474 Example :
5475 listen tse-farm
5476 bind :3389
5477 # wait up to 5s for an RDP cookie in the request
5478 tcp-request inspect-delay 5s
5479 tcp-request content accept if RDP_COOKIE
5480 # apply RDP cookie persistence
5481 persist rdp-cookie
5482 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02005483 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02005484 balance rdp-cookie
5485 server srv1 1.1.1.1:3389
5486 server srv2 1.1.1.2:3389
5487
Simon Hormanab814e02011-06-24 14:50:20 +09005488 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
5489 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02005490
5491
Willy Tarreau3a7d2072009-03-05 23:48:25 +01005492rate-limit sessions <rate>
5493 Set a limit on the number of new sessions accepted per second on a frontend
5494 May be used in sections : defaults | frontend | listen | backend
5495 yes | yes | yes | no
5496 Arguments :
5497 <rate> The <rate> parameter is an integer designating the maximum number
5498 of new sessions per second to accept on the frontend.
5499
5500 When the frontend reaches the specified number of new sessions per second, it
5501 stops accepting new connections until the rate drops below the limit again.
5502 During this time, the pending sessions will be kept in the socket's backlog
5503 (in system buffers) and haproxy will not even be aware that sessions are
5504 pending. When applying very low limit on a highly loaded service, it may make
5505 sense to increase the socket's backlog using the "backlog" keyword.
5506
5507 This feature is particularly efficient at blocking connection-based attacks
5508 or service abuse on fragile servers. Since the session rate is measured every
5509 millisecond, it is extremely accurate. Also, the limit applies immediately,
5510 no delay is needed at all to detect the threshold.
5511
5512 Example : limit the connection rate on SMTP to 10 per second max
5513 listen smtp
5514 mode tcp
5515 bind :25
5516 rate-limit sessions 10
5517 server 127.0.0.1:1025
5518
Willy Tarreaua17c2d92011-07-25 08:16:20 +02005519 Note : when the maximum rate is reached, the frontend's status is not changed
5520 but its sockets appear as "WAITING" in the statistics if the
5521 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01005522
5523 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
5524
5525
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005526redirect location <loc> [code <code>] <option> [{if | unless} <condition>]
5527redirect prefix <pfx> [code <code>] <option> [{if | unless} <condition>]
5528redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005529 Return an HTTP redirection if/unless a condition is matched
5530 May be used in sections : defaults | frontend | listen | backend
5531 no | yes | yes | yes
5532
5533 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01005534 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005535
Willy Tarreau0140f252008-11-19 21:07:09 +01005536 Arguments :
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005537 <loc> With "redirect location", the exact value in <loc> is placed into
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005538 the HTTP "Location" header. When used in an "http-request" rule,
5539 <loc> value follows the log-format rules and can include some
5540 dynamic values (see Custom Log Format in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005541
5542 <pfx> With "redirect prefix", the "Location" header is built from the
5543 concatenation of <pfx> and the complete URI path, including the
5544 query string, unless the "drop-query" option is specified (see
5545 below). As a special case, if <pfx> equals exactly "/", then
5546 nothing is inserted before the original URI. It allows one to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005547 redirect to the same URL (for instance, to insert a cookie). When
5548 used in an "http-request" rule, <pfx> value follows the log-format
5549 rules and can include some dynamic values (see Custom Log Format
5550 in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005551
5552 <sch> With "redirect scheme", then the "Location" header is built by
5553 concatenating <sch> with "://" then the first occurrence of the
5554 "Host" header, and then the URI path, including the query string
5555 unless the "drop-query" option is specified (see below). If no
5556 path is found or if the path is "*", then "/" is used instead. If
5557 no "Host" header is found, then an empty host component will be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005558 returned, which most recent browsers interpret as redirecting to
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005559 the same host. This directive is mostly used to redirect HTTP to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005560 HTTPS. When used in an "http-request" rule, <sch> value follows
5561 the log-format rules and can include some dynamic values (see
5562 Custom Log Format in section 8.2.4).
Willy Tarreau0140f252008-11-19 21:07:09 +01005563
5564 <code> The code is optional. It indicates which type of HTTP redirection
Willy Tarreaub67fdc42013-03-29 19:28:11 +01005565 is desired. Only codes 301, 302, 303, 307 and 308 are supported,
5566 with 302 used by default if no code is specified. 301 means
5567 "Moved permanently", and a browser may cache the Location. 302
5568 means "Moved permanently" and means that the browser should not
5569 cache the redirection. 303 is equivalent to 302 except that the
5570 browser will fetch the location with a GET method. 307 is just
5571 like 302 but makes it clear that the same method must be reused.
5572 Likewise, 308 replaces 301 if the same method must be used.
Willy Tarreau0140f252008-11-19 21:07:09 +01005573
5574 <option> There are several options which can be specified to adjust the
5575 expected behaviour of a redirection :
5576
5577 - "drop-query"
5578 When this keyword is used in a prefix-based redirection, then the
5579 location will be set without any possible query-string, which is useful
5580 for directing users to a non-secure page for instance. It has no effect
5581 with a location-type redirect.
5582
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01005583 - "append-slash"
5584 This keyword may be used in conjunction with "drop-query" to redirect
5585 users who use a URL not ending with a '/' to the same one with the '/'.
5586 It can be useful to ensure that search engines will only see one URL.
5587 For this, a return code 301 is preferred.
5588
Willy Tarreau0140f252008-11-19 21:07:09 +01005589 - "set-cookie NAME[=value]"
5590 A "Set-Cookie" header will be added with NAME (and optionally "=value")
5591 to the response. This is sometimes used to indicate that a user has
5592 been seen, for instance to protect against some types of DoS. No other
5593 cookie option is added, so the cookie will be a session cookie. Note
5594 that for a browser, a sole cookie name without an equal sign is
5595 different from a cookie with an equal sign.
5596
5597 - "clear-cookie NAME[=]"
5598 A "Set-Cookie" header will be added with NAME (and optionally "="), but
5599 with the "Max-Age" attribute set to zero. This will tell the browser to
5600 delete this cookie. It is useful for instance on logout pages. It is
5601 important to note that clearing the cookie "NAME" will not remove a
5602 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
5603 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005604
5605 Example: move the login URL only to HTTPS.
5606 acl clear dst_port 80
5607 acl secure dst_port 8080
5608 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01005609 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01005610 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01005611 acl cookie_set hdr_sub(cookie) SEEN=1
5612
5613 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01005614 redirect prefix https://mysite.com if login_page !secure
5615 redirect prefix http://mysite.com drop-query if login_page !uid_given
5616 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01005617 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005618
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01005619 Example: send redirects for request for articles without a '/'.
5620 acl missing_slash path_reg ^/article/[^/]*$
5621 redirect code 301 prefix / drop-query append-slash if missing_slash
5622
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005623 Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
David BERARDe7153042012-11-03 00:11:31 +01005624 redirect scheme https if !{ ssl_fc }
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005625
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005626 Example: append 'www.' prefix in front of all hosts not having it
5627 http-request redirect code 301 location www.%[hdr(host)]%[req.uri] \
5628 unless { hdr_beg(host) -i www }
5629
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005630 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005631
5632
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005633redisp (deprecated)
5634redispatch (deprecated)
5635 Enable or disable session redistribution in case of connection failure
5636 May be used in sections: defaults | frontend | listen | backend
5637 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005638 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005639
5640 In HTTP mode, if a server designated by a cookie is down, clients may
5641 definitely stick to it because they cannot flush the cookie, so they will not
5642 be able to access the service anymore.
5643
5644 Specifying "redispatch" will allow the proxy to break their persistence and
5645 redistribute them to a working server.
5646
5647 It also allows to retry last connection to another server in case of multiple
5648 connection failures. Of course, it requires having "retries" set to a nonzero
5649 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005650
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005651 This form is deprecated, do not use it in any new configuration, use the new
5652 "option redispatch" instead.
5653
5654 See also : "option redispatch"
5655
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005656
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005657reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01005658 Add a header at the end of the HTTP request
5659 May be used in sections : defaults | frontend | listen | backend
5660 no | yes | yes | yes
5661 Arguments :
5662 <string> is the complete line to be added. Any space or known delimiter
5663 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005664 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005665
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005666 <cond> is an optional matching condition built from ACLs. It makes it
5667 possible to ignore this rule when other conditions are not met.
5668
Willy Tarreau303c0352008-01-17 19:01:39 +01005669 A new line consisting in <string> followed by a line feed will be added after
5670 the last header of an HTTP request.
5671
5672 Header transformations only apply to traffic which passes through HAProxy,
5673 and not to traffic generated by HAProxy, such as health-checks or error
5674 responses.
5675
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005676 Example : add "X-Proto: SSL" to requests coming via port 81
5677 acl is-ssl dst_port 81
5678 reqadd X-Proto:\ SSL if is-ssl
5679
5680 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
5681 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005682
5683
Willy Tarreau5321c422010-01-28 20:35:13 +01005684reqallow <search> [{if | unless} <cond>]
5685reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005686 Definitely allow an HTTP request if a line matches a regular expression
5687 May be used in sections : defaults | frontend | listen | backend
5688 no | yes | yes | yes
5689 Arguments :
5690 <search> is the regular expression applied to HTTP headers and to the
5691 request line. This is an extended regular expression. Parenthesis
5692 grouping is supported and no preliminary backslash is required.
5693 Any space or known delimiter must be escaped using a backslash
5694 ('\'). The pattern applies to a full line at a time. The
5695 "reqallow" keyword strictly matches case while "reqiallow"
5696 ignores case.
5697
Willy Tarreau5321c422010-01-28 20:35:13 +01005698 <cond> is an optional matching condition built from ACLs. It makes it
5699 possible to ignore this rule when other conditions are not met.
5700
Willy Tarreau303c0352008-01-17 19:01:39 +01005701 A request containing any line which matches extended regular expression
5702 <search> will mark the request as allowed, even if any later test would
5703 result in a deny. The test applies both to the request line and to request
5704 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01005705 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01005706
5707 It is easier, faster and more powerful to use ACLs to write access policies.
5708 Reqdeny, reqallow and reqpass should be avoided in new designs.
5709
5710 Example :
5711 # allow www.* but refuse *.local
5712 reqiallow ^Host:\ www\.
5713 reqideny ^Host:\ .*\.local
5714
Willy Tarreau5321c422010-01-28 20:35:13 +01005715 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
5716 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005717
5718
Willy Tarreau5321c422010-01-28 20:35:13 +01005719reqdel <search> [{if | unless} <cond>]
5720reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005721 Delete all headers matching a regular expression in an HTTP request
5722 May be used in sections : defaults | frontend | listen | backend
5723 no | yes | yes | yes
5724 Arguments :
5725 <search> is the regular expression applied to HTTP headers and to the
5726 request line. This is an extended regular expression. Parenthesis
5727 grouping is supported and no preliminary backslash is required.
5728 Any space or known delimiter must be escaped using a backslash
5729 ('\'). The pattern applies to a full line at a time. The "reqdel"
5730 keyword strictly matches case while "reqidel" ignores case.
5731
Willy Tarreau5321c422010-01-28 20:35:13 +01005732 <cond> is an optional matching condition built from ACLs. It makes it
5733 possible to ignore this rule when other conditions are not met.
5734
Willy Tarreau303c0352008-01-17 19:01:39 +01005735 Any header line matching extended regular expression <search> in the request
5736 will be completely deleted. Most common use of this is to remove unwanted
5737 and/or dangerous headers or cookies from a request before passing it to the
5738 next servers.
5739
5740 Header transformations only apply to traffic which passes through HAProxy,
5741 and not to traffic generated by HAProxy, such as health-checks or error
5742 responses. Keep in mind that header names are not case-sensitive.
5743
5744 Example :
5745 # remove X-Forwarded-For header and SERVER cookie
5746 reqidel ^X-Forwarded-For:.*
5747 reqidel ^Cookie:.*SERVER=
5748
Willy Tarreau5321c422010-01-28 20:35:13 +01005749 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
5750 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005751
5752
Willy Tarreau5321c422010-01-28 20:35:13 +01005753reqdeny <search> [{if | unless} <cond>]
5754reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005755 Deny an HTTP request if a line matches a regular expression
5756 May be used in sections : defaults | frontend | listen | backend
5757 no | yes | yes | yes
5758 Arguments :
5759 <search> is the regular expression applied to HTTP headers and to the
5760 request line. This is an extended regular expression. Parenthesis
5761 grouping is supported and no preliminary backslash is required.
5762 Any space or known delimiter must be escaped using a backslash
5763 ('\'). The pattern applies to a full line at a time. The
5764 "reqdeny" keyword strictly matches case while "reqideny" ignores
5765 case.
5766
Willy Tarreau5321c422010-01-28 20:35:13 +01005767 <cond> is an optional matching condition built from ACLs. It makes it
5768 possible to ignore this rule when other conditions are not met.
5769
Willy Tarreau303c0352008-01-17 19:01:39 +01005770 A request containing any line which matches extended regular expression
5771 <search> will mark the request as denied, even if any later test would
5772 result in an allow. The test applies both to the request line and to request
5773 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01005774 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01005775
Willy Tarreauced27012008-01-17 20:35:34 +01005776 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005777 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01005778 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01005779
Willy Tarreau303c0352008-01-17 19:01:39 +01005780 It is easier, faster and more powerful to use ACLs to write access policies.
5781 Reqdeny, reqallow and reqpass should be avoided in new designs.
5782
5783 Example :
5784 # refuse *.local, then allow www.*
5785 reqideny ^Host:\ .*\.local
5786 reqiallow ^Host:\ www\.
5787
Willy Tarreau5321c422010-01-28 20:35:13 +01005788 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
5789 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005790
5791
Willy Tarreau5321c422010-01-28 20:35:13 +01005792reqpass <search> [{if | unless} <cond>]
5793reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005794 Ignore any HTTP request line matching a regular expression in next rules
5795 May be used in sections : defaults | frontend | listen | backend
5796 no | yes | yes | yes
5797 Arguments :
5798 <search> is the regular expression applied to HTTP headers and to the
5799 request line. This is an extended regular expression. Parenthesis
5800 grouping is supported and no preliminary backslash is required.
5801 Any space or known delimiter must be escaped using a backslash
5802 ('\'). The pattern applies to a full line at a time. The
5803 "reqpass" keyword strictly matches case while "reqipass" ignores
5804 case.
5805
Willy Tarreau5321c422010-01-28 20:35:13 +01005806 <cond> is an optional matching condition built from ACLs. It makes it
5807 possible to ignore this rule when other conditions are not met.
5808
Willy Tarreau303c0352008-01-17 19:01:39 +01005809 A request containing any line which matches extended regular expression
5810 <search> will skip next rules, without assigning any deny or allow verdict.
5811 The test applies both to the request line and to request headers. Keep in
5812 mind that URLs in request line are case-sensitive while header names are not.
5813
5814 It is easier, faster and more powerful to use ACLs to write access policies.
5815 Reqdeny, reqallow and reqpass should be avoided in new designs.
5816
5817 Example :
5818 # refuse *.local, then allow www.*, but ignore "www.private.local"
5819 reqipass ^Host:\ www.private\.local
5820 reqideny ^Host:\ .*\.local
5821 reqiallow ^Host:\ www\.
5822
Willy Tarreau5321c422010-01-28 20:35:13 +01005823 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
5824 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005825
5826
Willy Tarreau5321c422010-01-28 20:35:13 +01005827reqrep <search> <string> [{if | unless} <cond>]
5828reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005829 Replace a regular expression with a string in an HTTP request line
5830 May be used in sections : defaults | frontend | listen | backend
5831 no | yes | yes | yes
5832 Arguments :
5833 <search> is the regular expression applied to HTTP headers and to the
5834 request line. This is an extended regular expression. Parenthesis
5835 grouping is supported and no preliminary backslash is required.
5836 Any space or known delimiter must be escaped using a backslash
5837 ('\'). The pattern applies to a full line at a time. The "reqrep"
5838 keyword strictly matches case while "reqirep" ignores case.
5839
5840 <string> is the complete line to be added. Any space or known delimiter
5841 must be escaped using a backslash ('\'). References to matched
5842 pattern groups are possible using the common \N form, with N
5843 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005844 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005845
Willy Tarreau5321c422010-01-28 20:35:13 +01005846 <cond> is an optional matching condition built from ACLs. It makes it
5847 possible to ignore this rule when other conditions are not met.
5848
Willy Tarreau303c0352008-01-17 19:01:39 +01005849 Any line matching extended regular expression <search> in the request (both
5850 the request line and header lines) will be completely replaced with <string>.
5851 Most common use of this is to rewrite URLs or domain names in "Host" headers.
5852
5853 Header transformations only apply to traffic which passes through HAProxy,
5854 and not to traffic generated by HAProxy, such as health-checks or error
5855 responses. Note that for increased readability, it is suggested to add enough
5856 spaces between the request and the response. Keep in mind that URLs in
5857 request line are case-sensitive while header names are not.
5858
5859 Example :
5860 # replace "/static/" with "/" at the beginning of any request path.
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005861 reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2
Willy Tarreau303c0352008-01-17 19:01:39 +01005862 # replace "www.mydomain.com" with "www" in the host name.
5863 reqirep ^Host:\ www.mydomain.com Host:\ www
5864
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04005865 See also: "reqadd", "reqdel", "rsprep", "tune.bufsize", section 6 about
5866 HTTP header manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005867
5868
Willy Tarreau5321c422010-01-28 20:35:13 +01005869reqtarpit <search> [{if | unless} <cond>]
5870reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005871 Tarpit an HTTP request containing a line matching a regular expression
5872 May be used in sections : defaults | frontend | listen | backend
5873 no | yes | yes | yes
5874 Arguments :
5875 <search> is the regular expression applied to HTTP headers and to the
5876 request line. This is an extended regular expression. Parenthesis
5877 grouping is supported and no preliminary backslash is required.
5878 Any space or known delimiter must be escaped using a backslash
5879 ('\'). The pattern applies to a full line at a time. The
5880 "reqtarpit" keyword strictly matches case while "reqitarpit"
5881 ignores case.
5882
Willy Tarreau5321c422010-01-28 20:35:13 +01005883 <cond> is an optional matching condition built from ACLs. It makes it
5884 possible to ignore this rule when other conditions are not met.
5885
Willy Tarreau303c0352008-01-17 19:01:39 +01005886 A request containing any line which matches extended regular expression
5887 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01005888 be kept open for a pre-defined time, then will return an HTTP error 500 so
5889 that the attacker does not suspect it has been tarpitted. The status 500 will
5890 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01005891 delay is defined by "timeout tarpit", or "timeout connect" if the former is
5892 not set.
5893
5894 The goal of the tarpit is to slow down robots attacking servers with
5895 identifiable requests. Many robots limit their outgoing number of connections
5896 and stay connected waiting for a reply which can take several minutes to
5897 come. Depending on the environment and attack, it may be particularly
5898 efficient at reducing the load on the network and firewalls.
5899
Willy Tarreau5321c422010-01-28 20:35:13 +01005900 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01005901 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
5902 # block all others.
5903 reqipass ^User-Agent:\.*(Mozilla|MSIE)
5904 reqitarpit ^User-Agent:
5905
Willy Tarreau5321c422010-01-28 20:35:13 +01005906 # block bad guys
5907 acl badguys src 10.1.0.3 172.16.13.20/28
5908 reqitarpit . if badguys
5909
5910 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
5911 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005912
5913
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02005914retries <value>
5915 Set the number of retries to perform on a server after a connection failure
5916 May be used in sections: defaults | frontend | listen | backend
5917 yes | no | yes | yes
5918 Arguments :
5919 <value> is the number of times a connection attempt should be retried on
5920 a server when a connection either is refused or times out. The
5921 default value is 3.
5922
5923 It is important to understand that this value applies to the number of
5924 connection attempts, not full requests. When a connection has effectively
5925 been established to a server, there will be no more retry.
5926
5927 In order to avoid immediate reconnections to a server which is restarting,
5928 a turn-around timer of 1 second is applied before a retry occurs.
5929
5930 When "option redispatch" is set, the last retry may be performed on another
5931 server even if a cookie references a different server.
5932
5933 See also : "option redispatch"
5934
5935
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005936rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01005937 Add a header at the end of the HTTP response
5938 May be used in sections : defaults | frontend | listen | backend
5939 no | yes | yes | yes
5940 Arguments :
5941 <string> is the complete line to be added. Any space or known delimiter
5942 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005943 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005944
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005945 <cond> is an optional matching condition built from ACLs. It makes it
5946 possible to ignore this rule when other conditions are not met.
5947
Willy Tarreau303c0352008-01-17 19:01:39 +01005948 A new line consisting in <string> followed by a line feed will be added after
5949 the last header of an HTTP response.
5950
5951 Header transformations only apply to traffic which passes through HAProxy,
5952 and not to traffic generated by HAProxy, such as health-checks or error
5953 responses.
5954
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005955 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
5956 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005957
5958
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005959rspdel <search> [{if | unless} <cond>]
5960rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005961 Delete all headers matching a regular expression in an HTTP response
5962 May be used in sections : defaults | frontend | listen | backend
5963 no | yes | yes | yes
5964 Arguments :
5965 <search> is the regular expression applied to HTTP headers and to the
5966 response line. This is an extended regular expression, so
5967 parenthesis grouping is supported and no preliminary backslash
5968 is required. Any space or known delimiter must be escaped using
5969 a backslash ('\'). The pattern applies to a full line at a time.
5970 The "rspdel" keyword strictly matches case while "rspidel"
5971 ignores case.
5972
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005973 <cond> is an optional matching condition built from ACLs. It makes it
5974 possible to ignore this rule when other conditions are not met.
5975
Willy Tarreau303c0352008-01-17 19:01:39 +01005976 Any header line matching extended regular expression <search> in the response
5977 will be completely deleted. Most common use of this is to remove unwanted
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02005978 and/or sensitive headers or cookies from a response before passing it to the
Willy Tarreau303c0352008-01-17 19:01:39 +01005979 client.
5980
5981 Header transformations only apply to traffic which passes through HAProxy,
5982 and not to traffic generated by HAProxy, such as health-checks or error
5983 responses. Keep in mind that header names are not case-sensitive.
5984
5985 Example :
5986 # remove the Server header from responses
Willy Tarreau5e80e022013-05-25 08:31:25 +02005987 rspidel ^Server:.*
Willy Tarreau303c0352008-01-17 19:01:39 +01005988
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005989 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
5990 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005991
5992
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005993rspdeny <search> [{if | unless} <cond>]
5994rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005995 Block an HTTP response if a line matches a regular expression
5996 May be used in sections : defaults | frontend | listen | backend
5997 no | yes | yes | yes
5998 Arguments :
5999 <search> is the regular expression applied to HTTP headers and to the
6000 response line. This is an extended regular expression, so
6001 parenthesis grouping is supported and no preliminary backslash
6002 is required. Any space or known delimiter must be escaped using
6003 a backslash ('\'). The pattern applies to a full line at a time.
6004 The "rspdeny" keyword strictly matches case while "rspideny"
6005 ignores case.
6006
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006007 <cond> is an optional matching condition built from ACLs. It makes it
6008 possible to ignore this rule when other conditions are not met.
6009
Willy Tarreau303c0352008-01-17 19:01:39 +01006010 A response containing any line which matches extended regular expression
6011 <search> will mark the request as denied. The test applies both to the
6012 response line and to response headers. Keep in mind that header names are not
6013 case-sensitive.
6014
6015 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01006016 block the response before it reaches the client. If a response is denied, it
6017 will be replaced with an HTTP 502 error so that the client never retrieves
6018 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01006019
6020 It is easier, faster and more powerful to use ACLs to write access policies.
6021 Rspdeny should be avoided in new designs.
6022
6023 Example :
6024 # Ensure that no content type matching ms-word will leak
6025 rspideny ^Content-type:\.*/ms-word
6026
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006027 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
6028 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006029
6030
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006031rsprep <search> <string> [{if | unless} <cond>]
6032rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006033 Replace a regular expression with a string in an HTTP response line
6034 May be used in sections : defaults | frontend | listen | backend
6035 no | yes | yes | yes
6036 Arguments :
6037 <search> is the regular expression applied to HTTP headers and to the
6038 response line. This is an extended regular expression, so
6039 parenthesis grouping is supported and no preliminary backslash
6040 is required. Any space or known delimiter must be escaped using
6041 a backslash ('\'). The pattern applies to a full line at a time.
6042 The "rsprep" keyword strictly matches case while "rspirep"
6043 ignores case.
6044
6045 <string> is the complete line to be added. Any space or known delimiter
6046 must be escaped using a backslash ('\'). References to matched
6047 pattern groups are possible using the common \N form, with N
6048 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006049 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006050
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006051 <cond> is an optional matching condition built from ACLs. It makes it
6052 possible to ignore this rule when other conditions are not met.
6053
Willy Tarreau303c0352008-01-17 19:01:39 +01006054 Any line matching extended regular expression <search> in the response (both
6055 the response line and header lines) will be completely replaced with
6056 <string>. Most common use of this is to rewrite Location headers.
6057
6058 Header transformations only apply to traffic which passes through HAProxy,
6059 and not to traffic generated by HAProxy, such as health-checks or error
6060 responses. Note that for increased readability, it is suggested to add enough
6061 spaces between the request and the response. Keep in mind that header names
6062 are not case-sensitive.
6063
6064 Example :
6065 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
6066 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
6067
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006068 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
6069 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006070
6071
David du Colombier486df472011-03-17 10:40:26 +01006072server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006073 Declare a server in a backend
6074 May be used in sections : defaults | frontend | listen | backend
6075 no | no | yes | yes
6076 Arguments :
6077 <name> is the internal name assigned to this server. This name will
Cyril Bonté941a0c62012-10-15 19:44:24 +02006078 appear in logs and alerts. If "http-send-name-header" is
Mark Lamourinec2247f02012-01-04 13:02:01 -05006079 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006080
David du Colombier486df472011-03-17 10:40:26 +01006081 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
6082 resolvable hostname is supported, but this name will be resolved
6083 during start-up. Address "0.0.0.0" or "*" has a special meaning.
6084 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02006085 address as the one from the client connection. This is useful in
6086 transparent proxy architectures where the client's connection is
6087 intercepted and haproxy must forward to the original destination
6088 address. This is more or less what the "transparent" keyword does
6089 except that with a server it's possible to limit concurrency and
Willy Tarreau24709282013-03-10 21:32:12 +01006090 to report statistics. Optionally, an address family prefix may be
6091 used before the address to force the family regardless of the
6092 address format, which can be useful to specify a path to a unix
6093 socket with no slash ('/'). Currently supported prefixes are :
6094 - 'ipv4@' -> address is always IPv4
6095 - 'ipv6@' -> address is always IPv6
6096 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02006097 - 'abns@' -> address is in abstract namespace (Linux only)
Willy Tarreaudad36a32013-03-11 01:20:04 +01006098 Any part of the address string may reference any number of
6099 environment variables by preceding their name with a dollar
6100 sign ('$') and optionally enclosing them with braces ('{}'),
6101 similarly to what is done in Bourne shell.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006102
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006103 <port> is an optional port specification. If set, all connections will
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006104 be sent to this port. If unset, the same port the client
6105 connected to will be used. The port may also be prefixed by a "+"
6106 or a "-". In this case, the server's port will be determined by
6107 adding this value to the client's port.
6108
6109 <param*> is a list of parameters for this server. The "server" keywords
6110 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006111 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006112
6113 Examples :
6114 server first 10.1.1.1:1080 cookie first check inter 1000
6115 server second 10.1.1.2:1080 cookie second check inter 1000
Willy Tarreau24709282013-03-10 21:32:12 +01006116 server transp ipv4@
Willy Tarreaudad36a32013-03-11 01:20:04 +01006117 server backup ${SRV_BACKUP}:1080 backup
6118 server www1_dc1 ${LAN_DC1}.101:80
6119 server www1_dc2 ${LAN_DC2}.101:80
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006120
Mark Lamourinec2247f02012-01-04 13:02:01 -05006121 See also: "default-server", "http-send-name-header" and section 5 about
6122 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006123
6124
6125source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02006126source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01006127source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006128 Set the source address for outgoing connections
6129 May be used in sections : defaults | frontend | listen | backend
6130 yes | no | yes | yes
6131 Arguments :
6132 <addr> is the IPv4 address HAProxy will bind to before connecting to a
6133 server. This address is also used as a source for health checks.
Willy Tarreau24709282013-03-10 21:32:12 +01006134
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006135 The default value of 0.0.0.0 means that the system will select
Willy Tarreau24709282013-03-10 21:32:12 +01006136 the most appropriate address to reach its destination. Optionally
6137 an address family prefix may be used before the address to force
6138 the family regardless of the address format, which can be useful
6139 to specify a path to a unix socket with no slash ('/'). Currently
6140 supported prefixes are :
6141 - 'ipv4@' -> address is always IPv4
6142 - 'ipv6@' -> address is always IPv6
6143 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02006144 - 'abns@' -> address is in abstract namespace (Linux only)
Willy Tarreaudad36a32013-03-11 01:20:04 +01006145 Any part of the address string may reference any number of
6146 environment variables by preceding their name with a dollar
6147 sign ('$') and optionally enclosing them with braces ('{}'),
6148 similarly to what is done in Bourne shell.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006149
6150 <port> is an optional port. It is normally not needed but may be useful
6151 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006152 the system will select a free port. Note that port ranges are not
6153 supported in the backend. If you want to force port ranges, you
6154 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006155
6156 <addr2> is the IP address to present to the server when connections are
6157 forwarded in full transparent proxy mode. This is currently only
6158 supported on some patched Linux kernels. When this address is
6159 specified, clients connecting to the server will be presented
6160 with this address, while health checks will still use the address
6161 <addr>.
6162
6163 <port2> is the optional port to present to the server when connections
6164 are forwarded in full transparent proxy mode (see <addr2> above).
6165 The default value of zero means the system will select a free
6166 port.
6167
Willy Tarreaubce70882009-09-07 11:51:47 +02006168 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
6169 This is the name of a comma-separated header list which can
6170 contain multiple IP addresses. By default, the last occurrence is
6171 used. This is designed to work with the X-Forwarded-For header
Baptiste Assmannea3e73b2013-02-02 23:47:49 +01006172 and to automatically bind to the client's IP address as seen
Willy Tarreaubce70882009-09-07 11:51:47 +02006173 by previous proxy, typically Stunnel. In order to use another
6174 occurrence from the last one, please see the <occ> parameter
6175 below. When the header (or occurrence) is not found, no binding
6176 is performed so that the proxy's default IP address is used. Also
6177 keep in mind that the header name is case insensitive, as for any
6178 HTTP header.
6179
6180 <occ> is the occurrence number of a value to be used in a multi-value
6181 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006182 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +02006183 address. Positive values indicate a position from the first
6184 occurrence, 1 being the first one. Negative values indicate
6185 positions relative to the last one, -1 being the last one. This
6186 is helpful for situations where an X-Forwarded-For header is set
6187 at the entry point of an infrastructure and must be used several
6188 proxy layers away. When this value is not specified, -1 is
6189 assumed. Passing a zero here disables the feature.
6190
Willy Tarreaud53f96b2009-02-04 18:46:54 +01006191 <name> is an optional interface name to which to bind to for outgoing
6192 traffic. On systems supporting this features (currently, only
6193 Linux), this allows one to bind all traffic to the server to
6194 this interface even if it is not the one the system would select
6195 based on routing tables. This should be used with extreme care.
6196 Note that using this option requires root privileges.
6197
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006198 The "source" keyword is useful in complex environments where a specific
6199 address only is allowed to connect to the servers. It may be needed when a
6200 private address must be used through a public gateway for instance, and it is
6201 known that the system cannot determine the adequate source address by itself.
6202
6203 An extension which is available on certain patched Linux kernels may be used
6204 through the "usesrc" optional keyword. It makes it possible to connect to the
6205 servers with an IP address which does not belong to the system itself. This
6206 is called "full transparent proxy mode". For this to work, the destination
6207 servers have to route their traffic back to this address through the machine
6208 running HAProxy, and IP forwarding must generally be enabled on this machine.
6209
6210 In this "full transparent proxy" mode, it is possible to force a specific IP
6211 address to be presented to the servers. This is not much used in fact. A more
6212 common use is to tell HAProxy to present the client's IP address. For this,
6213 there are two methods :
6214
6215 - present the client's IP and port addresses. This is the most transparent
6216 mode, but it can cause problems when IP connection tracking is enabled on
6217 the machine, because a same connection may be seen twice with different
6218 states. However, this solution presents the huge advantage of not
6219 limiting the system to the 64k outgoing address+port couples, because all
6220 of the client ranges may be used.
6221
6222 - present only the client's IP address and select a spare port. This
6223 solution is still quite elegant but slightly less transparent (downstream
6224 firewalls logs will not match upstream's). It also presents the downside
6225 of limiting the number of concurrent connections to the usual 64k ports.
6226 However, since the upstream and downstream ports are different, local IP
6227 connection tracking on the machine will not be upset by the reuse of the
6228 same session.
6229
6230 Note that depending on the transparent proxy technology used, it may be
6231 required to force the source address. In fact, cttproxy version 2 requires an
6232 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
6233 IP address because it creates NAT entries which much match the exact outgoing
6234 address. Tproxy version 4 and some other kernel patches which work in pure
6235 forwarding mode generally will not have this limitation.
6236
6237 This option sets the default source for all servers in the backend. It may
6238 also be specified in a "defaults" section. Finer source address specification
6239 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006240 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006241
6242 Examples :
6243 backend private
6244 # Connect to the servers using our 192.168.1.200 source address
6245 source 192.168.1.200
6246
6247 backend transparent_ssl1
6248 # Connect to the SSL farm from the client's source address
6249 source 192.168.1.200 usesrc clientip
6250
6251 backend transparent_ssl2
6252 # Connect to the SSL farm from the client's source address and port
6253 # not recommended if IP conntrack is present on the local machine.
6254 source 192.168.1.200 usesrc client
6255
6256 backend transparent_ssl3
6257 # Connect to the SSL farm from the client's source address. It
6258 # is more conntrack-friendly.
6259 source 192.168.1.200 usesrc clientip
6260
6261 backend transparent_smtp
6262 # Connect to the SMTP farm from the client's source address/port
6263 # with Tproxy version 4.
6264 source 0.0.0.0 usesrc clientip
6265
Willy Tarreaubce70882009-09-07 11:51:47 +02006266 backend transparent_http
6267 # Connect to the servers using the client's IP as seen by previous
6268 # proxy.
6269 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
6270
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006271 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006272 the Linux kernel on www.balabit.com, the "bind" keyword.
6273
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01006274
Willy Tarreau844e3c52008-01-11 16:28:18 +01006275srvtimeout <timeout> (deprecated)
6276 Set the maximum inactivity time on the server side.
6277 May be used in sections : defaults | frontend | listen | backend
6278 yes | no | yes | yes
6279 Arguments :
6280 <timeout> is the timeout value specified in milliseconds by default, but
6281 can be in any other unit if the number is suffixed by the unit,
6282 as explained at the top of this document.
6283
6284 The inactivity timeout applies when the server is expected to acknowledge or
6285 send data. In HTTP mode, this timeout is particularly important to consider
6286 during the first phase of the server's response, when it has to send the
6287 headers, as it directly represents the server's processing time for the
6288 request. To find out what value to put there, it's often good to start with
6289 what would be considered as unacceptable response times, then check the logs
6290 to observe the response time distribution, and adjust the value accordingly.
6291
6292 The value is specified in milliseconds by default, but can be in any other
6293 unit if the number is suffixed by the unit, as specified at the top of this
6294 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
6295 recommended that the client timeout remains equal to the server timeout in
6296 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006297 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01006298 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01006299 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01006300
6301 This parameter is specific to backends, but can be specified once for all in
6302 "defaults" sections. This is in fact one of the easiest solutions not to
6303 forget about it. An unspecified timeout results in an infinite timeout, which
6304 is not recommended. Such a usage is accepted and works but reports a warning
6305 during startup because it may results in accumulation of expired sessions in
6306 the system if the system's timeouts are not configured either.
6307
6308 This parameter is provided for compatibility but is currently deprecated.
6309 Please use "timeout server" instead.
6310
Willy Tarreauce887fd2012-05-12 12:50:00 +02006311 See also : "timeout server", "timeout tunnel", "timeout client" and
6312 "clitimeout".
Willy Tarreau844e3c52008-01-11 16:28:18 +01006313
6314
Cyril Bonté66c327d2010-10-12 00:14:37 +02006315stats admin { if | unless } <cond>
6316 Enable statistics admin level if/unless a condition is matched
6317 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006318 no | yes | yes | yes
Cyril Bonté66c327d2010-10-12 00:14:37 +02006319
6320 This statement enables the statistics admin level if/unless a condition is
6321 matched.
6322
6323 The admin level allows to enable/disable servers from the web interface. By
6324 default, statistics page is read-only for security reasons.
6325
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006326 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6327 unless you know what you do : memory is not shared between the
6328 processes, which can result in random behaviours.
6329
Cyril Bonté23b39d92011-02-10 22:54:44 +01006330 Currently, the POST request is limited to the buffer size minus the reserved
6331 buffer space, which means that if the list of servers is too long, the
6332 request won't be processed. It is recommended to alter few servers at a
6333 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02006334
6335 Example :
6336 # statistics admin level only for localhost
6337 backend stats_localhost
6338 stats enable
6339 stats admin if LOCALHOST
6340
6341 Example :
6342 # statistics admin level always enabled because of the authentication
6343 backend stats_auth
6344 stats enable
6345 stats auth admin:AdMiN123
6346 stats admin if TRUE
6347
6348 Example :
6349 # statistics admin level depends on the authenticated user
6350 userlist stats-auth
6351 group admin users admin
6352 user admin insecure-password AdMiN123
6353 group readonly users haproxy
6354 user haproxy insecure-password haproxy
6355
6356 backend stats_auth
6357 stats enable
6358 acl AUTH http_auth(stats-auth)
6359 acl AUTH_ADMIN http_auth_group(stats-auth) admin
6360 stats http-request auth unless AUTH
6361 stats admin if AUTH_ADMIN
6362
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006363 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
6364 "bind-process", section 3.4 about userlists and section 7 about
6365 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02006366
6367
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006368stats auth <user>:<passwd>
6369 Enable statistics with authentication and grant access to an account
6370 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006371 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006372 Arguments :
6373 <user> is a user name to grant access to
6374
6375 <passwd> is the cleartext password associated to this user
6376
6377 This statement enables statistics with default settings, and restricts access
6378 to declared users only. It may be repeated as many times as necessary to
6379 allow as many users as desired. When a user tries to access the statistics
6380 without a valid account, a "401 Forbidden" response will be returned so that
6381 the browser asks the user to provide a valid user and password. The real
6382 which will be returned to the browser is configurable using "stats realm".
6383
6384 Since the authentication method is HTTP Basic Authentication, the passwords
6385 circulate in cleartext on the network. Thus, it was decided that the
6386 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02006387 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006388
6389 It is also possible to reduce the scope of the proxies which appear in the
6390 report using "stats scope".
6391
6392 Though this statement alone is enough to enable statistics reporting, it is
6393 recommended to set all other settings in order to avoid relying on default
6394 unobvious parameters.
6395
6396 Example :
6397 # public access (limited to this backend only)
6398 backend public_www
6399 server srv1 192.168.0.1:80
6400 stats enable
6401 stats hide-version
6402 stats scope .
6403 stats uri /admin?stats
6404 stats realm Haproxy\ Statistics
6405 stats auth admin1:AdMiN123
6406 stats auth admin2:AdMiN321
6407
6408 # internal monitoring access (unlimited)
6409 backend private_monitoring
6410 stats enable
6411 stats uri /admin?stats
6412 stats refresh 5s
6413
6414 See also : "stats enable", "stats realm", "stats scope", "stats uri"
6415
6416
6417stats enable
6418 Enable statistics reporting with default settings
6419 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006420 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006421 Arguments : none
6422
6423 This statement enables statistics reporting with default settings defined
6424 at build time. Unless stated otherwise, these settings are used :
6425 - stats uri : /haproxy?stats
6426 - stats realm : "HAProxy Statistics"
6427 - stats auth : no authentication
6428 - stats scope : no restriction
6429
6430 Though this statement alone is enough to enable statistics reporting, it is
6431 recommended to set all other settings in order to avoid relying on default
6432 unobvious parameters.
6433
6434 Example :
6435 # public access (limited to this backend only)
6436 backend public_www
6437 server srv1 192.168.0.1:80
6438 stats enable
6439 stats hide-version
6440 stats scope .
6441 stats uri /admin?stats
6442 stats realm Haproxy\ Statistics
6443 stats auth admin1:AdMiN123
6444 stats auth admin2:AdMiN321
6445
6446 # internal monitoring access (unlimited)
6447 backend private_monitoring
6448 stats enable
6449 stats uri /admin?stats
6450 stats refresh 5s
6451
6452 See also : "stats auth", "stats realm", "stats uri"
6453
6454
Willy Tarreaud63335a2010-02-26 12:56:52 +01006455stats hide-version
6456 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006457 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006458 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006459 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006460
Willy Tarreaud63335a2010-02-26 12:56:52 +01006461 By default, the stats page reports some useful status information along with
6462 the statistics. Among them is HAProxy's version. However, it is generally
6463 considered dangerous to report precise version to anyone, as it can help them
6464 target known weaknesses with specific attacks. The "stats hide-version"
6465 statement removes the version from the statistics report. This is recommended
6466 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006467
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02006468 Though this statement alone is enough to enable statistics reporting, it is
6469 recommended to set all other settings in order to avoid relying on default
6470 unobvious parameters.
6471
Willy Tarreaud63335a2010-02-26 12:56:52 +01006472 Example :
6473 # public access (limited to this backend only)
6474 backend public_www
6475 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02006476 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01006477 stats hide-version
6478 stats scope .
6479 stats uri /admin?stats
6480 stats realm Haproxy\ Statistics
6481 stats auth admin1:AdMiN123
6482 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006483
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006484 # internal monitoring access (unlimited)
6485 backend private_monitoring
6486 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01006487 stats uri /admin?stats
6488 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01006489
Willy Tarreaud63335a2010-02-26 12:56:52 +01006490 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006491
Willy Tarreau983e01e2010-01-11 18:42:06 +01006492
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02006493stats http-request { allow | deny | auth [realm <realm>] }
6494 [ { if | unless } <condition> ]
6495 Access control for statistics
6496
6497 May be used in sections: defaults | frontend | listen | backend
6498 no | no | yes | yes
6499
6500 As "http-request", these set of options allow to fine control access to
6501 statistics. Each option may be followed by if/unless and acl.
6502 First option with matched condition (or option without condition) is final.
6503 For "deny" a 403 error will be returned, for "allow" normal processing is
6504 performed, for "auth" a 401/407 error code is returned so the client
6505 should be asked to enter a username and password.
6506
6507 There is no fixed limit to the number of http-request statements per
6508 instance.
6509
6510 See also : "http-request", section 3.4 about userlists and section 7
6511 about ACL usage.
6512
6513
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006514stats realm <realm>
6515 Enable statistics and set authentication realm
6516 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006517 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006518 Arguments :
6519 <realm> is the name of the HTTP Basic Authentication realm reported to
6520 the browser. The browser uses it to display it in the pop-up
6521 inviting the user to enter a valid username and password.
6522
6523 The realm is read as a single word, so any spaces in it should be escaped
6524 using a backslash ('\').
6525
6526 This statement is useful only in conjunction with "stats auth" since it is
6527 only related to authentication.
6528
6529 Though this statement alone is enough to enable statistics reporting, it is
6530 recommended to set all other settings in order to avoid relying on default
6531 unobvious parameters.
6532
6533 Example :
6534 # public access (limited to this backend only)
6535 backend public_www
6536 server srv1 192.168.0.1:80
6537 stats enable
6538 stats hide-version
6539 stats scope .
6540 stats uri /admin?stats
6541 stats realm Haproxy\ Statistics
6542 stats auth admin1:AdMiN123
6543 stats auth admin2:AdMiN321
6544
6545 # internal monitoring access (unlimited)
6546 backend private_monitoring
6547 stats enable
6548 stats uri /admin?stats
6549 stats refresh 5s
6550
6551 See also : "stats auth", "stats enable", "stats uri"
6552
6553
6554stats refresh <delay>
6555 Enable statistics with automatic refresh
6556 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006557 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006558 Arguments :
6559 <delay> is the suggested refresh delay, specified in seconds, which will
6560 be returned to the browser consulting the report page. While the
6561 browser is free to apply any delay, it will generally respect it
6562 and refresh the page this every seconds. The refresh interval may
6563 be specified in any other non-default time unit, by suffixing the
6564 unit after the value, as explained at the top of this document.
6565
6566 This statement is useful on monitoring displays with a permanent page
6567 reporting the load balancer's activity. When set, the HTML report page will
6568 include a link "refresh"/"stop refresh" so that the user can select whether
6569 he wants automatic refresh of the page or not.
6570
6571 Though this statement alone is enough to enable statistics reporting, it is
6572 recommended to set all other settings in order to avoid relying on default
6573 unobvious parameters.
6574
6575 Example :
6576 # public access (limited to this backend only)
6577 backend public_www
6578 server srv1 192.168.0.1:80
6579 stats enable
6580 stats hide-version
6581 stats scope .
6582 stats uri /admin?stats
6583 stats realm Haproxy\ Statistics
6584 stats auth admin1:AdMiN123
6585 stats auth admin2:AdMiN321
6586
6587 # internal monitoring access (unlimited)
6588 backend private_monitoring
6589 stats enable
6590 stats uri /admin?stats
6591 stats refresh 5s
6592
6593 See also : "stats auth", "stats enable", "stats realm", "stats uri"
6594
6595
6596stats scope { <name> | "." }
6597 Enable statistics and limit access scope
6598 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006599 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006600 Arguments :
6601 <name> is the name of a listen, frontend or backend section to be
6602 reported. The special name "." (a single dot) designates the
6603 section in which the statement appears.
6604
6605 When this statement is specified, only the sections enumerated with this
6606 statement will appear in the report. All other ones will be hidden. This
6607 statement may appear as many times as needed if multiple sections need to be
6608 reported. Please note that the name checking is performed as simple string
6609 comparisons, and that it is never checked that a give section name really
6610 exists.
6611
6612 Though this statement alone is enough to enable statistics reporting, it is
6613 recommended to set all other settings in order to avoid relying on default
6614 unobvious parameters.
6615
6616 Example :
6617 # public access (limited to this backend only)
6618 backend public_www
6619 server srv1 192.168.0.1:80
6620 stats enable
6621 stats hide-version
6622 stats scope .
6623 stats uri /admin?stats
6624 stats realm Haproxy\ Statistics
6625 stats auth admin1:AdMiN123
6626 stats auth admin2:AdMiN321
6627
6628 # internal monitoring access (unlimited)
6629 backend private_monitoring
6630 stats enable
6631 stats uri /admin?stats
6632 stats refresh 5s
6633
6634 See also : "stats auth", "stats enable", "stats realm", "stats uri"
6635
Willy Tarreaud63335a2010-02-26 12:56:52 +01006636
Willy Tarreauc9705a12010-07-27 20:05:50 +02006637stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01006638 Enable reporting of a description on the statistics page.
6639 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006640 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006641
Willy Tarreauc9705a12010-07-27 20:05:50 +02006642 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01006643 description from global section is automatically used instead.
6644
6645 This statement is useful for users that offer shared services to their
6646 customers, where node or description should be different for each customer.
6647
6648 Though this statement alone is enough to enable statistics reporting, it is
6649 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006650 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006651
6652 Example :
6653 # internal monitoring access (unlimited)
6654 backend private_monitoring
6655 stats enable
6656 stats show-desc Master node for Europe, Asia, Africa
6657 stats uri /admin?stats
6658 stats refresh 5s
6659
6660 See also: "show-node", "stats enable", "stats uri" and "description" in
6661 global section.
6662
6663
6664stats show-legends
Willy Tarreaued2119c2014-04-24 22:10:39 +02006665 Enable reporting additional information on the statistics page
6666 May be used in sections : defaults | frontend | listen | backend
6667 yes | yes | yes | yes
6668 Arguments : none
6669
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03006670 Enable reporting additional information on the statistics page :
Willy Tarreaud63335a2010-02-26 12:56:52 +01006671 - cap: capabilities (proxy)
6672 - mode: one of tcp, http or health (proxy)
6673 - id: SNMP ID (proxy, socket, server)
6674 - IP (socket, server)
6675 - cookie (backend, server)
6676
6677 Though this statement alone is enough to enable statistics reporting, it is
6678 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006679 unobvious parameters. Default behaviour is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006680
6681 See also: "stats enable", "stats uri".
6682
6683
6684stats show-node [ <name> ]
6685 Enable reporting of a host name on the statistics page.
6686 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006687 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006688 Arguments:
6689 <name> is an optional name to be reported. If unspecified, the
6690 node name from global section is automatically used instead.
6691
6692 This statement is useful for users that offer shared services to their
6693 customers, where node or description might be different on a stats page
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006694 provided for each customer. Default behaviour is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006695
6696 Though this statement alone is enough to enable statistics reporting, it is
6697 recommended to set all other settings in order to avoid relying on default
6698 unobvious parameters.
6699
6700 Example:
6701 # internal monitoring access (unlimited)
6702 backend private_monitoring
6703 stats enable
6704 stats show-node Europe-1
6705 stats uri /admin?stats
6706 stats refresh 5s
6707
6708 See also: "show-desc", "stats enable", "stats uri", and "node" in global
6709 section.
6710
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006711
6712stats uri <prefix>
6713 Enable statistics and define the URI prefix to access them
6714 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006715 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006716 Arguments :
6717 <prefix> is the prefix of any URI which will be redirected to stats. This
6718 prefix may contain a question mark ('?') to indicate part of a
6719 query string.
6720
6721 The statistics URI is intercepted on the relayed traffic, so it appears as a
6722 page within the normal application. It is strongly advised to ensure that the
6723 selected URI will never appear in the application, otherwise it will never be
6724 possible to reach it in the application.
6725
6726 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006727 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006728 It is generally a good idea to include a question mark in the URI so that
6729 intermediate proxies refrain from caching the results. Also, since any string
6730 beginning with the prefix will be accepted as a stats request, the question
6731 mark helps ensuring that no valid URI will begin with the same words.
6732
6733 It is sometimes very convenient to use "/" as the URI prefix, and put that
6734 statement in a "listen" instance of its own. That makes it easy to dedicate
6735 an address or a port to statistics only.
6736
6737 Though this statement alone is enough to enable statistics reporting, it is
6738 recommended to set all other settings in order to avoid relying on default
6739 unobvious parameters.
6740
6741 Example :
6742 # public access (limited to this backend only)
6743 backend public_www
6744 server srv1 192.168.0.1:80
6745 stats enable
6746 stats hide-version
6747 stats scope .
