blob: 55a8fa728036397b0629491160e4593522ef5da3 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
Willy Tarreau8317b282014-04-23 01:49:41 +02002 HAProxy
Willy Tarreau6a06a402007-07-15 20:15:28 +02003 Configuration Manual
4 ----------------------
Willy Tarreau9dc6b972019-06-16 21:49:47 +02005 version 2.1
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau84681322019-11-15 18:49:37 +01007 2019/11/15
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
Davor Ocelice9ed2812017-12-25 17:49:28 +010011specified above. It does not provide any hints, examples, or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Davor Ocelice9ed2812017-12-25 17:49:28 +010013The summary below is meant to help you find sections by name and navigate
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
Davor Ocelice9ed2812017-12-25 17:49:28 +010022 sometimes useful to prefix all output lines (logs, console outputs) with 3
23 closing angle brackets ('>>>') in order to emphasize the difference between
24 inputs and outputs when they may be ambiguous. If you add sections,
Willy Tarreau62a36c42010-08-17 15:53:10 +020025 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
Davor Ocelice9ed2812017-12-25 17:49:28 +0100341.2.1. The request line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200351.2.2. The request headers
361.3. HTTP response
Davor Ocelice9ed2812017-12-25 17:49:28 +0100371.3.1. The response line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
William Lallemandf9873ba2015-05-05 17:37:14 +0200422.2. Quoting and escaping
William Lallemandb2f07452015-05-12 14:27:13 +0200432.3. Environment variables
442.4. Time format
452.5. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020046
473. Global parameters
483.1. Process management and security
493.2. Performance tuning
503.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100513.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200523.5. Peers
Cyril Bonté307ee1e2015-09-28 23:16:06 +0200533.6. Mailers
William Lallemandc9515522019-06-12 16:32:11 +0200543.7. Programs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020055
564. Proxies
574.1. Proxy keywords matrix
584.2. Alphabetically sorted keywords reference
59
Davor Ocelice9ed2812017-12-25 17:49:28 +0100605. Bind and server options
Willy Tarreau086fbf52012-09-24 20:34:51 +0200615.1. Bind options
625.2. Server and default-server options
Baptiste Assmann1fa66662015-04-14 00:28:47 +0200635.3. Server DNS resolution
645.3.1. Global overview
655.3.2. The resolvers section
Willy Tarreauc57f0e22009-05-10 13:12:33 +020066
Willy Tarreau74ca5042013-06-11 23:12:07 +0200677. Using ACLs and fetching samples
687.1. ACL basics
697.1.1. Matching booleans
707.1.2. Matching integers
717.1.3. Matching strings
727.1.4. Matching regular expressions (regexes)
737.1.5. Matching arbitrary data blocks
747.1.6. Matching IPv4 and IPv6 addresses
757.2. Using ACLs to form conditions
767.3. Fetching samples
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200777.3.1. Converters
787.3.2. Fetching samples from internal states
797.3.3. Fetching samples at Layer 4
807.3.4. Fetching samples at Layer 5
817.3.5. Fetching samples from buffer contents (Layer 6)
827.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +0200837.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020084
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200856. Cache
866.1. Limitation
876.2. Setup
886.2.1. Cache section
896.2.2. Proxy section
90
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200918. Logging
928.1. Log levels
938.2. Log formats
948.2.1. Default log format
958.2.2. TCP log format
968.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100978.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +0100988.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200998.3. Advanced logging options
1008.3.1. Disabling logging of external tests
1018.3.2. Logging before waiting for the session to terminate
1028.3.3. Raising log level upon errors
1038.3.4. Disabling logging of successful connections
1048.4. Timing events
1058.5. Session state at disconnection
1068.6. Non-printable characters
1078.7. Capturing HTTP cookies
1088.8. Capturing HTTP headers
1098.9. Examples of logs
110
Christopher Fauletc3fe5332016-04-07 15:30:10 +02001119. Supported filters
1129.1. Trace
1139.2. HTTP compression
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +02001149.3. Stream Processing Offload Engine (SPOE)
Christopher Faulet99a17a22018-12-11 09:18:27 +01001159.4. Cache
Christopher Fauletb30b3102019-09-12 23:03:09 +02001169.5. fcgi-app
Christopher Fauletc3fe5332016-04-07 15:30:10 +0200117
Christopher Fauletb30b3102019-09-12 23:03:09 +020011810. FastCGI applications
11910.1. Setup
12010.1.1. Fcgi-app section
12110.1.2. Proxy section
12210.1.3. Example
12310.2. Default parameters
12410.3. Limitations
125
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200126
1271. Quick reminder about HTTP
128----------------------------
129
Davor Ocelice9ed2812017-12-25 17:49:28 +0100130When HAProxy is running in HTTP mode, both the request and the response are
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200131fully analyzed and indexed, thus it becomes possible to build matching criteria
132on almost anything found in the contents.
133
134However, it is important to understand how HTTP requests and responses are
135formed, and how HAProxy decomposes them. It will then become easier to write
136correct rules and to debug existing configurations.
137
138
1391.1. The HTTP transaction model
140-------------------------------
141
142The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100143to one and only one response. Traditionally, a TCP connection is established
Davor Ocelice9ed2812017-12-25 17:49:28 +0100144from the client to the server, a request is sent by the client through the
145connection, the server responds, and the connection is closed. A new request
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200146will involve a new connection :
147
148 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
149
150In this mode, called the "HTTP close" mode, there are as many connection
151establishments as there are HTTP transactions. Since the connection is closed
152by the server after the response, the client does not need to know the content
153length.
154
155Due to the transactional nature of the protocol, it was possible to improve it
156to avoid closing a connection between two subsequent transactions. In this mode
157however, it is mandatory that the server indicates the content length for each
158response so that the client does not wait indefinitely. For this, a special
159header is used: "Content-length". This mode is called the "keep-alive" mode :
160
161 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
162
163Its advantages are a reduced latency between transactions, and less processing
164power required on the server side. It is generally better than the close mode,
165but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200166a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200167
Willy Tarreau95c4e142017-11-26 12:18:55 +0100168Another improvement in the communications is the pipelining mode. It still uses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200169keep-alive, but the client does not wait for the first response to send the
170second request. This is useful for fetching large number of images composing a
171page :
172
173 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
174
175This can obviously have a tremendous benefit on performance because the network
176latency is eliminated between subsequent requests. Many HTTP agents do not
177correctly support pipelining since there is no way to associate a response with
178the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100179server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200180
Willy Tarreau95c4e142017-11-26 12:18:55 +0100181The next improvement is the multiplexed mode, as implemented in HTTP/2. This
182time, each transaction is assigned a single stream identifier, and all streams
183are multiplexed over an existing connection. Many requests can be sent in
184parallel by the client, and responses can arrive in any order since they also
185carry the stream identifier.
186
Willy Tarreau70dffda2014-01-30 03:07:23 +0100187By default HAProxy operates in keep-alive mode with regards to persistent
188connections: for each connection it processes each request and response, and
189leaves the connection idle on both sides between the end of a response and the
Willy Tarreau95c4e142017-11-26 12:18:55 +0100190start of a new request. When it receives HTTP/2 connections from a client, it
191processes all the requests in parallel and leaves the connection idling,
192waiting for new requests, just as if it was a keep-alive HTTP connection.
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200193
Christopher Faulet315b39c2018-09-21 16:26:19 +0200194HAProxy supports 4 connection modes :
Willy Tarreau70dffda2014-01-30 03:07:23 +0100195 - keep alive : all requests and responses are processed (default)
196 - tunnel : only the first request and response are processed,
Christopher Faulet6c9bbb22019-03-26 21:37:23 +0100197 everything else is forwarded with no analysis (deprecated).
Willy Tarreau70dffda2014-01-30 03:07:23 +0100198 - server close : the server-facing connection is closed after the response.
Christopher Faulet315b39c2018-09-21 16:26:19 +0200199 - close : the connection is actively closed after end of response.
Willy Tarreau70dffda2014-01-30 03:07:23 +0100200
Davor Ocelice9ed2812017-12-25 17:49:28 +0100201For HTTP/2, the connection mode resembles more the "server close" mode : given
202the independence of all streams, there is currently no place to hook the idle
Willy Tarreau95c4e142017-11-26 12:18:55 +0100203server connection after a response, so it is closed after the response. HTTP/2
204is only supported for incoming connections, not on connections going to
205servers.
206
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200207
2081.2. HTTP request
209-----------------
210
211First, let's consider this HTTP request :
212
213 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100214 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200215 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
216 2 Host: www.mydomain.com
217 3 User-agent: my small browser
218 4 Accept: image/jpeg, image/gif
219 5 Accept: image/png
220
221
2221.2.1. The Request line
223-----------------------
224
225Line 1 is the "request line". It is always composed of 3 fields :
226
227 - a METHOD : GET
228 - a URI : /serv/login.php?lang=en&profile=2
229 - a version tag : HTTP/1.1
230
231All of them are delimited by what the standard calls LWS (linear white spaces),
232which are commonly spaces, but can also be tabs or line feeds/carriage returns
233followed by spaces/tabs. The method itself cannot contain any colon (':') and
234is limited to alphabetic letters. All those various combinations make it
235desirable that HAProxy performs the splitting itself rather than leaving it to
236the user to write a complex or inaccurate regular expression.
237
238The URI itself can have several forms :
239
240 - A "relative URI" :
241
242 /serv/login.php?lang=en&profile=2
243
244 It is a complete URL without the host part. This is generally what is
245 received by servers, reverse proxies and transparent proxies.
246
247 - An "absolute URI", also called a "URL" :
248
249 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
250
251 It is composed of a "scheme" (the protocol name followed by '://'), a host
252 name or address, optionally a colon (':') followed by a port number, then
253 a relative URI beginning at the first slash ('/') after the address part.
254 This is generally what proxies receive, but a server supporting HTTP/1.1
255 must accept this form too.
256
257 - a star ('*') : this form is only accepted in association with the OPTIONS
258 method and is not relayable. It is used to inquiry a next hop's
259 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100260
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200261 - an address:port combination : 192.168.0.12:80
262 This is used with the CONNECT method, which is used to establish TCP
263 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
264 other protocols too.
265
266In a relative URI, two sub-parts are identified. The part before the question
267mark is called the "path". It is typically the relative path to static objects
268on the server. The part after the question mark is called the "query string".
269It is mostly used with GET requests sent to dynamic scripts and is very
270specific to the language, framework or application in use.
271
Willy Tarreau95c4e142017-11-26 12:18:55 +0100272HTTP/2 doesn't convey a version information with the request, so the version is
Davor Ocelice9ed2812017-12-25 17:49:28 +0100273assumed to be the same as the one of the underlying protocol (i.e. "HTTP/2").
Willy Tarreau95c4e142017-11-26 12:18:55 +0100274However, haproxy natively processes HTTP/1.x requests and headers, so requests
275received over an HTTP/2 connection are transcoded to HTTP/1.1 before being
276processed. This explains why they still appear as "HTTP/1.1" in haproxy's logs
277as well as in server logs.
278
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200279
2801.2.2. The request headers
281--------------------------
282
283The headers start at the second line. They are composed of a name at the
284beginning of the line, immediately followed by a colon (':'). Traditionally,
285an LWS is added after the colon but that's not required. Then come the values.
286Multiple identical headers may be folded into one single line, delimiting the
287values with commas, provided that their order is respected. This is commonly
288encountered in the "Cookie:" field. A header may span over multiple lines if
289the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
290define a total of 3 values for the "Accept:" header.
291
Davor Ocelice9ed2812017-12-25 17:49:28 +0100292Contrary to a common misconception, header names are not case-sensitive, and
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200293their values are not either if they refer to other header names (such as the
Willy Tarreau95c4e142017-11-26 12:18:55 +0100294"Connection:" header). In HTTP/2, header names are always sent in lower case,
295as can be seen when running in debug mode.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200296
297The end of the headers is indicated by the first empty line. People often say
298that it's a double line feed, which is not exact, even if a double line feed
299is one valid form of empty line.
300
301Fortunately, HAProxy takes care of all these complex combinations when indexing
302headers, checking values and counting them, so there is no reason to worry
303about the way they could be written, but it is important not to accuse an
304application of being buggy if it does unusual, valid things.
305
306Important note:
Lukas Tribus23953682017-04-28 13:24:30 +0000307 As suggested by RFC7231, HAProxy normalizes headers by replacing line breaks
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200308 in the middle of headers by LWS in order to join multi-line headers. This
309 is necessary for proper analysis and helps less capable HTTP parsers to work
310 correctly and not to be fooled by such complex constructs.
311
312
3131.3. HTTP response
314------------------
315
316An HTTP response looks very much like an HTTP request. Both are called HTTP
317messages. Let's consider this HTTP response :
318
319 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100320 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200321 1 HTTP/1.1 200 OK
322 2 Content-length: 350
323 3 Content-Type: text/html
324
Willy Tarreau816b9792009-09-15 21:25:21 +0200325As a special case, HTTP supports so called "Informational responses" as status
326codes 1xx. These messages are special in that they don't convey any part of the
327response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100328continue to post its request for instance. In the case of a status 100 response
329the requested information will be carried by the next non-100 response message
330following the informational one. This implies that multiple responses may be
331sent to a single request, and that this only works when keep-alive is enabled
332(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
333correctly forward and skip them, and only process the next non-100 response. As
334such, these messages are neither logged nor transformed, unless explicitly
335state otherwise. Status 101 messages indicate that the protocol is changing
336over the same connection and that haproxy must switch to tunnel mode, just as
337if a CONNECT had occurred. Then the Upgrade header would contain additional
338information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200339
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200340
Davor Ocelice9ed2812017-12-25 17:49:28 +01003411.3.1. The response line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200342------------------------
343
344Line 1 is the "response line". It is always composed of 3 fields :
345
346 - a version tag : HTTP/1.1
347 - a status code : 200
348 - a reason : OK
349
350The status code is always 3-digit. The first digit indicates a general status :
Davor Ocelice9ed2812017-12-25 17:49:28 +0100351 - 1xx = informational message to be skipped (e.g. 100, 101)
352 - 2xx = OK, content is following (e.g. 200, 206)
353 - 3xx = OK, no content following (e.g. 302, 304)
354 - 4xx = error caused by the client (e.g. 401, 403, 404)
355 - 5xx = error caused by the server (e.g. 500, 502, 503)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200356
Lukas Tribus23953682017-04-28 13:24:30 +0000357Please refer to RFC7231 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100358"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200359found there, but it's a common practice to respect the well-established
360messages. It can be composed of one or multiple words, such as "OK", "Found",
361or "Authentication Required".
362
Davor Ocelice9ed2812017-12-25 17:49:28 +0100363HAProxy may emit the following status codes by itself :
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200364
365 Code When / reason
366 200 access to stats page, and when replying to monitoring requests
367 301 when performing a redirection, depending on the configured code
368 302 when performing a redirection, depending on the configured code
369 303 when performing a redirection, depending on the configured code
Willy Tarreaub67fdc42013-03-29 19:28:11 +0100370 307 when performing a redirection, depending on the configured code
371 308 when performing a redirection, depending on the configured code
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200372 400 for an invalid or too large request
373 401 when an authentication is required to perform the action (when
374 accessing the stats page)
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200375 403 when a request is forbidden by a "http-request deny" rule
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200376 408 when the request timeout strikes before the request is complete
377 500 when haproxy encounters an unrecoverable internal error, such as a
378 memory allocation failure, which should never happen
379 502 when the server returns an empty, invalid or incomplete response, or
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200380 when an "http-response deny" rule blocks the response.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200381 503 when no server was available to handle the request, or in response to
382 monitoring requests which match the "monitor fail" condition
383 504 when the response timeout strikes before the server responds
384
385The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3864.2).
387
388
3891.3.2. The response headers
390---------------------------
391
392Response headers work exactly like request headers, and as such, HAProxy uses
393the same parsing function for both. Please refer to paragraph 1.2.2 for more
394details.
395
396
3972. Configuring HAProxy
398----------------------
399
4002.1. Configuration file format
401------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200402
403HAProxy's configuration process involves 3 major sources of parameters :
404
405 - the arguments from the command-line, which always take precedence
406 - the "global" section, which sets process-wide parameters
407 - the proxies sections which can take form of "defaults", "listen",
408 "frontend" and "backend".
409
Willy Tarreau0ba27502007-12-24 16:55:16 +0100410The configuration file syntax consists in lines beginning with a keyword
411referenced in this manual, optionally followed by one or several parameters
William Lallemandf9873ba2015-05-05 17:37:14 +0200412delimited by spaces.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100413
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200414
William Lallemandf9873ba2015-05-05 17:37:14 +02004152.2. Quoting and escaping
416-------------------------
417
418HAProxy's configuration introduces a quoting and escaping system similar to
419many programming languages. The configuration file supports 3 types: escaping
420with a backslash, weak quoting with double quotes, and strong quoting with
421single quotes.
422
423If spaces have to be entered in strings, then they must be escaped by preceding
424them by a backslash ('\') or by quoting them. Backslashes also have to be
425escaped by doubling or strong quoting them.
426
427Escaping is achieved by preceding a special character by a backslash ('\'):
428
429 \ to mark a space and differentiate it from a delimiter
430 \# to mark a hash and differentiate it from a comment
431 \\ to use a backslash
432 \' to use a single quote and differentiate it from strong quoting
433 \" to use a double quote and differentiate it from weak quoting
434
435Weak quoting is achieved by using double quotes (""). Weak quoting prevents
436the interpretation of:
437
438 space as a parameter separator
439 ' single quote as a strong quoting delimiter
440 # hash as a comment start
441
William Lallemandb2f07452015-05-12 14:27:13 +0200442Weak quoting permits the interpretation of variables, if you want to use a non
443-interpreted dollar within a double quoted string, you should escape it with a
444backslash ("\$"), it does not work outside weak quoting.
445
446Interpretation of escaping and special characters are not prevented by weak
William Lallemandf9873ba2015-05-05 17:37:14 +0200447quoting.
448
449Strong quoting is achieved by using single quotes (''). Inside single quotes,
450nothing is interpreted, it's the efficient way to quote regexes.
451
452Quoted and escaped strings are replaced in memory by their interpreted
453equivalent, it allows you to perform concatenation.
454
455 Example:
456 # those are equivalents:
457 log-format %{+Q}o\ %t\ %s\ %{-Q}r
458 log-format "%{+Q}o %t %s %{-Q}r"
459 log-format '%{+Q}o %t %s %{-Q}r'
460 log-format "%{+Q}o %t"' %s %{-Q}r'
461 log-format "%{+Q}o %t"' %s'\ %{-Q}r
462
463 # those are equivalents:
464 reqrep "^([^\ :]*)\ /static/(.*)" \1\ /\2
465 reqrep "^([^ :]*)\ /static/(.*)" '\1 /\2'
466 reqrep "^([^ :]*)\ /static/(.*)" "\1 /\2"
467 reqrep "^([^ :]*)\ /static/(.*)" "\1\ /\2"
468
469
William Lallemandb2f07452015-05-12 14:27:13 +02004702.3. Environment variables
471--------------------------
472
473HAProxy's configuration supports environment variables. Those variables are
474interpreted only within double quotes. Variables are expanded during the
475configuration parsing. Variable names must be preceded by a dollar ("$") and
476optionally enclosed with braces ("{}") similarly to what is done in Bourne
477shell. Variable names can contain alphanumerical characters or the character
478underscore ("_") but should not start with a digit.
479
480 Example:
481
482 bind "fd@${FD_APP1}"
483
484 log "${LOCAL_SYSLOG}:514" local0 notice # send to local server
485
486 user "$HAPROXY_USER"
487
William Lallemand4d03e432019-06-14 15:35:37 +0200488Some variables are defined by HAProxy, they can be used in the configuration
489file, or could be inherited by a program (See 3.7. Programs):
William Lallemanddaf4cd22018-04-17 16:46:13 +0200490
William Lallemand4d03e432019-06-14 15:35:37 +0200491* HAPROXY_LOCALPEER: defined at the startup of the process which contains the
492 name of the local peer. (See "-L" in the management guide.)
493
494* HAPROXY_CFGFILES: list of the configuration files loaded by HAProxy,
495 separated by semicolons. Can be useful in the case you specified a
496 directory.
497
498* HAPROXY_MWORKER: In master-worker mode, this variable is set to 1.
499
John Roeslerfb2fce12019-07-10 15:45:51 -0500500* HAPROXY_CLI: configured listeners addresses of the stats socket for every
William Lallemand4d03e432019-06-14 15:35:37 +0200501 processes, separated by semicolons.
502
John Roeslerfb2fce12019-07-10 15:45:51 -0500503* HAPROXY_MASTER_CLI: In master-worker mode, listeners addresses of the master
William Lallemand4d03e432019-06-14 15:35:37 +0200504 CLI, separated by semicolons.
505
506See also "external-check command" for other variables.
William Lallemandb2f07452015-05-12 14:27:13 +0200507
5082.4. Time format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200509----------------
510
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100511Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100512values are generally expressed in milliseconds (unless explicitly stated
513otherwise) but may be expressed in any other unit by suffixing the unit to the
514numeric value. It is important to consider this because it will not be repeated
515for every keyword. Supported units are :
516
517 - us : microseconds. 1 microsecond = 1/1000000 second
518 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
519 - s : seconds. 1s = 1000ms
520 - m : minutes. 1m = 60s = 60000ms
521 - h : hours. 1h = 60m = 3600s = 3600000ms
522 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
523
524
Lukas Tribusaa83a312017-03-21 09:25:09 +00005252.5. Examples
Patrick Mezard35da19c2010-06-12 17:02:47 +0200526-------------
527
528 # Simple configuration for an HTTP proxy listening on port 80 on all
529 # interfaces and forwarding requests to a single backend "servers" with a
530 # single server "server1" listening on 127.0.0.1:8000
531 global
532 daemon
533 maxconn 256
534
535 defaults
536 mode http
537 timeout connect 5000ms
538 timeout client 50000ms
539 timeout server 50000ms
540
541 frontend http-in
542 bind *:80
543 default_backend servers
544
545 backend servers
546 server server1 127.0.0.1:8000 maxconn 32
547
548
549 # The same configuration defined with a single listen block. Shorter but
550 # less expressive, especially in HTTP mode.
551 global
552 daemon
553 maxconn 256
554
555 defaults
556 mode http
557 timeout connect 5000ms
558 timeout client 50000ms
559 timeout server 50000ms
560
561 listen http-in
562 bind *:80
563 server server1 127.0.0.1:8000 maxconn 32
564
565
566Assuming haproxy is in $PATH, test these configurations in a shell with:
567
Willy Tarreauccb289d2010-12-11 20:19:38 +0100568 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200569
570
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005713. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200572--------------------
573
574Parameters in the "global" section are process-wide and often OS-specific. They
575are generally set once for all and do not need being changed once correct. Some
576of them have command-line equivalents.
577
578The following keywords are supported in the "global" section :
579
580 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200581 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200582 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200583 - crt-base
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200584 - cpu-map
Willy Tarreau6a06a402007-07-15 20:15:28 +0200585 - daemon
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200586 - description
587 - deviceatlas-json-file
588 - deviceatlas-log-level
589 - deviceatlas-separator
590 - deviceatlas-properties-cookie
Simon Horman98637e52014-06-20 12:30:16 +0900591 - external-check
Willy Tarreau6a06a402007-07-15 20:15:28 +0200592 - gid
593 - group
Cyril Bonté203ec5a2017-03-23 22:44:13 +0100594 - hard-stop-after
Christopher Faulet98fbe952019-07-22 16:18:24 +0200595 - h1-case-adjust
596 - h1-case-adjust-file
Willy Tarreau6a06a402007-07-15 20:15:28 +0200597 - log
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200598 - log-tag
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100599 - log-send-hostname
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200600 - lua-load
William Lallemand27edc4b2019-05-07 17:49:33 +0200601 - mworker-max-reloads
Willy Tarreau6a06a402007-07-15 20:15:28 +0200602 - nbproc
Christopher Fauletbe0faa22017-08-29 15:37:10 +0200603 - nbthread
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200604 - node
Willy Tarreau6a06a402007-07-15 20:15:28 +0200605 - pidfile
Willy Tarreau1d549722016-02-16 12:41:57 +0100606 - presetenv
607 - resetenv
Willy Tarreau6a06a402007-07-15 20:15:28 +0200608 - uid
609 - ulimit-n
610 - user
Willy Tarreau636848a2019-04-15 19:38:50 +0200611 - set-dumpable
Willy Tarreau1d549722016-02-16 12:41:57 +0100612 - setenv
Willy Tarreaufbee7132007-10-18 13:53:22 +0200613 - stats
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200614 - ssl-default-bind-ciphers
Dirkjan Bussink415150f2018-09-14 11:14:21 +0200615 - ssl-default-bind-ciphersuites
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200616 - ssl-default-bind-options
617 - ssl-default-server-ciphers
Dirkjan Bussink415150f2018-09-14 11:14:21 +0200618 - ssl-default-server-ciphersuites
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200619 - ssl-default-server-options
620 - ssl-dh-param-file
Emeric Brun850efd52014-01-29 12:24:34 +0100621 - ssl-server-verify
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100622 - unix-bind
Willy Tarreau1d549722016-02-16 12:41:57 +0100623 - unsetenv
Thomas Holmesdb04f192015-05-18 13:21:39 +0100624 - 51degrees-data-file
625 - 51degrees-property-name-list
Dragan Dosen93b38d92015-06-29 16:43:25 +0200626 - 51degrees-property-separator
Dragan Dosenae6d39a2015-06-29 16:43:27 +0200627 - 51degrees-cache-size
Willy Tarreaub3cc9f22019-04-19 16:03:32 +0200628 - wurfl-data-file
629 - wurfl-information-list
630 - wurfl-information-list-separator
Willy Tarreaub3cc9f22019-04-19 16:03:32 +0200631 - wurfl-cache-size
William Dauchy0fec3ab2019-10-27 20:08:11 +0100632 - strict-limits
Willy Tarreaud72758d2010-01-12 10:42:19 +0100633
Willy Tarreau6a06a402007-07-15 20:15:28 +0200634 * Performance tuning
William Dauchy0a8824f2019-10-27 20:08:09 +0100635 - busy-polling
Willy Tarreau1746eec2014-04-25 10:46:47 +0200636 - max-spread-checks
Willy Tarreau6a06a402007-07-15 20:15:28 +0200637 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200638 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +0100639 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +0100640 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100641 - maxpipes
Willy Tarreau93e7c002013-10-07 18:51:07 +0200642 - maxsessrate
Willy Tarreau403edff2012-09-06 11:58:37 +0200643 - maxsslconn
Willy Tarreaue43d5322013-10-07 20:01:52 +0200644 - maxsslrate
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200645 - maxzlibmem
Willy Tarreau6a06a402007-07-15 20:15:28 +0200646 - noepoll
647 - nokqueue
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +0000648 - noevports
Willy Tarreau6a06a402007-07-15 20:15:28 +0200649 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100650 - nosplice
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300651 - nogetaddrinfo
Lukas Tribusa0bcbdc2016-09-12 21:42:20 +0000652 - noreuseport
Willy Tarreau75c62c22018-11-22 11:02:09 +0100653 - profiling.tasks
Willy Tarreaufe255b72007-10-14 23:09:26 +0200654 - spread-checks
Baptiste Assmann5626f482015-08-23 10:00:10 +0200655 - server-state-base
Baptiste Assmannef1f0fc2015-08-23 10:06:39 +0200656 - server-state-file
Grant Zhang872f9c22017-01-21 01:10:18 +0000657 - ssl-engine
Grant Zhangfa6c7ee2017-01-14 01:42:15 +0000658 - ssl-mode-async
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200659 - tune.buffers.limit
660 - tune.buffers.reserve
Willy Tarreau27a674e2009-08-17 07:23:33 +0200661 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200662 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +0100663 - tune.comp.maxlevel
Willy Tarreaufe20e5b2017-07-27 11:42:14 +0200664 - tune.h2.header-table-size
Willy Tarreaue6baec02017-07-27 11:45:11 +0200665 - tune.h2.initial-window-size
Willy Tarreau5242ef82017-07-27 11:47:28 +0200666 - tune.h2.max-concurrent-streams
Willy Tarreau193b8c62012-11-22 00:17:38 +0100667 - tune.http.cookielen
Stéphane Cottin23e9e932017-05-18 08:58:41 +0200668 - tune.http.logurilen
Willy Tarreauac1932d2011-10-24 19:14:41 +0200669 - tune.http.maxhdr
Willy Tarreau7e312732014-02-12 16:35:14 +0100670 - tune.idletimer
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100671 - tune.lua.forced-yield
Willy Tarreau32f61e22015-03-18 17:54:59 +0100672 - tune.lua.maxmem
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100673 - tune.lua.session-timeout
674 - tune.lua.task-timeout
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +0200675 - tune.lua.service-timeout
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100676 - tune.maxaccept
677 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200678 - tune.maxrewrite
Willy Tarreauf3045d22015-04-29 16:24:50 +0200679 - tune.pattern.cache-size
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200680 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100681 - tune.rcvbuf.client
682 - tune.rcvbuf.server
Willy Tarreaub22fc302015-12-14 12:04:35 +0100683 - tune.recv_enough
Olivier Houchard1599b802018-05-24 18:59:04 +0200684 - tune.runqueue-depth
Willy Tarreaue803de22010-01-21 17:43:04 +0100685 - tune.sndbuf.client
686 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100687 - tune.ssl.cachesize
Willy Tarreaubfd59462013-02-21 07:46:09 +0100688 - tune.ssl.lifetime
Emeric Brun8dc60392014-05-09 13:52:00 +0200689 - tune.ssl.force-private-cache
Willy Tarreaubfd59462013-02-21 07:46:09 +0100690 - tune.ssl.maxrecord
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200691 - tune.ssl.default-dh-param
Christopher Faulet31af49d2015-06-09 17:29:50 +0200692 - tune.ssl.ssl-ctx-cache-size
Thierry FOURNIER5bf77322017-02-25 12:45:22 +0100693 - tune.ssl.capture-cipherlist-size
Thierry FOURNIER4834bc72015-06-06 19:29:07 +0200694 - tune.vars.global-max-size
Christopher Fauletff2613e2016-11-09 11:36:17 +0100695 - tune.vars.proc-max-size
Thierry FOURNIER4834bc72015-06-06 19:29:07 +0200696 - tune.vars.reqres-max-size
697 - tune.vars.sess-max-size
698 - tune.vars.txn-max-size
William Lallemanda509e4c2012-11-07 16:54:34 +0100699 - tune.zlib.memlevel
700 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +0100701
Willy Tarreau6a06a402007-07-15 20:15:28 +0200702 * Debugging
703 - debug
704 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200705
706
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007073.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200708------------------------------------
709
Emeric Brunc8e8d122012-10-02 18:42:10 +0200710ca-base <dir>
711 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emeric Brunfd33a262012-10-11 16:28:27 +0200712 relative path is used with "ca-file" or "crl-file" directives. Absolute
713 locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200714
Willy Tarreau6a06a402007-07-15 20:15:28 +0200715chroot <jail dir>
716 Changes current directory to <jail dir> and performs a chroot() there before
717 dropping privileges. This increases the security level in case an unknown
718 vulnerability would be exploited, since it would make it very hard for the
719 attacker to exploit the system. This only works when the process is started
720 with superuser privileges. It is important to ensure that <jail_dir> is both
Davor Ocelice9ed2812017-12-25 17:49:28 +0100721 empty and non-writable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100722
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100723cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
724 On Linux 2.6 and above, it is possible to bind a process or a thread to a
725 specific CPU set. This means that the process or the thread will never run on
726 other CPUs. The "cpu-map" directive specifies CPU sets for process or thread
727 sets. The first argument is a process set, eventually followed by a thread
728 set. These sets have the format
729
730 all | odd | even | number[-[number]]
731
732 <number>> must be a number between 1 and 32 or 64, depending on the machine's
Davor Ocelice9ed2812017-12-25 17:49:28 +0100733 word size. Any process IDs above nbproc and any thread IDs above nbthread are
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100734 ignored. It is possible to specify a range with two such number delimited by
735 a dash ('-'). It also is possible to specify all processes at once using
Christopher Faulet1dcb9cb2017-11-22 10:24:40 +0100736 "all", only odd numbers using "odd" or even numbers using "even", just like
737 with the "bind-process" directive. The second and forthcoming arguments are
Davor Ocelice9ed2812017-12-25 17:49:28 +0100738 CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a
Christopher Faulet1dcb9cb2017-11-22 10:24:40 +0100739 range with two such numbers delimited by a dash ('-'). Multiple CPU numbers
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100740 or ranges may be specified, and the processes or threads will be allowed to
Davor Ocelice9ed2812017-12-25 17:49:28 +0100741 bind to all of them. Obviously, multiple "cpu-map" directives may be
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100742 specified. Each "cpu-map" directive will replace the previous ones when they
743 overlap. A thread will be bound on the intersection of its mapping and the
744 one of the process on which it is attached. If the intersection is null, no
745 specific binding will be set for the thread.