6748 stats uri /admin?stats
6749 stats realm Haproxy\ Statistics
6750 stats auth admin1:AdMiN123
6751 stats auth admin2:AdMiN321
6752
6753 # internal monitoring access (unlimited)
6754 backend private_monitoring
6755 stats enable
6756 stats uri /admin?stats
6757 stats refresh 5s
6758
6759 See also : "stats auth", "stats enable", "stats realm"
6760
6761
Willy Tarreaud63335a2010-02-26 12:56:52 +01006762stick match <pattern> [table <table>] [{if | unless} <cond>]
6763 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006764 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01006765 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006766
6767 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02006768 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006769 describes what elements of the incoming request or connection
6770 will be analysed in the hope to find a matching entry in a
6771 stickiness table. This rule is mandatory.
6772
6773 <table> is an optional stickiness table name. If unspecified, the same
6774 backend's table is used. A stickiness table is declared using
6775 the "stick-table" statement.
6776
6777 <cond> is an optional matching condition. It makes it possible to match
6778 on a certain criterion only when other conditions are met (or
6779 not met). For instance, it could be used to match on a source IP
6780 address except when a request passes through a known proxy, in
6781 which case we'd match on a header containing that IP address.
6782
6783 Some protocols or applications require complex stickiness rules and cannot
6784 always simply rely on cookies nor hashing. The "stick match" statement
6785 describes a rule to extract the stickiness criterion from an incoming request
6786 or connection. See section 7 for a complete list of possible patterns and
6787 transformation rules.
6788
6789 The table has to be declared using the "stick-table" statement. It must be of
6790 a type compatible with the pattern. By default it is the one which is present
6791 in the same backend. It is possible to share a table with other backends by
6792 referencing it using the "table" keyword. If another table is referenced,
6793 the server's ID inside the backends are used. By default, all server IDs
6794 start at 1 in each backend, so the server ordering is enough. But in case of
6795 doubt, it is highly recommended to force server IDs using their "id" setting.
6796
6797 It is possible to restrict the conditions where a "stick match" statement
6798 will apply, using "if" or "unless" followed by a condition. See section 7 for
6799 ACL based conditions.
6800
6801 There is no limit on the number of "stick match" statements. The first that
6802 applies and matches will cause the request to be directed to the same server
6803 as was used for the request which created the entry. That way, multiple
6804 matches can be used as fallbacks.
6805
6806 The stick rules are checked after the persistence cookies, so they will not
6807 affect stickiness if a cookie has already been used to select a server. That
6808 way, it becomes very easy to insert cookies and match on IP addresses in
6809 order to maintain stickiness between HTTP and HTTPS.
6810
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006811 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6812 unless you know what you do : memory is not shared between the
6813 processes, which can result in random behaviours.
6814
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006815 Example :
6816 # forward SMTP users to the same server they just used for POP in the
6817 # last 30 minutes
6818 backend pop
6819 mode tcp
6820 balance roundrobin
6821 stick store-request src
6822 stick-table type ip size 200k expire 30m
6823 server s1 192.168.1.1:110
6824 server s2 192.168.1.1:110
6825
6826 backend smtp
6827 mode tcp
6828 balance roundrobin
6829 stick match src table pop
6830 server s1 192.168.1.1:25
6831 server s2 192.168.1.1:25
6832
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006833 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02006834 about ACLs and samples fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006835
6836
6837stick on <pattern> [table <table>] [{if | unless} <condition>]
6838 Define a request pattern to associate a user to a server
6839 May be used in sections : defaults | frontend | listen | backend
6840 no | no | yes | yes
6841
6842 Note : This form is exactly equivalent to "stick match" followed by
6843 "stick store-request", all with the same arguments. Please refer
6844 to both keywords for details. It is only provided as a convenience
6845 for writing more maintainable configurations.
6846
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006847 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6848 unless you know what you do : memory is not shared between the
6849 processes, which can result in random behaviours.
6850
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006851 Examples :
6852 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01006853 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006854
6855 # ...is strictly equivalent to this one :
6856 stick match src table pop if !localhost
6857 stick store-request src table pop if !localhost
6858
6859
6860 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
6861 # well as HTTP without cookie. Share the same table between both accesses.
6862 backend http
6863 mode http
6864 balance roundrobin
6865 stick on src table https
6866 cookie SRV insert indirect nocache
6867 server s1 192.168.1.1:80 cookie s1
6868 server s2 192.168.1.1:80 cookie s2
6869
6870 backend https
6871 mode tcp
6872 balance roundrobin
6873 stick-table type ip size 200k expire 30m
6874 stick on src
6875 server s1 192.168.1.1:443
6876 server s2 192.168.1.1:443
6877
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006878 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006879
6880
6881stick store-request <pattern> [table <table>] [{if | unless} <condition>]
6882 Define a request pattern used to create an entry in a stickiness table
6883 May be used in sections : defaults | frontend | listen | backend
6884 no | no | yes | yes
6885
6886 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02006887 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006888 describes what elements of the incoming request or connection
6889 will be analysed, extracted and stored in the table once a
6890 server is selected.
6891
6892 <table> is an optional stickiness table name. If unspecified, the same
6893 backend's table is used. A stickiness table is declared using
6894 the "stick-table" statement.
6895
6896 <cond> is an optional storage condition. It makes it possible to store
6897 certain criteria only when some conditions are met (or not met).
6898 For instance, it could be used to store the source IP address
6899 except when the request passes through a known proxy, in which
6900 case we'd store a converted form of a header containing that IP
6901 address.
6902
6903 Some protocols or applications require complex stickiness rules and cannot
6904 always simply rely on cookies nor hashing. The "stick store-request" statement
6905 describes a rule to decide what to extract from the request and when to do
6906 it, in order to store it into a stickiness table for further requests to
6907 match it using the "stick match" statement. Obviously the extracted part must
6908 make sense and have a chance to be matched in a further request. Storing a
6909 client's IP address for instance often makes sense. Storing an ID found in a
6910 URL parameter also makes sense. Storing a source port will almost never make
6911 any sense because it will be randomly matched. See section 7 for a complete
6912 list of possible patterns and transformation rules.
6913
6914 The table has to be declared using the "stick-table" statement. It must be of
6915 a type compatible with the pattern. By default it is the one which is present
6916 in the same backend. It is possible to share a table with other backends by
6917 referencing it using the "table" keyword. If another table is referenced,
6918 the server's ID inside the backends are used. By default, all server IDs
6919 start at 1 in each backend, so the server ordering is enough. But in case of
6920 doubt, it is highly recommended to force server IDs using their "id" setting.
6921
6922 It is possible to restrict the conditions where a "stick store-request"
6923 statement will apply, using "if" or "unless" followed by a condition. This
6924 condition will be evaluated while parsing the request, so any criteria can be
6925 used. See section 7 for ACL based conditions.
6926
6927 There is no limit on the number of "stick store-request" statements, but
6928 there is a limit of 8 simultaneous stores per request or response. This
6929 makes it possible to store up to 8 criteria, all extracted from either the
6930 request or the response, regardless of the number of rules. Only the 8 first
6931 ones which match will be kept. Using this, it is possible to feed multiple
6932 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01006933 another protocol or access method. Using multiple store-request rules with
6934 the same table is possible and may be used to find the best criterion to rely
6935 on, by arranging the rules by decreasing preference order. Only the first
6936 extracted criterion for a given table will be stored. All subsequent store-
6937 request rules referencing the same table will be skipped and their ACLs will
6938 not be evaluated.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006939
6940 The "store-request" rules are evaluated once the server connection has been
6941 established, so that the table will contain the real server that processed
6942 the request.
6943
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006944 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6945 unless you know what you do : memory is not shared between the
6946 processes, which can result in random behaviours.
6947
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006948 Example :
6949 # forward SMTP users to the same server they just used for POP in the
6950 # last 30 minutes
6951 backend pop
6952 mode tcp
6953 balance roundrobin
6954 stick store-request src
6955 stick-table type ip size 200k expire 30m
6956 server s1 192.168.1.1:110
6957 server s2 192.168.1.1:110
6958
6959 backend smtp
6960 mode tcp
6961 balance roundrobin
6962 stick match src table pop
6963 server s1 192.168.1.1:25
6964 server s2 192.168.1.1:25
6965
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006966 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02006967 about ACLs and sample fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006968
6969
Emeric Brun7c6b82e2010-09-24 16:34:28 +02006970stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +02006971 size <size> [expire <expire>] [nopurge] [peers <peersect>]
6972 [store <data_type>]*
Godbach64cef792013-12-04 16:08:22 +08006973 Configure the stickiness table for the current section
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006974 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02006975 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006976
6977 Arguments :
6978 ip a table declared with "type ip" will only store IPv4 addresses.
6979 This form is very compact (about 50 bytes per entry) and allows
6980 very fast entry lookup and stores with almost no overhead. This
6981 is mainly used to store client source IP addresses.
6982
David du Colombier9a6d3c92011-03-17 10:40:24 +01006983 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
6984 This form is very compact (about 60 bytes per entry) and allows
6985 very fast entry lookup and stores with almost no overhead. This
6986 is mainly used to store client source IP addresses.
6987
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006988 integer a table declared with "type integer" will store 32bit integers
6989 which can represent a client identifier found in a request for
6990 instance.
6991
6992 string a table declared with "type string" will store substrings of up
6993 to <len> characters. If the string provided by the pattern
6994 extractor is larger than <len>, it will be truncated before
6995 being stored. During matching, at most <len> characters will be
6996 compared between the string in the table and the extracted
6997 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +02006998 to 32 characters.
6999
7000 binary a table declared with "type binary" will store binary blocks
7001 of <len> bytes. If the block provided by the pattern
7002 extractor is larger than <len>, it will be truncated before
Willy Tarreaube722a22014-06-13 16:31:59 +02007003 being stored. If the block provided by the sample expression
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007004 is shorter than <len>, it will be padded by 0. When not
7005 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007006
7007 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007008 "string" type table (See type "string" above). Or the number
7009 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007010 changing this parameter as memory usage will proportionally
7011 increase.
7012
7013 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01007014 value directly impacts memory usage. Count approximately
7015 50 bytes per entry, plus the size of a string if any. The size
7016 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007017
7018 [nopurge] indicates that we refuse to purge older entries when the table
7019 is full. When not specified and the table is full when haproxy
7020 wants to store an entry in it, it will flush a few of the oldest
7021 entries in order to release some space for the new ones. This is
7022 most often the desired behaviour. In some specific cases, it
7023 be desirable to refuse new entries instead of purging the older
7024 ones. That may be the case when the amount of data to store is
7025 far above the hardware limits and we prefer not to offer access
7026 to new clients than to reject the ones already connected. When
7027 using this parameter, be sure to properly set the "expire"
7028 parameter (see below).
7029
Emeric Brunf099e792010-09-27 12:05:28 +02007030 <peersect> is the name of the peers section to use for replication. Entries
7031 which associate keys to server IDs are kept synchronized with
7032 the remote peers declared in this section. All entries are also
7033 automatically learned from the local peer (old process) during a
7034 soft restart.
7035
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007036 NOTE : peers can't be used in multi-process mode.
7037
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007038 <expire> defines the maximum duration of an entry in the table since it
7039 was last created, refreshed or matched. The expiration delay is
7040 defined using the standard time format, similarly as the various
7041 timeouts. The maximum duration is slightly above 24 days. See
7042 section 2.2 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +02007043 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007044 be removed once full. Be sure not to use the "nopurge" parameter
7045 if not expiration delay is specified.
7046
Willy Tarreau08d5f982010-06-06 13:34:54 +02007047 <data_type> is used to store additional information in the stick-table. This
7048 may be used by ACLs in order to control various criteria related
7049 to the activity of the client matching the stick-table. For each
7050 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02007051 that the additional data can fit. Several data types may be
7052 stored with an entry. Multiple data types may be specified after
7053 the "store" keyword, as a comma-separated list. Alternatively,
7054 it is possible to repeat the "store" keyword followed by one or
7055 several data types. Except for the "server_id" type which is
7056 automatically detected and enabled, all data types must be
7057 explicitly declared to be stored. If an ACL references a data
7058 type which is not stored, the ACL will simply not match. Some
7059 data types require an argument which must be passed just after
7060 the type between parenthesis. See below for the supported data
7061 types and their arguments.
7062
7063 The data types that can be stored with an entry are the following :
7064 - server_id : this is an integer which holds the numeric ID of the server a
7065 request was assigned to. It is used by the "stick match", "stick store",
7066 and "stick on" rules. It is automatically enabled when referenced.
7067
7068 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
7069 integer which may be used for anything. Most of the time it will be used
7070 to put a special tag on some entries, for instance to note that a
7071 specific behaviour was detected and must be known for future matches.
7072
Willy Tarreauba2ffd12013-05-29 15:54:14 +02007073 - gpc0_rate(<period>) : increment rate of the first General Purpose Counter
7074 over a period. It is a positive 32-bit integer integer which may be used
7075 for anything. Just like <gpc0>, it counts events, but instead of keeping
7076 a cumulative count, it maintains the rate at which the counter is
7077 incremented. Most of the time it will be used to measure the frequency of
7078 occurrence of certain events (eg: requests to a specific URL).
7079
Willy Tarreauc9705a12010-07-27 20:05:50 +02007080 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
7081 the absolute number of connections received from clients which matched
7082 this entry. It does not mean the connections were accepted, just that
7083 they were received.
7084
7085 - conn_cur : Current Connections. It is a positive 32-bit integer which
7086 stores the concurrent connection counts for the entry. It is incremented
7087 once an incoming connection matches the entry, and decremented once the
7088 connection leaves. That way it is possible to know at any time the exact
7089 number of concurrent connections for an entry.
7090
7091 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7092 integer parameter <period> which indicates in milliseconds the length
7093 of the period over which the average is measured. It reports the average
7094 incoming connection rate over that period, in connections per period. The
7095 result is an integer which can be matched using ACLs.
7096
7097 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
7098 the absolute number of sessions received from clients which matched this
7099 entry. A session is a connection that was accepted by the layer 4 rules.
7100
7101 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7102 integer parameter <period> which indicates in milliseconds the length
7103 of the period over which the average is measured. It reports the average
7104 incoming session rate over that period, in sessions per period. The
7105 result is an integer which can be matched using ACLs.
7106
7107 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
7108 counts the absolute number of HTTP requests received from clients which
7109 matched this entry. It does not matter whether they are valid requests or
7110 not. Note that this is different from sessions when keep-alive is used on
7111 the client side.
7112
7113 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7114 integer parameter <period> which indicates in milliseconds the length
7115 of the period over which the average is measured. It reports the average
7116 HTTP request rate over that period, in requests per period. The result is
7117 an integer which can be matched using ACLs. It does not matter whether
7118 they are valid requests or not. Note that this is different from sessions
7119 when keep-alive is used on the client side.
7120
7121 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
7122 counts the absolute number of HTTP requests errors induced by clients
7123 which matched this entry. Errors are counted on invalid and truncated
7124 requests, as well as on denied or tarpitted requests, and on failed
7125 authentications. If the server responds with 4xx, then the request is
7126 also counted as an error since it's an error triggered by the client
7127 (eg: vulnerability scan).
7128
7129 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7130 integer parameter <period> which indicates in milliseconds the length
7131 of the period over which the average is measured. It reports the average
7132 HTTP request error rate over that period, in requests per period (see
7133 http_err_cnt above for what is accounted as an error). The result is an
7134 integer which can be matched using ACLs.
7135
7136 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
7137 integer which counts the cumulated amount of bytes received from clients
7138 which matched this entry. Headers are included in the count. This may be
7139 used to limit abuse of upload features on photo or video servers.
7140
7141 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7142 integer parameter <period> which indicates in milliseconds the length
7143 of the period over which the average is measured. It reports the average
7144 incoming bytes rate over that period, in bytes per period. It may be used
7145 to detect users which upload too much and too fast. Warning: with large
7146 uploads, it is possible that the amount of uploaded data will be counted
7147 once upon termination, thus causing spikes in the average transfer speed
7148 instead of having a smooth one. This may partially be smoothed with
7149 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
7150 recommended for better fairness.
7151
7152 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
7153 integer which counts the cumulated amount of bytes sent to clients which
7154 matched this entry. Headers are included in the count. This may be used
7155 to limit abuse of bots sucking the whole site.
7156
7157 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
7158 an integer parameter <period> which indicates in milliseconds the length
7159 of the period over which the average is measured. It reports the average
7160 outgoing bytes rate over that period, in bytes per period. It may be used
7161 to detect users which download too much and too fast. Warning: with large
7162 transfers, it is possible that the amount of transferred data will be
7163 counted once upon termination, thus causing spikes in the average
7164 transfer speed instead of having a smooth one. This may partially be
7165 smoothed with "option contstats" though this is not perfect yet. Use of
7166 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02007167
Willy Tarreauc00cdc22010-06-06 16:48:26 +02007168 There is only one stick-table per proxy. At the moment of writing this doc,
7169 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007170 to be required, simply create a dummy backend with a stick-table in it and
7171 reference it.
7172
7173 It is important to understand that stickiness based on learning information
7174 has some limitations, including the fact that all learned associations are
7175 lost upon restart. In general it can be good as a complement but not always
7176 as an exclusive stickiness.
7177
Willy Tarreauc9705a12010-07-27 20:05:50 +02007178 Last, memory requirements may be important when storing many data types.
7179 Indeed, storing all indicators above at once in each entry requires 116 bytes
7180 per entry, or 116 MB for a 1-million entries table. This is definitely not
7181 something that can be ignored.
7182
7183 Example:
7184 # Keep track of counters of up to 1 million IP addresses over 5 minutes
7185 # and store a general purpose counter and the average connection rate
7186 # computed over a sliding window of 30 seconds.
7187 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
7188
7189 See also : "stick match", "stick on", "stick store-request", section 2.2
David du Colombiera13d1b92011-03-17 10:40:22 +01007190 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007191
7192
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007193stick store-response <pattern> [table <table>] [{if | unless} <condition>]
7194 Define a request pattern used to create an entry in a stickiness table
7195 May be used in sections : defaults | frontend | listen | backend
7196 no | no | yes | yes
7197
7198 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007199 <pattern> is a sample expression rule as described in section 7.3. It
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007200 describes what elements of the response or connection will
7201 be analysed, extracted and stored in the table once a
7202 server is selected.
7203
7204 <table> is an optional stickiness table name. If unspecified, the same
7205 backend's table is used. A stickiness table is declared using
7206 the "stick-table" statement.
7207
7208 <cond> is an optional storage condition. It makes it possible to store
7209 certain criteria only when some conditions are met (or not met).
7210 For instance, it could be used to store the SSL session ID only
7211 when the response is a SSL server hello.
7212
7213 Some protocols or applications require complex stickiness rules and cannot
7214 always simply rely on cookies nor hashing. The "stick store-response"
7215 statement describes a rule to decide what to extract from the response and
7216 when to do it, in order to store it into a stickiness table for further
7217 requests to match it using the "stick match" statement. Obviously the
7218 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007219 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007220 See section 7 for a complete list of possible patterns and transformation
7221 rules.
7222
7223 The table has to be declared using the "stick-table" statement. It must be of
7224 a type compatible with the pattern. By default it is the one which is present
7225 in the same backend. It is possible to share a table with other backends by
7226 referencing it using the "table" keyword. If another table is referenced,
7227 the server's ID inside the backends are used. By default, all server IDs
7228 start at 1 in each backend, so the server ordering is enough. But in case of
7229 doubt, it is highly recommended to force server IDs using their "id" setting.
7230
7231 It is possible to restrict the conditions where a "stick store-response"
7232 statement will apply, using "if" or "unless" followed by a condition. This
7233 condition will be evaluated while parsing the response, so any criteria can
7234 be used. See section 7 for ACL based conditions.
7235
7236 There is no limit on the number of "stick store-response" statements, but
7237 there is a limit of 8 simultaneous stores per request or response. This
7238 makes it possible to store up to 8 criteria, all extracted from either the
7239 request or the response, regardless of the number of rules. Only the 8 first
7240 ones which match will be kept. Using this, it is possible to feed multiple
7241 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01007242 another protocol or access method. Using multiple store-response rules with
7243 the same table is possible and may be used to find the best criterion to rely
7244 on, by arranging the rules by decreasing preference order. Only the first
7245 extracted criterion for a given table will be stored. All subsequent store-
7246 response rules referencing the same table will be skipped and their ACLs will
7247 not be evaluated. However, even if a store-request rule references a table, a
7248 store-response rule may also use the same table. This means that each table
7249 may learn exactly one element from the request and one element from the
7250 response at once.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007251
7252 The table will contain the real server that processed the request.
7253
7254 Example :
7255 # Learn SSL session ID from both request and response and create affinity.
7256 backend https
7257 mode tcp
7258 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +02007259 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007260 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007261
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007262 acl clienthello req_ssl_hello_type 1
7263 acl serverhello rep_ssl_hello_type 2
7264
7265 # use tcp content accepts to detects ssl client and server hello.
7266 tcp-request inspect-delay 5s
7267 tcp-request content accept if clienthello
7268
7269 # no timeout on response inspect delay by default.
7270 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007271
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007272 # SSL session ID (SSLID) may be present on a client or server hello.
7273 # Its length is coded on 1 byte at offset 43 and its value starts
7274 # at offset 44.
7275
7276 # Match and learn on request if client hello.
7277 stick on payload_lv(43,1) if clienthello
7278
7279 # Learn on response if server hello.
7280 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +02007281
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007282 server s1 192.168.1.1:443
7283 server s2 192.168.1.1:443
7284
7285 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
7286 extraction.
7287
7288
Willy Tarreau938c7fe2014-04-25 14:21:39 +02007289tcp-check connect [params*]
7290 Opens a new connection
7291 May be used in sections: defaults | frontend | listen | backend
7292 no | no | yes | yes
7293
7294 When an application lies on more than a single TCP port or when HAProxy
7295 load-balance many services in a single backend, it makes sense to probe all
7296 the services individually before considering a server as operational.
7297
7298 When there are no TCP port configured on the server line neither server port
7299 directive, then the 'tcp-check connect port <port>' must be the first step
7300 of the sequence.
7301
7302 In a tcp-check ruleset a 'connect' is required, it is also mandatory to start
7303 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
7304 do.
7305
7306 Parameters :
7307 They are optional and can be used to describe how HAProxy should open and
7308 use the TCP connection.
7309
7310 port if not set, check port or server port is used.
7311 It tells HAProxy where to open the connection to.
7312 <port> must be a valid TCP port source integer, from 1 to 65535.
7313
7314 send-proxy send a PROXY protocol string
7315
7316 ssl opens a ciphered connection
7317
7318 Examples:
7319 # check HTTP and HTTPs services on a server.
7320 # first open port 80 thanks to server line port directive, then
7321 # tcp-check opens port 443, ciphered and run a request on it:
7322 option tcp-check
7323 tcp-check connect
7324 tcp-check send GET\ /\ HTTP/1.0\r\n
7325 tcp-check send Host:\ haproxy.1wt.eu\r\n
7326 tcp-check send \r\n
7327 tcp-check expect rstring (2..|3..)
7328 tcp-check connect port 443 ssl
7329 tcp-check send GET\ /\ HTTP/1.0\r\n
7330 tcp-check send Host:\ haproxy.1wt.eu\r\n
7331 tcp-check send \r\n
7332 tcp-check expect rstring (2..|3..)
7333 server www 10.0.0.1 check port 80
7334
7335 # check both POP and IMAP from a single server:
7336 option tcp-check
7337 tcp-check connect port 110
7338 tcp-check expect string +OK\ POP3\ ready
7339 tcp-check connect port 143
7340 tcp-check expect string *\ OK\ IMAP4\ ready
7341 server mail 10.0.0.1 check
7342
7343 See also : "option tcp-check", "tcp-check send", "tcp-check expect"
7344
7345
7346tcp-check expect [!] <match> <pattern>
7347 Specify data to be collected and analysed during a generic health check
7348 May be used in sections: defaults | frontend | listen | backend
7349 no | no | yes | yes
7350
7351 Arguments :
7352 <match> is a keyword indicating how to look for a specific pattern in the
7353 response. The keyword may be one of "string", "rstring" or
7354 binary.
7355 The keyword may be preceded by an exclamation mark ("!") to negate
7356 the match. Spaces are allowed between the exclamation mark and the
7357 keyword. See below for more details on the supported keywords.
7358
7359 <pattern> is the pattern to look for. It may be a string or a regular
7360 expression. If the pattern contains spaces, they must be escaped
7361 with the usual backslash ('\').
7362 If the match is set to binary, then the pattern must be passed as
7363 a serie of hexadecimal digits in an even number. Each sequence of
7364 two digits will represent a byte. The hexadecimal digits may be
7365 used upper or lower case.
7366
7367
7368 The available matches are intentionally similar to their http-check cousins :
7369
7370 string <string> : test the exact string matches in the response buffer.
7371 A health check response will be considered valid if the
7372 response's buffer contains this exact string. If the
7373 "string" keyword is prefixed with "!", then the response
7374 will be considered invalid if the body contains this
7375 string. This can be used to look for a mandatory pattern
7376 in a protocol response, or to detect a failure when a
7377 specific error appears in a protocol banner.
7378
7379 rstring <regex> : test a regular expression on the response buffer.
7380 A health check response will be considered valid if the
7381 response's buffer matches this expression. If the
7382 "rstring" keyword is prefixed with "!", then the response
7383 will be considered invalid if the body matches the
7384 expression.
7385
7386 binary <hexstring> : test the exact string in its hexadecimal form matches
7387 in the response buffer. A health check response will
7388 be considered valid if the response's buffer contains
7389 this exact hexadecimal string.
7390 Purpose is to match data on binary protocols.
7391
7392 It is important to note that the responses will be limited to a certain size
7393 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
7394 Thus, too large responses may not contain the mandatory pattern when using
7395 "string", "rstring" or binary. If a large response is absolutely required, it
7396 is possible to change the default max size by setting the global variable.
7397 However, it is worth keeping in mind that parsing very large responses can
7398 waste some CPU cycles, especially when regular expressions are used, and that
7399 it is always better to focus the checks on smaller resources. Also, in its
7400 current state, the check will not find any string nor regex past a null
7401 character in the response. Similarly it is not possible to request matching
7402 the null character.
7403
7404 Examples :
7405 # perform a POP check
7406 option tcp-check
7407 tcp-check expect string +OK\ POP3\ ready
7408
7409 # perform an IMAP check
7410 option tcp-check
7411 tcp-check expect string *\ OK\ IMAP4\ ready
7412
7413 # look for the redis master server
7414 option tcp-check
7415 tcp-check send PING\r\n
7416 tcp-check expect +PONG
7417 tcp-check send info\ replication\r\n
7418 tcp-check expect string role:master
7419 tcp-check send QUIT\r\n
7420 tcp-check expect string +OK
7421
7422
7423 See also : "option tcp-check", "tcp-check connect", "tcp-check send",
7424 "tcp-check send-binary", "http-check expect", tune.chksize
7425
7426
7427tcp-check send <data>
7428 Specify a string to be sent as a question during a generic health check
7429 May be used in sections: defaults | frontend | listen | backend
7430 no | no | yes | yes
7431
7432 <data> : the data to be sent as a question during a generic health check
7433 session. For now, <data> must be a string.
7434
7435 Examples :
7436 # look for the redis master server
7437 option tcp-check
7438 tcp-check send info\ replication\r\n
7439 tcp-check expect string role:master
7440
7441 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
7442 "tcp-check send-binary", tune.chksize
7443
7444
7445tcp-check send-binary <hexastring>
7446 Specify an hexa digits string to be sent as a binary question during a raw
7447 tcp health check
7448 May be used in sections: defaults | frontend | listen | backend
7449 no | no | yes | yes
7450
7451 <data> : the data to be sent as a question during a generic health check
7452 session. For now, <data> must be a string.
7453 <hexastring> : test the exact string in its hexadecimal form matches in the
7454 response buffer. A health check response will be considered
7455 valid if the response's buffer contains this exact
7456 hexadecimal string.
7457 Purpose is to send binary data to ask on binary protocols.
7458
7459 Examples :
7460 # redis check in binary
7461 option tcp-check
7462 tcp-check send-binary 50494e470d0a # PING\r\n
7463 tcp-check expect binary 2b504F4e47 # +PONG
7464
7465
7466 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
7467 "tcp-check send", tune.chksize
7468
7469
Willy Tarreaue9656522010-08-17 15:40:09 +02007470tcp-request connection <action> [{if | unless} <condition>]
7471 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02007472 May be used in sections : defaults | frontend | listen | backend
7473 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02007474 Arguments :
7475 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007476 actions include : "accept", "reject", "track-sc0", "track-sc1",
7477 "track-sc2", and "expect-proxy". See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02007478
Willy Tarreaue9656522010-08-17 15:40:09 +02007479 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007480
7481 Immediately after acceptance of a new incoming connection, it is possible to
7482 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02007483 or dropped or have its counters tracked. Those conditions cannot make use of
7484 any data contents because the connection has not been read from yet, and the
7485 buffers are not yet allocated. This is used to selectively and very quickly
7486 accept or drop connections from various sources with a very low overhead. If
7487 some contents need to be inspected in order to take the decision, the
7488 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007489
Willy Tarreaue9656522010-08-17 15:40:09 +02007490 The "tcp-request connection" rules are evaluated in their exact declaration
7491 order. If no rule matches or if there is no rule, the default action is to
7492 accept the incoming connection. There is no specific limit to the number of
7493 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007494
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007495 Five types of actions are supported :
Willy Tarreaue9656522010-08-17 15:40:09 +02007496 - accept :
7497 accepts the connection if the condition is true (when used with "if")
7498 or false (when used with "unless"). The first such rule executed ends
7499 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007500
Willy Tarreaue9656522010-08-17 15:40:09 +02007501 - reject :
7502 rejects the connection if the condition is true (when used with "if")
7503 or false (when used with "unless"). The first such rule executed ends
7504 the rules evaluation. Rejected connections do not even become a
7505 session, which is why they are accounted separately for in the stats,
7506 as "denied connections". They are not considered for the session
7507 rate-limit and are not logged either. The reason is that these rules
7508 should only be used to filter extremely high connection rates such as
7509 the ones encountered during a massive DDoS attack. Under these extreme
7510 conditions, the simple action of logging each event would make the
7511 system collapse and would considerably lower the filtering capacity. If
7512 logging is absolutely desired, then "tcp-request content" rules should
7513 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007514
Willy Tarreau4f0d9192013-06-11 20:40:55 +02007515 - expect-proxy layer4 :
7516 configures the client-facing connection to receive a PROXY protocol
7517 header before any byte is read from the socket. This is equivalent to
7518 having the "accept-proxy" keyword on the "bind" line, except that using
7519 the TCP rule allows the PROXY protocol to be accepted only for certain
7520 IP address ranges using an ACL. This is convenient when multiple layers
7521 of load balancers are passed through by traffic coming from public
7522 hosts.
7523
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007524 - capture <sample> len <length> :
7525 This only applies to "tcp-request content" rules. It captures sample
7526 expression <sample> from the request buffer, and converts it to a
7527 string of at most <len> characters. The resulting string is stored into
7528 the next request "capture" slot, so it will possibly appear next to
7529 some captured HTTP headers. It will then automatically appear in the
7530 logs, and it will be possible to extract it using sample fetch rules to
7531 feed it into headers or anything. The length should be limited given
7532 that this size will be allocated for each capture during the whole
7533 session life. Since it applies to Please check section 7.3 (Fetching
7534 samples) and "capture request header" for more information.
7535
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007536 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
Willy Tarreaue9656522010-08-17 15:40:09 +02007537 enables tracking of sticky counters from current connection. These
Willy Tarreau09448f72014-06-25 18:12:15 +02007538 rules do not stop evaluation and do not change default action. 3 sets
Willy Tarreaue9656522010-08-17 15:40:09 +02007539 of counters may be simultaneously tracked by the same connection. The
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007540 first "track-sc0" rule executed enables tracking of the counters of the
7541 specified table as the first set. The first "track-sc1" rule executed
Willy Tarreaue9656522010-08-17 15:40:09 +02007542 enables tracking of the counters of the specified table as the second
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007543 set. The first "track-sc2" rule executed enables tracking of the
7544 counters of the specified table as the third set. It is a recommended
7545 practice to use the first set of counters for the per-frontend counters
7546 and the second set for the per-backend ones. But this is just a
7547 guideline, all may be used everywhere.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007548
Willy Tarreaue9656522010-08-17 15:40:09 +02007549 These actions take one or two arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007550 <key> is mandatory, and is a sample expression rule as described
Willy Tarreau74ca5042013-06-11 23:12:07 +02007551 in section 7.3. It describes what elements of the incoming
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007552 request or connection will be analysed, extracted, combined,
7553 and used to select which table entry to update the counters.
7554 Note that "tcp-request connection" cannot use content-based
7555 fetches.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007556
Willy Tarreaue9656522010-08-17 15:40:09 +02007557 <table> is an optional table to be used instead of the default one,
7558 which is the stick-table declared in the current proxy. All
7559 the counters for the matches and updates for the key will
7560 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007561
Willy Tarreaue9656522010-08-17 15:40:09 +02007562 Once a "track-sc*" rule is executed, the key is looked up in the table
7563 and if it is not found, an entry is allocated for it. Then a pointer to
7564 that entry is kept during all the session's life, and this entry's
7565 counters are updated as often as possible, every time the session's
7566 counters are updated, and also systematically when the session ends.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007567 Counters are only updated for events that happen after the tracking has
7568 been started. For example, connection counters will not be updated when
7569 tracking layer 7 information, since the connection event happens before
7570 layer7 information is extracted.
7571
Willy Tarreaue9656522010-08-17 15:40:09 +02007572 If the entry tracks concurrent connection counters, one connection is
7573 counted for as long as the entry is tracked, and the entry will not
7574 expire during that time. Tracking counters also provides a performance
7575 advantage over just checking the keys, because only one table lookup is
7576 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007577
Willy Tarreaue9656522010-08-17 15:40:09 +02007578 Note that the "if/unless" condition is optional. If no condition is set on
7579 the action, it is simply performed unconditionally. That can be useful for
7580 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007581
Willy Tarreaue9656522010-08-17 15:40:09 +02007582 Example: accept all connections from white-listed hosts, reject too fast
7583 connection without counting them, and track accepted connections.
7584 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007585
Willy Tarreaue9656522010-08-17 15:40:09 +02007586 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007587 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007588 tcp-request connection track-sc0 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007589
Willy Tarreaue9656522010-08-17 15:40:09 +02007590 Example: accept all connections from white-listed hosts, count all other
7591 connections and reject too fast ones. This results in abusive ones
7592 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007593
Willy Tarreaue9656522010-08-17 15:40:09 +02007594 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007595 tcp-request connection track-sc0 src
7596 tcp-request connection reject if { sc0_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007597
Willy Tarreau4f0d9192013-06-11 20:40:55 +02007598 Example: enable the PROXY protocol for traffic coming from all known proxies.
7599
7600 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
7601
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007602 See section 7 about ACL usage.
7603
Willy Tarreaue9656522010-08-17 15:40:09 +02007604 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007605
7606
Willy Tarreaue9656522010-08-17 15:40:09 +02007607tcp-request content <action> [{if | unless} <condition>]
7608 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02007609 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02007610 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02007611 Arguments :
7612 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007613 actions include : "accept", "reject", "track-sc0", "track-sc1",
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007614 "track-sc2" and "capture". See "tcp-request connection" above
7615 for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02007616
Willy Tarreaue9656522010-08-17 15:40:09 +02007617 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02007618
Willy Tarreaue9656522010-08-17 15:40:09 +02007619 A request's contents can be analysed at an early stage of request processing
7620 called "TCP content inspection". During this stage, ACL-based rules are
7621 evaluated every time the request contents are updated, until either an
7622 "accept" or a "reject" rule matches, or the TCP request inspection delay
7623 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02007624
Willy Tarreaue9656522010-08-17 15:40:09 +02007625 The first difference between these rules and "tcp-request connection" rules
7626 is that "tcp-request content" rules can make use of contents to take a
7627 decision. Most often, these decisions will consider a protocol recognition or
7628 validity. The second difference is that content-based rules can be used in
Willy Tarreauf3338342014-01-28 21:40:28 +01007629 both frontends and backends. In case of HTTP keep-alive with the client, all
7630 tcp-request content rules are evaluated again, so haproxy keeps a record of
7631 what sticky counters were assigned by a "tcp-request connection" versus a
7632 "tcp-request content" rule, and flushes all the content-related ones after
7633 processing an HTTP request, so that they may be evaluated again by the rules
7634 being evaluated again for the next request. This is of particular importance
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03007635 when the rule tracks some L7 information or when it is conditioned by an
Willy Tarreauf3338342014-01-28 21:40:28 +01007636 L7-based ACL, since tracking may change between requests.
Willy Tarreau62644772008-07-16 18:36:06 +02007637
Willy Tarreaue9656522010-08-17 15:40:09 +02007638 Content-based rules are evaluated in their exact declaration order. If no
7639 rule matches or if there is no rule, the default action is to accept the
7640 contents. There is no specific limit to the number of rules which may be
7641 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02007642
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007643 Four types of actions are supported :
7644 - accept : the request is accepted
7645 - reject : the request is rejected and the connection is closed
7646 - capture : the specified sample expression is captured
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007647 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02007648
Willy Tarreaue9656522010-08-17 15:40:09 +02007649 They have the same meaning as their counter-parts in "tcp-request connection"
7650 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02007651
Willy Tarreauf3338342014-01-28 21:40:28 +01007652 While there is nothing mandatory about it, it is recommended to use the
7653 track-sc0 in "tcp-request connection" rules, track-sc1 for "tcp-request
7654 content" rules in the frontend, and track-sc2 for "tcp-request content"
7655 rules in the backend, because that makes the configuration more readable
7656 and easier to troubleshoot, but this is just a guideline and all counters
7657 may be used everywhere.
Willy Tarreau62644772008-07-16 18:36:06 +02007658
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007659 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02007660 the action, it is simply performed unconditionally. That can be useful for
7661 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02007662
Willy Tarreaue9656522010-08-17 15:40:09 +02007663 It is perfectly possible to match layer 7 contents with "tcp-request content"
Willy Tarreauc0239e02012-04-16 14:42:55 +02007664 rules, since HTTP-specific ACL matches are able to preliminarily parse the
7665 contents of a buffer before extracting the required data. If the buffered
7666 contents do not parse as a valid HTTP message, then the ACL does not match.
7667 The parser which is involved there is exactly the same as for all other HTTP
Willy Tarreauf3338342014-01-28 21:40:28 +01007668 processing, so there is no risk of parsing something differently. In an HTTP
7669 backend connected to from an HTTP frontend, it is guaranteed that HTTP
7670 contents will always be immediately present when the rule is evaluated first.
Willy Tarreau62644772008-07-16 18:36:06 +02007671
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007672 Tracking layer7 information is also possible provided that the information
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02007673 are present when the rule is processed. The rule processing engine is able to
7674 wait until the inspect delay expires when the data to be tracked is not yet
7675 available.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007676
Willy Tarreau62644772008-07-16 18:36:06 +02007677 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02007678 # Accept HTTP requests containing a Host header saying "example.com"
7679 # and reject everything else.
7680 acl is_host_com hdr(Host) -i example.com
7681 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +02007682 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +02007683 tcp-request content reject
7684
7685 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02007686 # reject SMTP connection if client speaks first
7687 tcp-request inspect-delay 30s
7688 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007689 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02007690
7691 # Forward HTTPS connection only if client speaks
7692 tcp-request inspect-delay 30s
7693 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007694 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02007695 tcp-request content reject
7696
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007697 Example:
7698 # Track the last IP from X-Forwarded-For
7699 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02007700 tcp-request content track-sc0 hdr(x-forwarded-for,-1)
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007701
7702 Example:
7703 # track request counts per "base" (concatenation of Host+URL)
7704 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02007705 tcp-request content track-sc0 base table req-rate
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007706
Willy Tarreaue9656522010-08-17 15:40:09 +02007707 Example: track per-frontend and per-backend counters, block abusers at the
7708 frontend when the backend detects abuse.
7709
7710 frontend http
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007711 # Use General Purpose Couter 0 in SC0 as a global abuse counter
Willy Tarreaue9656522010-08-17 15:40:09 +02007712 # protecting all our sites
7713 stick-table type ip size 1m expire 5m store gpc0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007714 tcp-request connection track-sc0 src
7715 tcp-request connection reject if { sc0_get_gpc0 gt 0 }
Willy Tarreaue9656522010-08-17 15:40:09 +02007716 ...
7717 use_backend http_dynamic if { path_end .php }
7718
7719 backend http_dynamic
7720 # if a source makes too fast requests to this dynamic site (tracked
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007721 # by SC1), block it globally in the frontend.
Willy Tarreaue9656522010-08-17 15:40:09 +02007722 stick-table type ip size 1m expire 5m store http_req_rate(10s)
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007723 acl click_too_fast sc1_http_req_rate gt 10
7724 acl mark_as_abuser sc0_inc_gpc0 gt 0
7725 tcp-request content track-sc1 src
Willy Tarreaue9656522010-08-17 15:40:09 +02007726 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02007727
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007728 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02007729
Willy Tarreaue9656522010-08-17 15:40:09 +02007730 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02007731
7732
7733tcp-request inspect-delay <timeout>
7734 Set the maximum allowed time to wait for data during content inspection
7735 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02007736 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02007737 Arguments :
7738 <timeout> is the timeout value specified in milliseconds by default, but
7739 can be in any other unit if the number is suffixed by the unit,
7740 as explained at the top of this document.
7741
7742 People using haproxy primarily as a TCP relay are often worried about the
7743 risk of passing any type of protocol to a server without any analysis. In
7744 order to be able to analyze the request contents, we must first withhold
7745 the data then analyze them. This statement simply enables withholding of
7746 data for at most the specified amount of time.
7747
Willy Tarreaufb356202010-08-03 14:02:05 +02007748 TCP content inspection applies very early when a connection reaches a
7749 frontend, then very early when the connection is forwarded to a backend. This
7750 means that a connection may experience a first delay in the frontend and a
7751 second delay in the backend if both have tcp-request rules.
7752
Willy Tarreau62644772008-07-16 18:36:06 +02007753 Note that when performing content inspection, haproxy will evaluate the whole
7754 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007755 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02007756 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01007757 contents are definitive. If no delay is set, haproxy will not wait at all
7758 and will immediately apply a verdict based on the available information.
7759 Obviously this is unlikely to be very useful and might even be racy, so such
7760 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02007761
7762 As soon as a rule matches, the request is released and continues as usual. If
7763 the timeout is reached and no rule matches, the default policy will be to let
7764 it pass through unaffected.
7765
7766 For most protocols, it is enough to set it to a few seconds, as most clients
7767 send the full request immediately upon connection. Add 3 or more seconds to
7768 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01007769 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02007770 before the server (eg: SMTP), or to wait for a client to talk before passing
7771 data to the server (eg: SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +02007772 least the inspection delay, otherwise it will expire first. If the client
7773 closes the connection or if the buffer is full, the delay immediately expires
7774 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +02007775
Willy Tarreau55165fe2009-05-10 12:02:55 +02007776 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02007777 "timeout client".
7778
7779
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007780tcp-response content <action> [{if | unless} <condition>]
7781 Perform an action on a session response depending on a layer 4-7 condition
7782 May be used in sections : defaults | frontend | listen | backend
7783 no | no | yes | yes
7784 Arguments :
7785 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007786 actions include : "accept", "close", "reject".
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007787
7788 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
7789
7790 Response contents can be analysed at an early stage of response processing
7791 called "TCP content inspection". During this stage, ACL-based rules are
7792 evaluated every time the response contents are updated, until either an
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007793 "accept", "close" or a "reject" rule matches, or a TCP response inspection
7794 delay is set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007795
7796 Most often, these decisions will consider a protocol recognition or validity.
7797
7798 Content-based rules are evaluated in their exact declaration order. If no
7799 rule matches or if there is no rule, the default action is to accept the
7800 contents. There is no specific limit to the number of rules which may be
7801 inserted.
7802
7803 Two types of actions are supported :
7804 - accept :
7805 accepts the response if the condition is true (when used with "if")
7806 or false (when used with "unless"). The first such rule executed ends
7807 the rules evaluation.
7808
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007809 - close :
7810 immediately closes the connection with the server if the condition is
7811 true (when used with "if"), or false (when used with "unless"). The
7812 first such rule executed ends the rules evaluation. The main purpose of
7813 this action is to force a connection to be finished between a client
7814 and a server after an exchange when the application protocol expects
7815 some long time outs to elapse first. The goal is to eliminate idle
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03007816 connections which take significant resources on servers with certain
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007817 protocols.
7818
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007819 - reject :
7820 rejects the response if the condition is true (when used with "if")
7821 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007822 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007823
7824 Note that the "if/unless" condition is optional. If no condition is set on
7825 the action, it is simply performed unconditionally. That can be useful for
7826 for changing the default action to a reject.
7827
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007828 It is perfectly possible to match layer 7 contents with "tcp-response
7829 content" rules, but then it is important to ensure that a full response has
7830 been buffered, otherwise no contents will match. In order to achieve this,
7831 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007832 period.
7833
7834 See section 7 about ACL usage.
7835
7836 See also : "tcp-request content", "tcp-response inspect-delay"
7837
7838
7839tcp-response inspect-delay <timeout>
7840 Set the maximum allowed time to wait for a response during content inspection
7841 May be used in sections : defaults | frontend | listen | backend
7842 no | no | yes | yes
7843 Arguments :
7844 <timeout> is the timeout value specified in milliseconds by default, but
7845 can be in any other unit if the number is suffixed by the unit,
7846 as explained at the top of this document.
7847
7848 See also : "tcp-response content", "tcp-request inspect-delay".
7849
7850
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007851timeout check <timeout>
7852 Set additional check timeout, but only after a connection has been already
7853 established.
7854
7855 May be used in sections: defaults | frontend | listen | backend
7856 yes | no | yes | yes
7857 Arguments:
7858 <timeout> is the timeout value specified in milliseconds by default, but
7859 can be in any other unit if the number is suffixed by the unit,
7860 as explained at the top of this document.
7861
7862 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
7863 for check and "timeout check" as an additional read timeout. The "min" is
7864 used so that people running with *very* long "timeout connect" (eg. those
7865 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01007866 (Please also note that there is no valid reason to have such long connect
7867 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
7868 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007869
7870 If "timeout check" is not set haproxy uses "inter" for complete check
7871 timeout (connect + read) exactly like all <1.3.15 version.
7872
7873 In most cases check request is much simpler and faster to handle than normal
7874 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01007875 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007876
7877 This parameter is specific to backends, but can be specified once for all in
7878 "defaults" sections. This is in fact one of the easiest solutions not to
7879 forget about it.
7880
Willy Tarreau41a340d2008-01-22 12:25:31 +01007881 See also: "timeout connect", "timeout queue", "timeout server",
7882 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007883
7884
Willy Tarreau0ba27502007-12-24 16:55:16 +01007885timeout client <timeout>
7886timeout clitimeout <timeout> (deprecated)
7887 Set the maximum inactivity time on the client side.
7888 May be used in sections : defaults | frontend | listen | backend
7889 yes | yes | yes | no
7890 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01007891 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01007892 can be in any other unit if the number is suffixed by the unit,
7893 as explained at the top of this document.
7894
7895 The inactivity timeout applies when the client is expected to acknowledge or
7896 send data. In HTTP mode, this timeout is particularly important to consider
7897 during the first phase, when the client sends the request, and during the
7898 response while it is reading data sent by the server. The value is specified
7899 in milliseconds by default, but can be in any other unit if the number is
7900 suffixed by the unit, as specified at the top of this document. In TCP mode
7901 (and to a lesser extent, in HTTP mode), it is highly recommended that the
7902 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007903 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01007904 losses by specifying timeouts that are slightly above multiples of 3 seconds
Willy Tarreauce887fd2012-05-12 12:50:00 +02007905 (eg: 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
7906 sessions (eg: WebSocket and HTTP), it's worth considering "timeout tunnel",
Willy Tarreau05cdd962014-05-10 14:30:07 +02007907 which overrides "timeout client" and "timeout server" for tunnels, as well as
7908 "timeout client-fin" for half-closed connections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007909
7910 This parameter is specific to frontends, but can be specified once for all in
7911 "defaults" sections. This is in fact one of the easiest solutions not to
7912 forget about it. An unspecified timeout results in an infinite timeout, which
7913 is not recommended. Such a usage is accepted and works but reports a warning
7914 during startup because it may results in accumulation of expired sessions in
7915 the system if the system's timeouts are not configured either.
7916
7917 This parameter replaces the old, deprecated "clitimeout". It is recommended
7918 to use it to write new configurations. The form "timeout clitimeout" is
7919 provided only by backwards compatibility but its use is strongly discouraged.
7920
Willy Tarreauce887fd2012-05-12 12:50:00 +02007921 See also : "clitimeout", "timeout server", "timeout tunnel".
Willy Tarreau0ba27502007-12-24 16:55:16 +01007922
7923
Willy Tarreau05cdd962014-05-10 14:30:07 +02007924timeout client-fin <timeout>
7925 Set the inactivity timeout on the client side for half-closed connections.
7926 May be used in sections : defaults | frontend | listen | backend
7927 yes | yes | yes | no
7928 Arguments :
7929 <timeout> is the timeout value specified in milliseconds by default, but
7930 can be in any other unit if the number is suffixed by the unit,
7931 as explained at the top of this document.
7932
7933 The inactivity timeout applies when the client is expected to acknowledge or
7934 send data while one direction is already shut down. This timeout is different
7935 from "timeout client" in that it only applies to connections which are closed
7936 in one direction. This is particularly useful to avoid keeping connections in
7937 FIN_WAIT state for too long when clients do not disconnect cleanly. This
7938 problem is particularly common long connections such as RDP or WebSocket.
7939 Note that this timeout can override "timeout tunnel" when a connection shuts
7940 down in one direction.
7941
7942 This parameter is specific to frontends, but can be specified once for all in
7943 "defaults" sections. By default it is not set, so half-closed connections
7944 will use the other timeouts (timeout.client or timeout.tunnel).
7945
7946 See also : "timeout client", "timeout server-fin", and "timeout tunnel".
7947
7948
Willy Tarreau0ba27502007-12-24 16:55:16 +01007949timeout connect <timeout>
7950timeout contimeout <timeout> (deprecated)
7951 Set the maximum time to wait for a connection attempt to a server to succeed.
7952 May be used in sections : defaults | frontend | listen | backend
7953 yes | no | yes | yes
7954 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01007955 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01007956 can be in any other unit if the number is suffixed by the unit,
7957 as explained at the top of this document.
7958
7959 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007960 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01007961 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01007962 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007963 connect timeout also presets both queue and tarpit timeouts to the same value
7964 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007965
7966 This parameter is specific to backends, but can be specified once for all in
7967 "defaults" sections. This is in fact one of the easiest solutions not to
7968 forget about it. An unspecified timeout results in an infinite timeout, which
7969 is not recommended. Such a usage is accepted and works but reports a warning
7970 during startup because it may results in accumulation of failed sessions in
7971 the system if the system's timeouts are not configured either.
7972
7973 This parameter replaces the old, deprecated "contimeout". It is recommended
7974 to use it to write new configurations. The form "timeout contimeout" is
7975 provided only by backwards compatibility but its use is strongly discouraged.
7976
Willy Tarreau41a340d2008-01-22 12:25:31 +01007977 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
7978 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01007979
7980
Willy Tarreaub16a5742010-01-10 14:46:16 +01007981timeout http-keep-alive <timeout>
7982 Set the maximum allowed time to wait for a new HTTP request to appear
7983 May be used in sections : defaults | frontend | listen | backend
7984 yes | yes | yes | yes
7985 Arguments :
7986 <timeout> is the timeout value specified in milliseconds by default, but
7987 can be in any other unit if the number is suffixed by the unit,
7988 as explained at the top of this document.
7989
7990 By default, the time to wait for a new request in case of keep-alive is set
7991 by "timeout http-request". However this is not always convenient because some
7992 people want very short keep-alive timeouts in order to release connections
7993 faster, and others prefer to have larger ones but still have short timeouts
7994 once the request has started to present itself.
7995
7996 The "http-keep-alive" timeout covers these needs. It will define how long to
7997 wait for a new HTTP request to start coming after a response was sent. Once
7998 the first byte of request has been seen, the "http-request" timeout is used
7999 to wait for the complete request to come. Note that empty lines prior to a
8000 new request do not refresh the timeout and are not counted as a new request.
8001
8002 There is also another difference between the two timeouts : when a connection
8003 expires during timeout http-keep-alive, no error is returned, the connection
8004 just closes. If the connection expires in "http-request" while waiting for a
8005 connection to complete, a HTTP 408 error is returned.
8006
8007 In general it is optimal to set this value to a few tens to hundreds of
8008 milliseconds, to allow users to fetch all objects of a page at once but
8009 without waiting for further clicks. Also, if set to a very small value (eg:
8010 1 millisecond) it will probably only accept pipelined requests but not the
8011 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02008012 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01008013
8014 If this parameter is not set, the "http-request" timeout applies, and if both
8015 are not set, "timeout client" still applies at the lower level. It should be
8016 set in the frontend to take effect, unless the frontend is in TCP mode, in
8017 which case the HTTP backend's timeout will be used.
8018
8019 See also : "timeout http-request", "timeout client".
8020
8021
Willy Tarreau036fae02008-01-06 13:24:40 +01008022timeout http-request <timeout>
8023 Set the maximum allowed time to wait for a complete HTTP request
8024 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02008025 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01008026 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01008027 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01008028 can be in any other unit if the number is suffixed by the unit,
8029 as explained at the top of this document.
8030
8031 In order to offer DoS protection, it may be required to lower the maximum
8032 accepted time to receive a complete HTTP request without affecting the client
8033 timeout. This helps protecting against established connections on which
8034 nothing is sent. The client timeout cannot offer a good protection against
8035 this abuse because it is an inactivity timeout, which means that if the
8036 attacker sends one character every now and then, the timeout will not
8037 trigger. With the HTTP request timeout, no matter what speed the client
Willy Tarreau2705a612014-05-23 17:38:34 +02008038 types, the request will be aborted if it does not complete in time. When the
8039 timeout expires, an HTTP 408 response is sent to the client to inform it
8040 about the problem, and the connection is closed. The logs will report
8041 termination codes "cR". Some recent browsers are having problems with this
8042 standard, well-documented behaviour, so it might be needed to hide the 408
8043 code using "errorfile 408 /dev/null". See more details in the explanations of
8044 the "cR" termination code in section 8.5.
Willy Tarreau036fae02008-01-06 13:24:40 +01008045
8046 Note that this timeout only applies to the header part of the request, and
8047 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01008048 used anymore. It is used again on keep-alive connections to wait for a second
8049 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01008050
8051 Generally it is enough to set it to a few seconds, as most clients send the
8052 full request immediately upon connection. Add 3 or more seconds to cover TCP
8053 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
8054 generally work on local networks as long as there are no packet losses. This
8055 will prevent people from sending bare HTTP requests using telnet.
8056
8057 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02008058 chunk of the incoming request. It should be set in the frontend to take
8059 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
8060 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01008061
Willy Tarreau2705a612014-05-23 17:38:34 +02008062 See also : "errorfile", "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01008063
Willy Tarreau844e3c52008-01-11 16:28:18 +01008064
8065timeout queue <timeout>
8066 Set the maximum time to wait in the queue for a connection slot to be free
8067 May be used in sections : defaults | frontend | listen | backend
8068 yes | no | yes | yes
8069 Arguments :
8070 <timeout> is the timeout value specified in milliseconds by default, but
8071 can be in any other unit if the number is suffixed by the unit,
8072 as explained at the top of this document.
8073
8074 When a server's maxconn is reached, connections are left pending in a queue
8075 which may be server-specific or global to the backend. In order not to wait
8076 indefinitely, a timeout is applied to requests pending in the queue. If the
8077 timeout is reached, it is considered that the request will almost never be
8078 served, so it is dropped and a 503 error is returned to the client.
8079
8080 The "timeout queue" statement allows to fix the maximum time for a request to
8081 be left pending in a queue. If unspecified, the same value as the backend's
8082 connection timeout ("timeout connect") is used, for backwards compatibility
8083 with older versions with no "timeout queue" parameter.
8084
8085 See also : "timeout connect", "contimeout".
8086
8087
8088timeout server <timeout>
8089timeout srvtimeout <timeout> (deprecated)
8090 Set the maximum inactivity time on the server side.
8091 May be used in sections : defaults | frontend | listen | backend
8092 yes | no | yes | yes
8093 Arguments :
8094 <timeout> is the timeout value specified in milliseconds by default, but
8095 can be in any other unit if the number is suffixed by the unit,
8096 as explained at the top of this document.
8097
8098 The inactivity timeout applies when the server is expected to acknowledge or
8099 send data. In HTTP mode, this timeout is particularly important to consider
8100 during the first phase of the server's response, when it has to send the
8101 headers, as it directly represents the server's processing time for the
8102 request. To find out what value to put there, it's often good to start with
8103 what would be considered as unacceptable response times, then check the logs
8104 to observe the response time distribution, and adjust the value accordingly.
8105
8106 The value is specified in milliseconds by default, but can be in any other
8107 unit if the number is suffixed by the unit, as specified at the top of this
8108 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
8109 recommended that the client timeout remains equal to the server timeout in
8110 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008111 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01008112 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreauce887fd2012-05-12 12:50:00 +02008113 seconds (eg: 4 or 5 seconds minimum). If some long-lived sessions are mixed
8114 with short-lived sessions (eg: WebSocket and HTTP), it's worth considering
8115 "timeout tunnel", which overrides "timeout client" and "timeout server" for
8116 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008117
8118 This parameter is specific to backends, but can be specified once for all in
8119 "defaults" sections. This is in fact one of the easiest solutions not to
8120 forget about it. An unspecified timeout results in an infinite timeout, which
8121 is not recommended. Such a usage is accepted and works but reports a warning
8122 during startup because it may results in accumulation of expired sessions in
8123 the system if the system's timeouts are not configured either.
8124
8125 This parameter replaces the old, deprecated "srvtimeout". It is recommended
8126 to use it to write new configurations. The form "timeout srvtimeout" is
8127 provided only by backwards compatibility but its use is strongly discouraged.
8128
Willy Tarreauce887fd2012-05-12 12:50:00 +02008129 See also : "srvtimeout", "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +01008130
Willy Tarreau05cdd962014-05-10 14:30:07 +02008131
8132timeout server-fin <timeout>
8133 Set the inactivity timeout on the server side for half-closed connections.
8134 May be used in sections : defaults | frontend | listen | backend
8135 yes | no | yes | yes
8136 Arguments :
8137 <timeout> is the timeout value specified in milliseconds by default, but
8138 can be in any other unit if the number is suffixed by the unit,
8139 as explained at the top of this document.
8140
8141 The inactivity timeout applies when the server is expected to acknowledge or
8142 send data while one direction is already shut down. This timeout is different
8143 from "timeout server" in that it only applies to connections which are closed
8144 in one direction. This is particularly useful to avoid keeping connections in
8145 FIN_WAIT state for too long when a remote server does not disconnect cleanly.
8146 This problem is particularly common long connections such as RDP or WebSocket.
8147 Note that this timeout can override "timeout tunnel" when a connection shuts
8148 down in one direction. This setting was provided for completeness, but in most
8149 situations, it should not be needed.
8150
8151 This parameter is specific to backends, but can be specified once for all in
8152 "defaults" sections. By default it is not set, so half-closed connections
8153 will use the other timeouts (timeout.server or timeout.tunnel).
8154
8155 See also : "timeout client-fin", "timeout server", and "timeout tunnel".
8156
Willy Tarreau844e3c52008-01-11 16:28:18 +01008157
8158timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01008159 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01008160 May be used in sections : defaults | frontend | listen | backend
8161 yes | yes | yes | yes
8162 Arguments :
8163 <timeout> is the tarpit duration specified in milliseconds by default, but
8164 can be in any other unit if the number is suffixed by the unit,
8165 as explained at the top of this document.
8166
8167 When a connection is tarpitted using "reqtarpit", it is maintained open with
8168 no activity for a certain amount of time, then closed. "timeout tarpit"
8169 defines how long it will be maintained open.
8170
8171 The value is specified in milliseconds by default, but can be in any other
8172 unit if the number is suffixed by the unit, as specified at the top of this
8173 document. If unspecified, the same value as the backend's connection timeout
8174 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01008175 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008176
8177 See also : "timeout connect", "contimeout".
8178
8179
Willy Tarreauce887fd2012-05-12 12:50:00 +02008180timeout tunnel <timeout>
8181 Set the maximum inactivity time on the client and server side for tunnels.
8182 May be used in sections : defaults | frontend | listen | backend
8183 yes | no | yes | yes
8184 Arguments :
8185 <timeout> is the timeout value specified in milliseconds by default, but
8186 can be in any other unit if the number is suffixed by the unit,
8187 as explained at the top of this document.
8188
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008189 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +02008190 between a client and a server, and the connection remains inactive in both
8191 directions. This timeout supersedes both the client and server timeouts once
8192 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
8193 analyser remains attached to either connection (eg: tcp content rules are
8194 accepted). In HTTP, this timeout is used when a connection is upgraded (eg:
8195 when switching to the WebSocket protocol, or forwarding a CONNECT request
8196 to a proxy), or after the first response when no keepalive/close option is
8197 specified.
8198
Willy Tarreau05cdd962014-05-10 14:30:07 +02008199 Since this timeout is usually used in conjunction with long-lived connections,
8200 it usually is a good idea to also set "timeout client-fin" to handle the
8201 situation where a client suddenly disappears from the net and does not
8202 acknowledge a close, or sends a shutdown and does not acknowledge pending
8203 data anymore. This can happen in lossy networks where firewalls are present,
8204 and is detected by the presence of large amounts of sessions in a FIN_WAIT
8205 state.
8206
Willy Tarreauce887fd2012-05-12 12:50:00 +02008207 The value is specified in milliseconds by default, but can be in any other
8208 unit if the number is suffixed by the unit, as specified at the top of this
8209 document. Whatever the expected normal idle time, it is a good practice to
8210 cover at least one or several TCP packet losses by specifying timeouts that
8211 are slightly above multiples of 3 seconds (eg: 4 or 5 seconds minimum).
8212
8213 This parameter is specific to backends, but can be specified once for all in
8214 "defaults" sections. This is in fact one of the easiest solutions not to
8215 forget about it.
8216
8217 Example :
8218 defaults http
8219 option http-server-close
8220 timeout connect 5s
8221 timeout client 30s
Willy Tarreau05cdd962014-05-10 14:30:07 +02008222 timeout client-fin 30s
Willy Tarreauce887fd2012-05-12 12:50:00 +02008223 timeout server 30s
8224 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
8225
Willy Tarreau05cdd962014-05-10 14:30:07 +02008226 See also : "timeout client", "timeout client-fin", "timeout server".
Willy Tarreauce887fd2012-05-12 12:50:00 +02008227
8228
Willy Tarreau844e3c52008-01-11 16:28:18 +01008229transparent (deprecated)
8230 Enable client-side transparent proxying
8231 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01008232 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01008233 Arguments : none
8234
8235 This keyword was introduced in order to provide layer 7 persistence to layer
8236 3 load balancers. The idea is to use the OS's ability to redirect an incoming
8237 connection for a remote address to a local process (here HAProxy), and let
8238 this process know what address was initially requested. When this option is
8239 used, sessions without cookies will be forwarded to the original destination
8240 IP address of the incoming request (which should match that of another
8241 equipment), while requests with cookies will still be forwarded to the
8242 appropriate server.
8243
8244 The "transparent" keyword is deprecated, use "option transparent" instead.
8245
8246 Note that contrary to a common belief, this option does NOT make HAProxy
8247 present the client's IP to the server when establishing the connection.
8248
Willy Tarreau844e3c52008-01-11 16:28:18 +01008249 See also: "option transparent"
8250
William Lallemanda73203e2012-03-12 12:48:57 +01008251unique-id-format <string>
8252 Generate a unique ID for each request.
8253 May be used in sections : defaults | frontend | listen | backend
8254 yes | yes | yes | no
8255 Arguments :
8256 <string> is a log-format string.
8257
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008258 This keyword creates a ID for each request using the custom log format. A
8259 unique ID is useful to trace a request passing through many components of
8260 a complex infrastructure. The newly created ID may also be logged using the
8261 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +01008262
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008263 The format should be composed from elements that are guaranteed to be
8264 unique when combined together. For instance, if multiple haproxy instances
8265 are involved, it might be important to include the node name. It is often
8266 needed to log the incoming connection's source and destination addresses
8267 and ports. Note that since multiple requests may be performed over the same
8268 connection, including a request counter may help differentiate them.
8269 Similarly, a timestamp may protect against a rollover of the counter.
8270 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +01008271
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008272 It is recommended to use hexadecimal notation for many fields since it
8273 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +01008274
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008275 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01008276
Julien Vehentf21be322014-03-07 08:27:34 -05008277 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01008278
8279 will generate:
8280
8281 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
8282
8283 See also: "unique-id-header"
8284
8285unique-id-header <name>
8286 Add a unique ID header in the HTTP request.
8287 May be used in sections : defaults | frontend | listen | backend
8288 yes | yes | yes | no
8289 Arguments :
8290 <name> is the name of the header.
8291
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008292 Add a unique-id header in the HTTP request sent to the server, using the
8293 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +01008294
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008295 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01008296
Julien Vehentf21be322014-03-07 08:27:34 -05008297 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01008298 unique-id-header X-Unique-ID
8299
8300 will generate:
8301
8302 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
8303
8304 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +01008305
Willy Tarreauf51658d2014-04-23 01:21:56 +02008306use_backend <backend> [{if | unless} <condition>]
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02008307 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008308 May be used in sections : defaults | frontend | listen | backend
8309 no | yes | yes | no
8310 Arguments :
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008311 <backend> is the name of a valid backend or "listen" section, or a
8312 "log-format" string resolving to a backend name.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008313
Willy Tarreauf51658d2014-04-23 01:21:56 +02008314 <condition> is a condition composed of ACLs, as described in section 7. If
8315 it is omitted, the rule is unconditionally applied.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008316
8317 When doing content-switching, connections arrive on a frontend and are then
8318 dispatched to various backends depending on a number of conditions. The
8319 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02008320 "use_backend" keyword. While it is normally used with HTTP processing, it can
8321 also be used in pure TCP, either without content using stateless ACLs (eg:
8322 source address validation) or combined with a "tcp-request" rule to wait for
8323 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008324
8325 There may be as many "use_backend" rules as desired. All of these rules are
8326 evaluated in their declaration order, and the first one which matches will
8327 assign the backend.
8328
8329 In the first form, the backend will be used if the condition is met. In the
8330 second form, the backend will be used if the condition is not met. If no
8331 condition is valid, the backend defined with "default_backend" will be used.
8332 If no default backend is defined, either the servers in the same section are
8333 used (in case of a "listen" section) or, in case of a frontend, no server is
8334 used and a 503 service unavailable response is returned.
8335
Willy Tarreau51aecc72009-07-12 09:47:04 +02008336 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008337 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02008338 and backend processing will immediately follow, or the backend will wait for
8339 a complete HTTP request to get in. This feature is useful when a frontend
8340 must decode several protocols on a unique port, one of them being HTTP.
8341
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008342 When <backend> is a simple name, it is resolved at configuration time, and an
8343 error is reported if the specified backend does not exist. If <backend> is
8344 a log-format string instead, no check may be done at configuration time, so
8345 the backend name is resolved dynamically at run time. If the resulting
8346 backend name does not correspond to any valid backend, no other rule is
8347 evaluated, and the default_backend directive is applied instead. Note that
8348 when using dynamic backend names, it is highly recommended to use a prefix
8349 that no other backend uses in order to ensure that an unauthorized backend
8350 cannot be forced from the request.
8351
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008352 It is worth mentioning that "use_backend" rules with an explicit name are
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008353 used to detect the association between frontends and backends to compute the
8354 backend's "fullconn" setting. This cannot be done for dynamic names.
8355
8356 See also: "default_backend", "tcp-request", "fullconn", "log-format", and
8357 section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01008358
Willy Tarreau036fae02008-01-06 13:24:40 +01008359
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008360use-server <server> if <condition>
8361use-server <server> unless <condition>
8362 Only use a specific server if/unless an ACL-based condition is matched.
8363 May be used in sections : defaults | frontend | listen | backend
8364 no | no | yes | yes
8365 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008366 <server> is the name of a valid server in the same backend section.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008367
8368 <condition> is a condition composed of ACLs, as described in section 7.
8369
8370 By default, connections which arrive to a backend are load-balanced across
8371 the available servers according to the configured algorithm, unless a
8372 persistence mechanism such as a cookie is used and found in the request.
8373
8374 Sometimes it is desirable to forward a particular request to a specific
8375 server without having to declare a dedicated backend for this server. This
8376 can be achieved using the "use-server" rules. These rules are evaluated after
8377 the "redirect" rules and before evaluating cookies, and they have precedence
8378 on them. There may be as many "use-server" rules as desired. All of these
8379 rules are evaluated in their declaration order, and the first one which
8380 matches will assign the server.
8381
8382 If a rule designates a server which is down, and "option persist" is not used
8383 and no force-persist rule was validated, it is ignored and evaluation goes on
8384 with the next rules until one matches.
8385
8386 In the first form, the server will be used if the condition is met. In the
8387 second form, the server will be used if the condition is not met. If no
8388 condition is valid, the processing continues and the server will be assigned
8389 according to other persistence mechanisms.
8390
8391 Note that even if a rule is matched, cookie processing is still performed but
8392 does not assign the server. This allows prefixed cookies to have their prefix
8393 stripped.
8394
8395 The "use-server" statement works both in HTTP and TCP mode. This makes it
8396 suitable for use with content-based inspection. For instance, a server could
8397 be selected in a farm according to the TLS SNI field. And if these servers
8398 have their weight set to zero, they will not be used for other traffic.
8399
8400 Example :
8401 # intercept incoming TLS requests based on the SNI field
8402 use-server www if { req_ssl_sni -i www.example.com }
8403 server www 192.168.0.1:443 weight 0
8404 use-server mail if { req_ssl_sni -i mail.example.com }
8405 server mail 192.168.0.1:587 weight 0
8406 use-server imap if { req_ssl_sni -i imap.example.com }
8407 server mail 192.168.0.1:993 weight 0
8408 # all the rest is forwarded to this server
8409 server default 192.168.0.2:443 check
8410
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008411 See also: "use_backend", section 5 about server and section 7 about ACLs.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008412
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008413
84145. Bind and Server options
8415--------------------------
8416
8417The "bind", "server" and "default-server" keywords support a number of settings
8418depending on some build options and on the system HAProxy was built on. These
8419settings generally each consist in one word sometimes followed by a value,
8420written on the same line as the "bind" or "server" line. All these options are
8421described in this section.
8422
8423
84245.1. Bind options
8425-----------------
8426
8427The "bind" keyword supports a certain number of settings which are all passed
8428as arguments on the same line. The order in which those arguments appear makes
8429no importance, provided that they appear after the bind address. All of these
8430parameters are optional. Some of them consist in a single words (booleans),
8431while other ones expect a value after them. In this case, the value must be
8432provided immediately after the setting name.
8433
8434The currently supported settings are the following ones.
8435
8436accept-proxy
8437 Enforces the use of the PROXY protocol over any connection accepted by any of
Willy Tarreau77992672014-06-14 11:06:17 +02008438 the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
8439 are supported and correctly detected. The PROXY protocol dictates the layer
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008440 3/4 addresses of the incoming connection to be used everywhere an address is
8441 used, with the only exception of "tcp-request connection" rules which will
8442 only see the real connection address. Logs will reflect the addresses
8443 indicated in the protocol, unless it is violated, in which case the real
8444 address will still be used. This keyword combined with support from external
8445 components can be used as an efficient and reliable alternative to the
8446 X-Forwarded-For mechanism which is not always reliable and not even always
Willy Tarreau4f0d9192013-06-11 20:40:55 +02008447 usable. See also "tcp-request connection expect-proxy" for a finer-grained
8448 setting of which client is allowed to use the protocol.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008449
Willy Tarreauab861d32013-04-02 02:30:41 +02008450alpn <protocols>
8451 This enables the TLS ALPN extension and advertises the specified protocol
8452 list as supported on top of ALPN. The protocol list consists in a comma-
8453 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
8454 quotes). This requires that the SSL library is build with support for TLS
8455 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
8456 initial NPN extension.
8457
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008458backlog <backlog>
8459 Sets the socket's backlog to this value. If unspecified, the frontend's
8460 backlog is used instead, which generally defaults to the maxconn value.
8461
Emeric Brun7fb34422012-09-28 15:26:15 +02008462ecdhe <named curve>
8463 This setting is only available when support for OpenSSL was built in. It sets
Emeric Brun6924ef82013-03-06 14:08:53 +01008464 the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
8465 used named curve is prime256v1.
Emeric Brun7fb34422012-09-28 15:26:15 +02008466
Emeric Brunfd33a262012-10-11 16:28:27 +02008467ca-file <cafile>
Emeric Brun1a073b42012-09-28 17:07:34 +02008468 This setting is only available when support for OpenSSL was built in. It
8469 designates a PEM file from which to load CA certificates used to verify
8470 client's certificate.
8471
Emeric Brunb6dc9342012-09-28 17:55:37 +02008472ca-ignore-err [all|<errorID>,...]
8473 This setting is only available when support for OpenSSL was built in.
8474 Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
8475 If set to 'all', all errors are ignored. SSL handshake is not aborted if an
8476 error is ignored.
8477
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008478ciphers <ciphers>
8479 This setting is only available when support for OpenSSL was built in. It sets
8480 the string describing the list of cipher algorithms ("cipher suite") that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008481 negotiated during the SSL/TLS handshake. The format of the string is defined
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008482 in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
8483 such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
8484
Emeric Brunfd33a262012-10-11 16:28:27 +02008485crl-file <crlfile>
Emeric Brun1a073b42012-09-28 17:07:34 +02008486 This setting is only available when support for OpenSSL was built in. It
8487 designates a PEM file from which to load certificate revocation list used
8488 to verify client's certificate.
8489
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008490crt <cert>
Alex Davies0fbf0162013-03-02 16:04:50 +00008491 This setting is only available when support for OpenSSL was built in. It
8492 designates a PEM file containing both the required certificates and any
8493 associated private keys. This file can be built by concatenating multiple
8494 PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
8495 requires an intermediate certificate, this can also be concatenated into this
8496 file.
8497
8498 If the OpenSSL used supports Diffie-Hellman, parameters present in this file
8499 are loaded.
8500
8501 If a directory name is used instead of a PEM file, then all files found in
Emeric Brun4147b2e2014-06-16 18:36:30 +02008502 that directory will be loaded unless their name ends with '.issuer' or
8503 '.ocsp' (reserved extensions). This directive may be specified multiple times
Alex Davies0fbf0162013-03-02 16:04:50 +00008504 in order to load certificates from multiple files or directories. The
8505 certificates will be presented to clients who provide a valid TLS Server Name
8506 Indication field matching one of their CN or alt subjects. Wildcards are
8507 supported, where a wildcard character '*' is used instead of the first
8508 hostname component (eg: *.example.org matches www.example.org but not
8509 www.sub.example.org).
8510
8511 If no SNI is provided by the client or if the SSL library does not support
8512 TLS extensions, or if the client provides an SNI hostname which does not
8513 match any certificate, then the first loaded certificate will be presented.
8514 This means that when loading certificates from a directory, it is highly
8515 recommended to load the default one first as a file.
8516
Emeric Brune032bfa2012-09-28 13:01:45 +02008517 Note that the same cert may be loaded multiple times without side effects.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008518
Alex Davies0fbf0162013-03-02 16:04:50 +00008519 Some CAs (such as Godaddy) offer a drop down list of server types that do not
8520 include HAProxy when obtaining a certificate. If this happens be sure to
Godbach8bf60a12014-04-21 21:42:41 +08008521 choose a webserver that the CA believes requires an intermediate CA (for
Alex Davies0fbf0162013-03-02 16:04:50 +00008522 Godaddy, selection Apache Tomcat will get the correct bundle, but many
8523 others, e.g. nginx, result in a wrong bundle that will not work for some
8524 clients).
8525
Emeric Brun4147b2e2014-06-16 18:36:30 +02008526 For each PEM file, haproxy checks for the presence of file at the same path
8527 suffixed by ".ocsp". If such file is found, support for the TLS Certificate
8528 Status Request extension (also known as "OCSP stapling") is automatically
8529 enabled. The content of this file is optional. If not empty, it must contain
8530 a valid OCSP Response in DER format. In order to be valid an OCSP Response
8531 must comply with the following rules: it has to indicate a good status,
8532 it has to be a single response for the certificate of the PEM file, and it
8533 has to be valid at the moment of addition. If these rules are not respected
8534 the OCSP Response is ignored and a warning is emitted. In order to identify
8535 which certificate an OCSP Response applies to, the issuer's certificate is
8536 necessary. If the issuer's certificate is not found in the PEM file, it will
8537 be loaded from a file at the same path as the PEM file suffixed by ".issuer"
8538 if it exists otherwise it will fail with an error.
8539
Emeric Brunb6dc9342012-09-28 17:55:37 +02008540crt-ignore-err <errors>
Alex Davies0fbf0162013-03-02 16:04:50 +00008541 This setting is only available when support for OpenSSL was built in. Sets a
8542 comma separated list of errorIDs to ignore during verify at depth == 0. If
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008543 set to 'all', all errors are ignored. SSL handshake is not aborted if an error
Alex Davies0fbf0162013-03-02 16:04:50 +00008544 is ignored.
Emeric Brunb6dc9342012-09-28 17:55:37 +02008545
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008546crt-list <file>
8547 This setting is only available when support for OpenSSL was built in. It
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008548 designates a list of PEM file with an optional list of SNI filter per
8549 certificate, with the following format for each line :
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008550
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008551 <crtfile> [[!]<snifilter> ...]
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008552
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008553 Wildcards are supported in the SNI filter. Negative filter are also supported,
8554 only useful in combination with a wildcard filter to exclude a particular SNI.
8555 The certificates will be presented to clients who provide a valid TLS Server
8556 Name Indication field matching one of the SNI filters. If no SNI filter is
8557 specified, the CN and alt subjects are used. This directive may be specified
8558 multiple times. See the "crt" option for more information. The default
8559 certificate is still needed to meet OpenSSL expectations. If it is not used,
8560 the 'strict-sni' option may be used.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008561
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008562defer-accept
8563 Is an optional keyword which is supported only on certain Linux kernels. It
8564 states that a connection will only be accepted once some data arrive on it,
8565 or at worst after the first retransmit. This should be used only on protocols
8566 for which the client talks first (eg: HTTP). It can slightly improve
8567 performance by ensuring that most of the request is already available when
8568 the connection is accepted. On the other hand, it will not be able to detect
8569 connections which don't talk. It is important to note that this option is
8570 broken in all kernels up to 2.6.31, as the connection is never accepted until
8571 the client talks. This can cause issues with front firewalls which would see
8572 an established connection while the proxy will only see it in SYN_RECV. This
8573 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
8574
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008575force-sslv3
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008576 This option enforces use of SSLv3 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008577 this listener. SSLv3 is generally less expensive than the TLS counterparts
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008578 for high connection rates. This option is also available on global statement
8579 "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008580
8581force-tlsv10
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008582 This option enforces use of TLSv1.0 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008583 this listener. This option is also available on global statement
8584 "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008585
8586force-tlsv11
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008587 This option enforces use of TLSv1.1 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008588 this listener. This option is also available on global statement
8589 "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008590
8591force-tlsv12
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008592 This option enforces use of TLSv1.2 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008593 this listener. This option is also available on global statement
8594 "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008595
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008596gid <gid>
8597 Sets the group of the UNIX sockets to the designated system gid. It can also
8598 be set by default in the global section's "unix-bind" statement. Note that
8599 some platforms simply ignore this. This setting is equivalent to the "group"
8600 setting except that the group ID is used instead of its name. This setting is
8601 ignored by non UNIX sockets.
8602
8603group <group>
8604 Sets the group of the UNIX sockets to the designated system group. It can
8605 also be set by default in the global section's "unix-bind" statement. Note
8606 that some platforms simply ignore this. This setting is equivalent to the
8607 "gid" setting except that the group name is used instead of its gid. This
8608 setting is ignored by non UNIX sockets.
8609
8610id <id>
8611 Fixes the socket ID. By default, socket IDs are automatically assigned, but
8612 sometimes it is more convenient to fix them to ease monitoring. This value
8613 must be strictly positive and unique within the listener/frontend. This
8614 option can only be used when defining only a single socket.
8615
8616interface <interface>
Lukas Tribusfce2e962013-02-12 22:13:19 +01008617 Restricts the socket to a specific interface. When specified, only packets
8618 received from that particular interface are processed by the socket. This is
8619 currently only supported on Linux. The interface must be a primary system
8620 interface, not an aliased interface. It is also possible to bind multiple
8621 frontends to the same address if they are bound to different interfaces. Note
8622 that binding to a network interface requires root privileges. This parameter
8623 is only compatible with TCPv4/TCPv6 sockets.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008624
Willy Tarreauabb175f2012-09-24 12:43:26 +02008625level <level>
8626 This setting is used with the stats sockets only to restrict the nature of
8627 the commands that can be issued on the socket. It is ignored by other
8628 sockets. <level> can be one of :
8629 - "user" is the least privileged level ; only non-sensitive stats can be
8630 read, and no change is allowed. It would make sense on systems where it
8631 is not easy to restrict access to the socket.
8632 - "operator" is the default level and fits most common uses. All data can
8633 be read, and only non-sensitive changes are permitted (eg: clear max
8634 counters).
8635 - "admin" should be used with care, as everything is permitted (eg: clear
8636 all counters).
8637
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008638maxconn <maxconn>
8639 Limits the sockets to this number of concurrent connections. Extraneous
8640 connections will remain in the system's backlog until a connection is
8641 released. If unspecified, the limit will be the same as the frontend's
8642 maxconn. Note that in case of port ranges or multiple addresses, the same
8643 value will be applied to each socket. This setting enables different
8644 limitations on expensive sockets, for instance SSL entries which may easily
8645 eat all memory.
8646
8647mode <mode>
8648 Sets the octal mode used to define access permissions on the UNIX socket. It
8649 can also be set by default in the global section's "unix-bind" statement.
8650 Note that some platforms simply ignore this. This setting is ignored by non
8651 UNIX sockets.
8652
8653mss <maxseg>
8654 Sets the TCP Maximum Segment Size (MSS) value to be advertised on incoming
8655 connections. This can be used to force a lower MSS for certain specific
8656 ports, for instance for connections passing through a VPN. Note that this
8657 relies on a kernel feature which is theoretically supported under Linux but
8658 was buggy in all versions prior to 2.6.28. It may or may not work on other
8659 operating systems. It may also not change the advertised value but change the
8660 effective size of outgoing segments. The commonly advertised value for TCPv4
8661 over Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
8662 positive, it will be used as the advertised MSS. If it is negative, it will
8663 indicate by how much to reduce the incoming connection's advertised MSS for
8664 outgoing segments. This parameter is only compatible with TCP v4/v6 sockets.
8665
8666name <name>
8667 Sets an optional name for these sockets, which will be reported on the stats
8668 page.
8669
8670nice <nice>
8671 Sets the 'niceness' of connections initiated from the socket. Value must be
8672 in the range -1024..1024 inclusive, and defaults to zero. Positive values
8673 means that such connections are more friendly to others and easily offer
8674 their place in the scheduler. On the opposite, negative values mean that
8675 connections want to run with a higher priority than others. The difference
8676 only happens under high loads when the system is close to saturation.
8677 Negative values are appropriate for low-latency or administration services,
8678 and high values are generally recommended for CPU intensive tasks such as SSL
8679 processing or bulk transfers which are less sensible to latency. For example,
8680 it may make sense to use a positive value for an SMTP socket and a negative
8681 one for an RDP socket.
8682
Emeric Brun9b3009b2012-10-05 11:55:06 +02008683no-sslv3
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008684 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008685 disables support for SSLv3 on any sockets instantiated from the listener when
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008686 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008687 be enabled using any configuration option. This option is also available on
8688 global statement "ssl-default-bind-options". See also "force-tls*",
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008689 and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008690
Emeric Brun90ad8722012-10-02 14:00:59 +02008691no-tls-tickets
8692 This setting is only available when support for OpenSSL was built in. It
8693 disables the stateless session resumption (RFC 5077 TLS Ticket
8694 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008695 session resumption is more expensive in CPU usage. This option is also
8696 available on global statement "ssl-default-bind-options".
Emeric Brun90ad8722012-10-02 14:00:59 +02008697
Emeric Brun9b3009b2012-10-05 11:55:06 +02008698no-tlsv10
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008699 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008700 disables support for TLSv1.0 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008701 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008702 cannot be enabled using any configuration option. This option is also
8703 available on global statement "ssl-default-bind-options". See also
8704 "force-tlsv*", and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008705
Emeric Brun9b3009b2012-10-05 11:55:06 +02008706no-tlsv11
Emeric Brunf5da4932012-09-28 19:42:54 +02008707 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008708 disables support for TLSv1.1 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008709 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008710 cannot be enabled using any configuration option. This option is also
8711 available on global statement "ssl-default-bind-options". See also
8712 "force-tlsv*", and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02008713
Emeric Brun9b3009b2012-10-05 11:55:06 +02008714no-tlsv12
Emeric Brunf5da4932012-09-28 19:42:54 +02008715 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008716 disables support for TLSv1.2 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008717 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008718 cannot be enabled using any configuration option. This option is also
8719 available on global statement "ssl-default-bind-options". See also
8720 "force-tlsv*", and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02008721
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02008722npn <protocols>
8723 This enables the NPN TLS extension and advertises the specified protocol list
8724 as supported on top of NPN. The protocol list consists in a comma-delimited
8725 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
8726 This requires that the SSL library is build with support for TLS extensions
Willy Tarreauab861d32013-04-02 02:30:41 +02008727 enabled (check with haproxy -vv). Note that the NPN extension has been
8728 replaced with the ALPN extension (see the "alpn" keyword).
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02008729
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02008730process [ all | odd | even | <number 1-64>[-<number 1-64>] ]
8731 This restricts the list of processes on which this listener is allowed to
8732 run. It does not enforce any process but eliminates those which do not match.
8733 If the frontend uses a "bind-process" setting, the intersection between the
8734 two is applied. If in the end the listener is not allowed to run on any
8735 remaining process, a warning is emitted, and the listener will either run on
8736 the first process of the listener if a single process was specified, or on
8737 all of its processes if multiple processes were specified. For the unlikely
Willy Tarreauae302532014-05-07 19:22:24 +02008738 case where several ranges are needed, this directive may be repeated. The
8739 main purpose of this directive is to be used with the stats sockets and have
8740 one different socket per process. The second purpose is to have multiple bind
8741 lines sharing the same IP:port but not the same process in a listener, so
8742 that the system can distribute the incoming connections into multiple queues
8743 and allow a smoother inter-process load balancing. Currently Linux 3.9 and
8744 above is known for supporting this. See also "bind-process" and "nbproc".
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02008745
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008746ssl
8747 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008748 enables SSL deciphering on connections instantiated from this listener. A
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008749 certificate is necessary (see "crt" above). All contents in the buffers will
8750 appear in clear text, so that ACLs and HTTP processing will only have access
8751 to deciphered contents.
8752
Emmanuel Hocdet65623372013-01-24 17:17:15 +01008753strict-sni
8754 This setting is only available when support for OpenSSL was built in. The
8755 SSL/TLS negotiation is allow only if the client provided an SNI which match
8756 a certificate. The default certificate is not used.
8757 See the "crt" option for more information.
8758
Willy Tarreau1c862c52012-10-05 16:21:00 +02008759tfo
Lukas Tribus0defb902013-02-13 23:35:39 +01008760 Is an optional keyword which is supported only on Linux kernels >= 3.7. It
Willy Tarreau1c862c52012-10-05 16:21:00 +02008761 enables TCP Fast Open on the listening socket, which means that clients which
8762 support this feature will be able to send a request and receive a response
8763 during the 3-way handshake starting from second connection, thus saving one
8764 round-trip after the first connection. This only makes sense with protocols
8765 that use high connection rates and where each round trip matters. This can
8766 possibly cause issues with many firewalls which do not accept data on SYN
8767 packets, so this option should only be enabled once well tested. This option
Lukas Tribus0999f762013-04-02 16:43:24 +02008768 is only supported on TCPv4/TCPv6 sockets and ignored by other ones. You may
8769 need to build HAProxy with USE_TFO=1 if your libc doesn't define
8770 TCP_FASTOPEN.
Willy Tarreau1c862c52012-10-05 16:21:00 +02008771
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008772transparent
8773 Is an optional keyword which is supported only on certain Linux kernels. It
8774 indicates that the addresses will be bound even if they do not belong to the
8775 local machine, and that packets targeting any of these addresses will be
8776 intercepted just as if the addresses were locally configured. This normally
8777 requires that IP forwarding is enabled. Caution! do not use this with the
8778 default address '*', as it would redirect any traffic for the specified port.
8779 This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1.
8780 This parameter is only compatible with TCPv4 and TCPv6 sockets, depending on
8781 kernel version. Some distribution kernels include backports of the feature,
8782 so check for support with your vendor.
8783
Willy Tarreau77e3af92012-11-24 15:07:23 +01008784v4v6
8785 Is an optional keyword which is supported only on most recent systems
8786 including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
8787 and IPv6 when it uses the default address. Doing so is sometimes necessary
8788 on systems which bind to IPv6 only by default. It has no effect on non-IPv6
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008789 sockets, and is overridden by the "v6only" option.
Willy Tarreau77e3af92012-11-24 15:07:23 +01008790
Willy Tarreau9b6700f2012-11-24 11:55:28 +01008791v6only
8792 Is an optional keyword which is supported only on most recent systems
8793 including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
8794 when it uses the default address. Doing so is sometimes preferred to doing it
Willy Tarreau77e3af92012-11-24 15:07:23 +01008795 system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
8796 has precedence over the "v4v6" option.
Willy Tarreau9b6700f2012-11-24 11:55:28 +01008797
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008798uid <uid>
8799 Sets the owner of the UNIX sockets to the designated system uid. It can also
8800 be set by default in the global section's "unix-bind" statement. Note that
8801 some platforms simply ignore this. This setting is equivalent to the "user"
8802 setting except that the user numeric ID is used instead of its name. This
8803 setting is ignored by non UNIX sockets.
8804
8805user <user>
8806 Sets the owner of the UNIX sockets to the designated system user. It can also
8807 be set by default in the global section's "unix-bind" statement. Note that
8808 some platforms simply ignore this. This setting is equivalent to the "uid"
8809 setting except that the user name is used instead of its uid. This setting is
8810 ignored by non UNIX sockets.
8811
Emeric Brun1a073b42012-09-28 17:07:34 +02008812verify [none|optional|required]
8813 This setting is only available when support for OpenSSL was built in. If set
8814 to 'none', client certificate is not requested. This is the default. In other
8815 cases, a client certificate is requested. If the client does not provide a
8816 certificate after the request and if 'verify' is set to 'required', then the
8817 handshake is aborted, while it would have succeeded if set to 'optional'. The
Emeric Brunfd33a262012-10-11 16:28:27 +02008818 certificate provided by the client is always verified using CAs from
8819 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
8820 is aborted, regardless of the 'verify' option, unless the error code exactly
8821 matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008822
Willy Tarreaub6205fd2012-09-24 12:27:33 +020088235.2. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01008824------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02008825
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01008826The "server" and "default-server" keywords support a certain number of settings
8827which are all passed as arguments on the server line. The order in which those
8828arguments appear does not count, and they are all optional. Some of those
8829settings are single words (booleans) while others expect one or several values
8830after them. In this case, the values must immediately follow the setting name.
8831Except default-server, all those settings must be specified after the server's
8832address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02008833
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008834 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01008835 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02008836
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008837The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008838
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008839addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008840 Using the "addr" parameter, it becomes possible to use a different IP address
8841 to send health-checks. On some servers, it may be desirable to dedicate an IP
8842 address to specific component able to perform complex tests which are more
8843 suitable to health-checks than the application. This parameter is ignored if
8844 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008845
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008846 Supported in default-server: No
8847
Simon Hormand60d6912013-11-25 10:46:36 +09008848agent-check
8849 Enable an auxiliary agent check which is run independently of a regular
Willy Tarreau81f5d942013-12-09 20:51:51 +01008850 health check. An agent health check is performed by making a TCP connection
8851 to the port set by the "agent-port" parameter and reading an ASCII string.
8852 The string is made of a series of words delimited by spaces, tabs or commas
8853 in any order, optionally terminated by '\r' and/or '\n', each consisting of :
Simon Hormand60d6912013-11-25 10:46:36 +09008854
Willy Tarreau81f5d942013-12-09 20:51:51 +01008855 - An ASCII representation of a positive integer percentage, e.g. "75%".
Simon Hormand60d6912013-11-25 10:46:36 +09008856 Values in this format will set the weight proportional to the initial
Willy Tarreauc5af3a62014-10-07 15:27:33 +02008857 weight of a server as configured when haproxy starts. Note that a zero
8858 weight is reported on the stats page as "DRAIN" since it has the same
8859 effect on the server (it's removed from the LB farm).
Simon Hormand60d6912013-11-25 10:46:36 +09008860
Willy Tarreau81f5d942013-12-09 20:51:51 +01008861 - The word "ready". This will turn the server's administrative state to the
8862 READY mode, thus cancelling any DRAIN or MAINT state
Simon Hormand60d6912013-11-25 10:46:36 +09008863
Willy Tarreau81f5d942013-12-09 20:51:51 +01008864 - The word "drain". This will turn the server's administrative state to the
8865 DRAIN mode, thus it will not accept any new connections other than those
8866 that are accepted via persistence.
Simon Hormand60d6912013-11-25 10:46:36 +09008867
Willy Tarreau81f5d942013-12-09 20:51:51 +01008868 - The word "maint". This will turn the server's administrative state to the
8869 MAINT mode, thus it will not accept any new connections at all, and health
8870 checks will be stopped.
Simon Hormand60d6912013-11-25 10:46:36 +09008871
Willy Tarreau81f5d942013-12-09 20:51:51 +01008872 - The words "down", "failed", or "stopped", optionally followed by a
8873 description string after a sharp ('#'). All of these mark the server's
8874 operating state as DOWN, but since the word itself is reported on the stats
8875 page, the difference allows an administrator to know if the situation was
8876 expected or not : the service may intentionally be stopped, may appear up
8877 but fail some validity tests, or may be seen as down (eg: missing process,
8878 or port not responding).
Simon Hormand60d6912013-11-25 10:46:36 +09008879
Willy Tarreau81f5d942013-12-09 20:51:51 +01008880 - The word "up" sets back the server's operating state as UP if health checks
8881 also report that the service is accessible.
Simon Hormand60d6912013-11-25 10:46:36 +09008882
Willy Tarreau81f5d942013-12-09 20:51:51 +01008883 Parameters which are not advertised by the agent are not changed. For
8884 example, an agent might be designed to monitor CPU usage and only report a
8885 relative weight and never interact with the operating status. Similarly, an
8886 agent could be designed as an end-user interface with 3 radio buttons
8887 allowing an administrator to change only the administrative state. However,
8888 it is important to consider that only the agent may revert its own actions,
8889 so if a server is set to DRAIN mode or to DOWN state using the agent, the
8890 agent must implement the other equivalent actions to bring the service into
8891 operations again.
Simon Hormand60d6912013-11-25 10:46:36 +09008892
Simon Horman2f1f9552013-11-25 10:46:37 +09008893 Failure to connect to the agent is not considered an error as connectivity
8894 is tested by the regular health check which is enabled by the "check"
Willy Tarreau81f5d942013-12-09 20:51:51 +01008895 parameter. Warning though, it is not a good idea to stop an agent after it
8896 reports "down", since only an agent reporting "up" will be able to turn the
8897 server up again. Note that the CLI on the Unix stats socket is also able to
8898 force an agent's result in order to workaround a bogus agent if needed.
Simon Horman2f1f9552013-11-25 10:46:37 +09008899
Willy Tarreau81f5d942013-12-09 20:51:51 +01008900 Requires the "agent-port" parameter to be set. See also the "agent-inter"
8901 parameter.
Simon Hormand60d6912013-11-25 10:46:36 +09008902
8903 Supported in default-server: No
8904
8905agent-inter <delay>
8906 The "agent-inter" parameter sets the interval between two agent checks
8907 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
8908
8909 Just as with every other time-based parameter, it may be entered in any
8910 other explicit unit among { us, ms, s, m, h, d }. The "agent-inter"
8911 parameter also serves as a timeout for agent checks "timeout check" is
8912 not set. In order to reduce "resonance" effects when multiple servers are
8913 hosted on the same hardware, the agent and health checks of all servers
8914 are started with a small time offset between them. It is also possible to
8915 add some random noise in the agent and health checks interval using the
8916 global "spread-checks" keyword. This makes sense for instance when a lot
8917 of backends use the same servers.
8918
8919 See also the "agent-check" and "agent-port" parameters.
8920
8921 Supported in default-server: Yes
8922
8923agent-port <port>
8924 The "agent-port" parameter sets the TCP port used for agent checks.
8925
8926 See also the "agent-check" and "agent-inter" parameters.
8927
8928 Supported in default-server: Yes
8929
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008930backup
8931 When "backup" is present on a server line, the server is only used in load
8932 balancing when all other non-backup servers are unavailable. Requests coming
8933 with a persistence cookie referencing the server will always be served
8934 though. By default, only the first operational backup server is used, unless
8935 the "allbackups" option is set in the backend. See also the "allbackups"
8936 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008937
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008938 Supported in default-server: No
8939
Emeric Brunef42d922012-10-11 16:11:36 +02008940ca-file <cafile>
8941 This setting is only available when support for OpenSSL was built in. It
8942 designates a PEM file from which to load CA certificates used to verify
8943 server's certificate.
8944
8945 Supported in default-server: No
8946
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008947check
8948 This option enables health checks on the server. By default, a server is
Patrick Mézardb7aeec62012-01-22 16:01:22 +01008949 always considered available. If "check" is set, the server is available when
8950 accepting periodic TCP connections, to ensure that it is really able to serve
8951 requests. The default address and port to send the tests to are those of the
8952 server, and the default source is the same as the one defined in the
8953 backend. It is possible to change the address using the "addr" parameter, the
8954 port using the "port" parameter, the source address using the "source"
8955 address, and the interval and timers using the "inter", "rise" and "fall"
Simon Hormanafc47ee2013-11-25 10:46:35 +09008956 parameters. The request method is define in the backend using the "httpchk",
8957 "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
8958 refer to those options and parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008959
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008960 Supported in default-server: No
8961
Willy Tarreau6c16adc2012-10-05 00:04:16 +02008962check-send-proxy
8963 This option forces emission of a PROXY protocol line with outgoing health
8964 checks, regardless of whether the server uses send-proxy or not for the
8965 normal traffic. By default, the PROXY protocol is enabled for health checks
8966 if it is already enabled for normal traffic and if no "port" nor "addr"
8967 directive is present. However, if such a directive is present, the
8968 "check-send-proxy" option needs to be used to force the use of the
8969 protocol. See also the "send-proxy" option for more information.
8970
8971 Supported in default-server: No
8972
Willy Tarreau763a95b2012-10-04 23:15:39 +02008973check-ssl
8974 This option forces encryption of all health checks over SSL, regardless of
8975 whether the server uses SSL or not for the normal traffic. This is generally
8976 used when an explicit "port" or "addr" directive is specified and SSL health
8977 checks are not inherited. It is important to understand that this option
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008978 inserts an SSL transport layer below the checks, so that a simple TCP connect
Willy Tarreau763a95b2012-10-04 23:15:39 +02008979 check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
8980 common use is to send HTTPS checks by combining "httpchk" with SSL checks.
8981 All SSL settings are common to health checks and traffic (eg: ciphers).
8982 See the "ssl" option for more information.
8983
8984 Supported in default-server: No
8985
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008986ciphers <ciphers>
8987 This option sets the string describing the list of cipher algorithms that is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008988 is negotiated during the SSL/TLS handshake with the server. The format of the
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008989 string is defined in "man 1 ciphers". When SSL is used to communicate with
8990 servers on the local network, it is common to see a weaker set of algorithms
8991 than what is used over the internet. Doing so reduces CPU usage on both the
8992 server and haproxy while still keeping it compatible with deployed software.
8993 Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
8994 is needed and just connectivity, using DES can be appropriate.
8995
Willy Tarreau763a95b2012-10-04 23:15:39 +02008996 Supported in default-server: No
8997
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008998cookie <value>
8999 The "cookie" parameter sets the cookie value assigned to the server to
9000 <value>. This value will be checked in incoming requests, and the first
9001 operational server possessing the same value will be selected. In return, in
9002 cookie insertion or rewrite modes, this value will be assigned to the cookie
9003 sent to the client. There is nothing wrong in having several servers sharing
9004 the same cookie value, and it is in fact somewhat common between normal and
9005 backup servers. See also the "cookie" keyword in backend section.