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100746
Christopher Fauletff4121f2017-11-22 16:38:49 +0100747 Ranges can be partially defined. The higher bound can be omitted. In such
748 case, it is replaced by the corresponding maximum value, 32 or 64 depending
749 on the machine's word size.
750
Christopher Faulet26028f62017-11-22 15:01:51 +0100751 The prefix "auto:" can be added before the process set to let HAProxy
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100752 automatically bind a process or a thread to a CPU by incrementing
753 process/thread and CPU sets. To be valid, both sets must have the same
754 size. No matter the declaration order of the CPU sets, it will be bound from
755 the lowest to the highest bound. Having a process and a thread range with the
756 "auto:" prefix is not supported. Only one range is supported, the other one
757 must be a fixed number.
Christopher Faulet26028f62017-11-22 15:01:51 +0100758
759 Examples:
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100760 cpu-map 1-4 0-3 # bind processes 1 to 4 on the first 4 CPUs
761
762 cpu-map 1/all 0-3 # bind all threads of the first process on the
763 # first 4 CPUs
764
765 cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63"
766 # or "cpu-map 1-32 0-31" depending on the machine's
767 # word size.
768
Christopher Faulet26028f62017-11-22 15:01:51 +0100769 # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100770 # and so on.
Christopher Faulet26028f62017-11-22 15:01:51 +0100771 cpu-map auto:1-4 0-3
772 cpu-map auto:1-4 0-1 2-3
773 cpu-map auto:1-4 3 2 1 0
774
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100775 # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1
776 # and so on.
777 cpu-map auto:1/1-4 0-3
778 cpu-map auto:1/1-4 0-1 2-3
779 cpu-map auto:1/1-4 3 2 1 0
780
Davor Ocelice9ed2812017-12-25 17:49:28 +0100781 # bind each process to exactly one CPU using all/odd/even keyword
Christopher Faulet26028f62017-11-22 15:01:51 +0100782 cpu-map auto:all 0-63
783 cpu-map auto:even 0-31
784 cpu-map auto:odd 32-63
785
786 # invalid cpu-map because process and CPU sets have different sizes.
787 cpu-map auto:1-4 0 # invalid
788 cpu-map auto:1 0-3 # invalid
789
Christopher Fauletcb6a9452017-11-22 16:50:41 +0100790 # invalid cpu-map because automatic binding is used with a process range
791 # and a thread range.
792 cpu-map auto:all/all 0 # invalid
793 cpu-map auto:all/1-4 0 # invalid
794 cpu-map auto:1-4/all 0 # invalid
795
Emeric Brunc8e8d122012-10-02 18:42:10 +0200796crt-base <dir>
797 Assigns a default directory to fetch SSL certificates from when a relative
798 path is used with "crtfile" directives. Absolute locations specified after
799 "crtfile" prevail and ignore "crt-base".
800
Willy Tarreau6a06a402007-07-15 20:15:28 +0200801daemon
802 Makes the process fork into background. This is the recommended mode of
803 operation. It is equivalent to the command line "-D" argument. It can be
Lukas Tribusf46bf952017-11-21 12:39:34 +0100804 disabled by the command line "-db" argument. This option is ignored in
805 systemd mode.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200806
David Carlier8167f302015-06-01 13:50:06 +0200807deviceatlas-json-file <path>
808 Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
Davor Ocelice9ed2812017-12-25 17:49:28 +0100809 The path must be a valid JSON data file and accessible by HAProxy process.
David Carlier8167f302015-06-01 13:50:06 +0200810
811deviceatlas-log-level <value>
Davor Ocelice9ed2812017-12-25 17:49:28 +0100812 Sets the level of information returned by the API. This directive is
David Carlier8167f302015-06-01 13:50:06 +0200813 optional and set to 0 by default if not set.
814
815deviceatlas-separator <char>
816 Sets the character separator for the API properties results. This directive
817 is optional and set to | by default if not set.
818
Cyril Bonté0306c4a2015-10-26 22:37:38 +0100819deviceatlas-properties-cookie <name>
Cyril Bonté307ee1e2015-09-28 23:16:06 +0200820 Sets the client cookie's name used for the detection if the DeviceAtlas
821 Client-side component was used during the request. This directive is optional
822 and set to DAPROPS by default if not set.
David Carlier29b3ca32015-09-25 14:09:21 +0100823
Simon Horman98637e52014-06-20 12:30:16 +0900824external-check
825 Allows the use of an external agent to perform health checks.
826 This is disabled by default as a security precaution.
827 See "option external-check".
828
Willy Tarreau6a06a402007-07-15 20:15:28 +0200829gid <number>
830 Changes the process' group ID to <number>. It is recommended that the group
831 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
832 be started with a user belonging to this group, or with superuser privileges.
Michael Schererab012dd2013-01-12 18:35:19 +0100833 Note that if haproxy is started from a user having supplementary groups, it
834 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200835 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100836
Cyril Bonté203ec5a2017-03-23 22:44:13 +0100837hard-stop-after <time>
838 Defines the maximum time allowed to perform a clean soft-stop.
839
840 Arguments :
841 <time> is the maximum time (by default in milliseconds) for which the
842 instance will remain alive when a soft-stop is received via the
843 SIGUSR1 signal.
844
845 This may be used to ensure that the instance will quit even if connections
846 remain opened during a soft-stop (for example with long timeouts for a proxy
847 in tcp mode). It applies both in TCP and HTTP mode.
848
849 Example:
850 global
851 hard-stop-after 30s
852
Christopher Faulet98fbe952019-07-22 16:18:24 +0200853h1-case-adjust <from> <to>
854 Defines the case adjustment to apply, when enabled, to the header name
855 <from>, to change it to <to> before sending it to HTTP/1 clients or
856 servers. <from> must be in lower case, and <from> and <to> must not differ
857 except for their case. It may be repeated if several header names need to be
858 ajusted. Duplicate entries are not allowed. If a lot of header names have to
859 be adjusted, it might be more convenient to use "h1-case-adjust-file".
860 Please note that no transformation will be applied unless "option
861 h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is
862 specified in a proxy.
863
864 There is no standard case for header names because, as stated in RFC7230,
865 they are case-insensitive. So applications must handle them in a case-
866 insensitive manner. But some bogus applications violate the standards and
867 erroneously rely on the cases most commonly used by browsers. This problem
868 becomes critical with HTTP/2 because all header names must be exchanged in
869 lower case, and HAProxy follows the same convention. All header names are
870 sent in lower case to clients and servers, regardless of the HTTP version.
871
872 Applications which fail to properly process requests or responses may require
873 to temporarily use such workarounds to adjust header names sent to them for
874 the time it takes the application to be fixed. Please note that an
875 application which requires such workarounds might be vulnerable to content
876 smuggling attacks and must absolutely be fixed.
877
878 Example:
879 global
880 h1-case-adjust content-length Content-Length
881
882 See "h1-case-adjust-file", "option h1-case-adjust-bogus-client" and
883 "option h1-case-adjust-bogus-server".
884
885h1-case-adjust-file <hdrs-file>
886 Defines a file containing a list of key/value pairs used to adjust the case
887 of some header names before sending them to HTTP/1 clients or servers. The
888 file <hdrs-file> must contain 2 header names per line. The first one must be
889 in lower case and both must not differ except for their case. Lines which
890 start with '#' are ignored, just like empty lines. Leading and trailing tabs
891 and spaces are stripped. Duplicate entries are not allowed. Please note that
892 no transformation will be applied unless "option h1-case-adjust-bogus-client"
893 or "option h1-case-adjust-bogus-server" is specified in a proxy.
894
895 If this directive is repeated, only the last one will be processed. It is an
896 alternative to the directive "h1-case-adjust" if a lot of header names need
897 to be adjusted. Please read the risks associated with using this.
898
899 See "h1-case-adjust", "option h1-case-adjust-bogus-client" and
900 "option h1-case-adjust-bogus-server".
901
Willy Tarreau6a06a402007-07-15 20:15:28 +0200902group <group name>
903 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
904 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100905
Frédéric Lécailled690dfa2019-04-25 10:52:17 +0200906log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>]
907 <facility> [max level [min level]]
Cyril Bonté3e954872018-03-20 23:30:27 +0100908 Adds a global syslog server. Several global servers can be defined. They
Davor Ocelice9ed2812017-12-25 17:49:28 +0100909 will receive logs for starts and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100910 configured with "log global".
911
912 <address> can be one of:
913
Willy Tarreau2769aa02007-12-27 18:26:09 +0100914 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100915 no port is specified, 514 is used by default (the standard syslog
916 port).
917
David du Colombier24bb5f52011-03-17 10:40:23 +0100918 - An IPv6 address followed by a colon and optionally a UDP port. If
919 no port is specified, 514 is used by default (the standard syslog
920 port).
921
Willy Tarreau5a32ecc2018-11-12 07:34:59 +0100922 - A filesystem path to a datagram UNIX domain socket, keeping in mind
Robert Tsai81ae1952007-12-05 10:47:29 +0100923 considerations for chroot (be sure the path is accessible inside
924 the chroot) and uid/gid (be sure the path is appropriately
Davor Ocelice9ed2812017-12-25 17:49:28 +0100925 writable).
Robert Tsai81ae1952007-12-05 10:47:29 +0100926
Willy Tarreau5a32ecc2018-11-12 07:34:59 +0100927 - A file descriptor number in the form "fd@<number>", which may point
928 to a pipe, terminal, or socket. In this case unbuffered logs are used
929 and one writev() call per log is performed. This is a bit expensive
930 but acceptable for most workloads. Messages sent this way will not be
931 truncated but may be dropped, in which case the DroppedLogs counter
932 will be incremented. The writev() call is atomic even on pipes for
933 messages up to PIPE_BUF size, which POSIX recommends to be at least
934 512 and which is 4096 bytes on most modern operating systems. Any
935 larger message may be interleaved with messages from other processes.
936 Exceptionally for debugging purposes the file descriptor may also be
937 directed to a file, but doing so will significantly slow haproxy down
938 as non-blocking calls will be ignored. Also there will be no way to
939 purge nor rotate this file without restarting the process. Note that
940 the configured syslog format is preserved, so the output is suitable
Willy Tarreauc1b06452018-11-12 11:57:56 +0100941 for use with a TCP syslog server. See also the "short" and "raw"
942 format below.
Willy Tarreau5a32ecc2018-11-12 07:34:59 +0100943
944 - "stdout" / "stderr", which are respectively aliases for "fd@1" and
945 "fd@2", see above.
946
Willy Tarreauc046d162019-08-30 15:24:59 +0200947 - A ring buffer in the form "ring@<name>", which will correspond to an
948 in-memory ring buffer accessible over the CLI using the "show events"
949 command, which will also list existing rings and their sizes. Such
950 buffers are lost on reload or restart but when used as a complement
951 this can help troubleshooting by having the logs instantly available.
952
William Lallemandb2f07452015-05-12 14:27:13 +0200953 You may want to reference some environment variables in the address
954 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +0100955
Willy Tarreau18324f52014-06-27 18:10:07 +0200956 <length> is an optional maximum line length. Log lines larger than this value
957 will be truncated before being sent. The reason is that syslog
958 servers act differently on log line length. All servers support the
959 default value of 1024, but some servers simply drop larger lines
960 while others do log them. If a server supports long lines, it may
961 make sense to set this value here in order to avoid truncating long
962 lines. Similarly, if a server drops long lines, it is preferable to
963 truncate them before sending them. Accepted values are 80 to 65535
964 inclusive. The default value of 1024 is generally fine for all
965 standard usages. Some specific cases of long captures or
Davor Ocelice9ed2812017-12-25 17:49:28 +0100966 JSON-formatted logs may require larger values. You may also need to
967 increase "tune.http.logurilen" if your request URIs are truncated.
Willy Tarreau18324f52014-06-27 18:10:07 +0200968
Dragan Dosen7ad31542015-09-28 17:16:47 +0200969 <format> is the log format used when generating syslog messages. It may be
970 one of the following :
971
972 rfc3164 The RFC3164 syslog message format. This is the default.
973 (https://tools.ietf.org/html/rfc3164)
974
975 rfc5424 The RFC5424 syslog message format.
976 (https://tools.ietf.org/html/rfc5424)
977
Willy Tarreaue8746a02018-11-12 08:45:00 +0100978 short A message containing only a level between angle brackets such as
979 '<3>', followed by the text. The PID, date, time, process name
980 and system name are omitted. This is designed to be used with a
981 local log server. This format is compatible with what the systemd
982 logger consumes.
983
Willy Tarreauc1b06452018-11-12 11:57:56 +0100984 raw A message containing only the text. The level, PID, date, time,
985 process name and system name are omitted. This is designed to be
986 used in containers or during development, where the severity only
987 depends on the file descriptor used (stdout/stderr).
988
Frédéric Lécailled690dfa2019-04-25 10:52:17 +0200989 <ranges> A list of comma-separated ranges to identify the logs to sample.
990 This is used to balance the load of the logs to send to the log
991 server. The limits of the ranges cannot be null. They are numbered
992 from 1. The size or period (in number of logs) of the sample must be
993 set with <sample_size> parameter.
994
995 <sample_size>
996 The size of the sample in number of logs to consider when balancing
997 their logging loads. It is used to balance the load of the logs to
998 send to the syslog server. This size must be greater or equal to the
999 maximum of the high limits of the ranges.
1000 (see also <ranges> parameter).
1001
Robert Tsai81ae1952007-12-05 10:47:29 +01001002 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +02001003
Willy Tarreaue8746a02018-11-12 08:45:00 +01001004 kern user mail daemon auth syslog lpr news
1005 uucp cron auth2 ftp ntp audit alert cron2
1006 local0 local1 local2 local3 local4 local5 local6 local7
1007
Willy Tarreauc1b06452018-11-12 11:57:56 +01001008 Note that the facility is ignored for the "short" and "raw"
1009 formats, but still required as a positional field. It is
1010 recommended to use "daemon" in this case to make it clear that
1011 it's only supposed to be used locally.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001012
1013 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +02001014 all messages are sent. If a maximum level is specified, only messages with a
1015 severity at least as important as this level will be sent. An optional minimum
1016 level can be specified. If it is set, logs emitted with a more severe level
1017 than this one will be capped to this level. This is used to avoid sending
1018 "emerg" messages on all terminals on some default syslog configurations.