9006
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009007 Supported in default-server: No
9008
Emeric Brunef42d922012-10-11 16:11:36 +02009009crl-file <crlfile>
9010 This setting is only available when support for OpenSSL was built in. It
9011 designates a PEM file from which to load certificate revocation list used
9012 to verify server's certificate.
9013
9014 Supported in default-server: No
9015
Emeric Bruna7aa3092012-10-26 12:58:00 +02009016crt <cert>
9017 This setting is only available when support for OpenSSL was built in.
9018 It designates a PEM file from which to load both a certificate and the
9019 associated private key. This file can be built by concatenating both PEM
9020 files into one. This certificate will be sent if the server send a client
9021 certificate request.
9022
9023 Supported in default-server: No
9024
Willy Tarreau96839092010-03-29 10:02:24 +02009025disabled
9026 The "disabled" keyword starts the server in the "disabled" state. That means
9027 that it is marked down in maintenance mode, and no connection other than the
9028 ones allowed by persist mode will reach it. It is very well suited to setup
9029 new servers, because normal traffic will never reach them, while it is still
9030 possible to test the service by making use of the force-persist mechanism.
9031
9032 Supported in default-server: No
9033
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009034error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01009035 If health observing is enabled, the "error-limit" parameter specifies the
9036 number of consecutive errors that triggers event selected by the "on-error"
9037 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009038
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009039 Supported in default-server: Yes
9040
9041 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009042
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009043fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009044 The "fall" parameter states that a server will be considered as dead after
9045 <count> consecutive unsuccessful health checks. This value defaults to 3 if
9046 unspecified. See also the "check", "inter" and "rise" parameters.
9047
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009048 Supported in default-server: Yes
9049
Emeric Brun8694b9a2012-10-05 14:39:07 +02009050force-sslv3
9051 This option enforces use of SSLv3 only when SSL is used to communicate with
9052 the server. SSLv3 is generally less expensive than the TLS counterparts for
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009053 high connection rates. This option is also available on global statement
9054 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009055
9056 Supported in default-server: No
9057
9058force-tlsv10
9059 This option enforces use of TLSv1.0 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009060 the server. This option is also available on global statement
9061 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009062
9063 Supported in default-server: No
9064
9065force-tlsv11
9066 This option enforces use of TLSv1.1 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009067 the server. This option is also available on global statement
9068 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009069
9070 Supported in default-server: No
9071
9072force-tlsv12
9073 This option enforces use of TLSv1.2 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009074 the server. This option is also available on global statement
9075 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009076
9077 Supported in default-server: No
9078
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009079id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02009080 Set a persistent ID for the server. This ID must be positive and unique for
9081 the proxy. An unused ID will automatically be assigned if unset. The first
9082 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009083
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009084 Supported in default-server: No
9085
9086inter <delay>
9087fastinter <delay>
9088downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009089 The "inter" parameter sets the interval between two consecutive health checks
9090 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
9091 It is also possible to use "fastinter" and "downinter" to optimize delays
9092 between checks depending on the server state :
9093
9094 Server state | Interval used
9095 ---------------------------------+-----------------------------------------
9096 UP 100% (non-transitional) | "inter"
9097 ---------------------------------+-----------------------------------------
9098 Transitionally UP (going down), |
9099 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
9100 or yet unchecked. |
9101 ---------------------------------+-----------------------------------------
9102 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
9103 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01009104
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009105 Just as with every other time-based parameter, they can be entered in any
9106 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
9107 serves as a timeout for health checks sent to servers if "timeout check" is
9108 not set. In order to reduce "resonance" effects when multiple servers are
Simon Hormand60d6912013-11-25 10:46:36 +09009109 hosted on the same hardware, the agent and health checks of all servers
9110 are started with a small time offset between them. It is also possible to
9111 add some random noise in the agent and health checks interval using the
9112 global "spread-checks" keyword. This makes sense for instance when a lot
9113 of backends use the same servers.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009114
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009115 Supported in default-server: Yes
9116
9117maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009118 The "maxconn" parameter specifies the maximal number of concurrent
9119 connections that will be sent to this server. If the number of incoming
9120 concurrent requests goes higher than this value, they will be queued, waiting
9121 for a connection to be released. This parameter is very important as it can
9122 save fragile servers from going down under extreme loads. If a "minconn"
9123 parameter is specified, the limit becomes dynamic. The default value is "0"
9124 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
9125 the backend's "fullconn" keyword.
9126
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009127 Supported in default-server: Yes
9128
9129maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009130 The "maxqueue" parameter specifies the maximal number of connections which
9131 will wait in the queue for this server. If this limit is reached, next
9132 requests will be redispatched to other servers instead of indefinitely
9133 waiting to be served. This will break persistence but may allow people to
9134 quickly re-log in when the server they try to connect to is dying. The
9135 default value is "0" which means the queue is unlimited. See also the
9136 "maxconn" and "minconn" parameters.
9137
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009138 Supported in default-server: Yes
9139
9140minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009141 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
9142 limit following the backend's load. The server will always accept at least
9143 <minconn> connections, never more than <maxconn>, and the limit will be on
9144 the ramp between both values when the backend has less than <fullconn>
9145 concurrent connections. This makes it possible to limit the load on the
9146 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009147 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009148 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009149
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009150 Supported in default-server: Yes
9151
Emeric Brun9b3009b2012-10-05 11:55:06 +02009152no-sslv3
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009153 This option disables support for SSLv3 when SSL is used to communicate with
9154 the server. Note that SSLv2 is disabled in the code and cannot be enabled
Emeric Brun8694b9a2012-10-05 14:39:07 +02009155 using any configuration option. See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009156
Willy Tarreau763a95b2012-10-04 23:15:39 +02009157 Supported in default-server: No
9158
Emeric Brunf9c5c472012-10-11 15:28:34 +02009159no-tls-tickets
9160 This setting is only available when support for OpenSSL was built in. It
9161 disables the stateless session resumption (RFC 5077 TLS Ticket
9162 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009163 session resumption is more expensive in CPU usage for servers. This option
9164 is also available on global statement "ssl-default-server-options".
Emeric Brunf9c5c472012-10-11 15:28:34 +02009165
9166 Supported in default-server: No
9167
Emeric Brun9b3009b2012-10-05 11:55:06 +02009168no-tlsv10
Emeric Brun8694b9a2012-10-05 14:39:07 +02009169 This option disables support for TLSv1.0 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02009170 the server. Note that SSLv2 is disabled in the code and cannot be enabled
9171 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009172 often makes sense to disable it when communicating with local servers. This
9173 option is also available on global statement "ssl-default-server-options".
9174 See also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02009175
Willy Tarreau763a95b2012-10-04 23:15:39 +02009176 Supported in default-server: No
9177
Emeric Brun9b3009b2012-10-05 11:55:06 +02009178no-tlsv11
Emeric Brun8694b9a2012-10-05 14:39:07 +02009179 This option disables support for TLSv1.1 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02009180 the server. Note that SSLv2 is disabled in the code and cannot be enabled
9181 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009182 often makes sense to disable it when communicating with local servers. This
9183 option is also available on global statement "ssl-default-server-options".
9184 See also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02009185
Willy Tarreau763a95b2012-10-04 23:15:39 +02009186 Supported in default-server: No
9187
Emeric Brun9b3009b2012-10-05 11:55:06 +02009188no-tlsv12
Emeric Brun8694b9a2012-10-05 14:39:07 +02009189 This option disables support for TLSv1.2 when SSL is used to communicate with
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009190 the server. Note that SSLv2 is disabled in the code and cannot be enabled
9191 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009192 often makes sense to disable it when communicating with local servers. This
9193 option is also available on global statement "ssl-default-server-options".
9194 See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009195
Willy Tarreau763a95b2012-10-04 23:15:39 +02009196 Supported in default-server: No
9197
Simon Hormanfa461682011-06-25 09:39:49 +09009198non-stick
9199 Never add connections allocated to this sever to a stick-table.
9200 This may be used in conjunction with backup to ensure that
9201 stick-table persistence is disabled for backup servers.
9202
Willy Tarreau763a95b2012-10-04 23:15:39 +02009203 Supported in default-server: No
9204
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009205observe <mode>
9206 This option enables health adjusting based on observing communication with
9207 the server. By default this functionality is disabled and enabling it also
9208 requires to enable health checks. There are two supported modes: "layer4" and
9209 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
9210 significant. In layer7, which is only allowed for http proxies, responses
9211 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +01009212 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009213
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009214 Supported in default-server: No
9215
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009216 See also the "check", "on-error" and "error-limit".
9217
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009218on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009219 Select what should happen when enough consecutive errors are detected.
9220 Currently, four modes are available:
9221 - fastinter: force fastinter
9222 - fail-check: simulate a failed check, also forces fastinter (default)
9223 - sudden-death: simulate a pre-fatal failed health check, one more failed
9224 check will mark a server down, forces fastinter
9225 - mark-down: mark the server immediately down and force fastinter
9226
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009227 Supported in default-server: Yes
9228
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009229 See also the "check", "observe" and "error-limit".
9230
Simon Hormane0d1bfb2011-06-21 14:34:58 +09009231on-marked-down <action>
9232 Modify what occurs when a server is marked down.
9233 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07009234 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
9235 all connections to the server are immediately terminated when the server
9236 goes down. It might be used if the health check detects more complex cases
9237 than a simple connection status, and long timeouts would cause the service
9238 to remain unresponsive for too long a time. For instance, a health check
9239 might detect that a database is stuck and that there's no chance to reuse
9240 existing connections anymore. Connections killed this way are logged with
9241 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +09009242
9243 Actions are disabled by default
9244
9245 Supported in default-server: Yes
9246
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07009247on-marked-up <action>
9248 Modify what occurs when a server is marked up.
9249 Currently one action is available:
9250 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
9251 done only if the server is not in backup state and if it is not disabled
9252 (it must have an effective weight > 0). This can be used sometimes to force
9253 an active server to take all the traffic back after recovery when dealing
9254 with long sessions (eg: LDAP, SQL, ...). Doing this can cause more trouble
9255 than it tries to solve (eg: incomplete transactions), so use this feature
9256 with extreme care. Sessions killed because a server comes up are logged
9257 with an 'U' termination code (for "Up").
9258
9259 Actions are disabled by default
9260
9261 Supported in default-server: Yes
9262
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009263port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009264 Using the "port" parameter, it becomes possible to use a different port to
9265 send health-checks. On some servers, it may be desirable to dedicate a port
9266 to a specific component able to perform complex tests which are more suitable
9267 to health-checks than the application. It is common to run a simple script in
9268 inetd for instance. This parameter is ignored if the "check" parameter is not
9269 set. See also the "addr" parameter.
9270
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009271 Supported in default-server: Yes
9272
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009273redir <prefix>
9274 The "redir" parameter enables the redirection mode for all GET and HEAD
9275 requests addressing this server. This means that instead of having HAProxy
9276 forward the request to the server, it will send an "HTTP 302" response with
9277 the "Location" header composed of this prefix immediately followed by the
9278 requested URI beginning at the leading '/' of the path component. That means
9279 that no trailing slash should be used after <prefix>. All invalid requests
9280 will be rejected, and all non-GET or HEAD requests will be normally served by
9281 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009282 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009283 requests are still analysed, making this solution completely usable to direct
9284 users to a remote location in case of local disaster. Main use consists in
9285 increasing bandwidth for static servers by having the clients directly
9286 connect to them. Note: never use a relative location here, it would cause a
9287 loop between the client and HAProxy!
9288
9289 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
9290
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009291 Supported in default-server: No
9292
9293rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009294 The "rise" parameter states that a server will be considered as operational
9295 after <count> consecutive successful health checks. This value defaults to 2
9296 if unspecified. See also the "check", "inter" and "fall" parameters.
9297
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009298 Supported in default-server: Yes
9299
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01009300send-proxy
9301 The "send-proxy" parameter enforces use of the PROXY protocol over any
9302 connection established to this server. The PROXY protocol informs the other
9303 end about the layer 3/4 addresses of the incoming connection, so that it can
9304 know the client's address or the public address it accessed to, whatever the
9305 upper layer protocol. For connections accepted by an "accept-proxy" listener,
9306 the advertised address will be used. Only TCPv4 and TCPv6 address families
9307 are supported. Other families such as Unix sockets, will report an UNKNOWN
9308 family. Servers using this option can fully be chained to another instance of
9309 haproxy listening with an "accept-proxy" setting. This setting must not be
Willy Tarreau6c16adc2012-10-05 00:04:16 +02009310 used if the server isn't aware of the protocol. When health checks are sent
9311 to the server, the PROXY protocol is automatically used when this option is
9312 set, unless there is an explicit "port" or "addr" directive, in which case an
9313 explicit "check-send-proxy" directive would also be needed to use the PROXY
9314 protocol. See also the "accept-proxy" option of the "bind" keyword.
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01009315
9316 Supported in default-server: No
9317
David Safb76832014-05-08 23:42:08 -04009318send-proxy-v2
9319 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2
9320 over any connection established to this server. The PROXY protocol informs
9321 the other end about the layer 3/4 addresses of the incoming connection, so
9322 that it can know the client's address or the public address it accessed to,
9323 whatever the upper layer protocol. This setting must not be used if the
9324 server isn't aware of this version of the protocol. See also the "send-proxy"
9325 option of the "bind" keyword.
9326
9327 Supported in default-server: No
9328
9329send-proxy-v2-ssl
9330 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
9331 2 over any connection established to this server. The PROXY protocol informs
9332 the other end about the layer 3/4 addresses of the incoming connection, so
9333 that it can know the client's address or the public address it accessed to,
9334 whatever the upper layer protocol. In addition, the SSL information extension
9335 of the PROXY protocol is added to the PROXY protocol header. This setting
9336 must not be used if the server isn't aware of this version of the protocol.
9337 See also the "send-proxy-v2" option of the "bind" keyword.
9338
9339 Supported in default-server: No
9340
9341send-proxy-v2-ssl-cn
9342 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
9343 2 over any connection established to this server. The PROXY protocol informs
9344 the other end about the layer 3/4 addresses of the incoming connection, so
9345 that it can know the client's address or the public address it accessed to,
9346 whatever the upper layer protocol. In addition, the SSL information extension
9347 of the PROXY protocol, along along with the Common Name from the subject of
9348 the client certificate (if any), is added to the PROXY protocol header. This
9349 setting must not be used if the server isn't aware of this version of the
9350 protocol. See also the "send-proxy-v2" option of the "bind" keyword.
9351
9352 Supported in default-server: No
9353
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009354slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009355 The "slowstart" parameter for a server accepts a value in milliseconds which
9356 indicates after how long a server which has just come back up will run at
9357 full speed. Just as with every other time-based parameter, it can be entered
9358 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
9359 linearly from 0 to 100% during this time. The limitation applies to two
9360 parameters :
9361
9362 - maxconn: the number of connections accepted by the server will grow from 1
9363 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
9364
9365 - weight: when the backend uses a dynamic weighted algorithm, the weight
9366 grows linearly from 1 to 100%. In this case, the weight is updated at every
9367 health-check. For this reason, it is important that the "inter" parameter
9368 is smaller than the "slowstart", in order to maximize the number of steps.
9369
9370 The slowstart never applies when haproxy starts, otherwise it would cause
9371 trouble to running servers. It only applies when a server has been previously
9372 seen as failed.
9373
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009374 Supported in default-server: Yes
9375
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009376source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02009377source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009378source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009379 The "source" parameter sets the source address which will be used when
9380 connecting to the server. It follows the exact same parameters and principle
9381 as the backend "source" keyword, except that it only applies to the server
9382 referencing it. Please consult the "source" keyword for details.
9383
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009384 Additionally, the "source" statement on a server line allows one to specify a
9385 source port range by indicating the lower and higher bounds delimited by a
9386 dash ('-'). Some operating systems might require a valid IP address when a
9387 source port range is specified. It is permitted to have the same IP/range for
9388 several servers. Doing so makes it possible to bypass the maximum of 64k
9389 total concurrent connections. The limit will then reach 64k connections per
9390 server.
9391
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009392 Supported in default-server: No
9393
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009394ssl
Willy Tarreau44f65392013-06-25 07:56:20 +02009395 This option enables SSL ciphering on outgoing connections to the server. It
9396 is critical to verify server certificates using "verify" when using SSL to
9397 connect to servers, otherwise the communication is prone to trivial man in
9398 the-middle attacks rendering SSL useless. When this option is used, health
9399 checks are automatically sent in SSL too unless there is a "port" or an
9400 "addr" directive indicating the check should be sent to a different location.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009401 See the "check-ssl" option to force SSL health checks.
Willy Tarreau763a95b2012-10-04 23:15:39 +02009402
9403 Supported in default-server: No
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009404
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009405track [<proxy>/]<server>
Willy Tarreau32091232014-05-16 13:52:00 +02009406 This option enables ability to set the current state of the server by tracking
9407 another one. It is possible to track a server which itself tracks another
9408 server, provided that at the end of the chain, a server has health checks
9409 enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009410 used, it has to be enabled on both proxies.
9411
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009412 Supported in default-server: No
9413
Emeric Brunef42d922012-10-11 16:11:36 +02009414verify [none|required]
9415 This setting is only available when support for OpenSSL was built in. If set
Emeric Brun850efd52014-01-29 12:24:34 +01009416 to 'none', server certificate is not verified. In the other case, The
9417 certificate provided by the server is verified using CAs from 'ca-file'
9418 and optional CRLs from 'crl-file'. If 'ssl_server_verify' is not specified
9419 in global section, this is the default. On verify failure the handshake
Willy Tarreau44f65392013-06-25 07:56:20 +02009420 is aborted. It is critically important to verify server certificates when
9421 using SSL to connect to servers, otherwise the communication is prone to
9422 trivial man-in-the-middle attacks rendering SSL totally useless.
Emeric Brunef42d922012-10-11 16:11:36 +02009423
9424 Supported in default-server: No
9425
Evan Broderbe554312013-06-27 00:05:25 -07009426verifyhost <hostname>
9427 This setting is only available when support for OpenSSL was built in, and
9428 only takes effect if 'verify required' is also specified. When set, the
9429 hostnames in the subject and subjectAlternateNames of the certificate
9430 provided by the server are checked. If none of the hostnames in the
9431 certificate match the specified hostname, the handshake is aborted. The
9432 hostnames in the server-provided certificate may include wildcards.
9433
9434 Supported in default-server: No
9435
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009436weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009437 The "weight" parameter is used to adjust the server's weight relative to
9438 other servers. All servers will receive a load proportional to their weight
9439 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02009440 load. The default weight is 1, and the maximal value is 256. A value of 0
9441 means the server will not participate in load-balancing but will still accept
9442 persistent connections. If this parameter is used to distribute the load
9443 according to server's capacity, it is recommended to start with values which
9444 can both grow and shrink, for instance between 10 and 100 to leave enough
9445 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009446
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009447 Supported in default-server: Yes
9448
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009449
94506. HTTP header manipulation
9451---------------------------
9452
9453In HTTP mode, it is possible to rewrite, add or delete some of the request and
9454response headers based on regular expressions. It is also possible to block a
9455request or a response if a particular header matches a regular expression,
9456which is enough to stop most elementary protocol attacks, and to protect
Willy Tarreau70dffda2014-01-30 03:07:23 +01009457against information leak from the internal network.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009458
Willy Tarreau70dffda2014-01-30 03:07:23 +01009459If HAProxy encounters an "Informational Response" (status code 1xx), it is able
9460to process all rsp* rules which can allow, deny, rewrite or delete a header,
9461but it will refuse to add a header to any such messages as this is not
9462HTTP-compliant. The reason for still processing headers in such responses is to
9463stop and/or fix any possible information leak which may happen, for instance
9464because another downstream equipment would unconditionally add a header, or if
9465a server name appears there. When such messages are seen, normal processing
9466still occurs on the next non-informational messages.
Willy Tarreau816b9792009-09-15 21:25:21 +02009467
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009468This section covers common usage of the following keywords, described in detail
9469in section 4.2 :
9470
9471 - reqadd <string>
9472 - reqallow <search>
9473 - reqiallow <search>
9474 - reqdel <search>
9475 - reqidel <search>
9476 - reqdeny <search>
9477 - reqideny <search>
9478 - reqpass <search>
9479 - reqipass <search>
9480 - reqrep <search> <replace>
9481 - reqirep <search> <replace>
9482 - reqtarpit <search>
9483 - reqitarpit <search>
9484 - rspadd <string>
9485 - rspdel <search>
9486 - rspidel <search>
9487 - rspdeny <search>
9488 - rspideny <search>
9489 - rsprep <search> <replace>
9490 - rspirep <search> <replace>
9491
9492With all these keywords, the same conventions are used. The <search> parameter
9493is a POSIX extended regular expression (regex) which supports grouping through
9494parenthesis (without the backslash). Spaces and other delimiters must be
9495prefixed with a backslash ('\') to avoid confusion with a field delimiter.
9496Other characters may be prefixed with a backslash to change their meaning :
9497
9498 \t for a tab
9499 \r for a carriage return (CR)
9500 \n for a new line (LF)
9501 \ to mark a space and differentiate it from a delimiter
9502 \# to mark a sharp and differentiate it from a comment
9503 \\ to use a backslash in a regex
9504 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
9505 \xXX to write the ASCII hex code XX as in the C language
9506
9507The <replace> parameter contains the string to be used to replace the largest
9508portion of text matching the regex. It can make use of the special characters
9509above, and can reference a substring which is delimited by parenthesis in the
9510regex, by writing a backslash ('\') immediately followed by one digit from 0 to
95119 indicating the group position (0 designating the entire line). This practice
9512is very common to users of the "sed" program.
9513
9514The <string> parameter represents the string which will systematically be added
9515after the last header line. It can also use special character sequences above.
9516
9517Notes related to these keywords :
9518---------------------------------
9519 - these keywords are not always convenient to allow/deny based on header
9520 contents. It is strongly recommended to use ACLs with the "block" keyword
9521 instead, resulting in far more flexible and manageable rules.
9522
9523 - lines are always considered as a whole. It is not possible to reference
9524 a header name only or a value only. This is important because of the way
9525 headers are written (notably the number of spaces after the colon).
9526
9527 - the first line is always considered as a header, which makes it possible to
9528 rewrite or filter HTTP requests URIs or response codes, but in turn makes
9529 it harder to distinguish between headers and request line. The regex prefix
9530 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
9531 ^[^ \t:]*: matches any header name followed by a colon.
9532
9533 - for performances reasons, the number of characters added to a request or to
9534 a response is limited at build time to values between 1 and 4 kB. This
9535 should normally be far more than enough for most usages. If it is too short
9536 on occasional usages, it is possible to gain some space by removing some
9537 useless headers before adding new ones.
9538
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009539 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009540 without the 'i' letter except that they ignore case when matching patterns.
9541
9542 - when a request passes through a frontend then a backend, all req* rules
9543 from the frontend will be evaluated, then all req* rules from the backend
9544 will be evaluated. The reverse path is applied to responses.
9545
9546 - req* statements are applied after "block" statements, so that "block" is
9547 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01009548 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009549
9550
Willy Tarreau74ca5042013-06-11 23:12:07 +020095517. Using ACLs and fetching samples
9552----------------------------------
9553
9554Haproxy is capable of extracting data from request or response streams, from
9555client or server information, from tables, environmental information etc...
9556The action of extracting such data is called fetching a sample. Once retrieved,
9557these samples may be used for various purposes such as a key to a stick-table,
9558but most common usages consist in matching them against predefined constant
9559data called patterns.
9560
9561
95627.1. ACL basics
9563---------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009564
9565The use of Access Control Lists (ACL) provides a flexible solution to perform
9566content switching and generally to take decisions based on content extracted
9567from the request, the response or any environmental status. The principle is
9568simple :
9569
Willy Tarreau74ca5042013-06-11 23:12:07 +02009570 - extract a data sample from a stream, table or the environment
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009571 - optionally apply some format conversion to the extracted sample
Willy Tarreau74ca5042013-06-11 23:12:07 +02009572 - apply one or multiple pattern matching methods on this sample
9573 - perform actions only when a pattern matches the sample
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009574
Willy Tarreau74ca5042013-06-11 23:12:07 +02009575The actions generally consist in blocking a request, selecting a backend, or
9576adding a header.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009577
9578In order to define a test, the "acl" keyword is used. The syntax is :
9579
Willy Tarreau74ca5042013-06-11 23:12:07 +02009580 acl <aclname> <criterion> [flags] [operator] [<value>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009581
9582This creates a new ACL <aclname> or completes an existing one with new tests.
9583Those tests apply to the portion of request/response specified in <criterion>
9584and may be adjusted with optional flags [flags]. Some criteria also support
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009585an operator which may be specified before the set of values. Optionally some
9586conversion operators may be applied to the sample, and they will be specified
9587as a comma-delimited list of keywords just after the first keyword. The values
9588are of the type supported by the criterion, and are separated by spaces.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009589
9590ACL names must be formed from upper and lower case letters, digits, '-' (dash),
9591'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
9592which means that "my_acl" and "My_Acl" are two different ACLs.
9593
9594There is no enforced limit to the number of ACLs. The unused ones do not affect
9595performance, they just consume a small amount of memory.
9596
Willy Tarreau74ca5042013-06-11 23:12:07 +02009597The criterion generally is the name of a sample fetch method, or one of its ACL
9598specific declinations. The default test method is implied by the output type of
9599this sample fetch method. The ACL declinations can describe alternate matching
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009600methods of a same sample fetch method. The sample fetch methods are the only
9601ones supporting a conversion.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009602
9603Sample fetch methods return data which can be of the following types :
9604 - boolean
9605 - integer (signed or unsigned)
9606 - IPv4 or IPv6 address
9607 - string
9608 - data block
9609
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009610Converters transform any of these data into any of these. For example, some
9611converters might convert a string to a lower-case string while other ones
9612would turn a string to an IPv4 address, or apply a netmask to an IP address.
9613The resulting sample is of the type of the last converter applied to the list,
9614which defaults to the type of the sample fetch method.
9615
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009616Each sample or converter returns data of a specific type, specified with its
9617keyword in this documentation. When an ACL is declared using a standard sample
9618fetch method, certain types automatically involved a default matching method
9619which are summarized in the table below :
9620
9621 +---------------------+-----------------+
9622 | Sample or converter | Default |
9623 | output type | matching method |
9624 +---------------------+-----------------+
9625 | boolean | bool |
9626 +---------------------+-----------------+
9627 | integer | int |
9628 +---------------------+-----------------+
9629 | ip | ip |
9630 +---------------------+-----------------+
9631 | string | str |
9632 +---------------------+-----------------+
9633 | binary | none, use "-m" |
9634 +---------------------+-----------------+
9635
9636Note that in order to match a binary samples, it is mandatory to specify a
9637matching method, see below.
9638
Willy Tarreau74ca5042013-06-11 23:12:07 +02009639The ACL engine can match these types against patterns of the following types :
9640 - boolean
9641 - integer or integer range
9642 - IP address / network
9643 - string (exact, substring, suffix, prefix, subdir, domain)
9644 - regular expression
9645 - hex block
9646
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009647The following ACL flags are currently supported :
9648
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009649 -i : ignore case during matching of all subsequent patterns.
9650 -f : load patterns from a file.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009651 -m : use a specific pattern matching method
Thierry FOURNIERb7729c92014-02-11 16:24:41 +01009652 -n : forbid the DNS resolutions
Thierry FOURNIER9860c412014-01-29 14:23:29 +01009653 -M : load the file pointed by -f like a map file.
Thierry FOURNIER3534d882014-01-20 17:01:44 +01009654 -u : force the unique id of the ACL
Willy Tarreau6a06a402007-07-15 20:15:28 +02009655 -- : force end of flags. Useful when a string looks like one of the flags.
9656
Willy Tarreau74ca5042013-06-11 23:12:07 +02009657The "-f" flag is followed by the name of a file from which all lines will be
9658read as individual values. It is even possible to pass multiple "-f" arguments
9659if the patterns are to be loaded from multiple files. Empty lines as well as
9660lines beginning with a sharp ('#') will be ignored. All leading spaces and tabs
9661will be stripped. If it is absolutely necessary to insert a valid pattern
9662beginning with a sharp, just prefix it with a space so that it is not taken for
9663a comment. Depending on the data type and match method, haproxy may load the
9664lines into a binary tree, allowing very fast lookups. This is true for IPv4 and
9665exact string matching. In this case, duplicates will automatically be removed.
9666
Thierry FOURNIER9860c412014-01-29 14:23:29 +01009667The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
9668parsed as two column file. The first column contains the patterns used by the
9669ACL, and the second column contain the samples. The sample can be used later by
9670a map. This can be useful in some rare cases where an ACL would just be used to
9671check for the existence of a pattern in a map before a mapping is applied.
9672
Thierry FOURNIER3534d882014-01-20 17:01:44 +01009673The "-u" flag forces the unique id of the ACL. This unique id is used with the
9674socket interface to identify ACL and dynamically change its values. Note that a
9675file is always identified by its name even if an id is set.
9676
Willy Tarreau74ca5042013-06-11 23:12:07 +02009677Also, note that the "-i" flag applies to subsequent entries and not to entries
9678loaded from files preceding it. For instance :
9679
9680 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
9681
9682In this example, each line of "exact-ua.lst" will be exactly matched against
9683the "user-agent" header of the request. Then each line of "generic-ua" will be
9684case-insensitively matched. Then the word "test" will be insensitively matched
9685as well.
9686
9687The "-m" flag is used to select a specific pattern matching method on the input
9688sample. All ACL-specific criteria imply a pattern matching method and generally
9689do not need this flag. However, this flag is useful with generic sample fetch
9690methods to describe how they're going to be matched against the patterns. This
9691is required for sample fetches which return data type for which there is no
9692obvious matching method (eg: string or binary). When "-m" is specified and
9693followed by a pattern matching method name, this method is used instead of the
9694default one for the criterion. This makes it possible to match contents in ways
9695that were not initially planned, or with sample fetch methods which return a
9696string. The matching method also affects the way the patterns are parsed.
9697
Thierry FOURNIERb7729c92014-02-11 16:24:41 +01009698The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
9699By default, if the parser cannot parse ip address it considers that the parsed
9700string is maybe a domain name and try dns resolution. The flag "-n" disable this
9701resolution. It is useful for detecting malformed ip lists. Note that if the DNS
9702server is not reachable, the haproxy configuration parsing may last many minutes
9703waiting fir the timeout. During this time no error messages are displayed. The
9704flag "-n" disable this behavior. Note also that during the runtime, this
9705function is disabled for the dynamic acl modifications.
9706
Willy Tarreau74ca5042013-06-11 23:12:07 +02009707There are some restrictions however. Not all methods can be used with all
9708sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
9709be placed first. The pattern matching method must be one of the following :
Willy Tarreau5adeda12013-03-31 22:13:34 +02009710
9711 - "found" : only check if the requested sample could be found in the stream,
9712 but do not compare it against any pattern. It is recommended not
Willy Tarreau74ca5042013-06-11 23:12:07 +02009713 to pass any pattern to avoid confusion. This matching method is
9714 particularly useful to detect presence of certain contents such
9715 as headers, cookies, etc... even if they are empty and without
9716 comparing them to anything nor counting them.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009717
9718 - "bool" : check the value as a boolean. It can only be applied to fetches
9719 which return a boolean or integer value, and takes no pattern.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009720 Value zero or false does not match, all other values do match.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009721
9722 - "int" : match the value as an integer. It can be used with integer and
Willy Tarreau74ca5042013-06-11 23:12:07 +02009723 boolean samples. Boolean false is integer 0, true is integer 1.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009724
9725 - "ip" : match the value as an IPv4 or IPv6 address. It is compatible
Willy Tarreau74ca5042013-06-11 23:12:07 +02009726 with IP address samples only, so it is implied and never needed.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009727
9728 - "bin" : match the contents against an hexadecimal string representing a
9729 binary sequence. This may be used with binary or string samples.
9730
9731 - "len" : match the sample's length as an integer. This may be used with
9732 binary or string samples.
9733
Willy Tarreau74ca5042013-06-11 23:12:07 +02009734 - "str" : exact match : match the contents against a string. This may be
9735 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009736
Willy Tarreau74ca5042013-06-11 23:12:07 +02009737 - "sub" : substring match : check that the contents contain at least one of
9738 the provided string patterns. This may be used with binary or
9739 string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009740
Willy Tarreau74ca5042013-06-11 23:12:07 +02009741 - "reg" : regex match : match the contents against a list of regular
9742 expressions. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009743
Willy Tarreau74ca5042013-06-11 23:12:07 +02009744 - "beg" : prefix match : check that the contents begin like the provided
9745 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009746
Willy Tarreau74ca5042013-06-11 23:12:07 +02009747 - "end" : suffix match : check that the contents end like the provided
9748 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009749
Willy Tarreau74ca5042013-06-11 23:12:07 +02009750 - "dir" : subdir match : check that a slash-delimited portion of the
9751 contents exactly matches one of the provided string patterns.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009752 This may be used with binary or string samples.
9753
Willy Tarreau74ca5042013-06-11 23:12:07 +02009754 - "dom" : domain match : check that a dot-delimited portion of the contents
9755 exactly match one of the provided string patterns. This may be
9756 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009757
9758For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
9759request, it is possible to do :
9760
9761 acl jsess_present cook(JSESSIONID) -m found
9762
9763In order to apply a regular expression on the 500 first bytes of data in the
9764buffer, one would use the following acl :
9765
9766 acl script_tag payload(0,500) -m reg -i <script>
9767
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009768On systems where the regex library is much slower when using "-i", it is
9769possible to convert the sample to lowercase before matching, like this :
9770
9771 acl script_tag payload(0,500),lower -m reg <script>
9772
Willy Tarreau74ca5042013-06-11 23:12:07 +02009773All ACL-specific criteria imply a default matching method. Most often, these
9774criteria are composed by concatenating the name of the original sample fetch
9775method and the matching method. For example, "hdr_beg" applies the "beg" match
9776to samples retrieved using the "hdr" fetch method. Since all ACL-specific
9777criteria rely on a sample fetch method, it is always possible instead to use
9778the original sample fetch method and the explicit matching method using "-m".
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009779
Willy Tarreau74ca5042013-06-11 23:12:07 +02009780If an alternate match is specified using "-m" on an ACL-specific criterion,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009781the matching method is simply applied to the underlying sample fetch method.
9782For example, all ACLs below are exact equivalent :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009783
Willy Tarreau74ca5042013-06-11 23:12:07 +02009784 acl short_form hdr_beg(host) www.
9785 acl alternate1 hdr_beg(host) -m beg www.
9786 acl alternate2 hdr_dom(host) -m beg www.
9787 acl alternate3 hdr(host) -m beg www.
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009788
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009789
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009790The table below summarizes the compatibility matrix between sample or converter
9791types and the pattern types to fetch against. It indicates for each compatible
9792combination the name of the matching method to be used, surrounded with angle
9793brackets ">" and "<" when the method is the default one and will work by
9794default without "-m".
Willy Tarreau0ba27502007-12-24 16:55:16 +01009795
Willy Tarreau74ca5042013-06-11 23:12:07 +02009796 +-------------------------------------------------+
9797 | Input sample type |
9798 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009799 | pattern type | boolean | integer | ip | string | binary |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009800 +----------------------+---------+---------+---------+---------+---------+
9801 | none (presence only) | found | found | found | found | found |
9802 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009803 | none (boolean value) |> bool <| bool | | bool | |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009804 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009805 | integer (value) | int |> int <| int | int | |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009806 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009807 | integer (length) | len | len | len | len | len |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009808 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009809 | IP address | | |> ip <| ip | ip |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009810 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009811 | exact string | str | str | str |> str <| str |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009812 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009813 | prefix | beg | beg | beg | beg | beg |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009814 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009815 | suffix | end | end | end | end | end |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009816 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009817 | substring | sub | sub | sub | sub | sub |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009818 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009819 | subdir | dir | dir | dir | dir | dir |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009820 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009821 | domain | dom | dom | dom | dom | dom |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009822 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009823 | regex | reg | reg | reg | reg | reg |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009824 +----------------------+---------+---------+---------+---------+---------+
9825 | hex block | | | | bin | bin |
9826 +----------------------+---------+---------+---------+---------+---------+
Willy Tarreau6a06a402007-07-15 20:15:28 +02009827
9828
Willy Tarreau74ca5042013-06-11 23:12:07 +020098297.1.1. Matching booleans
9830------------------------
9831
9832In order to match a boolean, no value is needed and all values are ignored.
9833Boolean matching is used by default for all fetch methods of type "boolean".
9834When boolean matching is used, the fetched value is returned as-is, which means
9835that a boolean "true" will always match and a boolean "false" will never match.
9836
9837Boolean matching may also be enforced using "-m bool" on fetch methods which
9838return an integer value. Then, integer value 0 is converted to the boolean
9839"false" and all other values are converted to "true".
9840
Willy Tarreau6a06a402007-07-15 20:15:28 +02009841
Willy Tarreau74ca5042013-06-11 23:12:07 +020098427.1.2. Matching integers
9843------------------------
9844
9845Integer matching applies by default to integer fetch methods. It can also be
9846enforced on boolean fetches using "-m int". In this case, "false" is converted
9847to the integer 0, and "true" is converted to the integer 1.
9848
9849Integer matching also supports integer ranges and operators. Note that integer
9850matching only applies to positive values. A range is a value expressed with a
9851lower and an upper bound separated with a colon, both of which may be omitted.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009852
9853For instance, "1024:65535" is a valid range to represent a range of
9854unprivileged ports, and "1024:" would also work. "0:1023" is a valid
9855representation of privileged ports, and ":1023" would also work.
9856
Willy Tarreau62644772008-07-16 18:36:06 +02009857As a special case, some ACL functions support decimal numbers which are in fact
9858two integers separated by a dot. This is used with some version checks for
9859instance. All integer properties apply to those decimal numbers, including
9860ranges and operators.
9861
Willy Tarreau6a06a402007-07-15 20:15:28 +02009862For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01009863operators with ranges does not make much sense and is strongly discouraged.
9864Similarly, it does not make much sense to perform order comparisons with a set
9865of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009866
Willy Tarreau0ba27502007-12-24 16:55:16 +01009867Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02009868
9869 eq : true if the tested value equals at least one value
9870 ge : true if the tested value is greater than or equal to at least one value
9871 gt : true if the tested value is greater than at least one value
9872 le : true if the tested value is less than or equal to at least one value
9873 lt : true if the tested value is less than at least one value
9874
Willy Tarreau0ba27502007-12-24 16:55:16 +01009875For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02009876
9877 acl negative-length hdr_val(content-length) lt 0
9878
Willy Tarreau62644772008-07-16 18:36:06 +02009879This one matches SSL versions between 3.0 and 3.1 (inclusive) :
9880
9881 acl sslv3 req_ssl_ver 3:3.1
9882
Willy Tarreau6a06a402007-07-15 20:15:28 +02009883
Willy Tarreau74ca5042013-06-11 23:12:07 +020098847.1.3. Matching strings
9885-----------------------
9886
9887String matching applies to string or binary fetch methods, and exists in 6
9888different forms :
9889
9890 - exact match (-m str) : the extracted string must exactly match the
9891 patterns ;
9892
9893 - substring match (-m sub) : the patterns are looked up inside the
9894 extracted string, and the ACL matches if any of them is found inside ;
9895
9896 - prefix match (-m beg) : the patterns are compared with the beginning of
9897 the extracted string, and the ACL matches if any of them matches.
9898
9899 - suffix match (-m end) : the patterns are compared with the end of the
9900 extracted string, and the ACL matches if any of them matches.
9901
9902 - subdir match (-m sub) : the patterns are looked up inside the extracted
9903 string, delimited with slashes ("/"), and the ACL matches if any of them
9904 matches.
9905
9906 - domain match (-m dom) : the patterns are looked up inside the extracted
9907 string, delimited with dots ("."), and the ACL matches if any of them
9908 matches.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009909
9910String matching applies to verbatim strings as they are passed, with the
9911exception of the backslash ("\") which makes it possible to escape some
9912characters such as the space. If the "-i" flag is passed before the first
9913string, then the matching will be performed ignoring the case. In order
9914to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01009915before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02009916
9917
Willy Tarreau74ca5042013-06-11 23:12:07 +020099187.1.4. Matching regular expressions (regexes)
9919---------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02009920
9921Just like with string matching, regex matching applies to verbatim strings as
9922they are passed, with the exception of the backslash ("\") which makes it
9923possible to escape some characters such as the space. If the "-i" flag is
9924passed before the first regex, then the matching will be performed ignoring
9925the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01009926the "--" flag before the first string. Same principle applies of course to
9927match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02009928
9929
Willy Tarreau74ca5042013-06-11 23:12:07 +020099307.1.5. Matching arbitrary data blocks
9931-------------------------------------
9932
9933It is possible to match some extracted samples against a binary block which may
9934not safely be represented as a string. For this, the patterns must be passed as
9935a series of hexadecimal digits in an even number, when the match method is set
9936to binary. Each sequence of two digits will represent a byte. The hexadecimal
9937digits may be used upper or lower case.
9938
9939Example :
9940 # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
9941 acl hello payload(0,6) -m bin 48656c6c6f0a
9942
9943
99447.1.6. Matching IPv4 and IPv6 addresses
9945---------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02009946
9947IPv4 addresses values can be specified either as plain addresses or with a
9948netmask appended, in which case the IPv4 address matches whenever it is
9949within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01009950host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01009951difficult to read and debug configurations. If hostnames are used, you should
9952at least ensure that they are present in /etc/hosts so that the configuration
9953does not depend on any random DNS match at the moment the configuration is
9954parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009955
Willy Tarreauceb4ac92012-04-28 00:41:46 +02009956IPv6 may be entered in their usual form, with or without a netmask appended.
9957Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
9958trouble with randomly resolved IP addresses, host names are never allowed in
9959IPv6 patterns.
9960
9961HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
9962following situations :
9963 - tested address is IPv4, pattern address is IPv4, the match applies
9964 in IPv4 using the supplied mask if any.
9965 - tested address is IPv6, pattern address is IPv6, the match applies
9966 in IPv6 using the supplied mask if any.
9967 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
9968 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
9969 ::IPV4 or ::ffff:IPV4, otherwise it fails.
9970 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
9971 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
9972 applied in IPv6 using the supplied IPv6 mask.
9973
Willy Tarreau74ca5042013-06-11 23:12:07 +02009974
99757.2. Using ACLs to form conditions
9976----------------------------------
9977
9978Some actions are only performed upon a valid condition. A condition is a
9979combination of ACLs with operators. 3 operators are supported :
9980
9981 - AND (implicit)
9982 - OR (explicit with the "or" keyword or the "||" operator)
9983 - Negation with the exclamation mark ("!")
Willy Tarreau6a06a402007-07-15 20:15:28 +02009984
Willy Tarreau74ca5042013-06-11 23:12:07 +02009985A condition is formed as a disjunctive form:
Willy Tarreau6a06a402007-07-15 20:15:28 +02009986
Willy Tarreau74ca5042013-06-11 23:12:07 +02009987 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreaubef91e72013-03-31 23:14:46 +02009988
Willy Tarreau74ca5042013-06-11 23:12:07 +02009989Such conditions are generally used after an "if" or "unless" statement,
9990indicating when the condition will trigger the action.
Willy Tarreaubef91e72013-03-31 23:14:46 +02009991
Willy Tarreau74ca5042013-06-11 23:12:07 +02009992For instance, to block HTTP requests to the "*" URL with methods other than
9993"OPTIONS", as well as POST requests without content-length, and GET or HEAD
9994requests with a content-length greater than 0, and finally every request which
9995is not either GET/HEAD/POST/OPTIONS !
9996
9997 acl missing_cl hdr_cnt(Content-length) eq 0
9998 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
9999 block if METH_GET HTTP_CONTENT
10000 block unless METH_GET or METH_POST or METH_OPTIONS
10001
10002To select a different backend for requests to static contents on the "www" site
10003and to every request on the "img", "video", "download" and "ftp" hosts :
10004
10005 acl url_static path_beg /static /images /img /css
10006 acl url_static path_end .gif .png .jpg .css .js
10007 acl host_www hdr_beg(host) -i www
10008 acl host_static hdr_beg(host) -i img. video. download. ftp.
10009
10010 # now use backend "static" for all static-only hosts, and for static urls
10011 # of host "www". Use backend "www" for the rest.
10012 use_backend static if host_static or host_www url_static
10013 use_backend www if host_www
10014
10015It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
10016expressions that are built on the fly without needing to be declared. They must
10017be enclosed between braces, with a space before and after each brace (because
10018the braces must be seen as independent words). Example :
10019
10020 The following rule :
10021
10022 acl missing_cl hdr_cnt(Content-length) eq 0
10023 block if METH_POST missing_cl
10024
10025 Can also be written that way :
10026
10027 block if METH_POST { hdr_cnt(Content-length) eq 0 }
10028
10029It is generally not recommended to use this construct because it's a lot easier
10030to leave errors in the configuration when written that way. However, for very
10031simple rules matching only one source IP address for instance, it can make more
10032sense to use them than to declare ACLs with random names. Another example of
10033good use is the following :
10034
10035 With named ACLs :
10036
10037 acl site_dead nbsrv(dynamic) lt 2
10038 acl site_dead nbsrv(static) lt 2
10039 monitor fail if site_dead
10040
10041 With anonymous ACLs :
10042
10043 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
10044
10045See section 4.2 for detailed help on the "block" and "use_backend" keywords.
10046
10047
100487.3. Fetching samples
10049---------------------
10050
10051Historically, sample fetch methods were only used to retrieve data to match
10052against patterns using ACLs. With the arrival of stick-tables, a new class of
10053sample fetch methods was created, most often sharing the same syntax as their
10054ACL counterpart. These sample fetch methods are also known as "fetches". As
10055of now, ACLs and fetches have converged. All ACL fetch methods have been made
10056available as fetch methods, and ACLs may use any sample fetch method as well.
10057
10058This section details all available sample fetch methods and their output type.
10059Some sample fetch methods have deprecated aliases that are used to maintain
10060compatibility with existing configurations. They are then explicitly marked as
10061deprecated and should not be used in new setups.
10062
10063The ACL derivatives are also indicated when available, with their respective
10064matching methods. These ones all have a well defined default pattern matching
10065method, so it is never necessary (though allowed) to pass the "-m" option to
10066indicate how the sample will be matched using ACLs.
10067
10068As indicated in the sample type versus matching compatibility matrix above,
10069when using a generic sample fetch method in an ACL, the "-m" option is
10070mandatory unless the sample type is one of boolean, integer, IPv4 or IPv6. When
10071the same keyword exists as an ACL keyword and as a standard fetch method, the
10072ACL engine will automatically pick the ACL-only one by default.
10073
10074Some of these keywords support one or multiple mandatory arguments, and one or
10075multiple optional arguments. These arguments are strongly typed and are checked
10076when the configuration is parsed so that there is no risk of running with an
10077incorrect argument (eg: an unresolved backend name). Fetch function arguments
10078are passed between parenthesis and are delimited by commas. When an argument
10079is optional, it will be indicated below between square brackets ('[ ]'). When
10080all arguments are optional, the parenthesis may be omitted.
10081
10082Thus, the syntax of a standard sample fetch method is one of the following :
10083 - name
10084 - name(arg1)
10085 - name(arg1,arg2)
10086
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010087
100887.3.1. Converters
10089-----------------
10090
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010091Sample fetch methods may be combined with transformations to be applied on top
10092of the fetched sample (also called "converters"). These combinations form what
10093is called "sample expressions" and the result is a "sample". Initially this
10094was only supported by "stick on" and "stick store-request" directives but this
10095has now be extended to all places where samples may be used (acls, log-format,
10096unique-id-format, add-header, ...).
10097
10098These transformations are enumerated as a series of specific keywords after the
10099sample fetch method. These keywords may equally be appended immediately after
10100the fetch keyword's argument, delimited by a comma. These keywords can also
10101support some arguments (eg: a netmask) which must be passed in parenthesis.
Willy Tarreau0ba27502007-12-24 16:55:16 +010010102
Willy Tarreau74ca5042013-06-11 23:12:07 +020010103The currently available list of transformation keywords include :
Willy Tarreau0ba27502007-12-24 16:55:16 +010010104
Emeric Brun53d1a982014-04-30 18:21:37 +020010105base64
10106 Converts a binary input sample to a base64 string. It is used to log or
10107 transfer binary content in a way that can be reliably transferred (eg:
10108 an SSL ID can be copied in a header).
10109
Emeric Brun54c4ac82014-11-03 15:32:43 +010010110bytes(<offset>[,<length>])
10111 Extracts some bytes from an input binary sample. The result is a binary
10112 sample starting at an offset (in bytes) of the original sample and
10113 optionnaly truncated at the given length.
10114
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010115djb2([<avalanche>])
10116 Hashes a binary input sample into an unsigned 32-bit quantity using the DJB2
10117 hash function. Optionally, it is possible to apply a full avalanche hash
10118 function to the output if the optional <avalanche> argument equals 1. This
10119 converter uses the same functions as used by the various hash-based load
10120 balancing algorithms, so it will provide exactly the same results. It is
10121 mostly intended for debugging, but can be used as a stick-table entry to
10122 collect rough statistics. It must not be used for security purposes as a
10123 32-bit hash is trivial to break. See also "sdbm", "wt6" and the "hash-type"
10124 directive.
10125
Emeric Brunf399b0d2014-11-03 17:07:03 +010010126field(<index>,<delimiters>)
10127 Extracts the substring at the given index considering given delimiters from
10128 an input string. Indexes start at 1 and delimiters are a string formatted
10129 list of chars.
10130
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010131hex
10132 Converts a binary input sample to an hex string containing two hex digits per
10133 input byte. It is used to log or transfer hex dumps of some binary input data
10134 in a way that can be reliably transferred (eg: an SSL ID can be copied in a
10135 header).
Thierry FOURNIER2f49d6d2014-03-12 15:01:52 +010010136
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010137http_date([<offset>])
10138 Converts an integer supposed to contain a date since epoch to a string
10139 representing this date in a format suitable for use in HTTP header fields. If
10140 an offset value is specified, then it is a number of seconds that is added to
10141 the date before the conversion is operated. This is particularly useful to
10142 emit Date header fields, Expires values in responses when combined with a
10143 positive offset, or Last-Modified values when the offset is negative.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010144
Willy Tarreaud9f316a2014-07-10 14:03:38 +020010145in_table(<table>)
10146 Uses the string representation of the input sample to perform a look up in
10147 the specified table. If the key is not found in the table, a boolean false
10148 is returned. Otherwise a boolean true is returned. This can be used to verify
10149 the presence of a certain key in a table tracking some elements (eg: whether
10150 or not a source IP address or an Authorization header was already seen).
10151
Willy Tarreauffcb2e42014-07-10 16:29:08 +020010152ipmask(<mask>)
10153 Apply a mask to an IPv4 address, and use the result for lookups and storage.
10154 This can be used to make all hosts within a certain mask to share the same
10155 table entries and as such use the same server. The mask can be passed in
10156 dotted form (eg: 255.255.255.0) or in CIDR form (eg: 24).