1019 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +02001020
Cyril Bontédc4d9032012-04-08 21:57:39 +02001021 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +02001022
Joe Williamsdf5b38f2010-12-29 17:05:48 +01001023log-send-hostname [<string>]
1024 Sets the hostname field in the syslog header. If optional "string" parameter
1025 is set the header is set to the string contents, otherwise uses the hostname
1026 of the system. Generally used if one is not relaying logs through an
1027 intermediate syslog server or for simply customizing the hostname printed in
1028 the logs.
1029
Kevinm48936af2010-12-22 16:08:21 +00001030log-tag <string>
1031 Sets the tag field in the syslog header to this string. It defaults to the
1032 program name as launched from the command line, which usually is "haproxy".
1033 Sometimes it can be useful to differentiate between multiple processes
Willy Tarreau094af4e2015-01-07 15:03:42 +01001034 running on the same host. See also the per-proxy "log-tag" directive.
Kevinm48936af2010-12-22 16:08:21 +00001035
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001036lua-load <file>
1037 This global directive loads and executes a Lua file. This directive can be
1038 used multiple times.
1039
William Lallemand4cfede82017-11-24 22:02:34 +01001040master-worker [no-exit-on-failure]
William Lallemande202b1e2017-06-01 17:38:56 +02001041 Master-worker mode. It is equivalent to the command line "-W" argument.
1042 This mode will launch a "master" which will monitor the "workers". Using
1043 this mode, you can reload HAProxy directly by sending a SIGUSR2 signal to
Davor Ocelice9ed2812017-12-25 17:49:28 +01001044 the master. The master-worker mode is compatible either with the foreground
William Lallemande202b1e2017-06-01 17:38:56 +02001045 or daemon mode. It is recommended to use this mode with multiprocess and
1046 systemd.
William Lallemand4cfede82017-11-24 22:02:34 +01001047 By default, if a worker exits with a bad return code, in the case of a
1048 segfault for example, all workers will be killed, and the master will leave.
1049 It is convenient to combine this behavior with Restart=on-failure in a
1050 systemd unit file in order to relaunch the whole process. If you don't want
1051 this behavior, you must use the keyword "no-exit-on-failure".
William Lallemande202b1e2017-06-01 17:38:56 +02001052
William Lallemand4cfede82017-11-24 22:02:34 +01001053 See also "-W" in the management guide.
William Lallemande202b1e2017-06-01 17:38:56 +02001054
William Lallemand27edc4b2019-05-07 17:49:33 +02001055mworker-max-reloads <number>
1056 In master-worker mode, this option limits the number of time a worker can
John Roeslerfb2fce12019-07-10 15:45:51 -05001057 survive to a reload. If the worker did not leave after a reload, once its
William Lallemand27edc4b2019-05-07 17:49:33 +02001058 number of reloads is greater than this number, the worker will receive a
1059 SIGTERM. This option helps to keep under control the number of workers.
1060 See also "show proc" in the Management Guide.
1061
Willy Tarreau6a06a402007-07-15 20:15:28 +02001062nbproc <number>
1063 Creates <number> processes when going daemon. This requires the "daemon"
1064 mode. By default, only one process is created, which is the recommended mode
1065 of operation. For systems limited to small sets of file descriptors per
Willy Tarreau149ab772019-01-26 14:27:06 +01001066 process, it may be needed to fork multiple daemons. When set to a value
1067 larger than 1, threads are automatically disabled. USING MULTIPLE PROCESSES
Willy Tarreau1f672a82019-01-26 14:20:55 +01001068 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon" and
1069 "nbthread".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001070
Christopher Fauletbe0faa22017-08-29 15:37:10 +02001071nbthread <number>
1072 This setting is only available when support for threads was built in. It
Willy Tarreau26f6ae12019-02-02 12:56:15 +01001073 makes haproxy run on <number> threads. This is exclusive with "nbproc". While
1074 "nbproc" historically used to be the only way to use multiple processors, it
1075 also involved a number of shortcomings related to the lack of synchronization
1076 between processes (health-checks, peers, stick-tables, stats, ...) which do
1077 not affect threads. As such, any modern configuration is strongly encouraged
Willy Tarreau149ab772019-01-26 14:27:06 +01001078 to migrate away from "nbproc" to "nbthread". "nbthread" also works when
1079 HAProxy is started in foreground. On some platforms supporting CPU affinity,
1080 when nbproc is not used, the default "nbthread" value is automatically set to
1081 the number of CPUs the process is bound to upon startup. This means that the
1082 thread count can easily be adjusted from the calling process using commands
1083 like "taskset" or "cpuset". Otherwise, this value defaults to 1. The default
1084 value is reported in the output of "haproxy -vv". See also "nbproc".
Christopher Fauletbe0faa22017-08-29 15:37:10 +02001085
Willy Tarreau6a06a402007-07-15 20:15:28 +02001086pidfile <pidfile>
Davor Ocelice9ed2812017-12-25 17:49:28 +01001087 Writes PIDs of all daemons into file <pidfile>. This option is equivalent to
Willy Tarreau6a06a402007-07-15 20:15:28 +02001088 the "-p" command line argument. The file must be accessible to the user
1089 starting the process. See also "daemon".
1090
Willy Tarreau1d549722016-02-16 12:41:57 +01001091presetenv <name> <value>
1092 Sets environment variable <name> to value <value>. If the variable exists, it
1093 is NOT overwritten. The changes immediately take effect so that the next line
1094 in the configuration file sees the new value. See also "setenv", "resetenv",
1095 and "unsetenv".
1096
1097resetenv [<name> ...]
1098 Removes all environment variables except the ones specified in argument. It
1099 allows to use a clean controlled environment before setting new values with
1100 setenv or unsetenv. Please note that some internal functions may make use of
1101 some environment variables, such as time manipulation functions, but also
1102 OpenSSL or even external checks. This must be used with extreme care and only
1103 after complete validation. The changes immediately take effect so that the
1104 next line in the configuration file sees the new environment. See also
1105 "setenv", "presetenv", and "unsetenv".
1106
Christopher Fauletff4121f2017-11-22 16:38:49 +01001107stats bind-process [ all | odd | even | <process_num>[-[process_num>]] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +02001108 Limits the stats socket to a certain set of processes numbers. By default the
1109 stats socket is bound to all processes, causing a warning to be emitted when
1110 nbproc is greater than 1 because there is no way to select the target process
1111 when connecting. However, by using this setting, it becomes possible to pin
1112 the stats socket to a specific set of processes, typically the first one. The
1113 warning will automatically be disabled when this setting is used, whatever
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001114 the number of processes used. The maximum process ID depends on the machine's
Christopher Fauletff4121f2017-11-22 16:38:49 +01001115 word size (32 or 64). Ranges can be partially defined. The higher bound can
1116 be omitted. In such case, it is replaced by the corresponding maximum
1117 value. A better option consists in using the "process" setting of the "stats
1118 socket" line to force the process on each line.
Willy Tarreau35b7b162012-10-22 23:17:18 +02001119
Baptiste Assmann5626f482015-08-23 10:00:10 +02001120server-state-base <directory>
1121 Specifies the directory prefix to be prepended in front of all servers state
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02001122 file names which do not start with a '/'. See also "server-state-file",
1123 "load-server-state-from-file" and "server-state-file-name".
Baptiste Assmannef1f0fc2015-08-23 10:06:39 +02001124
1125server-state-file <file>
1126 Specifies the path to the file containing state of servers. If the path starts
1127 with a slash ('/'), it is considered absolute, otherwise it is considered
1128 relative to the directory specified using "server-state-base" (if set) or to
1129 the current directory. Before reloading HAProxy, it is possible to save the
1130 servers' current state using the stats command "show servers state". The
1131 output of this command must be written in the file pointed by <file>. When
1132 starting up, before handling traffic, HAProxy will read, load and apply state
1133 for each server found in the file and available in its current running
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02001134 configuration. See also "server-state-base" and "show servers state",
1135 "load-server-state-from-file" and "server-state-file-name"
Baptiste Assmann5626f482015-08-23 10:00:10 +02001136
Willy Tarreau1d549722016-02-16 12:41:57 +01001137setenv <name> <value>
1138 Sets environment variable <name> to value <value>. If the variable exists, it
1139 is overwritten. The changes immediately take effect so that the next line in
1140 the configuration file sees the new value. See also "presetenv", "resetenv",
1141 and "unsetenv".
1142
Willy Tarreau636848a2019-04-15 19:38:50 +02001143set-dumpable
1144 This option is better left disabled by default and enabled only upon a
William Dauchyec730982019-10-27 20:08:10 +01001145 developer's request. If it has been enabled, it may still be forcibly
1146 disabled by prefixing it with the "no" keyword. It has no impact on
1147 performance nor stability but will try hard to re-enable core dumps that were
1148 possibly disabled by file size limitations (ulimit -f), core size limitations
1149 (ulimit -c), or "dumpability" of a process after changing its UID/GID (such
1150 as /proc/sys/fs/suid_dumpable on Linux). Core dumps might still be limited by
1151 the current directory's permissions (check what directory the file is started
1152 from), the chroot directory's permission (it may be needed to temporarily
1153 disable the chroot directive or to move it to a dedicated writable location),
1154 or any other system-specific constraint. For example, some Linux flavours are
1155 notorious for replacing the default core file with a path to an executable
1156 not even installed on the system (check /proc/sys/kernel/core_pattern). Often,
1157 simply writing "core", "core.%p" or "/var/log/core/core.%p" addresses the
1158 issue. When trying to enable this option waiting for a rare issue to
1159 re-appear, it's often a good idea to first try to obtain such a dump by
1160 issuing, for example, "kill -11" to the haproxy process and verify that it
1161 leaves a core where expected when dying.
Willy Tarreau636848a2019-04-15 19:38:50 +02001162
Willy Tarreau610f04b2014-02-13 11:36:41 +01001163ssl-default-bind-ciphers <ciphers>
1164 This setting is only available when support for OpenSSL was built in. It sets
1165 the default string describing the list of cipher algorithms ("cipher suite")
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +00001166 that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001167 "bind" lines which do not explicitly define theirs. The format of the string
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001168 is defined in "man 1 ciphers" from OpenSSL man pages. For background
1169 information and recommendations see e.g.
1170 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
1171 (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
1172 cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
1173 Please check the "bind" keyword for more information.
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001174
1175ssl-default-bind-ciphersuites <ciphersuites>
1176 This setting is only available when support for OpenSSL was built in and
1177 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
1178 describing the list of cipher algorithms ("cipher suite") that are negotiated
1179 during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
1180 theirs. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001181 "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1182 cipher configuration for TLSv1.2 and earlier, please check the
1183 "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001184 information.
Willy Tarreau610f04b2014-02-13 11:36:41 +01001185
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001186ssl-default-bind-options [<option>]...
1187 This setting is only available when support for OpenSSL was built in. It sets
1188 default ssl-options to force on all "bind" lines. Please check the "bind"
1189 keyword to see available options.
1190
1191 Example:
1192 global
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +02001193 ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001194
Willy Tarreau610f04b2014-02-13 11:36:41 +01001195ssl-default-server-ciphers <ciphers>
1196 This setting is only available when support for OpenSSL was built in. It
1197 sets the default string describing the list of cipher algorithms that are
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +00001198 negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001199 for all "server" lines which do not explicitly define theirs. The format of
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001200 the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
1201 information and recommendations see e.g.
1202 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
1203 (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
1204 For TLSv1.3 cipher configuration, please check the
1205 "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
1206 for more information.
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001207
1208ssl-default-server-ciphersuites <ciphersuites>
1209 This setting is only available when support for OpenSSL was built in and
1210 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
1211 string describing the list of cipher algorithms that are negotiated during
1212 the TLSv1.3 handshake with the server, for all "server" lines which do not
1213 explicitly define theirs. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001214 "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1215 cipher configuration for TLSv1.2 and earlier, please check the
1216 "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
1217 more information.
Willy Tarreau610f04b2014-02-13 11:36:41 +01001218
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001219ssl-default-server-options [<option>]...
1220 This setting is only available when support for OpenSSL was built in. It sets
1221 default ssl-options to force on all "server" lines. Please check the "server"
1222 keyword to see available options.
1223
Remi Gacogne47783ef2015-05-29 15:53:22 +02001224ssl-dh-param-file <file>
1225 This setting is only available when support for OpenSSL was built in. It sets
1226 the default DH parameters that are used during the SSL/TLS handshake when
1227 ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
Davor Ocelice9ed2812017-12-25 17:49:28 +01001228 which do not explicitly define theirs. It will be overridden by custom DH
Remi Gacogne47783ef2015-05-29 15:53:22 +02001229 parameters found in a bind certificate file if any. If custom DH parameters
Cyril Bonté307ee1e2015-09-28 23:16:06 +02001230 are not specified either by using ssl-dh-param-file or by setting them
1231 directly in the certificate file, pre-generated DH parameters of the size
1232 specified by tune.ssl.default-dh-param will be used. Custom parameters are
1233 known to be more secure and therefore their use is recommended.
Remi Gacogne47783ef2015-05-29 15:53:22 +02001234 Custom DH parameters may be generated by using the OpenSSL command
1235 "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
1236 parameters should not be considered secure anymore.
1237
Emeric Brun850efd52014-01-29 12:24:34 +01001238ssl-server-verify [none|required]
1239 The default behavior for SSL verify on servers side. If specified to 'none',
1240 servers certificates are not verified. The default is 'required' except if
1241 forced using cmdline option '-dV'.
1242
Willy Tarreauabb175f2012-09-24 12:43:26 +02001243stats socket [<address:port>|<path>] [param*]
1244 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
1245 Connections to this socket will return various statistics outputs and even
1246 allow some commands to be issued to change some runtime settings. Please
Willy Tarreau1af20c72017-06-23 16:01:14 +02001247 consult section 9.3 "Unix Socket commands" of Management Guide for more
Kevin Decherf949c7202015-10-13 23:26:44 +02001248 details.
Willy Tarreau6162db22009-10-10 17:13:00 +02001249
Willy Tarreauabb175f2012-09-24 12:43:26 +02001250 All parameters supported by "bind" lines are supported, for instance to
1251 restrict access to some users or their access rights. Please consult
1252 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +02001253
1254stats timeout <timeout, in milliseconds>
1255 The default timeout on the stats socket is set to 10 seconds. It is possible
1256 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +01001257 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +02001258
1259stats maxconn <connections>
1260 By default, the stats socket is limited to 10 concurrent connections. It is
1261 possible to change this value with "stats maxconn".
1262
Willy Tarreau6a06a402007-07-15 20:15:28 +02001263uid <number>
1264 Changes the process' user ID to <number>. It is recommended that the user ID
1265 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
1266 be started with superuser privileges in order to be able to switch to another
1267 one. See also "gid" and "user".
1268
1269ulimit-n <number>
1270 Sets the maximum number of per-process file-descriptors to <number>. By
1271 default, it is automatically computed, so it is recommended not to use this
1272 option.
1273
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001274unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
1275 [ group <group> ] [ gid <gid> ]
1276
1277 Fixes common settings to UNIX listening sockets declared in "bind" statements.
1278 This is mainly used to simplify declaration of those UNIX sockets and reduce
1279 the risk of errors, since those settings are most commonly required but are
1280 also process-specific. The <prefix> setting can be used to force all socket
1281 path to be relative to that directory. This might be needed to access another
1282 component's chroot. Note that those paths are resolved before haproxy chroots
1283 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
1284 all have the same meaning as their homonyms used by the "bind" statement. If
1285 both are specified, the "bind" statement has priority, meaning that the
1286 "unix-bind" settings may be seen as process-wide default settings.
1287
Willy Tarreau1d549722016-02-16 12:41:57 +01001288unsetenv [<name> ...]
1289 Removes environment variables specified in arguments. This can be useful to
1290 hide some sensitive information that are occasionally inherited from the
1291 user's environment during some operations. Variables which did not exist are
1292 silently ignored so that after the operation, it is certain that none of
1293 these variables remain. The changes immediately take effect so that the next
1294 line in the configuration file will not see these variables. See also
1295 "setenv", "presetenv", and "resetenv".
1296
Willy Tarreau6a06a402007-07-15 20:15:28 +02001297user <user name>
1298 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
1299 See also "uid" and "group".
1300
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02001301node <name>
1302 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
1303
1304 This statement is useful in HA configurations where two or more processes or
1305 servers share the same IP address. By setting a different node-name on all
1306 nodes, it becomes easy to immediately spot what server is handling the
1307 traffic.
1308
1309description <text>
1310 Add a text that describes the instance.
1311
1312 Please note that it is required to escape certain characters (# for example)
1313 and this text is inserted into a html page so you should avoid using
1314 "<" and ">" characters.
1315
Thomas Holmesdb04f192015-05-18 13:21:39 +0100131651degrees-data-file <file path>
1317 The path of the 51Degrees data file to provide device detection services. The
Davor Ocelice9ed2812017-12-25 17:49:28 +01001318 file should be unzipped and accessible by HAProxy with relevant permissions.
Thomas Holmesdb04f192015-05-18 13:21:39 +01001319
Dragan Dosenae6d39a2015-06-29 16:43:27 +02001320 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01001321 compiled with USE_51DEGREES.
1322
Ben Shillitof25e8e52016-12-02 14:25:37 +0000132351degrees-property-name-list [<string> ...]
Thomas Holmesdb04f192015-05-18 13:21:39 +01001324 A list of 51Degrees property names to be load from the dataset. A full list
1325 of names is available on the 51Degrees website:
1326 https://51degrees.com/resources/property-dictionary
1327
Dragan Dosenae6d39a2015-06-29 16:43:27 +02001328 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01001329 compiled with USE_51DEGREES.
1330
Dragan Dosen93b38d92015-06-29 16:43:25 +0200133151degrees-property-separator <char>
Thomas Holmesdb04f192015-05-18 13:21:39 +01001332 A char that will be appended to every property value in a response header
1333 containing 51Degrees results. If not set that will be set as ','.
1334
Dragan Dosenae6d39a2015-06-29 16:43:27 +02001335 Please note that this option is only available when haproxy has been
1336 compiled with USE_51DEGREES.
1337
133851degrees-cache-size <number>
1339 Sets the size of the 51Degrees converter cache to <number> entries. This
1340 is an LRU cache which reminds previous device detections and their results.
1341 By default, this cache is disabled.
1342
1343 Please note that this option is only available when haproxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01001344 compiled with USE_51DEGREES.
1345
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001346wurfl-data-file <file path>
1347 The path of the WURFL data file to provide device detection services. The
1348 file should be accessible by HAProxy with relevant permissions.
1349
1350 Please note that this option is only available when haproxy has been compiled
1351 with USE_WURFL=1.
1352
1353wurfl-information-list [<capability>]*
1354 A space-delimited list of WURFL capabilities, virtual capabilities, property
1355 names we plan to use in injected headers. A full list of capability and
1356 virtual capability names is available on the Scientiamobile website :
1357
1358 https://www.scientiamobile.com/wurflCapability
1359
1360 Valid WURFL properties are:
1361 - wurfl_id Contains the device ID of the matched device.
1362
1363 - wurfl_root_id Contains the device root ID of the matched
1364 device.
1365
1366 - wurfl_isdevroot Tells if the matched device is a root device.
1367 Possible values are "TRUE" or "FALSE".
1368
1369 - wurfl_useragent The original useragent coming with this
1370 particular web request.
1371
1372 - wurfl_api_version Contains a string representing the currently
1373 used Libwurfl API version.
1374
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001375 - wurfl_info A string containing information on the parsed
1376 wurfl.xml and its full path.
1377
1378 - wurfl_last_load_time Contains the UNIX timestamp of the last time
1379 WURFL has been loaded successfully.
1380
1381 - wurfl_normalized_useragent The normalized useragent.
1382
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001383 Please note that this option is only available when haproxy has been compiled
1384 with USE_WURFL=1.
1385
1386wurfl-information-list-separator <char>
1387 A char that will be used to separate values in a response header containing
1388 WURFL results. If not set that a comma (',') will be used by default.
1389
1390 Please note that this option is only available when haproxy has been compiled
1391 with USE_WURFL=1.
1392
1393wurfl-patch-file [<file path>]
1394 A list of WURFL patch file paths. Note that patches are loaded during startup
1395 thus before the chroot.
1396
1397 Please note that this option is only available when haproxy has been compiled
1398 with USE_WURFL=1.
1399
paulborilebad132c2019-04-18 11:57:04 +02001400wurfl-cache-size <size>
1401 Sets the WURFL Useragent cache size. For faster lookups, already processed user
1402 agents are kept in a LRU cache :
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001403 - "0" : no cache is used.
paulborilebad132c2019-04-18 11:57:04 +02001404 - <size> : size of lru cache in elements.
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001405
1406 Please note that this option is only available when haproxy has been compiled
1407 with USE_WURFL=1.
1408
William Dauchy0fec3ab2019-10-27 20:08:11 +01001409strict-limits
1410 Makes process fail at startup when a setrlimit fails. Haproxy is tries to set
1411 the best setrlimit according to what has been calculated. If it fails, it
1412 will emit a warning. Use this option if you want an explicit failure of
1413 haproxy when those limits fail. This option is disabled by default. If it has
1414 been enabled, it may still be forcibly disabled by prefixing it with the "no"
1415 keyword.
1416
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014173.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +02001418-----------------------
1419
Willy Tarreaubeb859a2018-11-22 18:07:59 +01001420busy-polling
1421 In some situations, especially when dealing with low latency on processors
1422 supporting a variable frequency or when running inside virtual machines, each
1423 time the process waits for an I/O using the poller, the processor goes back
1424 to sleep or is offered to another VM for a long time, and it causes
1425 excessively high latencies. This option provides a solution preventing the
1426 processor from sleeping by always using a null timeout on the pollers. This
1427 results in a significant latency reduction (30 to 100 microseconds observed)
1428 at the expense of a risk to overheat the processor. It may even be used with
1429 threads, in which case improperly bound threads may heavily conflict,
1430 resulting in a worse performance and high values for the CPU stolen fields
1431 in "show info" output, indicating which threads are misconfigured. It is
1432 important not to let the process run on the same processor as the network
1433 interrupts when this option is used. It is also better to avoid using it on
1434 multiple CPU threads sharing the same core. This option is disabled by
1435 default. If it has been enabled, it may still be forcibly disabled by
1436 prefixing it with the "no" keyword. It is ignored by the "select" and
1437 "poll" pollers.
1438
Willy Tarreau1746eec2014-04-25 10:46:47 +02001439max-spread-checks <delay in milliseconds>
1440 By default, haproxy tries to spread the start of health checks across the
1441 smallest health check interval of all the servers in a farm. The principle is
1442 to avoid hammering services running on the same server. But when using large
1443 check intervals (10 seconds or more), the last servers in the farm take some
1444 time before starting to be tested, which can be a problem. This parameter is
1445 used to enforce an upper bound on delay between the first and the last check,
1446 even if the servers' check intervals are larger. When servers run with
1447 shorter intervals, their intervals will be respected though.
1448
Willy Tarreau6a06a402007-07-15 20:15:28 +02001449maxconn <number>
1450 Sets the maximum per-process number of concurrent connections to <number>. It
1451 is equivalent to the command-line argument "-n". Proxies will stop accepting
1452 connections when this limit is reached. The "ulimit-n" parameter is
Willy Tarreau8274e102014-06-19 15:31:25 +02001453 automatically adjusted according to this value. See also "ulimit-n". Note:
1454 the "select" poller cannot reliably use more than 1024 file descriptors on
1455 some platforms. If your platform only supports select and reports "select
1456 FAILED" on startup, you need to reduce maxconn until it works (slightly
Willy Tarreaub28f3442019-03-04 08:13:43 +01001457 below 500 in general). If this value is not set, it will automatically be
1458 calculated based on the current file descriptors limit reported by the
1459 "ulimit -n" command, possibly reduced to a lower value if a memory limit
1460 is enforced, based on the buffer size, memory allocated to compression, SSL
1461 cache size, and use or not of SSL and the associated maxsslconn (which can
1462 also be automatic).
Willy Tarreau6a06a402007-07-15 20:15:28 +02001463
Willy Tarreau81c25d02011-09-07 15:17:21 +02001464maxconnrate <number>
1465 Sets the maximum per-process number of connections per second to <number>.
1466 Proxies will stop accepting connections when this limit is reached. It can be
1467 used to limit the global capacity regardless of each frontend capacity. It is
1468 important to note that this can only be used as a service protection measure,
1469 as there will not necessarily be a fair share between frontends when the
1470 limit is reached, so it's a good idea to also limit each frontend to some
1471 value close to its expected share. Also, lowering tune.maxaccept can improve
1472 fairness.
1473
William Lallemandd85f9172012-11-09 17:05:39 +01001474maxcomprate <number>
1475 Sets the maximum per-process input compression rate to <number> kilobytes
Davor Ocelice9ed2812017-12-25 17:49:28 +01001476 per second. For each session, if the maximum is reached, the compression
William Lallemandd85f9172012-11-09 17:05:39 +01001477 level will be decreased during the session. If the maximum is reached at the
1478 beginning of a session, the session will not compress at all. If the maximum
1479 is not reached, the compression level will be increased up to
Davor Ocelice9ed2812017-12-25 17:49:28 +01001480 tune.comp.maxlevel. A value of zero means there is no limit, this is the
William Lallemandd85f9172012-11-09 17:05:39 +01001481 default value.
1482
William Lallemand072a2bf2012-11-20 17:01:01 +01001483maxcompcpuusage <number>
1484 Sets the maximum CPU usage HAProxy can reach before stopping the compression
1485 for new requests or decreasing the compression level of current requests.
1486 It works like 'maxcomprate' but measures CPU usage instead of incoming data
1487 bandwidth. The value is expressed in percent of the CPU used by haproxy. In
1488 case of multiple processes (nbproc > 1), each process manages its individual
1489 usage. A value of 100 disable the limit. The default value is 100. Setting
1490 a lower value will prevent the compression work from slowing the whole
1491 process down and from introducing high latencies.
1492
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001493maxpipes <number>
1494 Sets the maximum per-process number of pipes to <number>. Currently, pipes
1495 are only used by kernel-based tcp splicing. Since a pipe contains two file
1496 descriptors, the "ulimit-n" value will be increased accordingly. The default
1497 value is maxconn/4, which seems to be more than enough for most heavy usages.
1498 The splice code dynamically allocates and releases pipes, and can fall back
1499 to standard copy, so setting this value too low may only impact performance.
1500
Willy Tarreau93e7c002013-10-07 18:51:07 +02001501maxsessrate <number>
1502 Sets the maximum per-process number of sessions per second to <number>.
1503 Proxies will stop accepting connections when this limit is reached. It can be
1504 used to limit the global capacity regardless of each frontend capacity. It is
1505 important to note that this can only be used as a service protection measure,
1506 as there will not necessarily be a fair share between frontends when the
1507 limit is reached, so it's a good idea to also limit each frontend to some
1508 value close to its expected share. Also, lowering tune.maxaccept can improve
1509 fairness.
1510
Willy Tarreau403edff2012-09-06 11:58:37 +02001511maxsslconn <number>
1512 Sets the maximum per-process number of concurrent SSL connections to
1513 <number>. By default there is no SSL-specific limit, which means that the
1514 global maxconn setting will apply to all connections. Setting this limit
1515 avoids having openssl use too much memory and crash when malloc returns NULL
1516 (since it unfortunately does not reliably check for such conditions). Note
1517 that the limit applies both to incoming and outgoing connections, so one
1518 connection which is deciphered then ciphered accounts for 2 SSL connections.
Willy Tarreaud0256482015-01-15 21:45:22 +01001519 If this value is not set, but a memory limit is enforced, this value will be
1520 automatically computed based on the memory limit, maxconn, the buffer size,
1521 memory allocated to compression, SSL cache size, and use of SSL in either
1522 frontends, backends or both. If neither maxconn nor maxsslconn are specified
1523 when there is a memory limit, haproxy will automatically adjust these values
1524 so that 100% of the connections can be made over SSL with no risk, and will
1525 consider the sides where it is enabled (frontend, backend, both).
Willy Tarreau403edff2012-09-06 11:58:37 +02001526
Willy Tarreaue43d5322013-10-07 20:01:52 +02001527maxsslrate <number>
1528 Sets the maximum per-process number of SSL sessions per second to <number>.
1529 SSL listeners will stop accepting connections when this limit is reached. It
1530 can be used to limit the global SSL CPU usage regardless of each frontend
1531 capacity. It is important to note that this can only be used as a service
1532 protection measure, as there will not necessarily be a fair share between
1533 frontends when the limit is reached, so it's a good idea to also limit each
1534 frontend to some value close to its expected share. It is also important to
1535 note that the sessions are accounted before they enter the SSL stack and not
1536 after, which also protects the stack against bad handshakes. Also, lowering
1537 tune.maxaccept can improve fairness.
1538
William Lallemand9d5f5482012-11-07 16:12:57 +01001539maxzlibmem <number>
1540 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
1541 When the maximum amount is reached, future sessions will not compress as long
1542 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +01001543 The default value is 0. The value is available in bytes on the UNIX socket
1544 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
1545 "ZlibMemUsage" in bytes.
1546
Willy Tarreau6a06a402007-07-15 20:15:28 +02001547noepoll
1548 Disables the use of the "epoll" event polling system on Linux. It is
1549 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +01001550 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001551
1552nokqueue
1553 Disables the use of the "kqueue" event polling system on BSD. It is
1554 equivalent to the command-line argument "-dk". The next polling system
1555 used will generally be "poll". See also "nopoll".
1556
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +00001557noevports
1558 Disables the use of the event ports event polling system on SunOS systems
1559 derived from Solaris 10 and later. It is equivalent to the command-line
1560 argument "-dv". The next polling system used will generally be "poll". See
1561 also "nopoll".
1562
Willy Tarreau6a06a402007-07-15 20:15:28 +02001563nopoll
1564 Disables the use of the "poll" event polling system. It is equivalent to the
1565 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001566 It should never be needed to disable "poll" since it's available on all
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +00001567 platforms supported by HAProxy. See also "nokqueue", "noepoll" and
1568 "noevports".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001569
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001570nosplice
1571 Disables the use of kernel tcp splicing between sockets on Linux. It is
Davor Ocelice9ed2812017-12-25 17:49:28 +01001572 equivalent to the command line argument "-dS". Data will then be copied
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001573 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001574 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001575 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
1576 be used. This option makes it easier to globally disable kernel splicing in
1577 case of doubt. See also "option splice-auto", "option splice-request" and
1578 "option splice-response".
1579
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001580nogetaddrinfo
1581 Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
1582 the command line argument "-dG". Deprecated gethostbyname(3) will be used.
1583
Lukas Tribusa0bcbdc2016-09-12 21:42:20 +00001584noreuseport
1585 Disables the use of SO_REUSEPORT - see socket(7). It is equivalent to the
1586 command line argument "-dR".
1587
Willy Tarreaud2d33482019-04-25 17:09:07 +02001588profiling.tasks { auto | on | off }
1589 Enables ('on') or disables ('off') per-task CPU profiling. When set to 'auto'
1590 the profiling automatically turns on a thread when it starts to suffer from
1591 an average latency of 1000 microseconds or higher as reported in the
1592 "avg_loop_us" activity field, and automatically turns off when the latency
John Roeslerfb2fce12019-07-10 15:45:51 -05001593 returns below 990 microseconds (this value is an average over the last 1024
Willy Tarreaud2d33482019-04-25 17:09:07 +02001594 loops so it does not vary quickly and tends to significantly smooth short
1595 spikes). It may also spontaneously trigger from time to time on overloaded
1596 systems, containers, or virtual machines, or when the system swaps (which
1597 must absolutely never happen on a load balancer).