10157
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020010158json([<input-code>])
10159 Escapes the input string and produces an ASCII ouput string ready to use as a
10160 JSON string. The converter tries to decode the input string according to the
10161 <input-code> parameter. It can be "ascii", "utf8", "utf8s", "utf8"" or
10162 "utf8ps". The "ascii" decoder never fails. The "utf8" decoder detects 3 types
10163 of errors:
10164 - bad UTF-8 sequence (lone continuation byte, bad number of continuation
10165 bytes, ...)
10166 - invalid range (the decoded value is within a UTF-8 prohibited range),
10167 - code overlong (the value is encoded with more bytes than necessary).
10168
10169 The UTF-8 JSON encoding can produce a "too long value" error when the UTF-8
10170 character is greater than 0xffff because the JSON string escape specification
10171 only authorizes 4 hex digits for the value encoding. The UTF-8 decoder exists
10172 in 4 variants designated by a combination of two suffix letters : "p" for
10173 "permissive" and "s" for "silently ignore". The behaviors of the decoders
10174 are :
10175 - "ascii" : never fails ;
10176 - "utf8" : fails on any detected errors ;
10177 - "utf8s" : never fails, but removes characters corresponding to errors ;
10178 - "utf8p" : accepts and fixes the overlong errors, but fails on any other
10179 error ;
10180 - "utf8ps" : never fails, accepts and fixes the overlong errors, but removes
10181 characters corresponding to the other errors.
10182
10183 This converter is particularly useful for building properly escaped JSON for
10184 logging to servers which consume JSON-formated traffic logs.
10185
10186 Example:
10187 capture request header user-agent len 150
10188 capture request header Host len 15
10189 log-format {"ip":"%[src]","user-agent":"%[capture.req.hdr(1),json]"}
10190
10191 Input request from client 127.0.0.1:
10192 GET / HTTP/1.0
10193 User-Agent: Very "Ugly" UA 1/2
10194
10195 Output log:
10196 {"ip":"127.0.0.1","user-agent":"Very \"Ugly\" UA 1\/2"}
10197
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010198language(<value>[,<default>])
10199 Returns the value with the highest q-factor from a list as extracted from the
10200 "accept-language" header using "req.fhdr". Values with no q-factor have a
10201 q-factor of 1. Values with a q-factor of 0 are dropped. Only values which
10202 belong to the list of semi-colon delimited <values> will be considered. The
10203 argument <value> syntax is "lang[;lang[;lang[;...]]]". If no value matches the
10204 given list and a default value is provided, it is returned. Note that language
10205 names may have a variant after a dash ('-'). If this variant is present in the
10206 list, it will be matched, but if it is not, only the base language is checked.
10207 The match is case-sensitive, and the output string is always one of those
10208 provided in arguments. The ordering of arguments is meaningless, only the
10209 ordering of the values in the request counts, as the first value among
10210 multiple sharing the same q-factor is used.
Thierry FOURNIERad903512014-04-11 17:51:01 +020010211
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010212 Example :
Thierry FOURNIERad903512014-04-11 17:51:01 +020010213
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010214 # this configuration switches to the backend matching a
10215 # given language based on the request :
Thierry FOURNIERad903512014-04-11 17:51:01 +020010216
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010217 acl es req.fhdr(accept-language),language(es;fr;en) -m str es
10218 acl fr req.fhdr(accept-language),language(es;fr;en) -m str fr
10219 acl en req.fhdr(accept-language),language(es;fr;en) -m str en
10220 use_backend spanish if es
10221 use_backend french if fr
10222 use_backend english if en
10223 default_backend choose_your_language
Thierry FOURNIERad903512014-04-11 17:51:01 +020010224
Willy Tarreauffcb2e42014-07-10 16:29:08 +020010225lower
10226 Convert a string sample to lower case. This can only be placed after a string
10227 sample fetch function or after a transformation keyword returning a string
10228 type. The result is of type string.
10229
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020010230ltime(<format>[,<offset>])
10231 Converts an integer supposed to contain a date since epoch to a string
10232 representing this date in local time using a format defined by the <format>
10233 string using strftime(3). The purpose is to allow any date format to be used
10234 in logs. An optional <offset> in seconds may be applied to the input date
10235 (positive or negative). See the strftime() man page for the format supported
10236 by your operating system. See also the utime converter.
10237
10238 Example :
10239
10240 # Emit two colons, one with the local time and another with ip:port
10241 # Eg: 20140710162350 127.0.0.1:57325
10242 log-format %[date,ltime(%Y%m%d%H%M%S)]\ %ci:%cp
10243
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010244map(<map_file>[,<default_value>])
10245map_<match_type>(<map_file>[,<default_value>])
10246map_<match_type>_<output_type>(<map_file>[,<default_value>])
10247 Search the input value from <map_file> using the <match_type> matching method,
10248 and return the associated value converted to the type <output_type>. If the
10249 input value cannot be found in the <map_file>, the converter returns the
10250 <default_value>. If the <default_value> is not set, the converter fails and
10251 acts as if no input value could be fetched. If the <match_type> is not set, it
10252 defaults to "str". Likewise, if the <output_type> is not set, it defaults to
10253 "str". For convenience, the "map" keyword is an alias for "map_str" and maps a
10254 string to another string.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010255
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010256 It is important to avoid overlapping between the keys : IP addresses and
10257 strings are stored in trees, so the first of the finest match will be used.
10258 Other keys are stored in lists, so the first matching occurrence will be used.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010259
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010260 The following array contains the list of all map functions avalaible sorted by
10261 input type, match type and output type.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010262
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010263 input type | match method | output type str | output type int | output type ip
10264 -----------+--------------+-----------------+-----------------+---------------
10265 str | str | map_str | map_str_int | map_str_ip
10266 -----------+--------------+-----------------+-----------------+---------------
Willy Tarreau787a4c02014-05-10 07:55:30 +020010267 str | beg | map_beg | map_beg_int | map_end_ip
10268 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010269 str | sub | map_sub | map_sub_int | map_sub_ip
10270 -----------+--------------+-----------------+-----------------+---------------
10271 str | dir | map_dir | map_dir_int | map_dir_ip
10272 -----------+--------------+-----------------+-----------------+---------------
10273 str | dom | map_dom | map_dom_int | map_dom_ip
10274 -----------+--------------+-----------------+-----------------+---------------
10275 str | end | map_end | map_end_int | map_end_ip
10276 -----------+--------------+-----------------+-----------------+---------------
10277 str | reg | map_reg | map_reg_int | map_reg_ip
10278 -----------+--------------+-----------------+-----------------+---------------
10279 int | int | map_int | map_int_int | map_int_ip
10280 -----------+--------------+-----------------+-----------------+---------------
10281 ip | ip | map_ip | map_ip_int | map_ip_ip
10282 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010283
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010284 The file contains one key + value per line. Lines which start with '#' are
10285 ignored, just like empty lines. Leading tabs and spaces are stripped. The key
10286 is then the first "word" (series of non-space/tabs characters), and the value
10287 is what follows this series of space/tab till the end of the line excluding
10288 trailing spaces/tabs.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010289
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010290 Example :
10291
10292 # this is a comment and is ignored
10293 2.22.246.0/23 United Kingdom \n
10294 <-><-----------><--><------------><---->
10295 | | | | `- trailing spaces ignored
10296 | | | `---------- value
10297 | | `-------------------- middle spaces ignored
10298 | `---------------------------- key
10299 `------------------------------------ leading spaces ignored
10300
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010301sdbm([<avalanche>])
10302 Hashes a binary input sample into an unsigned 32-bit quantity using the SDBM
10303 hash function. Optionally, it is possible to apply a full avalanche hash
10304 function to the output if the optional <avalanche> argument equals 1. This
10305 converter uses the same functions as used by the various hash-based load
10306 balancing algorithms, so it will provide exactly the same results. It is
10307 mostly intended for debugging, but can be used as a stick-table entry to
10308 collect rough statistics. It must not be used for security purposes as a
10309 32-bit hash is trivial to break. See also "djb2", "wt6" and the "hash-type"
10310 directive.
10311
Willy Tarreaud9f316a2014-07-10 14:03:38 +020010312table_bytes_in_rate(<table>)
10313 Uses the string representation of the input sample to perform a look up in
10314 the specified table. If the key is not found in the table, integer value zero
10315 is returned. Otherwise the converter returns the average client-to-server
10316 bytes rate associated with the input sample in the designated table, measured
10317 in amount of bytes over the period configured in the table. See also the
10318 sc_bytes_in_rate sample fetch keyword.
10319
10320
10321table_bytes_out_rate(<table>)
10322 Uses the string representation of the input sample to perform a look up in
10323 the specified table. If the key is not found in the table, integer value zero
10324 is returned. Otherwise the converter returns the average server-to-client
10325 bytes rate associated with the input sample in the designated table, measured
10326 in amount of bytes over the period configured in the table. See also the
10327 sc_bytes_out_rate sample fetch keyword.
10328
10329table_conn_cnt(<table>)
10330 Uses the string representation of the input sample to perform a look up in
10331 the specified table. If the key is not found in the table, integer value zero
10332 is returned. Otherwise the converter returns the cumulated amount of incoming
10333 connections associated with the input sample in the designated table. See
10334 also the sc_conn_cnt sample fetch keyword.
10335
10336table_conn_cur(<table>)
10337 Uses the string representation of the input sample to perform a look up in
10338 the specified table. If the key is not found in the table, integer value zero
10339 is returned. Otherwise the converter returns the current amount of concurrent
10340 tracked connections associated with the input sample in the designated table.
10341 See also the sc_conn_cur sample fetch keyword.
10342
10343table_conn_rate(<table>)
10344 Uses the string representation of the input sample to perform a look up in
10345 the specified table. If the key is not found in the table, integer value zero
10346 is returned. Otherwise the converter returns the average incoming connection
10347 rate associated with the input sample in the designated table. See also the
10348 sc_conn_rate sample fetch keyword.
10349
10350table_gpc0(<table>)
10351 Uses the string representation of the input sample to perform a look up in
10352 the specified table. If the key is not found in the table, integer value zero
10353 is returned. Otherwise the converter returns the current value of the first
10354 general purpose counter associated with the input sample in the designated
10355 table. See also the sc_get_gpc0 sample fetch keyword.
10356
10357table_gpc0_rate(<table>)
10358 Uses the string representation of the input sample to perform a look up in
10359 the specified table. If the key is not found in the table, integer value zero
10360 is returned. Otherwise the converter returns the frequency which the gpc0
10361 counter was incremented over the configured period in the table, associated
10362 with the input sample in the designated table. See also the sc_get_gpc0_rate
10363 sample fetch keyword.
10364
10365table_http_err_cnt(<table>)
10366 Uses the string representation of the input sample to perform a look up in
10367 the specified table. If the key is not found in the table, integer value zero
10368 is returned. Otherwise the converter returns the cumulated amount of HTTP
10369 errors associated with the input sample in the designated table. See also the
10370 sc_http_err_cnt sample fetch keyword.
10371
10372table_http_err_rate(<table>)
10373 Uses the string representation of the input sample to perform a look up in
10374 the specified table. If the key is not found in the table, integer value zero
10375 is returned. Otherwise the average rate of HTTP errors associated with the
10376 input sample in the designated table, measured in amount of errors over the
10377 period configured in the table. See also the sc_http_err_rate sample fetch
10378 keyword.
10379
10380table_http_req_cnt(<table>)
10381 Uses the string representation of the input sample to perform a look up in
10382 the specified table. If the key is not found in the table, integer value zero
10383 is returned. Otherwise the converter returns the cumulated amount of HTTP
10384 requests associated with the input sample in the designated table. See also
10385 the sc_http_req_cnt sample fetch keyword.
10386
10387table_http_req_rate(<table>)
10388 Uses the string representation of the input sample to perform a look up in
10389 the specified table. If the key is not found in the table, integer value zero
10390 is returned. Otherwise the average rate of HTTP requests associated with the
10391 input sample in the designated table, measured in amount of requests over the
10392 period configured in the table. See also the sc_http_req_rate sample fetch
10393 keyword.
10394
10395table_kbytes_in(<table>)
10396 Uses the string representation of the input sample to perform a look up in
10397 the specified table. If the key is not found in the table, integer value zero
10398 is returned. Otherwise the converter returns the cumulated amount of client-
10399 to-server data associated with the input sample in the designated table,
10400 measured in kilobytes. The test is currently performed on 32-bit integers,
10401 which limits values to 4 terabytes. See also the sc_kbytes_in sample fetch
10402 keyword.
10403
10404table_kbytes_out(<table>)
10405 Uses the string representation of the input sample to perform a look up in
10406 the specified table. If the key is not found in the table, integer value zero
10407 is returned. Otherwise the converter returns the cumulated amount of server-
10408 to-client data associated with the input sample in the designated table,
10409 measured in kilobytes. The test is currently performed on 32-bit integers,
10410 which limits values to 4 terabytes. See also the sc_kbytes_out sample fetch
10411 keyword.
10412
10413table_server_id(<table>)
10414 Uses the string representation of the input sample to perform a look up in
10415 the specified table. If the key is not found in the table, integer value zero
10416 is returned. Otherwise the converter returns the server ID associated with
10417 the input sample in the designated table. A server ID is associated to a
10418 sample by a "stick" rule when a connection to a server succeeds. A server ID
10419 zero means that no server is associated with this key.
10420
10421table_sess_cnt(<table>)
10422 Uses the string representation of the input sample to perform a look up in
10423 the specified table. If the key is not found in the table, integer value zero
10424 is returned. Otherwise the converter returns the cumulated amount of incoming
10425 sessions associated with the input sample in the designated table. Note that
10426 a session here refers to an incoming connection being accepted by the
10427 "tcp-request connection" rulesets. See also the sc_sess_cnt sample fetch
10428 keyword.
10429
10430table_sess_rate(<table>)
10431 Uses the string representation of the input sample to perform a look up in
10432 the specified table. If the key is not found in the table, integer value zero
10433 is returned. Otherwise the converter returns the average incoming session
10434 rate associated with the input sample in the designated table. Note that a
10435 session here refers to an incoming connection being accepted by the
10436 "tcp-request connection" rulesets. See also the sc_sess_rate sample fetch
10437 keyword.
10438
10439table_trackers(<table>)
10440 Uses the string representation of the input sample to perform a look up in
10441 the specified table. If the key is not found in the table, integer value zero
10442 is returned. Otherwise the converter returns the current amount of concurrent
10443 connections tracking the same key as the input sample in the designated
10444 table. It differs from table_conn_cur in that it does not rely on any stored
10445 information but on the table's reference count (the "use" value which is
10446 returned by "show table" on the CLI). This may sometimes be more suited for
10447 layer7 tracking. It can be used to tell a server how many concurrent
10448 connections there are from a given address for example. See also the
10449 sc_trackers sample fetch keyword.
10450
Willy Tarreauffcb2e42014-07-10 16:29:08 +020010451upper
10452 Convert a string sample to upper case. This can only be placed after a string
10453 sample fetch function or after a transformation keyword returning a string
10454 type. The result is of type string.
10455
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020010456utime(<format>[,<offset>])
10457 Converts an integer supposed to contain a date since epoch to a string
10458 representing this date in UTC time using a format defined by the <format>
10459 string using strftime(3). The purpose is to allow any date format to be used
10460 in logs. An optional <offset> in seconds may be applied to the input date
10461 (positive or negative). See the strftime() man page for the format supported
10462 by your operating system. See also the ltime converter.
10463
10464 Example :
10465
10466 # Emit two colons, one with the UTC time and another with ip:port
10467 # Eg: 20140710162350 127.0.0.1:57325
10468 log-format %[date,utime(%Y%m%d%H%M%S)]\ %ci:%cp
10469
Emeric Brunc9a0f6d2014-11-25 14:09:01 +010010470word(<index>,<delimiters>)
10471 Extracts the nth word considering given delimiters from an input string.
10472 Indexes start at 1 and delimiters are a string formatted list of chars.
10473
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010474wt6([<avalanche>])
10475 Hashes a binary input sample into an unsigned 32-bit quantity using the WT6
10476 hash function. Optionally, it is possible to apply a full avalanche hash
10477 function to the output if the optional <avalanche> argument equals 1. This
10478 converter uses the same functions as used by the various hash-based load
10479 balancing algorithms, so it will provide exactly the same results. It is
10480 mostly intended for debugging, but can be used as a stick-table entry to
10481 collect rough statistics. It must not be used for security purposes as a
10482 32-bit hash is trivial to break. See also "djb2", "sdbm", and the "hash-type"
10483 directive.
10484
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010485
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200104867.3.2. Fetching samples from internal states
Willy Tarreau74ca5042013-06-11 23:12:07 +020010487--------------------------------------------
10488
10489A first set of sample fetch methods applies to internal information which does
10490not even relate to any client information. These ones are sometimes used with
10491"monitor-fail" directives to report an internal status to external watchers.
10492The sample fetch methods described in this section are usable anywhere.
10493
10494always_false : boolean
10495 Always returns the boolean "false" value. It may be used with ACLs as a
10496 temporary replacement for another one when adjusting configurations.
10497
10498always_true : boolean
10499 Always returns the boolean "true" value. It may be used with ACLs as a
10500 temporary replacement for another one when adjusting configurations.
10501
10502avg_queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010010503 Returns the total number of queued connections of the designated backend
Willy Tarreau74ca5042013-06-11 23:12:07 +020010504 divided by the number of active servers. The current backend is used if no
10505 backend is specified. This is very similar to "queue" except that the size of
10506 the farm is considered, in order to give a more accurate measurement of the
10507 time it may take for a new connection to be processed. The main usage is with
10508 ACL to return a sorry page to new users when it becomes certain they will get
10509 a degraded service, or to pass to the backend servers in a header so that
10510 they decide to work in degraded mode or to disable some functions to speed up
10511 the processing a bit. Note that in the event there would not be any active
10512 server anymore, twice the number of queued connections would be considered as
10513 the measured value. This is a fair estimate, as we expect one server to get
10514 back soon anyway, but we still prefer to send new traffic to another backend
10515 if in better shape. See also the "queue", "be_conn", and "be_sess_rate"
10516 sample fetches.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +010010517
Willy Tarreau74ca5042013-06-11 23:12:07 +020010518be_conn([<backend>]) : integer
Willy Tarreaua36af912009-10-10 12:02:45 +020010519 Applies to the number of currently established connections on the backend,
10520 possibly including the connection being evaluated. If no backend name is
10521 specified, the current one is used. But it is also possible to check another
10522 backend. It can be used to use a specific farm when the nominal one is full.
10523 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010524
Willy Tarreau74ca5042013-06-11 23:12:07 +020010525be_sess_rate([<backend>]) : integer
10526 Returns an integer value corresponding to the sessions creation rate on the
10527 backend, in number of new sessions per second. This is used with ACLs to
10528 switch to an alternate backend when an expensive or fragile one reaches too
10529 high a session rate, or to limit abuse of service (eg. prevent sucking of an
10530 online dictionary). It can also be useful to add this element to logs using a
10531 log-format directive.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010532
10533 Example :
10534 # Redirect to an error page if the dictionary is requested too often
10535 backend dynamic
10536 mode http
10537 acl being_scanned be_sess_rate gt 100
10538 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +010010539
Willy Tarreau74ca5042013-06-11 23:12:07 +020010540connslots([<backend>]) : integer
10541 Returns an integer value corresponding to the number of connection slots
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010542 still available in the backend, by totaling the maximum amount of
Willy Tarreau74ca5042013-06-11 23:12:07 +020010543 connections on all servers and the maximum queue size. This is probably only
10544 used with ACLs.
Tait Clarridge7896d522012-12-05 21:39:31 -050010545
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010546 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +020010547 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010548 usage; see "use_backend" keyword) can be redirected to a different backend.
10549
Willy Tarreau55165fe2009-05-10 12:02:55 +020010550 'connslots' = number of available server connection slots, + number of
10551 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010552
Willy Tarreaua36af912009-10-10 12:02:45 +020010553 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +020010554 useful when you have a case of traffic going to one single ip, splitting into
Willy Tarreau74ca5042013-06-11 23:12:07 +020010555 multiple backends (perhaps using ACLs to do name-based load balancing) and
Willy Tarreau55165fe2009-05-10 12:02:55 +020010556 you want to be able to differentiate between different backends, and their
10557 available "connslots". Also, whereas "nbsrv" only measures servers that are
Willy Tarreau74ca5042013-06-11 23:12:07 +020010558 actually *down*, this fetch is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +020010559 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010560
Willy Tarreau55165fe2009-05-10 12:02:55 +020010561 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
10562 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
Willy Tarreau74ca5042013-06-11 23:12:07 +020010563 then this fetch clearly does not make sense, in which case the value returned
Willy Tarreau55165fe2009-05-10 12:02:55 +020010564 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010565
Willy Tarreau6236d3a2013-07-25 14:28:25 +020010566date([<offset>]) : integer
10567 Returns the current date as the epoch (number of seconds since 01/01/1970).
10568 If an offset value is specified, then it is a number of seconds that is added
10569 to the current date before returning the value. This is particularly useful
10570 to compute relative dates, as both positive and negative offsets are allowed.
Willy Tarreau276fae92013-07-25 14:36:01 +020010571 It is useful combined with the http_date converter.
10572
10573 Example :
10574
10575 # set an expires header to now+1 hour in every response
10576 http-response set-header Expires %[date(3600),http_date]
Willy Tarreau6236d3a2013-07-25 14:28:25 +020010577
Willy Tarreau595ec542013-06-12 21:34:28 +020010578env(<name>) : string
10579 Returns a string containing the value of environment variable <name>. As a
10580 reminder, environment variables are per-process and are sampled when the
10581 process starts. This can be useful to pass some information to a next hop
10582 server, or with ACLs to take specific action when the process is started a
10583 certain way.
10584
10585 Examples :
10586 # Pass the Via header to next hop with the local hostname in it
10587 http-request add-header Via 1.1\ %[env(HOSTNAME)]
10588
10589 # reject cookie-less requests when the STOP environment variable is set
10590 http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
10591
Willy Tarreau74ca5042013-06-11 23:12:07 +020010592fe_conn([<frontend>]) : integer
10593 Returns the number of currently established connections on the frontend,
Willy Tarreaud63335a2010-02-26 12:56:52 +010010594 possibly including the connection being evaluated. If no frontend name is
10595 specified, the current one is used. But it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020010596 frontend. It can be used to return a sorry page before hard-blocking, or to
10597 use a specific backend to drain new requests when the farm is considered
10598 full. This is mostly used with ACLs but can also be used to pass some
10599 statistics to servers in HTTP headers. See also the "dst_conn", "be_conn",
10600 "fe_sess_rate" fetches.
Willy Tarreaua36af912009-10-10 12:02:45 +020010601
Willy Tarreau74ca5042013-06-11 23:12:07 +020010602fe_sess_rate([<frontend>]) : integer
10603 Returns an integer value corresponding to the sessions creation rate on the
10604 frontend, in number of new sessions per second. This is used with ACLs to
10605 limit the incoming session rate to an acceptable range in order to prevent
10606 abuse of service at the earliest moment, for example when combined with other
10607 layer 4 ACLs in order to force the clients to wait a bit for the rate to go
10608 down below the limit. It can also be useful to add this element to logs using
10609 a log-format directive. See also the "rate-limit sessions" directive for use
10610 in frontends.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010010611
10612 Example :
10613 # This frontend limits incoming mails to 10/s with a max of 100
10614 # concurrent connections. We accept any connection below 10/s, and
10615 # force excess clients to wait for 100 ms. Since clients are limited to
10616 # 100 max, there cannot be more than 10 incoming mails per second.
10617 frontend mail
10618 bind :25
10619 mode tcp
10620 maxconn 100
10621 acl too_fast fe_sess_rate ge 10
10622 tcp-request inspect-delay 100ms
10623 tcp-request content accept if ! too_fast
10624 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +010010625
Willy Tarreau0f30d262014-11-24 16:02:05 +010010626nbproc : integer
10627 Returns an integer value corresponding to the number of processes that were
10628 started (it equals the global "nbproc" setting). This is useful for logging
10629 and debugging purposes.
10630
Willy Tarreau74ca5042013-06-11 23:12:07 +020010631nbsrv([<backend>]) : integer
10632 Returns an integer value corresponding to the number of usable servers of
10633 either the current backend or the named backend. This is mostly used with
10634 ACLs but can also be useful when added to logs. This is normally used to
Willy Tarreaud63335a2010-02-26 12:56:52 +010010635 switch to an alternate backend when the number of servers is too low to
10636 to handle some load. It is useful to report a failure when combined with
10637 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +010010638
Willy Tarreau0f30d262014-11-24 16:02:05 +010010639proc : integer
10640 Returns an integer value corresponding to the position of the process calling
10641 the function, between 1 and global.nbproc. This is useful for logging and
10642 debugging purposes.
10643
Willy Tarreau74ca5042013-06-11 23:12:07 +020010644queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010010645 Returns the total number of queued connections of the designated backend,
10646 including all the connections in server queues. If no backend name is
10647 specified, the current one is used, but it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020010648 one. This is useful with ACLs or to pass statistics to backend servers. This
10649 can be used to take actions when queuing goes above a known level, generally
10650 indicating a surge of traffic or a massive slowdown on the servers. One
10651 possible action could be to reject new users but still accept old ones. See
10652 also the "avg_queue", "be_conn", and "be_sess_rate" fetches.
10653
Willy Tarreau84310e22014-02-14 11:59:04 +010010654rand([<range>]) : integer
10655 Returns a random integer value within a range of <range> possible values,
10656 starting at zero. If the range is not specified, it defaults to 2^32, which
10657 gives numbers between 0 and 4294967295. It can be useful to pass some values
10658 needed to take some routing decisions for example, or just for debugging
10659 purposes. This random must not be used for security purposes.
10660
Willy Tarreau74ca5042013-06-11 23:12:07 +020010661srv_conn([<backend>/]<server>) : integer
10662 Returns an integer value corresponding to the number of currently established
10663 connections on the designated server, possibly including the connection being
10664 evaluated. If <backend> is omitted, then the server is looked up in the
10665 current backend. It can be used to use a specific farm when one server is
10666 full, or to inform the server about our view of the number of active
10667 connections with it. See also the "fe_conn", "be_conn" and "queue" fetch
10668 methods.
10669
10670srv_is_up([<backend>/]<server>) : boolean
10671 Returns true when the designated server is UP, and false when it is either
10672 DOWN or in maintenance mode. If <backend> is omitted, then the server is
10673 looked up in the current backend. It is mainly used to take action based on
10674 an external status reported via a health check (eg: a geographical site's
10675 availability). Another possible use which is more of a hack consists in
10676 using dummy servers as boolean variables that can be enabled or disabled from
10677 the CLI, so that rules depending on those ACLs can be tweaked in realtime.
10678
10679srv_sess_rate([<backend>/]<server>) : integer
10680 Returns an integer corresponding to the sessions creation rate on the
10681 designated server, in number of new sessions per second. If <backend> is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010682 omitted, then the server is looked up in the current backend. This is mostly
Willy Tarreau74ca5042013-06-11 23:12:07 +020010683 used with ACLs but can make sense with logs too. This is used to switch to an
10684 alternate backend when an expensive or fragile one reaches too high a session
10685 rate, or to limit abuse of service (eg. prevent latent requests from
10686 overloading servers).
10687
10688 Example :
10689 # Redirect to a separate back
10690 acl srv1_full srv_sess_rate(be1/srv1) gt 50
10691 acl srv2_full srv_sess_rate(be1/srv2) gt 50
10692 use_backend be2 if srv1_full or srv2_full
10693
Willy Tarreau0f30d262014-11-24 16:02:05 +010010694stopping : boolean
10695 Returns TRUE if the process calling the function is currently stopping. This
10696 can be useful for logging, or for relaxing certain checks or helping close
10697 certain connections upon graceful shutdown.
10698
Willy Tarreau74ca5042013-06-11 23:12:07 +020010699table_avl([<table>]) : integer
10700 Returns the total number of available entries in the current proxy's
10701 stick-table or in the designated stick-table. See also table_cnt.
10702
10703table_cnt([<table>]) : integer
10704 Returns the total number of entries currently in use in the current proxy's
10705 stick-table or in the designated stick-table. See also src_conn_cnt and
10706 table_avl for other entry counting methods.
10707
10708
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200107097.3.3. Fetching samples at Layer 4
Willy Tarreau74ca5042013-06-11 23:12:07 +020010710----------------------------------
10711
10712The layer 4 usually describes just the transport layer which in haproxy is
10713closest to the connection, where no content is yet made available. The fetch
10714methods described here are usable as low as the "tcp-request connection" rule
10715sets unless they require some future information. Those generally include
10716TCP/IP addresses and ports, as well as elements from stick-tables related to
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010717the incoming connection. For retrieving a value from a sticky counters, the
10718counter number can be explicitly set as 0, 1, or 2 using the pre-defined
10719"sc0_", "sc1_", or "sc2_" prefix, or it can be specified as the first integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010720argument when using the "sc_" prefix. An optional table may be specified with
10721the "sc*" form, in which case the currently tracked key will be looked up into
10722this alternate table instead of the table currently being tracked.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010723
10724be_id : integer
10725 Returns an integer containing the current backend's id. It can be used in
10726 frontends with responses to check which backend processed the request.
10727
10728dst : ip
10729 This is the destination IPv4 address of the connection on the client side,
10730 which is the address the client connected to. It can be useful when running
10731 in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
10732 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
10733 RFC 4291.
10734
10735dst_conn : integer
10736 Returns an integer value corresponding to the number of currently established
10737 connections on the same socket including the one being evaluated. It is
10738 normally used with ACLs but can as well be used to pass the information to
10739 servers in an HTTP header or in logs. It can be used to either return a sorry
10740 page before hard-blocking, or to use a specific backend to drain new requests
10741 when the socket is considered saturated. This offers the ability to assign
10742 different limits to different listening ports or addresses. See also the
10743 "fe_conn" and "be_conn" fetches.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010744
Willy Tarreau74ca5042013-06-11 23:12:07 +020010745dst_port : integer
10746 Returns an integer value corresponding to the destination TCP port of the
10747 connection on the client side, which is the port the client connected to.
10748 This might be used when running in transparent mode, when assigning dynamic
10749 ports to some clients for a whole application session, to stick all users to
10750 a same server, or to pass the destination port information to a server using
10751 an HTTP header.
10752
10753fe_id : integer
10754 Returns an integer containing the current frontend's id. It can be used in
10755 backends to check from which backend it was called, or to stick all users
10756 coming via a same frontend to the same server.
10757
Cyril Bonté62ba8702014-04-22 23:52:25 +020010758sc_bytes_in_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010759sc0_bytes_in_rate([<table>]) : integer
10760sc1_bytes_in_rate([<table>]) : integer
10761sc2_bytes_in_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010762 Returns the average client-to-server bytes rate from the currently tracked
10763 counters, measured in amount of bytes over the period configured in the
10764 table. See also src_bytes_in_rate.
10765
Cyril Bonté62ba8702014-04-22 23:52:25 +020010766sc_bytes_out_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010767sc0_bytes_out_rate([<table>]) : integer
10768sc1_bytes_out_rate([<table>]) : integer
10769sc2_bytes_out_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010770 Returns the average server-to-client bytes rate from the currently tracked
10771 counters, measured in amount of bytes over the period configured in the
10772 table. See also src_bytes_out_rate.
10773
Cyril Bonté62ba8702014-04-22 23:52:25 +020010774sc_clr_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010775sc0_clr_gpc0([<table>]) : integer
10776sc1_clr_gpc0([<table>]) : integer
10777sc2_clr_gpc0([<table>]) : integer
Willy Tarreauf73cd112011-08-13 01:45:16 +020010778 Clears the first General Purpose Counter associated to the currently tracked
10779 counters, and returns its previous value. Before the first invocation, the
Willy Tarreau869948b2013-01-04 14:14:57 +010010780 stored value is zero, so first invocation will always return zero. This is
10781 typically used as a second ACL in an expression in order to mark a connection
10782 when a first ACL was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020010783
10784 # block if 5 consecutive requests continue to come faster than 10 sess
10785 # per second, and reset the counter as soon as the traffic slows down.
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010786 acl abuse sc0_http_req_rate gt 10
10787 acl kill sc0_inc_gpc0 gt 5
10788 acl save sc0_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020010789 tcp-request connection accept if !abuse save
10790 tcp-request connection reject if abuse kill
10791
Cyril Bonté62ba8702014-04-22 23:52:25 +020010792sc_conn_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010793sc0_conn_cnt([<table>]) : integer
10794sc1_conn_cnt([<table>]) : integer
10795sc2_conn_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010796 Returns the cumulated number of incoming connections from currently tracked
10797 counters. See also src_conn_cnt.
10798
Cyril Bonté62ba8702014-04-22 23:52:25 +020010799sc_conn_cur(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010800sc0_conn_cur([<table>]) : integer
10801sc1_conn_cur([<table>]) : integer
10802sc2_conn_cur([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010803 Returns the current amount of concurrent connections tracking the same
10804 tracked counters. This number is automatically incremented when tracking
10805 begins and decremented when tracking stops. See also src_conn_cur.
10806
Cyril Bonté62ba8702014-04-22 23:52:25 +020010807sc_conn_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010808sc0_conn_rate([<table>]) : integer
10809sc1_conn_rate([<table>]) : integer
10810sc2_conn_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010811 Returns the average connection rate from the currently tracked counters,
10812 measured in amount of connections over the period configured in the table.
10813 See also src_conn_rate.
10814
Cyril Bonté62ba8702014-04-22 23:52:25 +020010815sc_get_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010816sc0_get_gpc0([<table>]) : integer
10817sc1_get_gpc0([<table>]) : integer
10818sc2_get_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010819 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010820 currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010821
Cyril Bonté62ba8702014-04-22 23:52:25 +020010822sc_gpc0_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010823sc0_gpc0_rate([<table>]) : integer
10824sc1_gpc0_rate([<table>]) : integer
10825sc2_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010826 Returns the average increment rate of the first General Purpose Counter
10827 associated to the currently tracked counters. It reports the frequency
10828 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010829 src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
10830 that the "gpc0_rate" counter must be stored in the stick-table for a value to
10831 be returned, as "gpc0" only holds the event count.
Willy Tarreaue9656522010-08-17 15:40:09 +020010832
Cyril Bonté62ba8702014-04-22 23:52:25 +020010833sc_http_err_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010834sc0_http_err_cnt([<table>]) : integer
10835sc1_http_err_cnt([<table>]) : integer
10836sc2_http_err_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010837 Returns the cumulated number of HTTP errors from the currently tracked
10838 counters. This includes the both request errors and 4xx error responses.
10839 See also src_http_err_cnt.
10840
Cyril Bonté62ba8702014-04-22 23:52:25 +020010841sc_http_err_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010842sc0_http_err_rate([<table>]) : integer
10843sc1_http_err_rate([<table>]) : integer
10844sc2_http_err_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010845 Returns the average rate of HTTP errors from the currently tracked counters,
10846 measured in amount of errors over the period configured in the table. This
10847 includes the both request errors and 4xx error responses. See also
10848 src_http_err_rate.
10849
Cyril Bonté62ba8702014-04-22 23:52:25 +020010850sc_http_req_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010851sc0_http_req_cnt([<table>]) : integer
10852sc1_http_req_cnt([<table>]) : integer
10853sc2_http_req_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010854 Returns the cumulated number of HTTP requests from the currently tracked
10855 counters. This includes every started request, valid or not. See also
10856 src_http_req_cnt.
10857
Cyril Bonté62ba8702014-04-22 23:52:25 +020010858sc_http_req_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010859sc0_http_req_rate([<table>]) : integer
10860sc1_http_req_rate([<table>]) : integer
10861sc2_http_req_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010862 Returns the average rate of HTTP requests from the currently tracked
10863 counters, measured in amount of requests over the period configured in
10864 the table. This includes every started request, valid or not. See also
10865 src_http_req_rate.
10866
Cyril Bonté62ba8702014-04-22 23:52:25 +020010867sc_inc_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010868sc0_inc_gpc0([<table>]) : integer
10869sc1_inc_gpc0([<table>]) : integer
10870sc2_inc_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010871 Increments the first General Purpose Counter associated to the currently
Willy Tarreau869948b2013-01-04 14:14:57 +010010872 tracked counters, and returns its new value. Before the first invocation,
10873 the stored value is zero, so first invocation will increase it to 1 and will
10874 return 1. This is typically used as a second ACL in an expression in order
10875 to mark a connection when a first ACL was verified :
Willy Tarreaue9656522010-08-17 15:40:09 +020010876
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010877 acl abuse sc0_http_req_rate gt 10
10878 acl kill sc0_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020010879 tcp-request connection reject if abuse kill
10880
Cyril Bonté62ba8702014-04-22 23:52:25 +020010881sc_kbytes_in(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010882sc0_kbytes_in([<table>]) : integer
10883sc1_kbytes_in([<table>]) : integer
10884sc2_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020010885 Returns the total amount of client-to-server data from the currently tracked
10886 counters, measured in kilobytes. The test is currently performed on 32-bit
10887 integers, which limits values to 4 terabytes. See also src_kbytes_in.
Willy Tarreaue9656522010-08-17 15:40:09 +020010888
Cyril Bonté62ba8702014-04-22 23:52:25 +020010889sc_kbytes_out(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010890sc0_kbytes_out([<table>]) : integer
10891sc1_kbytes_out([<table>]) : integer
10892sc2_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020010893 Returns the total amount of server-to-client data from the currently tracked
10894 counters, measured in kilobytes. The test is currently performed on 32-bit
10895 integers, which limits values to 4 terabytes. See also src_kbytes_out.
Willy Tarreaue9656522010-08-17 15:40:09 +020010896
Cyril Bonté62ba8702014-04-22 23:52:25 +020010897sc_sess_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010898sc0_sess_cnt([<table>]) : integer
10899sc1_sess_cnt([<table>]) : integer
10900sc2_sess_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010901 Returns the cumulated number of incoming connections that were transformed
10902 into sessions, which means that they were accepted by a "tcp-request
10903 connection" rule, from the currently tracked counters. A backend may count
10904 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -040010905 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +020010906 with the client. See also src_sess_cnt.
10907
Cyril Bonté62ba8702014-04-22 23:52:25 +020010908sc_sess_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010909sc0_sess_rate([<table>]) : integer
10910sc1_sess_rate([<table>]) : integer
10911sc2_sess_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010912 Returns the average session rate from the currently tracked counters,
10913 measured in amount of sessions over the period configured in the table. A
10914 session is a connection that got past the early "tcp-request connection"
10915 rules. A backend may count more sessions than connections because each
10916 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -040010917 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +020010918
Cyril Bonté62ba8702014-04-22 23:52:25 +020010919sc_tracked(<ctr>[,<table>]) : boolean
Willy Tarreau0f791d42013-07-23 19:56:43 +020010920sc0_tracked([<table>]) : boolean
10921sc1_tracked([<table>]) : boolean
10922sc2_tracked([<table>]) : boolean
Willy Tarreau6f1615f2013-06-03 15:15:22 +020010923 Returns true if the designated session counter is currently being tracked by
10924 the current session. This can be useful when deciding whether or not we want
10925 to set some values in a header passed to the server.
10926
Cyril Bonté62ba8702014-04-22 23:52:25 +020010927sc_trackers(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010928sc0_trackers([<table>]) : integer
10929sc1_trackers([<table>]) : integer
10930sc2_trackers([<table>]) : integer
Willy Tarreau2406db42012-12-09 12:16:43 +010010931 Returns the current amount of concurrent connections tracking the same
10932 tracked counters. This number is automatically incremented when tracking
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010933 begins and decremented when tracking stops. It differs from sc0_conn_cur in
Willy Tarreau2406db42012-12-09 12:16:43 +010010934 that it does not rely on any stored information but on the table's reference
10935 count (the "use" value which is returned by "show table" on the CLI). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020010936 may sometimes be more suited for layer7 tracking. It can be used to tell a
10937 server how many concurrent connections there are from a given address for
10938 example.
Willy Tarreau2406db42012-12-09 12:16:43 +010010939
Willy Tarreau74ca5042013-06-11 23:12:07 +020010940so_id : integer
10941 Returns an integer containing the current listening socket's id. It is useful
10942 in frontends involving many "bind" lines, or to stick all users coming via a
10943 same socket to the same server.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010944
Willy Tarreau74ca5042013-06-11 23:12:07 +020010945src : ip
10946 This is the source IPv4 address of the client of the session. It is of type
10947 IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
10948 mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
10949 TCP-level source address which is used, and not the address of a client
10950 behind a proxy. However if the "accept-proxy" bind directive is used, it can
10951 be the address of a client behind another PROXY-protocol compatible component
10952 for all rule sets except "tcp-request connection" which sees the real address.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010953
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010954 Example:
10955 # add an HTTP header in requests with the originating address' country
10956 http-request set-header X-Country %[src,map_ip(geoip.lst)]
10957
Willy Tarreau74ca5042013-06-11 23:12:07 +020010958src_bytes_in_rate([<table>]) : integer
10959 Returns the average bytes rate from the incoming connection's source address
10960 in the current proxy's stick-table or in the designated stick-table, measured
10961 in amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010962 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010963
Willy Tarreau74ca5042013-06-11 23:12:07 +020010964src_bytes_out_rate([<table>]) : integer
10965 Returns the average bytes rate to the incoming connection's source address in
10966 the current proxy's stick-table or in the designated stick-table, measured in
Willy Tarreauc9705a12010-07-27 20:05:50 +020010967 amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010968 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010969
Willy Tarreau74ca5042013-06-11 23:12:07 +020010970src_clr_gpc0([<table>]) : integer
10971 Clears the first General Purpose Counter associated to the incoming
10972 connection's source address in the current proxy's stick-table or in the
10973 designated stick-table, and returns its previous value. If the address is not
10974 found, an entry is created and 0 is returned. This is typically used as a
10975 second ACL in an expression in order to mark a connection when a first ACL
10976 was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020010977
10978 # block if 5 consecutive requests continue to come faster than 10 sess
10979 # per second, and reset the counter as soon as the traffic slows down.
10980 acl abuse src_http_req_rate gt 10
10981 acl kill src_inc_gpc0 gt 5
Willy Tarreau869948b2013-01-04 14:14:57 +010010982 acl save src_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020010983 tcp-request connection accept if !abuse save
10984 tcp-request connection reject if abuse kill
10985
Willy Tarreau74ca5042013-06-11 23:12:07 +020010986src_conn_cnt([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020010987 Returns the cumulated number of connections initiated from the current
Willy Tarreau74ca5042013-06-11 23:12:07 +020010988 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020010989 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010990 See also sc/sc0/sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010991
Willy Tarreau74ca5042013-06-11 23:12:07 +020010992src_conn_cur([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020010993 Returns the current amount of concurrent connections initiated from the
Willy Tarreau74ca5042013-06-11 23:12:07 +020010994 current incoming connection's source address in the current proxy's
10995 stick-table or in the designated stick-table. If the address is not found,
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010996 zero is returned. See also sc/sc0/sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010997
Willy Tarreau74ca5042013-06-11 23:12:07 +020010998src_conn_rate([<table>]) : integer
10999 Returns the average connection rate from the incoming connection's source
11000 address in the current proxy's stick-table or in the designated stick-table,
11001 measured in amount of connections over the period configured in the table. If
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011002 the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011003
Willy Tarreau74ca5042013-06-11 23:12:07 +020011004src_get_gpc0([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020011005 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau74ca5042013-06-11 23:12:07 +020011006 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020011007 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011008 See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011009
Willy Tarreau74ca5042013-06-11 23:12:07 +020011010src_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011011 Returns the average increment rate of the first General Purpose Counter
Willy Tarreau74ca5042013-06-11 23:12:07 +020011012 associated to the incoming connection's source address in the current proxy's
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011013 stick-table or in the designated stick-table. It reports the frequency
11014 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011015 sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
11016 that the "gpc0_rate" counter must be stored in the stick-table for a value to
11017 be returned, as "gpc0" only holds the event count.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011018
Willy Tarreau74ca5042013-06-11 23:12:07 +020011019src_http_err_cnt([<table>]) : integer
11020 Returns the cumulated number of HTTP errors from the incoming connection's
11021 source address in the current proxy's stick-table or in the designated
Willy Tarreauc9705a12010-07-27 20:05:50 +020011022 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011023 See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is
Willy Tarreau74ca5042013-06-11 23:12:07 +020011024 returned.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011025
Willy Tarreau74ca5042013-06-11 23:12:07 +020011026src_http_err_rate([<table>]) : integer
11027 Returns the average rate of HTTP errors from the incoming connection's source
11028 address in the current proxy's stick-table or in the designated stick-table,
11029 measured in amount of errors over the period configured in the table. This
11030 includes the both request errors and 4xx error responses. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011031 not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011032
Willy Tarreau74ca5042013-06-11 23:12:07 +020011033src_http_req_cnt([<table>]) : integer
11034 Returns the cumulated number of HTTP requests from the incoming connection's
11035 source address in the current proxy's stick-table or in the designated stick-
11036 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011037 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011038
Willy Tarreau74ca5042013-06-11 23:12:07 +020011039src_http_req_rate([<table>]) : integer
11040 Returns the average rate of HTTP requests from the incoming connection's
11041 source address in the current proxy's stick-table or in the designated stick-
11042 table, measured in amount of requests over the period configured in the
Willy Tarreauc9705a12010-07-27 20:05:50 +020011043 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011044 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011045
Willy Tarreau74ca5042013-06-11 23:12:07 +020011046src_inc_gpc0([<table>]) : integer
11047 Increments the first General Purpose Counter associated to the incoming
11048 connection's source address in the current proxy's stick-table or in the
11049 designated stick-table, and returns its new value. If the address is not
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011050 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011051 This is typically used as a second ACL in an expression in order to mark a
11052 connection when a first ACL was verified :
Willy Tarreauc9705a12010-07-27 20:05:50 +020011053
11054 acl abuse src_http_req_rate gt 10
Willy Tarreau869948b2013-01-04 14:14:57 +010011055 acl kill src_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020011056 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +020011057
Willy Tarreau74ca5042013-06-11 23:12:07 +020011058src_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020011059 Returns the total amount of data received from the incoming connection's
11060 source address in the current proxy's stick-table or in the designated
11061 stick-table, measured in kilobytes. If the address is not found, zero is
11062 returned. The test is currently performed on 32-bit integers, which limits
11063 values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011064
Willy Tarreau74ca5042013-06-11 23:12:07 +020011065src_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020011066 Returns the total amount of data sent to the incoming connection's source
11067 address in the current proxy's stick-table or in the designated stick-table,
11068 measured in kilobytes. If the address is not found, zero is returned. The
11069 test is currently performed on 32-bit integers, which limits values to 4
11070 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020011071
Willy Tarreau74ca5042013-06-11 23:12:07 +020011072src_port : integer
11073 Returns an integer value corresponding to the TCP source port of the
11074 connection on the client side, which is the port the client connected from.
11075 Usage of this function is very limited as modern protocols do not care much
11076 about source ports nowadays.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010011077
Willy Tarreau74ca5042013-06-11 23:12:07 +020011078src_sess_cnt([<table>]) : integer
11079 Returns the cumulated number of connections initiated from the incoming
Willy Tarreauc9705a12010-07-27 20:05:50 +020011080 connection's source IPv4 address in the current proxy's stick-table or in the
11081 designated stick-table, that were transformed into sessions, which means that
11082 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011083 is returned. See also sc/sc0/sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011084
Willy Tarreau74ca5042013-06-11 23:12:07 +020011085src_sess_rate([<table>]) : integer
11086 Returns the average session rate from the incoming connection's source
11087 address in the current proxy's stick-table or in the designated stick-table,
11088 measured in amount of sessions over the period configured in the table. A
11089 session is a connection that went past the early "tcp-request" rules. If the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011090 address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011091
Willy Tarreau74ca5042013-06-11 23:12:07 +020011092src_updt_conn_cnt([<table>]) : integer
11093 Creates or updates the entry associated to the incoming connection's source
11094 address in the current proxy's stick-table or in the designated stick-table.
11095 This table must be configured to store the "conn_cnt" data type, otherwise
11096 the match will be ignored. The current count is incremented by one, and the
11097 expiration timer refreshed. The updated count is returned, so this match
11098 can't return zero. This was used to reject service abusers based on their
11099 source address. Note: it is recommended to use the more complete "track-sc*"
11100 actions in "tcp-request" rules instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020011101
11102 Example :
11103 # This frontend limits incoming SSH connections to 3 per 10 second for
11104 # each source address, and rejects excess connections until a 10 second
11105 # silence is observed. At most 20 addresses are tracked.
11106 listen ssh
11107 bind :22
11108 mode tcp
11109 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +020011110 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreau74ca5042013-06-11 23:12:07 +020011111 tcp-request content reject if { src_updt_conn_cnt gt 3 }
Willy Tarreaua975b8f2010-06-05 19:13:27 +020011112 server local 127.0.0.1:22
11113
Willy Tarreau74ca5042013-06-11 23:12:07 +020011114srv_id : integer
11115 Returns an integer containing the server's id when processing the response.
11116 While it's almost only used with ACLs, it may be used for logging or
11117 debugging.
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +020011118
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +010011119
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200111207.3.4. Fetching samples at Layer 5
Willy Tarreau74ca5042013-06-11 23:12:07 +020011121----------------------------------
Willy Tarreau0b1cd942010-05-16 22:18:27 +020011122
Willy Tarreau74ca5042013-06-11 23:12:07 +020011123The layer 5 usually describes just the session layer which in haproxy is
11124closest to the session once all the connection handshakes are finished, but
11125when no content is yet made available. The fetch methods described here are
11126usable as low as the "tcp-request content" rule sets unless they require some
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011127future information. Those generally include the results of SSL negotiations.
Willy Tarreauc735a072011-03-29 00:57:02 +020011128
Emeric Brun645ae792014-04-30 14:21:06 +020011129ssl_bc : boolean
11130 Returns true when the back connection was made via an SSL/TLS transport
11131 layer and is locally deciphered. This means the outgoing connection was made
11132 other a server with the "ssl" option.
11133
11134ssl_bc_alg_keysize : integer
11135 Returns the symmetric cipher key size supported in bits when the outgoing
11136 connection was made over an SSL/TLS transport layer.
11137
11138ssl_bc_cipher : string
11139 Returns the name of the used cipher when the outgoing connection was made
11140 over an SSL/TLS transport layer.
11141
11142ssl_bc_protocol : string
11143 Returns the name of the used protocol when the outgoing connection was made
11144 over an SSL/TLS transport layer.