1598
1599 CPU profiling per task can be very convenient to report where the time is
1600 spent and which requests have what effect on which other request. Enabling
1601 it will typically affect the overall's performance by less than 1%, thus it
1602 is recommended to leave it to the default 'auto' value so that it only
1603 operates when a problem is identified. This feature requires a system
Willy Tarreau75c62c22018-11-22 11:02:09 +01001604 supporting the clock_gettime(2) syscall with clock identifiers
1605 CLOCK_MONOTONIC and CLOCK_THREAD_CPUTIME_ID, otherwise the reported time will
1606 be zero. This option may be changed at run time using "set profiling" on the
1607 CLI.
1608
Willy Tarreaufe255b72007-10-14 23:09:26 +02001609spread-checks <0..50, in percent>
Simon Hormand60d6912013-11-25 10:46:36 +09001610 Sometimes it is desirable to avoid sending agent and health checks to
1611 servers at exact intervals, for instance when many logical servers are
1612 located on the same physical server. With the help of this parameter, it
1613 becomes possible to add some randomness in the check interval between 0
1614 and +/- 50%. A value between 2 and 5 seems to show good results. The
1615 default value remains at 0.
Willy Tarreaufe255b72007-10-14 23:09:26 +02001616
Davor Ocelice9ed2812017-12-25 17:49:28 +01001617ssl-engine <name> [algo <comma-separated list of algorithms>]
Grant Zhang872f9c22017-01-21 01:10:18 +00001618 Sets the OpenSSL engine to <name>. List of valid values for <name> may be
Davor Ocelice9ed2812017-12-25 17:49:28 +01001619 obtained using the command "openssl engine". This statement may be used
Grant Zhang872f9c22017-01-21 01:10:18 +00001620 multiple times, it will simply enable multiple crypto engines. Referencing an
1621 unsupported engine will prevent haproxy from starting. Note that many engines
1622 will lead to lower HTTPS performance than pure software with recent
1623 processors. The optional command "algo" sets the default algorithms an ENGINE
1624 will supply using the OPENSSL function ENGINE_set_default_string(). A value
Davor Ocelice9ed2812017-12-25 17:49:28 +01001625 of "ALL" uses the engine for all cryptographic operations. If no list of
1626 algo is specified then the value of "ALL" is used. A comma-separated list
Grant Zhang872f9c22017-01-21 01:10:18 +00001627 of different algorithms may be specified, including: RSA, DSA, DH, EC, RAND,
1628 CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. This is the same format that
1629 openssl configuration file uses:
1630 https://www.openssl.org/docs/man1.0.2/apps/config.html
1631
Grant Zhangfa6c7ee2017-01-14 01:42:15 +00001632ssl-mode-async
1633 Adds SSL_MODE_ASYNC mode to the SSL context. This enables asynchronous TLS
Emeric Brun3854e012017-05-17 20:42:48 +02001634 I/O operations if asynchronous capable SSL engines are used. The current
Emeric Brunb5e42a82017-06-06 12:35:14 +00001635 implementation supports a maximum of 32 engines. The Openssl ASYNC API
1636 doesn't support moving read/write buffers and is not compliant with
1637 haproxy's buffer management. So the asynchronous mode is disabled on
John Roeslerfb2fce12019-07-10 15:45:51 -05001638 read/write operations (it is only enabled during initial and renegotiation
Emeric Brunb5e42a82017-06-06 12:35:14 +00001639 handshakes).
Grant Zhangfa6c7ee2017-01-14 01:42:15 +00001640
Willy Tarreau33cb0652014-12-23 22:52:37 +01001641tune.buffers.limit <number>
1642 Sets a hard limit on the number of buffers which may be allocated per process.
1643 The default value is zero which means unlimited. The minimum non-zero value
1644 will always be greater than "tune.buffers.reserve" and should ideally always
1645 be about twice as large. Forcing this value can be particularly useful to
1646 limit the amount of memory a process may take, while retaining a sane
Davor Ocelice9ed2812017-12-25 17:49:28 +01001647 behavior. When this limit is reached, sessions which need a buffer wait for
Willy Tarreau33cb0652014-12-23 22:52:37 +01001648 another one to be released by another session. Since buffers are dynamically
1649 allocated and released, the waiting time is very short and not perceptible
1650 provided that limits remain reasonable. In fact sometimes reducing the limit
1651 may even increase performance by increasing the CPU cache's efficiency. Tests
1652 have shown good results on average HTTP traffic with a limit to 1/10 of the
1653 expected global maxconn setting, which also significantly reduces memory
1654 usage. The memory savings come from the fact that a number of connections
1655 will not allocate 2*tune.bufsize. It is best not to touch this value unless
1656 advised to do so by an haproxy core developer.
1657
Willy Tarreau1058ae72014-12-23 22:40:40 +01001658tune.buffers.reserve <number>
1659 Sets the number of buffers which are pre-allocated and reserved for use only
1660 during memory shortage conditions resulting in failed memory allocations. The
1661 minimum value is 2 and is also the default. There is no reason a user would
1662 want to change this value, it's mostly aimed at haproxy core developers.
1663
Willy Tarreau27a674e2009-08-17 07:23:33 +02001664tune.bufsize <number>
1665 Sets the buffer size to this size (in bytes). Lower values allow more
1666 sessions to coexist in the same amount of RAM, and higher values allow some
1667 applications with very large cookies to work. The default value is 16384 and
1668 can be changed at build time. It is strongly recommended not to change this
1669 from the default value, as very low values will break some services such as
1670 statistics, and values larger than default size will increase memory usage,
1671 possibly causing the system to run out of memory. At least the global maxconn
Willy Tarreau45a66cc2017-11-24 11:28:00 +01001672 parameter should be decreased by the same factor as this one is increased. In
1673 addition, use of HTTP/2 mandates that this value must be 16384 or more. If an
1674 HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04001675 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
Willy Tarreauc77d3642018-12-12 06:19:42 +01001676 than this size, haproxy will return HTTP 502 (Bad Gateway). Note that the
1677 value set using this parameter will automatically be rounded up to the next
1678 multiple of 8 on 32-bit machines and 16 on 64-bit machines.
Willy Tarreau27a674e2009-08-17 07:23:33 +02001679
Willy Tarreau43961d52010-10-04 20:39:20 +02001680tune.chksize <number>
1681 Sets the check buffer size to this size (in bytes). Higher values may help
1682 find string or regex patterns in very large pages, though doing so may imply
1683 more memory and CPU usage. The default value is 16384 and can be changed at
1684 build time. It is not recommended to change this value, but to use better
1685 checks whenever possible.
1686
William Lallemandf3747832012-11-09 12:33:10 +01001687tune.comp.maxlevel <number>
1688 Sets the maximum compression level. The compression level affects CPU
1689 usage during compression. This value affects CPU usage during compression.
1690 Each session using compression initializes the compression algorithm with
1691 this value. The default value is 1.
1692
Willy Tarreauc299e1e2019-02-27 11:35:12 +01001693tune.fail-alloc
1694 If compiled with DEBUG_FAIL_ALLOC, gives the percentage of chances an
1695 allocation attempt fails. Must be between 0 (no failure) and 100 (no
1696 success). This is useful to debug and make sure memory failures are handled
1697 gracefully.
1698
Willy Tarreaufe20e5b2017-07-27 11:42:14 +02001699tune.h2.header-table-size <number>
1700 Sets the HTTP/2 dynamic header table size. It defaults to 4096 bytes and
1701 cannot be larger than 65536 bytes. A larger value may help certain clients
1702 send more compact requests, depending on their capabilities. This amount of
1703 memory is consumed for each HTTP/2 connection. It is recommended not to
1704 change it.
1705
Willy Tarreaue6baec02017-07-27 11:45:11 +02001706tune.h2.initial-window-size <number>
1707 Sets the HTTP/2 initial window size, which is the number of bytes the client
Davor Ocelice9ed2812017-12-25 17:49:28 +01001708 can upload before waiting for an acknowledgment from haproxy. This setting
1709 only affects payload contents (i.e. the body of POST requests), not headers.
Willy Tarreaue6baec02017-07-27 11:45:11 +02001710 The default value is 65535, which roughly allows up to 5 Mbps of upload
1711 bandwidth per client over a network showing a 100 ms ping time, or 500 Mbps
1712 over a 1-ms local network. It can make sense to increase this value to allow
1713 faster uploads, or to reduce it to increase fairness when dealing with many
1714 clients. It doesn't affect resource usage.
1715
Willy Tarreau5242ef82017-07-27 11:47:28 +02001716tune.h2.max-concurrent-streams <number>
1717 Sets the HTTP/2 maximum number of concurrent streams per connection (ie the
1718 number of outstanding requests on a single connection). The default value is
1719 100. A larger one may slightly improve page load time for complex sites when
1720 visited over high latency networks, but increases the amount of resources a
1721 single client may allocate. A value of zero disables the limit so a single
1722 client may create as many streams as allocatable by haproxy. It is highly
1723 recommended not to change this value.
1724
Willy Tarreaua24b35c2019-02-21 13:24:36 +01001725tune.h2.max-frame-size <number>
1726 Sets the HTTP/2 maximum frame size that haproxy announces it is willing to
1727 receive to its peers. The default value is the largest between 16384 and the
1728 buffer size (tune.bufsize). In any case, haproxy will not announce support
1729 for frame sizes larger than buffers. The main purpose of this setting is to
1730 allow to limit the maximum frame size setting when using large buffers. Too
1731 large frame sizes might have performance impact or cause some peers to
1732 misbehave. It is highly recommended not to change this value.
1733
Willy Tarreau193b8c62012-11-22 00:17:38 +01001734tune.http.cookielen <number>
1735 Sets the maximum length of captured cookies. This is the maximum value that
1736 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
1737 will automatically be truncated to this one. It is important not to set too
1738 high a value because all cookie captures still allocate this size whatever
1739 their configured value (they share a same pool). This value is per request
1740 per response, so the memory allocated is twice this value per connection.
1741 When not specified, the limit is set to 63 characters. It is recommended not
1742 to change this value.
1743
Stéphane Cottin23e9e932017-05-18 08:58:41 +02001744tune.http.logurilen <number>
Davor Ocelice9ed2812017-12-25 17:49:28 +01001745 Sets the maximum length of request URI in logs. This prevents truncating long
1746 request URIs with valuable query strings in log lines. This is not related
Stéphane Cottin23e9e932017-05-18 08:58:41 +02001747 to syslog limits. If you increase this limit, you may also increase the
Davor Ocelice9ed2812017-12-25 17:49:28 +01001748 'log ... len yyy' parameter. Your syslog daemon may also need specific
Stéphane Cottin23e9e932017-05-18 08:58:41 +02001749 configuration directives too.
1750 The default value is 1024.
1751
Willy Tarreauac1932d2011-10-24 19:14:41 +02001752tune.http.maxhdr <number>
1753 Sets the maximum number of headers in a request. When a request comes with a
1754 number of headers greater than this value (including the first line), it is
1755 rejected with a "400 Bad Request" status code. Similarly, too large responses
1756 are blocked with "502 Bad Gateway". The default value is 101, which is enough
1757 for all usages, considering that the widely deployed Apache server uses the
1758 same limit. It can be useful to push this limit further to temporarily allow
Christopher Faulet50174f32017-06-21 16:31:35 +02001759 a buggy application to work by the time it gets fixed. The accepted range is
1760 1..32767. Keep in mind that each new header consumes 32bits of memory for
1761 each session, so don't push this limit too high.
Willy Tarreauac1932d2011-10-24 19:14:41 +02001762
Willy Tarreau7e312732014-02-12 16:35:14 +01001763tune.idletimer <timeout>
1764 Sets the duration after which haproxy will consider that an empty buffer is
1765 probably associated with an idle stream. This is used to optimally adjust
1766 some packet sizes while forwarding large and small data alternatively. The
1767 decision to use splice() or to send large buffers in SSL is modulated by this
1768 parameter. The value is in milliseconds between 0 and 65535. A value of zero
1769 means that haproxy will not try to detect idle streams. The default is 1000,
Davor Ocelice9ed2812017-12-25 17:49:28 +01001770 which seems to correctly detect end user pauses (e.g. read a page before
John Roeslerfb2fce12019-07-10 15:45:51 -05001771 clicking). There should be no reason for changing this value. Please check
Willy Tarreau7e312732014-02-12 16:35:14 +01001772 tune.ssl.maxrecord below.
1773
Willy Tarreau7ac908b2019-02-27 12:02:18 +01001774tune.listener.multi-queue { on | off }
1775 Enables ('on') or disables ('off') the listener's multi-queue accept which
1776 spreads the incoming traffic to all threads a "bind" line is allowed to run
1777 on instead of taking them for itself. This provides a smoother traffic
1778 distribution and scales much better, especially in environments where threads
1779 may be unevenly loaded due to external activity (network interrupts colliding
1780 with one thread for example). This option is enabled by default, but it may
1781 be forcefully disabled for troubleshooting or for situations where it is
1782 estimated that the operating system already provides a good enough
1783 distribution and connections are extremely short-lived.
1784
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001785tune.lua.forced-yield <number>
1786 This directive forces the Lua engine to execute a yield each <number> of
Tim Düsterhus4896c442016-11-29 02:15:19 +01001787 instructions executed. This permits interrupting a long script and allows the
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001788 HAProxy scheduler to process other tasks like accepting connections or
1789 forwarding traffic. The default value is 10000 instructions. If HAProxy often
Davor Ocelice9ed2812017-12-25 17:49:28 +01001790 executes some Lua code but more responsiveness is required, this value can be
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001791 lowered. If the Lua code is quite long and its result is absolutely required
1792 to process the data, the <number> can be increased.
1793
Willy Tarreau32f61e22015-03-18 17:54:59 +01001794tune.lua.maxmem
1795 Sets the maximum amount of RAM in megabytes per process usable by Lua. By
1796 default it is zero which means unlimited. It is important to set a limit to
1797 ensure that a bug in a script will not result in the system running out of
1798 memory.
1799
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001800tune.lua.session-timeout <timeout>
1801 This is the execution timeout for the Lua sessions. This is useful for
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02001802 preventing infinite loops or spending too much time in Lua. This timeout
1803 counts only the pure Lua runtime. If the Lua does a sleep, the sleep is
Davor Ocelice9ed2812017-12-25 17:49:28 +01001804 not taken in account. The default timeout is 4s.
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001805
1806tune.lua.task-timeout <timeout>
1807 Purpose is the same as "tune.lua.session-timeout", but this timeout is
1808 dedicated to the tasks. By default, this timeout isn't set because a task may
1809 remain alive during of the lifetime of HAProxy. For example, a task used to
1810 check servers.
1811
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02001812tune.lua.service-timeout <timeout>
1813 This is the execution timeout for the Lua services. This is useful for
1814 preventing infinite loops or spending too much time in Lua. This timeout
1815 counts only the pure Lua runtime. If the Lua does a sleep, the sleep is
Davor Ocelice9ed2812017-12-25 17:49:28 +01001816 not taken in account. The default timeout is 4s.
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02001817
Willy Tarreaua0250ba2008-01-06 11:22:57 +01001818tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +01001819 Sets the maximum number of consecutive connections a process may accept in a
1820 row before switching to other work. In single process mode, higher numbers
1821 give better performance at high connection rates. However in multi-process
1822 modes, keeping a bit of fairness between processes generally is better to
1823 increase performance. This value applies individually to each listener, so
1824 that the number of processes a listener is bound to is taken into account.
1825 This value defaults to 64. In multi-process mode, it is divided by twice
1826 the number of processes the listener is bound to. Setting this value to -1
1827 completely disables the limitation. It should normally not be needed to tweak
1828 this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +01001829
1830tune.maxpollevents <number>
1831 Sets the maximum amount of events that can be processed at once in a call to
1832 the polling system. The default value is adapted to the operating system. It
1833 has been noticed that reducing it below 200 tends to slightly decrease
1834 latency at the expense of network bandwidth, and increasing it above 200
1835 tends to trade latency for slightly increased bandwidth.
1836
Willy Tarreau27a674e2009-08-17 07:23:33 +02001837tune.maxrewrite <number>
1838 Sets the reserved buffer space to this size in bytes. The reserved space is
1839 used for header rewriting or appending. The first reads on sockets will never
1840 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
1841 bufsize, though that does not make much sense since there are rarely large
1842 numbers of headers to add. Setting it too high prevents processing of large
1843 requests or responses. Setting it too low prevents addition of new headers
1844 to already large requests or to POST requests. It is generally wise to set it
1845 to about 1024. It is automatically readjusted to half of bufsize if it is
1846 larger than that. This means you don't have to worry about it when changing
1847 bufsize.
1848
Willy Tarreauf3045d22015-04-29 16:24:50 +02001849tune.pattern.cache-size <number>
1850 Sets the size of the pattern lookup cache to <number> entries. This is an LRU
1851 cache which reminds previous lookups and their results. It is used by ACLs
1852 and maps on slow pattern lookups, namely the ones using the "sub", "reg",
1853 "dir", "dom", "end", "bin" match methods as well as the case-insensitive
1854 strings. It applies to pattern expressions which means that it will be able
1855 to memorize the result of a lookup among all the patterns specified on a
1856 configuration line (including all those loaded from files). It automatically
1857 invalidates entries which are updated using HTTP actions or on the CLI. The
1858 default cache size is set to 10000 entries, which limits its footprint to
Willy Tarreau403bfbb2019-10-23 06:59:31 +02001859 about 5 MB per process/thread on 32-bit systems and 8 MB per process/thread
1860 on 64-bit systems, as caches are thread/process local. There is a very low
Willy Tarreauf3045d22015-04-29 16:24:50 +02001861 risk of collision in this cache, which is in the order of the size of the
1862 cache divided by 2^64. Typically, at 10000 requests per second with the
1863 default cache size of 10000 entries, there's 1% chance that a brute force
1864 attack could cause a single collision after 60 years, or 0.1% after 6 years.
1865 This is considered much lower than the risk of a memory corruption caused by
1866 aging components. If this is not acceptable, the cache can be disabled by
1867 setting this parameter to 0.
1868
Willy Tarreaubd9a0a72011-10-23 21:14:29 +02001869tune.pipesize <number>
1870 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
1871 are the default size for the system. But sometimes when using TCP splicing,
1872 it can improve performance to increase pipe sizes, especially if it is
1873 suspected that pipes are not filled and that many calls to splice() are
1874 performed. This has an impact on the kernel's memory footprint, so this must
1875 not be changed if impacts are not understood.
1876
Olivier Houchard88698d92019-04-16 19:07:22 +02001877tune.pool-low-fd-ratio <number>
1878 This setting sets the max number of file descriptors (in percentage) used by
1879 haproxy globally against the maximum number of file descriptors haproxy can
1880 use before we stop putting connection into the idle pool for reuse. The
1881 default is 20.
1882
1883tune.pool-high-fd-ratio <number>
1884 This setting sets the max number of file descriptors (in percentage) used by
1885 haproxy globally against the maximum number of file descriptors haproxy can
1886 use before we start killing idle connections when we can't reuse a connection
1887 and we have to create a new one. The default is 25 (one quarter of the file
1888 descriptor will mean that roughly half of the maximum front connections can
1889 keep an idle connection behind, anything beyond this probably doesn't make
John Roeslerfb2fce12019-07-10 15:45:51 -05001890 much sense in the general case when targeting connection reuse).
Olivier Houchard88698d92019-04-16 19:07:22 +02001891
Willy Tarreaue803de22010-01-21 17:43:04 +01001892tune.rcvbuf.client <number>
1893tune.rcvbuf.server <number>
1894 Forces the kernel socket receive buffer size on the client or the server side
1895 to the specified value in bytes. This value applies to all TCP/HTTP frontends
1896 and backends. It should normally never be set, and the default size (0) lets
John Roeslerfb2fce12019-07-10 15:45:51 -05001897 the kernel auto-tune this value depending on the amount of available memory.
Davor Ocelice9ed2812017-12-25 17:49:28 +01001898 However it can sometimes help to set it to very low values (e.g. 4096) in
Willy Tarreaue803de22010-01-21 17:43:04 +01001899 order to save kernel memory by preventing it from buffering too large amounts
1900 of received data. Lower values will significantly increase CPU usage though.
1901
Willy Tarreaub22fc302015-12-14 12:04:35 +01001902tune.recv_enough <number>
Davor Ocelice9ed2812017-12-25 17:49:28 +01001903 HAProxy uses some hints to detect that a short read indicates the end of the
Willy Tarreaub22fc302015-12-14 12:04:35 +01001904 socket buffers. One of them is that a read returns more than <recv_enough>
1905 bytes, which defaults to 10136 (7 segments of 1448 each). This default value
1906 may be changed by this setting to better deal with workloads involving lots
1907 of short messages such as telnet or SSH sessions.
1908
Olivier Houchard1599b802018-05-24 18:59:04 +02001909tune.runqueue-depth <number>
John Roeslerfb2fce12019-07-10 15:45:51 -05001910 Sets the maximum amount of task that can be processed at once when running
Olivier Houchard1599b802018-05-24 18:59:04 +02001911 tasks. The default value is 200. Increasing it may incur latency when
1912 dealing with I/Os, making it too small can incur extra overhead.
1913
Willy Tarreaue803de22010-01-21 17:43:04 +01001914tune.sndbuf.client <number>
1915tune.sndbuf.server <number>
1916 Forces the kernel socket send buffer size on the client or the server side to
1917 the specified value in bytes. This value applies to all TCP/HTTP frontends
1918 and backends. It should normally never be set, and the default size (0) lets
John Roeslerfb2fce12019-07-10 15:45:51 -05001919 the kernel auto-tune this value depending on the amount of available memory.
Davor Ocelice9ed2812017-12-25 17:49:28 +01001920 However it can sometimes help to set it to very low values (e.g. 4096) in
Willy Tarreaue803de22010-01-21 17:43:04 +01001921 order to save kernel memory by preventing it from buffering too large amounts
1922 of received data. Lower values will significantly increase CPU usage though.
1923 Another use case is to prevent write timeouts with extremely slow clients due
1924 to the kernel waiting for a large part of the buffer to be read before
1925 notifying haproxy again.
1926
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001927tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +01001928 Sets the size of the global SSL session cache, in a number of blocks. A block
1929 is large enough to contain an encoded session without peer certificate.
1930 An encoded session with peer certificate is stored in multiple blocks
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001931 depending on the size of the peer certificate. A block uses approximately
Emeric Brunaf9619d2012-11-28 18:47:52 +01001932 200 bytes of memory. The default value may be forced at build time, otherwise
Davor Ocelice9ed2812017-12-25 17:49:28 +01001933 defaults to 20000. When the cache is full, the most idle entries are purged
Emeric Brunaf9619d2012-11-28 18:47:52 +01001934 and reassigned. Higher values reduce the occurrence of such a purge, hence
1935 the number of CPU-intensive SSL handshakes by ensuring that all users keep
1936 their session as long as possible. All entries are pre-allocated upon startup
Emeric Brun22890a12012-12-28 14:41:32 +01001937 and are shared between all processes if "nbproc" is greater than 1. Setting
1938 this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001939
Emeric Brun8dc60392014-05-09 13:52:00 +02001940tune.ssl.force-private-cache
Lukas Tribus27935782018-10-01 02:00:16 +02001941 This option disables SSL session cache sharing between all processes. It
Emeric Brun8dc60392014-05-09 13:52:00 +02001942 should normally not be used since it will force many renegotiations due to
1943 clients hitting a random process. But it may be required on some operating
1944 systems where none of the SSL cache synchronization method may be used. In
1945 this case, adding a first layer of hash-based load balancing before the SSL
1946 layer might limit the impact of the lack of session sharing.
1947
Emeric Brun4f65bff2012-11-16 15:11:00 +01001948tune.ssl.lifetime <timeout>
1949 Sets how long a cached SSL session may remain valid. This time is expressed
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001950 in seconds and defaults to 300 (5 min). It is important to understand that it
Emeric Brun4f65bff2012-11-16 15:11:00 +01001951 does not guarantee that sessions will last that long, because if the cache is
1952 full, the longest idle sessions will be purged despite their configured
1953 lifetime. The real usefulness of this setting is to prevent sessions from
1954 being used for too long.
1955
Willy Tarreaubfd59462013-02-21 07:46:09 +01001956tune.ssl.maxrecord <number>
1957 Sets the maximum amount of bytes passed to SSL_write() at a time. Default
1958 value 0 means there is no limit. Over SSL/TLS, the client can decipher the
1959 data only once it has received a full record. With large records, it means
1960 that clients might have to download up to 16kB of data before starting to
1961 process them. Limiting the value can improve page load times on browsers
1962 located over high latency or low bandwidth networks. It is suggested to find
1963 optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over
1964 Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled),
1965 keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and
1966 2859 gave good results during tests. Use "strace -e trace=write" to find the
Davor Ocelice9ed2812017-12-25 17:49:28 +01001967 best value. HAProxy will automatically switch to this setting after an idle
Willy Tarreau7e312732014-02-12 16:35:14 +01001968 stream has been detected (see tune.idletimer above).
Willy Tarreaubfd59462013-02-21 07:46:09 +01001969
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001970tune.ssl.default-dh-param <number>
1971 Sets the maximum size of the Diffie-Hellman parameters used for generating
1972 the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
1973 final size will try to match the size of the server's RSA (or DSA) key (e.g,
1974 a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
1975 this maximum value. Default value if 1024. Only 1024 or higher values are
1976 allowed. Higher values will increase the CPU load, and values greater than
1977 1024 bits are not supported by Java 7 and earlier clients. This value is not
Remi Gacogne47783ef2015-05-29 15:53:22 +02001978 used if static Diffie-Hellman parameters are supplied either directly
1979 in the certificate file or by using the ssl-dh-param-file parameter.
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001980
Christopher Faulet31af49d2015-06-09 17:29:50 +02001981tune.ssl.ssl-ctx-cache-size <number>
1982 Sets the size of the cache used to store generated certificates to <number>
1983 entries. This is a LRU cache. Because generating a SSL certificate
1984 dynamically is expensive, they are cached. The default cache size is set to
1985 1000 entries.
1986
Thierry FOURNIER5bf77322017-02-25 12:45:22 +01001987tune.ssl.capture-cipherlist-size <number>
1988 Sets the maximum size of the buffer used for capturing client-hello cipher
1989 list. If the value is 0 (default value) the capture is disabled, otherwise
1990 a buffer is allocated for each SSL/TLS connection.
1991
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02001992tune.vars.global-max-size <size>
Christopher Fauletff2613e2016-11-09 11:36:17 +01001993tune.vars.proc-max-size <size>
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02001994tune.vars.reqres-max-size <size>
1995tune.vars.sess-max-size <size>
1996tune.vars.txn-max-size <size>
Christopher Fauletff2613e2016-11-09 11:36:17 +01001997 These five tunes help to manage the maximum amount of memory used by the
1998 variables system. "global" limits the overall amount of memory available for
1999 all scopes. "proc" limits the memory for the process scope, "sess" limits the
2000 memory for the session scope, "txn" for the transaction scope, and "reqres"
2001 limits the memory for each request or response processing.
2002 Memory accounting is hierarchical, meaning more coarse grained limits include
2003 the finer grained ones: "proc" includes "sess", "sess" includes "txn", and
2004 "txn" includes "reqres".
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002005
Daniel Schneller0b547052016-03-21 20:46:57 +01002006 For example, when "tune.vars.sess-max-size" is limited to 100,
2007 "tune.vars.txn-max-size" and "tune.vars.reqres-max-size" cannot exceed
2008 100 either. If we create a variable "txn.var" that contains 100 bytes,
2009 all available space is consumed.
2010 Notice that exceeding the limits at runtime will not result in an error
2011 message, but values might be cut off or corrupted. So make sure to accurately
2012 plan for the amount of space needed to store all your variables.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002013
William Lallemanda509e4c2012-11-07 16:54:34 +01002014tune.zlib.memlevel <number>
2015 Sets the memLevel parameter in zlib initialization for each session. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002016 defines how much memory should be allocated for the internal compression
William Lallemanda509e4c2012-11-07 16:54:34 +01002017 state. A value of 1 uses minimum memory but is slow and reduces compression
Davor Ocelice9ed2812017-12-25 17:49:28 +01002018 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
William Lallemanda509e4c2012-11-07 16:54:34 +01002019 between 1 and 9. The default value is 8.
2020
2021tune.zlib.windowsize <number>
2022 Sets the window size (the size of the history buffer) as a parameter of the
2023 zlib initialization for each session. Larger values of this parameter result
Davor Ocelice9ed2812017-12-25 17:49:28 +01002024 in better compression at the expense of memory usage. Can be a value between
2025 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002026
Willy Tarreauc57f0e22009-05-10 13:12:33 +020020273.3. Debugging
2028--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02002029
2030debug
2031 Enables debug mode which dumps to stdout all exchanges, and disables forking
2032 into background. It is the equivalent of the command-line argument "-d". It
2033 should never be used in a production configuration since it may prevent full
2034 system startup.
2035
2036quiet
2037 Do not display any message during startup. It is equivalent to the command-
2038 line argument "-q".
2039
Emeric Brunf099e792010-09-27 12:05:28 +02002040
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010020413.4. Userlists
2042--------------
2043It is possible to control access to frontend/backend/listen sections or to
2044http stats by allowing only authenticated and authorized users. To do this,
2045it is required to create at least one userlist and to define users.
2046
2047userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +01002048 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002049 used to store authentication & authorization data for independent customers.
2050
2051group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +01002052 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002053 attach users to this group by using a comma separated list of names
2054 proceeded by "users" keyword.
2055
Cyril Bontéf0c60612010-02-06 14:44:47 +01002056user <username> [password|insecure-password <password>]
2057 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002058 Adds user <username> to the current userlist. Both secure (encrypted) and
2059 insecure (unencrypted) passwords can be used. Encrypted passwords are
Daniel Schnellerd06f31c2017-11-06 16:51:04 +01002060 evaluated using the crypt(3) function, so depending on the system's
2061 capabilities, different algorithms are supported. For example, modern Glibc
2062 based Linux systems support MD5, SHA-256, SHA-512, and, of course, the
2063 classic DES-based method of encrypting passwords.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002064
Daniel Schnellerd06f31c2017-11-06 16:51:04 +01002065 Attention: Be aware that using encrypted passwords might cause significantly
2066 increased CPU usage, depending on the number of requests, and the algorithm
2067 used. For any of the hashed variants, the password for each request must
2068 be processed through the chosen algorithm, before it can be compared to the
2069 value specified in the config file. Most current algorithms are deliberately
2070 designed to be expensive to compute to achieve resistance against brute
2071 force attacks. They do not simply salt/hash the clear text password once,
2072 but thousands of times. This can quickly become a major factor in haproxy's
2073 overall CPU consumption!
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002074
2075 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +01002076 userlist L1
2077 group G1 users tiger,scott
2078 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002079
Cyril Bontéf0c60612010-02-06 14:44:47 +01002080 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
2081 user scott insecure-password elgato
2082 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002083
Cyril Bontéf0c60612010-02-06 14:44:47 +01002084 userlist L2
2085 group G1
2086 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002087
Cyril Bontéf0c60612010-02-06 14:44:47 +01002088 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
2089 user scott insecure-password elgato groups G1,G2
2090 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002091
2092 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002093
Emeric Brunf099e792010-09-27 12:05:28 +02002094
20953.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +02002096----------
Emeric Brun94900952015-06-11 18:25:54 +02002097It is possible to propagate entries of any data-types in stick-tables between
2098several haproxy instances over TCP connections in a multi-master fashion. Each
2099instance pushes its local updates and insertions to remote peers. The pushed
2100values overwrite remote ones without aggregation. Interrupted exchanges are
2101automatically detected and recovered from the last known point.