11145
Emeric Brunb73a9b02014-04-30 18:49:19 +020011146ssl_bc_unique_id : binary
Emeric Brun645ae792014-04-30 14:21:06 +020011147 When the outgoing connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020011148 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
11149 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
Emeric Brun645ae792014-04-30 14:21:06 +020011150
11151ssl_bc_session_id : binary
11152 Returns the SSL ID of the back connection when the outgoing connection was
11153 made over an SSL/TLS transport layer. It is useful to log if we want to know
11154 if session was reused or not.
11155
11156ssl_bc_use_keysize : integer
11157 Returns the symmetric cipher key size used in bits when the outgoing
11158 connection was made over an SSL/TLS transport layer.
11159
Willy Tarreau74ca5042013-06-11 23:12:07 +020011160ssl_c_ca_err : integer
11161 When the incoming connection was made over an SSL/TLS transport layer,
11162 returns the ID of the first error detected during verification of the client
11163 certificate at depth > 0, or 0 if no error was encountered during this
11164 verification process. Please refer to your SSL library's documentation to
11165 find the exhaustive list of error codes.
Willy Tarreauc735a072011-03-29 00:57:02 +020011166
Willy Tarreau74ca5042013-06-11 23:12:07 +020011167ssl_c_ca_err_depth : integer
11168 When the incoming connection was made over an SSL/TLS transport layer,
11169 returns the depth in the CA chain of the first error detected during the
11170 verification of the client certificate. If no error is encountered, 0 is
11171 returned.
Willy Tarreau0ba27502007-12-24 16:55:16 +010011172
Emeric Brun43e79582014-10-29 19:03:26 +010011173ssl_c_der : binary
11174 Returns the DER formatted certificate presented by the client when the
11175 incoming connection was made over an SSL/TLS transport layer. When used for
11176 an ACL, the value(s) to match against can be passed in hexadecimal form.
11177
Willy Tarreau74ca5042013-06-11 23:12:07 +020011178ssl_c_err : integer
11179 When the incoming connection was made over an SSL/TLS transport layer,
11180 returns the ID of the first error detected during verification at depth 0, or
11181 0 if no error was encountered during this verification process. Please refer
11182 to your SSL library's documentation to find the exhaustive list of error
11183 codes.
Willy Tarreau62644772008-07-16 18:36:06 +020011184
Willy Tarreau74ca5042013-06-11 23:12:07 +020011185ssl_c_i_dn([<entry>[,<occ>]]) : string
11186 When the incoming connection was made over an SSL/TLS transport layer,
11187 returns the full distinguished name of the issuer of the certificate
11188 presented by the client when no <entry> is specified, or the value of the
11189 first given entry found from the beginning of the DN. If a positive/negative
11190 occurrence number is specified as the optional second argument, it returns
11191 the value of the nth given entry value from the beginning/end of the DN.
11192 For instance, "ssl_c_i_dn(OU,2)" the second organization unit, and
11193 "ssl_c_i_dn(CN)" retrieves the common name.
Willy Tarreau62644772008-07-16 18:36:06 +020011194
Willy Tarreau74ca5042013-06-11 23:12:07 +020011195ssl_c_key_alg : string
11196 Returns the name of the algorithm used to generate the key of the certificate
11197 presented by the client when the incoming connection was made over an SSL/TLS
11198 transport layer.
Willy Tarreau62644772008-07-16 18:36:06 +020011199
Willy Tarreau74ca5042013-06-11 23:12:07 +020011200ssl_c_notafter : string
11201 Returns the end date presented by the client as a formatted string
11202 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11203 transport layer.
Emeric Brunbede3d02009-06-30 17:54:00 +020011204
Willy Tarreau74ca5042013-06-11 23:12:07 +020011205ssl_c_notbefore : string
11206 Returns the start date presented by the client as a formatted string
11207 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11208 transport layer.
Willy Tarreaub6672b52011-12-12 17:23:41 +010011209
Willy Tarreau74ca5042013-06-11 23:12:07 +020011210ssl_c_s_dn([<entry>[,<occ>]]) : string
11211 When the incoming connection was made over an SSL/TLS transport layer,
11212 returns the full distinguished name of the subject of the certificate
11213 presented by the client when no <entry> is specified, or the value of the
11214 first given entry found from the beginning of the DN. If a positive/negative
11215 occurrence number is specified as the optional second argument, it returns
11216 the value of the nth given entry value from the beginning/end of the DN.
11217 For instance, "ssl_c_s_dn(OU,2)" the second organization unit, and
11218 "ssl_c_s_dn(CN)" retrieves the common name.
Willy Tarreaub6672b52011-12-12 17:23:41 +010011219
Willy Tarreau74ca5042013-06-11 23:12:07 +020011220ssl_c_serial : binary
11221 Returns the serial of the certificate presented by the client when the
11222 incoming connection was made over an SSL/TLS transport layer. When used for
11223 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun2525b6b2012-10-18 15:59:43 +020011224
Willy Tarreau74ca5042013-06-11 23:12:07 +020011225ssl_c_sha1 : binary
11226 Returns the SHA-1 fingerprint of the certificate presented by the client when
11227 the incoming connection was made over an SSL/TLS transport layer. This can be
11228 used to stick a client to a server, or to pass this information to a server.
Willy Tarreau2d0caa32014-07-02 19:01:22 +020011229 Note that the output is binary, so if you want to pass that signature to the
11230 server, you need to encode it in hex or base64, such as in the example below:
11231
11232 http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
Emeric Brun2525b6b2012-10-18 15:59:43 +020011233
Willy Tarreau74ca5042013-06-11 23:12:07 +020011234ssl_c_sig_alg : string
11235 Returns the name of the algorithm used to sign the certificate presented by
11236 the client when the incoming connection was made over an SSL/TLS transport
11237 layer.
Emeric Brun87855892012-10-17 17:39:35 +020011238
Willy Tarreau74ca5042013-06-11 23:12:07 +020011239ssl_c_used : boolean
11240 Returns true if current SSL session uses a client certificate even if current
11241 connection uses SSL session resumption. See also "ssl_fc_has_crt".
Emeric Brun7f56e742012-10-19 18:15:40 +020011242
Willy Tarreau74ca5042013-06-11 23:12:07 +020011243ssl_c_verify : integer
11244 Returns the verify result error ID when the incoming connection was made over
11245 an SSL/TLS transport layer, otherwise zero if no error is encountered. Please
11246 refer to your SSL library's documentation for an exhaustive list of error
11247 codes.
Emeric Brunce5ad802012-10-22 14:11:22 +020011248
Willy Tarreau74ca5042013-06-11 23:12:07 +020011249ssl_c_version : integer
11250 Returns the version of the certificate presented by the client when the
11251 incoming connection was made over an SSL/TLS transport layer.
Emeric Brunce5ad802012-10-22 14:11:22 +020011252
Emeric Brun43e79582014-10-29 19:03:26 +010011253ssl_f_der : binary
11254 Returns the DER formatted certificate presented by the frontend when the
11255 incoming connection was made over an SSL/TLS transport layer. When used for
11256 an ACL, the value(s) to match against can be passed in hexadecimal form.
11257
Willy Tarreau74ca5042013-06-11 23:12:07 +020011258ssl_f_i_dn([<entry>[,<occ>]]) : string
11259 When the incoming connection was made over an SSL/TLS transport layer,
11260 returns the full distinguished name of the issuer of the certificate
11261 presented by the frontend when no <entry> is specified, or the value of the
11262 first given entry found from the beginning of the DN. If a positive/negative
Emeric Brun87855892012-10-17 17:39:35 +020011263 occurrence number is specified as the optional second argument, it returns
Willy Tarreau74ca5042013-06-11 23:12:07 +020011264 the value of the nth given entry value from the beginning/end of the DN.
11265 For instance, "ssl_f_i_dn(OU,2)" the second organization unit, and
11266 "ssl_f_i_dn(CN)" retrieves the common name.
Emeric Brun87855892012-10-17 17:39:35 +020011267
Willy Tarreau74ca5042013-06-11 23:12:07 +020011268ssl_f_key_alg : string
11269 Returns the name of the algorithm used to generate the key of the certificate
11270 presented by the frontend when the incoming connection was made over an
11271 SSL/TLS transport layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020011272
Willy Tarreau74ca5042013-06-11 23:12:07 +020011273ssl_f_notafter : string
11274 Returns the end date presented by the frontend as a formatted string
11275 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11276 transport layer.
Emeric Brun2525b6b2012-10-18 15:59:43 +020011277
Willy Tarreau74ca5042013-06-11 23:12:07 +020011278ssl_f_notbefore : string
11279 Returns the start date presented by the frontend as a formatted string
11280 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11281 transport layer.
Emeric Brun87855892012-10-17 17:39:35 +020011282
Willy Tarreau74ca5042013-06-11 23:12:07 +020011283ssl_f_s_dn([<entry>[,<occ>]]) : string
11284 When the incoming connection was made over an SSL/TLS transport layer,
11285 returns the full distinguished name of the subject of the certificate
11286 presented by the frontend when no <entry> is specified, or the value of the
11287 first given entry found from the beginning of the DN. If a positive/negative
11288 occurrence number is specified as the optional second argument, it returns
11289 the value of the nth given entry value from the beginning/end of the DN.
11290 For instance, "ssl_f_s_dn(OU,2)" the second organization unit, and
11291 "ssl_f_s_dn(CN)" retrieves the common name.
Emeric Brunce5ad802012-10-22 14:11:22 +020011292
Willy Tarreau74ca5042013-06-11 23:12:07 +020011293ssl_f_serial : binary
11294 Returns the serial of the certificate presented by the frontend when the
11295 incoming connection was made over an SSL/TLS transport layer. When used for
11296 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun87855892012-10-17 17:39:35 +020011297
Emeric Brun55f4fa82014-04-30 17:11:25 +020011298ssl_f_sha1 : binary
11299 Returns the SHA-1 fingerprint of the certificate presented by the frontend
11300 when the incoming connection was made over an SSL/TLS transport layer. This
11301 can be used to know which certificate was chosen using SNI.
11302
Willy Tarreau74ca5042013-06-11 23:12:07 +020011303ssl_f_sig_alg : string
11304 Returns the name of the algorithm used to sign the certificate presented by
11305 the frontend when the incoming connection was made over an SSL/TLS transport
11306 layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020011307
Willy Tarreau74ca5042013-06-11 23:12:07 +020011308ssl_f_version : integer
11309 Returns the version of the certificate presented by the frontend when the
11310 incoming connection was made over an SSL/TLS transport layer.
11311
11312ssl_fc : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020011313 Returns true when the front connection was made via an SSL/TLS transport
11314 layer and is locally deciphered. This means it has matched a socket declared
11315 with a "bind" line having the "ssl" option.
11316
Willy Tarreau74ca5042013-06-11 23:12:07 +020011317 Example :
11318 # This passes "X-Proto: https" to servers when client connects over SSL
11319 listen http-https
11320 bind :80
11321 bind :443 ssl crt /etc/haproxy.pem
11322 http-request add-header X-Proto https if { ssl_fc }
11323
11324ssl_fc_alg_keysize : integer
11325 Returns the symmetric cipher key size supported in bits when the incoming
11326 connection was made over an SSL/TLS transport layer.
11327
11328ssl_fc_alpn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011329 This extracts the Application Layer Protocol Negotiation field from an
Willy Tarreau74ca5042013-06-11 23:12:07 +020011330 incoming connection made via a TLS transport layer and locally deciphered by
11331 haproxy. The result is a string containing the protocol name advertised by
11332 the client. The SSL library must have been built with support for TLS
11333 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
11334 not advertised unless the "alpn" keyword on the "bind" line specifies a
11335 protocol list. Also, nothing forces the client to pick a protocol from this
11336 list, any other one may be requested. The TLS ALPN extension is meant to
11337 replace the TLS NPN extension. See also "ssl_fc_npn".
11338
Willy Tarreau74ca5042013-06-11 23:12:07 +020011339ssl_fc_cipher : string
11340 Returns the name of the used cipher when the incoming connection was made
11341 over an SSL/TLS transport layer.
Willy Tarreauab861d32013-04-02 02:30:41 +020011342
Willy Tarreau74ca5042013-06-11 23:12:07 +020011343ssl_fc_has_crt : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020011344 Returns true if a client certificate is present in an incoming connection over
11345 SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Emeric Brun9143d372012-12-20 15:44:16 +010011346 Note: on SSL session resumption with Session ID or TLS ticket, client
11347 certificate is not present in the current connection but may be retrieved
11348 from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
11349 current SSL session uses a client certificate.
Emeric Brun2525b6b2012-10-18 15:59:43 +020011350
Willy Tarreau74ca5042013-06-11 23:12:07 +020011351ssl_fc_has_sni : boolean
11352 This checks for the presence of a Server Name Indication TLS extension (SNI)
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020011353 in an incoming connection was made over an SSL/TLS transport layer. Returns
11354 true when the incoming connection presents a TLS SNI field. This requires
11355 that the SSL library is build with support for TLS extensions enabled (check
11356 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +020011357
Willy Tarreau74ca5042013-06-11 23:12:07 +020011358ssl_fc_npn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011359 This extracts the Next Protocol Negotiation field from an incoming connection
Willy Tarreau74ca5042013-06-11 23:12:07 +020011360 made via a TLS transport layer and locally deciphered by haproxy. The result
11361 is a string containing the protocol name advertised by the client. The SSL
11362 library must have been built with support for TLS extensions enabled (check
11363 haproxy -vv). Note that the TLS NPN extension is not advertised unless the
11364 "npn" keyword on the "bind" line specifies a protocol list. Also, nothing
11365 forces the client to pick a protocol from this list, any other one may be
11366 requested. Please note that the TLS NPN extension was replaced with ALPN.
Willy Tarreaua33c6542012-10-15 13:19:06 +020011367
Willy Tarreau74ca5042013-06-11 23:12:07 +020011368ssl_fc_protocol : string
11369 Returns the name of the used protocol when the incoming connection was made
11370 over an SSL/TLS transport layer.
Willy Tarreau7875d092012-09-10 08:20:03 +020011371
Emeric Brunb73a9b02014-04-30 18:49:19 +020011372ssl_fc_unique_id : binary
David Sc1ad52e2014-04-08 18:48:47 -040011373 When the incoming connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020011374 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
11375 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
David Sc1ad52e2014-04-08 18:48:47 -040011376
Willy Tarreau74ca5042013-06-11 23:12:07 +020011377ssl_fc_session_id : binary
11378 Returns the SSL ID of the front connection when the incoming connection was
11379 made over an SSL/TLS transport layer. It is useful to stick a given client to
11380 a server. It is important to note that some browsers refresh their session ID
11381 every few minutes.
Willy Tarreau7875d092012-09-10 08:20:03 +020011382
Willy Tarreau74ca5042013-06-11 23:12:07 +020011383ssl_fc_sni : string
11384 This extracts the Server Name Indication TLS extension (SNI) field from an
11385 incoming connection made via an SSL/TLS transport layer and locally
11386 deciphered by haproxy. The result (when present) typically is a string
11387 matching the HTTPS host name (253 chars or less). The SSL library must have
11388 been built with support for TLS extensions enabled (check haproxy -vv).
11389
11390 This fetch is different from "req_ssl_sni" above in that it applies to the
11391 connection being deciphered by haproxy and not to SSL contents being blindly
11392 forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +020011393 requires that the SSL library is build with support for TLS extensions
11394 enabled (check haproxy -vv).
Willy Tarreau62644772008-07-16 18:36:06 +020011395
Willy Tarreau74ca5042013-06-11 23:12:07 +020011396 ACL derivatives :
Willy Tarreau74ca5042013-06-11 23:12:07 +020011397 ssl_fc_sni_end : suffix match
11398 ssl_fc_sni_reg : regex match
Emeric Brun589fcad2012-10-16 14:13:26 +020011399
Willy Tarreau74ca5042013-06-11 23:12:07 +020011400ssl_fc_use_keysize : integer
11401 Returns the symmetric cipher key size used in bits when the incoming
11402 connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020011403
Willy Tarreaub6fb4202008-07-20 11:18:28 +020011404
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200114057.3.5. Fetching samples from buffer contents (Layer 6)
Willy Tarreau74ca5042013-06-11 23:12:07 +020011406------------------------------------------------------
Willy Tarreaub6fb4202008-07-20 11:18:28 +020011407
Willy Tarreau74ca5042013-06-11 23:12:07 +020011408Fetching samples from buffer contents is a bit different from the previous
11409sample fetches above because the sampled data are ephemeral. These data can
11410only be used when they're available and will be lost when they're forwarded.
11411For this reason, samples fetched from buffer contents during a request cannot
11412be used in a response for example. Even while the data are being fetched, they
11413can change. Sometimes it is necessary to set some delays or combine multiple
11414sample fetch methods to ensure that the expected data are complete and usable,
11415for example through TCP request content inspection. Please see the "tcp-request
11416content" keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +020011417
Willy Tarreau74ca5042013-06-11 23:12:07 +020011418payload(<offset>,<length>) : binary (deprecated)
11419 This is an alias for "req.payload" when used in the context of a request (eg:
11420 "stick on", "stick match"), and for "res.payload" when used in the context of
11421 a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010011422
Willy Tarreau74ca5042013-06-11 23:12:07 +020011423payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated)
11424 This is an alias for "req.payload_lv" when used in the context of a request
11425 (eg: "stick on", "stick match"), and for "res.payload_lv" when used in the
11426 context of a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010011427
Willy Tarreau74ca5042013-06-11 23:12:07 +020011428req.len : integer
11429req_len : integer (deprecated)
11430 Returns an integer value corresponding to the number of bytes present in the
11431 request buffer. This is mostly used in ACL. It is important to understand
11432 that this test does not return false as long as the buffer is changing. This
11433 means that a check with equality to zero will almost always immediately match
11434 at the beginning of the session, while a test for more data will wait for
11435 that data to come in and return false only when haproxy is certain that no
11436 more data will come in. This test was designed to be used with TCP request
11437 content inspection.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011438
Willy Tarreau74ca5042013-06-11 23:12:07 +020011439req.payload(<offset>,<length>) : binary
11440 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020011441 in the request buffer. As a special case, if the <length> argument is zero,
11442 the the whole buffer from <offset> to the end is extracted. This can be used
11443 with ACLs in order to check for the presence of some content in a buffer at
11444 any location.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011445
Willy Tarreau74ca5042013-06-11 23:12:07 +020011446 ACL alternatives :
11447 payload(<offset>,<length>) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011448
Willy Tarreau74ca5042013-06-11 23:12:07 +020011449req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
11450 This extracts a binary block whose size is specified at <offset1> for <length>
11451 bytes, and which starts at <offset2> if specified or just after the length in
11452 the request buffer. The <offset2> parameter also supports relative offsets if
11453 prepended with a '+' or '-' sign.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011454
Willy Tarreau74ca5042013-06-11 23:12:07 +020011455 ACL alternatives :
11456 payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011457
Willy Tarreau74ca5042013-06-11 23:12:07 +020011458 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011459
Willy Tarreau74ca5042013-06-11 23:12:07 +020011460req.proto_http : boolean
11461req_proto_http : boolean (deprecated)
11462 Returns true when data in the request buffer look like HTTP and correctly
11463 parses as such. It is the same parser as the common HTTP request parser which
11464 is used so there should be no surprises. The test does not match until the
11465 request is complete, failed or timed out. This test may be used to report the
11466 protocol in TCP logs, but the biggest use is to block TCP request analysis
11467 until a complete HTTP request is present in the buffer, for example to track
11468 a header.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011469
Willy Tarreau74ca5042013-06-11 23:12:07 +020011470 Example:
11471 # track request counts per "base" (concatenation of Host+URL)
11472 tcp-request inspect-delay 10s
11473 tcp-request content reject if !HTTP
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011474 tcp-request content track-sc0 base table req-rate
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011475
Willy Tarreau74ca5042013-06-11 23:12:07 +020011476req.rdp_cookie([<name>]) : string
11477rdp_cookie([<name>]) : string (deprecated)
11478 When the request buffer looks like the RDP protocol, extracts the RDP cookie
11479 <name>, or any cookie if unspecified. The parser only checks for the first
11480 cookie, as illustrated in the RDP protocol specification. The cookie name is
11481 case insensitive. Generally the "MSTS" cookie name will be used, as it can
11482 contain the user name of the client connecting to the server if properly
11483 configured on the client. The "MSTSHASH" cookie is often used as well for
11484 session stickiness to servers.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011485
Willy Tarreau74ca5042013-06-11 23:12:07 +020011486 This differs from "balance rdp-cookie" in that any balancing algorithm may be
11487 used and thus the distribution of clients to backend servers is not linked to
11488 a hash of the RDP cookie. It is envisaged that using a balancing algorithm
11489 such as "balance roundrobin" or "balance leastconn" will lead to a more even
11490 distribution of clients to backend servers than the hash used by "balance
11491 rdp-cookie".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011492
Willy Tarreau74ca5042013-06-11 23:12:07 +020011493 ACL derivatives :
11494 req_rdp_cookie([<name>]) : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011495
Willy Tarreau74ca5042013-06-11 23:12:07 +020011496 Example :
11497 listen tse-farm
11498 bind 0.0.0.0:3389
11499 # wait up to 5s for an RDP cookie in the request
11500 tcp-request inspect-delay 5s
11501 tcp-request content accept if RDP_COOKIE
11502 # apply RDP cookie persistence
11503 persist rdp-cookie
11504 # Persist based on the mstshash cookie
11505 # This is only useful makes sense if
11506 # balance rdp-cookie is not used
11507 stick-table type string size 204800
11508 stick on req.rdp_cookie(mstshash)
11509 server srv1 1.1.1.1:3389
11510 server srv1 1.1.1.2:3389
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011511
Willy Tarreau74ca5042013-06-11 23:12:07 +020011512 See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
11513 "req_rdp_cookie" ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011514
Willy Tarreau74ca5042013-06-11 23:12:07 +020011515req.rdp_cookie_cnt([name]) : integer
11516rdp_cookie_cnt([name]) : integer (deprecated)
11517 Tries to parse the request buffer as RDP protocol, then returns an integer
11518 corresponding to the number of RDP cookies found. If an optional cookie name
11519 is passed, only cookies matching this name are considered. This is mostly
11520 used in ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011521
Willy Tarreau74ca5042013-06-11 23:12:07 +020011522 ACL derivatives :
11523 req_rdp_cookie_cnt([<name>]) : integer match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011524
Willy Tarreau74ca5042013-06-11 23:12:07 +020011525req.ssl_hello_type : integer
11526req_ssl_hello_type : integer (deprecated)
11527 Returns an integer value containing the type of the SSL hello message found
11528 in the request buffer if the buffer contains data that parse as a complete
11529 SSL (v3 or superior) client hello message. Note that this only applies to raw
11530 contents found in the request buffer and not to contents deciphered via an
11531 SSL data layer, so this will not work with "bind" lines having the "ssl"
11532 option. This is mostly used in ACL to detect presence of an SSL hello message
11533 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011534
Willy Tarreau74ca5042013-06-11 23:12:07 +020011535req.ssl_sni : string
11536req_ssl_sni : string (deprecated)
11537 Returns a string containing the value of the Server Name TLS extension sent
11538 by a client in a TLS stream passing through the request buffer if the buffer
11539 contains data that parse as a complete SSL (v3 or superior) client hello
11540 message. Note that this only applies to raw contents found in the request
11541 buffer and not to contents deciphered via an SSL data layer, so this will not
11542 work with "bind" lines having the "ssl" option. SNI normally contains the
11543 name of the host the client tries to connect to (for recent browsers). SNI is
11544 useful for allowing or denying access to certain hosts when SSL/TLS is used
11545 by the client. This test was designed to be used with TCP request content
11546 inspection. If content switching is needed, it is recommended to first wait
11547 for a complete client hello (type 1), like in the example below. See also
11548 "ssl_fc_sni".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011549
Willy Tarreau74ca5042013-06-11 23:12:07 +020011550 ACL derivatives :
11551 req_ssl_sni : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011552
Willy Tarreau74ca5042013-06-11 23:12:07 +020011553 Examples :
11554 # Wait for a client hello for at most 5 seconds
11555 tcp-request inspect-delay 5s
11556 tcp-request content accept if { req_ssl_hello_type 1 }
11557 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
11558 default_backend bk_sorry_page
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011559
Willy Tarreau74ca5042013-06-11 23:12:07 +020011560res.ssl_hello_type : integer
11561rep_ssl_hello_type : integer (deprecated)
11562 Returns an integer value containing the type of the SSL hello message found
11563 in the response buffer if the buffer contains data that parses as a complete
11564 SSL (v3 or superior) hello message. Note that this only applies to raw
11565 contents found in the response buffer and not to contents deciphered via an
11566 SSL data layer, so this will not work with "server" lines having the "ssl"
11567 option. This is mostly used in ACL to detect presence of an SSL hello message
11568 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau51539362012-05-08 12:46:28 +020011569
Willy Tarreau74ca5042013-06-11 23:12:07 +020011570req.ssl_ver : integer
11571req_ssl_ver : integer (deprecated)
11572 Returns an integer value containing the version of the SSL/TLS protocol of a
11573 stream present in the request buffer. Both SSLv2 hello messages and SSLv3
11574 messages are supported. TLSv1 is announced as SSL version 3.1. The value is
11575 composed of the major version multiplied by 65536, added to the minor
11576 version. Note that this only applies to raw contents found in the request
11577 buffer and not to contents deciphered via an SSL data layer, so this will not
11578 work with "bind" lines having the "ssl" option. The ACL version of the test
11579 matches against a decimal notation in the form MAJOR.MINOR (eg: 3.1). This
11580 fetch is mostly used in ACL.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011581
Willy Tarreau74ca5042013-06-11 23:12:07 +020011582 ACL derivatives :
11583 req_ssl_ver : decimal match
Willy Tarreaud63335a2010-02-26 12:56:52 +010011584
Willy Tarreau47e8eba2013-09-11 23:28:46 +020011585res.len : integer
11586 Returns an integer value corresponding to the number of bytes present in the
11587 response buffer. This is mostly used in ACL. It is important to understand
11588 that this test does not return false as long as the buffer is changing. This
11589 means that a check with equality to zero will almost always immediately match
11590 at the beginning of the session, while a test for more data will wait for
11591 that data to come in and return false only when haproxy is certain that no
11592 more data will come in. This test was designed to be used with TCP response
11593 content inspection.
11594
Willy Tarreau74ca5042013-06-11 23:12:07 +020011595res.payload(<offset>,<length>) : binary
11596 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020011597 in the response buffer. As a special case, if the <length> argument is zero,
11598 the the whole buffer from <offset> to the end is extracted. This can be used
11599 with ACLs in order to check for the presence of some content in a buffer at
11600 any location.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011601
Willy Tarreau74ca5042013-06-11 23:12:07 +020011602res.payload_lv(<offset1>,<length>[,<offset2>]) : binary
11603 This extracts a binary block whose size is specified at <offset1> for <length>
11604 bytes, and which starts at <offset2> if specified or just after the length in
11605 the response buffer. The <offset2> parameter also supports relative offsets
11606 if prepended with a '+' or '-' sign.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011607
Willy Tarreau74ca5042013-06-11 23:12:07 +020011608 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011609
Willy Tarreau74ca5042013-06-11 23:12:07 +020011610wait_end : boolean
11611 This fetch either returns true when the inspection period is over, or does
11612 not fetch. It is only used in ACLs, in conjunction with content analysis to
11613 avoid returning a wrong verdict early. It may also be used to delay some
11614 actions, such as a delayed reject for some special addresses. Since it either
11615 stops the rules evaluation or immediately returns true, it is recommended to
11616 use this acl as the last one in a rule. Please note that the default ACL
11617 "WAIT_END" is always usable without prior declaration. This test was designed
11618 to be used with TCP request content inspection.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011619
Willy Tarreau74ca5042013-06-11 23:12:07 +020011620 Examples :
11621 # delay every incoming request by 2 seconds
11622 tcp-request inspect-delay 2s
11623 tcp-request content accept if WAIT_END
Willy Tarreaud63335a2010-02-26 12:56:52 +010011624
Willy Tarreau74ca5042013-06-11 23:12:07 +020011625 # don't immediately tell bad guys they are rejected
11626 tcp-request inspect-delay 10s
11627 acl goodguys src 10.0.0.0/24
11628 acl badguys src 10.0.1.0/24
11629 tcp-request content accept if goodguys
11630 tcp-request content reject if badguys WAIT_END
11631 tcp-request content reject
11632
11633
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200116347.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +020011635--------------------------------------
11636
11637It is possible to fetch samples from HTTP contents, requests and responses.
11638This application layer is also called layer 7. It is only possible to fetch the
11639data in this section when a full HTTP request or response has been parsed from
11640its respective request or response buffer. This is always the case with all
11641HTTP specific rules and for sections running with "mode http". When using TCP
11642content inspection, it may be necessary to support an inspection delay in order
11643to let the request or response come in first. These fetches may require a bit
11644more CPU resources than the layer 4 ones, but not much since the request and
11645response are indexed.
11646
11647base : string
11648 This returns the concatenation of the first Host header and the path part of
11649 the request, which starts at the first slash and ends before the question
11650 mark. It can be useful in virtual hosted environments to detect URL abuses as
11651 well as to improve shared caches efficiency. Using this with a limited size
11652 stick table also allows one to collect statistics about most commonly
11653 requested objects by host/path. With ACLs it can allow simple content
11654 switching rules involving the host and the path at the same time, such as
11655 "www.example.com/favicon.ico". See also "path" and "uri".
11656
11657 ACL derivatives :
11658 base : exact string match
11659 base_beg : prefix match
11660 base_dir : subdir match
11661 base_dom : domain match
11662 base_end : suffix match
11663 base_len : length match
11664 base_reg : regex match
11665 base_sub : substring match
11666
11667base32 : integer
11668 This returns a 32-bit hash of the value returned by the "base" fetch method
11669 above. This is useful to track per-URL activity on high traffic sites without
11670 having to store all URLs. Instead a shorter hash is stored, saving a lot of
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020011671 memory. The output type is an unsigned integer. The hash function used is
11672 SDBM with full avalanche on the output. Technically, base32 is exactly equal
11673 to "base,sdbm(1)".
Willy Tarreau74ca5042013-06-11 23:12:07 +020011674
11675base32+src : binary
11676 This returns the concatenation of the base32 fetch above and the src fetch
11677 below. The resulting type is of type binary, with a size of 8 or 20 bytes
11678 depending on the source address family. This can be used to track per-IP,
11679 per-URL counters.
11680
William Lallemand65ad6e12014-01-31 15:08:02 +010011681capture.req.hdr(<idx>) : string
11682 This extracts the content of the header captured by the "capture request
11683 header", idx is the position of the capture keyword in the configuration.
11684 The first entry is an index of 0. See also: "capture request header".
11685
11686capture.req.method : string
11687 This extracts the METHOD of an HTTP request. It can be used in both request
11688 and response. Unlike "method", it can be used in both request and response
11689 because it's allocated.
11690
11691capture.req.uri : string
11692 This extracts the request's URI, which starts at the first slash and ends
11693 before the first space in the request (without the host part). Unlike "path"
11694 and "url", it can be used in both request and response because it's
11695 allocated.
11696
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020011697capture.req.ver : string
11698 This extracts the request's HTTP version and returns either "HTTP/1.0" or
11699 "HTTP/1.1". Unlike "req.ver", it can be used in both request, response, and
11700 logs because it relies on a persistent flag.
11701
William Lallemand65ad6e12014-01-31 15:08:02 +010011702capture.res.hdr(<idx>) : string
11703 This extracts the content of the header captured by the "capture response
11704 header", idx is the position of the capture keyword in the configuration.
11705 The first entry is an index of 0.
11706 See also: "capture response header"
11707
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020011708capture.res.ver : string
11709 This extracts the response's HTTP version and returns either "HTTP/1.0" or
11710 "HTTP/1.1". Unlike "res.ver", it can be used in logs because it relies on a
11711 persistent flag.
11712
Willy Tarreau74ca5042013-06-11 23:12:07 +020011713req.cook([<name>]) : string
11714cook([<name>]) : string (deprecated)
11715 This extracts the last occurrence of the cookie name <name> on a "Cookie"
11716 header line from the request, and returns its value as string. If no name is
11717 specified, the first cookie value is returned. When used with ACLs, all
11718 matching cookies are evaluated. Spaces around the name and the value are
11719 ignored as requested by the Cookie header specification (RFC6265). The cookie
11720 name is case-sensitive. Empty cookies are valid, so an empty cookie may very
11721 well return an empty value if it is present. Use the "found" match to detect
11722 presence. Use the res.cook() variant for response cookies sent by the server.
11723
11724 ACL derivatives :
11725 cook([<name>]) : exact string match
11726 cook_beg([<name>]) : prefix match
11727 cook_dir([<name>]) : subdir match
11728 cook_dom([<name>]) : domain match
11729 cook_end([<name>]) : suffix match
11730 cook_len([<name>]) : length match
11731 cook_reg([<name>]) : regex match
11732 cook_sub([<name>]) : substring match
Willy Tarreaud63335a2010-02-26 12:56:52 +010011733
Willy Tarreau74ca5042013-06-11 23:12:07 +020011734req.cook_cnt([<name>]) : integer
11735cook_cnt([<name>]) : integer (deprecated)
11736 Returns an integer value representing the number of occurrences of the cookie
11737 <name> in the request, or all cookies if <name> is not specified.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011738
Willy Tarreau74ca5042013-06-11 23:12:07 +020011739req.cook_val([<name>]) : integer
11740cook_val([<name>]) : integer (deprecated)
11741 This extracts the last occurrence of the cookie name <name> on a "Cookie"
11742 header line from the request, and converts its value to an integer which is
11743 returned. If no name is specified, the first cookie value is returned. When
11744 used in ACLs, all matching names are iterated over until a value matches.
Willy Tarreau0e698542011-09-16 08:32:32 +020011745
Willy Tarreau74ca5042013-06-11 23:12:07 +020011746cookie([<name>]) : string (deprecated)
11747 This extracts the last occurrence of the cookie name <name> on a "Cookie"
11748 header line from the request, or a "Set-Cookie" header from the response, and
11749 returns its value as a string. A typical use is to get multiple clients
11750 sharing a same profile use the same server. This can be similar to what
11751 "appsession" does with the "request-learn" statement, but with support for
11752 multi-peer synchronization and state keeping across restarts. If no name is
11753 specified, the first cookie value is returned. This fetch should not be used
11754 anymore and should be replaced by req.cook() or res.cook() instead as it
11755 ambiguously uses the direction based on the context where it is used.
11756 See also : "appsession".
Willy Tarreaud63335a2010-02-26 12:56:52 +010011757
Willy Tarreau74ca5042013-06-11 23:12:07 +020011758hdr([<name>[,<occ>]]) : string
11759 This is equivalent to req.hdr() when used on requests, and to res.hdr() when
11760 used on responses. Please refer to these respective fetches for more details.
11761 In case of doubt about the fetch direction, please use the explicit ones.
11762 Note that contrary to the hdr() sample fetch method, the hdr_* ACL keywords
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011763 unambiguously apply to the request headers.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011764
Willy Tarreau74ca5042013-06-11 23:12:07 +020011765req.fhdr(<name>[,<occ>]) : string
11766 This extracts the last occurrence of header <name> in an HTTP request. When
11767 used from an ACL, all occurrences are iterated over until a match is found.
11768 Optionally, a specific occurrence might be specified as a position number.
11769 Positive values indicate a position from the first occurrence, with 1 being
11770 the first one. Negative values indicate positions relative to the last one,
11771 with -1 being the last one. It differs from req.hdr() in that any commas
11772 present in the value are returned and are not used as delimiters. This is
11773 sometimes useful with headers such as User-Agent.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011774
Willy Tarreau74ca5042013-06-11 23:12:07 +020011775req.fhdr_cnt([<name>]) : integer
11776 Returns an integer value representing the number of occurrences of request
11777 header field name <name>, or the total number of header fields if <name> is
11778 not specified. Contrary to its req.hdr_cnt() cousin, this function returns
11779 the number of full line headers and does not stop on commas.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011780
Willy Tarreau74ca5042013-06-11 23:12:07 +020011781req.hdr([<name>[,<occ>]]) : string
11782 This extracts the last occurrence of header <name> in an HTTP request. When
11783 used from an ACL, all occurrences are iterated over until a match is found.
11784 Optionally, a specific occurrence might be specified as a position number.
11785 Positive values indicate a position from the first occurrence, with 1 being
11786 the first one. Negative values indicate positions relative to the last one,
11787 with -1 being the last one. A typical use is with the X-Forwarded-For header
11788 once converted to IP, associated with an IP stick-table. The function
11789 considers any comma as a delimiter for distinct values. If full-line headers
11790 are desired instead, use req.fhdr(). Please carefully check RFC2616 to know
11791 how certain headers are supposed to be parsed. Also, some of them are case
11792 insensitive (eg: Connection).
Willy Tarreaud63335a2010-02-26 12:56:52 +010011793
Willy Tarreau74ca5042013-06-11 23:12:07 +020011794 ACL derivatives :
11795 hdr([<name>[,<occ>]]) : exact string match
11796 hdr_beg([<name>[,<occ>]]) : prefix match
11797 hdr_dir([<name>[,<occ>]]) : subdir match
11798 hdr_dom([<name>[,<occ>]]) : domain match
11799 hdr_end([<name>[,<occ>]]) : suffix match
11800 hdr_len([<name>[,<occ>]]) : length match
11801 hdr_reg([<name>[,<occ>]]) : regex match
11802 hdr_sub([<name>[,<occ>]]) : substring match
11803
11804req.hdr_cnt([<name>]) : integer
11805hdr_cnt([<header>]) : integer (deprecated)
11806 Returns an integer value representing the number of occurrences of request
11807 header field name <name>, or the total number of header field values if
11808 <name> is not specified. It is important to remember that one header line may
11809 count as several headers if it has several values. The function considers any
11810 comma as a delimiter for distinct values. If full-line headers are desired
11811 instead, req.fhdr_cnt() should be used instead. With ACLs, it can be used to
11812 detect presence, absence or abuse of a specific header, as well as to block
11813 request smuggling attacks by rejecting requests which contain more than one
11814 of certain headers. See "req.hdr" for more information on header matching.
11815
11816req.hdr_ip([<name>[,<occ>]]) : ip
11817hdr_ip([<name>[,<occ>]]) : ip (deprecated)
11818 This extracts the last occurrence of header <name> in an HTTP request,
11819 converts it to an IPv4 or IPv6 address and returns this address. When used
11820 with ACLs, all occurrences are checked, and if <name> is omitted, every value
11821 of every header is checked. Optionally, a specific occurrence might be
11822 specified as a position number. Positive values indicate a position from the
11823 first occurrence, with 1 being the first one. Negative values indicate
11824 positions relative to the last one, with -1 being the last one. A typical use
11825 is with the X-Forwarded-For and X-Client-IP headers.
11826
11827req.hdr_val([<name>[,<occ>]]) : integer
11828hdr_val([<name>[,<occ>]]) : integer (deprecated)
11829 This extracts the last occurrence of header <name> in an HTTP request, and
11830 converts it to an integer value. When used with ACLs, all occurrences are
11831 checked, and if <name> is omitted, every value of every header is checked.
11832 Optionally, a specific occurrence might be specified as a position number.
11833 Positive values indicate a position from the first occurrence, with 1 being
11834 the first one. Negative values indicate positions relative to the last one,
11835 with -1 being the last one. A typical use is with the X-Forwarded-For header.
11836
11837http_auth(<userlist>) : boolean
11838 Returns a boolean indicating whether the authentication data received from
11839 the client match a username & password stored in the specified userlist. This
11840 fetch function is not really useful outside of ACLs. Currently only http
11841 basic auth is supported.
11842
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010011843http_auth_group(<userlist>) : string
11844 Returns a string corresponding to the user name found in the authentication
11845 data received from the client if both the user name and password are valid
11846 according to the specified userlist. The main purpose is to use it in ACLs
11847 where it is then checked whether the user belongs to any group within a list.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011848 This fetch function is not really useful outside of ACLs. Currently only http
11849 basic auth is supported.
11850
11851 ACL derivatives :
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010011852 http_auth_group(<userlist>) : group ...
11853 Returns true when the user extracted from the request and whose password is
11854 valid according to the specified userlist belongs to at least one of the
11855 groups.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011856
11857http_first_req : boolean
Willy Tarreau7f18e522010-10-22 20:04:13 +020011858 Returns true when the request being processed is the first one of the
11859 connection. This can be used to add or remove headers that may be missing
Willy Tarreau74ca5042013-06-11 23:12:07 +020011860 from some requests when a request is not the first one, or to help grouping
11861 requests in the logs.
Willy Tarreau7f18e522010-10-22 20:04:13 +020011862
Willy Tarreau74ca5042013-06-11 23:12:07 +020011863method : integer + string
11864 Returns an integer value corresponding to the method in the HTTP request. For
11865 example, "GET" equals 1 (check sources to establish the matching). Value 9
11866 means "other method" and may be converted to a string extracted from the
11867 stream. This should not be used directly as a sample, this is only meant to
11868 be used from ACLs, which transparently convert methods from patterns to these
11869 integer + string values. Some predefined ACL already check for most common
11870 methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011871
Willy Tarreau74ca5042013-06-11 23:12:07 +020011872 ACL derivatives :
11873 method : case insensitive method match
Willy Tarreau6a06a402007-07-15 20:15:28 +020011874
Willy Tarreau74ca5042013-06-11 23:12:07 +020011875 Example :
11876 # only accept GET and HEAD requests
11877 acl valid_method method GET HEAD
11878 http-request deny if ! valid_method
Willy Tarreau6a06a402007-07-15 20:15:28 +020011879
Willy Tarreau74ca5042013-06-11 23:12:07 +020011880path : string
11881 This extracts the request's URL path, which starts at the first slash and
11882 ends before the question mark (without the host part). A typical use is with
11883 prefetch-capable caches, and with portals which need to aggregate multiple
11884 information from databases and keep them in caches. Note that with outgoing
11885 caches, it would be wiser to use "url" instead. With ACLs, it's typically
11886 used to match exact file names (eg: "/login.php"), or directory parts using
11887 the derivative forms. See also the "url" and "base" fetch methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011888
Willy Tarreau74ca5042013-06-11 23:12:07 +020011889 ACL derivatives :
11890 path : exact string match
11891 path_beg : prefix match
11892 path_dir : subdir match
11893 path_dom : domain match
11894 path_end : suffix match
11895 path_len : length match
11896 path_reg : regex match
11897 path_sub : substring match
Willy Tarreau6a06a402007-07-15 20:15:28 +020011898
Willy Tarreau74ca5042013-06-11 23:12:07 +020011899req.ver : string
11900req_ver : string (deprecated)
11901 Returns the version string from the HTTP request, for example "1.1". This can
11902 be useful for logs, but is mostly there for ACL. Some predefined ACL already
11903 check for versions 1.0 and 1.1.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011904
Willy Tarreau74ca5042013-06-11 23:12:07 +020011905 ACL derivatives :
11906 req_ver : exact string match
Willy Tarreau0e698542011-09-16 08:32:32 +020011907
Willy Tarreau74ca5042013-06-11 23:12:07 +020011908res.comp : boolean
11909 Returns the boolean "true" value if the response has been compressed by
11910 HAProxy, otherwise returns boolean "false". This may be used to add
11911 information in the logs.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011912
Willy Tarreau74ca5042013-06-11 23:12:07 +020011913res.comp_algo : string
11914 Returns a string containing the name of the algorithm used if the response
11915 was compressed by HAProxy, for example : "deflate". This may be used to add
11916 some information in the logs.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011917
Willy Tarreau74ca5042013-06-11 23:12:07 +020011918res.cook([<name>]) : string
11919scook([<name>]) : string (deprecated)
11920 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
11921 header line from the response, and returns its value as string. If no name is
11922 specified, the first cookie value is returned.
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020011923
Willy Tarreau74ca5042013-06-11 23:12:07 +020011924 ACL derivatives :
11925 scook([<name>] : exact string match
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020011926
Willy Tarreau74ca5042013-06-11 23:12:07 +020011927res.cook_cnt([<name>]) : integer
11928scook_cnt([<name>]) : integer (deprecated)
11929 Returns an integer value representing the number of occurrences of the cookie
11930 <name> in the response, or all cookies if <name> is not specified. This is
11931 mostly useful when combined with ACLs to detect suspicious responses.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011932
Willy Tarreau74ca5042013-06-11 23:12:07 +020011933res.cook_val([<name>]) : integer
11934scook_val([<name>]) : integer (deprecated)
11935 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
11936 header line from the response, and converts its value to an integer which is
11937 returned. If no name is specified, the first cookie value is returned.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011938
Willy Tarreau74ca5042013-06-11 23:12:07 +020011939res.fhdr([<name>[,<occ>]]) : string
11940 This extracts the last occurrence of header <name> in an HTTP response, or of
11941 the last header if no <name> is specified. Optionally, a specific occurrence
11942 might be specified as a position number. Positive values indicate a position
11943 from the first occurrence, with 1 being the first one. Negative values
11944 indicate positions relative to the last one, with -1 being the last one. It
11945 differs from res.hdr() in that any commas present in the value are returned
11946 and are not used as delimiters. If this is not desired, the res.hdr() fetch
11947 should be used instead. This is sometimes useful with headers such as Date or
11948 Expires.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011949
Willy Tarreau74ca5042013-06-11 23:12:07 +020011950res.fhdr_cnt([<name>]) : integer
11951 Returns an integer value representing the number of occurrences of response
11952 header field name <name>, or the total number of header fields if <name> is
11953 not specified. Contrary to its res.hdr_cnt() cousin, this function returns
11954 the number of full line headers and does not stop on commas. If this is not
11955 desired, the res.hdr_cnt() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011956
Willy Tarreau74ca5042013-06-11 23:12:07 +020011957res.hdr([<name>[,<occ>]]) : string
11958shdr([<name>[,<occ>]]) : string (deprecated)
11959 This extracts the last occurrence of header <name> in an HTTP response, or of
11960 the last header if no <name> is specified. Optionally, a specific occurrence
11961 might be specified as a position number. Positive values indicate a position
11962 from the first occurrence, with 1 being the first one. Negative values
11963 indicate positions relative to the last one, with -1 being the last one. This
11964 can be useful to learn some data into a stick-table. The function considers
11965 any comma as a delimiter for distinct values. If this is not desired, the
11966 res.fhdr() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011967
Willy Tarreau74ca5042013-06-11 23:12:07 +020011968 ACL derivatives :
11969 shdr([<name>[,<occ>]]) : exact string match
11970 shdr_beg([<name>[,<occ>]]) : prefix match
11971 shdr_dir([<name>[,<occ>]]) : subdir match
11972 shdr_dom([<name>[,<occ>]]) : domain match
11973 shdr_end([<name>[,<occ>]]) : suffix match
11974 shdr_len([<name>[,<occ>]]) : length match
11975 shdr_reg([<name>[,<occ>]]) : regex match
11976 shdr_sub([<name>[,<occ>]]) : substring match
11977
11978res.hdr_cnt([<name>]) : integer
11979shdr_cnt([<name>]) : integer (deprecated)
11980 Returns an integer value representing the number of occurrences of response
11981 header field name <name>, or the total number of header fields if <name> is
11982 not specified. The function considers any comma as a delimiter for distinct
11983 values. If this is not desired, the res.fhdr_cnt() fetch should be used
11984 instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011985
Willy Tarreau74ca5042013-06-11 23:12:07 +020011986res.hdr_ip([<name>[,<occ>]]) : ip
11987shdr_ip([<name>[,<occ>]]) : ip (deprecated)
11988 This extracts the last occurrence of header <name> in an HTTP response,
11989 convert it to an IPv4 or IPv6 address and returns this address. Optionally, a
11990 specific occurrence might be specified as a position number. Positive values
11991 indicate a position from the first occurrence, with 1 being the first one.
11992 Negative values indicate positions relative to the last one, with -1 being
11993 the last one. This can be useful to learn some data into a stick table.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011994
Willy Tarreau74ca5042013-06-11 23:12:07 +020011995res.hdr_val([<name>[,<occ>]]) : integer
11996shdr_val([<name>[,<occ>]]) : integer (deprecated)
11997 This extracts the last occurrence of header <name> in an HTTP response, and
11998 converts it to an integer value. Optionally, a specific occurrence might be
11999 specified as a position number. Positive values indicate a position from the
12000 first occurrence, with 1 being the first one. Negative values indicate
12001 positions relative to the last one, with -1 being the last one. This can be
12002 useful to learn some data into a stick table.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010012003
Willy Tarreau74ca5042013-06-11 23:12:07 +020012004res.ver : string
12005resp_ver : string (deprecated)
12006 Returns the version string from the HTTP response, for example "1.1". This
12007 can be useful for logs, but is mostly there for ACL.
Willy Tarreau0e698542011-09-16 08:32:32 +020012008
Willy Tarreau74ca5042013-06-11 23:12:07 +020012009 ACL derivatives :
12010 resp_ver : exact string match
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010012011
Willy Tarreau74ca5042013-06-11 23:12:07 +020012012set-cookie([<name>]) : string (deprecated)
12013 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
12014 header line from the response and uses the corresponding value to match. This
12015 can be comparable to what "appsession" does with default options, but with
12016 support for multi-peer synchronization and state keeping across restarts.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010012017
Willy Tarreau74ca5042013-06-11 23:12:07 +020012018 This fetch function is deprecated and has been superseded by the "res.cook"
12019 fetch. This keyword will disappear soon.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010012020
Willy Tarreau74ca5042013-06-11 23:12:07 +020012021 See also : "appsession"
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012022
Willy Tarreau74ca5042013-06-11 23:12:07 +020012023status : integer
12024 Returns an integer containing the HTTP status code in the HTTP response, for
12025 example, 302. It is mostly used within ACLs and integer ranges, for example,
12026 to remove any Location header if the response is not a 3xx.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012027
Willy Tarreau74ca5042013-06-11 23:12:07 +020012028url : string
12029 This extracts the request's URL as presented in the request. A typical use is
12030 with prefetch-capable caches, and with portals which need to aggregate
12031 multiple information from databases and keep them in caches. With ACLs, using
12032 "path" is preferred over using "url", because clients may send a full URL as
12033 is normally done with proxies. The only real use is to match "*" which does
12034 not match in "path", and for which there is already a predefined ACL. See
12035 also "path" and "base".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012036
Willy Tarreau74ca5042013-06-11 23:12:07 +020012037 ACL derivatives :
12038 url : exact string match
12039 url_beg : prefix match
12040 url_dir : subdir match
12041 url_dom : domain match
12042 url_end : suffix match
12043 url_len : length match
12044 url_reg : regex match
12045 url_sub : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012046
Willy Tarreau74ca5042013-06-11 23:12:07 +020012047url_ip : ip
12048 This extracts the IP address from the request's URL when the host part is
12049 presented as an IP address. Its use is very limited. For instance, a
12050 monitoring system might use this field as an alternative for the source IP in
12051 order to test what path a given source address would follow, or to force an
12052 entry in a table for a given source address. With ACLs it can be used to
12053 restrict access to certain systems through a proxy, for example when combined
12054 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012055
Willy Tarreau74ca5042013-06-11 23:12:07 +020012056url_port : integer
12057 This extracts the port part from the request's URL. Note that if the port is
12058 not specified in the request, port 80 is assumed. With ACLs it can be used to
12059 restrict access to certain systems through a proxy, for example when combined
12060 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012061
Willy Tarreau74ca5042013-06-11 23:12:07 +020012062urlp(<name>[,<delim>]) : string
12063url_param(<name>[,<delim>]) : string
12064 This extracts the first occurrence of the parameter <name> in the query
12065 string, which begins after either '?' or <delim>, and which ends before '&',
12066 ';' or <delim>. The parameter name is case-sensitive. The result is a string
12067 corresponding to the value of the parameter <name> as presented in the
12068 request (no URL decoding is performed). This can be used for session
12069 stickiness based on a client ID, to extract an application cookie passed as a
12070 URL parameter, or in ACLs to apply some checks. Note that the ACL version of
12071 this fetch do not iterate over multiple parameters and stop at the first one
12072 as well.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012073
Willy Tarreau74ca5042013-06-11 23:12:07 +020012074 ACL derivatives :
12075 urlp(<name>[,<delim>]) : exact string match
12076 urlp_beg(<name>[,<delim>]) : prefix match
12077 urlp_dir(<name>[,<delim>]) : subdir match
12078 urlp_dom(<name>[,<delim>]) : domain match
12079 urlp_end(<name>[,<delim>]) : suffix match
12080 urlp_len(<name>[,<delim>]) : length match
12081 urlp_reg(<name>[,<delim>]) : regex match
12082 urlp_sub(<name>[,<delim>]) : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012083
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012084
Willy Tarreau74ca5042013-06-11 23:12:07 +020012085 Example :
12086 # match http://example.com/foo?PHPSESSIONID=some_id
12087 stick on urlp(PHPSESSIONID)
12088 # match http://example.com/foo;JSESSIONID=some_id
12089 stick on urlp(JSESSIONID,;)
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012090
Willy Tarreau74ca5042013-06-11 23:12:07 +020012091urlp_val(<name>[,<delim>]) : integer
12092 See "urlp" above. This one extracts the URL parameter <name> in the request
12093 and converts it to an integer value. This can be used for session stickiness
12094 based on a user ID for example, or with ACLs to match a page number or price.
Willy Tarreaua9fddca2012-07-31 07:51:48 +020012095
Willy Tarreau198a7442008-01-17 12:05:32 +010012096
Willy Tarreau74ca5042013-06-11 23:12:07 +0200120977.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012098---------------------
Willy Tarreauced27012008-01-17 20:35:34 +010012099
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012100Some predefined ACLs are hard-coded so that they do not have to be declared in
12101every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +020012102order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +010012103
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012104ACL name Equivalent to Usage
12105---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012106FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +020012107HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012108HTTP_1.0 req_ver 1.0 match HTTP version 1.0
12109HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +010012110HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
12111HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
12112HTTP_URL_SLASH url_beg / match URL beginning with "/"
12113HTTP_URL_STAR url * match URL equal to "*"
12114LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012115METH_CONNECT method CONNECT match HTTP CONNECT method
12116METH_GET method GET HEAD match HTTP GET or HEAD method
12117METH_HEAD method HEAD match HTTP HEAD method
12118METH_OPTIONS method OPTIONS match HTTP OPTIONS method
12119METH_POST method POST match HTTP POST method
12120METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +020012121RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012122REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +010012123TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012124WAIT_END wait_end wait for end of content analysis
12125---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +010012126
Willy Tarreaub937b7e2010-01-12 15:27:54 +010012127
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200121288. Logging
12129----------
Willy Tarreau844e3c52008-01-11 16:28:18 +010012130
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012131One of HAProxy's strong points certainly lies is its precise logs. It probably
12132provides the finest level of information available for such a product, which is
12133very important for troubleshooting complex environments. Standard information
12134provided in logs include client ports, TCP/HTTP state timers, precise session
12135state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012136to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012137headers.
12138
12139In order to improve administrators reactivity, it offers a great transparency
12140about encountered problems, both internal and external, and it is possible to
12141send logs to different sources at the same time with different level filters :
12142
12143 - global process-level logs (system errors, start/stop, etc..)
12144 - per-instance system and internal errors (lack of resource, bugs, ...)
12145 - per-instance external troubles (servers up/down, max connections)
12146 - per-instance activity (client connections), either at the establishment or
12147 at the termination.
12148
12149The ability to distribute different levels of logs to different log servers
12150allow several production teams to interact and to fix their problems as soon
12151as possible. For example, the system team might monitor system-wide errors,
12152while the application team might be monitoring the up/down for their servers in
12153real time, and the security team might analyze the activity logs with one hour
12154delay.
12155
12156
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200121578.1. Log levels
12158---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012159
Simon Hormandf791f52011-05-29 15:01:10 +090012160TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012161source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +090012162HTTP request, HTTP return code, number of bytes transmitted, conditions
12163in which the session ended, and even exchanged cookies values. For example
12164track a particular user's problems. All messages may be sent to up to two
12165syslog servers. Check the "log" keyword in section 4.2 for more information
12166about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012167
12168
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200121698.2. Log formats
12170----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012171
William Lallemand48940402012-01-30 16:47:22 +010012172HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +090012173and will be detailed in the following sections. A few of them may vary
12174slightly with the configuration, due to indicators specific to certain
12175options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012176
12177 - the default format, which is very basic and very rarely used. It only
12178 provides very basic information about the incoming connection at the moment
12179 it is accepted : source IP:port, destination IP:port, and frontend-name.
12180 This mode will eventually disappear so it will not be described to great
12181 extents.
12182
12183 - the TCP format, which is more advanced. This format is enabled when "option
12184 tcplog" is set on the frontend. HAProxy will then usually wait for the
12185 connection to terminate before logging. This format provides much richer
12186 information, such as timers, connection counts, queue size, etc... This
12187 format is recommended for pure TCP proxies.
12188
12189 - the HTTP format, which is the most advanced for HTTP proxying. This format
12190 is enabled when "option httplog" is set on the frontend. It provides the
12191 same information as the TCP format with some HTTP-specific fields such as
12192 the request, the status code, and captures of headers and cookies. This
12193 format is recommended for HTTP proxies.
12194
Emeric Brun3a058f32009-06-30 18:26:00 +020012195 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
12196 fields arranged in the same order as the CLF format. In this mode, all
12197 timers, captures, flags, etc... appear one per field after the end of the
12198 common fields, in the same order they appear in the standard HTTP format.
12199
William Lallemand48940402012-01-30 16:47:22 +010012200 - the custom log format, allows you to make your own log line.
12201
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012202Next sections will go deeper into details for each of these formats. Format
12203specification will be performed on a "field" basis. Unless stated otherwise, a
12204field is a portion of text delimited by any number of spaces. Since syslog
12205servers are susceptible of inserting fields at the beginning of a line, it is
12206always assumed that the first field is the one containing the process name and
12207identifier.
12208
12209Note : Since log lines may be quite long, the log examples in sections below
12210 might be broken into multiple lines. The example log lines will be
12211 prefixed with 3 closing angle brackets ('>>>') and each time a log is
12212 broken into multiple lines, each non-final line will end with a
12213 backslash ('\') and the next line will start indented by two characters.
12214
12215
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200122168.2.1. Default log format
12217-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012218
12219This format is used when no specific option is set. The log is emitted as soon
12220as the connection is accepted. One should note that this currently is the only
12221format which logs the request's destination IP and ports.
12222
12223 Example :
12224 listen www
12225 mode http
12226 log global
12227 server srv1 127.0.0.1:8000
12228
12229 >>> Feb 6 12:12:09 localhost \
12230 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
12231 (www/HTTP)
12232
12233 Field Format Extract from the example above
12234 1 process_name '[' pid ']:' haproxy[14385]:
12235 2 'Connect from' Connect from
12236 3 source_ip ':' source_port 10.0.1.2:33312
12237 4 'to' to
12238 5 destination_ip ':' destination_port 10.0.3.31:8012
12239 6 '(' frontend_name '/' mode ')' (www/HTTP)
12240
12241Detailed fields description :
12242 - "source_ip" is the IP address of the client which initiated the connection.
12243 - "source_port" is the TCP port of the client which initiated the connection.
12244 - "destination_ip" is the IP address the client connected to.
12245 - "destination_port" is the TCP port the client connected to.
12246 - "frontend_name" is the name of the frontend (or listener) which received
12247 and processed the connection.
12248 - "mode is the mode the frontend is operating (TCP or HTTP).
12249
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012250In case of a UNIX socket, the source and destination addresses are marked as
12251"unix:" and the ports reflect the internal ID of the socket which accepted the
12252connection (the same ID as reported in the stats).
12253
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012254It is advised not to use this deprecated format for newer installations as it
12255will eventually disappear.
12256
12257
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200122588.2.2. TCP log format
12259---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012260
12261The TCP format is used when "option tcplog" is specified in the frontend, and
12262is the recommended format for pure TCP proxies. It provides a lot of precious
12263information for troubleshooting. Since this format includes timers and byte
12264counts, the log is normally emitted at the end of the session. It can be
12265emitted earlier if "option logasap" is specified, which makes sense in most
12266environments with long sessions such as remote terminals. Sessions which match
12267the "monitor" rules are never logged. It is also possible not to emit logs for
12268sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012269specifying "option dontlognull" in the frontend. Successful connections will
12270not be logged if "option dontlog-normal" is specified in the frontend. A few
12271fields may slightly vary depending on some configuration options, those are
12272marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012273
12274 Example :
12275 frontend fnt
12276 mode tcp
12277 option tcplog
12278 log global
12279 default_backend bck
12280
12281 backend bck
12282 server srv1 127.0.0.1:8000
12283
12284 >>> Feb 6 12:12:56 localhost \
12285 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
12286 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
12287
12288 Field Format Extract from the example above
12289 1 process_name '[' pid ']:' haproxy[14387]:
12290 2 client_ip ':' client_port 10.0.1.2:33313
12291 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
12292 4 frontend_name fnt
12293 5 backend_name '/' server_name bck/srv1
12294 6 Tw '/' Tc '/' Tt* 0/0/5007
12295 7 bytes_read* 212
12296 8 termination_state --
12297 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
12298 10 srv_queue '/' backend_queue 0/0
12299
12300Detailed fields description :
12301 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012302 connection to haproxy. If the connection was accepted on a UNIX socket
12303 instead, the IP address would be replaced with the word "unix". Note that
12304 when the connection is accepted on a socket configured with "accept-proxy"
12305 and the PROXY protocol is correctly used, then the logs will reflect the
12306 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012307
12308 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012309 If the connection was accepted on a UNIX socket instead, the port would be
12310 replaced with the ID of the accepting socket, which is also reported in the
12311 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012312
12313 - "accept_date" is the exact date when the connection was received by haproxy
12314 (which might be very slightly different from the date observed on the
12315 network if there was some queuing in the system's backlog). This is usually
12316 the same date which may appear in any upstream firewall's log.
12317
12318 - "frontend_name" is the name of the frontend (or listener) which received
12319 and processed the connection.
12320
12321 - "backend_name" is the name of the backend (or listener) which was selected
12322 to manage the connection to the server. This will be the same as the
12323 frontend if no switching rule has been applied, which is common for TCP
12324 applications.
12325
12326 - "server_name" is the name of the last server to which the connection was
12327 sent, which might differ from the first one if there were connection errors
12328 and a redispatch occurred. Note that this server belongs to the backend
12329 which processed the request. If the connection was aborted before reaching
12330 a server, "<NOSRV>" is indicated instead of a server name.
12331
12332 - "Tw" is the total time in milliseconds spent waiting in the various queues.
12333 It can be "-1" if the connection was aborted before reaching the queue.
12334 See "Timers" below for more details.
12335
12336 - "Tc" is the total time in milliseconds spent waiting for the connection to
12337 establish to the final server, including retries. It can be "-1" if the
12338 connection was aborted before a connection could be established. See
12339 "Timers" below for more details.
12340
12341 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012342 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012343 "option logasap" was specified, then the time counting stops at the moment
12344 the log is emitted. In this case, a '+' sign is prepended before the value,
12345 indicating that the final one will be larger. See "Timers" below for more
12346 details.
12347
12348 - "bytes_read" is the total number of bytes transmitted from the server to
12349 the client when the log is emitted. If "option logasap" is specified, the
12350 this value will be prefixed with a '+' sign indicating that the final one
12351 may be larger. Please note that this value is a 64-bit counter, so log
12352 analysis tools must be able to handle it without overflowing.
12353
12354 - "termination_state" is the condition the session was in when the session
12355 ended. This indicates the session state, which side caused the end of
12356 session to happen, and for what reason (timeout, error, ...). The normal
12357 flags should be "--", indicating the session was closed by either end with
12358 no data remaining in buffers. See below "Session state at disconnection"
12359 for more details.
12360
12361 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012362 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012363 limits have been reached. For instance, if actconn is close to 512 when
12364 multiple connection errors occur, chances are high that the system limits
12365 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012366 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012367
12368 - "feconn" is the total number of concurrent connections on the frontend when
12369 the session was logged. It is useful to estimate the amount of resource
12370 required to sustain high loads, and to detect when the frontend's "maxconn"
12371 has been reached. Most often when this value increases by huge jumps, it is
12372 because there is congestion on the backend servers, but sometimes it can be
12373 caused by a denial of service attack.
12374
12375 - "beconn" is the total number of concurrent connections handled by the
12376 backend when the session was logged. It includes the total number of
12377 concurrent connections active on servers as well as the number of
12378 connections pending in queues. It is useful to estimate the amount of
12379 additional servers needed to support high loads for a given application.
12380 Most often when this value increases by huge jumps, it is because there is
12381 congestion on the backend servers, but sometimes it can be caused by a
12382 denial of service attack.
12383
12384 - "srv_conn" is the total number of concurrent connections still active on
12385 the server when the session was logged. It can never exceed the server's
12386 configured "maxconn" parameter. If this value is very often close or equal
12387 to the server's "maxconn", it means that traffic regulation is involved a
12388 lot, meaning that either the server's maxconn value is too low, or that
12389 there aren't enough servers to process the load with an optimal response
12390 time. When only one of the server's "srv_conn" is high, it usually means
12391 that this server has some trouble causing the connections to take longer to
12392 be processed than on other servers.
12393
12394 - "retries" is the number of connection retries experienced by this session
12395 when trying to connect to the server. It must normally be zero, unless a
12396 server is being stopped at the same moment the connection was attempted.
12397 Frequent retries generally indicate either a network problem between
12398 haproxy and the server, or a misconfigured system backlog on the server
12399 preventing new connections from being queued. This field may optionally be
12400 prefixed with a '+' sign, indicating that the session has experienced a
12401 redispatch after the maximal retry count has been reached on the initial
12402 server. In this case, the server name appearing in the log is the one the
12403 connection was redispatched to, and not the first one, though both may
12404 sometimes be the same in case of hashing for instance. So as a general rule
12405 of thumb, when a '+' is present in front of the retry count, this count
12406 should not be attributed to the logged server.
12407
12408 - "srv_queue" is the total number of requests which were processed before
12409 this one in the server queue. It is zero when the request has not gone
12410 through the server queue. It makes it possible to estimate the approximate
12411 server's response time by dividing the time spent in queue by the number of
12412 requests in the queue. It is worth noting that if a session experiences a
12413 redispatch and passes through two server queues, their positions will be
12414 cumulated. A request should not pass through both the server queue and the
12415 backend queue unless a redispatch occurs.
12416
12417 - "backend_queue" is the total number of requests which were processed before
12418 this one in the backend's global queue. It is zero when the request has not
12419 gone through the global queue. It makes it possible to estimate the average
12420 queue length, which easily translates into a number of missing servers when
12421 divided by a server's "maxconn" parameter. It is worth noting that if a
12422 session experiences a redispatch, it may pass twice in the backend's queue,
12423 and then both positions will be cumulated. A request should not pass
12424 through both the server queue and the backend queue unless a redispatch
12425 occurs.
12426
12427
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200124288.2.3. HTTP log format
12429----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012430
12431The HTTP format is the most complete and the best suited for HTTP proxies. It
12432is enabled by when "option httplog" is specified in the frontend. It provides
12433the same level of information as the TCP format with additional features which
12434are specific to the HTTP protocol. Just like the TCP format, the log is usually
12435emitted at the end of the session, unless "option logasap" is specified, which
12436generally only makes sense for download sites. A session which matches the
12437"monitor" rules will never logged. It is also possible not to log sessions for
12438which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012439frontend. Successful connections will not be logged if "option dontlog-normal"
12440is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012441
12442Most fields are shared with the TCP log, some being different. A few fields may
12443slightly vary depending on some configuration options. Those ones are marked
12444with a star ('*') after the field name below.
12445
12446 Example :
12447 frontend http-in
12448 mode http
12449 option httplog
12450 log global
12451 default_backend bck
12452
12453 backend static
12454 server srv1 127.0.0.1:8000
12455
12456 >>> Feb 6 12:14:14 localhost \
12457 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
12458 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010012459 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012460
12461 Field Format Extract from the example above
12462 1 process_name '[' pid ']:' haproxy[14389]:
12463 2 client_ip ':' client_port 10.0.1.2:33317
12464 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
12465 4 frontend_name http-in
12466 5 backend_name '/' server_name static/srv1
12467 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
12468 7 status_code 200
12469 8 bytes_read* 2750
12470 9 captured_request_cookie -
12471 10 captured_response_cookie -
12472 11 termination_state ----
12473 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
12474 13 srv_queue '/' backend_queue 0/0
12475 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
12476 15 '{' captured_response_headers* '}' {}
12477 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +010012478
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012479
12480Detailed fields description :
12481 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012482 connection to haproxy. If the connection was accepted on a UNIX socket
12483 instead, the IP address would be replaced with the word "unix". Note that
12484 when the connection is accepted on a socket configured with "accept-proxy"
12485 and the PROXY protocol is correctly used, then the logs will reflect the
12486 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012487
12488 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012489 If the connection was accepted on a UNIX socket instead, the port would be
12490 replaced with the ID of the accepting socket, which is also reported in the
12491 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012492
12493 - "accept_date" is the exact date when the TCP connection was received by
12494 haproxy (which might be very slightly different from the date observed on
12495 the network if there was some queuing in the system's backlog). This is
12496 usually the same date which may appear in any upstream firewall's log. This
12497 does not depend on the fact that the client has sent the request or not.
12498
12499 - "frontend_name" is the name of the frontend (or listener) which received
12500 and processed the connection.
12501
12502 - "backend_name" is the name of the backend (or listener) which was selected
12503 to manage the connection to the server. This will be the same as the
12504 frontend if no switching rule has been applied.
12505
12506 - "server_name" is the name of the last server to which the connection was
12507 sent, which might differ from the first one if there were connection errors
12508 and a redispatch occurred. Note that this server belongs to the backend
12509 which processed the request. If the request was aborted before reaching a
12510 server, "<NOSRV>" is indicated instead of a server name. If the request was
12511 intercepted by the stats subsystem, "<STATS>" is indicated instead.
12512
12513 - "Tq" is the total time in milliseconds spent waiting for the client to send
12514 a full HTTP request, not counting data. It can be "-1" if the connection
12515 was aborted before a complete request could be received. It should always
12516 be very small because a request generally fits in one single packet. Large
12517 times here generally indicate network trouble between the client and
12518 haproxy. See "Timers" below for more details.
12519
12520 - "Tw" is the total time in milliseconds spent waiting in the various queues.
12521 It can be "-1" if the connection was aborted before reaching the queue.
12522 See "Timers" below for more details.
12523
12524 - "Tc" is the total time in milliseconds spent waiting for the connection to
12525 establish to the final server, including retries. It can be "-1" if the
12526 request was aborted before a connection could be established. See "Timers"
12527 below for more details.
12528
12529 - "Tr" is the total time in milliseconds spent waiting for the server to send
12530 a full HTTP response, not counting data. It can be "-1" if the request was
12531 aborted before a complete response could be received. It generally matches
12532 the server's processing time for the request, though it may be altered by
12533 the amount of data sent by the client to the server. Large times here on
12534 "GET" requests generally indicate an overloaded server. See "Timers" below
12535 for more details.
12536
12537 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012538 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012539 "option logasap" was specified, then the time counting stops at the moment
12540 the log is emitted. In this case, a '+' sign is prepended before the value,
12541 indicating that the final one will be larger. See "Timers" below for more
12542 details.
12543
12544 - "status_code" is the HTTP status code returned to the client. This status
12545 is generally set by the server, but it might also be set by haproxy when
12546 the server cannot be reached or when its response is blocked by haproxy.
12547
12548 - "bytes_read" is the total number of bytes transmitted to the client when
12549 the log is emitted. This does include HTTP headers. If "option logasap" is
12550 specified, the this value will be prefixed with a '+' sign indicating that
12551 the final one may be larger. Please note that this value is a 64-bit
12552 counter, so log analysis tools must be able to handle it without
12553 overflowing.
12554
12555 - "captured_request_cookie" is an optional "name=value" entry indicating that
12556 the client had this cookie in the request. The cookie name and its maximum
12557 length are defined by the "capture cookie" statement in the frontend
12558 configuration. The field is a single dash ('-') when the option is not
12559 set. Only one cookie may be captured, it is generally used to track session
12560 ID exchanges between a client and a server to detect session crossing
12561 between clients due to application bugs. For more details, please consult
12562 the section "Capturing HTTP headers and cookies" below.
12563
12564 - "captured_response_cookie" is an optional "name=value" entry indicating
12565 that the server has returned a cookie with its response. The cookie name
12566 and its maximum length are defined by the "capture cookie" statement in the
12567 frontend configuration. The field is a single dash ('-') when the option is
12568 not set. Only one cookie may be captured, it is generally used to track
12569 session ID exchanges between a client and a server to detect session
12570 crossing between clients due to application bugs. For more details, please
12571 consult the section "Capturing HTTP headers and cookies" below.
12572
12573 - "termination_state" is the condition the session was in when the session
12574 ended. This indicates the session state, which side caused the end of
12575 session to happen, for what reason (timeout, error, ...), just like in TCP
12576 logs, and information about persistence operations on cookies in the last
12577 two characters. The normal flags should begin with "--", indicating the
12578 session was closed by either end with no data remaining in buffers. See
12579 below "Session state at disconnection" for more details.
12580
12581 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012582 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012583 limits have been reached. For instance, if actconn is close to 512 or 1024
12584 when multiple connection errors occur, chances are high that the system
12585 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012586 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012587 system.
12588
12589 - "feconn" is the total number of concurrent connections on the frontend when
12590 the session was logged. It is useful to estimate the amount of resource
12591 required to sustain high loads, and to detect when the frontend's "maxconn"
12592 has been reached. Most often when this value increases by huge jumps, it is
12593 because there is congestion on the backend servers, but sometimes it can be
12594 caused by a denial of service attack.
12595
12596 - "beconn" is the total number of concurrent connections handled by the
12597 backend when the session was logged. It includes the total number of
12598 concurrent connections active on servers as well as the number of
12599 connections pending in queues. It is useful to estimate the amount of
12600 additional servers needed to support high loads for a given application.
12601 Most often when this value increases by huge jumps, it is because there is
12602 congestion on the backend servers, but sometimes it can be caused by a
12603 denial of service attack.
12604
12605 - "srv_conn" is the total number of concurrent connections still active on
12606 the server when the session was logged. It can never exceed the server's
12607 configured "maxconn" parameter. If this value is very often close or equal
12608 to the server's "maxconn", it means that traffic regulation is involved a
12609 lot, meaning that either the server's maxconn value is too low, or that
12610 there aren't enough servers to process the load with an optimal response
12611 time. When only one of the server's "srv_conn" is high, it usually means
12612 that this server has some trouble causing the requests to take longer to be
12613 processed than on other servers.
12614
12615 - "retries" is the number of connection retries experienced by this session
12616 when trying to connect to the server. It must normally be zero, unless a
12617 server is being stopped at the same moment the connection was attempted.
12618 Frequent retries generally indicate either a network problem between
12619 haproxy and the server, or a misconfigured system backlog on the server
12620 preventing new connections from being queued. This field may optionally be
12621 prefixed with a '+' sign, indicating that the session has experienced a
12622 redispatch after the maximal retry count has been reached on the initial
12623 server. In this case, the server name appearing in the log is the one the
12624 connection was redispatched to, and not the first one, though both may
12625 sometimes be the same in case of hashing for instance. So as a general rule
12626 of thumb, when a '+' is present in front of the retry count, this count
12627 should not be attributed to the logged server.
12628
12629 - "srv_queue" is the total number of requests which were processed before
12630 this one in the server queue. It is zero when the request has not gone
12631 through the server queue. It makes it possible to estimate the approximate
12632 server's response time by dividing the time spent in queue by the number of
12633 requests in the queue. It is worth noting that if a session experiences a
12634 redispatch and passes through two server queues, their positions will be
12635 cumulated. A request should not pass through both the server queue and the
12636 backend queue unless a redispatch occurs.
12637
12638 - "backend_queue" is the total number of requests which were processed before
12639 this one in the backend's global queue. It is zero when the request has not
12640 gone through the global queue. It makes it possible to estimate the average
12641 queue length, which easily translates into a number of missing servers when
12642 divided by a server's "maxconn" parameter. It is worth noting that if a
12643 session experiences a redispatch, it may pass twice in the backend's queue,
12644 and then both positions will be cumulated. A request should not pass
12645 through both the server queue and the backend queue unless a redispatch
12646 occurs.
12647
12648 - "captured_request_headers" is a list of headers captured in the request due
12649 to the presence of the "capture request header" statement in the frontend.
12650 Multiple headers can be captured, they will be delimited by a vertical bar
12651 ('|'). When no capture is enabled, the braces do not appear, causing a
12652 shift of remaining fields. It is important to note that this field may
12653 contain spaces, and that using it requires a smarter log parser than when
12654 it's not used. Please consult the section "Capturing HTTP headers and
12655 cookies" below for more details.
12656
12657 - "captured_response_headers" is a list of headers captured in the response
12658 due to the presence of the "capture response header" statement in the
12659 frontend. Multiple headers can be captured, they will be delimited by a
12660 vertical bar ('|'). When no capture is enabled, the braces do not appear,
12661 causing a shift of remaining fields. It is important to note that this
12662 field may contain spaces, and that using it requires a smarter log parser
12663 than when it's not used. Please consult the section "Capturing HTTP headers
12664 and cookies" below for more details.
12665
12666 - "http_request" is the complete HTTP request line, including the method,
12667 request and HTTP version string. Non-printable characters are encoded (see
12668 below the section "Non-printable characters"). This is always the last
12669 field, and it is always delimited by quotes and is the only one which can
12670 contain quotes. If new fields are added to the log format, they will be
12671 added before this field. This field might be truncated if the request is
12672 huge and does not fit in the standard syslog buffer (1024 characters). This
12673 is the reason why this field must always remain the last one.
12674
12675
Cyril Bontédc4d9032012-04-08 21:57:39 +0200126768.2.4. Custom log format
12677------------------------
William Lallemand48940402012-01-30 16:47:22 +010012678
Willy Tarreau2beef582012-12-20 17:22:52 +010012679The directive log-format allows you to customize the logs in http mode and tcp
William Lallemandbddd4fd2012-02-27 11:23:10 +010012680mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +010012681
12682HAproxy understands some log format variables. % precedes log format variables.
12683Variables can take arguments using braces ('{}'), and multiple arguments are
12684separated by commas within the braces. Flags may be added or removed by
12685prefixing them with a '+' or '-' sign.
12686
12687Special variable "%o" may be used to propagate its flags to all other
12688variables on the same format string. This is particularly handy with quoted
12689string formats ("Q").
12690
Willy Tarreauc8368452012-12-21 00:09:23 +010012691If a variable is named between square brackets ('[' .. ']') then it is used
Willy Tarreaube722a22014-06-13 16:31:59 +020012692as a sample expression rule (see section 7.3). This it useful to add some
Willy Tarreauc8368452012-12-21 00:09:23 +010012693less common information such as the client's SSL certificate's DN, or to log
12694the key that would be used to store an entry into a stick table.
12695
William Lallemand48940402012-01-30 16:47:22 +010012696Note: spaces must be escaped. A space character is considered as a separator.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012697In order to emit a verbatim '%', it must be preceded by another '%' resulting
Willy Tarreau06d97f92013-12-02 17:45:48 +010012698in '%%'. HAProxy will automatically merge consecutive separators.
William Lallemand48940402012-01-30 16:47:22 +010012699
12700Flags are :
12701 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012702 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
William Lallemand48940402012-01-30 16:47:22 +010012703
12704 Example:
12705
12706 log-format %T\ %t\ Some\ Text
12707 log-format %{+Q}o\ %t\ %s\ %{-Q}r
12708
12709At the moment, the default HTTP format is defined this way :
12710
Willy Tarreau2beef582012-12-20 17:22:52 +010012711 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ \
12712 %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
William Lallemand48940402012-01-30 16:47:22 +010012713
William Lallemandbddd4fd2012-02-27 11:23:10 +010012714the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +010012715
Willy Tarreau2beef582012-12-20 17:22:52 +010012716 log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ \
Willy Tarreau773d65f2012-10-12 14:56:11 +020012717 %ms\ %ft\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \
Willy Tarreau2beef582012-12-20 17:22:52 +010012718 %bc\ %sc\ %rc\ %sq\ %bq\ %CC\ %CS\ \%hrl\ %hsl
William Lallemand48940402012-01-30 16:47:22 +010012719
William Lallemandbddd4fd2012-02-27 11:23:10 +010012720and the default TCP format is defined this way :
12721
Willy Tarreau2beef582012-12-20 17:22:52 +010012722 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ \
William Lallemandbddd4fd2012-02-27 11:23:10 +010012723 %ac/%fc/%bc/%sc/%rc\ %sq/%bq
12724
William Lallemand48940402012-01-30 16:47:22 +010012725Please refer to the table below for currently defined variables :
12726
William Lallemandbddd4fd2012-02-27 11:23:10 +010012727 +---+------+-----------------------------------------------+-------------+
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012728 | R | var | field name (8.2.2 and 8.2.3 for description) | type |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012729 +---+------+-----------------------------------------------+-------------+
12730 | | %o | special variable, apply flags on all next var | |
12731 +---+------+-----------------------------------------------+-------------+
Willy Tarreau2beef582012-12-20 17:22:52 +010012732 | | %B | bytes_read (from server to client) | numeric |
12733 | H | %CC | captured_request_cookie | string |
12734 | H | %CS | captured_response_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +020012735 | | %H | hostname | string |
William Lallemanda73203e2012-03-12 12:48:57 +010012736 | | %ID | unique-id | string |
Willy Tarreau4bf99632014-06-13 12:21:40 +020012737 | | %ST | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020012738 | | %T | gmt_date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012739 | | %Tc | Tc | numeric |
Yuxans Yao4e25b012012-10-19 10:36:09 +080012740 | | %Tl | local_date_time | date |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012741 | H | %Tq | Tq | numeric |
12742 | H | %Tr | Tr | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020012743 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012744 | | %Tt | Tt | numeric |
12745 | | %Tw | Tw | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010012746 | | %U | bytes_uploaded (from client to server) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012747 | | %ac | actconn | numeric |
12748 | | %b | backend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012749 | | %bc | beconn (backend concurrent connections) | numeric |
12750 | | %bi | backend_source_ip (connecting address) | IP |
12751 | | %bp | backend_source_port (connecting address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012752 | | %bq | backend_queue | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010012753 | | %ci | client_ip (accepted address) | IP |
12754 | | %cp | client_port (accepted address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012755 | | %f | frontend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012756 | | %fc | feconn (frontend concurrent connections) | numeric |
12757 | | %fi | frontend_ip (accepting address) | IP |
12758 | | %fp | frontend_port (accepting address) | numeric |
Willy Tarreau773d65f2012-10-12 14:56:11 +020012759 | | %ft | frontend_name_transport ('~' suffix for SSL) | string |
Willy Tarreau7346acb2014-08-28 15:03:15 +020012760 | | %lc | frontend_log_counter | numeric |
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020012761 | | %hr | captured_request_headers default style | string |
12762 | | %hrl | captured_request_headers CLF style | string list |
12763 | | %hs | captured_response_headers default style | string |
12764 | | %hsl | captured_response_headers CLF style | string list |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012765 | | %ms | accept date milliseconds | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020012766 | | %pid | PID | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012767 | H | %r | http_request | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012768 | | %rc | retries | numeric |
Willy Tarreau1f0da242014-01-25 11:01:50 +010012769 | | %rt | request_counter (HTTP req or TCP session) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012770 | | %s | server_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012771 | | %sc | srv_conn (server concurrent connections) | numeric |
12772 | | %si | server_IP (target address) | IP |
12773 | | %sp | server_port (target address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012774 | | %sq | srv_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012775 | S | %sslc| ssl_ciphers (ex: AES-SHA) | string |
12776 | S | %sslv| ssl_version (ex: TLSv1) | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012777 | | %t | date_time (with millisecond resolution) | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012778 | | %ts | termination_state | string |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012779 | H | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012780 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +010012781
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012782 R = Restrictions : H = mode http only ; S = SSL only
William Lallemand48940402012-01-30 16:47:22 +010012783
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010012784
127858.2.5. Error log format
12786-----------------------
12787
12788When an incoming connection fails due to an SSL handshake or an invalid PROXY
12789protocol header, haproxy will log the event using a shorter, fixed line format.
12790By default, logs are emitted at the LOG_INFO level, unless the option
12791"log-separate-errors" is set in the backend, in which case the LOG_ERR level
12792will be used. Connections on which no data are exchanged (eg: probes) are not
12793logged if the "dontlognull" option is set.
12794
12795The format looks like this :
12796
12797 >>> Dec 3 18:27:14 localhost \
12798 haproxy[6103]: 127.0.0.1:56059 [03/Dec/2012:17:35:10.380] frt/f1: \
12799 Connection error during SSL handshake
12800
12801 Field Format Extract from the example above
12802 1 process_name '[' pid ']:' haproxy[6103]:
12803 2 client_ip ':' client_port 127.0.0.1:56059
12804 3 '[' accept_date ']' [03/Dec/2012:17:35:10.380]
12805 4 frontend_name "/" bind_name ":" frt/f1:
12806 5 message Connection error during SSL handshake
12807
12808These fields just provide minimal information to help debugging connection
12809failures.
12810
12811
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128128.3. Advanced logging options
12813-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012814
12815Some advanced logging options are often looked for but are not easy to find out
12816just by looking at the various options. Here is an entry point for the few
12817options which can enable better logging. Please refer to the keywords reference
12818for more information about their usage.
12819
12820
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128218.3.1. Disabling logging of external tests
12822------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012823
12824It is quite common to have some monitoring tools perform health checks on
12825haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
12826commercial load-balancer, and sometimes it will simply be a more complete
12827monitoring system such as Nagios. When the tests are very frequent, users often
12828ask how to disable logging for those checks. There are three possibilities :
12829
12830 - if connections come from everywhere and are just TCP probes, it is often
12831 desired to simply disable logging of connections without data exchange, by
12832 setting "option dontlognull" in the frontend. It also disables logging of
12833 port scans, which may or may not be desired.
12834
12835 - if the connection come from a known source network, use "monitor-net" to
12836 declare this network as monitoring only. Any host in this network will then
12837 only be able to perform health checks, and their requests will not be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012838 logged. This is generally appropriate to designate a list of equipment
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012839 such as other load-balancers.
12840
12841 - if the tests are performed on a known URI, use "monitor-uri" to declare
12842 this URI as dedicated to monitoring. Any host sending this request will
12843 only get the result of a health-check, and the request will not be logged.
12844
12845
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128468.3.2. Logging before waiting for the session to terminate
12847----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012848
12849The problem with logging at end of connection is that you have no clue about
12850what is happening during very long sessions, such as remote terminal sessions
12851or large file downloads. This problem can be worked around by specifying
12852"option logasap" in the frontend. Haproxy will then log as soon as possible,
12853just before data transfer begins. This means that in case of TCP, it will still
12854log the connection status to the server, and in case of HTTP, it will log just
12855after processing the server headers. In this case, the number of bytes reported
12856is the number of header bytes sent to the client. In order to avoid confusion
12857with normal logs, the total time field and the number of bytes are prefixed
12858with a '+' sign which means that real numbers are certainly larger.
12859
12860
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128618.3.3. Raising log level upon errors
12862------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012863
12864Sometimes it is more convenient to separate normal traffic from errors logs,
12865for instance in order to ease error monitoring from log files. When the option
12866"log-separate-errors" is used, connections which experience errors, timeouts,
12867retries, redispatches or HTTP status codes 5xx will see their syslog level
12868raised from "info" to "err". This will help a syslog daemon store the log in
12869a separate file. It is very important to keep the errors in the normal traffic
12870file too, so that log ordering is not altered. You should also be careful if
12871you already have configured your syslog daemon to store all logs higher than
12872"notice" in an "admin" file, because the "err" level is higher than "notice".
12873
12874
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128758.3.4. Disabling logging of successful connections
12876--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012877
12878Although this may sound strange at first, some large sites have to deal with
12879multiple thousands of logs per second and are experiencing difficulties keeping
12880them intact for a long time or detecting errors within them. If the option
12881"dontlog-normal" is set on the frontend, all normal connections will not be
12882logged. In this regard, a normal connection is defined as one without any
12883error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
12884and a response with a status 5xx is not considered normal and will be logged
12885too. Of course, doing is is really discouraged as it will remove most of the
12886useful information from the logs. Do this only if you have no other
12887alternative.
12888
12889
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128908.4. Timing events
12891------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012892
12893Timers provide a great help in troubleshooting network problems. All values are
12894reported in milliseconds (ms). These timers should be used in conjunction with
12895the session termination flags. In TCP mode with "option tcplog" set on the
12896frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
12897mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
12898
12899 - Tq: total time to get the client request (HTTP mode only). It's the time
12900 elapsed between the moment the client connection was accepted and the
12901 moment the proxy received the last HTTP header. The value "-1" indicates
12902 that the end of headers (empty line) has never been seen. This happens when
12903 the client closes prematurely or times out.
12904
12905 - Tw: total time spent in the queues waiting for a connection slot. It
12906 accounts for backend queue as well as the server queues, and depends on the
12907 queue size, and the time needed for the server to complete previous
12908 requests. The value "-1" means that the request was killed before reaching
12909 the queue, which is generally what happens with invalid or denied requests.
12910
12911 - Tc: total time to establish the TCP connection to the server. It's the time
12912 elapsed between the moment the proxy sent the connection request, and the
12913 moment it was acknowledged by the server, or between the TCP SYN packet and
12914 the matching SYN/ACK packet in return. The value "-1" means that the
12915 connection never established.
12916
12917 - Tr: server response time (HTTP mode only). It's the time elapsed between
12918 the moment the TCP connection was established to the server and the moment
12919 the server sent its complete response headers. It purely shows its request
12920 processing time, without the network overhead due to the data transmission.
12921 It is worth noting that when the client has data to send to the server, for
12922 instance during a POST request, the time already runs, and this can distort
12923 apparent response time. For this reason, it's generally wise not to trust
12924 too much this field for POST requests initiated from clients behind an
12925 untrusted network. A value of "-1" here means that the last the response
12926 header (empty line) was never seen, most likely because the server timeout
12927 stroke before the server managed to process the request.
12928
12929 - Tt: total session duration time, between the moment the proxy accepted it
12930 and the moment both ends were closed. The exception is when the "logasap"
12931 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
12932 prefixed with a '+' sign. From this field, we can deduce "Td", the data
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012933 transmission time, by subtracting other timers when valid :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012934
12935 Td = Tt - (Tq + Tw + Tc + Tr)
12936
12937 Timers with "-1" values have to be excluded from this equation. In TCP
12938 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
12939 negative.
12940
12941These timers provide precious indications on trouble causes. Since the TCP
12942protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
12943that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012944due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012945close to a timeout value specified in the configuration, it often means that a
12946session has been aborted on timeout.
12947
12948Most common cases :
12949
12950 - If "Tq" is close to 3000, a packet has probably been lost between the
12951 client and the proxy. This is very rare on local networks but might happen
12952 when clients are on far remote networks and send large requests. It may
12953 happen that values larger than usual appear here without any network cause.
12954 Sometimes, during an attack or just after a resource starvation has ended,
12955 haproxy may accept thousands of connections in a few milliseconds. The time
12956 spent accepting these connections will inevitably slightly delay processing
12957 of other connections, and it can happen that request times in the order of
12958 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +020012959 connections have been accepted at once. Setting "option http-server-close"
12960 may display larger request times since "Tq" also measures the time spent
12961 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012962
12963 - If "Tc" is close to 3000, a packet has probably been lost between the
12964 server and the proxy during the server connection phase. This value should
12965 always be very low, such as 1 ms on local networks and less than a few tens
12966 of ms on remote networks.
12967
Willy Tarreau55165fe2009-05-10 12:02:55 +020012968 - If "Tr" is nearly always lower than 3000 except some rare values which seem
12969 to be the average majored by 3000, there are probably some packets lost
12970 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012971
12972 - If "Tt" is large even for small byte counts, it generally is because
12973 neither the client nor the server decides to close the connection, for
12974 instance because both have agreed on a keep-alive connection mode. In order
12975 to solve this issue, it will be needed to specify "option httpclose" on
12976 either the frontend or the backend. If the problem persists, it means that
12977 the server ignores the "close" connection mode and expects the client to
12978 close. Then it will be required to use "option forceclose". Having the
12979 smallest possible 'Tt' is important when connection regulation is used with
12980 the "maxconn" option on the servers, since no new connection will be sent
12981 to the server until another one is released.
12982
12983Other noticeable HTTP log cases ('xx' means any value to be ignored) :
12984
12985 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
12986 was emitted before the data phase. All the timers are valid
12987 except "Tt" which is shorter than reality.
12988
12989 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
12990 or it aborted too early. Check the session termination flags
12991 then "timeout http-request" and "timeout client" settings.
12992
12993 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
12994 servers were out of order, because the request was invalid
12995 or forbidden by ACL rules. Check the session termination
12996 flags.
12997
12998 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
12999 actively refused it or it timed out after Tt-(Tq+Tw) ms.
13000 Check the session termination flags, then check the
13001 "timeout connect" setting. Note that the tarpit action might
13002 return similar-looking patterns, with "Tw" equal to the time
13003 the client connection was maintained open.
13004
13005 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013006 a complete response in time, or it closed its connection
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013007 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
13008 termination flags, then check the "timeout server" setting.
13009
13010
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200130118.5. Session state at disconnection
13012-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013013
13014TCP and HTTP logs provide a session termination indicator in the
13015"termination_state" field, just before the number of active connections. It is
130162-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
13017each of which has a special meaning :
13018
13019 - On the first character, a code reporting the first event which caused the
13020 session to terminate :
13021
13022 C : the TCP session was unexpectedly aborted by the client.
13023
13024 S : the TCP session was unexpectedly aborted by the server, or the
13025 server explicitly refused it.
13026
13027 P : the session was prematurely aborted by the proxy, because of a
13028 connection limit enforcement, because a DENY filter was matched,
13029 because of a security check which detected and blocked a dangerous
13030 error in server response which might have caused information leak
Willy Tarreau570f2212013-06-10 16:42:09 +020013031 (eg: cacheable cookie).
13032
13033 L : the session was locally processed by haproxy and was not passed to
13034 a server. This is what happens for stats and redirects.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013035
13036 R : a resource on the proxy has been exhausted (memory, sockets, source
13037 ports, ...). Usually, this appears during the connection phase, and
13038 system logs should contain a copy of the precise error. If this
13039 happens, it must be considered as a very serious anomaly which
13040 should be fixed as soon as possible by any means.
13041
13042 I : an internal error was identified by the proxy during a self-check.
13043 This should NEVER happen, and you are encouraged to report any log
13044 containing this, because this would almost certainly be a bug. It
13045 would be wise to preventively restart the process after such an
13046 event too, in case it would be caused by memory corruption.
13047
Simon Horman752dc4a2011-06-21 14:34:59 +090013048 D : the session was killed by haproxy because the server was detected
13049 as down and was configured to kill all connections when going down.
13050
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070013051 U : the session was killed by haproxy on this backup server because an
13052 active server was detected as up and was configured to kill all
13053 backup connections when going up.
13054
Willy Tarreaua2a64e92011-09-07 23:01:56 +020013055 K : the session was actively killed by an admin operating on haproxy.
13056
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013057 c : the client-side timeout expired while waiting for the client to
13058 send or receive data.
13059
13060 s : the server-side timeout expired while waiting for the server to
13061 send or receive data.
13062
13063 - : normal session completion, both the client and the server closed
13064 with nothing left in the buffers.
13065
13066 - on the second character, the TCP or HTTP session state when it was closed :
13067
Willy Tarreauf7b30a92010-12-06 22:59:17 +010013068 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013069 (HTTP mode only). Nothing was sent to any server.
13070
13071 Q : the proxy was waiting in the QUEUE for a connection slot. This can
13072 only happen when servers have a 'maxconn' parameter set. It can
13073 also happen in the global queue after a redispatch consecutive to
13074 a failed attempt to connect to a dying server. If no redispatch is
13075 reported, then no connection attempt was made to any server.
13076
13077 C : the proxy was waiting for the CONNECTION to establish on the
13078 server. The server might at most have noticed a connection attempt.
13079
13080 H : the proxy was waiting for complete, valid response HEADERS from the
13081 server (HTTP only).
13082
13083 D : the session was in the DATA phase.
13084
13085 L : the proxy was still transmitting LAST data to the client while the
13086 server had already finished. This one is very rare as it can only
13087 happen when the client dies while receiving the last packets.
13088
13089 T : the request was tarpitted. It has been held open with the client
13090 during the whole "timeout tarpit" duration or until the client
13091 closed, both of which will be reported in the "Tw" timer.
13092
13093 - : normal session completion after end of data transfer.
13094
13095 - the third character tells whether the persistence cookie was provided by
13096 the client (only in HTTP mode) :
13097
13098 N : the client provided NO cookie. This is usually the case for new
13099 visitors, so counting the number of occurrences of this flag in the
13100 logs generally indicate a valid trend for the site frequentation.
13101
13102 I : the client provided an INVALID cookie matching no known server.
13103 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +020013104 cookies between HTTP/HTTPS sites, persistence conditionally
13105 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013106
13107 D : the client provided a cookie designating a server which was DOWN,
13108 so either "option persist" was used and the client was sent to
13109 this server, or it was not set and the client was redispatched to
13110 another server.
13111
Willy Tarreau996a92c2010-10-13 19:30:47 +020013112 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013113 server.
13114
Willy Tarreau996a92c2010-10-13 19:30:47 +020013115 E : the client provided a valid cookie, but with a last date which was
13116 older than what is allowed by the "maxidle" cookie parameter, so
13117 the cookie is consider EXPIRED and is ignored. The request will be
13118 redispatched just as if there was no cookie.
13119
13120 O : the client provided a valid cookie, but with a first date which was
13121 older than what is allowed by the "maxlife" cookie parameter, so
13122 the cookie is consider too OLD and is ignored. The request will be
13123 redispatched just as if there was no cookie.
13124
Willy Tarreauc89ccb62012-04-05 21:18:22 +020013125 U : a cookie was present but was not used to select the server because
13126 some other server selection mechanism was used instead (typically a
13127 "use-server" rule).
13128
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013129 - : does not apply (no cookie set in configuration).
13130
13131 - the last character reports what operations were performed on the persistence
13132 cookie returned by the server (only in HTTP mode) :
13133
13134 N : NO cookie was provided by the server, and none was inserted either.
13135
13136 I : no cookie was provided by the server, and the proxy INSERTED one.
13137 Note that in "cookie insert" mode, if the server provides a cookie,
13138 it will still be overwritten and reported as "I" here.
13139
Willy Tarreau996a92c2010-10-13 19:30:47 +020013140 U : the proxy UPDATED the last date in the cookie that was presented by
13141 the client. This can only happen in insert mode with "maxidle". It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013142 happens every time there is activity at a different date than the
Willy Tarreau996a92c2010-10-13 19:30:47 +020013143 date indicated in the cookie. If any other change happens, such as
13144 a redispatch, then the cookie will be marked as inserted instead.
13145
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013146 P : a cookie was PROVIDED by the server and transmitted as-is.
13147
13148 R : the cookie provided by the server was REWRITTEN by the proxy, which
13149 happens in "cookie rewrite" or "cookie prefix" modes.
13150
13151 D : the cookie provided by the server was DELETED by the proxy.
13152
13153 - : does not apply (no cookie set in configuration).
13154
Willy Tarreau996a92c2010-10-13 19:30:47 +020013155The combination of the two first flags gives a lot of information about what
13156was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013157helpful to detect server saturation, network troubles, local system resource
13158starvation, attacks, etc...
13159
13160The most common termination flags combinations are indicated below. They are
13161alphabetically sorted, with the lowercase set just after the upper case for
13162easier finding and understanding.
13163
13164 Flags Reason
13165
13166 -- Normal termination.
13167
13168 CC The client aborted before the connection could be established to the
13169 server. This can happen when haproxy tries to connect to a recently
13170 dead (or unchecked) server, and the client aborts while haproxy is
13171 waiting for the server to respond or for "timeout connect" to expire.
13172
13173 CD The client unexpectedly aborted during data transfer. This can be
13174 caused by a browser crash, by an intermediate equipment between the
13175 client and haproxy which decided to actively break the connection,
13176 by network routing issues between the client and haproxy, or by a
13177 keep-alive session between the server and the client terminated first
13178 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +010013179
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013180 cD The client did not send nor acknowledge any data for as long as the
13181 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +020013182 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013183
13184 CH The client aborted while waiting for the server to start responding.
13185 It might be the server taking too long to respond or the client
13186 clicking the 'Stop' button too fast.
13187
13188 cH The "timeout client" stroke while waiting for client data during a
13189 POST request. This is sometimes caused by too large TCP MSS values
13190 for PPPoE networks which cannot transport full-sized packets. It can
13191 also happen when client timeout is smaller than server timeout and
13192 the server takes too long to respond.
13193
13194 CQ The client aborted while its session was queued, waiting for a server
13195 with enough empty slots to accept it. It might be that either all the
13196 servers were saturated or that the assigned server was taking too
13197 long a time to respond.
13198
13199 CR The client aborted before sending a full HTTP request. Most likely
13200 the request was typed by hand using a telnet client, and aborted
13201 too early. The HTTP status code is likely a 400 here. Sometimes this
13202 might also be caused by an IDS killing the connection between haproxy
13203 and the client.