2102In addition, during a soft restart, the old process connects to the new one
2103using such a TCP connection to push all its entries before the new process
2104tries to connect to other peers. That ensures very fast replication during a
2105reload, it typically takes a fraction of a second even for large tables.
2106Note that Server IDs are used to identify servers remotely, so it is important
2107that configurations look similar or at least that the same IDs are forced on
2108each server on all participants.
Emeric Brunf099e792010-09-27 12:05:28 +02002109
2110peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -04002111 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +02002112 which is referenced by one or more stick-tables.
2113
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002114bind [<address>]:<port_range> [, ...] [param*]
2115 Defines the binding parameters of the local peer of this "peers" section.
2116 Such lines are not supported with "peer" line in the same "peers" section.
2117
Willy Tarreau77e4bd12015-05-01 20:02:17 +02002118disabled
2119 Disables a peers section. It disables both listening and any synchronization
2120 related to this section. This is provided to disable synchronization of stick
2121 tables without having to comment out all "peers" references.
2122
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002123default-bind [param*]
2124 Defines the binding parameters for the local peer, excepted its address.
2125
2126default-server [param*]
2127 Change default options for a server in a "peers" section.
2128
2129 Arguments:
2130 <param*> is a list of parameters for this server. The "default-server"
2131 keyword accepts an important number of options and has a complete
2132 section dedicated to it. Please refer to section 5 for more
2133 details.
2134
2135
2136 See also: "server" and section 5 about server options
2137
Willy Tarreau77e4bd12015-05-01 20:02:17 +02002138enable
2139 This re-enables a disabled peers section which was previously disabled.
2140
Frédéric Lécailleb6f759b2019-11-05 09:57:45 +01002141log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>]
2142 <facility> [<level> [<minlevel>]]
2143 "peers" sections support the same "log" keyword as for the proxies to
2144 log information about the "peers" listener. See "log" option for proxies for
2145 more details.
2146
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002147peer <peername> <ip>:<port> [param*]
Emeric Brunf099e792010-09-27 12:05:28 +02002148 Defines a peer inside a peers section.
2149 If <peername> is set to the local peer name (by default hostname, or forced
2150 using "-L" command line option), haproxy will listen for incoming remote peer
2151 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
2152 to join the remote peer, and <peername> is used at the protocol level to
2153 identify and validate the remote peer on the server side.
2154
2155 During a soft restart, local peer <ip>:<port> is used by the old instance to
2156 connect the new one and initiate a complete replication (teaching process).
2157
2158 It is strongly recommended to have the exact same peers declaration on all
2159 peers and to only rely on the "-L" command line argument to change the local
2160 peer name. This makes it easier to maintain coherent configuration files
2161 across all peers.
2162
William Lallemandb2f07452015-05-12 14:27:13 +02002163 You may want to reference some environment variables in the address
2164 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01002165
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002166 Note: "peer" keyword may transparently be replaced by "server" keyword (see
2167 "server" keyword explanation below).
2168
2169server <peername> [<ip>:<port>] [param*]
Michael Prokop4438c602019-05-24 10:25:45 +02002170 As previously mentioned, "peer" keyword may be replaced by "server" keyword
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002171 with a support for all "server" parameters found in 5.2 paragraph.
2172 If the underlying peer is local, <ip>:<port> parameters must not be present.
2173 These parameters must be provided on a "bind" line (see "bind" keyword
2174 of this "peers" section).
2175 Some of these parameters are irrelevant for "peers" sections.
2176
2177
Cyril Bontédc4d9032012-04-08 21:57:39 +02002178 Example:
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002179 # The old way.
Emeric Brunf099e792010-09-27 12:05:28 +02002180 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01002181 peer haproxy1 192.168.0.1:1024
2182 peer haproxy2 192.168.0.2:1024
2183 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02002184
2185 backend mybackend
2186 mode tcp
2187 balance roundrobin
2188 stick-table type ip size 20k peers mypeers
2189 stick on src
2190
Willy Tarreauf7b30a92010-12-06 22:59:17 +01002191 server srv1 192.168.0.30:80
2192 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02002193
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002194 Example:
2195 peers mypeers
2196 bind 127.0.0.11:10001 ssl crt mycerts/pem
2197 default-server ssl verify none
2198 server hostA 127.0.0.10:10000
2199 server hostB #local peer
Emeric Brunf099e792010-09-27 12:05:28 +02002200
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01002201
2202table <tablename> type {ip | integer | string [len <length>] | binary [len <length>]}
2203 size <size> [expire <expire>] [nopurge] [store <data_type>]*
2204
2205 Configure a stickiness table for the current section. This line is parsed
2206 exactly the same way as the "stick-table" keyword in others section, except
John Roeslerfb2fce12019-07-10 15:45:51 -05002207 for the "peers" argument which is not required here and with an additional
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01002208 mandatory first parameter to designate the stick-table. Contrary to others
2209 sections, there may be several "table" lines in "peers" sections (see also
2210 "stick-table" keyword).
2211
2212 Also be aware of the fact that "peers" sections have their own stick-table
2213 namespaces to avoid collisions between stick-table names identical in
2214 different "peers" section. This is internally handled prepending the "peers"
2215 sections names to the name of the stick-tables followed by a '/' character.
2216 If somewhere else in the configuration file you have to refer to such
2217 stick-tables declared in "peers" sections you must use the prefixed version
2218 of the stick-table name as follows:
2219
2220 peers mypeers
2221 peer A ...
2222 peer B ...
2223 table t1 ...
2224
2225 frontend fe1
2226 tcp-request content track-sc0 src table mypeers/t1
2227
2228 This is also this prefixed version of the stick-table names which must be
2229 used to refer to stick-tables through the CLI.
2230
2231 About "peers" protocol, as only "peers" belonging to the same section may
2232 communicate with each others, there is no need to do such a distinction.
2233 Several "peers" sections may declare stick-tables with the same name.
2234 This is shorter version of the stick-table name which is sent over the network.
2235 There is only a '/' character as prefix to avoid stick-table name collisions between
2236 stick-tables declared as backends and stick-table declared in "peers" sections
2237 as follows in this weird but supported configuration:
2238
2239 peers mypeers
2240 peer A ...
2241 peer B ...
2242 table t1 type string size 10m store gpc0
2243
2244 backend t1
2245 stick-table type string size 10m store gpc0 peers mypeers
2246
2247 Here "t1" table declared in "mypeeers" section has "mypeers/t1" as global name.
2248 "t1" table declared as a backend as "t1" as global name. But at peer protocol
2249 level the former table is named "/t1", the latter is again named "t1".
2250
Simon Horman51a1cf62015-02-03 13:00:44 +090022513.6. Mailers
2252------------
2253It is possible to send email alerts when the state of servers changes.
2254If configured email alerts are sent to each mailer that is configured
2255in a mailers section. Email is sent to mailers using SMTP.
2256
Pieter Baauw386a1272015-08-16 15:26:24 +02002257mailers <mailersect>
Simon Horman51a1cf62015-02-03 13:00:44 +09002258 Creates a new mailer list with the name <mailersect>. It is an
2259 independent section which is referenced by one or more proxies.
2260
2261mailer <mailername> <ip>:<port>
2262 Defines a mailer inside a mailers section.
2263
2264 Example:
2265 mailers mymailers
2266 mailer smtp1 192.168.0.1:587
2267 mailer smtp2 192.168.0.2:587
2268
2269 backend mybackend
2270 mode tcp
2271 balance roundrobin
2272
2273 email-alert mailers mymailers
2274 email-alert from test1@horms.org
2275 email-alert to test2@horms.org
2276
2277 server srv1 192.168.0.30:80
2278 server srv2 192.168.0.31:80
2279
Pieter Baauw235fcfc2016-02-13 15:33:40 +01002280timeout mail <time>
2281 Defines the time available for a mail/connection to be made and send to
2282 the mail-server. If not defined the default value is 10 seconds. To allow
2283 for at least two SYN-ACK packets to be send during initial TCP handshake it
2284 is advised to keep this value above 4 seconds.
2285
2286 Example:
2287 mailers mymailers
2288 timeout mail 20s
2289 mailer smtp1 192.168.0.1:587
Simon Horman51a1cf62015-02-03 13:00:44 +09002290
William Lallemandc9515522019-06-12 16:32:11 +020022913.7. Programs
2292-------------
2293In master-worker mode, it is possible to launch external binaries with the
2294master, these processes are called programs. These programs are launched and
2295managed the same way as the workers.
2296
2297During a reload of HAProxy, those processes are dealing with the same
2298sequence as a worker:
2299
2300 - the master is re-executed
2301 - the master sends a SIGUSR1 signal to the program
2302 - if "option start-on-reload" is not disabled, the master launches a new
2303 instance of the program
2304
2305During a stop, or restart, a SIGTERM is sent to the programs.
2306
2307program <name>
2308 This is a new program section, this section will create an instance <name>
2309 which is visible in "show proc" on the master CLI. (See "9.4. Master CLI" in
2310 the management guide).
2311
2312command <command> [arguments*]
2313 Define the command to start with optional arguments. The command is looked
2314 up in the current PATH if it does not include an absolute path. This is a
2315 mandatory option of the program section. Arguments containing spaces must
2316 be enclosed in quotes or double quotes or be prefixed by a backslash.
2317
Andrew Heberle97236962019-07-12 11:50:26 +08002318user <user name>
2319 Changes the executed command user ID to the <user name> from /etc/passwd.
2320 See also "group".
2321
2322group <group name>
2323 Changes the executed command group ID to the <group name> from /etc/group.
2324 See also "user".
2325
William Lallemandc9515522019-06-12 16:32:11 +02002326option start-on-reload
2327no option start-on-reload
2328 Start (or not) a new instance of the program upon a reload of the master.
2329 The default is to start a new instance. This option may only be used in a
2330 program section.
2331
2332
Willy Tarreauc57f0e22009-05-10 13:12:33 +020023334. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02002334----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01002335
Willy Tarreau6a06a402007-07-15 20:15:28 +02002336Proxy configuration can be located in a set of sections :
William Lallemand6e62fb62015-04-28 16:55:23 +02002337 - defaults [<name>]
Willy Tarreau6a06a402007-07-15 20:15:28 +02002338 - frontend <name>
2339 - backend <name>
2340 - listen <name>
2341
2342A "defaults" section sets default parameters for all other sections following
2343its declaration. Those default parameters are reset by the next "defaults"
2344section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +01002345section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002346
2347A "frontend" section describes a set of listening sockets accepting client
2348connections.
2349
2350A "backend" section describes a set of servers to which the proxy will connect
2351to forward incoming connections.
2352
2353A "listen" section defines a complete proxy with its frontend and backend
2354parts combined in one section. It is generally useful for TCP-only traffic.
2355
Willy Tarreau0ba27502007-12-24 16:55:16 +01002356All proxy names must be formed from upper and lower case letters, digits,
2357'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
2358case-sensitive, which means that "www" and "WWW" are two different proxies.
2359
2360Historically, all proxy names could overlap, it just caused troubles in the
2361logs. Since the introduction of content switching, it is mandatory that two
2362proxies with overlapping capabilities (frontend/backend) have different names.
2363However, it is still permitted that a frontend and a backend share the same
2364name, as this configuration seems to be commonly encountered.
2365
2366Right now, two major proxy modes are supported : "tcp", also known as layer 4,
2367and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002368bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002369protocol, and can interact with it by allowing, blocking, switching, adding,
2370modifying, or removing arbitrary contents in requests or responses, based on
2371arbitrary criteria.
2372
Willy Tarreau70dffda2014-01-30 03:07:23 +01002373In HTTP mode, the processing applied to requests and responses flowing over
2374a connection depends in the combination of the frontend's HTTP options and
Christopher Faulet315b39c2018-09-21 16:26:19 +02002375the backend's. HAProxy supports 4 connection modes :
Willy Tarreau70dffda2014-01-30 03:07:23 +01002376
2377 - KAL : keep alive ("option http-keep-alive") which is the default mode : all
2378 requests and responses are processed, and connections remain open but idle
2379 between responses and new requests.
2380
Willy Tarreau70dffda2014-01-30 03:07:23 +01002381 - SCL: server close ("option http-server-close") : the server-facing
2382 connection is closed after the end of the response is received, but the
2383 client-facing connection remains open.
2384
Christopher Faulet315b39c2018-09-21 16:26:19 +02002385 - CLO: close ("option httpclose"): the connection is closed after the end of
2386 the response and "Connection: close" appended in both directions.
Willy Tarreau70dffda2014-01-30 03:07:23 +01002387
2388The effective mode that will be applied to a connection passing through a
2389frontend and a backend can be determined by both proxy modes according to the
2390following matrix, but in short, the modes are symmetric, keep-alive is the
Christopher Faulet315b39c2018-09-21 16:26:19 +02002391weakest option and close is the strongest.
Willy Tarreau70dffda2014-01-30 03:07:23 +01002392
Christopher Faulet315b39c2018-09-21 16:26:19 +02002393 Backend mode
Willy Tarreau70dffda2014-01-30 03:07:23 +01002394
Christopher Faulet315b39c2018-09-21 16:26:19 +02002395 | KAL | SCL | CLO
2396 ----+-----+-----+----
2397 KAL | KAL | SCL | CLO
2398 ----+-----+-----+----
Christopher Faulet315b39c2018-09-21 16:26:19 +02002399 mode SCL | SCL | SCL | CLO
2400 ----+-----+-----+----
2401 CLO | CLO | CLO | CLO
Willy Tarreau70dffda2014-01-30 03:07:23 +01002402
Willy Tarreau0ba27502007-12-24 16:55:16 +01002403
Willy Tarreau70dffda2014-01-30 03:07:23 +01002404
Willy Tarreauc57f0e22009-05-10 13:12:33 +020024054.1. Proxy keywords matrix
2406--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01002407
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002408The following list of keywords is supported. Most of them may only be used in a
2409limited set of section types. Some of them are marked as "deprecated" because
2410they are inherited from an old syntax which may be confusing or functionally
2411limited, and there are new recommended keywords to replace them. Keywords
Davor Ocelice9ed2812017-12-25 17:49:28 +01002412marked with "(*)" can be optionally inverted using the "no" prefix, e.g. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002413option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02002414and must be disabled for a specific instance. Such options may also be prefixed
2415with "default" in order to restore default settings regardless of what has been
2416specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002417
Willy Tarreau6a06a402007-07-15 20:15:28 +02002418
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002419 keyword defaults frontend listen backend
2420------------------------------------+----------+----------+---------+---------
2421acl - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002422backlog X X X -
2423balance X - X X
2424bind - X X -
2425bind-process X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002426capture cookie - X X -
2427capture request header - X X -
2428capture response header - X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02002429compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002430cookie X - X X
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02002431declare capture - X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002432default-server X - X X
2433default_backend X X X -
2434description - X X X
2435disabled X X X X
2436dispatch - - X X
Simon Horman51a1cf62015-02-03 13:00:44 +09002437email-alert from X X X X
Simon Horman64e34162015-02-06 11:11:57 +09002438email-alert level X X X X
Simon Horman51a1cf62015-02-03 13:00:44 +09002439email-alert mailers X X X X
2440email-alert myhostname X X X X
2441email-alert to X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01002442enabled X X X X
2443errorfile X X X X
2444errorloc X X X X
2445errorloc302 X X X X
2446-- keyword -------------------------- defaults - frontend - listen -- backend -
2447errorloc303 X X X X
Cyril Bonté