13204
13205 cR The "timeout http-request" stroke before the client sent a full HTTP
13206 request. This is sometimes caused by too large TCP MSS values on the
13207 client side for PPPoE networks which cannot transport full-sized
13208 packets, or by clients sending requests by hand and not typing fast
13209 enough, or forgetting to enter the empty line at the end of the
Willy Tarreau2705a612014-05-23 17:38:34 +020013210 request. The HTTP status code is likely a 408 here. Note: recently,
13211 some browsers such as Google Chrome started to break the deployed Web
13212 infrastructure by aggressively implementing a new "pre-connect"
13213 feature, consisting in sending connections to sites recently visited
13214 without sending any request on them until the user starts to browse
13215 the site. This mechanism causes massive disruption among resource-
13216 limited servers, and causes a lot of 408 errors in HAProxy logs.
13217 Worse, some people report that sometimes the browser displays the 408
13218 error when the user expects to see the actual content (Mozilla fixed
13219 this bug in 2004, while Chrome users continue to report it in 2014),
13220 so in this case, using "errorfile 408 /dev/null" can be used as a
13221 workaround. More information on the subject is available here :
13222 https://bugzilla.mozilla.org/show_bug.cgi?id=248827
13223 https://code.google.com/p/chromium/issues/detail?id=85229
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013224
13225 CT The client aborted while its session was tarpitted. It is important to
13226 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +020013227 wrong tarpit rules have been written. If a lot of them happen, it
13228 might make sense to lower the "timeout tarpit" value to something
13229 closer to the average reported "Tw" timer, in order not to consume
13230 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013231
Willy Tarreau570f2212013-06-10 16:42:09 +020013232 LR The request was intercepted and locally handled by haproxy. Generally
13233 it means that this was a redirect or a stats request.
13234
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013235 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013236 the TCP connection (the proxy received a TCP RST or an ICMP message
13237 in return). Under some circumstances, it can also be the network
13238 stack telling the proxy that the server is unreachable (eg: no route,
13239 or no ARP response on local network). When this happens in HTTP mode,
13240 the status code is likely a 502 or 503 here.
13241
13242 sC The "timeout connect" stroke before a connection to the server could
13243 complete. When this happens in HTTP mode, the status code is likely a
13244 503 or 504 here.
13245
13246 SD The connection to the server died with an error during the data
13247 transfer. This usually means that haproxy has received an RST from
13248 the server or an ICMP message from an intermediate equipment while
13249 exchanging data with the server. This can be caused by a server crash
13250 or by a network issue on an intermediate equipment.
13251
13252 sD The server did not send nor acknowledge any data for as long as the
13253 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013254 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013255 load-balancers, ...), as well as keep-alive sessions maintained
13256 between the client and the server expiring first on haproxy.
13257
13258 SH The server aborted before sending its full HTTP response headers, or
13259 it crashed while processing the request. Since a server aborting at
13260 this moment is very rare, it would be wise to inspect its logs to
13261 control whether it crashed and why. The logged request may indicate a
13262 small set of faulty requests, demonstrating bugs in the application.
13263 Sometimes this might also be caused by an IDS killing the connection
13264 between haproxy and the server.
13265
13266 sH The "timeout server" stroke before the server could return its
13267 response headers. This is the most common anomaly, indicating too
13268 long transactions, probably caused by server or database saturation.
13269 The immediate workaround consists in increasing the "timeout server"
13270 setting, but it is important to keep in mind that the user experience
13271 will suffer from these long response times. The only long term
13272 solution is to fix the application.
13273
13274 sQ The session spent too much time in queue and has been expired. See
13275 the "timeout queue" and "timeout connect" settings to find out how to
13276 fix this if it happens too often. If it often happens massively in
13277 short periods, it may indicate general problems on the affected
13278 servers due to I/O or database congestion, or saturation caused by
13279 external attacks.
13280
13281 PC The proxy refused to establish a connection to the server because the
13282 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +020013283 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013284 so that it does not happen anymore. This status is very rare and
13285 might happen when the global "ulimit-n" parameter is forced by hand.
13286
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010013287 PD The proxy blocked an incorrectly formatted chunked encoded message in
13288 a request or a response, after the server has emitted its headers. In
13289 most cases, this will indicate an invalid message from the server to
Willy Tarreauf3a3e132013-08-31 08:16:26 +020013290 the client. Haproxy supports chunk sizes of up to 2GB - 1 (2147483647
13291 bytes). Any larger size will be considered as an error.
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010013292
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013293 PH The proxy blocked the server's response, because it was invalid,
13294 incomplete, dangerous (cache control), or matched a security filter.
13295 In any case, an HTTP 502 error is sent to the client. One possible
13296 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010013297 containing unauthorized characters. It is also possible but quite
13298 rare, that the proxy blocked a chunked-encoding request from the
13299 client due to an invalid syntax, before the server responded. In this
13300 case, an HTTP 400 error is sent to the client and reported in the
13301 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013302
13303 PR The proxy blocked the client's HTTP request, either because of an
13304 invalid HTTP syntax, in which case it returned an HTTP 400 error to
13305 the client, or because a deny filter matched, in which case it
13306 returned an HTTP 403 error.
13307
13308 PT The proxy blocked the client's request and has tarpitted its
13309 connection before returning it a 500 server error. Nothing was sent
13310 to the server. The connection was maintained open for as long as
13311 reported by the "Tw" timer field.
13312
13313 RC A local resource has been exhausted (memory, sockets, source ports)
13314 preventing the connection to the server from establishing. The error
13315 logs will tell precisely what was missing. This is very rare and can
13316 only be solved by proper system tuning.
13317
Willy Tarreau996a92c2010-10-13 19:30:47 +020013318The combination of the two last flags gives a lot of information about how
13319persistence was handled by the client, the server and by haproxy. This is very
13320important to troubleshoot disconnections, when users complain they have to
13321re-authenticate. The commonly encountered flags are :
13322
13323 -- Persistence cookie is not enabled.
13324
13325 NN No cookie was provided by the client, none was inserted in the
13326 response. For instance, this can be in insert mode with "postonly"
13327 set on a GET request.
13328
13329 II A cookie designating an invalid server was provided by the client,
13330 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040013331 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +020013332 value can be presented by a client when no other server knows it.
13333
13334 NI No cookie was provided by the client, one was inserted in the
13335 response. This typically happens for first requests from every user
13336 in "insert" mode, which makes it an easy way to count real users.
13337
13338 VN A cookie was provided by the client, none was inserted in the
13339 response. This happens for most responses for which the client has
13340 already got a cookie.
13341
13342 VU A cookie was provided by the client, with a last visit date which is
13343 not completely up-to-date, so an updated cookie was provided in
13344 response. This can also happen if there was no date at all, or if
13345 there was a date but the "maxidle" parameter was not set, so that the
13346 cookie can be switched to unlimited time.
13347
13348 EI A cookie was provided by the client, with a last visit date which is
13349 too old for the "maxidle" parameter, so the cookie was ignored and a
13350 new cookie was inserted in the response.
13351
13352 OI A cookie was provided by the client, with a first visit date which is
13353 too old for the "maxlife" parameter, so the cookie was ignored and a
13354 new cookie was inserted in the response.
13355
13356 DI The server designated by the cookie was down, a new server was
13357 selected and a new cookie was emitted in the response.
13358
13359 VI The server designated by the cookie was not marked dead but could not
13360 be reached. A redispatch happened and selected another one, which was
13361 then advertised in the response.
13362
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013363
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200133648.6. Non-printable characters
13365-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013366
13367In order not to cause trouble to log analysis tools or terminals during log
13368consulting, non-printable characters are not sent as-is into log files, but are
13369converted to the two-digits hexadecimal representation of their ASCII code,
13370prefixed by the character '#'. The only characters that can be logged without
13371being escaped are comprised between 32 and 126 (inclusive). Obviously, the
13372escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
13373is the same for the character '"' which becomes "#22", as well as '{', '|' and
13374'}' when logging headers.
13375
13376Note that the space character (' ') is not encoded in headers, which can cause
13377issues for tools relying on space count to locate fields. A typical header
13378containing spaces is "User-Agent".
13379
13380Last, it has been observed that some syslog daemons such as syslog-ng escape
13381the quote ('"') with a backslash ('\'). The reverse operation can safely be
13382performed since no quote may appear anywhere else in the logs.
13383
13384
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200133858.7. Capturing HTTP cookies
13386---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013387
13388Cookie capture simplifies the tracking a complete user session. This can be
13389achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013390section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013391cookie will simultaneously be checked in the request ("Cookie:" header) and in
13392the response ("Set-Cookie:" header). The respective values will be reported in
13393the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013394locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013395not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
13396user switches to a new session for example, because the server will reassign it
13397a new cookie. It is also possible to detect if a server unexpectedly sets a
13398wrong cookie to a client, leading to session crossing.
13399
13400 Examples :
13401 # capture the first cookie whose name starts with "ASPSESSION"
13402 capture cookie ASPSESSION len 32
13403
13404 # capture the first cookie whose name is exactly "vgnvisitor"
13405 capture cookie vgnvisitor= len 32
13406
13407
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200134088.8. Capturing HTTP headers
13409---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013410
13411Header captures are useful to track unique request identifiers set by an upper
13412proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
13413the response, one can search for information about the response length, how the
13414server asked the cache to behave, or an object location during a redirection.
13415
13416Header captures are performed using the "capture request header" and "capture
13417response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013418section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013419
13420It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013421time. Non-existent headers are logged as empty strings, and if one header
13422appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013423are grouped within braces '{' and '}' in the same order as they were declared,
13424and delimited with a vertical bar '|' without any space. Response headers
13425follow the same representation, but are displayed after a space following the
13426request headers block. These blocks are displayed just before the HTTP request
13427in the logs.
13428
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020013429As a special case, it is possible to specify an HTTP header capture in a TCP
13430frontend. The purpose is to enable logging of headers which will be parsed in
13431an HTTP backend if the request is then switched to this HTTP backend.
13432
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013433 Example :
13434 # This instance chains to the outgoing proxy
13435 listen proxy-out
13436 mode http
13437 option httplog
13438 option logasap
13439 log global
13440 server cache1 192.168.1.1:3128
13441
13442 # log the name of the virtual server
13443 capture request header Host len 20
13444
13445 # log the amount of data uploaded during a POST
13446 capture request header Content-Length len 10
13447
13448 # log the beginning of the referrer
13449 capture request header Referer len 20
13450
13451 # server name (useful for outgoing proxies only)
13452 capture response header Server len 20
13453
13454 # logging the content-length is useful with "option logasap"
13455 capture response header Content-Length len 10
13456
13457 # log the expected cache behaviour on the response
13458 capture response header Cache-Control len 8
13459
13460 # the Via header will report the next proxy's name
13461 capture response header Via len 20
13462
13463 # log the URL location during a redirection
13464 capture response header Location len 20
13465
13466 >>> Aug 9 20:26:09 localhost \
13467 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
13468 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
13469 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
13470 "GET http://fr.adserver.yahoo.com/"
13471
13472 >>> Aug 9 20:30:46 localhost \
13473 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
13474 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
13475 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013476 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013477
13478 >>> Aug 9 20:30:46 localhost \
13479 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
13480 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
13481 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
13482 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013483 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013484
13485
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200134868.9. Examples of logs
13487---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013488
13489These are real-world examples of logs accompanied with an explanation. Some of
13490them have been made up by hand. The syslog part has been removed for better
13491reading. Their sole purpose is to explain how to decipher them.
13492
13493 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
13494 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
13495 "HEAD / HTTP/1.0"
13496
13497 => long request (6.5s) entered by hand through 'telnet'. The server replied
13498 in 147 ms, and the session ended normally ('----')
13499
13500 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
13501 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
13502 0/9 "HEAD / HTTP/1.0"
13503
13504 => Idem, but the request was queued in the global queue behind 9 other
13505 requests, and waited there for 1230 ms.
13506
13507 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
13508 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
13509 "GET /image.iso HTTP/1.0"
13510
13511 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013512 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013513 14 ms, 243 bytes of headers were sent to the client, and total time from
13514 accept to first data byte is 30 ms.
13515
13516 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
13517 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
13518 "GET /cgi-bin/bug.cgi? HTTP/1.0"
13519
13520 => the proxy blocked a server response either because of an "rspdeny" or
13521 "rspideny" filter, or because the response was improperly formatted and
Willy Tarreau3c92c5f2011-08-28 09:45:47 +020013522 not HTTP-compliant, or because it blocked sensitive information which
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013523 risked being cached. In this case, the response is replaced with a "502
13524 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
13525 to return the 502 and not the server.
13526
13527 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013528 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013529
13530 => the client never completed its request and aborted itself ("C---") after
13531 8.5s, while the proxy was waiting for the request headers ("-R--").
13532 Nothing was sent to any server.
13533
13534 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
13535 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
13536
13537 => The client never completed its request, which was aborted by the
13538 time-out ("c---") after 50s, while the proxy was waiting for the request
13539 headers ("-R--"). Nothing was sent to any server, but the proxy could
13540 send a 408 return code to the client.
13541
13542 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
13543 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
13544
13545 => This log was produced with "option tcplog". The client timed out after
13546 5 seconds ("c----").
13547
13548 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
13549 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013550 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013551
13552 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013553 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013554 (config says 'retries 3'), and no redispatch (otherwise we would have
13555 seen "/+3"). Status code 503 was returned to the client. There were 115
13556 connections on this server, 202 connections on this proxy, and 205 on
13557 the global process. It is possible that the server refused the
13558 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013559
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013560
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200135619. Statistics and monitoring
13562----------------------------
13563
13564It is possible to query HAProxy about its status. The most commonly used
13565mechanism is the HTTP statistics page. This page also exposes an alternative
13566CSV output format for monitoring tools. The same format is provided on the
13567Unix socket.
13568
13569
135709.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013571---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010013572
Willy Tarreau7f062c42009-03-05 18:43:00 +010013573The statistics may be consulted either from the unix socket or from the HTTP
Willy Tarreaua3310dc2014-06-16 15:43:21 +020013574page. Both means provide a CSV format whose fields follow. The first line
13575begins with a sharp ('#') and has one word per comma-delimited field which
13576represents the title of the column. All other lines starting at the second one
13577use a classical CSV format using a comma as the delimiter, and the double quote
13578('"') as an optional text delimiter, but only if the enclosed text is ambiguous
13579(if it contains a quote or a comma). The double-quote character ('"') in the
13580text is doubled ('""'), which is the format that most tools recognize. Please
13581do not insert any column before these ones in order not to break tools which
13582use hard-coded column positions.
Willy Tarreau7f062c42009-03-05 18:43:00 +010013583
James Westbyebe62d62014-07-08 10:14:57 -040013584In brackets after each field name are the types which may have a value for
13585that field. The types are L (Listeners), F (Frontends), B (Backends), and
13586S (Servers).
13587
13588 0. pxname [LFBS]: proxy name
13589 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend,
13590 any name for server/listener)
13591 2. qcur [..BS]: current queued requests. For the backend this reports the
13592 number queued without a server assigned.
13593 3. qmax [..BS]: max value of qcur
13594 4. scur [LFBS]: current sessions
13595 5. smax [LFBS]: max sessions
13596 6. slim [LFBS]: configured session limit
13597 7. stot [LFBS]: cumulative number of connections
13598 8. bin [LFBS]: bytes in
13599 9. bout [LFBS]: bytes out
13600 10. dreq [LFB.]: requests denied because of security concerns.
13601 - For tcp this is because of a matched tcp-request content rule.
13602 - For http this is because of a matched http-request or tarpit rule.
13603 11. dresp [LFBS]: responses denied because of security concerns.
13604 - For http this is because of a matched http-request rule, or
13605 "option checkcache".
13606 12. ereq [LF..]: request errors. Some of the possible causes are:
13607 - early termination from the client, before the request has been sent.
13608 - read error from the client
13609 - client timeout
13610 - client closed connection
13611 - various bad requests from the client.
13612 - request was tarpitted.
13613 13. econ [..BS]: number of requests that encountered an error trying to
13614 connect to a backend server. The backend stat is the sum of the stat
13615 for all servers of that backend, plus any connection errors not
13616 associated with a particular server (such as the backend having no
13617 active servers).
13618 14. eresp [..BS]: response errors. srv_abrt will be counted here also.
13619 Some other errors are:
13620 - write error on the client socket (won't be counted for the server stat)
13621 - failure applying filters to the response.
13622 15. wretr [..BS]: number of times a connection to a server was retried.
13623 16. wredis [..BS]: number of times a request was redispatched to another
13624 server. The server value counts the number of times that server was
13625 switched away from.
13626 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
13627 18. weight [..BS]: server weight (server), total weight (backend)
13628 19. act [..BS]: server is active (server), number of active servers (backend)
13629 20. bck [..BS]: server is backup (server), number of backup servers (backend)
13630 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
13631 the server is up.)
13632 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
13633 transitions to the whole backend being down, rather than the sum of the
13634 counters for each server.
13635 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition
13636 24. downtime [..BS]: total downtime (in seconds). The value for the backend
13637 is the downtime for the whole backend, not the sum of the server downtime.
13638 25. qlimit [...S]: configured maxqueue for the server, or nothing in the
13639 value is 0 (default, meaning no limit)
13640 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...)
13641 27. iid [LFBS]: unique proxy id
13642 28. sid [L..S]: server id (unique inside a proxy)
13643 29. throttle [...S]: current throttle percentage for the server, when
13644 slowstart is active, or no value if not in slowstart.
13645 30. lbtot [..BS]: total number of times a server was selected, either for new
13646 sessions, or when re-dispatching. The server counter is the number
13647 of times that server was selected.
13648 31. tracked [...S]: id of proxy/server if tracking is enabled.
13649 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener)
13650 33. rate [.FBS]: number of sessions per second over last elapsed second
13651 34. rate_lim [.F..]: configured limit on new sessions per second
13652 35. rate_max [.FBS]: max number of new sessions per second
13653 36. check_status [...S]: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +010013654 UNK -> unknown
13655 INI -> initializing
13656 SOCKERR -> socket error
13657 L4OK -> check passed on layer 4, no upper layers testing enabled
13658 L4TMOUT -> layer 1-4 timeout
13659 L4CON -> layer 1-4 connection problem, for example
13660 "Connection refused" (tcp rst) or "No route to host" (icmp)
13661 L6OK -> check passed on layer 6
13662 L6TOUT -> layer 6 (SSL) timeout
13663 L6RSP -> layer 6 invalid response - protocol error
13664 L7OK -> check passed on layer 7
13665 L7OKC -> check conditionally passed on layer 7, for example 404 with
13666 disable-on-404
13667 L7TOUT -> layer 7 (HTTP/SMTP) timeout
13668 L7RSP -> layer 7 invalid response - protocol error
13669 L7STS -> layer 7 response error, for example HTTP 5xx
James Westbyebe62d62014-07-08 10:14:57 -040013670 37. check_code [...S]: layer5-7 code, if available
13671 38. check_duration [...S]: time in ms took to finish last health check
13672 39. hrsp_1xx [.FBS]: http responses with 1xx code
13673 40. hrsp_2xx [.FBS]: http responses with 2xx code
13674 41. hrsp_3xx [.FBS]: http responses with 3xx code
13675 42. hrsp_4xx [.FBS]: http responses with 4xx code
13676 43. hrsp_5xx [.FBS]: http responses with 5xx code
13677 44. hrsp_other [.FBS]: http responses with other codes (protocol error)
13678 45. hanafail [...S]: failed health checks details
13679 46. req_rate [.F..]: HTTP requests per second over last elapsed second
13680 47. req_rate_max [.F..]: max number of HTTP requests per second observed
13681 48. req_tot [.F..]: total number of HTTP requests received
13682 49. cli_abrt [..BS]: number of data transfers aborted by the client
13683 50. srv_abrt [..BS]: number of data transfers aborted by the server
13684 (inc. in eresp)
13685 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor
13686 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor
13687 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor
13688 (CPU/BW limit)
13689 54. comp_rsp [.FB.]: number of HTTP responses that were compressed
13690 55. lastsess [..BS]: number of seconds since last session assigned to
13691 server/backend
13692 56. last_chk [...S]: last health check contents or textual error
13693 57. last_agt [...S]: last agent check contents or textual error
13694 58. qtime [..BS]: the average queue time in ms over the 1024 last requests
13695 59. ctime [..BS]: the average connect time in ms over the 1024 last requests
13696 60. rtime [..BS]: the average response time in ms over the 1024 last requests
13697 (0 for TCP)
13698 61. ttime [..BS]: the average total session time in ms over the 1024 last
13699 requests
Willy Tarreau844e3c52008-01-11 16:28:18 +010013700
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013701
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200137029.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013703-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010013704
Willy Tarreau468f4932013-08-01 16:50:16 +020013705The stats socket is not enabled by default. In order to enable it, it is
13706necessary to add one line in the global section of the haproxy configuration.
13707A second line is recommended to set a larger timeout, always appreciated when
13708issuing commands by hand :
13709
13710 global
13711 stats socket /var/run/haproxy.sock mode 600 level admin
13712 stats timeout 2m
13713
13714It is also possible to add multiple instances of the stats socket by repeating
13715the line, and make them listen to a TCP port instead of a UNIX socket. This is
13716never done by default because this is dangerous, but can be handy in some
13717situations :
13718
13719 global
13720 stats socket /var/run/haproxy.sock mode 600 level admin
13721 stats socket ipv4@192.168.0.1:9999 level admin
13722 stats timeout 2m
13723
13724To access the socket, an external utility such as "socat" is required. Socat is a
13725swiss-army knife to connect anything to anything. We use it to connect terminals
13726to the socket, or a couple of stdin/stdout pipes to it for scripts. The two main
13727syntaxes we'll use are the following :
13728
13729 # socat /var/run/haproxy.sock stdio
13730 # socat /var/run/haproxy.sock readline
13731
13732The first one is used with scripts. It is possible to send the output of a
13733script to haproxy, and pass haproxy's output to another script. That's useful
13734for retrieving counters or attack traces for example.
13735
13736The second one is only useful for issuing commands by hand. It has the benefit
13737that the terminal is handled by the readline library which supports line
13738editing and history, which is very convenient when issuing repeated commands
13739(eg: watch a counter).
13740
13741The socket supports two operation modes :
13742 - interactive
13743 - non-interactive
13744
13745The non-interactive mode is the default when socat connects to the socket. In
13746this mode, a single line may be sent. It is processed as a whole, responses are
13747sent back, and the connection closes after the end of the response. This is the
13748mode that scripts and monitoring tools use. It is possible to send multiple
13749commands in this mode, they need to be delimited by a semi-colon (';'). For
13750example :
13751
13752 # echo "show info;show stat;show table" | socat /var/run/haproxy stdio
13753
13754The interactive mode displays a prompt ('>') and waits for commands to be
13755entered on the line, then processes them, and displays the prompt again to wait
13756for a new command. This mode is entered via the "prompt" command which must be
13757sent on the first line in non-interactive mode. The mode is a flip switch, if
13758"prompt" is sent in interactive mode, it is disabled and the connection closes
13759after processing the last command of the same line.
13760
13761For this reason, when debugging by hand, it's quite common to start with the
13762"prompt" command :
13763
13764 # socat /var/run/haproxy readline
13765 prompt
13766 > show info
13767 ...
13768 >
13769
13770Since multiple commands may be issued at once, haproxy uses the empty line as a
13771delimiter to mark an end of output for each command, and takes care of ensuring
13772that no command can emit an empty line on output. A script can thus easily
13773parse the output even when multiple commands were pipelined on a single line.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013774
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013775It is important to understand that when multiple haproxy processes are started
13776on the same sockets, any process may pick up the request and will output its
13777own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013778
Willy Tarreau468f4932013-08-01 16:50:16 +020013779The list of commands currently supported on the stats socket is provided below.
13780If an unknown command is sent, haproxy displays the usage message which reminds
13781all supported commands. Some commands support a more complex syntax, generally
13782it will explain what part of the command is invalid when this happens.
13783
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013784add acl <acl> <pattern>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013785 Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
13786 "show acl". This command does not verify if the entry already exists. This
13787 command cannot be used if the reference <acl> is a file also used with a map.
13788 In this case, you must use the command "add map" in place of "add acl".
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013789
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013790add map <map> <key> <value>
13791 Add an entry into the map <map> to associate the value <value> to the key
13792 <key>. This command does not verify if the entry already exists. It is
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013793 mainly used to fill a map after a clear operation. Note that if the reference
13794 <map> is a file and is shared with a map, this map will contain also a new
13795 pattern entry.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013796
Willy Tarreaud63335a2010-02-26 12:56:52 +010013797clear counters
13798 Clear the max values of the statistics counters in each proxy (frontend &
13799 backend) and in each server. The cumulated counters are not affected. This
13800 can be used to get clean counters after an incident, without having to
13801 restart nor to clear traffic counters. This command is restricted and can
13802 only be issued on sockets configured for levels "operator" or "admin".
13803
13804clear counters all
13805 Clear all statistics counters in each proxy (frontend & backend) and in each
13806 server. This has the same effect as restarting. This command is restricted
13807 and can only be issued on sockets configured for level "admin".
13808
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013809clear acl <acl>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013810 Remove all entries from the acl <acl>. <acl> is the #<id> or the <file>
13811 returned by "show acl". Note that if the reference <acl> is a file and is
13812 shared with a map, this map will be also cleared.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013813
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013814clear map <map>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013815 Remove all entries from the map <map>. <map> is the #<id> or the <file>
13816 returned by "show map". Note that if the reference <map> is a file and is
13817 shared with a acl, this acl will be also cleared.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013818
Simon Hormanc88b8872011-06-15 15:18:49 +090013819clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
13820 Remove entries from the stick-table <table>.
13821
13822 This is typically used to unblock some users complaining they have been
13823 abusively denied access to a service, but this can also be used to clear some
13824 stickiness entries matching a server that is going to be replaced (see "show
13825 table" below for details). Note that sometimes, removal of an entry will be
13826 refused because it is currently tracked by a session. Retrying a few seconds
13827 later after the session ends is usual enough.
13828
13829 In the case where no options arguments are given all entries will be removed.
13830
13831 When the "data." form is used entries matching a filter applied using the
13832 stored data (see "stick-table" in section 4.2) are removed. A stored data
13833 type must be specified in <type>, and this data type must be stored in the
13834 table otherwise an error is reported. The data is compared according to
13835 <operator> with the 64-bit integer <value>. Operators are the same as with
13836 the ACLs :
13837
13838 - eq : match entries whose data is equal to this value
13839 - ne : match entries whose data is not equal to this value
13840 - le : match entries whose data is less than or equal to this value
13841 - ge : match entries whose data is greater than or equal to this value
13842 - lt : match entries whose data is less than this value
13843 - gt : match entries whose data is greater than this value
13844
13845 When the key form is used the entry <key> is removed. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090013846 same type as the table, which currently is limited to IPv4, IPv6, integer and
13847 string.
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013848
13849 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020013850 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020013851 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020013852 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
13853 bytes_out_rate(60000)=187
13854 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13855 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013856
13857 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
13858
13859 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020013860 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau62a36c42010-08-17 15:53:10 +020013861 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13862 bytes_out_rate(60000)=191
Simon Hormanc88b8872011-06-15 15:18:49 +090013863 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
13864 $ echo "show table http_proxy" | socat stdio /tmp/sock1
13865 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013866
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013867del acl <acl> [<key>|#<ref>]
13868 Delete all the acl entries from the acl <acl> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013869 <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used,
13870 this command delete only the listed reference. The reference can be found with
13871 listing the content of the acl. Note that if the reference <acl> is a file and
13872 is shared with a map, the entry will be also deleted in the map.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013873
13874del map <map> [<key>|#<ref>]
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010013875 Delete all the map entries from the map <map> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013876 <map> is the #<id> or the <file> returned by "show map". If the <ref> is used,
13877 this command delete only the listed reference. The reference can be found with
13878 listing the content of the map. Note that if the reference <map> is a file and
13879 is shared with a acl, the entry will be also deleted in the map.
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010013880
13881disable agent <backend>/<server>
Simon Horman671b6f02013-11-25 10:46:39 +090013882 Mark the auxiliary agent check as temporarily stopped.
13883
13884 In the case where an agent check is being run as a auxiliary check, due
13885 to the agent-check parameter of a server directive, new checks are only
13886 initialised when the agent is in the enabled. Thus, disable agent will
13887 prevent any new agent checks from begin initiated until the agent
13888 re-enabled using enable agent.
13889
13890 When an agent is disabled the processing of an auxiliary agent check that
13891 was initiated while the agent was set as enabled is as follows: All
13892 results that would alter the weight, specifically "drain" or a weight
13893 returned by the agent, are ignored. The processing of agent check is
13894 otherwise unchanged.
13895
13896 The motivation for this feature is to allow the weight changing effects
13897 of the agent checks to be paused to allow the weight of a server to be
13898 configured using set weight without being overridden by the agent.
13899
13900 This command is restricted and can only be issued on sockets configured for
13901 level "admin".
13902
Willy Tarreau532a4502011-09-07 22:37:44 +020013903disable frontend <frontend>
13904 Mark the frontend as temporarily stopped. This corresponds to the mode which
13905 is used during a soft restart : the frontend releases the port but can be
13906 enabled again if needed. This should be used with care as some non-Linux OSes
13907 are unable to enable it back. This is intended to be used in environments
13908 where stopping a proxy is not even imaginable but a misconfigured proxy must
13909 be fixed. That way it's possible to release the port and bind it into another
13910 process to restore operations. The frontend will appear with status "STOP"
13911 on the stats page.
13912
13913 The frontend may be specified either by its name or by its numeric ID,
13914 prefixed with a sharp ('#').
13915
13916 This command is restricted and can only be issued on sockets configured for
13917 level "admin".
13918
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020013919disable health <backend>/<server>
13920 Mark the primary health check as temporarily stopped. This will disable
13921 sending of health checks, and the last health check result will be ignored.
13922 The server will be in unchecked state and considered UP unless an auxiliary
13923 agent check forces it down.
13924
13925 This command is restricted and can only be issued on sockets configured for
13926 level "admin".
13927
Willy Tarreaud63335a2010-02-26 12:56:52 +010013928disable server <backend>/<server>
13929 Mark the server DOWN for maintenance. In this mode, no more checks will be
13930 performed on the server until it leaves maintenance.
13931 If the server is tracked by other servers, those servers will be set to DOWN
13932 during the maintenance.
13933
13934 In the statistics page, a server DOWN for maintenance will appear with a
13935 "MAINT" status, its tracking servers with the "MAINT(via)" one.
13936
13937 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020013938 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010013939
13940 This command is restricted and can only be issued on sockets configured for
13941 level "admin".
13942
Simon Horman671b6f02013-11-25 10:46:39 +090013943enable agent <backend>/<server>
13944 Resume auxiliary agent check that was temporarily stopped.
13945
13946 See "disable agent" for details of the effect of temporarily starting
13947 and stopping an auxiliary agent.
13948
13949 This command is restricted and can only be issued on sockets configured for
13950 level "admin".
13951
Willy Tarreau532a4502011-09-07 22:37:44 +020013952enable frontend <frontend>
13953 Resume a frontend which was temporarily stopped. It is possible that some of
13954 the listening ports won't be able to bind anymore (eg: if another process
13955 took them since the 'disable frontend' operation). If this happens, an error
13956 is displayed. Some operating systems might not be able to resume a frontend
13957 which was disabled.
13958
13959 The frontend may be specified either by its name or by its numeric ID,
13960 prefixed with a sharp ('#').
13961
13962 This command is restricted and can only be issued on sockets configured for
13963 level "admin".
13964
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020013965enable health <backend>/<server>
13966 Resume a primary health check that was temporarily stopped. This will enable
13967 sending of health checks again. Please see "disable health" for details.
13968
13969 This command is restricted and can only be issued on sockets configured for
13970 level "admin".
13971
Willy Tarreaud63335a2010-02-26 12:56:52 +010013972enable server <backend>/<server>
13973 If the server was previously marked as DOWN for maintenance, this marks the
13974 server UP and checks are re-enabled.
13975
13976 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020013977 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010013978
13979 This command is restricted and can only be issued on sockets configured for
13980 level "admin".
13981
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010013982get map <map> <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013983get acl <acl> <value>
13984 Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl>
13985 are the #<id> or the <file> returned by "show map" or "show acl". This command
13986 returns all the matching patterns associated with this map. This is useful for
13987 debugging maps and ACLs. The output format is composed by one line par
13988 matching type. Each line is composed by space-delimited series of words.
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010013989
13990 The first two words are:
13991
13992 <match method>: The match method applied. It can be "found", "bool",
13993 "int", "ip", "bin", "len", "str", "beg", "sub", "dir",
13994 "dom", "end" or "reg".
13995
13996 <match result>: The result. Can be "match" or "no-match".
13997
13998 The following words are returned only if the pattern matches an entry.
13999
14000 <index type>: "tree" or "list". The internal lookup algorithm.
14001
14002 <case>: "case-insensitive" or "case-sensitive". The
14003 interpretation of the case.
14004
14005 <entry matched>: match="<entry>". Return the matched pattern. It is
14006 useful with regular expressions.
14007
14008 The two last word are used to show the returned value and its type. With the
14009 "acl" case, the pattern doesn't exist.
14010
14011 return=nothing: No return because there are no "map".
14012 return="<value>": The value returned in the string format.
14013 return=cannot-display: The value cannot be converted as string.
14014
14015 type="<type>": The type of the returned sample.
14016
Willy Tarreaud63335a2010-02-26 12:56:52 +010014017get weight <backend>/<server>
14018 Report the current weight and the initial weight of server <server> in
14019 backend <backend> or an error if either doesn't exist. The initial weight is
14020 the one that appears in the configuration file. Both are normally equal
14021 unless the current weight has been changed. Both the backend and the server
14022 may be specified either by their name or by their numeric ID, prefixed with a
Willy Tarreauf5f31922011-08-02 11:32:07 +020014023 sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010014024
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014025help
14026 Print the list of known keywords and their basic usage. The same help screen
14027 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010014028
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014029prompt
14030 Toggle the prompt at the beginning of the line and enter or leave interactive
14031 mode. In interactive mode, the connection is not closed after a command
14032 completes. Instead, the prompt will appear again, indicating the user that
14033 the interpreter is waiting for a new command. The prompt consists in a right
14034 angle bracket followed by a space "> ". This mode is particularly convenient
14035 when one wants to periodically check information such as stats or errors.
14036 It is also a good idea to enter interactive mode before issuing a "help"
14037 command.
14038
14039quit
14040 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010014041
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014042set map <map> [<key>|#<ref>] <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014043 Modify the value corresponding to each key <key> in a map <map>. <map> is the
14044 #<id> or <file> returned by "show map". If the <ref> is used in place of
14045 <key>, only the entry pointed by <ref> is changed. The new value is <value>.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014046
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020014047set maxconn frontend <frontend> <value>
Willy Tarreau3c7a79d2012-09-26 21:07:15 +020014048 Dynamically change the specified frontend's maxconn setting. Any positive
14049 value is allowed including zero, but setting values larger than the global
14050 maxconn does not make much sense. If the limit is increased and connections
14051 were pending, they will immediately be accepted. If it is lowered to a value
14052 below the current number of connections, new connections acceptation will be
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020014053 delayed until the threshold is reached. The frontend might be specified by
14054 either its name or its numeric ID prefixed with a sharp ('#').
14055
Willy Tarreau91886b62011-09-07 14:38:31 +020014056set maxconn global <maxconn>
14057 Dynamically change the global maxconn setting within the range defined by the
14058 initial global maxconn setting. If it is increased and connections were
14059 pending, they will immediately be accepted. If it is lowered to a value below
14060 the current number of connections, new connections acceptation will be
14061 delayed until the threshold is reached. A value of zero restores the initial
14062 setting.
14063
Willy Tarreauf5b22872011-09-07 16:13:44 +020014064set rate-limit connections global <value>
14065 Change the process-wide connection rate limit, which is set by the global
14066 'maxconnrate' setting. A value of zero disables the limitation. This limit
14067 applies to all frontends and the change has an immediate effect. The value
14068 is passed in number of connections per second.
14069
William Lallemandd85f9172012-11-09 17:05:39 +010014070set rate-limit http-compression global <value>
14071 Change the maximum input compression rate, which is set by the global
14072 'maxcomprate' setting. A value of zero disables the limitation. The value is
William Lallemand096f5542012-11-19 17:26:05 +010014073 passed in number of kilobytes per second. The value is available in the "show
14074 info" on the line "CompressBpsRateLim" in bytes.
William Lallemandd85f9172012-11-09 17:05:39 +010014075
Willy Tarreau93e7c002013-10-07 18:51:07 +020014076set rate-limit sessions global <value>
14077 Change the process-wide session rate limit, which is set by the global
14078 'maxsessrate' setting. A value of zero disables the limitation. This limit
14079 applies to all frontends and the change has an immediate effect. The value
14080 is passed in number of sessions per second.
14081
Willy Tarreaue43d5322013-10-07 20:01:52 +020014082set rate-limit ssl-sessions global <value>
14083 Change the process-wide SSL session rate limit, which is set by the global
14084 'maxsslrate' setting. A value of zero disables the limitation. This limit
14085 applies to all frontends and the change has an immediate effect. The value
14086 is passed in number of sessions per second sent to the SSL stack. It applies
14087 before the handshake in order to protect the stack against handshake abuses.
14088
Willy Tarreau2a4b70f2014-05-22 18:42:35 +020014089set server <backend>/<server> agent [ up | down ]
14090 Force a server's agent to a new state. This can be useful to immediately
14091 switch a server's state regardless of some slow agent checks for example.
14092 Note that the change is propagated to tracking servers if any.
14093
14094set server <backend>/<server> health [ up | stopping | down ]
14095 Force a server's health to a new state. This can be useful to immediately
14096 switch a server's state regardless of some slow health checks for example.
14097 Note that the change is propagated to tracking servers if any.
14098
14099set server <backend>/<server> state [ ready | drain | maint ]
14100 Force a server's administrative state to a new state. This can be useful to
14101 disable load balancing and/or any traffic to a server. Setting the state to
14102 "ready" puts the server in normal mode, and the command is the equivalent of
14103 the "enable server" command. Setting the state to "maint" disables any traffic
14104 to the server as well as any health checks. This is the equivalent of the
14105 "disable server" command. Setting the mode to "drain" only removes the server
14106 from load balancing but still allows it to be checked and to accept new
14107 persistent connections. Changes are propagated to tracking servers if any.
14108
14109set server <backend>/<server> weight <weight>[%]
14110 Change a server's weight to the value passed in argument. This is the exact
14111 equivalent of the "set weight" command below.
14112
Emeric Brun4147b2e2014-06-16 18:36:30 +020014113set ssl ocsp-response <response>
14114 This command is used to update an OCSP Response for a certificate (see "crt"
14115 on "bind" lines). Same controls are performed as during the initial loading of
14116 the response. The <response> must be passed as a base64 encoded string of the
14117 DER encoded response from the OCSP server.
14118
14119 Example:
14120 openssl ocsp -issuer issuer.pem -cert server.pem \
14121 -host ocsp.issuer.com:80 -respout resp.der
14122 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
14123 socat stdio /var/run/haproxy.stat
14124
Willy Tarreau47060b62013-08-01 21:11:42 +020014125set table <table> key <key> [data.<data_type> <value>]*
Willy Tarreau654694e2012-06-07 01:03:16 +020014126 Create or update a stick-table entry in the table. If the key is not present,
14127 an entry is inserted. See stick-table in section 4.2 to find all possible
14128 values for <data_type>. The most likely use consists in dynamically entering
14129 entries for source IP addresses, with a flag in gpc0 to dynamically block an
Willy Tarreau47060b62013-08-01 21:11:42 +020014130 IP address or affect its quality of service. It is possible to pass multiple
14131 data_types in a single call.
Willy Tarreau654694e2012-06-07 01:03:16 +020014132
Willy Tarreaud63335a2010-02-26 12:56:52 +010014133set timeout cli <delay>
14134 Change the CLI interface timeout for current connection. This can be useful
14135 during long debugging sessions where the user needs to constantly inspect
14136 some indicators without being disconnected. The delay is passed in seconds.
14137
14138set weight <backend>/<server> <weight>[%]
14139 Change a server's weight to the value passed in argument. If the value ends
14140 with the '%' sign, then the new weight will be relative to the initially
Simon Horman58b5d292013-02-12 10:45:52 +090014141 configured weight. Absolute weights are permitted between 0 and 256.
14142 Relative weights must be positive with the resulting absolute weight is
14143 capped at 256. Servers which are part of a farm running a static
14144 load-balancing algorithm have stricter limitations because the weight
14145 cannot change once set. Thus for these servers, the only accepted values
14146 are 0 and 100% (or 0 and the initial weight). Changes take effect
14147 immediately, though certain LB algorithms require a certain amount of
14148 requests to consider changes. A typical usage of this command is to
14149 disable a server during an update by setting its weight to zero, then to
14150 enable it again after the update by setting it back to 100%. This command
14151 is restricted and can only be issued on sockets configured for level
14152 "admin". Both the backend and the server may be specified either by their
14153 name or by their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010014154
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014155show errors [<iid>]
14156 Dump last known request and response errors collected by frontends and
14157 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +020014158 either frontend or backend whose ID is <iid>. This command is restricted
14159 and can only be issued on sockets configured for levels "operator" or
14160 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014161
14162 The errors which may be collected are the last request and response errors
14163 caused by protocol violations, often due to invalid characters in header
14164 names. The report precisely indicates what exact character violated the
14165 protocol. Other important information such as the exact date the error was
14166 detected, frontend and backend names, the server name (when known), the
14167 internal session ID and the source address which has initiated the session
14168 are reported too.
14169
14170 All characters are returned, and non-printable characters are encoded. The
14171 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
14172 letter following a backslash. The backslash itself is encoded as '\\' to
14173 avoid confusion. Other non-printable characters are encoded '\xNN' where
14174 NN is the two-digits hexadecimal representation of the character's ASCII
14175 code.
14176
14177 Lines are prefixed with the position of their first character, starting at 0
14178 for the beginning of the buffer. At most one input line is printed per line,
14179 and large lines will be broken into multiple consecutive output lines so that
14180 the output never goes beyond 79 characters wide. It is easy to detect if a
14181 line was broken, because it will not end with '\n' and the next line's offset
14182 will be followed by a '+' sign, indicating it is a continuation of previous
14183 line.
14184
14185 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014186 $ echo "show errors" | socat stdio /tmp/sock1
14187 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014188 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
14189 response length 213 bytes, error at position 23:
14190
14191 00000 HTTP/1.0 200 OK\r\n
14192 00017 header/bizarre:blah\r\n
14193 00038 Location: blah\r\n
14194 00054 Long-line: this is a very long line which should b
14195 00104+ e broken into multiple lines on the output buffer,
14196 00154+ otherwise it would be too large to print in a ter
14197 00204+ minal\r\n
14198 00211 \r\n
14199
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014200 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014201 ID 2 has blocked an invalid response from its server s2 which has internal
14202 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
14203 received by frontend fe-eth0 whose ID is 1. The total response length was
14204 213 bytes when the error was detected, and the error was at byte 23. This
14205 is the slash ('/') in header name "header/bizarre", which is not a valid
14206 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010014207
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014208show info
14209 Dump info about haproxy status on current process.
14210
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014211show map [<map>]
14212 Dump info about map converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014213 maps is returned. If a <map> is specified, its contents are dumped. <map> is
14214 the #<id> or <file>. The first column is a unique identifier. It can be used
14215 as reference for the operation "del map" and "set map". The second column is
14216 the pattern and the third column is the sample if available. The data returned
14217 are not directly a list of available maps, but are the list of all patterns
14218 composing any map. Many of these patterns can be shared with ACL.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014219
14220show acl [<acl>]
14221 Dump info about acl converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014222 acls is returned. If a <acl> is specified, its contents are dumped. <acl> if
14223 the #<id> or <file>. The dump format is the same than the map even for the
14224 sample value. The data returned are not a list of available ACL, but are the
14225 list of all patterns composing any ACL. Many of these patterns can be shared
14226 with maps.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014227
Willy Tarreau12833bb2014-01-28 16:49:56 +010014228show pools
14229 Dump the status of internal memory pools. This is useful to track memory
14230 usage when suspecting a memory leak for example. It does exactly the same
14231 as the SIGQUIT when running in foreground except that it does not flush
14232 the pools.
14233
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014234show sess
14235 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +020014236 be huge. This command is restricted and can only be issued on sockets
14237 configured for levels "operator" or "admin".
14238
Willy Tarreau66dc20a2010-03-05 17:53:32 +010014239show sess <id>
14240 Display a lot of internal information about the specified session identifier.
14241 This identifier is the first field at the beginning of the lines in the dumps
14242 of "show sess" (it corresponds to the session pointer). Those information are
14243 useless to most users but may be used by haproxy developers to troubleshoot a
14244 complex bug. The output format is intentionally not documented so that it can
Olivierce31e6e2014-09-05 18:49:10 +020014245 freely evolve depending on demands. You may find a description of all fields
14246 returned in src/dumpstats.c
14247
14248 The special id "all" dumps the states of all sessions, which must be avoided
14249 as much as possible as it is highly CPU intensive and can take a lot of time.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014250
14251show stat [<iid> <type> <sid>]
14252 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
14253 possible to dump only selected items :
14254 - <iid> is a proxy ID, -1 to dump everything
14255 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
14256 backends, 4 for servers, -1 for everything. These values can be ORed,
14257 for example:
14258 1 + 2 = 3 -> frontend + backend.
14259 1 + 2 + 4 = 7 -> frontend + backend + server.
14260 - <sid> is a server ID, -1 to dump everything from the selected proxy.
14261
14262 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014263 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
14264 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014265 Version: 1.4-dev2-49
14266 Release_date: 2009/09/23
14267 Nbproc: 1
14268 Process_num: 1
14269 (...)
14270
14271 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
14272 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
14273 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
14274 (...)
14275 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
14276
14277 $
14278
14279 Here, two commands have been issued at once. That way it's easy to find
14280 which process the stats apply to in multi-process mode. Notice the empty
14281 line after the information output which marks the end of the first block.
14282 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014283 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014284
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014285show table
14286 Dump general information on all known stick-tables. Their name is returned
14287 (the name of the proxy which holds them), their type (currently zero, always
14288 IP), their size in maximum possible number of entries, and the number of
14289 entries currently in use.
14290
14291 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014292 $ echo "show table" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014293 >>> # table: front_pub, type: ip, size:204800, used:171454
14294 >>> # table: back_rdp, type: ip, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014295
Simon Horman17bce342011-06-15 15:18:47 +090014296show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014297 Dump contents of stick-table <name>. In this mode, a first line of generic
14298 information about the table is reported as with "show table", then all
14299 entries are dumped. Since this can be quite heavy, it is possible to specify
Simon Horman17bce342011-06-15 15:18:47 +090014300 a filter in order to specify what entries to display.
14301
14302 When the "data." form is used the filter applies to the stored data (see
14303 "stick-table" in section 4.2). A stored data type must be specified
14304 in <type>, and this data type must be stored in the table otherwise an
14305 error is reported. The data is compared according to <operator> with the
14306 64-bit integer <value>. Operators are the same as with the ACLs :
14307
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014308 - eq : match entries whose data is equal to this value
14309 - ne : match entries whose data is not equal to this value
14310 - le : match entries whose data is less than or equal to this value
14311 - ge : match entries whose data is greater than or equal to this value
14312 - lt : match entries whose data is less than this value
14313 - gt : match entries whose data is greater than this value
14314
Simon Hormanc88b8872011-06-15 15:18:49 +090014315
14316 When the key form is used the entry <key> is shown. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090014317 same type as the table, which currently is limited to IPv4, IPv6, integer,
14318 and string.
Simon Horman17bce342011-06-15 15:18:47 +090014319
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014320 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014321 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014322 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020014323 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
14324 bytes_out_rate(60000)=187
14325 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14326 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014327
Willy Tarreau62a36c42010-08-17 15:53:10 +020014328 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014329 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020014330 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14331 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014332
Willy Tarreau62a36c42010-08-17 15:53:10 +020014333 $ echo "show table http_proxy data.conn_rate gt 5" | \
14334 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014335 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020014336 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14337 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014338
Simon Horman17bce342011-06-15 15:18:47 +090014339 $ echo "show table http_proxy key 127.0.0.2" | \
14340 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014341 >>> # table: http_proxy, type: ip, size:204800, used:2
Simon Horman17bce342011-06-15 15:18:47 +090014342 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14343 bytes_out_rate(60000)=191
14344
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014345 When the data criterion applies to a dynamic value dependent on time such as
14346 a bytes rate, the value is dynamically computed during the evaluation of the
14347 entry in order to decide whether it has to be dumped or not. This means that
14348 such a filter could match for some time then not match anymore because as
14349 time goes, the average event rate drops.
14350
14351 It is possible to use this to extract lists of IP addresses abusing the
14352 service, in order to monitor them or even blacklist them in a firewall.
14353 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014354 $ echo "show table http_proxy data.gpc0 gt 0" \
14355 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014356 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
14357 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +020014358
Willy Tarreau532a4502011-09-07 22:37:44 +020014359shutdown frontend <frontend>
14360 Completely delete the specified frontend. All the ports it was bound to will
14361 be released. It will not be possible to enable the frontend anymore after
14362 this operation. This is intended to be used in environments where stopping a
14363 proxy is not even imaginable but a misconfigured proxy must be fixed. That
14364 way it's possible to release the port and bind it into another process to
14365 restore operations. The frontend will not appear at all on the stats page
14366 once it is terminated.
14367
14368 The frontend may be specified either by its name or by its numeric ID,
14369 prefixed with a sharp ('#').
14370
14371 This command is restricted and can only be issued on sockets configured for
14372 level "admin".
14373
Willy Tarreaua295edc2011-09-07 23:21:03 +020014374shutdown session <id>
14375 Immediately terminate the session matching the specified session identifier.
14376 This identifier is the first field at the beginning of the lines in the dumps
14377 of "show sess" (it corresponds to the session pointer). This can be used to
14378 terminate a long-running session without waiting for a timeout or when an
14379 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
14380 flag in the logs.
14381
Cyril Bontée63a1eb2014-07-12 18:22:42 +020014382shutdown sessions server <backend>/<server>
Willy Tarreau52b2d222011-09-07 23:48:48 +020014383 Immediately terminate all the sessions attached to the specified server. This
14384 can be used to terminate long-running sessions after a server is put into
14385 maintenance mode, for instance. Such terminated sessions are reported with a
14386 'K' flag in the logs.
14387
Willy Tarreau0ba27502007-12-24 16:55:16 +010014388/*
14389 * Local variables:
14390 * fill-column: 79
14391 * End:
14392 */